Revision 5648, 14.4 KB checked in by pjkersha, 11 years ago (diff)

ndg.security.server.attributeauthority.AttributeAuthority: added samlAttributeQuery method and new AttributeInterface.getAttributes plugin class method to enable SAML support as needed for ESG.

1#
2# NERC DataGrid Security
3#
4# Paste configuration for combined Attribute Authority, OpenID Relying Party
5# and Provider services
6#
7# The %(here)s variable will be replaced with the parent directory of this file
8#
9# Author: P J Kershaw
10# date: 01/07/09
11# Copyright: (C) 2009 Science and Technology Facilities Council
12# license: BSD - see LICENSE file in top-level directory
13# Contact: Philip.Kershaw@stfc.ac.uk
14# Revision: $Id:$
15
# Keys in [DEFAULT] are available to every other section through %(key)s
# interpolation (Python configparser semantics, as used by Paste Deploy).
[DEFAULT]
# TCP port the combined services listen on; reused by [server:main]
portNum = 7443
hostname = localhost
# NOTE(review): baseURI is built from this scheme, so with 'http' the OpenID
# exchanges and the Beaker/AuthKit cookies configured further down travel in
# clear. Fine for a localhost integration test; a real deployment should use
# https (and a port to match).
scheme = http
baseURI = %(scheme)s://%(hostname)s:%(portNum)s
openIDProviderIDBase = /openid
# Provider-only identifier for OpenID "idselect" mode (see the
# openid.provider.path.serveryadis setting in [app:OpenIDProviderApp])
openIDProviderIDSelectURI = %(baseURI)s%(openIDProviderIDBase)s
# Shared test fixtures (certificates, keys, map config) relative to this file
testConfigDir = %(here)s/../../config
# environ key under which the Beaker session object is stored; referenced by
# the session, relying party and provider sections below
beakerSessionKeyName = beaker.session.ndg.security.services

#______________________________________________________________________________
# Attribute Authority settings
# 'name' setting MUST agree with map config file 'thisHost' name attribute
# NOTE(review): the attributeAuthority.* keys use ':' as delimiter while the
# rest of the file uses '='. configparser accepts both, but one style
# throughout would be easier to read.
attributeAuthority.name: Site A

# Lifetime is measured in seconds (28800 s = 8 hours). The trailing space
# after the value is stripped by configparser but could be tidied away.
attributeAuthority.attCertLifetime: 28800 

# Allow an offset for clock skew between servers running
# security services. NB, measured in seconds - use a minus sign for time in the
# past
attributeAuthority.attCertNotBeforeOff: 0

# All Attribute Certificates issued are recorded in this dir
attributeAuthority.attCertDir: %(testConfigDir)s/attributeauthority/sitea/attributeCertificateLog

# Files in attCertDir are stored using a rotating file handler
# attCertFileLogCnt sets the max number of files created before the first is
# overwritten
attributeAuthority.attCertFileName: ac.xml
attributeAuthority.attCertFileLogCnt: 16
# Separator used between DN components (value is "/"; no spaces around ':')
attributeAuthority.dnSeparator:/

# Location of role mapping file
attributeAuthority.mapConfigFilePath: %(testConfigDir)s/attributeauthority/sitea/siteAMapConfig.xml

# Settings for custom AttributeInterface derived class to get user roles for given
# user ID
#attributeAuthority.attributeInterface.modFilePath: %(testConfigDir)s/attributeauthority/sitea
attributeAuthority.attributeInterface.modName: ndg.security.test.integration.authz.attributeinterface
attributeAuthority.attributeInterface.className: TestUserRoles

