source: TI12-security/trunk/python/ndg.security.test/ndg/security/test/combinedservices/services.ini @ 4890

Revision 4890, 19.5 KB checked in by pjkersha, 11 years ago (diff)
  • fixed inclusion of badc templates and static content for SSO in ndg.security.server egg
  • fix to SSO logout controller to use WSGI client wrapper for Session Manager call
  • Refactored SM and AA WSGI client wrappers adding a base class in clientbase module and including check for match for URI request by client to URI endpoint of WSGI service running locally.
1#
2# NERC DataGrid Security
3#
4# Paste configuration for combined security web services deployment:
5# * Session Manager
6# * Attribute Authority
7#
8# The %(here)s variable will be replaced with the parent directory of this file
9#
10# Author: P J Kershaw
11# date: 30/11/05
12# Copyright: (C) 2009 Science and Technology Facilities Council
13# license: BSD - see LICENSE file in top-level directory
14# Contact: Philip.Kershaw@stfc.ac.uk
15# Revision: $Id$
16
17[DEFAULT]
18#______________________________________________________________________________
19# Attribute Authority settings
20# The 'name' setting MUST agree with the 'thisHost' name attribute in the map config file
21attributeAuthority.name: Site A
22
23# Lifetime is measured in seconds
24attributeAuthority.attCertLifetime: 28800 
25
26# Offset applied to the certificate's notBefore time to allow for clock skew
27# between the servers running security services.  Measured in seconds; use a
28# negative value to move notBefore into the past.
29attributeAuthority.attCertNotBeforeOff: 0
30
31# All Attribute Certificates issued are recorded in this dir
32attributeAuthority.attCertDir: $NDGSEC_UNITTEST_CONFIG_DIR/attributeauthority/sitea/attributeCertificateLog
33
34# Files in attCertDir are stored using a rotating file handler
35# attCertFileLogCnt sets the max number of files created before the first is
36# overwritten
37attributeAuthority.attCertFileName: ac.xml
38attributeAuthority.attCertFileLogCnt: 16
39attributeAuthority.dnSeparator:/
40
41# Location of role mapping file
42attributeAuthority.mapConfigFile: $NDGSEC_UNITTEST_CONFIG_DIR/attributeauthority/sitea/siteAMapConfig.xml
43
44# Settings for custom AttributeInterface derived class to get user roles for given
45# user ID
46attributeAuthority.attributeInterface.modFilePath: $NDGSEC_UNITTEST_CONFIG_DIR/attributeauthority/sitea
47attributeAuthority.attributeInterface.modName: siteAUserRoles
48attributeAuthority.attributeInterface.className: TestUserRoles
49
50# Config for XML signature of Attribute Certificate
51attributeAuthority.signingPriKeyFilePath: $NDGSEC_UNITTEST_CONFIG_DIR/attributeauthority/sitea/siteA-aa.key
52attributeAuthority.signingCertFilePath: $NDGSEC_UNITTEST_CONFIG_DIR/attributeauthority/sitea/siteA-aa.crt
53attributeAuthority.caCertFilePathList: $NDGSEC_UNITTEST_CONFIG_DIR/ca/ndg-test-ca.crt
54
55#______________________________________________________________________________
56# Session Manager specific settings - settings that are commented out take
57# their default values.  To override a default, uncomment the line and set it
58# as required.  See the ndg.security.server.sessionmanager module for details
59
60# Credential Wallet Settings - global to all user sessions
61#
62# CA certificates for Attribute Certificate signature validation
63sessionManager.credentialWallet.caCertFilePathList=$NDGSEC_UNITTEST_CONFIG_DIR/ca/ndg-test-ca.crt
64
65# CA certificates for SSL connection peer cert. validation - required if
66# connecting to an Attribute Authority over SSL
67sessionManager.credentialWallet.sslCACertFilePathList=$NDGSEC_UNITTEST_CONFIG_DIR/ca/ndg-test-ca.crt
