source: TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/integration/full_system/securityservices.ini @ 7827

#
# Title:        NERC DataGrid Security Paste INI file template for all services
#
# Description:  Paste configuration for combined SAML Attribute Authority and 
#               Authorisation Services, OpenID Relying Party and Provider 
#               services and SSL client authentication filters.  This is for 
#               test purposes only.  A production system might deploy these on 
#               different hosts or separate WSGI scripts.
#
#               The %(here)s variable will be replaced with the parent directory 
#               of this file
#
# Author:       P J Kershaw
# Date:         01/07/09
# Copyright:    (C) 2009 Science and Technology Facilities Council
# license:      BSD - see LICENSE file in top-level directory
# Contact:      Philip.Kershaw@stfc.ac.uk
# Revision:     $Id$

# Settings global to all sections
[DEFAULT]
portNum = 7443
hostname = localhost
scheme = https
baseURI = %(scheme)s://%(hostname)s:%(portNum)s/
openIDProviderIDBase = openid/

# The default OpenID set in the Relying Party form text field.  As shown it is
# set so that the special IDSelect mode can be used where the user enters only
# the portion of the URI identifying their Provider instead of their full
# OpenID URI
openIDProviderIDSelectURI = %(baseURI)s%(openIDProviderIDBase)s
testConfigDir = %(here)s/../../config

# Beaker session is used across multiple sections so is set here to ensure 
# consistency
beakerSessionKeyName = beaker.session.ndg.security.services

# Environ dict key name for Attribute Authority's SAML attribute query callback
attributeQueryInterfaceEnvironKeyName = ndg.security.server.attributeauthority.attributeQueryInterface

# Similarly the environ key name for the Authorisation Service's SAML 
# authorisation decision query callback 
authzDecisionQueryInterfaceEnvironKeyName = ndg.security.server.wsgi.authz.service.authzDecisionQueryInterface

# This is set to a test SQLite database alter as needed
dbConnectionString = sqlite:///%(testConfigDir)s/user.db
        
# AuthKit Cookie secret used to secure it.  This secret must be the same as the
# one used in the equivalent secured application(s) ini file(s) that use this
# ini file's OpenID Relying Party and SSL authentication service.  This is
# because the cookie is shared between the secured app(s) and this app so that
# a user's OpenID can be communicated between them.
authkitCookieSecret = 9wvZObs9anUEhSIAnJNoY2iJq59FfYZr

# Secret for OpenID Provider cookie
beakerSessionCookieSecret = qKEdQdCr33NE087dRUWX3qUv5r7AsuQU


[server:main]
use = egg:Paste#http
host = 0.0.0.0
port = %(portNum)s

# Uncomment and replace OpenIDProviderApp with OpenIDProviderFilterApp in the
# pipeline below if the RelyingParty filter is removed.  The RelyingParty
# provides static content to both it and the Provider in this configuration.
# See the staticContentDir setting in the OpenIDRelyingPartyFilter section
#[filter-app:OpenIDProviderFilterApp]
#use = egg:Paste#httpexceptions
#next = cascade
#
## Composite for OpenID Provider to enable settings for picking up static 
## content
#[composit:cascade]
#use = egg:Paste#cascade
#app1 = OpenIDProviderApp
#app2 = OpenIDProviderStaticContent
#catch = 404
#
#[app:OpenIDProviderStaticContent]
#use = egg:Paste#static
#document_root = %(here)s/openidprovider

# Ordering of filters and final app is critical
[pipeline:main]
pipeline = AttributeAuthorityFilter 
           AttributeAuthoritySamlSoapBindingFilter
           AuthorisationServiceFilter
           AuthorisationSamlSoapBindingFilter
           SessionMiddlewareFilter
           SSLClientAuthKitFilter
           SSLClientAuthenticationFilter
           SSLClientAuthnRedirectResponseFilter
           OpenIDRelyingPartyFilter
           OpenIDProviderApp

#______________________________________________________________________________
# Beaker Session Middleware (used by OpenID Provider)
[filter:SessionMiddlewareFilter]
paste.filter_app_factory=beaker.middleware:SessionMiddleware
beaker.session.key = openid
beaker.session.secret = %(beakerSessionCookieSecret)s

# If you'd like to fine-tune the individual locations of the cache data dirs
# for the Cache data, or the Session saves, un-comment the desired settings
# here:
beaker.cache.data_dir = %(here)s/openidprovider/beaker/cache
beaker.session.data_dir = %(here)s/openidprovider/beaker/sessions
beaker.session.cookie_expires = True

