source: TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/config/attributeauthority/sitea/site-a.ini @ 7827

Subversion URL: http://proj.badc.rl.ac.uk/svn/ndg/TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/config/attributeauthority/sitea/site-a.ini@7827
Revision 7827, 5.8 KB checked in by pjkersha, 10 years ago (diff)

Incomplete - task 16: NDG Security 2.x.x - incl. updated Paster templates

  • integrating SQLite test user db into 'Site A' test Attribute Authority
  • Property svn:keywords set to Id
1#
2# Description: PasteDeploy ini file for Attribute Authority Unit tests Site A Server
3#
4# NERC Data Grid Project
5#
6# Author: P J Kershaw
7#
8# Date: 12/09/08
9#
10# Copyright (C) 2010 Science and Technology Facilities Council
11#
12# BSD - See LICENCE file for details
13
14[DEFAULT]
# Keys in [DEFAULT] are visible to every other section of this file through
# %(key)s interpolation.  %(here)s is supplied by PasteDeploy and expands to
# the directory containing this file.
15attributeAuthorityEnvironKeyName = attribute-authority
16attributeQueryInterfaceEnvironKeyName = attributeQueryInterface
17
# This is set to a test SQLite database; alter as needed.  The path is
# resolved relative to this file's location.
# NOTE(review): if this is pointed at a networked database, keep credentials
# out of this file (it is checked into version control).
19dbConnectionString = sqlite:///%(here)s/../../user.db
20
21[server:main]
# Paste's built-in HTTP server, used for the unit tests.
22use = egg:Paste#http
# 0.0.0.0 listens on all network interfaces.  Use 127.0.0.1 to accept only
# local connections when the tests run on a shared host.
23host = 0.0.0.0
24port = 5000
25
26[app:mainApp]
# Innermost WSGI application of the pipeline below.  app_factory lives in the
# test package's sitea_attributeauthority module.
27paste.app_factory = ndg.security.test.config.attributeauthority.sitea.sitea_attributeauthority:app_factory
28
29# Chain of SOAP Middleware filters - Nb. WS-Security filters apply to the SOAP
30# Binding filter only.
# Filters are applied in the order listed: a request passes through
# AttributeAuthorityFilter, then AttributeAuthoritySamlSoapBindingFilter,
# before reaching mainApp.
31[pipeline:main]
32pipeline = AttributeAuthorityFilter AttributeAuthoritySamlSoapBindingFilter mainApp
33
34
35[filter:AttributeAuthorityFilter]
36paste.filter_app_factory = ndg.security.server.wsgi.attributeauthority:AttributeAuthorityMiddleware.filter_app_factory
# Settings for this middleware are the keys below that start with this prefix
# (presumably stripped by filter_app_factory - confirm against the middleware).
37prefix = attributeAuthority.
38
39# Key name by which the WSDL SOAP based interface may reference this
40# service
41attributeAuthority.environKeyName = %(attributeAuthorityEnvironKeyName)s
42
43# Key name for the SAML SOAP binding based interface to reference this
44# service's attribute query method
45attributeAuthority.environKeyNameAttributeQueryInterface: %(attributeQueryInterfaceEnvironKeyName)s
46
47# Attribute Authority settings...
48
49# Lifetime is measured in seconds
# 28800 s = 8 hours.  A longer lifetime extends how long an issued assertion
# stays valid, so keep it as short as clients can tolerate.
50attributeAuthority.assertionLifetime: 28800 
51
52# Attribute Interface - determines how a given attribute query interfaces with a
53# backend database or other persistent store.  The one here is an SQLAlchemy
54# based one.  The database connection string is the global setting - see the
55# DEFAULT section.
56attributeAuthority.attributeInterface.className: ndg.security.server.attributeauthority.SQLAlchemyAttributeInterface
57attributeAuthority.attributeInterface.connectionString: %(dbConnectionString)s
58
59# This does a sanity check to ensure the subject of the query is known to this
60# authority.
# ${userId} is filled in from the subject NameID of the incoming query, i.e.
# client-supplied text.  NOTE(review): confirm that SQLAlchemyAttributeInterface
# passes ${userId} to the database as a bound query parameter rather than
# splicing it into the SQL string; the same applies to every
# samlAttribute2SqlQuery.* entry below.
61attributeAuthority.attributeInterface.samlSubjectSqlQuery = select count(*) from users where openid = '${userId}'
62
63# Map the given SAML attributes identifiers to the equivalent SQL query to
64# retrieve them.  Any number can be set.  They should have the form,
65#
66# attributeAuthority.attributeInterface.samlAttribute2SqlQuery.<id>
67#
68# where <id> can be any unique string.  The userId string is the value passed
69# from the client subject NameID field
# Each value is a pair of double-quoted strings: the SAML attribute name, then
# the SQL query returning its value(s).  The esgGroupRole entry carries a third
# item, which looks like the dotted path of a Python callable used to
# post-process the result - confirm against SQLAlchemyAttributeInterface.  Its
# indented second line is a configparser continuation of the same value.
70attributeAuthority.attributeInterface.samlAttribute2SqlQuery.1 = "urn:esg:first:name" "select firstname from users where openid = '${userId}'"
