1 /* 2 * QEMU authorization framework base class 3 * 4 * Copyright (c) 2018 Red Hat, Inc. 5 * 6 * This library is free software; you can redistribute it and/or 7 * modify it under the terms of the GNU Lesser General Public 8 * License as published by the Free Software Foundation; either 9 * version 2 of the License, or (at your option) any later version. 10 * 11 * This library is distributed in the hope that it will be useful, 12 * but WITHOUT ANY WARRANTY; without even the implied warranty of 13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 14 * Lesser General Public License for more details. 15 * 16 * You should have received a copy of the GNU Lesser General Public 17 * License along with this library; if not, see <http://www.gnu.org/licenses/>. 18 * 19 */ 20 21 #ifndef QAUTHZ_BASE_H 22 #define QAUTHZ_BASE_H 23 24 #include "qapi/error.h" 25 #include "qom/object.h" 26 27 28 #define TYPE_QAUTHZ "authz" 29 30 OBJECT_DECLARE_TYPE(QAuthZ, QAuthZClass, 31 qauthz, QAUTHZ) 32 33 34 /** 35 * QAuthZ: 36 * 37 * The QAuthZ class defines an API contract to be used 38 * for providing an authorization driver for services 39 * with user identities. 40 */ 41 42 struct QAuthZ { 43 Object parent_obj; 44 }; 45 46 47 struct QAuthZClass { 48 ObjectClass parent_class; 49 50 bool (*is_allowed)(QAuthZ *authz, 51 const char *identity, 52 Error **errp); 53 }; 54 55 56 /** 57 * qauthz_is_allowed: 58 * @authz: the authorization object 59 * @identity: the user identity to authorize 60 * @errp: pointer to a NULL initialized error object 61 * 62 * Check if a user @identity is authorized. If an error 63 * occurs this method will return false to indicate 64 * denial, as well as setting @errp to contain the details. 65 * Callers are recommended to treat the denial and error 66 * scenarios identically. Specifically the error info in 67 * @errp should never be fed back to the user being 68 * authorized, it is merely for benefit of administrator 69 * debugging. 70 * 71 * Returns: true if @identity is authorized, false if denied or if 72 * an error occurred. 73 */ 74 bool qauthz_is_allowed(QAuthZ *authz, 75 const char *identity, 76 Error **errp); 77 78 79 /** 80 * qauthz_is_allowed_by_id: 81 * @authzid: ID of the authorization object 82 * @identity: the user identity to authorize 83 * @errp: pointer to a NULL initialized error object 84 * 85 * Check if a user @identity is authorized. If an error 86 * occurs this method will return false to indicate 87 * denial, as well as setting @errp to contain the details. 88 * Callers are recommended to treat the denial and error 89 * scenarios identically. Specifically the error info in 90 * @errp should never be fed back to the user being 91 * authorized, it is merely for benefit of administrator 92 * debugging. 93 * 94 * Returns: true if @identity is authorized, false if denied or if 95 * an error occurred. 96 */ 97 bool qauthz_is_allowed_by_id(const char *authzid, 98 const char *identity, 99 Error **errp); 100 101 #endif /* QAUTHZ_BASE_H */ 102