source: TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/config/authorisationservice/authorisation-service.ini @ 7877

Subversion URL: http://proj.badc.rl.ac.uk/svn/ndg/TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/config/authorisationservice/authorisation-service.ini@7877
Revision 7877, 7.0 KB checked in by pjkersha, 10 years ago (diff)
  • ndg.security.common.utils.pyopenssl: PyOpenSSL based implementations of SSL Socket and HTTPSConnection compatible with httplib/urllib2
  • ndg.security.server.attributeauthority: tidying and refactoring, incls fix for SAML assertion issuer format - now reflects Response.Issuer format set be query interface caller
  • test attribute and authorisation services - fixed logging format
  • Property svn:keywords set to Id
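#
# Description: NDG Security Authorisation Service for unit tests
#
# Author: P J Kershaw
#
# Date: 16/11/10
#
# Copyright: STFC 2010
#
# Licence: BSD - See top-level LICENCE file for licence details
#
# This is a Paste Deploy configuration: %(name)s references are expanded from
# the containing section and from [DEFAULT].  The %(here)s variable will be
# replaced with the parent directory of this file.
#
# NOTE(security): this is a TEST configuration.  It identifies itself as
# CN=localhost, uses the shared test PKI under ../pki and logs at DEBUG level.
# Do not reuse it unchanged for a deployed service.
#
[DEFAULT]
# environ key under which the AuthorisationServiceFilter publishes its
# decision callback and from which the SAML SOAP query filter reads it
authorisationDecisionFuncEnvironKeyName = saml.authz.queryInterfaceEnvironKey

# Name of this authorisation service and the format of the name.  Both are
# written into the Issuer of SAML queries/responses, so any party that checks
# the issuer of a decision statement must presumably be configured with the
# same value.

# This name must follow X.509 Subject Name format when 'samlIssuerFormat' is
# set to the X509SubjectName URN as shown
samlIssuerName = O=NDG, OU=Security, CN=localhost
samlIssuerFormat = urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName

# Root of the shared test configuration (holds the pki/ directory used below).
# No trailing slash, so that %(testConfigDir)s/pki joins without a double '/'
testConfigDir = %(here)s/..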
[server:main]
# NOTE(security): 0.0.0.0 binds every interface, so this test service - plain
# HTTP, DEBUG logging, test PKI - is reachable from the network, not just from
# the test process.  Use 127.0.0.1 when the tests only ever connect via
# localhost.
host = 0.0.0.0
port = 5100
# Paste's bundled HTTP server; no TLS at this layer
use = egg:Paste#http
31
# Terminal application of the pipeline.  Static content can be added here if
# required, but note that none is needed for the service to function.
[app:AuthorisationServiceStaticContent]
# NOTE(security): whatever lies under document_root is served to anyone who
# can reach the port - keep keys, policy files and logs out of it
document_root = %(here)s/public
use = egg:Paste#static
# Request pipeline, outermost first: the authorisation service filter wraps the
# SAML/SOAP query filter, which wraps the static content application.  The
# order matters - the authorisation filter must run first so that its decision
# callback is already in environ when the SAML query filter looks for it.
[pipeline:main]
pipeline = AuthorisationServiceFilter SAMLSoapAuthzDecisionInterfaceFilter AuthorisationServiceStaticContent
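#______________________________________________________________________________
# SAML/SOAP query interface to the Authorisation Service
#
# NOTE(security): in this test set-up the endpoint is served over plain HTTP
# (see [server:main]), so decision queries and responses are neither
# authenticated nor protected in transit.  Front it with TLS anywhere other
# than the unit tests.
[filter:SAMLSoapAuthzDecisionInterfaceFilter]
paste.filter_app_factory = ndg.saml.saml2.binding.soap.server.wsgi.queryinterface:SOAPQueryInterfaceMiddleware.filter_app_factory
prefix = saml.

# The URI path for this service
saml.mountPath = /authorisation-service

# The key name in environ which the upstream authorisation service must assign
# to its authorisation query callback (shared value from [DEFAULT])
saml.queryInterfaceKeyName = %(authorisationDecisionFuncEnvironKeyName)s

# ElementTree based XML parsing and serialisation used for SAML messages.
# NOTE(review): the deserialiser parses XML sent by remote PEPs - confirm the
# underlying parser neither resolves external entities nor expands nested
# entities without bound.
saml.deserialise = ndg.saml.xml.etree:AuthzDecisionQueryElementTree.fromXML
saml.serialise = ndg.saml.xml.etree:ResponseElementTree.toXML

# Sets the identity of THIS authorisation service when filling in SAML
# responses.  Taken from [DEFAULT] so it matches the context handler's issuer
# in the AuthorisationServiceFilter section.
saml.issuerName = %(samlIssuerName)s
saml.issuerFormat = %(samlIssuerFormat)s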
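#______________________________________________________________________________
# Authorisation Service WSGI settings
[filter:AuthorisationServiceFilter]
# This filter is a container for a binding to a SOAP/SAML based interface to the
# Authorisation Service.  It contains a XACML Context handler which manages
# requests from Policy Enforcement Points (PEPs) to the Policy Decision Point
# (PDP) and also enables the PDP to make attribute queries to the Policy
# Information Point (PIP)
paste.filter_app_factory = ndg.security.server.wsgi.authz.service:AuthorisationServiceMiddleware.filter_app_factory
prefix = authz.

# environ key under which this filter publishes its decision callback for the
# SAML SOAP query filter (shared value from [DEFAULT])
authz.queryInterfaceKeyName = %(authorisationDecisionFuncEnvironKeyName)s

# Lifetime (seconds) for authorisation assertions issued from this service.
# NOTE(review): the lifetime is set twice in this file - here under
# 'xacmlContext' and below under 'ctx_handler'.  It is not visible from here
# which key the middleware reads, so keep the two values equal.
# NOTE(security): 86400 s (24 h) lets a PEP keep honouring a decision for a
# day after the subject's attributes change - shorten it outside the tests.
authz.xacmlContext.assertionLifetime = 86400

#
# XACML Context handler manages PEP (Policy Enforcement Point) requests and the
# PDP's (Policy Decision Point's) interface to the PIP (Policy Information Point)
#

# XACML Policy file
authz.ctx_handler.policyFilePath = %(here)s/policy.xml

# Settings for SAML authorisation decision response to a Policy Enforcement Point
# making a decision query
authz.ctx_handler.issuerName = %(samlIssuerName)s
authz.ctx_handler.issuerFormat = %(samlIssuerFormat)s
# seconds; keep in step with authz.xacmlContext.assertionLifetime above
authz.ctx_handler.assertionLifetime = 86400

# Add Earth System Grid custom types and functions to XACML
authz.ctx_handler.xacmlExtFunc = ndg.security.server.xacml.esgf_ext:addEsgfXacmlSupport

#
# Policy Information Point interface settings
#
# The Context handler is a client to the PIP, passing on attribute queries
# on behalf of the PDP onwards to the PIP

# The PIP can cache assertions retrieved from Attribute Authority calls to
# optimise performance.  Set this flag to True/False to enable/disable caching
# respectively.  If this setting is omitted it defaults to True
#authz.ctx_handler.pip.cacheSessions = False

# Set the directory for cached information to be stored.  This option is
# ignored if 'cacheSessions' is set to False.  If this setting is omitted, then
# sessions will be cached in memory only.  In this case, if the service is
# stopped all cached information would be lost.
# NOTE(security): a cache directory puts subjects' attribute assertions on
# disk - restrict its permissions to the service account.
#authz.ctx_handler.pip.sessionCacheDataDir = %(here)s/pip-session-cache

# Set timeout (seconds) for a cached session - following the timeout any existing
# session will be deleted.  This option is ignored if
# authz.ctx_handler.pip.cacheSessions = False.  If this option is omitted, no
# timeout is set.  If none is set and authz.ctx_handler.pip.sessionCacheDataDir
# is set, sessions will be effectively cached permanently(!): only an assertion
# expiry could invalidate a given assertion previously cached, so an attribute
# withdrawn at the Attribute Authority could still be honoured until then.
# Set a timeout whenever the on-disk cache is enabled.
#authz.ctx_handler.pip.sessionCacheTimeout = 3600

# Allow for a clock skew of +/- 3 seconds when checking validity times of
# SAML assertions cached from attribute service queries
authz.ctx_handler.pip.sessionCacheAssertionClockSkewTol = 3.0

#
# Attribute ID -> Attribute Authority mapping file.  The PIP, on receipt of a
# query from the XACML context handler, checks the attribute(s) being queried
# for and looks up this mapping to determine which attribute authority to query
# to find out if the subject has the attribute in their entitlement
authz.ctx_handler.pip.mappingFilePath = %(here)s/pip-mapping.txt

# The attribute ID of the subject value to extract from the XACML request
# context and pass in the SAML attribute query
authz.ctx_handler.pip.subjectAttributeId = urn:esg:openid

# Issuer identity the PIP writes into its SAML attribute queries - the same as
# the context handler's, so the Attribute Authority sees one consistent caller
authz.ctx_handler.pip.attributeQuery.issuerName = %(authz.ctx_handler.issuerName)s
authz.ctx_handler.pip.attributeQuery.issuerFormat = %(authz.ctx_handler.issuerFormat)s

# Serialiser for outgoing attribute queries
authz.ctx_handler.pip.attributeQuery.serialise = ndg.saml.xml.etree:AttributeQueryElementTree.toXML

# Deserialiser for the Attribute Authority's responses.  The ESGF variant adds
# support for ESGF Group/Role Attribute Values in SAML Attribute queries; when
# those are not needed the plain ndg.saml response deserialiser (presumably
# ndg.saml.xml.etree:ResponseElementTree.fromXML - confirm) can be substituted.
authz.ctx_handler.pip.attributeQuery.deserialise = ndg.security.common.saml_utils.esgf.xml.etree:ESGFResponseElementTree.fromXML

# These settings configure SSL mutual authentication for the query to the SAML
# Attribute Authority: this service's client certificate and private key, and
# the CA directory used to verify the Attribute Authority's server certificate.
# NOTE(security): the private key file must be readable only by the service
# account, and sslCACertDir should hold only the CA(s) expected to issue the
# Attribute Authority's certificate - every CA placed there is trusted for
# this connection.  The paths below are the shared TEST credentials
# (localhost.crt / localhost.key).
authz.ctx_handler.pip.attributeQuery.sslCertFilePath = %(testConfigDir)s/pki/localhost.crt
authz.ctx_handler.pip.attributeQuery.sslPriKeyFilePath = %(testConfigDir)s/pki/localhost.key
authz.ctx_handler.pip.attributeQuery.sslCACertDir = %(testConfigDir)s/pki/ca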
149
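# Logging configuration (standard logging fileConfig layout, loaded by Paste)
[loggers]
keys = root, ndg

[handlers]
keys = console, logfile

[formatters]
keys = generic

# NOTE(security): DEBUG is appropriate for the unit tests only.  At this level
# SAML/XACML message content, including subject identifiers, may end up on
# stderr and in service.log - raise the level to INFO or above elsewhere.
[logger_root]
level = DEBUG
handlers = console, logfile

[logger_ndg]
level = DEBUG
# no handlers of its own: records propagate up to the root logger's handlers
handlers =
qualname = ndg

[handler_console]
class = StreamHandler
args = (sys.stderr,)
level = NOTSET
formatter = generic

[formatter_generic]
format = %(asctime)s.%(msecs)03d %(levelname)-8.8s [%(name)s:%(lineno)d] %(message)s
datefmt = %Y/%m/%d %H:%M:%S

# Rotating file beside this config: service.log, append mode, rotated at
# 10000 bytes with 2 backups kept (about 30 KB in total - sized for test runs,
# not for a long-running service).  Like any log at DEBUG level it may hold
# subject identifiers, so keep its permissions tight.
[handler_logfile]
class = handlers.RotatingFileHandler
level = NOTSET
formatter = generic
args = (os.path.join('%(here)s', 'service.log'), 'a', 10000, 2)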