71attributeAuthority.attributeInterface.samlAttribute2SqlQuery.lastName = "urn:esg:last:name" "select lastname from users where openid = '${userId}'"
72attributeAuthority.attributeInterface.samlAttribute2SqlQuery.emailAddress = "urn:esg:email:address" "select emailaddress from users where openid = '${userId}'"
73attributeAuthority.attributeInterface.samlAttribute2SqlQuery.4 = "urn:siteA:security:authz:1.0:attr" "select attributename from attributes where attributetype = 'urn:siteA:security:authz:1.0:attr' and openid = '${userId}'"
74attributeAuthority.attributeInterface.samlAttribute2SqlQuery.esgGroupRole = 
75        "urn:esg:sitea:grouprole" "select attributename from attributes where attributetype = 'urn:esg:sitea:grouprole' and openid = '${userId}'" "ndg.security.test.unit.dbAttr2ESGFGroupRole"
76
77# Set the permissible requestor Distinguished Names as set in the SAML client
78# query issuer field.  Comment out or remove if this is not required.  Nb.
79# filtering of clients can be more securely applied by whitelisting at the SSL
80# level.
# Comma-separated list; the indented lines are configparser continuations of
# this one value.  The issuer field is asserted by the client, so this list on
# its own does not authenticate requestors - hence the SSL-level advice above.
81attributeAuthority.attributeInterface.samlValidRequestorDNs = /O=Site A/CN=Authorisation Service,/O=Site A/CN=Attribute Authority,
82                                                           /O=Site B/CN=Authorisation Service,
83                                                           /CN=test/O=NDG/OU=BADC,
84                                                           /O=NDG/OU=Security/CN=localhost
85
86# Settings for a test AttributeInterface class
# Alternative attributeInterface for tests that need no database.  Enabling
# these keys would replace the SQLAlchemy className set above.
87#attributeAuthority.attributeInterface.modFilePath: %(here)s
88#attributeAuthority.attributeInterface.className: sitea_attributeinterface.TestUserRoles
89
90# SAML SOAP Binding to the Attribute Authority
91[filter:AttributeAuthoritySamlSoapBindingFilter]
92paste.filter_app_factory = ndg.saml.saml2.binding.soap.server.wsgi.queryinterface:SOAPQueryInterfaceMiddleware.filter_app_factory
# Settings for this middleware are the keys below that start with this prefix.
93prefix = saml.soapbinding.
94
# Callable that turns the incoming XML into an AttributeQuery object.
95saml.soapbinding.deserialise = ndg.saml.xml.etree:AttributeQueryElementTree.fromXML
96
97# Specialisation to incorporate ESG Group/Role type
98saml.soapbinding.serialise = ndg.security.common.saml_utils.esgf.xml.etree:ESGFResponseElementTree.toXML
99
100# Otherwise use default
101#saml.soapbinding.serialise = ndg.saml.xml.etree:AttributeQueryElementTree.toXML
102
# URL path at which the SOAP endpoint is exposed.
103saml.soapbinding.mountPath = /AttributeAuthority
# Must match attributeAuthority.environKeyNameAttributeQueryInterface in the
# filter above; both read the same [DEFAULT] key.
104saml.soapbinding.queryInterfaceKeyName = %(attributeQueryInterfaceEnvironKeyName)s
105
106# Clock skew for SAML Attribute Queries - allow clockSkew number of seconds
107# tolerance for query issueInstant parameter. Set here to 3 minutes
# A larger tolerance accepts older queries; keep it as small as clock
# synchronisation between client and server allows.
108saml.soapbinding.clockSkewTolerance: 180.0
109
# Issuer written into SAML responses; the format URN declares it to be an
# X.509 subject name.
110saml.soapbinding.issuerName: /O=Site A/CN=Attribute Authority
111saml.soapbinding.issuerFormat: urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName
112
113# Logging configuration
# Standard Python logging.config.fileConfig layout: the three "keys" sections
# name the loggers, handlers and formatters configured below.
114[loggers]
115keys = root, ndg
116
# logfile is declared here but no logger below attaches it, so as configured
# it is unused.
117[handlers]
118keys = console, logfile
119
120[formatters]
121keys = generic
122
123[logger_root]
124level = INFO
125handlers = console
126
# Everything under the ndg namespace at DEBUG and above.  No handler of its
# own: records propagate to the root logger's console handler.
127[logger_ndg]
128level = DEBUG
129handlers = 
130qualname = ndg
131
132[handler_console]
133class = StreamHandler
134args = (sys.stderr,)
135level = NOTSET
136formatter = generic
137
# The % fields are Python logging format fields; fileConfig reads this section
# without configparser interpolation.
138[formatter_generic]
139format = %(asctime)s.%(msecs)03d %(levelname)-8.8s [%(name)s:%(lineno)d] %(message)s
140datefmt = %Y/%m/%d %H:%M:%S
141
# RotatingFileHandler(filename, mode, maxBytes, backupCount): 10000-byte files,
# two backups.  The path is relative to the process working directory, not to
# this file; the commented-out variant anchored it with %(here)s instead.
142[handler_logfile]
143class = handlers.RotatingFileHandler
144level=NOTSET
145formatter=generic
146#args=(os.path.join('%(here)s', 'service.log'), 'a', 10000, 2)
147args=(os.path.join('./', 'service.log'), 'a', 10000, 2)