Revision 4775, 18.6 KB checked in by pjkersha, 11 years ago (diff)
  • Moved StaticURLParser app for serving OpenID Provider static content from into a Paste ini file [composit:...] - for combined services unit tests and default and full paster templates
  • Added main_app factory class method to OpenIDProviderMiddleware to fit main_app function signature required for Paste ini file to run OpenID Provider as the main app rather than as a filter.
1#
2# NERC DataGrid Security
3#
# Paste configuration for combined security web services deployment:
# * Session Manager (SOAP, [filter:SessionManagerFilter])
# * Attribute Authority (SOAP, [filter:AttributeAuthorityFilter])
# * WS-Security signature verification / signing filters
# * HTTP Basic authentication filter (AuthKit)
# * OpenID Provider and the Beaker session middleware it depends on
# * Single Sign On app and static content, selected through a Paste cascade
#
# NOTE: this is the *unit test* configuration.  It holds placeholder secrets
# and test passphrases in clear text (sessionManager.authNService.userPriKeyPwd,
# beaker.session.secret, authkit.cookie.secret,
# openid.provider.authN.connectionString), binds to every interface over plain
# HTTP, and points at test CA/key material under $NDGSEC_UNITTEST_CONFIG_DIR.
# Do not reuse it for a deployment without replacing every secret, and restrict
# read access to this file: the Attribute Authority and Session Manager filters
# re-read it at run time through their propFilePath settings.
#
8# The %(here)s variable will be replaced with the parent directory of this file
9#
10# Author: P J Kershaw
11# date: 30/11/05
12# Copyright: (C) 2009 Science and Technology Facilities Council
13# license: This software may be distributed under the terms of the Q Public
14# License, version 1.0 or later.
15# Contact: Philip.Kershaw@stfc.ac.uk
16# Revision: $Id$
17
18[DEFAULT]
19#______________________________________________________________________________
20# Attribute Authority settings
21# 'name' setting MUST agree with map config file 'thisHost' name attribute
22attributeAuthority.name: Site A
23
# Lifetime is measured in seconds (28800 = 8 hours).  A shorter lifetime
# narrows the window in which a leaked or replayed Attribute Certificate stays
# usable; balance it against the wallet refresh interval set by
# credentialWallet.attCertRefreshElapse below.
25attributeAuthority.attCertLifetime: 28800 
26
# Allow an offset for clock skew between servers running security services.
# NB, measured in seconds - use a minus sign to move the notBefore time into
# the past.  Keep the magnitude small: a large negative value only widens the
# acceptance window for every certificate issued, so fix skew with clock
# synchronisation (NTP) rather than by tuning this.
30attributeAuthority.attCertNotBeforeOff: 0
31
# All Attribute Certificates issued are recorded in this dir.  This is the
# audit trail of what the Attribute Authority asserted and for whom; treat it
# as sensitive and make it writable only by the service account.
33attributeAuthority.attCertDir: $NDGSEC_UNITTEST_CONFIG_DIR/attributeauthority/sitea/attributeCertificateLog
34
# Files in attCertDir are stored using a rotating file handler.
# attCertFileLogCnt sets the max number of files created before the first is
# overwritten - i.e. the on-disk audit trail is bounded to that many issued
# certificates.  Raise it, or copy the records elsewhere, if the history is
# needed for incident investigation.
38attributeAuthority.attCertFileName: ac.xml
39attributeAuthority.attCertFileLogCnt: 16
40attributeAuthority.dnSeparator:/
41
42# Location of role mapping file
43attributeAuthority.mapConfigFile: $NDGSEC_UNITTEST_CONFIG_DIR/attributeauthority/sitea/siteAMapConfig.xml
44
45# Settings for custom AAUserRoles derived class to get user roles for given
46# user ID
47attributeAuthority.userRolesModFilePath: $NDGSEC_UNITTEST_CONFIG_DIR/attributeauthority/sitea