# Key name for keying into environ dictionary
environ_key = %(beakerSessionKeyName)s

#______________________________________________________________________________
# Sets AuthKit cookie for SSL Client based authentication method
[filter:SSLClientAuthKitFilter]
paste.filter_app_factory = authkit.authenticate:middleware

# AuthKit Set-up
setup.method=cookie

# This cookie name and secret MUST agree with the name used by the 
# Authentication Filter used to secure a given app
cookie.name=ndg.security.auth

cookie.secret=%(authkitCookieSecret)s
cookie.signoutpath = /logout

# Disable inclusion of client IP address from cookie signature due to 
# suspected problem with AuthKit setting it when a HTTP Proxy is in place
cookie.includeip = False

#______________________________________________________________________________
# SSL Client Certificate based authentication is invoked if the client passed
# a certificate with request.  This bypasses OpenID based authentication
[filter:SSLClientAuthenticationFilter]
paste.filter_app_factory = ndg.security.server.wsgi.ssl:AuthKitSSLAuthnMiddleware
prefix = ssl.

# Apply verification against a list of trusted CAs.  To skip this step, comment
# out or remove this item.  e.g. set CA verification in the Apache config file.
ssl.caCertFilePathList = %(testConfigDir)s/pki/ca/d573507a.0

# Apply whitelisting of client certificate DNs.  This should never be needed in
# this context.  The only reason to use it might be as a means to set a crude 
# access control list of DNs
#ssl.clientCertDNMatchList = /O=NDG/OU=BADC/CN=mytest /O=gabriel/OU=BADC/CN=test /O=NDG/OU=BADC/CN=test

# The 'HTTP_' prefix is set when passed through a proxy with Apache, for example
# if it's possible to run this ini file with paster and expose it through port
# 443 via ProxyPass and ProxyPassReverse Apache directives.
#ssl.sslKeyName = HTTP_HTTPS
#ssl.sslClientCertKeyName = HTTP_SSL_CLIENT_CERT

# Set the intercept URI.  Request URIs matching this pattern will be processed
# by this filter.  The pattern is set here to match the URI that would normally
# be processed by the OpenID Relying Party.  If this filter finds a client 
# cert set from the SSL handshake it will apply authentication based on this, if
# not it will let the request pass by and on to the OpenID Relying Party.  The
# latter is then therefore the default and 'catch all' for authentication 
# requests. 
ssl.rePathMatchList = ^/verify.*

#______________________________________________________________________________
# OpenID Relying Party.  This filter is set to run over SSL so that it can work
# together with the SSL Client Authentication filter above so that tandem
# authentication methods are supported.  It can be invoked from a HTTP app by 
# the ndg.security.server.wsgi.authn.AuthenticationMiddleware which causes a 
# redirect to this endpoint.
[filter:OpenIDRelyingPartyFilter]
paste.filter_app_factory = 
        ndg.security.server.wsgi.openid.relyingparty:OpenIDRelyingPartyMiddleware.filter_app_factory

openid.relyingparty.baseURL = %(authkit.openid.baseurl)s

# Uncomment to restrict sign in to a whitelist of trusted OpenID Providers.
#openid.relyingparty.idpWhitelistConfigFilePath = %(here)s/openidrelyingparty/ssl-idp-validator.xml

openid.relyingparty.signinInterfaceMiddlewareClass = ndg.security.server.wsgi.openid.relyingparty.signin_interface.genshi.GenshiSigninTemplate

# Nb. in this configuration, this directory is provider static content for both 
# this filter and the OpenID Provider app downstream in the WSGI stack.
openid.relyingparty.signinInterface.staticContentRootDir = %(here)s/public

openid.relyingparty.signinInterface.baseURL = %(openid.relyingparty.baseURL)s
openid.relyingparty.signinInterface.initialOpenID = %(openIDProviderIDSelectURI)s
openid.relyingparty.signinInterface.heading = OpenID Sign-in
#openid.relyingparty.signinInterface.leftLogo = %(openid.relyingparty.signinInterface.baseURL)s/layout/NERC_Logo.gif
#openid.relyingparty.signinInterface.leftAlt = Natural Environment Research Council
#openid.relyingparty.signinInterface.leftLink = http://ndg.nerc.ac.uk/
#openid.relyingparty.signinInterface.leftImage = %(openid.relyingparty.signinInterface.baseURL)s/layout/ndg_logo_circle.gif

