source: TI12-security/trunk/python/ndg.security.test/ndg/security/test/integration/openid/securityservices.ini @ 5046


Added integration test for OpenID Relying Party and OpenID Provider in same WSGI stack.

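#
# NERC DataGrid Security
#
# Paste configuration for combined Session Manager, Attribute Authority,
# OpenID Relying Party and Provider services
#
# The %(here)s variable will be replaced with the parent directory of this file
#
# Author: P J Kershaw
# date: 26/02/09
# Copyright: (C) 2009 Science and Technology Facilities Council
# license: BSD - see LICENSE file in top-level directory
# Contact: Philip.Kershaw@stfc.ac.uk
# Revision: $Id$

# Keys in [DEFAULT] are inherited by every section below (ConfigParser
# semantics).  This is how the prefixed attributeAuthority.* and
# sessionManager.* settings reach the filters that point back at this file
# through their propFilePath settings.
[DEFAULT]
portNum = 9443
hostname = localhost
# http (not https) is acceptable for this localhost test stack only; any
# non-local deployment needs TLS so that the session and AuthKit cookies set
# by the filters below are not sent in clear text.
scheme = http
baseURI = %(scheme)s://%(hostname)s:%(portNum)s
testConfigDir = %(here)s/../../config

#______________________________________________________________________________
# Attribute Authority settings
# 'name' setting MUST agree with map config file 'thisHost' name attribute
attributeAuthority.name: Site A

# Lifetime is measured in seconds
attributeAuthority.attCertLifetime: 28800

# Allow an offset for clock skew between servers running
# security services. NB, measured in seconds - use a minus sign for time in the
# past
attributeAuthority.attCertNotBeforeOff: 0

# All Attribute Certificates issued are recorded in this dir
attributeAuthority.attCertDir: %(testConfigDir)s/attributeauthority/sitea/attributeCertificateLog

# Files in attCertDir are stored using a rotating file handler
# attCertFileLogCnt sets the max number of files created before the first is
# overwritten
attributeAuthority.attCertFileName: ac.xml
attributeAuthority.attCertFileLogCnt: 16
attributeAuthority.dnSeparator:/

# Location of role mapping file
attributeAuthority.mapConfigFile: %(testConfigDir)s/attributeauthority/sitea/siteAMapConfig.xml

# Settings for custom AttributeInterface derived class to get user roles for given
# user ID
attributeAuthority.attributeInterface.modFilePath: %(testConfigDir)s/attributeauthority/sitea
attributeAuthority.attributeInterface.modName: siteAUserRoles
attributeAuthority.attributeInterface.className: TestUserRoles

# Config for XML signature of Attribute Certificate
# The signing private key is read from disk - keep the key file's permissions
# restricted to the account running the service.
attributeAuthority.signingPriKeyFilePath: %(testConfigDir)s/attributeauthority/sitea/siteA-aa.key
attributeAuthority.signingCertFilePath: %(testConfigDir)s/attributeauthority/sitea/siteA-aa.crt
attributeAuthority.caCertFilePathList: %(testConfigDir)s/ca/ndg-test-ca.crt

#______________________________________________________________________________
# Session Manager specific settings - commented out settings will take their
# default settings.  To override the defaults uncomment and set as required.
# See ndg.security.server.sessionmanager module for details

# Credential Wallet Settings - global to all user sessions
#
# CA certificates for Attribute Certificate signature validation
sessionManager.credentialWallet.caCertFilePathList=%(testConfigDir)s/ca/ndg-test-ca.crt

# CA certificates for SSL connection peer cert. validation - required if
# connecting to an Attribute Authority over SSL
sessionManager.credentialWallet.sslCACertFilePathList=%(testConfigDir)s/ca/ndg-test-ca.crt

# Allow Get Attribute Certificate calls to try to get a mapped certificate
# from another organisation trusted by the target Attribute Authority
sessionManager.credentialWallet.mapFromTrustedHosts=True
sessionManager.credentialWallet.rtnExtAttCertList=True

# Refresh an Attribute Certificate, if an existing one in the wallet has only
# this length of time left before it expires
# NOTE(review): this key lacks the sessionManager. prefix carried by the other
# credentialWallet settings and by SessionManager.propPrefix below, so it may
# not be picked up by the Session Manager - confirm against the settings
# parser before renaming.
credentialWallet.attCertRefreshElapse=7200

# Pointer to WS-Security settings.  These WS-Security settings are for use
# by user credential wallets held in user sessions hosted by the Session
# Manager.  They enable individual wallets to query Attribute Authorities for
# user Attribute Certificates.  NB, the difference between these settings and
# the WS-Security section for handling requests to the Session Manager.
#
# Settings are identified by a prefix.
sessionManager.credentialWallet.wssCfgPrefix=sessionManager.credentialWallet.wssecurity

# ...A section name could also be used.
#sessionManager.credentialWallet.wssCfgSection=

# SOAP Signature Handler settings for the Credential Wallet's Attribute
# Authority interface
#
# CA Certificates used to verify X.509 certs used in Attribute Certificates.
# The CA certificates of other NDG trusted sites should go here.  NB, multiple
# values should be delimited by a space
sessionManager.credentialWallet.wssecurity.caCertFilePathList: %(testConfigDir)s/ca/ndg-test-ca.crt

# Signature of an outbound message
#
# Certificate associated with private key used to sign a message.  The sign
# method will add this to the BinarySecurityToken element of the WSSE header.
# binSecTokValType attribute must be set to 'X509' or 'X509v3' ValueType.
# As an alternative, use signingCertChain - see below...

# PEM encoded cert
sessionManager.credentialWallet.wssecurity.signingCertFilePath: %(testConfigDir)s/sessionmanager/sm.crt

# ... or provide file path to PEM encoded private key file
sessionManager.credentialWallet.wssecurity.signingPriKeyFilePath: %(testConfigDir)s/sessionmanager/sm.key

# Set the ValueType for the BinarySecurityToken added to the WSSE header for a
# signed message.  See __setReqBinSecTokValType method and binSecTokValType
# class variable for options - it may be one of X509, X509v3, X509PKIPathv1 or
# give full namespace to alternative - see
# ZSI.wstools.Namespaces.OASIS.X509TOKEN
#
# binSecTokValType determines whether signingCert or signingCertChain
# attributes will be used.
sessionManager.credentialWallet.wssecurity.reqBinSecTokValType: X509v3

# Add a timestamp element to an outbound message
sessionManager.credentialWallet.wssecurity.addTimestamp: True

# For WSSE 1.1 - service returns signature confirmation containing signature
# value sent by client
sessionManager.credentialWallet.wssecurity.applySignatureConfirmation: True

# Authentication service properties
sessionManager.authNService.moduleFilePath:
sessionManager.authNService.moduleName: ndg.security.test.config.sessionmanager.userx509certauthn
sessionManager.authNService.className: UserX509CertAuthN

# Specific settings for UserCertAuthN Session Manager authentication plugin
# This sets up PKI credentials for a single test account
sessionManager.authNService.userX509CertFilePath: %(testConfigDir)s/pki/user.crt
sessionManager.authNService.userPriKeyFilePath: %(testConfigDir)s/pki/user.key
# Test fixture value: the private key passphrase is held here in plain text.
# Outside the integration tests, source it from a secret store or a file with
# restricted permissions rather than from this (version controlled) file.
sessionManager.authNService.userPriKeyPwd: testpassword

[server:main]
use = egg:Paste#http
# 0.0.0.0 binds every interface on the host.  If only the local test client
# needs to reach this stack, 127.0.0.1 limits exposure of the test-only
# secrets configured below.
host = 0.0.0.0
port = %(portNum)s

[filter-app:OpenIDProviderApp]
use = egg:Paste#httpexceptions
next = cascade

# Composite for OpenID Provider to enable settings for picking up static
# content
[composit:cascade]
use = egg:Paste#cascade
app1 = OpenIDProviderStaticContent
app2 = OpenIDProviderMiddlewareApp
catch = 404

[app:OpenIDProviderStaticContent]
use = egg:Paste#static
document_root = %(here)s/openidprovider

[pipeline:main]
pipeline = wsseSignatureVerificationFilter
                   AttributeAuthorityFilter
           SessionManagerFilter
           wsseSignatureFilter
                   SessionMiddlewareFilter
                   OpenIDRelyingPartyFilter
                   OpenIDProviderApp

#______________________________________________________________________________
# Beaker Session Middleware (used by OpenID Provider Filter)
[filter:SessionMiddlewareFilter]
paste.filter_app_factory=beaker.middleware:SessionMiddleware
#beaker.session.key = sso
# Test fixture value: this secret protects the Beaker session cookie.  A
# deployment must use a unique, randomly generated value that is not committed
# to version control.
beaker.session.secret = somesecret

# If you'd like to fine-tune the individual locations of the cache data dirs
# for the Cache data, or the Session saves, uncomment the desired settings
# here:
beaker.cache.data_dir = %(here)s/beaker/cache
beaker.session.data_dir = %(here)s/beaker/sessions

[filter:OpenIDRelyingPartyFilter]
paste.filter_app_factory =
        ndg.security.server.wsgi.openid.relyingparty:OpenIDRelyingPartyMiddleware.filter_app_factory

openid.relyingparty.sessionKey = beaker.session
openid.relyingparty.baseURL = %(authkit.openid.baseurl)s
openid.relyingparty.signinInterfaceMiddlewareClass = ndg.security.server.wsgi.openid.relyingparty.signin_interface.buffet.BuffetSigninTemplate
openid.relyingparty.signinInterface.templatePackage = ndg.security.server.wsgi.openid.relyingparty.signin_interface.buffet.templates
openid.relyingparty.signinInterface.staticContentRootDir = %(here)s/openidrelyingparty/public
openid.relyingparty.signinInterface.baseURL = %(openid.relyingparty.baseURL)s
openid.relyingparty.signinInterface.leftLogo = %(openid.relyingparty.signinInterface.baseURL)s/layout/NERC_Logo.gif
openid.relyingparty.signinInterface.leftAlt = Natural Environment Research Council
openid.relyingparty.signinInterface.ndgLink = http://ndg.nerc.ac.uk/
openid.relyingparty.signinInterface.ndgImage = %(openid.relyingparty.signinInterface.baseURL)s/layout/ndg_logo_circle.gif
openid.relyingparty.signinInterface.disclaimer = This site is for test purposes only and is under active development.
openid.relyingparty.signinInterface.stfcLink = http://www.stfc.ac.uk/
openid.relyingparty.signinInterface.stfcImage = %(openid.relyingparty.signinInterface.baseURL)s/layout/stfc-circle-sm.gif
openid.relyingparty.signinInterface.helpIcon = %(openid.relyingparty.signinInterface.baseURL)s/layout/icons/help.png

cache_dir = %(here)s/data

# AuthKit Set-up
authkit.setup.method=openid, cookie
# Test fixture values: authkit.cookie.secret protects the AuthKit sign-in
# cookie and authkit.openid.session.secret the OpenID session state.  Both
# need unique, randomly generated values in any deployment and must not be
# shared with the Beaker session secret above.
authkit.cookie.secret=secret encryption string
authkit.cookie.signoutpath = /logout
authkit.openid.path.signedin=/
authkit.openid.store.type=file
authkit.openid.store.config=%(here)s/data/openid
authkit.openid.session.key = authkit_openid
authkit.openid.session.secret = random string

authkit.openid.baseurl = %(baseURI)s

# Template for signin
#authkit.openid.template.obj =

# Handler for parsing OpenID and creating a session from it
#authkit.openid.urltouser =

#______________________________________________________________________________
# OpenID Provider WSGI Settings
[app:OpenIDProviderMiddlewareApp]
paste.app_factory=ndg.security.server.wsgi.openid.provider:OpenIDProviderMiddleware.app_factory
openid.provider.path.openidserver=/openid/endpoint
openid.provider.path.login=/openid/login
openid.provider.path.loginsubmit=/openid/loginsubmit

# As set below - first two settings commented out, third active - URL based
# discovery is disabled and only Yadis based discovery is allowed.  Uncomment
# the first two and comment out the third to re-enable URL based discovery.
#openid.provider.path.id=/openid/id
#openid.provider.path.yadis=/openid/yadis
openid.provider.path.yadis=/id/

openid.provider.path.serveryadis=/openid/serveryadis
openid.provider.path.allow=/openid/allow
openid.provider.path.decide=/openid/decide
openid.provider.path.mainpage=/openid/
openid.provider.session_middleware=beaker.session
openid.provider.base_url=%(baseURI)s
openid.provider.trace=False
openid.provider.renderingClass=ndg.security.server.wsgi.openid.provider.renderinginterface.buffet.BuffetRendering
#openid.provider.renderingClass=ndg.security.server.wsgi.openid.provider.DemoRenderingInterface

openid.provider.rendering.templateType = kid
openid.provider.rendering.templateRoot = ndg.security.server.wsgi.openid.provider.renderinginterface.buffet.templates
openid.provider.rendering.kid.assume_encoding= utf-8
openid.provider.rendering.kid.encoding = utf-8

# Layout
openid.provider.rendering.baseURL = %(openid.provider.base_url)s
openid.provider.rendering.leftLogo = %(openid.provider.rendering.baseURL)s/layout/NERC_Logo.gif
openid.provider.rendering.leftAlt = Natural Environment Research Council
openid.provider.rendering.ndgLink = http://ndg.nerc.ac.uk/
openid.provider.rendering.ndgImage = %(openid.provider.rendering.baseURL)s/layout/ndg_logo_circle.gif
openid.provider.rendering.disclaimer = This site is for test purposes only and is under active development.
openid.provider.rendering.stfcLink = http://www.stfc.ac.uk/
openid.provider.rendering.stfcImage = %(openid.provider.rendering.baseURL)s/layout/stfc-circle-sm.gif
openid.provider.rendering.helpIcon = %(openid.provider.rendering.baseURL)s/layout/icons/help.png


#openid.provider.sregResponseHandler=ndg.security.server.pylons.container.lib.openid_provider_util:esgSRegResponseHandler
#openid.provider.axResponseHandler=ndg.security.server.pylons.container.lib.openid_provider_util:esgAXResponseHandler

# Basic Authentication interface to demonstrate capabilities
#openid.provider.authNInterface=ndg.security.server.wsgi.openid.provider.authninterface.basic.BasicAuthNInterface
#openid.provider.authN.userCreds=pjk:test
#openid.provider.authN.username2UserIdentifiers=pjk:PhilipKershaw,P.J.Kershaw

# Link Authentication to a Session Manager instance running in the same WSGI
# stack or on a remote service
openid.provider.authNInterface=ndg.security.server.wsgi.openid.provider.authninterface.sessionmanager.SessionManagerOpenIDAuthNInterface

# Omit or leave as blank if the Session Manager is accessible locally in the
# same WSGI stack.
openid.provider.authN.sessionManagerURI=

# environ dictionary key to Session Manager WSGI instance held locally.  The
# setting below is the default and can be omitted if it matches the filterID
# set for the Session Manager
#openid.provider.authN.environKey=filter:SessionManagerFilter

# Database connection to enable check between username and OpenID identifier
# Test fixture value: the connection string embeds the database password in
# plain text.  In a deployment supply the credentials outside this file (e.g.
# the database client's own credential file or a secret store) and restrict
# read access to this file.
openid.provider.authN.connectionString: postgres://postgres:testpassword@%(hostname)s/testUserDb
# The $username and $userIdentifier placeholders are filled in by the authN
# interface at logon time.  NOTE(review): confirm that the interface escapes
# or binds the substituted values - plain string substitution into these
# templates would expose the lookup to SQL injection through the supplied
# username or identifier.
openid.provider.authN.logonSQLQuery: select username from openid where username = '$username' and ident = '$userIdentifier'
openid.provider.authN.userIdentifiersSQLQuery: select distinct ident from openid where username = '$username'

# Basic authentication for testing/admin - comma delimited list of
# <username>:<password> pairs
#openid.provider.usercreds=pjk:test

#______________________________________________________________________________
# Attribute Authority WSGI settings
#
[filter:AttributeAuthorityFilter]
# This filter is a container for a binding to a SOAP based interface to the
# Attribute Authority
paste.filter_app_factory = ndg.security.server.wsgi.soap:SOAPBindingMiddleware

# Use this ZSI generated SOAP service interface class to handle i/o for this
# filter
ServiceSOAPBindingClass = ndg.security.server.zsi.attributeauthority.AttributeAuthorityWS

# SOAP Binding Class specific keywords are in this section identified by this
# prefix:
ServiceSOAPBindingPropPrefix = AttributeAuthority

# The AttributeAuthority class has settings in the default section above
# identified by this prefix:
AttributeAuthority.propPrefix = attributeAuthority
AttributeAuthority.propFilePath = %(here)s/securityservices.ini
AttributeAuthority.wsseSignatureVerificationFilterID = filter:wsseSignatureVerificationFilter

# Provide an identifier for this filter so that main WSGI app
# CombinedServicesWSGI Session Manager filter can call this Attribute Authority
# directly
referencedFilters = filter:wsseSignatureVerificationFilter

# Path from URL for Attribute Authority in this Paste deployment
path = /AttributeAuthority

# External endpoint for this Attribute Authority - must agree with setting used
# to invoke this service set in:
# * serverapp.py
# * or port in [server:main] if calling with paster serve securityservices.ini
# * or something else e.g. proxied through Apache?
# This setting is used by Attribute Authority clients in this WSGI stack to see
# if a request is being made to the local service or to another Attribute
# Authority running elsewhere
publishedURI = %(baseURI)s%(path)s

# Enable ?wsdl query argument to list the WSDL content
enableWSDLQuery = True
charset = utf-8
filterID = %(__name__)s

#______________________________________________________________________________
# Session Manager WSGI settings
#
[filter:SessionManagerFilter]
# This filter is a container for a binding to a SOAP based interface to the
# Session Manager
paste.filter_app_factory = ndg.security.server.wsgi.soap:SOAPBindingMiddleware

# Use this ZSI generated SOAP service interface class to handle i/o for this
# filter
ServiceSOAPBindingClass = ndg.security.server.zsi.sessionmanager.SessionManagerWS

# SOAP Binding Class specific keywords are in this section identified by this
# prefix:
ServiceSOAPBindingPropPrefix = SessionManager

# The SessionManager class has settings in the default section above identified
# by this prefix:
SessionManager.propPrefix = sessionManager
SessionManager.propFilePath = %(here)s/securityservices.ini

# This filter references other filters - a local Attribute Authority (optional)
# and a WS-Security signature verification filter (required if using signature
# to authenticate user in requests)
SessionManager.attributeAuthorityFilterID = filter:AttributeAuthorityFilter
SessionManager.wsseSignatureVerificationFilterID = filter:wsseSignatureVerificationFilter

# The SessionManagerWS SOAP interface class needs to know about these other
# filters
referencedFilters = filter:wsseSignatureVerificationFilter
                                        filter:AttributeAuthorityFilter

# Path from URI for Session Manager in this Paste deployment
path = /SessionManager

# External endpoint for this Session Manager - must agree with setting used to
# invoke this service set in:
# * securityservicesapp.py
# * or port in [server:main] if calling with paster serve securityservices.ini
# * or something else e.g. proxied through Apache?
# This setting is used by Session Manager clients in this WSGI stack to see if
# a request is being made to the local service or to another session manager
# running elsewhere
publishedURI = %(baseURI)s%(path)s

# Enable ?wsdl query argument to list the WSDL content
enableWSDLQuery = True
charset = utf-8

# Provide an identifier for this filter so that main WSGI app
# CombinedServicesWSGI can call this Session Manager directly
filterID = %(__name__)s

#______________________________________________________________________________
# WS-Security Signature Verification
[filter:wsseSignatureVerificationFilter]
paste.filter_app_factory = ndg.security.server.wsgi.wssecurity:SignatureVerificationFilter
filterID = %(__name__)s

# Settings for WS-Security SignatureHandler class used by this filter
wsseCfgFilePrefix = wssecurity

# Verify against known CAs - Provide a space separated list of file paths
wssecurity.caCertFilePathList=%(testConfigDir)s/ca/ndg-test-ca.crt

#______________________________________________________________________________
# Apply WS-Security Signature
[filter:wsseSignatureFilter]
paste.filter_app_factory = ndg.security.server.wsgi.wssecurity:ApplySignatureFilter

# Reference the verification filter in order to be able to apply signature
# confirmation
referencedFilters = filter:wsseSignatureVerificationFilter
wsseSignatureVerificationFilterID = filter:wsseSignatureVerificationFilter

# Last filter in chain of SOAP handlers writes the response
writeResponse = True

# Settings for WS-Security SignatureHandler class used by this filter
wsseCfgFilePrefix = wssecurity

# Certificate associated with private key used to sign a message.  The sign
# method will add this to the BinarySecurityToken element of the WSSE header.
wssecurity.signingCertFilePath=%(testConfigDir)s/pki/wsse-server.crt

# PEM encoded private key file
wssecurity.signingPriKeyFilePath=%(testConfigDir)s/pki/wsse-server.key

# Set the ValueType for the BinarySecurityToken added to the WSSE header for a
# signed message.  See __setReqBinSecTokValType method and binSecTokValType
# class variable for options - it may be one of X509, X509v3, X509PKIPathv1 or
# give full namespace to alternative - see
# ZSI.wstools.Namespaces.OASIS.X509TOKEN
#
# binSecTokValType determines whether signingCert or signingCertChain
# attributes will be used.
wssecurity.reqBinSecTokValType=X509v3

# Add a timestamp element to an outbound message
wssecurity.addTimestamp=True

# For WSSE 1.1 - service returns signature confirmation containing signature
# value sent by client
wssecurity.applySignatureConfirmation=True

# Logging configuration
[loggers]
keys = root, ndg

[handlers]
keys = console

[formatters]
keys = generic

[logger_root]
level = INFO
handlers = console

[logger_ndg]
level = DEBUG
handlers =
qualname = ndg

[handler_console]
class = StreamHandler
args = (sys.stderr,)
level = NOTSET
formatter = generic

[formatter_generic]
format = %(asctime)s,%(msecs)03d %(levelname)-5.5s [%(name)s] %(message)s
datefmt = %H:%M:%S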
475