48attributeAuthority.userRolesModName: siteAUserRoles
49attributeAuthority.userRolesClassName: TestUserRoles
50
# Config for XML signature of Attribute Certificate.  signingPriKeyFilePath is
# the Attribute Authority's signing key and must be readable only by the
# service account: anyone holding it can sign Attribute Certificates in this
# authority's name.
52attributeAuthority.signingPriKeyFilePath: $NDGSEC_UNITTEST_CONFIG_DIR/attributeauthority/sitea/siteA-aa.key
53attributeAuthority.signingCertFilePath: $NDGSEC_UNITTEST_CONFIG_DIR/attributeauthority/sitea/siteA-aa.crt
54attributeAuthority.caCertFilePathList: $NDGSEC_UNITTEST_CONFIG_DIR/ca/ndg-test-ca.crt
55
56#______________________________________________________________________________
57# Session Manager specific settings - commented out settings will take their
58# default settings.  To override the defaults uncomment and set as required.
59# See ndg.security.server.sessionmanager module for details
60
61# Credential Wallet Settings - global to all user sessions
62#
63# CA certificates for Attribute Certificate signature validation
64sessionManager.credentialWallet.caCertFilePathList=$NDGSEC_UNITTEST_CONFIG_DIR/ca/ndg-test-ca.crt
65
# CA certificates for SSL connection peer cert. validation - required if
# connecting to an Attribute Authority over SSL.  Every CA listed here can
# vouch for a host as an Attribute Authority, so keep the list to the minimum
# actually needed.
68sessionManager.credentialWallet.sslCACertFilePathList=$NDGSEC_UNITTEST_CONFIG_DIR/ca/ndg-test-ca.crt
69
70# Allow Get Attribute Certificate calls to try to get a mapped certificate
71# from another organisation trusted by the target Attribute Authority
72sessionManager.credentialWallet.mapFromTrustedHosts=True
73sessionManager.credentialWallet.rtnExtAttCertList=True
74
75# Refresh an Attribute Certificate, if an existing one in the wallet has only
76# this length of time left before it expires
77credentialWallet.attCertRefreshElapse=7200
78
79# Pointer to WS-Security settings.  These WS-Security settings are for use
80# by user credential wallets held in user sessions hosted by the Session
81# Manager.  They enable individual wallets to query Attribute Authorities for
82# user Attribute Certificates.  Nb. the difference between these settings and
83# the WS-Security section for handling requests to the Session Manager.
84#
85# Settings are identified by a prefix. 
86sessionManager.credentialWallet.wssCfgPrefix=sessionManager.credentialWallet.wssecurity
87
88# ...A section name could also be used.
89#sessionManager.credentialWallet.wssCfgSection=
90
91# SOAP Signature Handler settings for the Credential Wallet's Attribute
92# Authority interface
93#
94# CA Certificates used to verify X.509 certs used in Attribute Certificates.
95# The CA certificates of other NDG trusted sites should go here.  NB, multiple
96# values should be delimited by a space
97sessionManager.credentialWallet.wssecurity.caCertFilePathList: $NDGSEC_UNITTEST_CONFIG_DIR/ca/ndg-test-ca.crt
98
99# Signature of an outbound message
100#
101# Certificate associated with private key used to sign a message.  The sign
102# method will add this to the BinarySecurityToken element of the WSSE header. 
103# binSecTokValType attribute must be set to 'X509' or 'X509v3' ValueType. 
104# As an alternative, use signingCertChain - see below...
