projects / mirror_qemu.git / blame
| Commit | Line | Data |
|---|---|---|
| 5b76dd13 DB |
1 | /* |
| 2 | * QEMU authorization framework base class | |
| 3 | * | |
| 4 | * Copyright (c) 2018 Red Hat, Inc. | |
| 5 | * | |
| 6 | * This library is free software; you can redistribute it and/or | |
| 7 | * modify it under the terms of the GNU Lesser General Public | |
| 8 | * License as published by the Free Software Foundation; either | |
| 9 | * version 2 of the License, or (at your option) any later version. | |
| 10 | * | |
| 11 | * This library is distributed in the hope that it will be useful, | |
| 12 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | |
| 13 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU | |
| 14 | * Lesser General Public License for more details. | |
| 15 | * | |
| 16 | * You should have received a copy of the GNU Lesser General Public | |
| 17 | * License along with this library; if not, see <http://www.gnu.org/licenses/>. | |
| 18 | * | |
| 19 | */ | |
| 20 | ||
| a8b991b5 MA |
21 | #ifndef QAUTHZ_BASE_H |
| 22 | #define QAUTHZ_BASE_H | |
| 5b76dd13 | 23 | |
| 5b76dd13 DB |
24 | #include "qapi/error.h" |
| 25 | #include "qom/object.h" | |
| 26 | ||
| 27 | ||
| 28 | #define TYPE_QAUTHZ "authz" | |
| 29 | ||
| db1015e9 EH |
30 | typedef struct QAuthZ QAuthZ; |
| 31 | typedef struct QAuthZClass QAuthZClass; | |
| 8110fa1d EH |
32 | DECLARE_OBJ_CHECKERS(QAuthZ, QAuthZClass, |
| 33 | QAUTHZ, TYPE_QAUTHZ) | |
| 5b76dd13 | 34 | |
| 5b76dd13 DB |
35 | |
| 36 | /** | |
| 37 | * QAuthZ: | |
| 38 | * | |
| 39 | * The QAuthZ class defines an API contract to be used | |
| 40 | * for providing an authorization driver for services | |
| 41 | * with user identities. | |
| 42 | */ | |
| 43 | ||
| 44 | struct QAuthZ { | |
| 45 | Object parent_obj; | |
| 46 | }; | |
| 47 | ||
| 48 | ||
| 49 | struct QAuthZClass { | |
| 50 | ObjectClass parent_class; | |
| 51 | ||
| 52 | bool (*is_allowed)(QAuthZ *authz, | |
| 53 | const char *identity, | |
| 54 | Error **errp); | |
| 55 | }; | |
| 56 | ||
| 57 | ||
| 58 | /** | |
| 59 | * qauthz_is_allowed: | |
| 60 | * @authz: the authorization object | |
| 61 | * @identity: the user identity to authorize | |
| 62 | * @errp: pointer to a NULL initialized error object | |
| 63 | * | |
| 64 | * Check if a user @identity is authorized. If an error | |
| 65 | * occurs this method will return false to indicate | |
| 66 | * denial, as well as setting @errp to contain the details. | |
| 67 | * Callers are recommended to treat the denial and error | |
| 68 | * scenarios identically. Specifically the error info in | |
| 69 | * @errp should never be fed back to the user being | |
| 70 | * authorized, it is merely for benefit of administrator | |
| 71 | * debugging. | |
| 72 | * | |
| 73 | * Returns: true if @identity is authorized, false if denied or if | |
| 74 | * an error occurred. | |
| 75 | */ | |
| 76 | bool qauthz_is_allowed(QAuthZ *authz, | |
| 77 | const char *identity, | |
| 78 | Error **errp); | |
| 79 | ||
| 80 | ||
| 81 | /** | |
| 82 | * qauthz_is_allowed_by_id: | |
| 83 | * @authzid: ID of the authorization object | |
| 84 | * @identity: the user identity to authorize | |
| 85 | * @errp: pointer to a NULL initialized error object | |
| 86 | * | |
| 87 | * Check if a user @identity is authorized. If an error | |
| 88 | * occurs this method will return false to indicate | |
| 89 | * denial, as well as setting @errp to contain the details. | |
| 90 | * Callers are recommended to treat the denial and error | |
| 91 | * scenarios identically. Specifically the error info in | |
| 92 | * @errp should never be fed back to the user being | |
| 93 | * authorized, it is merely for benefit of administrator | |
| 94 | * debugging. | |
| 95 | * | |
| 96 | * Returns: true if @identity is authorized, false if denied or if | |
| 97 | * an error occurred. | |
| 98 | */ | |
| 99 | bool qauthz_is_allowed_by_id(const char *authzid, | |
| 100 | const char *identity, | |
| 101 | Error **errp); | |
| 102 | ||
| a8b991b5 | 103 | #endif /* QAUTHZ_BASE_H */ |