source: TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/config/attributeauthority/sitea/site-a.ini @ 7829


Incomplete - task 16: NDG Security 2.x.x - incl. updated Paster templates

  • Completed Attribute Service template and tested standalone
  • Property svn:keywords set to Id
#
# Description: PasteDeploy ini file for the Attribute Authority unit tests - Site A server
#
# NERC Data Grid Project
#
# Author: P J Kershaw
#
# Date: 12/09/08
#
# Copyright (C) 2010 Science and Technology Facilities Council
#
# BSD - See LICENCE file for details

[DEFAULT]
# configparser fallback section: the keys below are visible from every other
# section through %(name)s interpolation, e.g. %(dbConnectionString)s in
# [filter:AttributeAuthorityFilter].

# Environ key names shared by the Attribute Authority middleware and the SAML
# SOAP binding filter so that the two can find each other in the WSGI environ.
attributeAuthorityEnvironKeyName = attribute-authority
attributeQueryInterfaceEnvironKeyName = attributeQueryInterface

# SQLAlchemy connection URL for the attribute store.  %(here)s is substituted
# by PasteDeploy with the directory containing this file.  This is set to a
# test SQLite database; alter as needed.
dbConnectionString = sqlite:///%(here)s/../../user.db

[server:main]
# Paste's built-in HTTP server, used for the standalone unit-test runs.
use = egg:Paste#http
# 0.0.0.0 listens on every interface, so the test service is reachable from the
# network and not only from this host; use 127.0.0.1 if it should stay local.
host = 0.0.0.0
# TCP port (1-65535)
port = 5000

[app:AttributeAuthorityStaticContent]
# Terminal application of the pipeline: requests that pass through the filters
# end up here and are served as static files from document_root.
use = egg:Paste#static
document_root = %(here)s/public

# Chain of middleware filters.  Paste applies the filters in the order listed,
# so a request passes through AttributeAuthorityFilter first, then the SAML
# SOAP binding filter, and finally reaches the static-content application,
# which must be the last entry.
[pipeline:main]
pipeline = AttributeAuthorityFilter AttributeAuthoritySamlSoapBindingFilter AttributeAuthorityStaticContent


[filter:AttributeAuthorityFilter]
# Attribute Authority middleware.  Note this section mixes the ":" and "="
# key/value delimiters; configparser accepts both, but "=" is the portable one.
paste.filter_app_factory = ndg.security.server.wsgi.attributeauthority:AttributeAuthorityMiddleware.filter_app_factory
# Settings below that start with this prefix are handed to the middleware.
prefix = attributeAuthority.

# Key name by which the WSDL SOAP based interface may reference this
# service
attributeAuthority.environKeyName = %(attributeAuthorityEnvironKeyName)s

# Key name for the SAML SOAP binding based interface to reference this
# service's attribute query method.  It must match
# saml.soapbinding.queryInterfaceKeyName in the SOAP binding filter section;
# both take the value from the DEFAULT section.
attributeAuthority.environKeyNameAttributeQueryInterface: %(attributeQueryInterfaceEnvironKeyName)s

# Attribute Authority settings...

# Lifetime of issued assertions, measured in seconds (28800 = 8 hours)
attributeAuthority.assertionLifetime: 28800 

# Attribute Interface - determines how a given attribute query interfaces with a
# backend database or other persistent store.  The one here is an SQLAlchemy
# based one.  The database connection string is the global setting - see the
# DEFAULT section.
attributeAuthority.attributeInterface.className: ndg.security.server.attributeauthority.SQLAlchemyAttributeInterface
attributeAuthority.attributeInterface.connectionString: %(dbConnectionString)s

# Sanity check to ensure the subject of the query is known to this authority.
# ${userId} is not configparser syntax (only %(...)s is interpolated in this
# file); it is a placeholder filled in by the attribute interface with the
# subject NameID sent by the client.
# NOTE(review): that NameID is client supplied and is substituted into the SQL
# text, so the attribute interface must bind or escape it rather than splice
# the raw string into the statement - confirm in SQLAlchemyAttributeInterface.
# The same applies to every samlAttribute2SqlQuery entry below.
attributeAuthority.attributeInterface.samlSubjectSqlQuery = select count(*) from users where openid = '${userId}'

# Map the given SAML attribute identifiers to the equivalent SQL query to
# retrieve them.  Any number can be set.  They should have the form,
#
# attributeAuthority.attributeInterface.samlAttribute2SqlQuery.<id>
#
# where <id> can be any unique string.  The userId string is the value passed
# from the client subject NameID field.  Each value consists of double quoted
# space delimited entries.  The first entry is the attribute type, the second
# is the SQL query needed to retrieve the attributes for the given type and
# user id.  A third entry may be added to specify a conversion routine which
# converts the retrieved attribute value(s) into a SAML Attribute Value instance.
# If this is omitted, then the retrieved value is converted by default into an
# xs:string type.  All the options below are set to do this apart from the last
# which uses a special test routine to convert to the ESGF Group/Role Attribute
# Value type.
attributeAuthority.attributeInterface.samlAttribute2SqlQuery.1 = "urn:esg:first:name" "select firstname from users where openid = '${userId}'"
attributeAuthority.attributeInterface.samlAttribute2SqlQuery.lastName = "urn:esg:last:name" "select lastname from users where openid = '${userId}'"
attributeAuthority.attributeInterface.samlAttribute2SqlQuery.emailAddress = "urn:esg:email:address" "select emailaddress from users where openid = '${userId}'"
attributeAuthority.attributeInterface.samlAttribute2SqlQuery.4 = "urn:siteA:security:authz:1.0:attr" "select attributename from attributes where attributetype = 'urn:siteA:security:authz:1.0:attr' and openid = '${userId}'"
# The value of this entry is entirely on the indented continuation line below;
# configparser joins an indented line onto the preceding key's value.
attributeAuthority.attributeInterface.samlAttribute2SqlQuery.esgGroupRole = 
        "urn:esg:sitea:grouprole" "select attributename from attributes where attributetype = 'urn:esg:sitea:grouprole' and openid = '${userId}'" "ndg.security.test.unit.dbAttr2ESGFGroupRole"