105
106# PEM encoded cert
107sessionManager.credentialWallet.wssecurity.signingCertFilePath: $NDGSEC_UNITTEST_CONFIG_DIR/sessionmanager/sm.crt
108
109# ... or provide file path to PEM encoded private key file
110sessionManager.credentialWallet.wssecurity.signingPriKeyFilePath: $NDGSEC_UNITTEST_CONFIG_DIR/sessionmanager/sm.key
111
112# Set the ValueType for the BinarySecurityToken added to the WSSE header for a
113# signed message.  See __setReqBinSecTokValType method and binSecTokValType
114# class variable for options - it may be one of X509, X509v3, X509PKIPathv1 or
115# give full namespace to alternative - see
116# ZSI.wstools.Namespaces.OASIS.X509TOKEN
117#
118# binSecTokValType determines whether signingCert or signingCertChain
119# attributes will be used.
120sessionManager.credentialWallet.wssecurity.reqBinSecTokValType: X509v3
121
# Add a timestamp element to an outbound message.  The WS-Security Timestamp
# is what allows a receiver to reject replayed messages (provided its
# signature handler checks the Created/Expires values) - keep it enabled.
123sessionManager.credentialWallet.wssecurity.addTimestamp: True
124
125# For WSSE 1.1 - service returns signature confirmation containing signature
126# value sent by client
127sessionManager.credentialWallet.wssecurity.applySignatureConfirmation: True
128
129# Authentication service properties
130sessionManager.authNService.moduleFilePath: 
131sessionManager.authNService.moduleName: ndg.security.test.config.sessionmanager.userx509certauthn
132sessionManager.authNService.className: UserX509CertAuthN
133
# Specific settings for UserCertAuthN Session Manager authentication plugin.
# This sets up PKI credentials for a single test account.  NB, the private key
# passphrase (userPriKeyPwd) is stored in clear text below, which is acceptable
# only for the unit test key.  For any real deployment load the passphrase
# from an environment variable or secrets store instead, and make sure this
# ini file is not world-readable.
136sessionManager.authNService.userX509CertFilePath: $NDGSEC_UNITTEST_CONFIG_DIR/pki/user.crt
137sessionManager.authNService.userPriKeyFilePath: $NDGSEC_UNITTEST_CONFIG_DIR/pki/user.key
138sessionManager.authNService.userPriKeyPwd: testpassword
139
140[server:main]
# HTTP server for the combined services.  NB, host 0.0.0.0 binds every network
# interface and egg:Paste#http serves plain, unencrypted HTTP.  The WS-Security
# signatures protect SOAP message integrity but not the HTTP Basic credentials
# (httpBasicAuthFilter) or the session cookies, so outside the unit tests bind
# to 127.0.0.1 or terminate TLS in front of this server.
141use = egg:Paste#http
142host = 0.0.0.0
143port = 5000
144
145[filter-app:mainApp]
146use = egg:Paste#httpexceptions
147next = cascade
148
149[composit:cascade]
150use = egg:Paste#cascade
151app1 = static
152app2 = SingleSignOnService
153catch = 404
154
155[app:static]
156use = egg:Paste#static
# Everything under document_root is served to unauthenticated clients (the
# cascade above tries this app before SingleSignOnService).  Keep only public
# assets here - never keys, templates containing secrets, or this ini file.
157document_root = %(here)s/openidprovider
158
159[app:SingleSignOnService]
160paste.app_factory = ndg.security.server.sso.sso.config.middleware:make_app
161cache_dir = %(here)s/data
162beaker.session.key = sso
# Beaker uses this secret to validate the SSO session cookie: anyone who knows
# it can forge sessions.  'somesecret' is a placeholder for the unit tests -
# generate a long random value per deployment and keep it out of version
# control.
163beaker.session.secret = somesecret
164
165# If you'd like to fine-tune the individual locations of the cache data dirs
166# for the Cache data, or the Session saves, un-comment the desired settings
167# here:
168#beaker.cache.data_dir = %(here)s/data/cache
169#beaker.session.data_dir = %(here)s/data/sessions
170
# WARNING: debug MUST remain 'false' in any production environment.  Debug
# mode enables the interactive debugger, which lets ANYONE who can trigger an
# exception execute arbitrary code on the server.  (The line is intentionally
# active here - do not comment it out or set it to true.)
174set debug = false
175
176configfile = %(here)s/singleSignOnService/sso.cfg
177#configfile = /home/pjkersha/workspace/security/python/ndg.security.server/ndg/security/server/sso/sso.cfg
178
179# AuthKit Set-up
180authkit.setup.method=openid, cookie
# Placeholder: the cookie secret protects the AuthKit authentication cookie and
# must be replaced with a random, per-deployment value (distinct from the
# Beaker secret above).
181authkit.cookie.secret=secret encryption string
182authkit.cookie.signoutpath = /logout
183authkit.openid.path.signedin=/
184authkit.openid.store.type=file
185authkit.openid.store.config=%(here)s/data/openid
186authkit.openid.session.key = authkit_openid
# Also a placeholder - despite its value this is not a random string.
187authkit.openid.session.secret = random string
188
# Base URL AuthKit uses when building the OpenID return URL.  Plain http is
# fine for local tests; a deployment must use https here (and a host name the
# relying parties actually reach) so the cookies above are never sent in clear.
189authkit.openid.baseurl = http://localhost
190
191# Template for signin
192authkit.openid.template.obj = ndg.security.server.sso.sso.lib.openid_util:make_template
193
194# Handler for parsing OpenID and creating a session from it
195authkit.openid.urltouser = ndg.security.server.sso.sso.lib.openid_util:url2user
196
# Filter chain, applied in the order listed.  The order is security relevant:
# wsseSignatureVerificationFilter must precede the SOAP service filters that
# reference it through their wsseSignatureVerificationFilterID settings
# (AttributeAuthorityFilter, SessionManagerFilter), and SessionMiddlewareFilter
# must precede OpenIDProviderFilter, which relies on the beaker.session it
# installs.  Only the first four entries are SOAP related.
198[pipeline:main]
199pipeline = wsseSignatureVerificationFilter
200                   AttributeAuthorityFilter
201           SessionManagerFilter
202           wsseSignatureFilter
203           httpBasicAuthFilter
204           SessionMiddlewareFilter
205           OpenIDProviderFilter
206           testHarnessFilter
207           mainApp
208
209[filter:testHarnessFilter]
210paste.filter_app_factory = 
211        ndg.security.test.combinedservices.serverapp:filter_app_factory
212sessionManagerFilterID = filter:SessionManagerFilter
213attributeAuthorityFilterID = filter:AttributeAuthorityFilter
214
215#______________________________________________________________________________
216# Attribute Authority WSGI settings
217#
218[filter:AttributeAuthorityFilter]
219# This filter is a container for a binding to a SOAP based interface to the
220# Attribute Authority
221paste.filter_app_factory = ndg.security.server.wsgi.soap:SOAPBindingMiddleware
222
223# Use this ZSI generated SOAP service interface class to handle i/o for this
224# filter
225ServiceSOAPBindingClass = ndg.security.server.zsi.attributeauthority.AttributeAuthorityWS
226
227# SOAP Binding Class specific keywords are in this section identified by this
228# prefix:
229ServiceSOAPBindingPropPrefix = AttributeAuthority
230
231# The AttributeAuthority class has settings in the default section above
232# identified by this prefix:
233AttributeAuthority.propPrefix = attributeAuthority
234AttributeAuthority.propFilePath = %(here)s/services.ini
235AttributeAuthority.wsseSignatureVerificationFilterID = filter:wsseSignatureVerificationFilter
236
237# Provide an identifier for this filter so that main WSGI app
238# CombinedServicesWSGI Session Manager filter can call this Attribute Authority
