source: TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/integration/openidprovider/openidprovider.ini @ 7793


Incomplete - task 16: NDG Security 2.x.x - incl. updated Paster templates

  • Revising openidprovider integration test.
  • Property svn:keywords set to Id
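#
# NERC DataGrid Security
#
# Description: Paste configuration for OpenID Relying Party and Provider services
#
# The %(here)s variable will be replaced with the parent directory of this file
#
# Author: P J Kershaw
# date: 01/07/09
#
# Copyright: (C) 2010 Science and Technology Facilities Council
# license: BSD - see LICENSE file in top-level directory
# Contact: Philip.Kershaw@stfc.ac.uk
# Revision: $Id$

# Values shared with every section below via configparser %(name)s
# interpolation.  This file configures a local integration test: the values
# here (localhost, a fixed port, an SQLite user database) are test fixtures.
[DEFAULT]
portNum = 7443
hostname = localhost
scheme = https
baseURI = %(scheme)s://%(hostname)s:%(portNum)s
openIDProviderIDBase = /openid
openIDProviderIDSelectURI = %(baseURI)s%(openIDProviderIDBase)s
testConfigDir = %(here)s/../../config
beakerSessionKeyName = beaker.session.ndg.security.services

# SQLite test user database, used by the authN and axResponse settings in the
# OpenIDProviderApp section
dbConnectionString = sqlite:///%(testConfigDir)s/user.db
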
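# NOTE(review): no ssl_pem is set on this Paste http server, so on its own it
# serves plain HTTP; the https scheme in [DEFAULT] assumes the test harness
# wraps it in TLS or a proxy terminates TLS in front of it - confirm.
[server:main]
use = egg:Paste#http
# Binds every interface, not just loopback.  Acceptable for a local test run;
# use 127.0.0.1 if the test host is reachable from other machines.
host = 0.0.0.0
port = %(portNum)s
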
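# Alternative composition: if the RelyingParty filter is removed, uncomment the
# filter-app / cascade / static-content definitions below and replace
# OpenIDProviderApp with OpenIDProviderFilterApp in the pipeline.  In the
# current configuration the RelyingParty filter serves static content for both
# itself and the Provider - see the
# openid.relyingparty.signinInterface.staticContentRootDir setting in the
# OpenIDRelyingPartyFilter section.
#[filter-app:OpenIDProviderFilterApp]
#use = egg:Paste#httpexceptions
#next = cascade
#
## Composite for OpenID Provider to enable settings for picking up static
## content
## (Paste Deploy spells this section type "composite"; check the prefix
## before uncommenting)
#[composit:cascade]
#use = egg:Paste#cascade
#app1 = OpenIDProviderStaticContent
#catch = 404
#
#[app:OpenIDProviderStaticContent]
#use = egg:Paste#static
#document_root = %(here)s/openidprovider

# Ordering of filters and app is critical: the app must be the last entry and
# each filter wraps everything listed after it, so the session middleware must
# come first for the Relying Party and the Provider to find the session.
[pipeline:main]
pipeline = SessionMiddlewareFilter
           OpenIDRelyingPartyFilter
           OpenIDProviderApp
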
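#______________________________________________________________________________
# Beaker Session Middleware (used by OpenID Provider Filter)
[filter:SessionMiddlewareFilter]
paste.filter_app_factory = beaker.middleware:SessionMiddleware
beaker.session.key = openid

# Session signing secret.  This is a fixed test-fixture value committed to the
# repository; it must not be reused for any real deployment, which needs its
# own generated secret kept out of version control.
beaker.session.secret = qKEdQdCr33NE087dRUWX3qUv5r7AsuQU

# Locations of the cache data and session save directories
beaker.cache.data_dir = %(here)s/openidprovider/beaker/cache
beaker.session.data_dir = %(here)s/openidprovider/beaker/sessions
beaker.session.cookie_expires = True

# Not set here: beaker.session.secure and beaker.session.httponly.  Both are
# worth enabling once the service is actually served over TLS, as the https
# scheme in [DEFAULT] implies.
#beaker.session.cookie_domain = .localhost

# Key name for keying into environ dictionary
environ_key = %(beakerSessionKeyName)s
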
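# NOTE(review): this filter is not referenced by [pipeline:main], so it is
# inert in this configuration.  The section name also looks like it is missing
# an 'l' (SSLCient); it is left unchanged in case something refers to it by
# name.
[filter:SSLCientAuthKitFilter]
paste.filter_app_factory = authkit.authenticate:middleware

# AuthKit Set-up
setup.method = cookie

# This cookie name and secret MUST agree with the name used by the
# Authentication Filter used to secure a given app
cookie.name = ndg.security.auth

# Test-fixture cookie signing secret (the same value as authkit.cookie.secret
# in the OpenIDRelyingPartyFilter section).  Never reuse it outside this test
# configuration.
cookie.secret = 9wvZObs9anUEhSIAnJNoY2iJq59FfYZr
cookie.signoutpath = /logout

# Disable inclusion of client IP address from cookie signature due to
# suspected problem with AuthKit setting it when a HTTP Proxy is in place
cookie.includeip = False

#cookie.params.domain = .localhost
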
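[filter:OpenIDRelyingPartyFilter]
paste.filter_app_factory =
        ndg.security.server.wsgi.openid.relyingparty:OpenIDRelyingPartyMiddleware.filter_app_factory

openid.relyingparty.baseURL = %(authkit.openid.baseurl)s

# Uncomment to restrict sign in to a whitelist of trusted OpenID Providers.
# While this is left commented out the Relying Party presumably accepts any
# Provider the user enters - acceptable for an integration test only.
#openid.relyingparty.idpWhitelistConfigFilePath = %(here)s/openidrelyingparty/ssl-idp-validator.xml

openid.relyingparty.signinInterfaceMiddlewareClass = ndg.security.server.wsgi.openid.relyingparty.signin_interface.genshi.GenshiSigninTemplate

# Nb. in this configuration, this directory provides static content for both
# this filter and the OpenID Provider app downstream in the WSGI stack.
openid.relyingparty.signinInterface.staticContentRootDir = %(here)s/public

openid.relyingparty.signinInterface.baseURL = %(openid.relyingparty.baseURL)s
openid.relyingparty.signinInterface.initialOpenID = %(openIDProviderIDSelectURI)s
openid.relyingparty.signinInterface.heading = OpenID Sign-in

# This setting will accept HTML mark-up, i.e. it is rendered unescaped into the
# sign-in page.  Only ever set it from this (trusted) file, never from
# user-supplied data.
openid.relyingparty.signinInterface.footerText = This site is for test purposes only.   <a class="FooterLink" href="http://openid.net/what/" target="_blank"><small>What is OpenID?</small></a>
openid.relyingparty.signinInterface.rightLink = http://ceda.ac.uk/
openid.relyingparty.signinInterface.rightImage = %(openid.relyingparty.signinInterface.baseURL)s/layout/CEDA_RightButton60.png
openid.relyingparty.signinInterface.rightAlt = Centre for Environmental Data Archival
openid.relyingparty.signinInterface.helpIcon = %(openid.relyingparty.signinInterface.baseURL)s/layout/icons/help.png

# Working directory for cached data (which component reads this key is not
# visible from this file)
cache_dir = %(here)s/data

# AuthKit Set-up
authkit.setup.method = openid, cookie

# This cookie name and secret MUST agree with the name used by the
# Authentication Filter used to secure a given app
authkit.cookie.name = ndg.security.auth

# Test-fixture cookie signing secret committed to the repository.  Never reuse
# it outside this test configuration.
authkit.cookie.secret = 9wvZObs9anUEhSIAnJNoY2iJq59FfYZr
authkit.cookie.signoutpath = /logout
#authkit.cookie.params.domain = .localhost

# Disable inclusion of client IP address from cookie signature due to
# suspected problem with AuthKit setting it when a HTTP Proxy is in place
authkit.cookie.includeip = False

authkit.openid.path.signedin = /
authkit.openid.store.type = file
authkit.openid.store.config = %(here)s/openidrelyingparty/store
authkit.openid.session.key = authkit_openid

# Placeholder value: the literal text "random string" is not a random secret.
# Tolerable only because this file configures a local integration test; a
# deployment must set a properly generated secret here.
authkit.openid.session.secret = random string

# Key name for dereferencing beaker.session object held in environ
authkit.openid.session.middleware = %(beakerSessionKeyName)s

authkit.openid.baseurl = %(baseURI)s

# Template for signin
#authkit.openid.template.obj =

# Handler for parsing OpenID and creating a session from it
#authkit.openid.urltouser =

# Attribute Exchange - all are optional unless the relevant ax.required.<name>
# is set to True.  The alias defers to the parameter name given unless
# explicitly specified - see commented out entry for firstName below.  The
# number of attributes for each attribute name defaults to 1 unless otherwise
# set
#authkit.openid.ax.typeuri.firstName=http://openid.net/schema/namePerson/first
#authkit.openid.ax.alias.firstName=firstName
##authkit.openid.ax.count.firstName=1
#authkit.openid.ax.required.firstName=True
#authkit.openid.ax.typeuri.lastName=http://openid.net/schema/namePerson/last
#authkit.openid.ax.alias.lastName=lastName
#authkit.openid.ax.required.lastName=True
#authkit.openid.ax.typeuri.emailAddress=http://openid.net/schema/contact/internet/email
#authkit.openid.ax.alias.emailAddress=emailAddress
#authkit.openid.ax.required.emailAddress=True

# ESG Gateway requested parameters.  Attribute values arrive asserted by the
# Provider; nothing here verifies them beyond the OpenID signature.
authkit.openid.ax.typeuri.uuid = http://openid.net/schema/person/guid
authkit.openid.ax.alias.uuid = uuid
authkit.openid.ax.typeuri.username = http://openid.net/schema/namePerson/friendly
authkit.openid.ax.alias.username = username
authkit.openid.ax.typeuri.firstname = http://openid.net/schema/namePerson/first
authkit.openid.ax.alias.firstname = firstname
authkit.openid.ax.required.firstname = True
authkit.openid.ax.typeuri.middlename = http://openid.net/schema/namePerson/middle
authkit.openid.ax.alias.middlename = middlename
authkit.openid.ax.typeuri.lastname = http://openid.net/schema/namePerson/last
authkit.openid.ax.required.lastname = True
authkit.openid.ax.alias.lastname = lastname
authkit.openid.ax.typeuri.email = http://openid.net/schema/contact/internet/email
authkit.openid.ax.required.email = True
authkit.openid.ax.alias.email = email
authkit.openid.ax.typeuri.gateway = http://www.earthsystemgrid.org/gateway
authkit.openid.ax.alias.gateway = gateway
authkit.openid.ax.typeuri.organization = http://openid.net/schema/company/name
authkit.openid.ax.alias.organization = organization
authkit.openid.ax.typeuri.city = http://openid.net/schema/contact/city/home
authkit.openid.ax.alias.city = city
authkit.openid.ax.typeuri.state = http://openid.net/schema/contact/state/home
authkit.openid.ax.alias.state = state
authkit.openid.ax.typeuri.country = http://openid.net/schema/contact/country/home
authkit.openid.ax.alias.country = country
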
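#______________________________________________________________________________
# OpenID Provider WSGI Settings
[app:OpenIDProviderApp]
paste.app_factory = ndg.security.server.wsgi.openid.provider:OpenIDProviderMiddleware.app_factory

openid.provider.path.openidserver = /OpenID/Provider/server
openid.provider.path.login = /OpenID/Provider/login
openid.provider.path.loginsubmit = /OpenID/Provider/loginsubmit

# Yadis based discovery only - the 'id' path may be set to a page with
# <link rel="openid.server" href="..."> and Yadis
# <meta http-equiv="x-xrds-location" content="..."> links if required, but in
# this implementation it is set to return 404 Not Found - see the
# ndg.security.server.wsgi.openid.provider.renderinginterface.genshi.GenshiRendering
# class
openid.provider.path.id = /OpenID/Provider/id/${userIdentifier}
openid.provider.path.yadis = %(openIDProviderIDBase)s/${userIdentifier}

# Yadis based discovery for idselect mode - this is where the user has entered
# a URI at the Relying Party which identifies their Provider only and not their
# full ID URI.  e.g. https://badc.nerc.ac.uk instead of
# https://badc.nerc.ac.uk/John
openid.provider.path.serveryadis = %(openIDProviderIDBase)s
openid.provider.path.allow = /OpenID/Provider/allow
openid.provider.path.decide = /OpenID/Provider/decide
openid.provider.path.mainpage = /OpenID/Provider/home

openid.provider.session_middleware = %(beakerSessionKeyName)s
openid.provider.base_url = %(baseURI)s

# Enable login to construct an identity URI if IDSelect mode was chosen and
# no identity URI was passed from the Relying Party.  This value should
# match openid.provider.path.id and/or openid.provider.path.yadis - see above
identityUriTemplate = %(baseURI)s%(openIDProviderIDBase)s/${userIdentifier}

# Protocol tracing.  Keep False outside of debugging - trace output would
# presumably log OpenID request/response content; confirm before enabling.
openid.provider.trace = False
openid.provider.consumer_store_dirpath = %(here)s/openidprovider
openid.provider.renderingClass = ndg.security.server.wsgi.openid.provider.renderinginterface.genshi.GenshiRendering
#openid.provider.renderingClass=ndg.security.server.wsgi.openid.provider.DemoRenderingInterface

# Templates
openid.provider.rendering.templateRootDir = %(here)s/openidprovider/templates

# Layout
openid.provider.rendering.baseURL = %(openid.provider.base_url)s
openid.provider.rendering.helpIcon = %(openid.provider.rendering.baseURL)s/layout/icons/help.png
openid.provider.rendering.footerText = This site is for test purposes only.
openid.provider.rendering.rightLink = http://ceda.ac.uk/
openid.provider.rendering.rightImage = %(openid.provider.rendering.baseURL)s/layout/CEDA_RightButton60.png
openid.provider.rendering.rightAlt = Centre for Environmental Data Archival

# Basic Authentication interface to demonstrate capabilities
#openid.provider.authNInterface=ndg.security.server.wsgi.openid.provider.authninterface.basic.BasicAuthNInterface
openid.provider.authNInterface = ndg.security.server.wsgi.openid.provider.authninterface.sqlalchemy_authn.SQLAlchemyAuthnInterface
openid.provider.authN.connectionString = %(dbConnectionString)s

# NOTE(review): the ${username} and ${password} placeholders are filled in by
# SQLAlchemyAuthnInterface.  Whether it binds them as query parameters or
# substitutes them textually into the SQL string is not visible from this
# file - confirm, since textual substitution of user-supplied login fields
# into the query would make it injectable.
openid.provider.authN.logonSqlQuery = select count(*) from users where username = '${username}' and md5password = '${password}'
openid.provider.authN.username2UserIdentifierSqlQuery = select openid_identifier from users where username = '${username}'

# The md5password column holds MD5 digests.  MD5 is adequate only for this
# test fixture, not as a password hash for a deployment.
openid.provider.authN.isMD5EncodedPwd = True

# user login details format is:
# <username>:<password>:<OpenID name>, ... <OpenID name N> <username>:... etc
# Each user entry is delimited by a space. username, password and OpenID name
# list are delimited by a colon.  The list of OpenID names are delimited by
# commas.  The OpenID name represents the unique part of the OpenID URL for the
# individual user.  Each username may have more than one OpenID alias but only
# one alias at a time may be registered with a given Attribute Authority.
# Plaintext test credentials - test fixture only.
openid.provider.authN.userCreds = pjk:testpassword:PhilipKershaw,P.J.Kershaw another:testpassword:A.N.Other

# Basic authentication for testing/admin - comma delimited list of
# <username>:<password> pairs
#openid.provider.usercreds=pjk:test

# Attribute Exchange interface
#openid.provider.axResponse.class=ndg.security.server.wsgi.openid.provider.axinterface.csv.CSVFileAXInterface
#openid.provider.axResponse.csvFilePath=%(here)s/openidprovider/attributeexchange.csv
openid.provider.axResponse.class = ndg.security.server.wsgi.openid.provider.axinterface.sqlalchemy_ax.SQLAlchemyAXInterface
openid.provider.axResponse.connectionString = %(dbConnectionString)s
# Same ${username} placeholder caveat as for the authN queries above.
openid.provider.axResponse.sqlQuery = select firstname, lastname, emailaddress from users where username = '${username}'
# Attribute type URIs, one per line - presumably in the column order of
# sqlQuery; confirm against SQLAlchemyAXInterface.
openid.provider.axResponse.attributeNames = http://openid.net/schema/namePerson/first
    http://openid.net/schema/namePerson/last
    http://openid.net/schema/contact/internet/email

# Comma delimited list of Relying Party URIs treated as trusted.  What
# "trusted" skips (e.g. the user's allow/decide step) is defined by the
# Provider code, not visible here.
openid.provider.trustedRelyingParties = https://localhost:7443, https://ndg.somewhere.ac.uk,
        https://badc.somewhere.ac.uk
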
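# Logging configuration (Python logging.config.fileConfig layout)
[loggers]
keys = root, ndg

[handlers]
keys = console

[formatters]
keys = generic

[logger_root]
level = INFO
handlers = console

# No handlers of its own and no propagate setting, so ndg records propagate
# to root's console handler.  DEBUG output from the security packages may
# include request detail; lower this for anything beyond a local test run.
[logger_ndg]
level = DEBUG
handlers =
qualname = ndg

# args is evaluated with eval() by logging.config.fileConfig, so this file
# must only ever be loaded from a trusted location.
[handler_console]
class = StreamHandler
args = (sys.stderr,)
level = NOTSET
formatter = generic

# The %(field)s tokens below are logging format fields; fileConfig reads
# format and datefmt raw, so they are not configparser interpolation.
[formatter_generic]
format = %(asctime)s.%(msecs)03d %(levelname)-7.7s [%(name)s:%(lineno)s] %(message)s
datefmt = %Y-%m-%d %H:%M:%S
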