# Config for XML signature of Attribute Certificate
# The private key below is what makes issued certificates trustworthy: keep
# the file readable by the service account only. Here it is a test key held
# under the shared test config tree.
attributeAuthority.signingPriKeyFilePath: %(testConfigDir)s/attributeauthority/sitea/siteA-aa.key
attributeAuthority.signingCertFilePath: %(testConfigDir)s/attributeauthority/sitea/siteA-aa.crt
# Trust anchor(s) for verifying peers; a single test CA in this fixture
attributeAuthority.caCertFilePathList: %(testConfigDir)s/ca/ndg-test-ca.crt
62
# Paste HTTP server for the whole stack.
# NOTE(review): host = 0.0.0.0 binds every network interface. Because this
# file carries fixed cookie/session secrets and plaintext test passwords
# (see the Beaker, AuthKit and openid.provider.authN.userCreds settings
# below), bind to 127.0.0.1 unless other hosts genuinely need to reach the
# test services.
[server:main]
use = egg:Paste#http
host = 0.0.0.0
port = %(portNum)s
67
# Wraps the cascade below in Paste's HTTP exception handler so exceptions
# raised by the provider are turned into HTTP error responses.
# NOTE(review): nothing in [pipeline:main] references this filter-app (the
# pipeline ends in OpenIDProviderApp directly), so it only takes effect if
# another entry point names it - confirm it is still needed.
[filter-app:OpenIDProviderFilterApp]
use = egg:Paste#httpexceptions
next = cascade
71
# Composite for OpenID Provider to enable settings for picking up static
# content
# Paste cascade: every request is tried against app1 first; a 404 from it
# (catch = 404) falls through to app2.
[composit:cascade]
use = egg:Paste#cascade
app1 = OpenIDProviderStaticContent
app2 = OpenIDProviderApp
catch = 404
79
# Static files for the OpenID Provider, served before the provider app gets
# the request (see [composit:cascade]).
# NOTE(review): the Beaker cache/session data_dir settings in
# [filter:SessionMiddlewareFilter] and openid.provider.consumer_store_dirpath
# in [app:OpenIDProviderApp] all point under %(here)s/openidprovider, i.e.
# inside this document_root. Where the cascade is mounted, and unless
# something upstream blocks those paths, session and consumer-store files
# would be retrievable as static content - confirm, and keep data
# directories outside any served tree.
[app:OpenIDProviderStaticContent]
use = egg:Paste#static
document_root = %(here)s/openidprovider
83
# Main WSGI stack, outermost filter first: a request passes through the
# filters in this order and ends at OpenIDProviderApp. Note the pipeline
# names OpenIDProviderApp directly rather than OpenIDProviderFilterApp /
# cascade above, so those sections are bypassed for this entry point.
# The indented lines are configparser value continuations; the uneven
# indentation is harmless but worth aligning.
[pipeline:main]
pipeline = wsseSignatureVerificationFilter
                   AttributeAuthorityFilter
           wsseSignatureFilter
                   SessionMiddlewareFilter
                   OpenIDRelyingPartyFilter
                   OpenIDProviderApp
91
#______________________________________________________________________________
# Beaker Session Middleware (used by OpenID Provider Filter)
[filter:SessionMiddlewareFilter]
paste.filter_app_factory=beaker.middleware:SessionMiddleware
# Name of the session cookie
beaker.session.key = openid
# NOTE(review): fixed secret committed with the file. Session cookies are
# signed with it, so anyone who has read this file can forge sessions the
# provider accepts. Generate a fresh random value per deployment and keep it
# out of version control. No beaker.session.secure flag is set either (it
# could not be honoured anyway with scheme = http in [DEFAULT]).
beaker.session.secret = qKEdQdCr33NE087dRUWX3qUv5r7AsuQU

# If you'd like to fine-tune the individual locations of the cache data dirs
# for the Cache data, or the Session saves, un-comment the desired settings
# here:
# NOTE(review): both directories sit under %(here)s/openidprovider, which is
# also the document_root of [app:OpenIDProviderStaticContent]; keep session
# files out of any directory that is served as static content.
beaker.cache.data_dir = %(here)s/openidprovider/beaker/cache
beaker.session.data_dir = %(here)s/openidprovider/beaker/sessions
beaker.session.cookie_expires = True

# Key name for keying into environ dictionary
environ_key = %(beakerSessionKeyName)s
108
# OpenID Relying Party filter (NDG middleware plus AuthKit for the cookie
# and OpenID consumer handling).
[filter:OpenIDRelyingPartyFilter]
# Value continues on the indented line below (configparser continuation)
paste.filter_app_factory = 
        ndg.security.server.wsgi.openid.relyingparty:OpenIDRelyingPartyMiddleware.filter_app_factory