239# directly
240referencedFilters = filter:wsseSignatureVerificationFilter
241
242# Path from URL for Attribute Authority in this Paste deployment
243path = /AttributeAuthority
244
# Enable ?wsdl query argument to list the WSDL content.  Useful for the tests;
# consider disabling in production, since it publishes the full service
# interface to unauthenticated callers.
246enableWSDLQuery = True
247charset = utf-8
248filterID = %(__name__)s
249
250#______________________________________________________________________________
251# Session Manager WSGI settings
252#
253[filter:SessionManagerFilter]
254# This filter is a container for a binding to a SOAP based interface to the
255# Session Manager
256paste.filter_app_factory = ndg.security.server.wsgi.soap:SOAPBindingMiddleware
257
258# Use this ZSI generated SOAP service interface class to handle i/o for this
259# filter
260ServiceSOAPBindingClass = ndg.security.server.zsi.sessionmanager.SessionManagerWS
261
262# SOAP Binding Class specific keywords are in this section identified by this
263# prefix:
264ServiceSOAPBindingPropPrefix = SessionManager
265
266# The SessionManager class has settings in the default section above identified
267# by this prefix:
268SessionManager.propPrefix = sessionManager
269SessionManager.propFilePath = %(here)s/services.ini
270
271# This filter references other filters - a local Attribute Authority (optional)
272# and a WS-Security signature verification filter (required if using signature
273# to authenticate user in requests
274SessionManager.attributeAuthorityFilterID = filter:AttributeAuthorityFilter
275SessionManager.wsseSignatureVerificationFilterID = filter:wsseSignatureVerificationFilter
276
277# The SessionManagerWS SOAP interface class needs to know about these other
278# filters
279referencedFilters = filter:wsseSignatureVerificationFilter
280                                        filter:AttributeAuthorityFilter
281
282# Path from URL for Session Manager in this Paste deployment
283path = /SessionManager
284
# Enable ?wsdl query argument to list the WSDL content.  Useful for the tests;
# consider disabling in production, since it publishes the full service
# interface to unauthenticated callers.
286enableWSDLQuery = True
287charset = utf-8
288
289# Provide an identifier for this filter so that main WSGI app
290# CombinedServicesWSGI can call this Session Manager directly
291filterID = %(__name__)s
292
293#______________________________________________________________________________
294# WS-Security Signature Verification
295[filter:wsseSignatureVerificationFilter]
296paste.filter_app_factory = ndg.security.server.wsgi.wssecurity:SignatureVerificationFilter
297filterID = %(__name__)s
298
299# Settings for WS-Security SignatureHandler class used by this filter
300wsseCfgFilePrefix = wssecurity
301
# Verify against known CAs - Provide a space separated list of file paths.
# This list is the trust anchor for every signed SOAP request reaching the
# Attribute Authority and Session Manager: any CA here can issue a certificate
# that will be accepted as a valid signer, so keep it minimal and prefer a
# separate CA list from the one used for SSL/TLS peer validation.
303wssecurity.caCertFilePathList=$NDGSEC_UNITTEST_CONFIG_DIR/ca/ndg-test-ca.crt
304
305#______________________________________________________________________________
306# Apply WS-Security Signature
307[filter:wsseSignatureFilter]
308paste.filter_app_factory = ndg.security.server.wsgi.wssecurity:ApplySignatureFilter
309
310# Reference the verification filter in order to be able to apply signature
311# confirmation
312referencedFilters = filter:wsseSignatureVerificationFilter
313wsseSignatureVerificationFilterID = filter:wsseSignatureVerificationFilter
314
315# Last filter in chain of SOAP handlers writes the response
316writeResponse = True
317
318# Settings for WS-Security SignatureHandler class used by this filter
319wsseCfgFilePrefix = wssecurity
320
321# Certificate associated with private key used to sign a message.  The sign
322# method will add this to the BinarySecurityToken element of the WSSE header. 
