1 | # |
---|
2 | # NERC DataGrid Security |
---|
3 | # |
---|
4 | # Paste configuration for combined Attribute Authority, OpenID Relying Party |
---|
5 | # and Provider services |
---|
6 | # |
---|
7 | # The %(here)s variable will be replaced with the parent directory of this file |
---|
8 | # |
---|
9 | # Author: P J Kershaw |
---|
10 | # date: 01/07/09 |
---|
11 | # Copyright: (C) 2009 Science and Technology Facilities Council |
---|
12 | # license: BSD - see LICENSE file in top-level directory |
---|
13 | # Contact: Philip.Kershaw@stfc.ac.uk |
---|
14 | # Revision: $Id:$ |
---|
15 | |
---|
16 | [DEFAULT] |
---|
17 | portNum = 7443 |
---|
18 | hostname = localhost |
---|
19 | scheme = http |
---|
20 | baseURI = %(scheme)s://%(hostname)s:%(portNum)s |
---|
21 | openIDProviderIDBase = /openid |
---|
22 | openIDProviderIDSelectURI = %(baseURI)s%(openIDProviderIDBase)s |
---|
23 | testConfigDir = %(here)s/../../config |
---|
24 | |
---|
25 | #______________________________________________________________________________ |
---|
26 | # Attribute Authority settings |
---|
27 | # 'name' setting MUST agree with map config file 'thisHost' name attribute |
---|
28 | attributeAuthority.name: Site A |
---|
29 | |
---|
30 | # Lifetime is measured in seconds |
---|
31 | attributeAuthority.attCertLifetime: 28800 |
---|
32 | |
---|
33 | # Allow an offset for clock skew between servers running |
---|
34 | # security services. NB, measured in seconds - use a minus sign for time in the |
---|
35 | # past |
---|
36 | attributeAuthority.attCertNotBeforeOff: 0 |
---|
37 | |
---|
38 | # All Attribute Certificates issued are recorded in this dir |
---|
39 | attributeAuthority.attCertDir: %(testConfigDir)s/attributeauthority/sitea/attributeCertificateLog |
---|
40 | |
---|
41 | # Files in attCertDir are stored using a rotating file handler |
---|
42 | # attCertFileLogCnt sets the max number of files created before the first is |
---|
43 | # overwritten |
---|
44 | attributeAuthority.attCertFileName: ac.xml |
---|
45 | attributeAuthority.attCertFileLogCnt: 16 |
---|
46 | attributeAuthority.dnSeparator:/ |
---|
47 | |
---|
48 | # Location of role mapping file |
---|
49 | attributeAuthority.mapConfigFile: %(testConfigDir)s/attributeauthority/sitea/siteAMapConfig.xml |
---|
50 | |
---|
51 | # Settings for custom AttributeInterface derived class to get user roles for given |
---|
52 | # user ID |
---|
53 | #attributeAuthority.attributeInterface.modFilePath: %(testConfigDir)s/attributeauthority/sitea |
---|
54 | attributeAuthority.attributeInterface.modName: ndg.security.test.integration.authz.attributeinterface |
---|
55 | attributeAuthority.attributeInterface.className: TestUserRoles |
---|
56 | |
---|
57 | # Config for XML signature of Attribute Certificate |
---|
58 | attributeAuthority.signingPriKeyFilePath: %(testConfigDir)s/attributeauthority/sitea/siteA-aa.key |
---|
59 | attributeAuthority.signingCertFilePath: %(testConfigDir)s/attributeauthority/sitea/siteA-aa.crt |
---|
60 | attributeAuthority.caCertFilePathList: %(testConfigDir)s/ca/ndg-test-ca.crt |
---|
61 | |
---|
62 | [server:main] |
---|
63 | use = egg:Paste#http |
---|
64 | host = 0.0.0.0 |
---|
65 | port = %(portNum)s |
---|
66 | |
---|
67 | [filter-app:OpenIDProviderApp] |
---|
68 | use = egg:Paste#httpexceptions |
---|
69 | next = cascade |
---|
70 | |
---|
71 | # Composite for OpenID Provider to enable settings for picking up static |
---|
72 | # content |
---|
73 | [composit:cascade] |
---|
74 | use = egg:Paste#cascade |
---|
75 | app1 = OpenIDProviderStaticContent |
---|
76 | app2 = OpenIDProviderMiddlewareApp |
---|
77 | catch = 404 |
---|
78 | |
---|
79 | [app:OpenIDProviderStaticContent] |
---|
80 | use = egg:Paste#static |
---|
81 | document_root = %(here)s/openidprovider |
---|
82 | |
---|
83 | [pipeline:main] |
---|
84 | pipeline = wsseSignatureVerificationFilter |