# This setting will accept HTML mark-up
openid.relyingparty.signinInterface.footerText = This site is for test purposes only.   <a class="FooterLink" href="http://openid.net/what/" target="_blank"><small>What is OpenID?</small></a>
openid.relyingparty.signinInterface.rightLink = http://ceda.ac.uk/
openid.relyingparty.signinInterface.rightImage = %(openid.relyingparty.signinInterface.baseURL)s/layout/CEDA_RightButton60.png
openid.relyingparty.signinInterface.rightAlt = Centre for Environmental Data Archival
openid.relyingparty.signinInterface.helpIcon = %(openid.relyingparty.signinInterface.baseURL)s/layout/icons/help.png

cache_dir = %(here)s/data

# AuthKit Set-up
authkit.setup.method=openid, cookie

# This cookie name and secret MUST agree with the name used by the 
# Authentication Filter used to secure a given app
authkit.cookie.name=ndg.security.auth

authkit.cookie.secret=%(authkitCookieSecret)s
authkit.cookie.signoutpath = /logout
#authkit.cookie.params.domain = .localhost

# Disable inclusion of client IP address from cookie signature due to 
# suspected problem with AuthKit setting it when a HTTP Proxy is in place
authkit.cookie.includeip = False

authkit.openid.path.signedin=/
authkit.openid.store.type=file
authkit.openid.store.config=%(here)s/openidrelyingparty/store
authkit.openid.session.key = authkit_openid
authkit.openid.session.secret = random string

# Key name for dereferencing beaker.session object held in environ
authkit.openid.session.middleware = %(beakerSessionKeyName)s

authkit.openid.baseurl = %(baseURI)s

# Attribute Exchange - all are optional unless the relevant ax.required.<name> 
# is set to True.  The alias defers to the parameter name given unless explicity
# specified - see commented out entry for firstName below.  The number of
# attributes for each attribute name defaults to 1 unless otherwise set
#authkit.openid.ax.typeuri.firstName=http://openid.net/schema/namePerson/first
#authkit.openid.ax.alias.firstName=firstName
##authkit.openid.ax.count.firstName=1
#authkit.openid.ax.required.firstName=True
#authkit.openid.ax.typeuri.lastName=http://openid.net/schema/namePerson/last
#authkit.openid.ax.alias.lastName=lastName
#authkit.openid.ax.required.lastName=True
#authkit.openid.ax.typeuri.emailAddress=http://openid.net/schema/contact/internet/email
#authkit.openid.ax.alias.emailAddress=emailAddress
#authkit.openid.ax.required.emailAddress=True

# ESG Gateway requested parameters
authkit.openid.ax.typeuri.uuid:http://openid.net/schema/person/guid
authkit.openid.ax.alias.uuid=uuid
authkit.openid.ax.typeuri.username:http://openid.net/schema/namePerson/friendly
authkit.openid.ax.alias.username=username
authkit.openid.ax.typeuri.firstname:http://openid.net/schema/namePerson/first
authkit.openid.ax.alias.firstname=firstname
authkit.openid.ax.required.firstname:True
authkit.openid.ax.typeuri.middlename:http://openid.net/schema/namePerson/middle
authkit.openid.ax.alias.middlename=middlename
authkit.openid.ax.typeuri.lastname:http://openid.net/schema/namePerson/last
authkit.openid.ax.required.lastname:True
authkit.openid.ax.alias.lastname=lastname
authkit.openid.ax.typeuri.email:http://openid.net/schema/contact/internet/email
authkit.openid.ax.required.email:True
authkit.openid.ax.alias.email=email
authkit.openid.ax.typeuri.gateway:http://www.earthsystemgrid.org/gateway
authkit.openid.ax.alias.gateway=gateway
authkit.openid.ax.typeuri.organization:http://openid.net/schema/company/name
authkit.openid.ax.alias.organization=organization
authkit.openid.ax.typeuri.city:http://openid.net/schema/contact/city/home
authkit.openid.ax.alias.city=city
authkit.openid.ax.typeuri.state:http://openid.net/schema/contact/state/home
authkit.openid.ax.alias.state=state
authkit.openid.ax.typeuri.country:http://openid.net/schema/contact/country/home
authkit.openid.ax.alias.country=country