# Set the permissible requestor Distinguished Names as given in the SAML client
# query issuer field.  The list is comma separated and continues over the
# indented lines below.  Comment out or remove if this is not required
# (presumably the issuer check is then skipped - confirm in the attribute
# interface).  NB: filtering of clients can be applied more securely by
# whitelisting at the SSL level.
attributeAuthority.attributeInterface.samlValidRequestorDNs = /O=Site A/CN=Authorisation Service,/O=Site A/CN=Attribute Authority,
                                                           /O=Site B/CN=Authorisation Service,
                                                           /CN=test/O=NDG/OU=BADC,
                                                           /O=NDG/OU=Security/CN=localhost

# Alternative test AttributeInterface class.  This uses fixed parameter values
# instead of a database.  To use it, replace the SQLAlchemy className line
# above rather than adding a second className key - duplicate-key handling is
# parser dependent.
#attributeAuthority.attributeInterface.modFilePath: %(here)s
#attributeAuthority.attributeInterface.className: sitea_attributeinterface.TestUserRoles

# SAML SOAP Binding to the Attribute Authority
[filter:AttributeAuthoritySamlSoapBindingFilter]
paste.filter_app_factory = ndg.saml.saml2.binding.soap.server.wsgi.queryinterface:SOAPQueryInterfaceMiddleware.filter_app_factory
# Settings below that start with this prefix are handed to the middleware.
prefix = saml.soapbinding.

# module:Class.method reference used to parse the incoming SAML attribute query
saml.soapbinding.deserialise = ndg.saml.xml.etree:AttributeQueryElementTree.fromXML

# Specialisation to incorporate the ESG Group/Role type when serialising the
# response
saml.soapbinding.serialise = ndg.security.common.saml_utils.esgf.xml.etree:ESGFResponseElementTree.toXML

# Otherwise use the default, plain SAML serialisation
#saml.soapbinding.serialise = ndg.saml.xml.etree:AttributeQueryElementTree.toXML

# URL path at which the SOAP binding answers attribute queries
saml.soapbinding.mountPath = /AttributeAuthority
# Environ key under which the Attribute Authority filter publishes its query
# interface; must match attributeAuthority.environKeyNameAttributeQueryInterface
# in that filter's section (both take the value from DEFAULT).
saml.soapbinding.queryInterfaceKeyName = %(attributeQueryInterfaceEnvironKeyName)s

# Clock skew for SAML Attribute Queries - allow clockSkewTolerance seconds of
# tolerance for the query issueInstant parameter.  Set here to 3 minutes.
saml.soapbinding.clockSkewTolerance: 180.0

# Issuer identity for this service, expressed as an X.509 subject name as
# declared by issuerFormat; presumably placed in the Issuer element of the
# responses it sends.
saml.soapbinding.issuerName: /O=Site A/CN=Attribute Authority
saml.soapbinding.issuerFormat: urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName

# Logging configuration, in the logging.config.fileConfig layout.  The
# %(here)s default used by handler_logfile is presumably supplied by the paster
# serve loader when it reads this logging configuration.
[loggers]
keys = root, ndg

[handlers]
# logfile is declared here but no logger below attaches it, so only the console
# handler is active unless a logger's handlers list is changed.
keys = console, logfile

[formatters]
keys = generic

[logger_root]
level = INFO
handlers = console

# Logger for the ndg package: it has no handlers of its own, so its records
# propagate up to the root console handler.  DEBUG here means everything from
# ndg.* is passed on.
[logger_ndg]
level = DEBUG
handlers = 
qualname = ndg

# Writes to stderr; NOTSET means the handler itself does not filter by level.
[handler_console]
class = StreamHandler
args = (sys.stderr,)
level = NOTSET
formatter = generic

[formatter_generic]
# fileConfig reads format and datefmt raw, so the % specifiers need no %%
# escaping even though configparser interpolation is used elsewhere in this
# file.
format = %(asctime)s.%(msecs)03d %(levelname)-8.8s [%(name)s:%(lineno)d] %(message)s
datefmt = %Y/%m/%d %H:%M:%S

# Rotating log file: service.log next to this ini file, opened in append mode,
# rotated at 10000 bytes with 2 backups kept.  The "key=value" spacing differs
# from the rest of the file; configparser accepts both.
[handler_logfile]
class = handlers.RotatingFileHandler
level=NOTSET
formatter=generic
args=(os.path.join('%(here)s', 'service.log'), 'a', 10000, 2)