68
69# Allow Get Attribute Certificate calls to try to get a mapped certificate
70# from another organisation trusted by the target Attribute Authority
71sessionManager.credentialWallet.mapFromTrustedHosts=True
72sessionManager.credentialWallet.rtnExtAttCertList=True
73
74# Refresh an Attribute Certificate if the existing one in the wallet has only
75# this length of time left before it expires.  NB, unlike the other wallet
# settings this key carries no 'sessionManager.' prefix - confirm the Session
# Manager reads it as intended.
76credentialWallet.attCertRefreshElapse=7200
77
78# Pointer to WS-Security settings.  These WS-Security settings are for use
79# by user credential wallets held in user sessions hosted by the Session
80# Manager.  They enable individual wallets to query Attribute Authorities for
81# user Attribute Certificates.  Note the difference between these settings and
82# the WS-Security section for handling requests made to the Session Manager.
83#
84# Settings are identified by a prefix.
85sessionManager.credentialWallet.wssCfgPrefix=sessionManager.credentialWallet.wssecurity
86
87# ...A section name could also be used.
88#sessionManager.credentialWallet.wssCfgSection=
89
90# SOAP Signature Handler settings for the Credential Wallet's Attribute
91# Authority interface
92#
93# CA Certificates used to verify X.509 certs used in Attribute Certificates.
94# The CA certificates of other NDG trusted sites should go here.  NB, multiple
95# values should be delimited by a space
96sessionManager.credentialWallet.wssecurity.caCertFilePathList: $NDGSEC_UNITTEST_CONFIG_DIR/ca/ndg-test-ca.crt
97
98# Signature of an outbound message
99#
100# Certificate associated with private key used to sign a message.  The sign
101# method will add this to the BinarySecurityToken element of the WSSE header. 
102# binSecTokValType attribute must be set to 'X509' or 'X509v3' ValueType. 
103# As an alternative, use signingCertChain - see below...
104
105# PEM encoded cert
106sessionManager.credentialWallet.wssecurity.signingCertFilePath: $NDGSEC_UNITTEST_CONFIG_DIR/sessionmanager/sm.crt
107
108# ... or provide file path to PEM encoded private key file
109sessionManager.credentialWallet.wssecurity.signingPriKeyFilePath: $NDGSEC_UNITTEST_CONFIG_DIR/sessionmanager/sm.key
110
111# Set the ValueType for the BinarySecurityToken added to the WSSE header for a
112# signed message.  See __setReqBinSecTokValType method and binSecTokValType
113# class variable for options - it may be one of X509, X509v3, X509PKIPathv1 or
114# give full namespace to alternative - see
115# ZSI.wstools.Namespaces.OASIS.X509TOKEN
116#
117# binSecTokValType determines whether signingCert or signingCertChain
118# attributes will be used.
119sessionManager.credentialWallet.wssecurity.reqBinSecTokValType: X509v3
120
121# Add a timestamp element to an outbound message
122sessionManager.credentialWallet.wssecurity.addTimestamp: True
123
124# For WSSE 1.1 - service returns signature confirmation containing signature
125# value sent by client
126sessionManager.credentialWallet.wssecurity.applySignatureConfirmation: True
127
128# Authentication service properties
129sessionManager.authNService.moduleFilePath: 
130sessionManager.authNService.moduleName: ndg.security.test.config.sessionmanager.userx509certauthn
131sessionManager.authNService.className: UserX509CertAuthN
132
133# Specific settings for the UserCertAuthN Session Manager authentication plugin.
