summaryrefslogtreecommitdiffstats
path: root/include/authz/base.h
blob: b53e4e4507eedf25c960b9e3104c6e41ca7eff74 (plain) (blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
/*
 * QEMU authorization framework base class
 *
 * Copyright (c) 2018 Red Hat, Inc.
 *
 * This library is free software; you can redistribute it and/or
 * modify it under the terms of the GNU Lesser General Public
 * License as published by the Free Software Foundation; either
 * version 2.1 of the License, or (at your option) any later version.
 *
 * This library is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
 * Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public
 * License along with this library; if not, see <http://www.gnu.org/licenses/>.
 *
 */

#ifndef QAUTHZ_BASE_H
#define QAUTHZ_BASE_H

#include "qapi/error.h"
#include "qom/object.h"


#define TYPE_QAUTHZ "authz"

OBJECT_DECLARE_TYPE(QAuthZ, QAuthZClass,
                    QAUTHZ)


/**
 * QAuthZ:
 *
 * The QAuthZ class defines an API contract to be used
 * for providing an authorization driver for services
 * with user identities.
 */

struct QAuthZ {
    Object parent_obj;
};


struct QAuthZClass {
    ObjectClass parent_class;

    bool (*is_allowed)(QAuthZ *authz,
                       const char *identity,
                       Error **errp);
};


/**
 * qauthz_is_allowed:
 * @authz: the authorization object
 * @identity: the user identity to authorize
 * @errp: pointer to a NULL initialized error object
 *
 * Check if a user @identity is authorized. If an error
 * occurs this method will return false to indicate
 * denial, as well as setting @errp to contain the details.
 * Callers are recommended to treat the denial and error
 * scenarios identically. Specifically the error info in
 * @errp should never be fed back to the user being
 * authorized, it is merely for benefit of administrator
 * debugging.
 *
 * Returns: true if @identity is authorized, false if denied or if
 * an error occurred.
 */
bool qauthz_is_allowed(QAuthZ *authz,
                       const char *identity,
                       Error **errp);


/**
 * qauthz_is_allowed_by_id:
 * @authzid: ID of the authorization object
 * @identity: the user identity to authorize
 * @errp: pointer to a NULL initialized error object
 *
 * Check if a user @identity is authorized. If an error
 * occurs this method will return false to indicate
 * denial, as well as setting @errp to contain the details.
 * Callers are recommended to treat the denial and error
 * scenarios identically. Specifically the error info in
 * @errp should never be fed back to the user being
 * authorized, it is merely for benefit of administrator
 * debugging.
 *
 * Returns: true if @identity is authorized, false if denied or if
 * an error occurred.
 */
bool qauthz_is_allowed_by_id(const char *authzid,
                             const char *identity,
                             Error **errp);

#endif /* QAUTHZ_BASE_H */