---|
85 | AttributeAuthorityFilter |
---|
86 | wsseSignatureFilter |
---|
87 | SessionMiddlewareFilter |
---|
88 | OpenIDRelyingPartyFilter |
---|
89 | OpenIDProviderApp |
---|
90 | |
---|
91 | #______________________________________________________________________________ |
---|
92 | # Beaker Session Middleware (used by OpenID Provider Filter) |
---|
93 | [filter:SessionMiddlewareFilter] |
---|
94 | paste.filter_app_factory=beaker.middleware:SessionMiddleware |
---|
95 | beaker.session.key = openid |
---|
96 | beaker.session.secret = qKEdQdCr33NE087dRUWX3qUv5r7AsuQU |
---|
97 | # These options enable cookie only type sessions with the cookie content |
---|
98 | # encrypted |
---|
99 | #beaker.session.type = cookie |
---|
100 | #beaker.session.validate_key = 0123456789abcdef |
---|
101 | #beaker.session.encrypt_key = fedcba9876543210 |
---|
102 | |
---|
103 | # If you'd like to fine-tune the individual locations of the cache data dirs |
---|
104 | # for the Cache data, or the Session saves, un-comment the desired settings |
---|
105 | # here: |
---|
106 | beaker.cache.data_dir = %(here)s/openidprovider/beaker/cache |
---|
107 | beaker.session.data_dir = %(here)s/openidprovider/beaker/sessions |
---|
108 | beaker.session.cookie_expires = True |
---|
109 | |
---|
110 | [filter:OpenIDRelyingPartyFilter] |
---|
111 | paste.filter_app_factory = |
---|
112 | ndg.security.server.wsgi.openid.relyingparty:OpenIDRelyingPartyMiddleware.filter_app_factory |
---|
113 | |
---|
114 | openid.relyingparty.sessionKey = beaker.session |
---|
115 | openid.relyingparty.baseURL = %(authkit.openid.baseurl)s |
---|
116 | openid.relyingparty.certFilePath = %(testConfigDir)s/pki/localhost.crt |
---|
117 | openid.relyingparty.priKeyFilePath = %(testConfigDir)s/pki/localhost.key |
---|
118 | openid.relyingparty.priKeyPwd = |
---|
119 | openid.relyingparty.caCertDirPath = %(testConfigDir)s/ca |
---|
120 | openid.relyingparty.providerWhitelistFilePath = |
---|
121 | #openid.relyingparty.signinInterfaceMiddlewareClass = ndg.security.test.integration.openid.openidrelyingparty.signin_interface.CombinedSigninAndLoginInterface |
---|
122 | #openid.relyingparty.signinInterface.templatePackage = ndg.security.test.integration.openid.openidrelyingparty.templates |
---|
123 | openid.relyingparty.signinInterfaceMiddlewareClass = ndg.security.server.wsgi.openid.relyingparty.signin_interface.buffet.BuffetSigninTemplate |
---|
124 | openid.relyingparty.signinInterface.templatePackage = ndg.security.server.wsgi.openid.relyingparty.signin_interface.buffet.templates |
---|
125 | openid.relyingparty.signinInterface.staticContentRootDir = %(here)s/openidrelyingparty/public |
---|
126 | openid.relyingparty.signinInterface.baseURL = %(openid.relyingparty.baseURL)s |
---|
127 | openid.relyingparty.signinInterface.initialOpenID = %(openIDProviderIDSelectURI)s |
---|
128 | openid.relyingparty.signinInterface.leftLogo = %(openid.relyingparty.signinInterface.baseURL)s/layout/NERC_Logo.gif |
---|
129 | openid.relyingparty.signinInterface.leftAlt = Natural Environment Research Council |
---|
130 | openid.relyingparty.signinInterface.ndgLink = http://ndg.nerc.ac.uk/ |
---|
131 | openid.relyingparty.signinInterface.ndgImage = %(openid.relyingparty.signinInterface.baseURL)s/layout/ndg_logo_circle.gif |
---|
132 | openid.relyingparty.signinInterface.disclaimer = This site is for test purposes only and is under active development. |
---|
133 | openid.relyingparty.signinInterface.stfcLink = http://www.stfc.ac.uk/ |
---|
134 | openid.relyingparty.signinInterface.stfcImage = %(openid.relyingparty.signinInterface.baseURL)s/layout/stfc-circle-sm.gif |
---|
135 | openid.relyingparty.signinInterface.helpIcon = %(openid.relyingparty.signinInterface.baseURL)s/layout/icons/help.png |
---|
136 | |
---|
137 | cache_dir = %(here)s/data |
---|