134# This sets up PKI credentials for a single test account.  The private key
# passphrase below is held in clear text; that is acceptable only for this
# unit-test fixture.
135sessionManager.authNService.userX509CertFilePath: $NDGSEC_UNITTEST_CONFIG_DIR/pki/user.crt
136sessionManager.authNService.userPriKeyFilePath: $NDGSEC_UNITTEST_CONFIG_DIR/pki/user.key
137sessionManager.authNService.userPriKeyPwd: testpassword
138
139[server:main]
140use = egg:Paste#http
141host = 0.0.0.0
142port = 8000
143
144[filter-app:mainApp]
145use = egg:Paste#httpexceptions
146next = cascade
147
148[composit:cascade]
149use = egg:Paste#cascade
150app1 = static
151app2 = SingleSignOnService
152catch = 404
153
154[app:static]
155use = egg:Paste#static
156document_root = %(here)s/openidprovider
157
158[app:SingleSignOnService]
159paste.app_factory = ndg.security.server.sso.sso.config.middleware:make_app
160cache_dir = %(here)s/data
161beaker.session.key = sso
162beaker.session.secret = somesecret
163
164# If you'd like to fine-tune the individual locations of the cache data dirs
165# for the Cache data, or the Session saves, un-comment the desired settings
166# here:
167#beaker.cache.data_dir = %(here)s/data/cache
168#beaker.session.data_dir = %(here)s/data/sessions
169
170# WARNING: *DEBUG MUST BE SWITCHED OFF (set debug = false) IN A PRODUCTION ENVIRONMENT*
171# Debug mode enables the interactive debugging tool, allowing ANYONE to
172# execute arbitrary code after an exception is raised.
173set debug = true
174
175configfile = %(here)s/singlesignonservice/sso.cfg
176#configfile = /home/pjkersha/workspace/security/python/ndg.security.server/ndg/security/server/sso/sso.cfg
177
178# AuthKit set-up.  NB, the key 'authkit.openid.sess-ion.secret' below looks
# like a typo for 'authkit.openid.session.secret'; if so, AuthKit will not see
# the OpenID session secret - confirm before use.  The cookie and session
# secret values here are fixed placeholder strings for the test deployment.
179authkit.setup.method=openid, cookie
180authkit.cookie.secret=secret encryption string
181authkit.cookie.signoutpath = /logout
182authkit.openid.path.signedin=/
183authkit.openid.store.type=file
184authkit.openid.store.config=%(here)s/data/openid
185authkit.openid.session.key = authkit_openid
186authkit.openid.sess-ion.secret = random string
187
188authkit.openid.baseurl = http://localhost
189
190# Template for signin
191authkit.openid.template.obj = ndg.security.server.sso.sso.lib.openid_util:make_template
192
193# Handler for parsing OpenID and creating a session from it
194authkit.openid.urltouser = ndg.security.server.sso.sso.lib.openid_util:url2user
195
196# Chain of middleware filters, applied in the order listed (first entry is the outermost filter)
197[pipeline:main]
198pipeline = wsseSignatureVerificationFilter
199                   AttributeAuthorityFilter
200           SessionManagerFilter
201           wsseSignatureFilter
202           httpBasicAuthFilter
203           SessionMiddlewareFilter
204           OpenIDProviderFilter
205           testHarnessFilter
206           mainApp
207
208[filter:testHarnessFilter]
209paste.filter_app_factory = 
210        ndg.security.test.combinedservices.serverapp:filter_app_factory
211sessionManagerFilterID = filter:SessionManagerFilter
212attributeAuthorityFilterID = filter:AttributeAuthorityFilter
213
214#______________________________________________________________________________
215# Attribute Authority WSGI settings
216#
217[filter:AttributeAuthorityFilter]
218# This filter is a container for a binding to a SOAP based interface to the
219# Attribute Authority
220paste.filter_app_factory = ndg.security.server.wsgi.soap:SOAPBindingMiddleware
221
222# Use this ZSI generated SOAP service interface class to handle i/o for this
223# filter
224ServiceSOAPBindingClass = ndg.security.server.zsi.attributeauthority.AttributeAuthorityWS
225
226# SOAP Binding Class specific keywords are in this section identified by this
227# prefix:
228ServiceSOAPBindingPropPrefix = AttributeAuthority
229
230# The AttributeAuthority class has settings in the default section above
231# identified by this prefix:
232AttributeAuthority.propPrefix = attributeAuthority
233AttributeAuthority.propFilePath = %(here)s/services.ini
234AttributeAuthority.wsseSignatureVerificationFilterID = filter:wsseSignatureVerificationFilter
235
236# Other filters in this stack that this filter depends on.  The identifier by
237# which the main WSGI app CombinedServicesWSGI and the Session Manager filter
238# reach this Attribute Authority directly is the filterID setting at the end of this section
239referencedFilters = filter:wsseSignatureVerificationFilter
240
241# Path from URL for Attribute Authority in this Paste deployment
242path = /AttributeAuthority
243
244# External endpoint for this Attribute Authority - must agree with setting used
245# to invoke this service set in:
246# * serverapp.py
247# * or port in [server:main] if calling with paster serve services.ini
248# * or something else e.g. proxied through Apache?
