include/authz/base.h

   1 /*
   2  * QEMU authorization framework base class
   3  *
   4  * Copyright (c) 2018 Red Hat, Inc.
   5  *
   6  * This library is free software; you can redistribute it and/or
   7  * modify it under the terms of the GNU Lesser General Public
   8  * License as published by the Free Software Foundation; either
   9  * version 2 of the License, or (at your option) any later version.
  10  *
  11  * This library is distributed in the hope that it will be useful,
  12  * but WITHOUT ANY WARRANTY; without even the implied warranty of
  13  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
  14  * Lesser General Public License for more details.
  15  *
  16  * You should have received a copy of the GNU Lesser General Public
  17  * License along with this library; if not, see <http://www.gnu.org/licenses/>.
  18  *
  19  */
  20
  21 #ifndef QAUTHZ_BASE_H__
  22 #define QAUTHZ_BASE_H__
  23
  24 #include "qemu-common.h"
  25 #include "qapi/error.h"
  26 #include "qom/object.h"
  27
  28
  29 #define TYPE_QAUTHZ "authz"
  30
  31 #define QAUTHZ_CLASS(klass) \
  32      OBJECT_CLASS_CHECK(QAuthZClass, (klass), \
  33                         TYPE_QAUTHZ)
  34 #define QAUTHZ_GET_CLASS(obj) \
  35      OBJECT_GET_CLASS(QAuthZClass, (obj), \
  36                       TYPE_QAUTHZ)
  37 #define QAUTHZ(obj) \
  38      OBJECT_CHECK(QAuthZ, (obj), \
  39                   TYPE_QAUTHZ)
  40
  41 typedef struct QAuthZ QAuthZ;
  42 typedef struct QAuthZClass QAuthZClass;
  43
  44 /**
  45  * QAuthZ:
  46  *
  47  * The QAuthZ class defines an API contract to be used
  48  * for providing an authorization driver for services
  49  * with user identities.
  50  */
  51
  52 struct QAuthZ {
  53     Object parent_obj;
  54 };
  55
  56
  57 struct QAuthZClass {
  58     ObjectClass parent_class;
  59
  60     bool (*is_allowed)(QAuthZ *authz,
  61                        const char *identity,
  62                        Error **errp);
  63 };
  64
  65
  66 /**
  67  * qauthz_is_allowed:
  68  * @authz: the authorization object
  69  * @identity: the user identity to authorize
  70  * @errp: pointer to a NULL initialized error object
  71  *
  72  * Check if a user @identity is authorized. If an error
  73  * occurs this method will return false to indicate
  74  * denial, as well as setting @errp to contain the details.
  75  * Callers are recommended to treat the denial and error
  76  * scenarios identically. Specifically the error info in
  77  * @errp should never be fed back to the user being
  78  * authorized, it is merely for benefit of administrator
  79  * debugging.
  80  *
  81  * Returns: true if @identity is authorized, false if denied or if
  82  * an error occurred.
  83  */
  84 bool qauthz_is_allowed(QAuthZ *authz,
  85                        const char *identity,
  86                        Error **errp);
  87
  88
  89 /**
  90  * qauthz_is_allowed_by_id:
  91  * @authzid: ID of the authorization object
  92  * @identity: the user identity to authorize
  93  * @errp: pointer to a NULL initialized error object
  94  *
  95  * Check if a user @identity is authorized. If an error
  96  * occurs this method will return false to indicate
  97  * denial, as well as setting @errp to contain the details.
  98  * Callers are recommended to treat the denial and error
  99  * scenarios identically. Specifically the error info in
 100  * @errp should never be fed back to the user being
 101  * authorized, it is merely for benefit of administrator
 102  * debugging.
 103  *
 104  * Returns: true if @identity is authorized, false if denied or if
 105  * an error occurred.
 106  */
 107 bool qauthz_is_allowed_by_id(const char *authzid,
 108                              const char *identity,
 109                              Error **errp);
 110
 111 #endif /* QAUTHZ_BASE_H__ */
 112