#______________________________________________________________________________
# Redirect to original requested URI following SSL Client Authentication.  This
# filter must be placed AFTER the AuthKit cookie setting middleware.  In this
# case here it's configured in the OpenIDRelyingPartyMiddleware filter.  If the
# OpenID Relying Party filter is removed, a separate AuthKit middleware entry
# would need to be made so that this redirect filter can still function
[filter:SSLClientAuthnRedirectResponseFilter]
paste.filter_app_factory = ndg.security.server.wsgi.authn:AuthKitRedirectResponseMiddleware
prefix = ssl.
ssl.sessionKey = %(beakerSessionKeyName)s

#______________________________________________________________________________
# OpenID Provider WSGI Settings
[app:OpenIDProviderApp]
paste.app_factory=ndg.security.server.wsgi.openid.provider:OpenIDProviderMiddleware.app_factory

openid.provider.path.openidserver=/OpenID/Provider/server
openid.provider.path.login=/OpenID/Provider/login
openid.provider.path.loginsubmit=/OpenID/Provider/loginsubmit

# Yadis based discovery only - the 'id' path is configured may be set to page
# with <link rel="openid.server" href="..."> and Yadis 
# <meta http-equiv="x-xrds-location" content="..."> links if required but in 
# this implementation it set to return 404 not found - see 
# ndg.security.server.wsgi.openid.provider.renderinginterface.genshi.GenshiRendering 
# class
openid.provider.path.id=/OpenID/Provider/id/${userIdentifier}
openid.provider.path.yadis=%(openIDProviderIDBase)s${userIdentifier}

# Yadis based discovery for idselect mode - this is where the user has entered
# a URI at the Relying Party which identifies their Provider only and not their
# full ID URI.  e.g. https://badc.nerc.ac.uk instead of 
# https://badc.nerc.ac.uk/John
openid.provider.path.serveryadis=%(openIDProviderIDBase)s
openid.provider.path.allow=/OpenID/Provider/allow
openid.provider.path.decide=/OpenID/Provider/decide
openid.provider.path.mainpage=/OpenID/Provider/home

openid.provider.session_middleware=%(beakerSessionKeyName)s
openid.provider.base_url=%(baseURI)s

# Enable login to construct an identity URI if IDSelect mode was chosen and
# no identity URI was passed from the Relying Party.  This value should
# match openid.provider.path.id and/or openid.provider.path.yadis - see above
identityUriTemplate=%(baseURI)s%(openIDProviderIDBase)s${userIdentifier}

openid.provider.trace=False
openid.provider.consumer_store_dirpath=%(here)s/openidprovider

# A custom rendering class can be plugged in here.  A Genshi based renderer is 
# currently set
openid.provider.renderingClass=ndg.security.server.wsgi.openid.provider.renderinginterface.genshi.GenshiRendering
#openid.provider.renderingClass=ndg.security.server.wsgi.openid.provider.DemoRenderingInterface

# Template directory
openid.provider.rendering.templateRootDir = %(here)s/openidprovider/templates

# Layout
openid.provider.rendering.baseURL = %(openid.provider.base_url)s
openid.provider.rendering.helpIcon = %(openid.provider.rendering.baseURL)s/layout/icons/help.png
openid.provider.rendering.footerText = This site is for test purposes only.
openid.provider.rendering.rightLink = http://ceda.ac.uk/
openid.provider.rendering.rightImage = %(openid.provider.rendering.baseURL)s/layout/CEDA_RightButton60.png
openid.provider.rendering.rightAlt = Centre for Environmental Data Archival

# SQLAlchemy based authentication interface
openid.provider.authNInterface=ndg.security.server.wsgi.openid.provider.authninterface.sqlalchemy_authn.SQLAlchemyAuthnInterface

# See the connection string setting set in the DEFAULT section
openid.provider.authN.connectionString=%(dbConnectionString)s
openid.provider.authN.logonSqlQuery=select count(*) from users where username = '${username}' and md5password = '${password}'
openid.provider.authN.username2UserIdentifierSqlQuery=select openid_identifier from users where username = '${username}'

# Set to true if the password in the database is MD5 encrypted.
openid.provider.authN.isMD5EncodedPwd=True

# This is a more interface which makes settings via this INI parameters instead 
# of a database
#openid.provider.authNInterface=ndg.security.server.wsgi.openid.provider.authninterface.basic.BasicAuthNInterface

