source: TI12-security/trunk/python/ndg.security.test/ndg/security/test/integration/openidrelyingparty_withapp/securityservices.ini @ 5541

Subversion URL: http://proj.badc.rl.ac.uk/svn/ndg/TI12-security/trunk/python/ndg.security.test/ndg/security/test/integration/openidrelyingparty_withapp/securityservices.ini@5541
Revision 5541, 14.6 KB checked in by pjkersha, 11 years ago (diff)

New integration test for trying out OpenID Relying Party running in the application code stack instead of the separate services stack.

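#
# NERC DataGrid Security
#
# Paste configuration for combined Attribute Authority, OpenID Relying Party
# and Provider services
#
# The %(here)s variable will be replaced with the parent directory of this file
#
# Author: P J Kershaw
# date: 01/07/09
# Copyright: (C) 2009 Science and Technology Facilities Council
# license: BSD - see LICENSE file in top-level directory
# Contact: Philip.Kershaw@stfc.ac.uk
# Revision: $Id:$
#
# Parsing notes (Paste Deploy / ConfigParser):
# * %(key)s references are expanded at read time and every key placed in
#   [DEFAULT] is visible from every other section.
# * ${...} placeholders are NOT expanded by ConfigParser - see the
#   openid.provider.path.* settings.
# * Only full-line comments are used; text after a value is part of the value.
#
# This is an INTEGRATION TEST configuration: the scheme is plain http, the
# server binds to all interfaces and all session/cookie secrets and user
# credentials below are fixed, checked-in test values.  Each of them has to be
# replaced if this file is used as a template for a real deployment.

[DEFAULT]
portNum = 7443
hostname = localhost
# Plain HTTP: session cookies and OpenID assertions travel unencrypted.
# Test use only - a deployed stack needs https here.
scheme = http
baseURI = %(scheme)s://%(hostname)s:%(portNum)s
openIDProviderIDBase = /openid
openIDProviderIDSelectURI = %(baseURI)s%(openIDProviderIDBase)s
testConfigDir = %(here)s/../../config

#______________________________________________________________________________
# Attribute Authority settings
# 'name' setting MUST agree with map config file 'thisHost' name attribute
attributeAuthority.name = Site A

# Lifetime is measured in seconds
attributeAuthority.attCertLifetime = 28800

# Allow an offset for clock skew between servers running
# security services. NB, measured in seconds - use a minus sign for time in the
# past
attributeAuthority.attCertNotBeforeOff = 0

# All Attribute Certificates issued are recorded in this dir
attributeAuthority.attCertDir = %(testConfigDir)s/attributeauthority/sitea/attributeCertificateLog

# Files in attCertDir are stored using a rotating file handler
# attCertFileLogCnt sets the max number of files created before the first is
# overwritten
attributeAuthority.attCertFileName = ac.xml
attributeAuthority.attCertFileLogCnt = 16
attributeAuthority.dnSeparator = /

# Location of role mapping file
attributeAuthority.mapConfigFile = %(testConfigDir)s/attributeauthority/sitea/siteAMapConfig.xml

# Settings for custom AttributeInterface derived class to get user roles for given
# user ID
#attributeAuthority.attributeInterface.modFilePath = %(testConfigDir)s/attributeauthority/sitea
attributeAuthority.attributeInterface.modName = ndg.security.test.integration.authz.attributeinterface
attributeAuthority.attributeInterface.className = TestUserRoles

# Config for XML signature of Attribute Certificate.  Test PKI material taken
# from the shared test config directory.
attributeAuthority.signingPriKeyFilePath = %(testConfigDir)s/attributeauthority/sitea/siteA-aa.key
attributeAuthority.signingCertFilePath = %(testConfigDir)s/attributeauthority/sitea/siteA-aa.crt
attributeAuthority.caCertFilePathList = %(testConfigDir)s/ca/ndg-test-ca.crt

[server:main]
use = egg:Paste#http
# Binds on every interface, not only loopback: the test services are reachable
# from other hosts on the network.
host = 0.0.0.0
port = %(portNum)s

[filter-app:OpenIDProviderApp]
use = egg:Paste#httpexceptions
next = cascade

# Composite for OpenID Provider to enable settings for picking up static
# content
[composit:cascade]
use = egg:Paste#cascade
app1 = OpenIDProviderStaticContent
app2 = OpenIDProviderMiddlewareApp
catch = 404

[app:OpenIDProviderStaticContent]
use = egg:Paste#static
document_root = %(here)s/openidprovider

# Filter order matters: signature verification runs before the Attribute
# Authority, the signing filter after it.  Continuation lines must stay
# indented for ConfigParser to join them into one value.
[pipeline:main]
pipeline = wsseSignatureVerificationFilter
           AttributeAuthorityFilter
           wsseSignatureFilter
           SessionMiddlewareFilter
           OpenIDRelyingPartyFilter
           OpenIDProviderApp

#______________________________________________________________________________
# Beaker Session Middleware (used by OpenID Provider Filter)
[filter:SessionMiddlewareFilter]
paste.filter_app_factory = beaker.middleware:SessionMiddleware
beaker.session.key = openid
# Fixed, checked-in test value protecting the session cookie - generate a
# fresh one for any other deployment.
beaker.session.secret = qKEdQdCr33NE087dRUWX3qUv5r7AsuQU
# These options enable cookie only type sessions with the cookie content
# encrypted
#beaker.session.type = cookie
#beaker.session.validate_key = 0123456789abcdef
#beaker.session.encrypt_key = fedcba9876543210

# If you'd like to fine-tune the individual locations of the cache data dirs
# for the Cache data, or the Session saves, un-comment the desired settings
# here:
beaker.cache.data_dir = %(here)s/openidprovider/beaker/cache
beaker.session.data_dir = %(here)s/openidprovider/beaker/sessions
beaker.session.cookie_expires = True

[filter:OpenIDRelyingPartyFilter]
# Kept on a single line so ConfigParser stores the dotted path without a
# leading line break.
paste.filter_app_factory = ndg.security.server.wsgi.openid.relyingparty:OpenIDRelyingPartyMiddleware.filter_app_factory

openid.relyingparty.sessionKey = beaker.session
openid.relyingparty.baseURL = %(authkit.openid.baseurl)s
openid.relyingparty.certFilePath = %(testConfigDir)s/pki/localhost.crt
openid.relyingparty.priKeyFilePath = %(testConfigDir)s/pki/localhost.key
# Empty: no passphrase - presumably the private key file is stored
# unencrypted.
openid.relyingparty.priKeyPwd =
openid.relyingparty.caCertDirPath = %(testConfigDir)s/ca
# NOTE(review): empty - presumably no restriction on which OpenID Providers
# the Relying Party accepts.  Confirm how the middleware treats an empty path
# before using this setting outside the test stack.
openid.relyingparty.providerWhitelistFilePath =
#openid.relyingparty.signinInterfaceMiddlewareClass = ndg.security.test.integration.openid.openidrelyingparty.signin_interface.CombinedSigninAndLoginInterface
#openid.relyingparty.signinInterface.templatePackage = ndg.security.test.integration.openid.openidrelyingparty.templates
openid.relyingparty.signinInterfaceMiddlewareClass = ndg.security.server.wsgi.openid.relyingparty.signin_interface.buffet.BuffetSigninTemplate
openid.relyingparty.signinInterface.templatePackage = ndg.security.server.wsgi.openid.relyingparty.signin_interface.buffet.templates
openid.relyingparty.signinInterface.staticContentRootDir = %(here)s/openidrelyingparty/public
openid.relyingparty.signinInterface.baseURL = %(openid.relyingparty.baseURL)s
openid.relyingparty.signinInterface.initialOpenID = %(openIDProviderIDSelectURI)s
openid.relyingparty.signinInterface.leftLogo = %(openid.relyingparty.signinInterface.baseURL)s/layout/NERC_Logo.gif
openid.relyingparty.signinInterface.leftAlt = Natural Environment Research Council
openid.relyingparty.signinInterface.ndgLink = http://ndg.nerc.ac.uk/
openid.relyingparty.signinInterface.ndgImage = %(openid.relyingparty.signinInterface.baseURL)s/layout/ndg_logo_circle.gif
openid.relyingparty.signinInterface.disclaimer = This site is for test purposes only and is under active development.
openid.relyingparty.signinInterface.stfcLink = http://www.stfc.ac.uk/
openid.relyingparty.signinInterface.stfcImage = %(openid.relyingparty.signinInterface.baseURL)s/layout/stfc-circle-sm.gif
openid.relyingparty.signinInterface.helpIcon = %(openid.relyingparty.signinInterface.baseURL)s/layout/icons/help.png

cache_dir = %(here)s/data

# AuthKit Set-up
authkit.setup.method = openid, cookie

# This cookie name and secret MUST agree with the name used by the
# Authentication Filter used to secure a given app
authkit.cookie.name = ndg.security.auth
# Fixed, checked-in test value - generate a fresh one for any deployment.
authkit.cookie.secret = 9wvZObs9anUEhSIAnJNoY2iJq59FfYZr
authkit.cookie.signoutpath = /logout

# Disable inclusion of client IP address from cookie signature due to
# suspected problem with AuthKit setting it when a HTTP Proxy is in place.
# Consequence: the auth cookie is not tied to the client address it was
# issued to.
authkit.cookie.includeip = False

authkit.openid.path.signedin = /
authkit.openid.store.type = file
authkit.openid.store.config = %(here)s/openidrelyingparty/store
authkit.openid.session.key = authkit_openid
# Placeholder text, not a random value - replace like the other secrets above.
authkit.openid.session.secret = random string

authkit.openid.baseurl = %(baseURI)s

# Template for signin
#authkit.openid.template.obj =

# Handler for parsing OpenID and creating a session from it
#authkit.openid.urltouser =

#______________________________________________________________________________
# OpenID Provider WSGI Settings
[app:OpenIDProviderMiddlewareApp]
paste.app_factory = ndg.security.server.wsgi.openid.provider:OpenIDProviderMiddleware.app_factory
openid.provider.path.openidserver = /OpenID/Provider/server
openid.provider.path.login = /OpenID/Provider/login
openid.provider.path.loginsubmit = /OpenID/Provider/loginsubmit

# Yadis based discovery only - the 'id' path is configured to return 404 not
# found - see ndg.security.server.wsgi.openid.provider.renderinginterface.
# buffet.BuffetRendering class
# ${userIdentifier} is left untouched by ConfigParser (which only expands
# %(...)s) and is presumably substituted per user by the Provider middleware.
openid.provider.path.id = /OpenID/Provider/id/${userIdentifier}
openid.provider.path.yadis = %(openIDProviderIDBase)s/${userIdentifier}

# Yadis based discovery for idselect mode - this is where the user has entered
# a URI at the Relying Party which identifies their Provider only and not their
# full ID URI.  e.g. https://badc.nerc.ac.uk instead of
# https://badc.nerc.ac.uk/John
openid.provider.path.serveryadis = %(openIDProviderIDBase)s
openid.provider.path.allow = /OpenID/Provider/allow
openid.provider.path.decide = /OpenID/Provider/decide
openid.provider.path.mainpage = /OpenID/Provider/home

openid.provider.session_middleware = beaker.session
openid.provider.base_url = %(baseURI)s
openid.provider.trace = False
openid.provider.consumer_store_dirpath = %(here)s/openidprovider
openid.provider.renderingClass = ndg.security.server.wsgi.openid.provider.renderinginterface.buffet.BuffetRendering
#openid.provider.renderingClass = ndg.security.server.wsgi.openid.provider.DemoRenderingInterface

openid.provider.rendering.templateType = kid
openid.provider.rendering.templateRoot = ndg.security.server.wsgi.openid.provider.renderinginterface.buffet.templates
openid.provider.rendering.kid.assume_encoding = utf-8
openid.provider.rendering.kid.encoding = utf-8

# Layout
openid.provider.rendering.baseURL = %(openid.provider.base_url)s
openid.provider.rendering.leftLogo = %(openid.provider.rendering.baseURL)s/layout/NERC_Logo.gif
openid.provider.rendering.leftAlt = Natural Environment Research Council
openid.provider.rendering.ndgLink = http://ndg.nerc.ac.uk/
openid.provider.rendering.ndgImage = %(openid.provider.rendering.baseURL)s/layout/ndg_logo_circle.gif
openid.provider.rendering.disclaimer = This site is for test purposes only and is under active development.
openid.provider.rendering.stfcLink = http://www.stfc.ac.uk/
openid.provider.rendering.stfcImage = %(openid.provider.rendering.baseURL)s/layout/stfc-circle-sm.gif
openid.provider.rendering.helpIcon = %(openid.provider.rendering.baseURL)s/layout/icons/help.png

# Basic Authentication interface to demonstrate capabilities
openid.provider.authNInterface = ndg.security.server.wsgi.openid.provider.authninterface.basic.BasicAuthNInterface

# user login details format is:
# <username>:<password>:<OpenID name>, ... <OpenID name N> <username>:... etc
# Each user entry is delimited by a space. username, password and OpenID name
# list are delimited by a colon.  The list of OpenID names are delimited by
# commas.  The OpenID name represents the unique part of the OpenID URL for the
# individual user.  Each username may have more than one OpenID alias but only
# alias at a time may be registered with a given Attribute Authority
#
# Plaintext test credentials for the demo BasicAuthNInterface only.
openid.provider.authN.userCreds = pjk:testpassword:PhilipKershaw,P.J.Kershaw another:testpassword:A.N.Other

# Basic authentication for testing/admin - comma delimited list of
# <username>:<password> pairs
#openid.provider.usercreds = pjk:test

#______________________________________________________________________________
# Attribute Authority WSGI settings
#
[filter:AttributeAuthorityFilter]
# This filter is a container for a binding to a SOAP based interface to the
# Attribute Authority
paste.filter_app_factory = ndg.security.server.wsgi.soap:SOAPBindingMiddleware

# Use this ZSI generated SOAP service interface class to handle i/o for this
# filter
ServiceSOAPBindingClass = ndg.security.server.zsi.attributeauthority.AttributeAuthorityWS

# SOAP Binding Class specific keywords are in this section identified by this
# prefix:
ServiceSOAPBindingPropPrefix = AttributeAuthority

# The AttributeAuthority class has settings in the default section above
# identified by this prefix:
AttributeAuthority.propPrefix = attributeAuthority
AttributeAuthority.propFilePath = %(here)s/securityservices.ini
AttributeAuthority.wsseSignatureVerificationFilterID = filter:wsseSignatureVerificationFilter

# Provide an identifier for this filter so that main WSGI app
# CombinedServicesWSGI Session Manager filter can call this Attribute Authority
# directly
referencedFilters = filter:wsseSignatureVerificationFilter

# Path from URL for Attribute Authority in this Paste deployment
path = /AttributeAuthority

# External endpoint for this Attribute Authority - must agree with setting used
# to invoke this service set in:
# * serverapp.py
# * or port in [server:main] if calling with paster serve securityservices.ini
# * or something else e.g. proxied through Apache?
# This setting is used by Attribute Authority clients in this WSGI stack to see
# if a request is being made to the local service or to another Attribute
# Authority running elsewhere
publishedURI = %(baseURI)s%(path)s

# Enable ?wsdl query argument to list the WSDL content
enableWSDLQuery = True
charset = utf-8
# %(__name__)s expands to this section's name (Python 2 ConfigParser supplies
# __name__ for every section).
filterID = %(__name__)s

#______________________________________________________________________________
# WS-Security Signature Verification
[filter:wsseSignatureVerificationFilter]
paste.filter_app_factory = ndg.security.server.wsgi.wssecurity:SignatureVerificationFilter
filterID = %(__name__)s

# Settings for WS-Security SignatureHandler class used by this filter
wsseCfgFilePrefix = wssecurity

# Verify against known CAs - Provide a space separated list of file paths
wssecurity.caCertFilePathList = %(testConfigDir)s/ca/ndg-test-ca.crt

#______________________________________________________________________________
# Apply WS-Security Signature
[filter:wsseSignatureFilter]
paste.filter_app_factory = ndg.security.server.wsgi.wssecurity:ApplySignatureFilter

# Reference the verification filter in order to be able to apply signature
# confirmation
referencedFilters = filter:wsseSignatureVerificationFilter
wsseSignatureVerificationFilterID = filter:wsseSignatureVerificationFilter

# Last filter in chain of SOAP handlers writes the response
writeResponse = True

# Settings for WS-Security SignatureHandler class used by this filter
wsseCfgFilePrefix = wssecurity

# Certificate associated with private key used to sign a message.  The sign
# method will add this to the BinarySecurityToken element of the WSSE header.
wssecurity.signingCertFilePath = %(testConfigDir)s/pki/wsse-server.crt

# PEM encoded private key file
wssecurity.signingPriKeyFilePath = %(testConfigDir)s/pki/wsse-server.key

# Set the ValueType for the BinarySecurityToken added to the WSSE header for a
# signed message.  See __setReqBinSecTokValType method and binSecTokValType
# class variable for options - it may be one of X509, X509v3, X509PKIPathv1 or
# give full namespace to alternative - see
# ZSI.wstools.Namespaces.OASIS.X509TOKEN
#
# binSecTokValType determines whether signingCert or signingCertChain
# attributes will be used.
wssecurity.reqBinSecTokValType = X509v3

# Add a timestamp element to an outbound message
wssecurity.addTimestamp = True

# For WSSE 1.1 - service returns signature confirmation containing signature
# value sent by client
wssecurity.applySignatureConfirmation = True

#______________________________________________________________________________
# Logging configuration - presumably consumed by logging.config.fileConfig
# (as 'paster serve' does), which reads these sections separately from the
# Paste Deploy sections above.
[loggers]
keys = root, ndg

[handlers]
keys = console

[formatters]
keys = generic

[logger_root]
level = INFO
handlers = console

[logger_ndg]
level = DEBUG
handlers =
qualname = ndg

[handler_console]
class = StreamHandler
# Evaluated by fileConfig as a Python tuple of handler constructor arguments.
args = (sys.stderr,)
level = NOTSET
formatter = generic

[formatter_generic]
# fileConfig reads 'format' raw, so these %(...)s are logging record fields,
# not ConfigParser references.
format = %(asctime)s,%(msecs)03d %(levelname)-5.5s [%(name)s] %(message)s
datefmt = %H:%M:%S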
353