138 | |
---|
139 | # AuthKit Set-up |
---|
140 | authkit.setup.method=openid, cookie |
---|
141 | |
---|
142 | # This cookie name and secret MUST agree with the name used by the |
---|
143 | # Authentication Filter used to secure a given app |
---|
144 | authkit.cookie.name=ndg.security.auth |
---|
145 | authkit.cookie.secret=9wvZObs9anUEhSIAnJNoY2iJq59FfYZr |
---|
146 | authkit.cookie.signoutpath = /logout |
---|
147 | |
---|
148 | # Disable inclusion of client IP address from cookie signature due to |
---|
149 | # suspected problem with AuthKit setting it when a HTTP Proxy is in place |
---|
150 | authkit.cookie.includeip = False |
---|
151 | |
---|
152 | authkit.openid.path.signedin=/ |
---|
153 | authkit.openid.store.type=file |
---|
154 | authkit.openid.store.config=%(here)s/openidrelyingparty/store |
---|
155 | authkit.openid.session.key = authkit_openid |
---|
156 | authkit.openid.session.secret = random string |
---|
157 | |
---|
158 | authkit.openid.baseurl = %(baseURI)s |
---|
159 | |
---|
160 | # Template for signin |
---|
161 | #authkit.openid.template.obj = |
---|
162 | |
---|
163 | # Handler for parsing OpenID and creating a session from it |
---|
164 | #authkit.openid.urltouser = |
---|
165 | |
---|
166 | #______________________________________________________________________________ |
---|
167 | # OpenID Provider WSGI Settings |
---|
168 | [app:OpenIDProviderMiddlewareApp] |
---|
169 | paste.app_factory=ndg.security.server.wsgi.openid.provider:OpenIDProviderMiddleware.app_factory |
---|
170 | openid.provider.path.openidserver=/OpenID/Provider/server |
---|
171 | openid.provider.path.login=/OpenID/Provider/login |
---|
172 | openid.provider.path.loginsubmit=/OpenID/Provider/loginsubmit |
---|
173 | |
---|
174 | # Yadis based discovery only - the 'id' path is configured to return 404 not |
---|
175 | # found - see ndg.security.server.wsgi.openid.provider.renderinginterface. |
---|
176 | # buffet.BuffetRendering class |
---|
177 | openid.provider.path.id=/OpenID/Provider/id/${userIdentifier} |
---|
178 | openid.provider.path.yadis=%(openIDProviderIDBase)s/${userIdentifier} |
---|
179 | |
---|
180 | # Yadis based discovery for idselect mode - this is where the user has entered |
---|
181 | # a URI at the Relying Party which identifies their Provider only and not their |
---|
182 | # full ID URI. e.g. https://badc.nerc.ac.uk instead of |
---|
183 | # https://badc.nerc.ac.uk/John |
---|
184 | openid.provider.path.serveryadis=%(openIDProviderIDBase)s |
---|
185 | openid.provider.path.allow=/OpenID/Provider/allow |
---|
186 | openid.provider.path.decide=/OpenID/Provider/decide |
---|
187 | openid.provider.path.mainpage=/OpenID/Provider/home |
---|
188 | |
---|
189 | openid.provider.session_middleware=beaker.session |
---|
190 | openid.provider.base_url=%(baseURI)s |
---|
191 | openid.provider.trace=False |
---|
192 | openid.provider.consumer_store_dirpath=%(here)s/openidprovider |
---|
193 | openid.provider.renderingClass=ndg.security.server.wsgi.openid.provider.renderinginterface.buffet.BuffetRendering |
---|
194 | #openid.provider.renderingClass=ndg.security.server.wsgi.openid.provider.DemoRenderingInterface |
---|
195 | |
---|
196 | openid.provider.rendering.templateType = kid |
---|
197 | openid.provider.rendering.templateRoot = ndg.security.server.wsgi.openid.provider.renderinginterface.buffet.templates |
---|
198 | openid.provider.rendering.kid.assume_encoding= utf-8 |
---|
199 | openid.provider.rendering.kid.encoding = utf-8 |
---|
200 | |
---|
201 | # Layout |
---|
202 | openid.provider.rendering.baseURL = %(openid.provider.base_url)s |
---|
203 | openid.provider.rendering.leftLogo = %(openid.provider.rendering.baseURL)s/layout/NERC_Logo.gif |
---|
204 | openid.provider.rendering.leftAlt = Natural Environment Research Council |
---|
205 | openid.provider.rendering.ndgLink = http://ndg.nerc.ac.uk/ |
