1/* 2 * QEMU authorization framework base class 3 * 4 * Copyright (c) 2018 Red Hat, Inc. 5 * 6 * This library is free software; you can redistribute it and/or 7 * modify it under the terms of the GNU Lesser General Public 8 * License as published by the Free Software Foundation; either 9 * version 2 of the License, or (at your option) any later version. 10 * 11 * This library is distributed in the hope that it will be useful, 12 * but WITHOUT ANY WARRANTY; without even the implied warranty of 13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 14 * Lesser General Public License for more details. 15 * 16 * You should have received a copy of the GNU Lesser General Public 17 * License along with this library; if not, see <http://www.gnu.org/licenses/>. 18 * 19 */ 20 21#ifndef QAUTHZ_BASE_H__ 22#define QAUTHZ_BASE_H__ 23 24#include "qemu-common.h" 25#include "qapi/error.h" 26#include "qom/object.h" 27 28 29#define TYPE_QAUTHZ "authz" 30 31#define QAUTHZ_CLASS(klass) \ 32 OBJECT_CLASS_CHECK(QAuthZClass, (klass), \ 33 TYPE_QAUTHZ) 34#define QAUTHZ_GET_CLASS(obj) \ 35 OBJECT_GET_CLASS(QAuthZClass, (obj), \ 36 TYPE_QAUTHZ) 37#define QAUTHZ(obj) \ 38 OBJECT_CHECK(QAuthZ, (obj), \ 39 TYPE_QAUTHZ) 40 41typedef struct QAuthZ QAuthZ; 42typedef struct QAuthZClass QAuthZClass; 43 44/** 45 * QAuthZ: 46 * 47 * The QAuthZ class defines an API contract to be used 48 * for providing an authorization driver for services 49 * with user identities. 50 */ 51 52struct QAuthZ { 53 Object parent_obj; 54}; 55 56 57struct QAuthZClass { 58 ObjectClass parent_class; 59 60 bool (*is_allowed)(QAuthZ *authz, 61 const char *identity, 62 Error **errp); 63}; 64 65 66/** 67 * qauthz_is_allowed: 68 * @authz: the authorization object 69 * @identity: the user identity to authorize 70 * @errp: pointer to a NULL initialized error object 71 * 72 * Check if a user @identity is authorized. If an error 73 * occurs this method will return false to indicate 74 * denial, as well as setting @errp to contain the details. 75 * Callers are recommended to treat the denial and error 76 * scenarios identically. Specifically the error info in 77 * @errp should never be fed back to the user being 78 * authorized, it is merely for benefit of administrator 79 * debugging. 80 * 81 * Returns: true if @identity is authorized, false if denied or if 82 * an error occurred. 83 */ 84bool qauthz_is_allowed(QAuthZ *authz, 85 const char *identity, 86 Error **errp); 87 88 89/** 90 * qauthz_is_allowed_by_id: 91 * @authzid: ID of the authorization object 92 * @identity: the user identity to authorize 93 * @errp: pointer to a NULL initialized error object 94 * 95 * Check if a user @identity is authorized. If an error 96 * occurs this method will return false to indicate 97 * denial, as well as setting @errp to contain the details. 98 * Callers are recommended to treat the denial and error 99 * scenarios identically. Specifically the error info in 100 * @errp should never be fed back to the user being 101 * authorized, it is merely for benefit of administrator 102 * debugging. 103 * 104 * Returns: true if @identity is authorized, false if denied or if 105 * an error occurred. 106 */ 107bool qauthz_is_allowed_by_id(const char *authzid, 108 const char *identity, 109 Error **errp); 110 111#endif /* QAUTHZ_BASE_H__ */ 112 113