Merge remote-tracking branch 'remotes/bonzini-gitlab/tags/for-upstream' into staging
[qemu.git] / include / authz / base.h
1 /*
2 * QEMU authorization framework base class
3 *
4 * Copyright (c) 2018 Red Hat, Inc.
5 *
6 * This library is free software; you can redistribute it and/or
7 * modify it under the terms of the GNU Lesser General Public
8 * License as published by the Free Software Foundation; either
9 * version 2.1 of the License, or (at your option) any later version.
10 *
11 * This library is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
14 * Lesser General Public License for more details.
15 *
16 * You should have received a copy of the GNU Lesser General Public
17 * License along with this library; if not, see <http://www.gnu.org/licenses/>.
18 *
19 */
20
21 #ifndef QAUTHZ_BASE_H
22 #define QAUTHZ_BASE_H
23
24 #include "qapi/error.h"
25 #include "qom/object.h"
26
27
28 #define TYPE_QAUTHZ "authz"
29
30 OBJECT_DECLARE_TYPE(QAuthZ, QAuthZClass,
31 QAUTHZ)
32
33
34 /**
35 * QAuthZ:
36 *
37 * The QAuthZ class defines an API contract to be used
38 * for providing an authorization driver for services
39 * with user identities.
40 */
41
42 struct QAuthZ {
43 Object parent_obj;
44 };
45
46
47 struct QAuthZClass {
48 ObjectClass parent_class;
49
50 bool (*is_allowed)(QAuthZ *authz,
51 const char *identity,
52 Error **errp);
53 };
54
55
56 /**
57 * qauthz_is_allowed:
58 * @authz: the authorization object
59 * @identity: the user identity to authorize
60 * @errp: pointer to a NULL initialized error object
61 *
62 * Check if a user @identity is authorized. If an error
63 * occurs this method will return false to indicate
64 * denial, as well as setting @errp to contain the details.
65 * Callers are recommended to treat the denial and error
66 * scenarios identically. Specifically the error info in
67 * @errp should never be fed back to the user being
68 * authorized, it is merely for benefit of administrator
69 * debugging.
70 *
71 * Returns: true if @identity is authorized, false if denied or if
72 * an error occurred.
73 */
74 bool qauthz_is_allowed(QAuthZ *authz,
75 const char *identity,
76 Error **errp);
77
78
79 /**
80 * qauthz_is_allowed_by_id:
81 * @authzid: ID of the authorization object
82 * @identity: the user identity to authorize
83 * @errp: pointer to a NULL initialized error object
84 *
85 * Check if a user @identity is authorized. If an error
86 * occurs this method will return false to indicate
87 * denial, as well as setting @errp to contain the details.
88 * Callers are recommended to treat the denial and error
89 * scenarios identically. Specifically the error info in
90 * @errp should never be fed back to the user being
91 * authorized, it is merely for benefit of administrator
92 * debugging.
93 *
94 * Returns: true if @identity is authorized, false if denied or if
95 * an error occurred.
96 */
97 bool qauthz_is_allowed_by_id(const char *authzid,
98 const char *identity,
99 Error **errp);
100
101 #endif /* QAUTHZ_BASE_H */