qemu/include/authz/base.h
<<
>>
Prefs
   1/*
   2 * QEMU authorization framework base class
   3 *
   4 * Copyright (c) 2018 Red Hat, Inc.
   5 *
   6 * This library is free software; you can redistribute it and/or
   7 * modify it under the terms of the GNU Lesser General Public
   8 * License as published by the Free Software Foundation; either
   9 * version 2.1 of the License, or (at your option) any later version.
  10 *
  11 * This library is distributed in the hope that it will be useful,
  12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
  13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
  14 * Lesser General Public License for more details.
  15 *
  16 * You should have received a copy of the GNU Lesser General Public
  17 * License along with this library; if not, see <http://www.gnu.org/licenses/>.
  18 *
  19 */
  20
  21#ifndef QAUTHZ_BASE_H
  22#define QAUTHZ_BASE_H
  23
  24#include "qapi/error.h"
  25#include "qom/object.h"
  26
  27
  28#define TYPE_QAUTHZ "authz"
  29
  30OBJECT_DECLARE_TYPE(QAuthZ, QAuthZClass,
  31                    QAUTHZ)
  32
  33
  34/**
  35 * QAuthZ:
  36 *
  37 * The QAuthZ class defines an API contract to be used
  38 * for providing an authorization driver for services
  39 * with user identities.
  40 */
  41
  42struct QAuthZ {
  43    Object parent_obj;
  44};
  45
  46
  47struct QAuthZClass {
  48    ObjectClass parent_class;
  49
  50    bool (*is_allowed)(QAuthZ *authz,
  51                       const char *identity,
  52                       Error **errp);
  53};
  54
  55
  56/**
  57 * qauthz_is_allowed:
  58 * @authz: the authorization object
  59 * @identity: the user identity to authorize
  60 * @errp: pointer to a NULL initialized error object
  61 *
  62 * Check if a user @identity is authorized. If an error
  63 * occurs this method will return false to indicate
  64 * denial, as well as setting @errp to contain the details.
  65 * Callers are recommended to treat the denial and error
  66 * scenarios identically. Specifically the error info in
  67 * @errp should never be fed back to the user being
  68 * authorized, it is merely for benefit of administrator
  69 * debugging.
  70 *
  71 * Returns: true if @identity is authorized, false if denied or if
  72 * an error occurred.
  73 */
  74bool qauthz_is_allowed(QAuthZ *authz,
  75                       const char *identity,
  76                       Error **errp);
  77
  78
  79/**
  80 * qauthz_is_allowed_by_id:
  81 * @authzid: ID of the authorization object
  82 * @identity: the user identity to authorize
  83 * @errp: pointer to a NULL initialized error object
  84 *
  85 * Check if a user @identity is authorized. If an error
  86 * occurs this method will return false to indicate
  87 * denial, as well as setting @errp to contain the details.
  88 * Callers are recommended to treat the denial and error
  89 * scenarios identically. Specifically the error info in
  90 * @errp should never be fed back to the user being
  91 * authorized, it is merely for benefit of administrator
  92 * debugging.
  93 *
  94 * Returns: true if @identity is authorized, false if denied or if
  95 * an error occurred.
  96 */
  97bool qauthz_is_allowed_by_id(const char *authzid,
  98                             const char *identity,
  99                             Error **errp);
 100
 101#endif /* QAUTHZ_BASE_H */
 102