---|
206 | openid.provider.rendering.ndgImage = %(openid.provider.rendering.baseURL)s/layout/ndg_logo_circle.gif |
---|
207 | openid.provider.rendering.disclaimer = This site is for test purposes only and is under active development. |
---|
208 | openid.provider.rendering.stfcLink = http://www.stfc.ac.uk/ |
---|
209 | openid.provider.rendering.stfcImage = %(openid.provider.rendering.baseURL)s/layout/stfc-circle-sm.gif |
---|
210 | openid.provider.rendering.helpIcon = %(openid.provider.rendering.baseURL)s/layout/icons/help.png |
---|
211 | |
---|
212 | # Basic Authentication interface to demonstrate capabilities |
---|
213 | openid.provider.authNInterface=ndg.security.server.wsgi.openid.provider.authninterface.basic.BasicAuthNInterface |
---|
214 | |
---|
215 | # user login details format is: |
---|
216 | # <username>:<password>:<OpenID name>, ... <OpenID name N> <username>:... etc |
---|
217 | # Each user entry is delimited by a space. username, password and OpenID name |
---|
218 | # list are delimited by a colon. The list of OpenID names are delimited by |
---|
219 | # commas. The OpenID name represents the unique part of the OpenID URL for the |
---|
220 | # individual user. Each username may have more than one OpenID alias but only |
---|
221 | # alias at a time may be registered with a given Attribute Authority |
---|
222 | openid.provider.authN.userCreds=pjk:testpassword:PhilipKershaw,P.J.Kershaw another:testpassword:A.N.Other |
---|
223 | |
---|
224 | # Basic authentication for testing/admin - comma delimited list of |
---|
225 | # <username>:<password> pairs |
---|
226 | #openid.provider.usercreds=pjk:test |
---|
227 | |
---|
228 | #______________________________________________________________________________ |
---|
229 | # Attribute Authority WSGI settings |
---|
230 | # |
---|
231 | [filter:AttributeAuthorityFilter] |
---|
232 | # This filter is a container for a binding to a SOAP based interface to the |
---|
233 | # Attribute Authority |
---|
234 | paste.filter_app_factory = ndg.security.server.wsgi.soap:SOAPBindingMiddleware |
---|
235 | |
---|
236 | # Use this ZSI generated SOAP service interface class to handle i/o for this |
---|
237 | # filter |
---|
238 | ServiceSOAPBindingClass = ndg.security.server.zsi.attributeauthority.AttributeAuthorityWS |
---|
239 | |
---|
240 | # SOAP Binding Class specific keywords are in this section identified by this |
---|
241 | # prefix: |
---|
242 | ServiceSOAPBindingPropPrefix = AttributeAuthority |
---|
243 | |
---|
244 | # The AttributeAuthority class has settings in the default section above |
---|
245 | # identified by this prefix: |
---|
246 | AttributeAuthority.propPrefix = attributeAuthority |
---|
247 | AttributeAuthority.propFilePath = %(here)s/securityservices.ini |
---|
248 | AttributeAuthority.wsseSignatureVerificationFilterID = filter:wsseSignatureVerificationFilter |
---|
249 | |
---|
250 | # Provide an identifier for this filter so that main WSGI app |
---|
251 | # CombinedServicesWSGI Session Manager filter can call this Attribute Authority |
---|
252 | # directly |
---|
253 | referencedFilters = filter:wsseSignatureVerificationFilter |
---|
254 | |
---|
255 | # Path from URL for Attribute Authority in this Paste deployment |
---|
256 | path = /AttributeAuthority |
---|
257 | |
---|
258 | # External endpoint for this Attribute Authority - must agree with setting used |
---|
259 | # to invoke this service set in: |
---|
260 | # * serverapp.py |
---|
261 | # * or port in [server:main] if calling with paster serve securityservices.ini |
---|
262 | # * or something else e.g. proxied through Apache? |
---|
263 | # This setting is used by Attribute Authority clients in this WSGI stack to see |
---|
264 | # if a request is being made to the local service or to another Attribute |
---|
265 | # Authority running elsewhere |