249# This setting is used by Attribute Authority clients in this WSGI stack to see
250# if a request is being made to the local service or to another Attribute
251# Authority running elsewhere
252publishedURI = http://localhost:8000%(path)s
253
254# Enable ?wsdl query argument to list the WSDL content
255enableWSDLQuery = True
256charset = utf-8
257filterID = %(__name__)s
258
259#______________________________________________________________________________
260# Session Manager WSGI settings
261#
262[filter:SessionManagerFilter]
263# This filter is a container for a binding to a SOAP based interface to the
264# Session Manager
265paste.filter_app_factory = ndg.security.server.wsgi.soap:SOAPBindingMiddleware
266
267# Use this ZSI generated SOAP service interface class to handle i/o for this
268# filter
269ServiceSOAPBindingClass = ndg.security.server.zsi.sessionmanager.SessionManagerWS
270
271# SOAP Binding Class specific keywords are in this section identified by this
272# prefix:
273ServiceSOAPBindingPropPrefix = SessionManager
274
275# The SessionManager class has settings in the default section above identified
276# by this prefix:
277SessionManager.propPrefix = sessionManager
278SessionManager.propFilePath = %(here)s/services.ini
279
280# This filter references other filters - a local Attribute Authority (optional)
281# and a WS-Security signature verification filter (required if signatures are
282# used to authenticate the user making requests)
283SessionManager.attributeAuthorityFilterID = filter:AttributeAuthorityFilter
284SessionManager.wsseSignatureVerificationFilterID = filter:wsseSignatureVerificationFilter
285
286# The SessionManagerWS SOAP interface class needs to know about these other
287# filters
288referencedFilters = filter:wsseSignatureVerificationFilter
289                                        filter:AttributeAuthorityFilter
290
291# Path from URI for Session Manager in this Paste deployment
292path = /SessionManager
293
294# External endpoint for this Session Manager - must agree with setting used to
295# invoke this service set in:
296# * serverapp.py
297# * or port in [server:main] if calling with paster serve services.ini
298# * or something else e.g. proxied through Apache?
