source: TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/config/attributeauthority/sitea/site-a.ini @ 7828

Subversion URL: http://proj.badc.rl.ac.uk/svn/ndg/TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/config/attributeauthority/sitea/site-a.ini@7828
Revision 7828, 6.4 KB checked in by pjkersha, 10 years ago (diff)

Incomplete - task 16: NDG Security 2.x.x - incl. updated Paster templates

  • improved ndg.security.server.attributeauthority.SQLAlchemyAttributeInterface so that it can retrieve attributes and set them into custom SAML Attribute Value types. Previously it only supported xs:string type values. Custom types can be set by specifying a special callback set in the samlAttributeSqlQuery property or via the equivalent ini file option. - See site-a.ini
  • Unit test site-a attribute authority now uses the SQLite test user db instead of fixed constants from the unit test base class. This makes it easier to customise into a paster ini template.
  • Property svn:keywords set to Id
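#
# Description: PasteDeploy ini file for Attribute Authority Unit tests Site A Server
#
# NERC Data Grid Project
#
# Author: P J Kershaw
#
# Date: 12/09/08
#
# Copyright (C) 2010 Science and Technology Facilities Council
#
# BSD - See LICENCE file for details
#
# Parser notes: this file is read by PasteDeploy, a Python configparser
# dialect - "#" full-line comments, "=" delimiter, "%(name)s" expands a key
# from the [DEFAULT] section and "%(here)s" is PasteDeploy's value for the
# directory holding this file.  "${userId}" is NOT ini interpolation: it is a
# placeholder substituted by the attribute interface at query time (see the
# SQL query options below).  Commented-out lines are never interpolated.

# Globals - visible to every section through %(name)s
[DEFAULT]
attributeAuthorityEnvironKeyName = attribute-authority
attributeQueryInterfaceEnvironKeyName = attributeQueryInterface

# This is set to a test SQLite database - alter as needed.  If it is ever
# replaced by a URL carrying database credentials, treat this file as a secret
# (restrict its permissions and keep it out of version control).
dbConnectionString = sqlite:///%(here)s/../../user.db

[server:main]
use = egg:Paste#http
# 0.0.0.0 listens on every interface of the test host; 127.0.0.1 is enough
# when the unit tests only connect locally.
host = 0.0.0.0
port = 5000

[app:mainApp]
paste.app_factory = ndg.security.test.config.attributeauthority.sitea.sitea_attributeauthority:app_factory

# Chain of SOAP Middleware filters - Nb. WS-Security filters apply to the SOAP
# Binding filter only.  Requests traverse the filters left to right before
# reaching mainApp.
[pipeline:main]
pipeline = AttributeAuthorityFilter AttributeAuthoritySamlSoapBindingFilter mainApp


[filter:AttributeAuthorityFilter]
paste.filter_app_factory = ndg.security.server.wsgi.attributeauthority:AttributeAuthorityMiddleware.filter_app_factory
# Option names carrying this prefix are the ones handed to the middleware
prefix = attributeAuthority.

# Key name by which the WSDL SOAP based interface may reference this
# service
attributeAuthority.environKeyName = %(attributeAuthorityEnvironKeyName)s

# Key name for the SAML SOAP binding based interface to reference this
# service's attribute query method
attributeAuthority.environKeyNameAttributeQueryInterface = %(attributeQueryInterfaceEnvironKeyName)s

# Attribute Authority settings...

# Lifetime of issued assertions, measured in seconds (28800 = 8 hours).  It
# bounds how long a relying party keeps accepting an assertion, so keep it as
# short as the consumers allow.
attributeAuthority.assertionLifetime = 28800

# Attribute Interface - determines how a given attribute query interfaces with a
# backend database or other persistent store.  The one here is an SQLAlchemy
# based one.  The database connection string is the global setting - see the
# DEFAULT section.
attributeAuthority.attributeInterface.className = ndg.security.server.attributeauthority.SQLAlchemyAttributeInterface
attributeAuthority.attributeInterface.connectionString = %(dbConnectionString)s

# This does a sanity check to ensure the subject of the query is known to this
# authority.  ${userId} is taken from the client-supplied SAML subject NameID.
# NOTE(review): confirm that SQLAlchemyAttributeInterface binds ${userId} as a
# query parameter rather than splicing it into the SQL text - the safety of
# every query in this section rests on that substitution.
attributeAuthority.attributeInterface.samlSubjectSqlQuery = select count(*) from users where openid = '${userId}'

# Map the given SAML attribute identifiers to the equivalent SQL query to
# retrieve them.  Any number can be set.  They should have the form,
#
# attributeAuthority.attributeInterface.samlAttribute2SqlQuery.<id>
#
# where <id> can be any unique string (configparser rejects a repeated key).
# The userId string is the value passed from the client subject NameID field.
# Each value consists of double quoted space delimited entries; the quotes are
# literal to configparser and are parsed by the attribute interface.  The
# first entry is the attribute type, the second is the SQL query needed to
# retrieve the attributes for the given type and user id.  A third entry may
# be added to specify a conversion routine which converts the retrieved
# attribute value(s) into a SAML Attribute Value instance.  If this is
# omitted, then the retrieved value is converted by default into an xs:string
# type.  All the options below are set to do this apart from the last which
# uses a special test routine to convert to the ESGF Group/Role Attribute
# Value type.  The last value is split over two lines: the indented line is a
# configparser continuation of the (otherwise empty) first line.
attributeAuthority.attributeInterface.samlAttribute2SqlQuery.1 = "urn:esg:first:name" "select firstname from users where openid = '${userId}'"
attributeAuthority.attributeInterface.samlAttribute2SqlQuery.lastName = "urn:esg:last:name" "select lastname from users where openid = '${userId}'"
attributeAuthority.attributeInterface.samlAttribute2SqlQuery.emailAddress = "urn:esg:email:address" "select emailaddress from users where openid = '${userId}'"
attributeAuthority.attributeInterface.samlAttribute2SqlQuery.4 = "urn:siteA:security:authz:1.0:attr" "select attributename from attributes where attributetype = 'urn:siteA:security:authz:1.0:attr' and openid = '${userId}'"
attributeAuthority.attributeInterface.samlAttribute2SqlQuery.esgGroupRole = 
        "urn:esg:sitea:grouprole" "select attributename from attributes where attributetype = 'urn:esg:sitea:grouprole' and openid = '${userId}'" "ndg.security.test.unit.dbAttr2ESGFGroupRole"

# Set the permissible requestor Distinguished Names as set in the SAML client
# query issuer field.  Comment out or remove if this is not required.  Nb.
# filtering of clients can be more securely applied by whitelisting at the SSL
# level - the issuer field alone is only as trustworthy as the transport that
# authenticated the client.  Entries are comma separated; continuation lines
# must be indented so configparser joins them onto the value.
attributeAuthority.attributeInterface.samlValidRequestorDNs = /O=Site A/CN=Authorisation Service,/O=Site A/CN=Attribute Authority,
    /O=Site B/CN=Authorisation Service,
    /CN=test/O=NDG/OU=BADC,
    /O=NDG/OU=Security/CN=localhost

# Settings for a test AttributeInterface class - enable these (and disable the
# SQLAlchemy className above) to run against fixed test roles instead of the
# database.
#attributeAuthority.attributeInterface.modFilePath = %(here)s
#attributeAuthority.attributeInterface.className = sitea_attributeinterface.TestUserRoles

# SAML SOAP Binding to the Attribute Authority
[filter:AttributeAuthoritySamlSoapBindingFilter]
paste.filter_app_factory = ndg.saml.saml2.binding.soap.server.wsgi.queryinterface:SOAPQueryInterfaceMiddleware.filter_app_factory
prefix = saml.soapbinding.

# Callable used to parse the incoming SAML attribute query
saml.soapbinding.deserialise = ndg.saml.xml.etree:AttributeQueryElementTree.fromXML

# Specialisation to incorporate ESG Group/Role type
saml.soapbinding.serialise = ndg.security.common.saml_utils.esgf.xml.etree:ESGFResponseElementTree.toXML

# Otherwise use default
#saml.soapbinding.serialise = ndg.saml.xml.etree:AttributeQueryElementTree.toXML

saml.soapbinding.mountPath = /AttributeAuthority
saml.soapbinding.queryInterfaceKeyName = %(attributeQueryInterfaceEnvironKeyName)s

# Clock skew for SAML Attribute Queries - allow clockSkew number of seconds
# tolerance for query issueInstant parameter. Set here to 3 minutes.  Keep it
# small: it also sets how old a query's issueInstant may be and still be
# accepted.
saml.soapbinding.clockSkewTolerance = 180.0

# Issuer written into responses; the format says the name is an X.509 subject DN
saml.soapbinding.issuerName = /O=Site A/CN=Attribute Authority
saml.soapbinding.issuerFormat = urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName

# Logging configuration - the sections from here on are in the format consumed
# by logging.config.fileConfig, which paster serve applies when a [loggers]
# section is present.
[loggers]
keys = root, ndg

[handlers]
keys = console, logfile

[formatters]
keys = generic

[logger_root]
level = INFO
handlers = console

# No handlers of its own: records propagate up to the root logger's console
# handler (logger propagate defaults to on).
[logger_ndg]
level = DEBUG
handlers = 
qualname = ndg

[handler_console]
class = StreamHandler
args = (sys.stderr,)
level = NOTSET
formatter = generic

# fileConfig reads format and datefmt raw, so the %(...)s fields below are
# logging format fields, not ini interpolation.
[formatter_generic]
format = %(asctime)s.%(msecs)03d %(levelname)-8.8s [%(name)s:%(lineno)d] %(message)s
datefmt = %Y/%m/%d %H:%M:%S

# Defined but not attached to any logger above; add it to a handlers list to
# use it.  The log path is relative to the working directory of the process,
# not to this file - the commented variant anchors it on %(here)s instead.
[handler_logfile]
class = handlers.RotatingFileHandler
level = NOTSET
formatter = generic
#args = (os.path.join('%(here)s', 'service.log'), 'a', 10000, 2)
args = (os.path.join('./', 'service.log'), 'a', 10000, 2)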