# Resolved from the authkit.openid.baseurl key later in this section
openid.relyingparty.baseURL = %(authkit.openid.baseurl)s
openid.relyingparty.certFilePath = %(testConfigDir)s/pki/localhost.crt
openid.relyingparty.priKeyFilePath = %(testConfigDir)s/pki/localhost.key
# Empty: presumably the private key file above is unencrypted - confirm.
# Restrict the .key file to the service account either way.
openid.relyingparty.priKeyPwd = 
openid.relyingparty.caCertDirPath = %(testConfigDir)s/ca
# NOTE(review): empty, so no Provider whitelist file is configured and
# presumably any OpenID Provider a user names is accepted - confirm in
# OpenIDRelyingPartyMiddleware. Outside a test run, list the Providers that
# should be trusted.
openid.relyingparty.providerWhitelistFilePath =
openid.relyingparty.signinInterfaceMiddlewareClass = ndg.security.server.wsgi.openid.relyingparty.signin_interface.buffet.BuffetSigninTemplate
openid.relyingparty.signinInterface.templatePackage = ndg.security.server.wsgi.openid.relyingparty.signin_interface.buffet.templates
openid.relyingparty.signinInterface.staticContentRootDir = %(here)s/openidrelyingparty/public
openid.relyingparty.signinInterface.baseURL = %(openid.relyingparty.baseURL)s
# OpenID pre-filled in the sign-in form: the local Provider's idselect URI
openid.relyingparty.signinInterface.initialOpenID = %(openIDProviderIDSelectURI)s
# Sign-in page layout (logos, links, disclaimer text)
openid.relyingparty.signinInterface.leftLogo = %(openid.relyingparty.signinInterface.baseURL)s/layout/NERC_Logo.gif
openid.relyingparty.signinInterface.leftAlt = Natural Environment Research Council
openid.relyingparty.signinInterface.ndgLink = http://ndg.nerc.ac.uk/
openid.relyingparty.signinInterface.ndgImage = %(openid.relyingparty.signinInterface.baseURL)s/layout/ndg_logo_circle.gif
openid.relyingparty.signinInterface.disclaimer = This site is for test purposes only and is under active development.
openid.relyingparty.signinInterface.stfcLink = http://www.stfc.ac.uk/
openid.relyingparty.signinInterface.stfcImage = %(openid.relyingparty.signinInterface.baseURL)s/layout/stfc-circle-sm.gif
openid.relyingparty.signinInterface.helpIcon = %(openid.relyingparty.signinInterface.baseURL)s/layout/icons/help.png

cache_dir = %(here)s/data

# AuthKit Set-up
# Authentication methods in use: OpenID for sign-in, cookie for the session
authkit.setup.method=openid, cookie

# This cookie name and secret MUST agree with the name used by the
# Authentication Filter used to secure a given app
authkit.cookie.name=ndg.security.auth

# NOTE(review): fixed, committed secret used to sign the AuthKit auth
# cookie - same concern as beaker.session.secret above; generate per
# deployment and keep out of version control.
authkit.cookie.secret=9wvZObs9anUEhSIAnJNoY2iJq59FfYZr
authkit.cookie.signoutpath = /logout

# Disable inclusion of client IP address from cookie signature due to
# suspected problem with AuthKit setting it when a HTTP Proxy is in place
# (trade-off: the cookie is then not bound to the client address)
authkit.cookie.includeip = False

authkit.openid.path.signedin=/
# OpenID consumer state (associations, nonces) kept on disk under 'store'
authkit.openid.store.type=file
authkit.openid.store.config=%(here)s/openidrelyingparty/store
authkit.openid.session.key = authkit_openid
# NOTE(review): this is the literal text "random string", not a random
# value - replace with a generated secret.
authkit.openid.session.secret = random string

# Key name for dereferencing beaker.session object held in environ
authkit.openid.session.middleware = %(beakerSessionKeyName)s

authkit.openid.baseurl = %(baseURI)s

# Template for signin
#authkit.openid.template.obj =

# Handler for parsing OpenID and creating a session from it
#authkit.openid.urltouser =
165
#______________________________________________________________________________
# OpenID Provider WSGI Settings
[app:OpenIDProviderApp]
paste.app_factory=ndg.security.server.wsgi.openid.provider:OpenIDProviderMiddleware.app_factory

# URL paths handled by the provider (relative to openid.provider.base_url)
openid.provider.path.openidserver=/OpenID/Provider/server
openid.provider.path.login=/OpenID/Provider/login
openid.provider.path.loginsubmit=/OpenID/Provider/loginsubmit

# Yadis based discovery only - the 'id' path is configured to return 404 not
# found - see ndg.security.server.wsgi.openid.provider.renderinginterface.
# buffet.BuffetRendering class
# ${userIdentifier} is passed through literally by configparser (only
# %(...)s is interpolated); presumably the provider substitutes it at
# runtime.
openid.provider.path.id=/OpenID/Provider/id/${userIdentifier}
openid.provider.path.yadis=%(openIDProviderIDBase)s/${userIdentifier}

# Yadis based discovery for idselect mode - this is where the user has entered
# a URI at the Relying Party which identifies their Provider only and not their
# full ID URI.  e.g. https://badc.nerc.ac.uk instead of
# https://badc.nerc.ac.uk/John
openid.provider.path.serveryadis=%(openIDProviderIDBase)s
openid.provider.path.allow=/OpenID/Provider/allow
openid.provider.path.decide=/OpenID/Provider/decide
openid.provider.path.mainpage=/OpenID/Provider/home

