]>
Commit | Line | Data |
---|---|---|
5b76dd13 DB |
1 | /* |
2 | * QEMU authorization framework base class | |
3 | * | |
4 | * Copyright (c) 2018 Red Hat, Inc. | |
5 | * | |
6 | * This library is free software; you can redistribute it and/or | |
7 | * modify it under the terms of the GNU Lesser General Public | |
8 | * License as published by the Free Software Foundation; either | |
9 | * version 2 of the License, or (at your option) any later version. | |
10 | * | |
11 | * This library is distributed in the hope that it will be useful, | |
12 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | |
13 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU | |
14 | * Lesser General Public License for more details. | |
15 | * | |
16 | * You should have received a copy of the GNU Lesser General Public | |
17 | * License along with this library; if not, see <http://www.gnu.org/licenses/>. | |
18 | * | |
19 | */ | |
20 | ||
a8b991b5 MA |
21 | #ifndef QAUTHZ_BASE_H |
22 | #define QAUTHZ_BASE_H | |
5b76dd13 | 23 | |
5b76dd13 DB |
24 | #include "qapi/error.h" |
25 | #include "qom/object.h" | |
26 | ||
27 | ||
28 | #define TYPE_QAUTHZ "authz" | |
29 | ||
db1015e9 EH |
30 | typedef struct QAuthZ QAuthZ; |
31 | typedef struct QAuthZClass QAuthZClass; | |
8110fa1d EH |
32 | DECLARE_OBJ_CHECKERS(QAuthZ, QAuthZClass, |
33 | QAUTHZ, TYPE_QAUTHZ) | |
5b76dd13 | 34 | |
5b76dd13 DB |
35 | |
36 | /** | |
37 | * QAuthZ: | |
38 | * | |
39 | * The QAuthZ class defines an API contract to be used | |
40 | * for providing an authorization driver for services | |
41 | * with user identities. | |
42 | */ | |
43 | ||
44 | struct QAuthZ { | |
45 | Object parent_obj; | |
46 | }; | |
47 | ||
48 | ||
49 | struct QAuthZClass { | |
50 | ObjectClass parent_class; | |
51 | ||
52 | bool (*is_allowed)(QAuthZ *authz, | |
53 | const char *identity, | |
54 | Error **errp); | |
55 | }; | |
56 | ||
57 | ||
58 | /** | |
59 | * qauthz_is_allowed: | |
60 | * @authz: the authorization object | |
61 | * @identity: the user identity to authorize | |
62 | * @errp: pointer to a NULL initialized error object | |
63 | * | |
64 | * Check if a user @identity is authorized. If an error | |
65 | * occurs this method will return false to indicate | |
66 | * denial, as well as setting @errp to contain the details. | |
67 | * Callers are recommended to treat the denial and error | |
68 | * scenarios identically. Specifically the error info in | |
69 | * @errp should never be fed back to the user being | |
70 | * authorized, it is merely for benefit of administrator | |
71 | * debugging. | |
72 | * | |
73 | * Returns: true if @identity is authorized, false if denied or if | |
74 | * an error occurred. | |
75 | */ | |
76 | bool qauthz_is_allowed(QAuthZ *authz, | |
77 | const char *identity, | |
78 | Error **errp); | |
79 | ||
80 | ||
81 | /** | |
82 | * qauthz_is_allowed_by_id: | |
83 | * @authzid: ID of the authorization object | |
84 | * @identity: the user identity to authorize | |
85 | * @errp: pointer to a NULL initialized error object | |
86 | * | |
87 | * Check if a user @identity is authorized. If an error | |
88 | * occurs this method will return false to indicate | |
89 | * denial, as well as setting @errp to contain the details. | |
90 | * Callers are recommended to treat the denial and error | |
91 | * scenarios identically. Specifically the error info in | |
92 | * @errp should never be fed back to the user being | |
93 | * authorized, it is merely for benefit of administrator | |
94 | * debugging. | |
95 | * | |
96 | * Returns: true if @identity is authorized, false if denied or if | |
97 | * an error occurred. | |
98 | */ | |
99 | bool qauthz_is_allowed_by_id(const char *authzid, | |
100 | const char *identity, | |
101 | Error **errp); | |
102 | ||
a8b991b5 | 103 | #endif /* QAUTHZ_BASE_H */ |