299# This setting is used by Session Manager clients in this WSGI stack to see if
300# a request is being made to the local service or to another session manager
301# running elsewhere
302publishedURI = http://localhost:8000%(path)s
303
304# Enable ?wsdl query argument to list the WSDL content
305enableWSDLQuery = True
306charset = utf-8
307
308# Provide an identifier for this filter so that main WSGI app
309# CombinedServicesWSGI can call this Session Manager directly
310filterID = %(__name__)s
311
312#______________________________________________________________________________
313# WS-Security Signature Verification
314[filter:wsseSignatureVerificationFilter]
315paste.filter_app_factory = ndg.security.server.wsgi.wssecurity:SignatureVerificationFilter
316filterID = %(__name__)s
317
318# Settings for WS-Security SignatureHandler class used by this filter
319wsseCfgFilePrefix = wssecurity
320
321# Verify against known CAs - Provide a space separated list of file paths
322wssecurity.caCertFilePathList=$NDGSEC_UNITTEST_CONFIG_DIR/ca/ndg-test-ca.crt
323
324#______________________________________________________________________________
325# Apply WS-Security Signature
326[filter:wsseSignatureFilter]
327paste.filter_app_factory = ndg.security.server.wsgi.wssecurity:ApplySignatureFilter
328
329# Reference the verification filter in order to be able to apply signature
330# confirmation
331referencedFilters = filter:wsseSignatureVerificationFilter
332wsseSignatureVerificationFilterID = filter:wsseSignatureVerificationFilter
333
334# Last filter in chain of SOAP handlers writes the response
335writeResponse = True
336
337# Settings for WS-Security SignatureHandler class used by this filter
338wsseCfgFilePrefix = wssecurity
339
340# Certificate associated with private key used to sign a message.  The sign
341# method will add this to the BinarySecurityToken element of the WSSE header. 
342wssecurity.signingCertFilePath=$NDGSEC_UNITTEST_CONFIG_DIR/pki/wsse-server.crt
343
344# PEM encoded private key file
345wssecurity.signingPriKeyFilePath=$NDGSEC_UNITTEST_CONFIG_DIR/pki/wsse-server.key
346
347# Set the ValueType for the BinarySecurityToken added to the WSSE header for a
348# signed message.  See __setReqBinSecTokValType method and binSecTokValType
349# class variable for options - it may be one of X509, X509v3, X509PKIPathv1 or
350# give full namespace to alternative - see
351# ZSI.wstools.Namespaces.OASIS.X509TOKEN
352#
353# binSecTokValType determines whether signingCert or signingCertChain
354# attributes will be used.
355wssecurity.reqBinSecTokValType=X509v3
356
357# Add a timestamp element to an outbound message
358wssecurity.addTimestamp=True
359
360# For WSSE 1.1 - service returns signature confirmation containing signature
361# value sent by client
362wssecurity.applySignatureConfirmation=True
363
364#______________________________________________________________________________
365# Apply HTTP Basic Authentication using AuthKit to enable a convenient non-SOAP
366# call to the Session Manager connect method
367[filter:httpBasicAuthFilter]
368paste.filter_app_factory = authkit.authenticate:middleware
369setup_method=basic
370basic_realm=NDG Security Combined Services Tests
371basic_authenticate_function=ndg.security.test.combinedservices.serverapp:CombinedServicesWSGI.httpBasicAuthentication
372
373
374#______________________________________________________________________________
375# OpenID Provider WSGI Settings
376[filter:OpenIDProviderFilter]
377paste.filter_app_factory=ndg.security.server.wsgi.openid.provider:OpenIDProviderMiddleware
378openid.provider.path.openidserver=/openid/endpoint
379openid.provider.path.login=/openid/login
380openid.provider.path.loginsubmit=/openid/loginsubmit
381
382# Comment out the next two lines and uncomment the third to disable URL based
383# discovery and allow only Yadis based discovery instead
384openid.provider.path.id=/openid/id
385openid.provider.path.yadis=/openid/yadis
386#openid.provider.path.yadis=/id/
387
388openid.provider.path.serveryadis=/openid/serveryadis
389openid.provider.path.allow=/openid/allow
390openid.provider.path.decide=/openid/decide
391openid.provider.path.mainpage=/openid/
392openid.provider.session_middleware=beaker.session
393openid.provider.base_url=http://localhost:8000
394openid.provider.trace=False
395openid.provider.renderingClass=ndg.security.server.wsgi.openid.provider.renderinginterface.buffet.BuffetRendering
396#openid.provider.renderingClass=ndg.security.server.wsgi.openid.provider.DemoRenderingInterface
397
398openid.provider.rendering.templateType = kid
399openid.provider.rendering.templateRoot = ndg.security.server.wsgi.openid.provider.renderinginterface.buffet.templates
400openid.provider.rendering.kid.assume_encoding= utf-8
401openid.provider.rendering.kid.encoding = utf-8
402
403# Layout
404openid.provider.rendering.baseURL = %(openid.provider.base_url)s
405openid.provider.rendering.leftLogo = %(openid.provider.rendering.baseURL)s/layout/NERC_Logo.gif
406openid.provider.rendering.leftAlt = Natural Environment Research Council
407openid.provider.rendering.ndgLink = http://ndg.nerc.ac.uk/
408openid.provider.rendering.ndgImage = %(openid.provider.rendering.baseURL)s/layout/ndg_logo_circle.gif
409openid.provider.rendering.disclaimer = This site is for test purposes only and is under active development.