# This setting applies to the BasicAuthNInterface only 
# user login details format is:
# <username>:<password>:<OpenID name>, ... <OpenID name N> <username>:... etc
# Each user entry is delimited by a space. username, password and OpenID name
# list are delimited by a colon.  The list of OpenID names are delimited by
# commas.  The OpenID name represents the unique part of the OpenID URL for the
# individual user.  Each username may have more than one OpenID alias but only
# alias at a time may be registered with a given Attribute Authority
#openid.provider.authN.userCreds=pjk:testpassword:PhilipKershaw,P.J.Kershaw another:testpassword:A.N.Other

# Basic authentication for testing/admin - comma delimited list of 
# <username>:<password> pairs
#openid.provider.usercreds=pjk:test

# Attribute Exchange interface - extract attributes from a database based on the
# username of the client
openid.provider.axResponse.class=ndg.security.server.wsgi.openid.provider.axinterface.sqlalchemy_ax.SQLAlchemyAXInterface
openid.provider.axResponse.connectionString=%(dbConnectionString)s

# Ordering is important here: the query results and names fields should exactly 
# map one to the other
openid.provider.axResponse.sqlQuery = select firstname, lastname, emailaddress from users where username = '${username}'
openid.provider.axResponse.attributeNames=http://openid.net/schema/namePerson/first
    http://openid.net/schema/namePerson/last
    http://openid.net/schema/contact/internet/email
    
# This is an alternative simple CSV file based AX interface class
#openid.provider.axResponse.class=ndg.security.server.wsgi.openid.provider.axinterface.csv.CSVFileAXInterface
#openid.provider.axResponse.csvFilePath=%(here)s/openidprovider/attributeexchange.csv

# This setting can be used to enable the confirmation form to be omitted for 
# known Relying Parties (RP)s.  The confirmation form is part of the user 
# interface which prompts the user to confirm they wish to return their 
# credentials back to the given RP.
openid.provider.trustedRelyingParties=https://localhost:7443, https://ndg.somewhere.ac.uk,
        https://badc.somewhere.ac.uk

#______________________________________________________________________________
# Attribute Authority WSGI settings
#
# This filter publishes an Attribute Authority instance as a key in environ
# to enable the SAML query interface middleware to access and invoke it.
[filter:AttributeAuthorityFilter]
paste.filter_app_factory = ndg.security.server.wsgi.attributeauthority:AttributeAuthorityMiddleware.filter_app_factory
prefix = attributeAuthority.

# Lifetime is measured in seconds for attribute assertions made
attributeAuthority.assertionLifetime: 28800 

# Key name for the SAML SOAP binding based query interface to reference this
# service's attribute query method
attributeAuthority.environKeyNameAttributeQueryInterface: %(attributeQueryInterfaceEnvironKeyName)s

# Attribute Interface - determines how a given attribute query interfaces with a
# backend database or other persistent store.  The one here is an SQLAlchemy
# based one.  The database connection string is the global setting - see the 
# DEFAULT section. 
attributeAuthority.attributeInterface.className: ndg.security.server.attributeauthority.SQLAlchemyAttributeInterface
attributeAuthority.attributeInterface.connectionString: %(dbConnectionString)s

# This does a sanity check to ensure the subject of the query is known to this
# authority.
attributeAuthority.attributeInterface.samlSubjectSqlQuery = select count(*) from users where openid = '${userId}'

# Map the given SAML attributes identifiers to the equivalent SQL query to 
# retrieve them.  Any number can be set.  They should have the form,
#
# attributeAuthority.attributeInterface.samlAttribute2SqlQuery.<id>
#
# where <id> can be any unique string.  The userId string is the value passed
# from the client subject NameID field
attributeAuthority.attributeInterface.samlAttribute2SqlQuery.1 = "urn:esg:first:name" "select firstname from users where openid = '${userId}'"
attributeAuthority.attributeInterface.samlAttribute2SqlQuery.lastName = "urn:esg:last:name" "select lastname from users where openid = '${userId}'"
attributeAuthority.attributeInterface.samlAttribute2SqlQuery.emailAddress = "urn:esg:email:address" "select emailaddress from users where openid = '${userId}'"
attributeAuthority.attributeInterface.samlAttribute2SqlQuery.4 = "urn:siteA:security:authz:1.0:attr" "select attributename from attributes where openid = '${userId}'"