323wssecurity.signingCertFilePath=$NDGSEC_UNITTEST_CONFIG_DIR/pki/wsse-server.crt
324
# PEM encoded private key file used to sign responses - readable only by the
# service account, never world-readable.
326wssecurity.signingPriKeyFilePath=$NDGSEC_UNITTEST_CONFIG_DIR/pki/wsse-server.key
327
328# Set the ValueType for the BinarySecurityToken added to the WSSE header for a
329# signed message.  See __setReqBinSecTokValType method and binSecTokValType
330# class variable for options - it may be one of X509, X509v3, X509PKIPathv1 or
331# give full namespace to alternative - see
332# ZSI.wstools.Namespaces.OASIS.X509TOKEN
333#
334# binSecTokValType determines whether signingCert or signingCertChain
335# attributes will be used.
336wssecurity.reqBinSecTokValType=X509v3
337
338# Add a timestamp element to an outbound message
339wssecurity.addTimestamp=True
340
341# For WSSE 1.1 - service returns signature confirmation containing signature
342# value sent by client
343wssecurity.applySignatureConfirmation=True
344
345#______________________________________________________________________________
# Apply HTTP Basic Authentication using AuthKit to enable a convenient non-SOAP
# based call to the Session Manager connect method.  NB, Basic auth sends the
# password base64-encoded, i.e. effectively in clear text, and [server:main]
# serves plain HTTP - outside the unit tests this filter must sit behind TLS.
348[filter:httpBasicAuthFilter]
349paste.filter_app_factory = authkit.authenticate:middleware
350setup_method=basic
351basic_realm=NDG Security Combined Services Tests
352basic_authenticate_function=ndg.security.test.combinedservices.serverapp:CombinedServicesWSGI.httpBasicAuthentication
353
354
355#______________________________________________________________________________
# OpenID Provider WSGI Settings.  NB, openid.provider.base_url below appears to
# be the origin used for the provider's endpoint/Yadis URLs (it also feeds
# rendering.baseURL).  It is set to http://localhost:8000 although
# [server:main] listens on port 5000, so check it matches the address relying
# parties actually use, and make it https in any deployment so login form data
# and assertions are not sent in clear.
357[filter:OpenIDProviderFilter]
358paste.filter_app_factory=ndg.security.server.wsgi.openid.provider:OpenIDProviderMiddleware
359openid.provider.path.openidserver=/openid/endpoint
360openid.provider.path.login=/openid/login
361openid.provider.path.loginsubmit=/openid/loginsubmit
362
363# Comment out next two lines and uncomment the third to disable URL based
364# discovery and allow only Yadis based instead
365openid.provider.path.id=/openid/id
366openid.provider.path.yadis=/openid/yadis
367#openid.provider.path.yadis=/id/
368
369openid.provider.path.serveryadis=/openid/serveryadis
370openid.provider.path.allow=/openid/allow
371openid.provider.path.decide=/openid/decide
372openid.provider.path.mainpage=/openid/
373openid.provider.session_middleware=beaker.session
374openid.provider.base_url=http://localhost:8000
375openid.provider.trace=False
376openid.provider.renderingClass=ndg.security.server.wsgi.openid.provider.renderinginterface.buffet.BuffetRendering
377#openid.provider.renderingClass=ndg.security.server.wsgi.openid.provider.DemoRenderingInterface
378
379openid.provider.rendering.templateType = kid
380openid.provider.rendering.templateRoot = ndg.security.server.wsgi.openid.provider.renderinginterface.buffet.templates
381openid.provider.rendering.kid.assume_encoding= utf-8
382openid.provider.rendering.kid.encoding = utf-8
383
384# Layout
385openid.provider.rendering.baseURL = %(openid.provider.base_url)s
386openid.provider.rendering.leftLogo = %(openid.provider.rendering.baseURL)s/layout/NERC_Logo.gif
387openid.provider.rendering.leftAlt = Natural Environment Research Council
388openid.provider.rendering.ndgLink = http://ndg.nerc.ac.uk/
389openid.provider.rendering.ndgImage = %(openid.provider.rendering.baseURL)s/layout/ndg_logo_circle.gif
390openid.provider.rendering.disclaimer = This site is for test purposes only and is under active development.
