1/* 2 * QEMU authorization framework base class 3 * 4 * Copyright (c) 2018 Red Hat, Inc. 5 * 6 * This library is free software; you can redistribute it and/or 7 * modify it under the terms of the GNU Lesser General Public 8 * License as published by the Free Software Foundation; either 9 * version 2 of the License, or (at your option) any later version. 10 * 11 * This library is distributed in the hope that it will be useful, 12 * but WITHOUT ANY WARRANTY; without even the implied warranty of 13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 14 * Lesser General Public License for more details. 15 * 16 * You should have received a copy of the GNU Lesser General Public 17 * License along with this library; if not, see <http://www.gnu.org/licenses/>. 18 * 19 */ 20 21#ifndef QAUTHZ_BASE_H 22#define QAUTHZ_BASE_H 23 24#include "qapi/error.h" 25#include "qom/object.h" 26 27 28#define TYPE_QAUTHZ "authz" 29 30#define QAUTHZ_CLASS(klass) \ 31 OBJECT_CLASS_CHECK(QAuthZClass, (klass), \ 32 TYPE_QAUTHZ) 33#define QAUTHZ_GET_CLASS(obj) \ 34 OBJECT_GET_CLASS(QAuthZClass, (obj), \ 35 TYPE_QAUTHZ) 36#define QAUTHZ(obj) \ 37 OBJECT_CHECK(QAuthZ, (obj), \ 38 TYPE_QAUTHZ) 39 40typedef struct QAuthZ QAuthZ; 41typedef struct QAuthZClass QAuthZClass; 42 43/** 44 * QAuthZ: 45 * 46 * The QAuthZ class defines an API contract to be used 47 * for providing an authorization driver for services 48 * with user identities. 49 */ 50 51struct QAuthZ { 52 Object parent_obj; 53}; 54 55 56struct QAuthZClass { 57 ObjectClass parent_class; 58 59 bool (*is_allowed)(QAuthZ *authz, 60 const char *identity, 61 Error **errp); 62}; 63 64 65/** 66 * qauthz_is_allowed: 67 * @authz: the authorization object 68 * @identity: the user identity to authorize 69 * @errp: pointer to a NULL initialized error object 70 * 71 * Check if a user @identity is authorized. If an error 72 * occurs this method will return false to indicate 73 * denial, as well as setting @errp to contain the details. 74 * Callers are recommended to treat the denial and error 75 * scenarios identically. Specifically the error info in 76 * @errp should never be fed back to the user being 77 * authorized, it is merely for benefit of administrator 78 * debugging. 79 * 80 * Returns: true if @identity is authorized, false if denied or if 81 * an error occurred. 82 */ 83bool qauthz_is_allowed(QAuthZ *authz, 84 const char *identity, 85 Error **errp); 86 87 88/** 89 * qauthz_is_allowed_by_id: 90 * @authzid: ID of the authorization object 91 * @identity: the user identity to authorize 92 * @errp: pointer to a NULL initialized error object 93 * 94 * Check if a user @identity is authorized. If an error 95 * occurs this method will return false to indicate 96 * denial, as well as setting @errp to contain the details. 97 * Callers are recommended to treat the denial and error 98 * scenarios identically. Specifically the error info in 99 * @errp should never be fed back to the user being 100 * authorized, it is merely for benefit of administrator 101 * debugging. 102 * 103 * Returns: true if @identity is authorized, false if denied or if 104 * an error occurred. 105 */ 106bool qauthz_is_allowed_by_id(const char *authzid, 107 const char *identity, 108 Error **errp); 109 110#endif /* QAUTHZ_BASE_H */ 111