1#
2# NERC DataGrid Security
3#
4# Paste configuration for combined Attribute Authority, OpenID Relying Party
5# and Provider services
6#
7# The %(here)s variable will be replaced with the parent directory of this file
8#
9# Author: P J Kershaw
10# date: 01/07/09
11# Copyright: (C) 2009 Science and Technology Facilities Council
12# license: BSD - see LICENSE file in top-level directory
13# Contact: Philip.Kershaw@stfc.ac.uk
14# Revision: $Id:$
15
[DEFAULT]
# This file is a Paste Deploy configuration read configparser-style, so every
# key in [DEFAULT] is a fallback visible to all sections below and may be
# referenced as %(name)s.  %(here)s is supplied by the loader (the directory
# containing this file).

# Public endpoint of the combined services.  The scheme is https although
# [server:main] configures no TLS of its own - TLS termination is presumably
# done by a proxy in front of this process.
scheme = https
hostname = localhost
portNum = 7443
baseURI = %(scheme)s://%(hostname)s:%(portNum)s

# Root of the OpenID Provider identifier URIs (see openid.provider.path.* in
# [app:OpenIDProviderApp])
openIDProviderIDBase = /openid
openIDProviderIDSelectURI = %(baseURI)s%(openIDProviderIDBase)s

# Shared test fixtures: CA certificate and user database
testConfigDir = %(here)s/../../config

# environ key under which the Beaker session object is published.  The
# session, redirect-response, Relying Party and Provider sections all refer
# to the session by this one name.
beakerSessionKeyName = beaker.session.ndg.security.services

# environ key under which the Attribute Authority publishes its SAML attribute
# query interface for the SOAP binding filter
attributeQueryInterfaceEnvironKeyName = ndg.security.server.attributeauthority.attributeQueryInterface

# SQLite test database used by the OpenID Provider (login and attribute
# exchange) and by the Attribute Authority.  Test fixture only - see the
# md5password note in [app:OpenIDProviderApp] before storing real credentials.
dbConnectionString = sqlite:///%(testConfigDir)s/user.db
30
[server:main]
# Paste's built-in HTTP server.  No ssl_pem / TLS options are given, so this
# listener speaks plain HTTP even though [DEFAULT] advertises https: TLS
# termination and the client-certificate headers consumed by
# SSLClientAuthenticationFilter are expected to come from a fronting proxy.
use = egg:Paste#http
port = %(portNum)s
# NOTE(review): 0.0.0.0 binds every interface.  The filters below trust
# proxy-supplied HTTP_HTTPS / HTTP_SSL_CLIENT_CERT request headers and this
# configuration carries well-known test credentials (see userCreds in
# [app:OpenIDProviderApp]), so anything other than a loopback-only bind
# (127.0.0.1) should be used only on an isolated test host.
host = 0.0.0.0
35
36# Uncomment and replace OpenIDProviderApp with OpenIDProviderFilterApp in the
37# pipeline below if the RelyingParty filter is removed.  The RelyingParty
38# provides static content to both it and the Provider in this configuration.
39# See the staticContentDir setting in the OpenIDRelyingPartyFilter section
40#[filter-app:OpenIDProviderFilterApp]
41#use = egg:Paste#httpexceptions
42#next = cascade
43#
44## Composite for OpenID Provider to enable settings for picking up static
45## content
46#[composit:cascade]
47#use = egg:Paste#cascade
48#app1 = OpenIDProviderStaticContent
49#catch = 404
50#
51#[app:OpenIDProviderStaticContent]
52#use = egg:Paste#static
53#document_root = %(here)s/openidprovider
54
# Ordering of filters and app is critical.  Each entry wraps the ones after
# it: the Attribute Authority and its SAML SOAP binding are mounted outermost
# (the binding presumably answers /AttributeAuthority requests itself and
# relies on its own requestor checks - see samlValidRequestorDNs); the Beaker
# session must exist before AuthKit and the SSL client-certificate filter use
# it; the redirect-response filter is listed ahead of (wraps) the Relying
# Party so it sees the response after AuthKit has set its cookie; and the
# Relying Party wraps the Provider because it also serves the Provider's
# static content.  The 'SSLCient...' (sic) names must match the
# [filter:...] headers below exactly.
[pipeline:main]
pipeline = AttributeAuthorityFilter
           AttributeAuthoritySamlSoapBindingFilter
                   SessionMiddlewareFilter
                   SSLCientAuthKitFilter
                   SSLClientAuthenticationFilter
                   SSLCientAuthnRedirectResponseFilter
                   OpenIDRelyingPartyFilter
                   OpenIDProviderApp
65
#______________________________________________________________________________
# Beaker session middleware.  The session it creates is shared, via the
# environ key below, by the AuthKit, SSL client-certificate, redirect-response,
# Relying Party and Provider components.
[filter:SessionMiddlewareFilter]
paste.filter_app_factory=beaker.middleware:SessionMiddleware

# Key name for keying into environ dictionary
environ_key = %(beakerSessionKeyName)s

# Session cookie name and signing secret.
# NOTE(review): this secret is checked into version control and shared by
# every checkout of the test suite; whoever holds it can forge the signed
# session cookie.  Fine for this integration test only - a deployment must
# generate its own value and keep it out of the repository.
beaker.session.key = openid
beaker.session.secret = qKEdQdCr33NE087dRUWX3qUv5r7AsuQU

# cookie_expires = True presumably makes this a browser-session cookie (Beaker
# semantics).  No 'secure' flag is set; behind a TLS-terminating proxy consider
# beaker.session.secure = True so the cookie is never sent over plain HTTP.
beaker.session.cookie_expires = True
#beaker.session.cookie_domain = .localhost

# Locations of the Beaker cache and session stores
beaker.cache.data_dir = %(here)s/openidprovider/beaker/cache
beaker.session.data_dir = %(here)s/openidprovider/beaker/sessions
84
# AuthKit cookie front-end for the SSL client-certificate authentication path.
# (The header keeps the historical 'SSLCient' spelling because [pipeline:main]
# refers to the filter by that name.)
[filter:SSLCientAuthKitFilter]
paste.filter_app_factory = authkit.authenticate:middleware
setup.method = cookie

# Cookie name and signing secret.  These MUST agree with the AuthKit settings
# of the Authentication Filter used to secure a given app - here the
# authkit.cookie.* entries in [filter:OpenIDRelyingPartyFilter].
# NOTE(review): the secret is committed to the repository; it is a test value
# and must be regenerated and kept out of source control for a deployment.
cookie.name = ndg.security.auth
cookie.secret = 9wvZObs9anUEhSIAnJNoY2iJq59FfYZr
cookie.signoutpath = /logout
#cookie.params.domain = .localhost

# The client IP address is NOT mixed into the cookie signature because of a
# suspected AuthKit problem setting it when an HTTP proxy is in place.
# Consequence: a captured cookie is usable from any address for its lifetime.
cookie.includeip = False
103
# SSL client-certificate based authentication.  Invoked when the request
# carries a client certificate (forwarded in the header named below); this
# bypasses OpenID based authentication.
[filter:SSLClientAuthenticationFilter]
paste.filter_app_factory = ndg.security.server.wsgi.ssl:AuthKitSSLAuthnMiddleware
prefix = ssl.

# environ keys the filter reads.  The 'HTTP_' prefix means the values arrive
# as request headers set by the proxy.
# NOTE(review): request headers are attacker-controlled unless the proxy
# strips incoming HTTPS / SSL-Client-Cert headers AND the listener in
# [server:main] (bound to 0.0.0.0) is unreachable except through that proxy.
# Without both, a client can inject any certificate here without ever having
# completed a TLS handshake with its private key.
ssl.sslKeyName = HTTP_HTTPS
ssl.sslClientCertKeyName = HTTP_SSL_CLIENT_CERT

# Verify the forwarded certificate against this list of trusted CAs.  To skip
# this step, comment out or remove the item (e.g. where CA verification is
# done in the Apache config) - but only if the proxy really does verify.
ssl.caCertFilePathList = %(testConfigDir)s/ca/ndg-test-ca.crt

# Optional allowlist of client certificate DNs.  Left unset here, so
# presumably any certificate that chains to the CA above is accepted.
#ssl.clientCertDNMatchList = /O=NDG/OU=BADC/CN=mytest /O=gabriel/OU=BADC/CN=test /O=NDG/OU=BADC/CN=test

# URI pattern(s) on which to interrupt the redirect to the OpenID Relying
# Party and first check whether a client certificate has been set
ssl.rePathMatchList = ^/verify.*
123
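# OpenID Relying Party: wraps the AuthKit OpenID consumer and renders the
# sign-in page.  Delimiters normalised to '=' throughout (the ax block
# previously mixed ':' and '=', which configparser accepts but reads badly).
[filter:OpenIDRelyingPartyFilter]
paste.filter_app_factory = ndg.security.server.wsgi.openid.relyingparty:OpenIDRelyingPartyMiddleware.filter_app_factory

openid.relyingparty.baseURL = %(authkit.openid.baseurl)s

# Restrict sign-in to an allowlist of trusted OpenID Providers.
# NOTE(review): left unset, so this Relying Party will complete sign-in
# against ANY OpenID Provider a user types in, not only the local one.
# Acceptable for this test pipeline; a deployment should enable the allowlist.
#openid.relyingparty.idpWhitelistConfigFilePath = %(here)s/openidrelyingparty/ssl-idp-validator.xml

openid.relyingparty.signinInterfaceMiddlewareClass = ndg.security.server.wsgi.openid.relyingparty.signin_interface.genshi.GenshiSigninTemplate

# Nb. in this configuration, this directory provides static content for both
# this filter and the OpenID Provider app downstream in the WSGI stack.
openid.relyingparty.signinInterface.staticContentRootDir = %(here)s/public

openid.relyingparty.signinInterface.baseURL = %(openid.relyingparty.baseURL)s
openid.relyingparty.signinInterface.initialOpenID = %(openIDProviderIDSelectURI)s
openid.relyingparty.signinInterface.heading = OpenID Sign-in
#openid.relyingparty.signinInterface.leftLogo = %(openid.relyingparty.signinInterface.baseURL)s/layout/NERC_Logo.gif
#openid.relyingparty.signinInterface.leftAlt = Natural Environment Research Council
#openid.relyingparty.signinInterface.leftLink = http://ndg.nerc.ac.uk/
#openid.relyingparty.signinInterface.leftImage = %(openid.relyingparty.signinInterface.baseURL)s/layout/ndg_logo_circle.gif

# This setting accepts HTML mark-up and is rendered as such.  Keep it under
# configuration control only; never populate it from request data.
openid.relyingparty.signinInterface.footerText = This site is for test purposes only.   <a class="FooterLink" href="http://openid.net/what/" target="_blank"><small>What is OpenID?</small></a>
openid.relyingparty.signinInterface.rightLink = http://ceda.ac.uk/
openid.relyingparty.signinInterface.rightImage = %(openid.relyingparty.signinInterface.baseURL)s/layout/CEDA_RightButton60.png
openid.relyingparty.signinInterface.rightAlt = Centre for Environmental Data Archival
openid.relyingparty.signinInterface.helpIcon = %(openid.relyingparty.signinInterface.baseURL)s/layout/icons/help.png

cache_dir = %(here)s/data

# AuthKit set-up: OpenID authentication, result held in a signed cookie
authkit.setup.method = openid, cookie

# This cookie name and secret MUST agree with the name used by the
# Authentication Filter used to secure a given app (see the cookie.* entries
# in [filter:SSLCientAuthKitFilter]).
# NOTE(review): committed test secret - regenerate it and keep it out of
# source control for any real deployment.
authkit.cookie.name = ndg.security.auth
authkit.cookie.secret = 9wvZObs9anUEhSIAnJNoY2iJq59FfYZr
authkit.cookie.signoutpath = /logout
#authkit.cookie.params.domain = .localhost

# Disable inclusion of client IP address from cookie signature due to
# suspected problem with AuthKit setting it when a HTTP Proxy is in place.
# Consequence: a captured cookie is replayable from any address.
authkit.cookie.includeip = False

authkit.openid.path.signedin = /
authkit.openid.store.type = file
authkit.openid.store.config = %(here)s/openidrelyingparty/store
authkit.openid.session.key = authkit_openid
# NOTE(review): 'random string' is a literal placeholder, not a random value.
# Replace it with a generated secret before this configuration is used
# outside the test suite.
authkit.openid.session.secret = random string

# Key name for dereferencing beaker.session object held in environ
authkit.openid.session.middleware = %(beakerSessionKeyName)s

authkit.openid.baseurl = %(baseURI)s

# Template for signin
#authkit.openid.template.obj =

# Handler for parsing OpenID and creating a session from it
#authkit.openid.urltouser =

# Attribute Exchange - all are optional unless the relevant ax.required.<name>
# is set to True.  The alias defaults to the parameter name unless explicitly
# specified - see commented out entry for firstName below.  The number of
# attributes for each attribute name defaults to 1 unless otherwise set.
# Values received via AX are asserted by the Provider, so trust them only as
# far as that Provider is trusted (see the allowlist note above).
#authkit.openid.ax.typeuri.firstName=http://openid.net/schema/namePerson/first
#authkit.openid.ax.alias.firstName=firstName
##authkit.openid.ax.count.firstName=1
#authkit.openid.ax.required.firstName=True
#authkit.openid.ax.typeuri.lastName=http://openid.net/schema/namePerson/last
#authkit.openid.ax.alias.lastName=lastName
#authkit.openid.ax.required.lastName=True
#authkit.openid.ax.typeuri.emailAddress=http://openid.net/schema/contact/internet/email
#authkit.openid.ax.alias.emailAddress=emailAddress
#authkit.openid.ax.required.emailAddress=True

# ESG Gateway requested parameters
authkit.openid.ax.typeuri.uuid = http://openid.net/schema/person/guid
authkit.openid.ax.alias.uuid = uuid
authkit.openid.ax.typeuri.username = http://openid.net/schema/namePerson/friendly
authkit.openid.ax.alias.username = username
authkit.openid.ax.typeuri.firstname = http://openid.net/schema/namePerson/first
authkit.openid.ax.alias.firstname = firstname
authkit.openid.ax.required.firstname = True
authkit.openid.ax.typeuri.middlename = http://openid.net/schema/namePerson/middle
authkit.openid.ax.alias.middlename = middlename
authkit.openid.ax.typeuri.lastname = http://openid.net/schema/namePerson/last
authkit.openid.ax.alias.lastname = lastname
authkit.openid.ax.required.lastname = True
authkit.openid.ax.typeuri.email = http://openid.net/schema/contact/internet/email
authkit.openid.ax.alias.email = email
authkit.openid.ax.required.email = True
authkit.openid.ax.typeuri.gateway = http://www.earthsystemgrid.org/gateway
authkit.openid.ax.alias.gateway = gateway
authkit.openid.ax.typeuri.organization = http://openid.net/schema/company/name
authkit.openid.ax.alias.organization = organization
authkit.openid.ax.typeuri.city = http://openid.net/schema/contact/city/home
authkit.openid.ax.alias.city = city
authkit.openid.ax.typeuri.state = http://openid.net/schema/contact/state/home
authkit.openid.ax.alias.state = state
authkit.openid.ax.typeuri.country = http://openid.net/schema/contact/country/home
authkit.openid.ax.alias.country = country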
229
[filter:SSLCientAuthnRedirectResponseFilter]
# Redirects the client back to the originally requested URI once SSL client
# certificate authentication has succeeded.  It must wrap (be listed in
# [pipeline:main] ahead of) the middleware that sets the AuthKit cookie -
# currently the AuthKit configured inside [filter:OpenIDRelyingPartyFilter] -
# so that the redirect response carries the freshly set cookie.  If the
# Relying Party filter is ever removed, a separate AuthKit middleware entry
# is needed for this filter to keep functioning.
paste.filter_app_factory = ndg.security.server.wsgi.authn:AuthKitRedirectResponseMiddleware
prefix = ssl.

# environ key of the Beaker session (presumably where the original URI is
# stashed between the authentication round-trips)
ssl.sessionKey = %(beakerSessionKeyName)s
239
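#______________________________________________________________________________
# OpenID Provider WSGI Settings
[app:OpenIDProviderApp]
paste.app_factory = ndg.security.server.wsgi.openid.provider:OpenIDProviderMiddleware.app_factory

openid.provider.path.openidserver = /OpenID/Provider/server
openid.provider.path.login = /OpenID/Provider/login
openid.provider.path.loginsubmit = /OpenID/Provider/loginsubmit

# Yadis based discovery only - the 'id' path may be set to a page with
# <link rel="openid.server" href="..."> and Yadis
# <meta http-equiv="x-xrds-location" content="..."> links if required but in
# this implementation it is set to return 404 not found - see
# ndg.security.server.wsgi.openid.provider.renderinginterface.genshi.GenshiRendering
# class
openid.provider.path.id = /OpenID/Provider/id/${userIdentifier}
openid.provider.path.yadis = %(openIDProviderIDBase)s/${userIdentifier}

# Yadis based discovery for idselect mode - this is where the user has entered
# a URI at the Relying Party which identifies their Provider only and not their
# full ID URI.  e.g. https://badc.nerc.ac.uk instead of
# https://badc.nerc.ac.uk/John
openid.provider.path.serveryadis = %(openIDProviderIDBase)s
openid.provider.path.allow = /OpenID/Provider/allow
openid.provider.path.decide = /OpenID/Provider/decide
openid.provider.path.mainpage = /OpenID/Provider/home

openid.provider.session_middleware = %(beakerSessionKeyName)s
openid.provider.base_url = %(baseURI)s

# Enable login to construct an identity URI if IDSelect mode was chosen and
# no identity URI was passed from the Relying Party.  This value should
# match openid.provider.path.id and/or openid.provider.path.yadis - see above
identityUriTemplate = %(baseURI)s%(openIDProviderIDBase)s/${userIdentifier}

# Protocol tracing (debug aid) disabled
openid.provider.trace = False
openid.provider.consumer_store_dirpath = %(here)s/openidprovider
openid.provider.renderingClass = ndg.security.server.wsgi.openid.provider.renderinginterface.genshi.GenshiRendering
#openid.provider.renderingClass = ndg.security.server.wsgi.openid.provider.DemoRenderingInterface

# Layout
openid.provider.rendering.baseURL = %(openid.provider.base_url)s
#openid.provider.rendering.leftLogo = %(openid.provider.rendering.baseURL)s/layout/NERC_Logo.gif
#openid.provider.rendering.leftAlt = Natural Environment Research Council
#openid.provider.rendering.leftLink = http://ndg.nerc.ac.uk/
#openid.provider.rendering.leftImage = %(openid.provider.rendering.baseURL)s/layout/ndg_logo_circle.gif
openid.provider.rendering.helpIcon = %(openid.provider.rendering.baseURL)s/layout/icons/help.png
openid.provider.rendering.footerText = This site is for test purposes only.
openid.provider.rendering.rightLink = http://ceda.ac.uk/
openid.provider.rendering.rightImage = %(openid.provider.rendering.baseURL)s/layout/CEDA_RightButton60.png
openid.provider.rendering.rightAlt = Centre for Environmental Data Archival

# Authentication interface.  The basic interface only demonstrates the
# capability; the SQLAlchemy interface looks users up in the test database.
#openid.provider.authNInterface = ndg.security.server.wsgi.openid.provider.authninterface.basic.BasicAuthNInterface
openid.provider.authNInterface = ndg.security.server.wsgi.openid.provider.authninterface.sqlalchemy_authn.SQLAlchemyAuthnInterface
openid.provider.authN.connectionString = %(dbConnectionString)s

# NOTE(review): ${username} and ${password} presumably come from the login
# form.  Whether these templates are safe from SQL injection depends entirely
# on SQLAlchemyAuthnInterface binding them as query parameters rather than
# substituting them into the statement text - confirm before reusing this
# beyond the test database.
# NOTE(review): passwords are stored as unsalted MD5 (md5password column,
# isMD5EncodedPwd).  Adequate for fixed test accounts only; real credentials
# need a salted, slow hash (bcrypt / scrypt / PBKDF2).
openid.provider.authN.logonSqlQuery = select count(*) from users where username = '${username}' and md5password = '${password}'
openid.provider.authN.username2UserIdentifierSqlQuery = select openid_identifier from users where username = '${username}'
openid.provider.authN.isMD5EncodedPwd = True

# user login details format is:
# <username>:<password>:<OpenID name>, ... <OpenID name N> <username>:... etc
# Each user entry is delimited by a space. username, password and OpenID name
# list are delimited by a colon.  The list of OpenID names are delimited by
# commas.  The OpenID name represents the unique part of the OpenID URL for the
# individual user.  Each username may have more than one OpenID alias but only
# one alias at a time may be registered with a given Attribute Authority.
# NOTE(review): plaintext test credentials committed to the repository.  It is
# not clear from this file which interface consumes them; treat them as
# harmless only while the listener is unreachable from untrusted networks.
openid.provider.authN.userCreds = pjk:testpassword:PhilipKershaw,P.J.Kershaw another:testpassword:A.N.Other

# Basic authentication for testing/admin - comma delimited list of
# <username>:<password> pairs
#openid.provider.usercreds = pjk:test

# Attribute Exchange interface
#openid.provider.axResponse.class = ndg.security.server.wsgi.openid.provider.axinterface.csv.CSVFileAXInterface
#openid.provider.axResponse.csvFilePath = %(here)s/openidprovider/attributeexchange.csv
openid.provider.axResponse.class = ndg.security.server.wsgi.openid.provider.axinterface.sqlalchemy_ax.SQLAlchemyAXInterface
openid.provider.axResponse.connectionString = %(dbConnectionString)s
# Same parameter-binding caveat as logonSqlQuery above
openid.provider.axResponse.sqlQuery = select firstname, lastname, emailaddress from users where username = '${username}'
openid.provider.axResponse.attributeNames = http://openid.net/schema/namePerson/first
    http://openid.net/schema/namePerson/last
    http://openid.net/schema/contact/internet/email

# Relying Parties presumed trusted for attribute release.  Keep the list to
# exact https origins; a loosely matched entry widens where user attributes
# may be sent.
openid.provider.trustedRelyingParties = https://localhost:7443, https://ndg.somewhere.ac.uk,
        https://badc.somewhere.ac.uk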
325
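#______________________________________________________________________________
# Attribute Authority WSGI settings
#
[filter:AttributeAuthorityFilter]
# This filter publishes an Attribute Authority instance as a key in environ
# to enable other middleware to access it
paste.filter_app_factory = ndg.security.server.wsgi.attributeauthority:AttributeAuthorityMiddleware.filter_app_factory
prefix = attributeAuthority.

# Lifetime of issued SAML assertions, in seconds (28800 = 8 hours).
# NOTE(review): an assertion stays valid until it expires, so an attribute
# revoked in the database remains usable for up to 8 hours.  Fine for a test
# run; shorten for production.
attributeAuthority.assertionLifetime = 28800

# Settings for custom AttributeInterface derived class to get user roles for
# given user ID (unused: the SQLAlchemy interface below is active)
#attributeAuthority.attributeInterface.modFilePath = %(testConfigDir)s/attributeauthority/sitea
#attributeAuthority.attributeInterface.modName = siteAUserRoles
#attributeAuthority.attributeInterface.className = TestUserRoles

# Key name for the SAML SOAP binding based interface to reference this
# service's attribute query method
attributeAuthority.environKeyNameAttributeQueryInterface = %(attributeQueryInterfaceEnvironKeyName)s

# SQLAlchemy Attribute Interface.
# NOTE(review): ${userId} is presumably the SAML subject from the incoming
# query.  As with the Provider's logonSqlQuery, these templates are safe only
# if the interface binds ${userId} as a parameter instead of interpolating it
# into the SQL text.
attributeAuthority.attributeInterface.connectionString = %(dbConnectionString)s
attributeAuthority.attributeInterface.className = ndg.security.server.attributeauthority.SQLAlchemyAttributeInterface
attributeAuthority.attributeInterface.samlSubjectSqlQuery = select count(*) from users where openid = '${userId}'
# Format: "<SAML attribute name>" "<SQL returning that attribute's values>"
attributeAuthority.attributeInterface.samlAttribute2SqlQuery.1 = "urn:esg:first:name" "select firstname from users where openid = '${userId}'"
attributeAuthority.attributeInterface.samlAttribute2SqlQuery.lastName = "urn:esg:last:name" "select lastname from users where openid = '${userId}'"
attributeAuthority.attributeInterface.samlAttribute2SqlQuery.emailAddress = "urn:esg:email:address" "select emailaddress from users where openid = '${userId}'"
attributeAuthority.attributeInterface.samlAttribute2SqlQuery.4 = "urn:siteA:security:authz:1.0:attr" "select attributename from attributes where openid = '${userId}'"

# Only requestors whose DN is in this list may query.  It is the only access
# control on attribute queries visible in this file, so the DN must be taken
# from an authenticated identity (e.g. the requestor's client certificate),
# not from the self-asserted SAML Issuer element alone.
# NOTE(review): the last entry orders its RDNs differently
# (/CN=.../O=.../OU=...) from the others; if matching is by exact string
# comparison it will not match a subject printed as /O=NDG/OU=BADC/CN=test -
# confirm which form the comparison expects.
attributeAuthority.attributeInterface.samlValidRequestorDNs = /O=Site A/CN=Authorisation Service,/O=Site A/CN=Attribute Authority,
                                                           /O=Site B/CN=Authorisation Service,
                                                           /CN=test/O=NDG/OU=BADC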
359
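# SAML SOAP Binding to the Attribute Authority
[filter:AttributeAuthoritySamlSoapBindingFilter]
paste.filter_app_factory = ndg.security.server.wsgi.saml:SOAPQueryInterfaceMiddleware.filter_app_factory
prefix = saml.soapbinding.

# Request / response (de)serialisers.  Queries are parsed by the ndg.saml
# AttributeQuery ElementTree parser; the response serialiser is a
# specialisation that incorporates the ESG Group/Role type.
saml.soapbinding.deserialise = ndg.saml.xml.etree:AttributeQueryElementTree.fromXML
saml.soapbinding.serialise = ndg.security.common.saml_utils.esg.xml.etree:EsgResponseElementTree.toXML

# Presumably only requests on these paths are handled as SAML queries
saml.soapbinding.pathMatchList = /AttributeAuthority
saml.soapbinding.queryInterfaceKeyName = %(attributeQueryInterfaceEnvironKeyName)s

# Clock skew for SAML Attribute Queries - allow clockSkewTolerance seconds of
# tolerance on the query issueInstant parameter.  Set here to 3 minutes; keep
# it small, since it bounds how long a captured query can be replayed.
saml.soapbinding.clockSkewTolerance = 180.0

# Issuer name stamped on responses, in X.509 subject name format.
# NOTE(review): nothing in this section configures signing of responses or
# verification of query signatures.  If the binding relies on transport
# security instead, the requestor DN check in [filter:AttributeAuthorityFilter]
# depends on the fronting proxy's client-certificate handling being in place.
saml.soapbinding.issuerName = /O=Site A/CN=Attribute Authority
saml.soapbinding.issuerFormat = urn:oasis:names:tc:SAML:1.1:nameid-format:x509SubjectName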
379
# Logging configuration (Python logging.config.fileConfig-style sections)
[loggers]
keys = root, ndg

[handlers]
keys = console

[formatters]
keys = generic

# Everything outside the ndg namespace logs at INFO to the console
[logger_root]
level = INFO
handlers = console

# ndg.* loggers at DEBUG.
# NOTE(review): DEBUG output from these security services may include session
# identifiers, OpenID/SAML message contents or usernames; keep this at INFO
# or above wherever stderr is retained (e.g. under a process supervisor).
[logger_ndg]
level = DEBUG
# No handler of its own; with logging's default propagate=1 records reach the
# root console handler
handlers =
qualname = ndg

[handler_console]
class = StreamHandler
args = (sys.stderr,)
level = NOTSET
formatter = generic

# Nb. the %(...)s tokens below are logging format fields; fileConfig reads
# 'format' raw, so they are not configparser interpolations
[formatter_generic]
format = %(asctime)s.%(msecs)03d %(levelname)-5.5s [%(name)s:%(lineno)s] %(message)s
datefmt = %Y-%m-%d %H:%M:%S
408