Source code

001/*
002 * Copyright (c) 2006-2011 Nuxeo SA (http://nuxeo.com/) and others.
003 *
004 * All rights reserved. This program and the accompanying materials
005 * are made available under the terms of the Eclipse Public License v1.0
006 * which accompanies this distribution, and is available at
007 * http://www.eclipse.org/legal/epl-v10.html
008 *
009 * Contributors:
010 *     Nuxeo - initial API and implementation
011 *
012 * $Id$
013 */
014package org.nuxeo.runtime.api.login;
015
016import java.util.ArrayList;
017import java.util.Arrays;
018import java.util.List;
019
020import org.apache.commons.logging.Log;
021import org.apache.commons.logging.LogFactory;
022import org.nuxeo.runtime.api.Framework;
023
024/**
025 * Manage restrictions for usage of SystemLogin.
026 * <p>
027 * The main point is to prevent system login from untrusted remote nuxeo runtime instances.
028 * <p>
029 * Restrictions can be adjusted via system properties :
030 * <ul>
031 * <li>org.nuxeo.systemlogin.restrict : true/false (default true) ; turns on/off restrictions
032 * <li>org.nuxeo.systemlogin.trusted.instances : comma separated list of trusted off (default : empty)
033 * </ul>
034 *
035 * @author <a href="mailto:td@nuxeo.com">Thierry Delprat</a>
036 */
037// FIXME: typos in API names.
038public class SystemLoginRestrictionManager {
039
040    public static final String RESTRICT_REMOTE_SYSTEM_LOGIN_PROP = "org.nuxeo.systemlogin.restrict";
041
042    public static final String REMOTE_SYSTEM_LOGIN_TRUSTED_INSTANCES_PROP = "org.nuxeo.systemlogin.trusted.instances";
043
044    public static final String TRUSTED_INSTANCES_SEP = ",";
045
046    protected static final Log log = LogFactory.getLog(SystemLoginRestrictionManager.class);
047
048    protected Boolean restrictRemoteSystemLogin;
049
050    protected List<String> allowedInstancesForSystemLogin;
051
052    public boolean isRemoteSystemLoginRestricted() {
053        if (restrictRemoteSystemLogin == null) {
054            String prop = Framework.getProperty(RESTRICT_REMOTE_SYSTEM_LOGIN_PROP, "true");
055            this.restrictRemoteSystemLogin = !prop.equalsIgnoreCase("false");
056        }
057        return restrictRemoteSystemLogin.booleanValue();
058    }
059
060    public List<String> getAllowedInstanceForSystemLogin() {
061        if (allowedInstancesForSystemLogin == null) {
062            String instanceKeys = Framework.getProperty(REMOTE_SYSTEM_LOGIN_TRUSTED_INSTANCES_PROP, null);
063            if (instanceKeys != null) {
064                instanceKeys = instanceKeys.trim();
065                if (instanceKeys.endsWith(TRUSTED_INSTANCES_SEP)) {
066                    instanceKeys = instanceKeys.substring(0, instanceKeys.length() - 1);
067                }
068                allowedInstancesForSystemLogin = Arrays.asList(instanceKeys.split(TRUSTED_INSTANCES_SEP));
069            } else {
070                allowedInstancesForSystemLogin = new ArrayList<String>();
071            }
072        }
073        return allowedInstancesForSystemLogin;
074    }
075
076    public boolean isRemoveSystemLoginAllowedForInstance(String instanceId) {
077        return getAllowedInstanceForSystemLogin().contains(instanceId);
078    }
079
080}