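/*
 * QEMU authorization framework base class
 *
 * Copyright (c) 2018 Red Hat, Inc.
 *
 * This library is free software; you can redistribute it and/or
 * modify it under the terms of the GNU Lesser General Public
 * License as published by the Free Software Foundation; either
 * version 2 of the License, or (at your option) any later version.
 *
 * This library is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
 * Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public
 * License along with this library; if not, see <http://www.gnu.org/licenses/>.
 *
 */

#ifndef QAUTHZ_BASE_H
#define QAUTHZ_BASE_H

#include "qapi/error.h"   /* Error */
#include "qom/object.h"   /* Object, ObjectClass, OBJECT_*_CHECK helpers */


/* QOM type name under which the base authorization class is registered */
#define TYPE_QAUTHZ "authz"

/*
 * QOM cast helpers. Use these rather than plain C casts so that the
 * object/class type is checked at runtime (see qom/object.h for the
 * exact check semantics).
 */
#define QAUTHZ_CLASS(klass) \
    OBJECT_CLASS_CHECK(QAuthZClass, (klass), \
                       TYPE_QAUTHZ)
#define QAUTHZ_GET_CLASS(obj) \
    OBJECT_GET_CLASS(QAuthZClass, (obj), \
                     TYPE_QAUTHZ)
#define QAUTHZ(obj) \
    OBJECT_CHECK(QAuthZ, (obj), \
                 TYPE_QAUTHZ)

typedef struct QAuthZ QAuthZ;
typedef struct QAuthZClass QAuthZClass;

/**
 * QAuthZ:
 * @parent_obj: the QOM parent object
 *
 * The QAuthZ class defines an API contract to be used
 * for providing an authorization driver for services
 * with user identities. Concrete drivers derive from this
 * type and supply the is_allowed() callback in their
 * QAuthZClass; the base instance carries no state of its own.
 */
struct QAuthZ {
    Object parent_obj;
};


/**
 * QAuthZClass:
 * @parent_class: the QOM parent class
 * @is_allowed: driver callback deciding whether @identity is authorized
 *
 * The @is_allowed callback carries the same contract as the public
 * qauthz_is_allowed() wrapper (which presumably dispatches to it via
 * QAUTHZ_GET_CLASS() - confirm in base.c): return true only when
 * @identity is authorized, and false both for an explicit denial and
 * for any error. On error the driver also sets @errp. Returning false
 * on every failure path keeps the decision fail-closed; a driver must
 * never return true after setting @errp.
 */
struct QAuthZClass {
    ObjectClass parent_class;

    bool (*is_allowed)(QAuthZ *authz,
                       const char *identity,
                       Error **errp);
};


/**
 * qauthz_is_allowed:
 * @authz: the authorization object
 * @identity: the user identity to authorize
 * @errp: pointer to a NULL initialized error object
 *
 * Check if a user @identity is authorized. If an error
 * occurs this method will return false to indicate
 * denial, as well as setting @errp to contain the details.
 * Callers are recommended to treat the denial and error
 * scenarios identically. Specifically the error info in
 * @errp should never be fed back to the user being
 * authorized, it is merely for benefit of administrator
 * debugging.
 *
 * Returns: true if @identity is authorized, false if denied or if
 * an error occurred.
 */
bool qauthz_is_allowed(QAuthZ *authz,
                       const char *identity,
                       Error **errp);


/**
 * qauthz_is_allowed_by_id:
 * @authzid: ID of the authorization object
 * @identity: the user identity to authorize
 * @errp: pointer to a NULL initialized error object
 *
 * Convenience variant of qauthz_is_allowed() that first resolves
 * the QAuthZ object named by @authzid (presumably by QOM object ID -
 * see base.c for the lookup; a missing or wrong-typed object is
 * expected to be reported through @errp and treated as denial).
 *
 * Check if a user @identity is authorized. If an error
 * occurs this method will return false to indicate
 * denial, as well as setting @errp to contain the details.
 * Callers are recommended to treat the denial and error
 * scenarios identically. Specifically the error info in
 * @errp should never be fed back to the user being
 * authorized, it is merely for benefit of administrator
 * debugging.
 *
 * Returns: true if @identity is authorized, false if denied or if
 * an error occurred.
 */
bool qauthz_is_allowed_by_id(const char *authzid,
                             const char *identity,
                             Error **errp);

#endif /* QAUTHZ_BASE_H */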