---|
266 | publishedURI = %(baseURI)s%(path)s |
---|
267 | |
---|
268 | # Enable ?wsdl query argument to list the WSDL content |
---|
269 | enableWSDLQuery = True |
---|
270 | charset = utf-8 |
---|
271 | filterID = %(__name__)s |
---|
272 | |
---|
273 | #______________________________________________________________________________ |
---|
274 | # WS-Security Signature Verification |
---|
275 | [filter:wsseSignatureVerificationFilter] |
---|
276 | paste.filter_app_factory = ndg.security.server.wsgi.wssecurity:SignatureVerificationFilter |
---|
277 | filterID = %(__name__)s |
---|
278 | |
---|
279 | # Settings for WS-Security SignatureHandler class used by this filter |
---|
280 | wsseCfgFilePrefix = wssecurity |
---|
281 | |
---|
282 | # Verify against known CAs - Provide a space separated list of file paths |
---|
283 | wssecurity.caCertFilePathList=%(testConfigDir)s/ca/ndg-test-ca.crt |
---|
284 | |
---|
285 | #______________________________________________________________________________ |
---|
286 | # Apply WS-Security Signature |
---|
287 | [filter:wsseSignatureFilter] |
---|
288 | paste.filter_app_factory = ndg.security.server.wsgi.wssecurity:ApplySignatureFilter |
---|
289 | |
---|
290 | # Reference the verification filter in order to be able to apply signature |
---|
291 | # confirmation |
---|
292 | referencedFilters = filter:wsseSignatureVerificationFilter |
---|
293 | wsseSignatureVerificationFilterID = filter:wsseSignatureVerificationFilter |
---|
294 | |
---|
295 | # Last filter in chain of SOAP handlers writes the response |
---|
296 | writeResponse = True |
---|
297 | |
---|
298 | # Settings for WS-Security SignatureHandler class used by this filter |
---|
299 | wsseCfgFilePrefix = wssecurity |
---|
300 | |
---|
301 | # Certificate associated with private key used to sign a message. The sign |
---|
302 | # method will add this to the BinarySecurityToken element of the WSSE header. |
---|
303 | wssecurity.signingCertFilePath=%(testConfigDir)s/pki/wsse-server.crt |
---|
304 | |
---|
305 | # PEM encoded private key file |
---|
306 | wssecurity.signingPriKeyFilePath=%(testConfigDir)s/pki/wsse-server.key |
---|
307 | |
---|
308 | # Set the ValueType for the BinarySecurityToken added to the WSSE header for a |
---|
309 | # signed message. See __setReqBinSecTokValType method and binSecTokValType |
---|
310 | # class variable for options - it may be one of X509, X509v3, X509PKIPathv1 or |
---|
311 | # give full namespace to alternative - see |
---|
312 | # ZSI.wstools.Namespaces.OASIS.X509TOKEN |
---|
313 | # |
---|
314 | # binSecTokValType determines whether signingCert or signingCertChain |
---|
315 | # attributes will be used. |
---|
316 | wssecurity.reqBinSecTokValType=X509v3 |
---|
317 | |
---|
318 | # Add a timestamp element to an outbound message |
---|
319 | wssecurity.addTimestamp=True |
---|
320 | |
---|
321 | # For WSSE 1.1 - service returns signature confirmation containing signature |
---|
322 | # value sent by client |
---|
323 | wssecurity.applySignatureConfirmation=True |
---|
324 | |
---|
325 | # Logging configuration |
---|
326 | [loggers] |
---|
327 | keys = root, ndg |
---|
328 | |
---|
329 | [handlers] |
---|
330 | keys = console |
---|
331 | |
---|
332 | [formatters] |
---|
333 | keys = generic |
---|
334 | |
---|
335 | [logger_root] |
---|
336 | level = INFO |
---|
337 | handlers = console |
---|
338 | |
---|
339 | [logger_ndg] |
---|
340 | level = DEBUG |
---|
341 | handlers = |
---|
342 | qualname = ndg |
---|
343 | |
---|
344 | [handler_console] |
---|
345 | class = StreamHandler |
---|
346 | args = (sys.stderr,) |
---|
347 | level = NOTSET |
---|
348 | formatter = generic |
---|
349 | |
---|
350 | [formatter_generic] |
---|
351 | format = %(asctime)s,%(msecs)03d %(levelname)-5.5s [%(name)s] %(message)s |
---|
352 | datefmt = %H:%M:%S |
---|
353 | |
---|