# Set the permissable requestor Distinguished Names as set in the SAML client 
# query issuer field.  Comment out or remove if this is not required.  Nb.
# filtering of clients can be more securely applied by whitelisting at the SSL
# level.
attributeAuthority.attributeInterface.samlValidRequestorDNs = /O=Site A/CN=Authorisation Service,/O=Site A/CN=Attribute Authority,
                                                           /O=Site B/CN=Authorisation Service, 
                                                           /CN=test/O=NDG/OU=BADC,
                                                           /O=NDG/OU=Security/CN=localhost

# Alternate custom AttributeInterface derived class to get user roles for given 
# user ID
#attributeAuthority.attributeInterface.modFilePath: %(testConfigDir)s/attributeauthority/sitea
#attributeAuthority.attributeInterface.modName: siteAUserRoles
#attributeAuthority.attributeInterface.className: TestUserRoles

# SAML SOAP Binding to the Attribute Authority
[filter:AttributeAuthoritySamlSoapBindingFilter]
paste.filter_app_factory = ndg.saml.saml2.binding.soap.server.wsgi.queryinterface:SOAPQueryInterfaceMiddleware.filter_app_factory
prefix = saml.soapbinding.

# Callback to deserialise a string format query received from the client into 
# to the relevant ElementTree instance
saml.soapbinding.deserialise = ndg.saml.xml.etree:AttributeQueryElementTree.fromXML

# Corresponding callback to serialise an ElementTree instance response into a 
# string ready for dispatch back to the client
#
# Specialisation to incorporate ESG Group/Role type.  The deserialise method
# doesn't need any specialised setting because no custom ESG types are required 
# in order to invoke it
saml.soapbinding.serialise = ndg.security.common.saml_utils.esgf.xml.etree:ESGFResponseElementTree.toXML

# Equivalent setting if no ESG customisation is required.
#saml.soapbinding.deserialise = ndg.saml.xml.etree:AttributeQueryElementTree.toXML

# Path following the FQDN from which this service will be mounted
saml.soapbinding.mountPath = /AttributeAuthority

# The key name for the environ dict item holding the Attribute Authority's 
# query callback method.  See the Attribute Authority filter.
saml.soapbinding.queryInterfaceKeyName = %(attributeQueryInterfaceEnvironKeyName)s

# Clock skew for SAML Attribute Queries - allow clockSkew number of seconds
# tolerance for query issueInstant parameter. Set here to 3 minutes
saml.soapbinding.clockSkewTolerance: 180.0

# The issuer name for this Attribute Authority expressed as a X.509 subject 
# name.  See ndg.saml.saml2.core or the SAML 2.0 spec for alternatives.
saml.soapbinding.issuerName: /O=Site A/CN=Attribute Authority
saml.soapbinding.issuerFormat: urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName 

#______________________________________________________________________________
# SAML/SOAP query interface to the Authorisation Service
[filter:AuthorisationSamlSoapBindingFilter]
paste.filter_app_factory = ndg.saml.saml2.binding.soap.server.wsgi.queryinterface:SOAPQueryInterfaceMiddleware.filter_app_factory
prefix = saml.

# The URI path for this service
saml.mountPath = /AuthorisationService

# The key name in environ which the upstream authorisation service must assign
# to its authorisation query callback - see the AuthorisationServiceFilter 
# settings below...
saml.queryInterfaceKeyName = %(authzDecisionQueryInterfaceEnvironKeyName)s

# ElementTree based XML parsing and serialisation used for SAML messages
saml.deserialise = ndg.saml.xml.etree:AuthzDecisionQueryElementTree.fromXML
saml.serialise = ndg.saml.xml.etree:ResponseElementTree.toXML

# Sets the identity of THIS authorisation service when filling in SAML responses
saml.issuerName = /O=Site A/CN=Authorisation Service
saml.issuerFormat = urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName

#______________________________________________________________________________
# Authorisation Service WSGI settings
#
# This filter is a container for a binding to a SOAP/SAML based interface to the
# Authorisation Service.  It contains a XACML Context handler which manages
# requests from Policy Enforcement Points to the PDP and also enables the PDP
# to make attribute queries to Policy Information Point
[filter:AuthorisationServiceFilter]
paste.filter_app_factory = ndg.security.server.wsgi.authz.service:AuthorisationServiceMiddleware.filter_app_factory
prefix = authz.