410openid.provider.rendering.stfcLink = http://ceda.stfc.ac.uk/
411openid.provider.rendering.stfcImage = %(openid.provider.rendering.baseURL)s/layout/stfc-circle-sm.gif
412openid.provider.rendering.helpIcon = %(openid.provider.rendering.baseURL)s/layout/icons/help.png
413
414
415#openid.provider.sregResponseHandler=ndg.security.server.pylons.container.lib.openid_provider_util:esgSRegResponseHandler
416#openid.provider.axResponseHandler=ndg.security.server.pylons.container.lib.openid_provider_util:esgAXResponseHandler
417
418# Basic Authentication interface to demonstrate capabilities
419#openid.provider.authNInterface=ndg.security.server.wsgi.openid.provider.authninterface.basic.BasicAuthNInterface
420#openid.provider.authN.userCreds=pjk:test
421#openid.provider.authN.username2UserIdentifiers=pjk:PhilipKershaw,P.J.Kershaw
422
423# Link Authentication to a Session Manager instance running in the same WSGI
424# stack or on a remote service
425openid.provider.authNInterface=ndg.security.server.wsgi.openid.provider.authninterface.sessionmanager.SessionManagerOpenIDAuthNInterface
426
427# Omit or leave as blank if the Session Manager is accessible locally in the
428# same WSGI stack.
429openid.provider.authN.sessionManagerURI=
430
431# environ dictionary key to Session Manager WSGI instance held locally.  The
432# setting below is the default and can be omitted if it matches the filterID
433# set for the Session Manager
434#openid.provider.authN.environKey=filter:SessionManagerFilter
435
436# Database connection to enable a check between username and OpenID identifier.
# NB, the connection string below carries the database password in clear text,
# and the two SQL query templates place $username and $userIdentifier directly
# inside string literals - confirm the authentication interface escapes or
# parameterises these values before substituting them, otherwise the lookup is
# open to SQL injection.
437openid.provider.authN.connectionString: postgres://postgres:testpassword@localhost/testUserDb
438openid.provider.authN.logonSQLQuery: select username from openid where username = '$username' and ident = '$userIdentifier'
439openid.provider.authN.userIdentifiersSQLQuery: select distinct ident from openid where username = '$username'
440
441# Basic authentication for testing/admin - comma delimited list of
442# <username>:<password> pairs
443#openid.provider.usercreds=pjk:test
444
445#______________________________________________________________________________
446# Beaker Session Middleware (used by OpenID Provider Filter)
447[filter:SessionMiddlewareFilter]
448paste.filter_app_factory=beaker.middleware:SessionMiddleware
449
450# Logging configuration
451[loggers]
452keys = root, ndg
453
454[handlers]
455keys = console
456
457[formatters]
458keys = generic
459
460[logger_root]
461level = INFO
462handlers = console
463
464[logger_ndg]
465level = DEBUG
466handlers =
467qualname = ndg
468
469[handler_console]
470class = StreamHandler
471args = (sys.stderr,)
472level = NOTSET
473formatter = generic
474
475[formatter_generic]
476format = %(asctime)s,%(msecs)03d %(levelname)-5.5s [%(name)s] %(message)s
477datefmt = %H:%M:%S
478