001/* 002 * Copyright (c) 2006-2011 Nuxeo SA (http://nuxeo.com/) and others. 003 * 004 * All rights reserved. This program and the accompanying materials 005 * are made available under the terms of the Eclipse Public License v1.0 006 * which accompanies this distribution, and is available at 007 * http://www.eclipse.org/legal/epl-v10.html 008 * 009 * Contributors: 010 * Nuxeo - initial API and implementation 011 * 012 * $Id$ 013 */ 014package org.nuxeo.runtime.api.login; 015 016import java.util.ArrayList; 017import java.util.Arrays; 018import java.util.List; 019 020import org.apache.commons.logging.Log; 021import org.apache.commons.logging.LogFactory; 022import org.nuxeo.runtime.api.Framework; 023 024/** 025 * Manage restrictions for usage of SystemLogin. 026 * <p> 027 * The main point is to prevent system login from untrusted remote nuxeo runtime instances. 028 * <p> 029 * Restrictions can be adjusted via system properties : 030 * <ul> 031 * <li>org.nuxeo.systemlogin.restrict : true/false (default true) ; turns on/off restrictions 032 * <li>org.nuxeo.systemlogin.trusted.instances : comma separated list of trusted off (default : empty) 033 * </ul> 034 * 035 * @author <a href="mailto:td@nuxeo.com">Thierry Delprat</a> 036 */ 037// FIXME: typos in API names. 038public class SystemLoginRestrictionManager { 039 040 public static final String RESTRICT_REMOTE_SYSTEM_LOGIN_PROP = "org.nuxeo.systemlogin.restrict"; 041 042 public static final String REMOTE_SYSTEM_LOGIN_TRUSTED_INSTANCES_PROP = "org.nuxeo.systemlogin.trusted.instances"; 043 044 public static final String TRUSTED_INSTANCES_SEP = ","; 045 046 protected static final Log log = LogFactory.getLog(SystemLoginRestrictionManager.class); 047 048 protected Boolean restrictRemoteSystemLogin; 049 050 protected List<String> allowedInstancesForSystemLogin; 051 052 public boolean isRemoteSystemLoginRestricted() { 053 if (restrictRemoteSystemLogin == null) { 054 String prop = Framework.getProperty(RESTRICT_REMOTE_SYSTEM_LOGIN_PROP, "true"); 055 this.restrictRemoteSystemLogin = !prop.equalsIgnoreCase("false"); 056 } 057 return restrictRemoteSystemLogin.booleanValue(); 058 } 059 060 public List<String> getAllowedInstanceForSystemLogin() { 061 if (allowedInstancesForSystemLogin == null) { 062 String instanceKeys = Framework.getProperty(REMOTE_SYSTEM_LOGIN_TRUSTED_INSTANCES_PROP, null); 063 if (instanceKeys != null) { 064 instanceKeys = instanceKeys.trim(); 065 if (instanceKeys.endsWith(TRUSTED_INSTANCES_SEP)) { 066 instanceKeys = instanceKeys.substring(0, instanceKeys.length() - 1); 067 } 068 allowedInstancesForSystemLogin = Arrays.asList(instanceKeys.split(TRUSTED_INSTANCES_SEP)); 069 } else { 070 allowedInstancesForSystemLogin = new ArrayList<String>(); 071 } 072 } 073 return allowedInstancesForSystemLogin; 074 } 075 076 public boolean isRemoveSystemLoginAllowedForInstance(String instanceId) { 077 return getAllowedInstanceForSystemLogin().contains(instanceId); 078 } 079 080}