391openid.provider.rendering.stfcLink = http://ceda.stfc.ac.uk/
392openid.provider.rendering.stfcImage = %(openid.provider.rendering.baseURL)s/layout/stfc-circle-sm.gif
393openid.provider.rendering.helpIcon = %(openid.provider.rendering.baseURL)s/layout/icons/help.png
394
395
396#openid.provider.sregResponseHandler=ndg.security.server.pylons.container.lib.openid_provider_util:esgSRegResponseHandler
397#openid.provider.axResponseHandler=ndg.security.server.pylons.container.lib.openid_provider_util:esgAXResponseHandler
398
# Basic Authentication interface to demonstrate capabilities - demo only.  The
# hard-coded username:password pairs below must never be enabled on a
# reachable service.
400#openid.provider.authNInterface=ndg.security.server.wsgi.openid.provider.BasicAuthNInterface
401#openid.provider.authN.userCreds=pjk:test
402#openid.provider.authN.username2UserIdentifiers=pjk:PhilipKershaw,P.J.Kershaw
403
404# Link Authentication to a Session Manager instance running in the same WSGI
405# stack or on a remote service
406openid.provider.authNInterface=ndg.security.server.wsgi.openid.provider.authninterface.sessionmanager.SessionManagerOpenIDAuthNInterface
407
408# Omit or leave as blank if the Session Manager is accessible locally in the
409# same WSGI stack.
410openid.provider.authN.sessionManagerURI=
411
412# environ dictionary key to Session Manager WSGI instance held locally.  The
413# setting below is the default and can be omitted if it matches the filterID
414# set for the Session Manager
415#openid.provider.authN.environKey=filter:SessionManagerFilter
416
# Database connection to enable check between username and OpenID identifier.
# NB, the connection string embeds the 'postgres' superuser password in clear
# text - use a dedicated low-privilege role with read access to the 'openid'
# table only, and keep the credentials out of this file.  The two SQL templates
# below have $username / $userIdentifier substituted in from the login
# request; unless the consumer (the authNInterface configured above) escapes
# or parameterises those values, the queries are open to SQL injection.
# Verify that in its source before reusing this configuration.
418openid.provider.authN.connectionString: postgres://postgres:testpassword@localhost/testUserDb
419openid.provider.authN.logonSQLQuery: select username from openid where username = '$username' and ident = '$userIdentifier'
420openid.provider.authN.userIdentifiersSQLQuery: select distinct ident from openid where username = '$username'
421
# Basic authentication for testing/admin - comma delimited list of
# <username>:<password> pairs in clear text.  Leave this commented out: it is
# a test-only credential list and must not be enabled alongside the
# database-backed authentication.
424#openid.provider.usercreds=pjk:test
425
426#______________________________________________________________________________
# Beaker Session Middleware (used by OpenID Provider Filter).  No session type,
# secret or cookie settings are given here, so Beaker's defaults apply; before
# deploying, confirm that a validation secret and secure/HTTP-only cookie
# flags are configured for the OpenID Provider session, as is done for the
# SSO app.
428[filter:SessionMiddlewareFilter]
429paste.filter_app_factory=beaker.middleware:SessionMiddleware
430
# Logging configuration.  The ndg logger runs at DEBUG for the tests; lower it
# to INFO in production, since debug output from the security modules may
# include SOAP message bodies and credential material.
432[loggers]
433keys = root, ndg
434
435[handlers]
436keys = console
437
438[formatters]
439keys = generic
440
441[logger_root]
442level = INFO
443handlers = console
444
445[logger_ndg]
446level = DEBUG
447handlers =
448qualname = ndg
449
450[handler_console]
451class = StreamHandler
452args = (sys.stderr,)
453level = NOTSET
454formatter = generic
455
456[formatter_generic]
457format = %(asctime)s,%(msecs)03d %(levelname)-5.5s [%(name)s] %(message)s
458datefmt = %H:%M:%S
459