# environ key of the Beaker session set up by [filter:SessionMiddlewareFilter]
openid.provider.session_middleware=%(beakerSessionKeyName)s
openid.provider.base_url=%(baseURI)s
# Keep False outside debugging sessions; tracing presumably logs protocol
# traffic - confirm what it emits before enabling.
openid.provider.trace=False
# NOTE(review): this is the document_root of [app:OpenIDProviderStaticContent];
# store data outside any directory that may be served as static content.
openid.provider.consumer_store_dirpath=%(here)s/openidprovider
openid.provider.renderingClass=ndg.security.server.wsgi.openid.provider.renderinginterface.buffet.BuffetRendering
#openid.provider.renderingClass=ndg.security.server.wsgi.openid.provider.DemoRenderingInterface

# Kid templates used by the Buffet rendering class
openid.provider.rendering.templateType = kid
openid.provider.rendering.templateRoot = ndg.security.server.wsgi.openid.provider.renderinginterface.buffet.templates
openid.provider.rendering.kid.assume_encoding= utf-8
openid.provider.rendering.kid.encoding = utf-8

# Layout
openid.provider.rendering.baseURL = %(openid.provider.base_url)s
openid.provider.rendering.leftLogo = %(openid.provider.rendering.baseURL)s/layout/NERC_Logo.gif
openid.provider.rendering.leftAlt = Natural Environment Research Council
openid.provider.rendering.ndgLink = http://ndg.nerc.ac.uk/
openid.provider.rendering.ndgImage = %(openid.provider.rendering.baseURL)s/layout/ndg_logo_circle.gif
openid.provider.rendering.disclaimer = This site is for test purposes only and is under active development.
openid.provider.rendering.stfcLink = http://www.stfc.ac.uk/
openid.provider.rendering.stfcImage = %(openid.provider.rendering.baseURL)s/layout/stfc-circle-sm.gif
openid.provider.rendering.helpIcon = %(openid.provider.rendering.baseURL)s/layout/icons/help.png

# Basic Authentication interface to demonstrate capabilities
openid.provider.authNInterface=ndg.security.server.wsgi.openid.provider.authninterface.basic.BasicAuthNInterface

# user login details format is:
# <username>:<password>:<OpenID name>, ... <OpenID name N> <username>:... etc
# Each user entry is delimited by a space. username, password and OpenID name
# list are delimited by a colon.  The list of OpenID names are delimited by
# commas.  The OpenID name represents the unique part of the OpenID URL for the
# individual user.  Each username may have more than one OpenID alias but only
# alias at a time may be registered with a given Attribute Authority
# NOTE(review): plaintext passwords in the config file. Acceptable only for
# this test fixture; anything beyond it should use an AuthNInterface backed
# by a proper credential store, and this file must not be world-readable.
openid.provider.authN.userCreds=pjk:testpassword:PhilipKershaw,P.J.Kershaw another:testpassword:A.N.Other

# Basic authentication for testing/admin - comma delimited list of
# <username>:<password> pairs
#openid.provider.usercreds=pjk:test
228
#______________________________________________________________________________
# Attribute Authority WSGI settings
#
[filter:AttributeAuthorityFilter]
# This filter is a container for a binding to a SOAP based interface to the
# Attribute Authority
paste.filter_app_factory = ndg.security.server.wsgi.zsi:SOAPBindingMiddleware

# Use this ZSI generated SOAP service interface class to handle i/o for this
# filter
ServiceSOAPBindingClass = ndg.security.server.zsi.attributeauthority.AttributeAuthorityWS

# SOAP Binding Class specific keywords are in this section identified by this
# prefix:
ServiceSOAPBindingPropPrefix = AttributeAuthority

# The AttributeAuthority class has settings in the default section above
# identified by this prefix:
AttributeAuthority.propPrefix = attributeAuthority
# This very file: the attributeAuthority.* keys are read from its [DEFAULT]
AttributeAuthority.propFilePath = %(here)s/securityservices.ini
AttributeAuthority.wsseSignatureVerificationFilterID = filter:wsseSignatureVerificationFilter

# Provide an identifier for this filter so that main WSGI app
# CombinedServicesWSGI Session Manager filter can call this Attribute Authority
# directly
referencedFilters = filter:wsseSignatureVerificationFilter

