001/*
002 * (C) Copyright 2006-2011 Nuxeo SA (http://nuxeo.com/) and others.
003 *
004 * Licensed under the Apache License, Version 2.0 (the "License");
005 * you may not use this file except in compliance with the License.
006 * You may obtain a copy of the License at
007 *
008 *     http://www.apache.org/licenses/LICENSE-2.0
009 *
010 * Unless required by applicable law or agreed to in writing, software
011 * distributed under the License is distributed on an "AS IS" BASIS,
012 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
013 * See the License for the specific language governing permissions and
014 * limitations under the License.
015 *
016 * Contributors:
017 *     Nuxeo - initial API and implementation
018 *
019 * $Id$
020 */
021package org.nuxeo.runtime.api.login;
022
023import java.util.ArrayList;
024import java.util.Arrays;
025import java.util.List;
026
027import org.apache.commons.logging.Log;
028import org.apache.commons.logging.LogFactory;
029import org.nuxeo.runtime.api.Framework;
030
031/**
032 * Manage restrictions for usage of SystemLogin.
033 * <p>
034 * The main point is to prevent system login from untrusted remote nuxeo runtime instances.
035 * <p>
036 * Restrictions can be adjusted via system properties :
037 * <ul>
038 * <li>org.nuxeo.systemlogin.restrict : true/false (default true) ; turns on/off restrictions
039 * <li>org.nuxeo.systemlogin.trusted.instances : comma separated list of trusted off (default : empty)
040 * </ul>
041 *
042 * @author <a href="mailto:td@nuxeo.com">Thierry Delprat</a>
043 */
044// FIXME: typos in API names.
045public class SystemLoginRestrictionManager {
046
047    public static final String RESTRICT_REMOTE_SYSTEM_LOGIN_PROP = "org.nuxeo.systemlogin.restrict";
048
049    public static final String REMOTE_SYSTEM_LOGIN_TRUSTED_INSTANCES_PROP = "org.nuxeo.systemlogin.trusted.instances";
050
051    public static final String TRUSTED_INSTANCES_SEP = ",";
052
053    protected static final Log log = LogFactory.getLog(SystemLoginRestrictionManager.class);
054
055    protected Boolean restrictRemoteSystemLogin;
056
057    protected List<String> allowedInstancesForSystemLogin;
058
059    public boolean isRemoteSystemLoginRestricted() {
060        if (restrictRemoteSystemLogin == null) {
061            String prop = Framework.getProperty(RESTRICT_REMOTE_SYSTEM_LOGIN_PROP, "true");
062            this.restrictRemoteSystemLogin = !prop.equalsIgnoreCase("false");
063        }
064        return restrictRemoteSystemLogin.booleanValue();
065    }
066
067    public List<String> getAllowedInstanceForSystemLogin() {
068        if (allowedInstancesForSystemLogin == null) {
069            String instanceKeys = Framework.getProperty(REMOTE_SYSTEM_LOGIN_TRUSTED_INSTANCES_PROP, null);
070            if (instanceKeys != null) {
071                instanceKeys = instanceKeys.trim();
072                if (instanceKeys.endsWith(TRUSTED_INSTANCES_SEP)) {
073                    instanceKeys = instanceKeys.substring(0, instanceKeys.length() - 1);
074                }
075                allowedInstancesForSystemLogin = Arrays.asList(instanceKeys.split(TRUSTED_INSTANCES_SEP));
076            } else {
077                allowedInstancesForSystemLogin = new ArrayList<String>();
078            }
079        }
080        return allowedInstancesForSystemLogin;
081    }
082
083    public boolean isRemoveSystemLoginAllowedForInstance(String instanceId) {
084        return getAllowedInstanceForSystemLogin().contains(instanceId);
085    }
086
087}