xref: /openbmc/qemu/include/authz/base.h (revision 1a7c00bb)
1 /*
2  * QEMU authorization framework base class
3  *
4  * Copyright (c) 2018 Red Hat, Inc.
5  *
6  * This library is free software; you can redistribute it and/or
7  * modify it under the terms of the GNU Lesser General Public
8  * License as published by the Free Software Foundation; either
9  * version 2 of the License, or (at your option) any later version.
10  *
11  * This library is distributed in the hope that it will be useful,
12  * but WITHOUT ANY WARRANTY; without even the implied warranty of
13  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
14  * Lesser General Public License for more details.
15  *
16  * You should have received a copy of the GNU Lesser General Public
17  * License along with this library; if not, see <http://www.gnu.org/licenses/>.
18  *
19  */
20 
21 #ifndef QAUTHZ_BASE_H__
22 #define QAUTHZ_BASE_H__
23 
24 #include "qemu-common.h"
25 #include "qapi/error.h"
26 #include "qom/object.h"
27 
28 
29 #define TYPE_QAUTHZ "authz"
30 
31 #define QAUTHZ_CLASS(klass) \
32      OBJECT_CLASS_CHECK(QAuthZClass, (klass), \
33                         TYPE_QAUTHZ)
34 #define QAUTHZ_GET_CLASS(obj) \
35      OBJECT_GET_CLASS(QAuthZClass, (obj), \
36                       TYPE_QAUTHZ)
37 #define QAUTHZ(obj) \
38      INTERFACE_CHECK(QAuthZ, (obj), \
39                      TYPE_QAUTHZ)
40 
41 typedef struct QAuthZ QAuthZ;
42 typedef struct QAuthZClass QAuthZClass;
43 
44 /**
45  * QAuthZ:
46  *
47  * The QAuthZ class defines an API contract to be used
48  * for providing an authorization driver for services
49  * with user identities.
50  */
51 
52 struct QAuthZ {
53     Object parent_obj;
54 };
55 
56 
57 struct QAuthZClass {
58     ObjectClass parent_class;
59 
60     bool (*is_allowed)(QAuthZ *authz,
61                        const char *identity,
62                        Error **errp);
63 };
64 
65 
66 /**
67  * qauthz_is_allowed:
68  * @authz: the authorization object
69  * @identity: the user identity to authorize
70  * @errp: pointer to a NULL initialized error object
71  *
72  * Check if a user @identity is authorized. If an error
73  * occurs this method will return false to indicate
74  * denial, as well as setting @errp to contain the details.
75  * Callers are recommended to treat the denial and error
76  * scenarios identically. Specifically the error info in
77  * @errp should never be fed back to the user being
78  * authorized, it is merely for benefit of administrator
79  * debugging.
80  *
81  * Returns: true if @identity is authorized, false if denied or if
82  * an error occurred.
83  */
84 bool qauthz_is_allowed(QAuthZ *authz,
85                        const char *identity,
86                        Error **errp);
87 
88 
89 /**
90  * qauthz_is_allowed_by_id:
91  * @authzid: ID of the authorization object
92  * @identity: the user identity to authorize
93  * @errp: pointer to a NULL initialized error object
94  *
95  * Check if a user @identity is authorized. If an error
96  * occurs this method will return false to indicate
97  * denial, as well as setting @errp to contain the details.
98  * Callers are recommended to treat the denial and error
99  * scenarios identically. Specifically the error info in
100  * @errp should never be fed back to the user being
101  * authorized, it is merely for benefit of administrator
102  * debugging.
103  *
104  * Returns: true if @identity is authorized, false if denied or if
105  * an error occurred.
106  */
107 bool qauthz_is_allowed_by_id(const char *authzid,
108                              const char *identity,
109                              Error **errp);
110 
111 #endif /* QAUTHZ_BASE_H__ */
112 
113