# Path from URL for Attribute Authority in this Paste deployment
path = /AttributeAuthority

# External endpoint for this Attribute Authority - must agree with setting used
# to invoke this service set in:
# * serverapp.py
# * or port in [server:main] if calling with paster serve securityservices.ini
# * or something else e.g. proxied through Apache?
# This setting is used by Attribute Authority clients in this WSGI stack to see
# if a request is being made to the local service or to another Attribute
# Authority running elsewhere
publishedURI = %(baseURI)s%(path)s

# Enable ?wsdl query argument to list the WSDL content
# Handy for a test service; it advertises the full interface, so consider
# disabling it for a production deployment.
enableWSDLQuery = True
charset = utf-8
# %(__name__)s interpolates to this section's own name (configparser sets
# __name__ per section), i.e. filter:AttributeAuthorityFilter - the same
# form used by the referencedFilters values.
filterID = %(__name__)s
273
#______________________________________________________________________________
# WS-Security Signature Verification
# First filter in [pipeline:main]: inbound SOAP messages are checked here
# before reaching the Attribute Authority binding.
[filter:wsseSignatureVerificationFilter]
paste.filter_app_factory = ndg.security.server.wsgi.wssecurity:SignatureVerificationFilter
# Section name (via configparser's per-section __name__), referenced by the
# Attribute Authority and signature filters
filterID = %(__name__)s

# Settings for WS-Security SignatureHandler class used by this filter
wsseCfgFilePrefix = wssecurity

# Verify against known CAs - Provide a space separated list of file paths
# Trust is anchored on the single test CA here; use the deployment's CA set
# outside the test environment.
wssecurity.caCertFilePathList=%(testConfigDir)s/ca/ndg-test-ca.crt
285
#______________________________________________________________________________
# Apply WS-Security Signature
# Signs outbound SOAP responses with the server key below.
[filter:wsseSignatureFilter]
paste.filter_app_factory = ndg.security.server.wsgi.wssecurity:ApplySignatureFilter

# Reference the verification filter in order to be able to apply signature
# confirmation
referencedFilters = filter:wsseSignatureVerificationFilter
wsseSignatureVerificationFilterID = filter:wsseSignatureVerificationFilter

# Last filter in chain of SOAP handlers writes the response
writeResponse = True

# Settings for WS-Security SignatureHandler class used by this filter
wsseCfgFilePrefix = wssecurity

# Certificate associated with private key used to sign a message.  The sign
# method will add this to the BinarySecurityToken element of the WSSE header.
wssecurity.signingCertFilePath=%(testConfigDir)s/pki/wsse-server.crt

# PEM encoded private key file
# No passphrase setting appears in this section, so presumably the key file
# is unencrypted - confirm; keep it readable by the service account only.
wssecurity.signingPriKeyFilePath=%(testConfigDir)s/pki/wsse-server.key

# Set the ValueType for the BinarySecurityToken added to the WSSE header for a
# signed message.  See __setReqBinSecTokValType method and binSecTokValType
# class variable for options - it may be one of X509, X509v3, X509PKIPathv1 or
# give full namespace to alternative - see
# ZSI.wstools.Namespaces.OASIS.X509TOKEN
#
# binSecTokValType determines whether signingCert or signingCertChain
# attributes will be used.
wssecurity.reqBinSecTokValType=X509v3

# Add a timestamp element to an outbound message
# (gives the recipient a basis for rejecting stale or replayed messages)
wssecurity.addTimestamp=True

# For WSSE 1.1 - service returns signature confirmation containing signature
# value sent by client
wssecurity.applySignatureConfirmation=True
325
# Logging configuration
# Standard Python logging.config.fileConfig schema, picked up by
# 'paster serve' when the [loggers] section is present.
[loggers]
keys = root, ndg

[handlers]
keys = console

[formatters]
keys = generic

[logger_root]
level = INFO
handlers = console

# NOTE(review): DEBUG for the whole ndg tree in a security service. Check
# that the ndg loggers do not emit credentials, cookies or signed tokens at
# this level before running anywhere other than a throw-away test.
[logger_ndg]
level = DEBUG
# No handler of its own: records propagate up to root's console handler
handlers =
qualname = ndg

[handler_console]
class = StreamHandler
# fileConfig evaluates this expression as Python, so this file must stay
# writable only by the service owner.
args = (sys.stderr,)
level = NOTSET
formatter = generic

[formatter_generic]
# %(asctime)s etc. are logging format fields; fileConfig reads this key raw,
# so configparser interpolation does not touch them.
format = %(asctime)s,%(msecs)03d %(levelname)-5.5s [%(name)s] %(message)s
datefmt = %H:%M:%S
354