# Expose this filter's authorisation decision query callback via this key name
# in environ
authz.queryInterfaceKeyName = %(authzDecisionQueryInterfaceEnvironKeyName)s

# Lifetime for authorisation assertions issued from this service
authz.xacmlContext.assertionLifetime = 86400

#
# XACML Context handler manages PEP (Policy Information Point) requests and the 
# PDP's (Policy Decision Point's) interface to the PIP (Policy Information 
# Point)

# XACML Policy file
authz.ctx_handler.policyFilePath = %(here)s/policy.xml

# Settings for SAML authorisation decision response to a Policy Enforcement Point
# making a decision query
authz.ctx_handler.issuerName = /O=Site A/CN=Authorisation Service
authz.ctx_handler.issuerFormat = urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName
authz.ctx_handler.assertionLifetime = 86400

#
# Policy Information Point interface settings
#
# The Context handler is a client to the PIP, passing on attribute queries 
# on behalf of the PDP onwards to the PIP

# The PIP can cache assertions retrieved from Attribute Authority calls to
# optimise performance.  Set this flag to True/False to enable/disable caching
# respectively.  If this setting is omitted it defaults to True
authz.ctx_handler.pip.cacheSessions = True

# Set the directory for cached information to be stored.  This options is 
# ignored if 'cacheSessions' is set to False.  If this setting is omitted, then
# sessions will be cached in memory only.  If the service is stopped all cached
# information would be lost
authz.ctx_handler.pip.sessionCacheDataDir = %(here)s/pip-session-cache

# Set timeout (seconds) for a cached session - following the timeout any existing
# session will be deleted.  This option is ignored if 
# authz.ctx_handler.pip.cacheSessions = False or is omitted.  If this option is
# omitted, no timeout is set.  If none is set and 
# authz.ctx_handler.pip.sessionCacheDataDir is set, sessions will be effectively
# cached permanently(!) only an assertion expiry could invalidate a given assertion
# previously cached.
authz.ctx_handler.pip.sessionCacheTimeout = 3600

# Allow for a clock skew of +/- 3 seconds when checking validity times of
# SAML assertions cached from attribute service queries
authz.ctx_handler.pip.sessionCacheAssertionClockSkewTol = 3.0

# 
# Attribute ID -> Attribute Authority mapping file.  The PIP, on receipt of a 
# query from the XACML context handler, checks the attribute(s) being queried 
# for and looks up this mapping to determine which attribute authority to query 
# to find out if the subject has the attribute in their entitlement
authz.ctx_handler.pip.mappingFilePath = %(here)s/pip-mapping.txt

# The attribute ID of the subject value to extract from the XACML request
# context and pass in the SAML attribute query
authz.ctx_handler.pip.subjectAttributeId = urn:esg:openid

# The context handler 
authz.ctx_handler.pip.attributeQuery.issuerName = %(authz.ctx_handler.issuerName)s
authz.ctx_handler.pip.attributeQuery.issuerFormat = %(authz.ctx_handler.issuerFormat)s

# Enable support for ESGF Group/Role Attribute Value in SAML Attribute queries
authz.ctx_handler.pip.attributeQuery.deserialise = ndg.security.common.saml_utils.esgf.xml.etree:ESGFResponseElementTree.fromXML

# These settings configure SSL mutual authentication for the query to the SAML Attribute Authority
authz.ctx_handler.pip.attributeQuery.sslCertFilePath = %(testConfigDir)s/pki/localhost.crt
authz.ctx_handler.pip.attributeQuery.sslPriKeyFilePath = %(testConfigDir)s/pki/localhost.key
authz.ctx_handler.pip.attributeQuery.sslCACertDir = %(testConfigDir)s/pki/ca

#______________________________________________________________________________
# Logging configuration
[loggers]
keys = root, ndg

[handlers]
keys = console, logfile

[formatters]
keys = generic

[logger_root]
level = INFO
handlers = console

[logger_ndg]
level = DEBUG
handlers =
qualname = ndg

[handler_console]
class = StreamHandler
args = (sys.stderr,)
level = NOTSET
formatter = generic

[formatter_generic]
format = %(asctime)s.%(msecs)03d %(levelname)-7.7s [%(name)s:%(lineno)s] %(message)s
datefmt = %Y-%m-%d %H:%M:%S

[handler_logfile]
class = handlers.RotatingFileHandler
level=NOTSET
formatter=generic
args=(os.path.join('%(here)s', 'log', 'service.log'), 'a', 50000, 2)