source: TI12-security/trunk/python/ndg.security.test/ndg/security/test/integration/openidrelyingparty_withapp/securityservices.ini @ 5541

#
# NERC DataGrid Security
#
# Paste configuration for combined Attribute Authority, OpenID Relying Party 
# and Provider services
#
# The %(here)s variable will be replaced with the parent directory of this file
#
# Author: P J Kershaw
# date: 01/07/09
# Copyright: (C) 2009 Science and Technology Facilities Council
# license: BSD - see LICENSE file in top-level directory
# Contact: Philip.Kershaw@stfc.ac.uk
# Revision: $Id:$

[DEFAULT]
portNum = 7443
hostname = localhost
scheme = http
baseURI = %(scheme)s://%(hostname)s:%(portNum)s
openIDProviderIDBase = /openid
openIDProviderIDSelectURI = %(baseURI)s%(openIDProviderIDBase)s
testConfigDir = %(here)s/../../config

#______________________________________________________________________________
# Attribute Authority settings
# 'name' setting MUST agree with map config file 'thisHost' name attribute
attributeAuthority.name: Site A

# Lifetime is measured in seconds
attributeAuthority.attCertLifetime: 28800 

# Allow an offset for clock skew between servers running 
# security services. NB, measured in seconds - use a minus sign for time in the
# past
attributeAuthority.attCertNotBeforeOff: 0

# All Attribute Certificates issued are recorded in this dir
attributeAuthority.attCertDir: %(testConfigDir)s/attributeauthority/sitea/attributeCertificateLog

# Files in attCertDir are stored using a rotating file handler
# attCertFileLogCnt sets the max number of files created before the first is 
# overwritten
attributeAuthority.attCertFileName: ac.xml
attributeAuthority.attCertFileLogCnt: 16
attributeAuthority.dnSeparator:/

# Location of role mapping file
attributeAuthority.mapConfigFile: %(testConfigDir)s/attributeauthority/sitea/siteAMapConfig.xml

# Settings for custom AttributeInterface derived class to get user roles for given 
# user ID
#attributeAuthority.attributeInterface.modFilePath: %(testConfigDir)s/attributeauthority/sitea
attributeAuthority.attributeInterface.modName: ndg.security.test.integration.authz.attributeinterface
attributeAuthority.attributeInterface.className: TestUserRoles

# Config for XML signature of Attribute Certificate
attributeAuthority.signingPriKeyFilePath: %(testConfigDir)s/attributeauthority/sitea/siteA-aa.key
attributeAuthority.signingCertFilePath: %(testConfigDir)s/attributeauthority/sitea/siteA-aa.crt
attributeAuthority.caCertFilePathList: %(testConfigDir)s/ca/ndg-test-ca.crt

[server:main]
use = egg:Paste#http
host = 0.0.0.0
port = %(portNum)s

[filter-app:OpenIDProviderApp]
use = egg:Paste#httpexceptions
next = cascade

# Composite for OpenID Provider to enable settings for picking up static 
# content
[composit:cascade]
use = egg:Paste#cascade
app1 = OpenIDProviderStaticContent
app2 = OpenIDProviderMiddlewareApp
catch = 404

[app:OpenIDProviderStaticContent]
use = egg:Paste#static
document_root = %(here)s/openidprovider

[pipeline:main]
pipeline = wsseSignatureVerificationFilter 
                   AttributeAuthorityFilter 
           wsseSignatureFilter 
                   SessionMiddlewareFilter
                   OpenIDRelyingPartyFilter
                   OpenIDProviderApp

#______________________________________________________________________________
# Beaker Session Middleware (used by OpenID Provider Filter)
[filter:SessionMiddlewareFilter]
paste.filter_app_factory=beaker.middleware:SessionMiddleware
beaker.session.key = openid
beaker.session.secret = qKEdQdCr33NE087dRUWX3qUv5r7AsuQU
# These options enable cookie only type sessions with the cookie content 
# encrypted
#beaker.session.type = cookie
#beaker.session.validate_key = 0123456789abcdef
#beaker.session.encrypt_key = fedcba9876543210

# If you'd like to fine-tune the individual locations of the cache data dirs
# for the Cache data, or the Session saves, un-comment the desired settings
# here:
beaker.cache.data_dir = %(here)s/openidprovider/beaker/cache
beaker.session.data_dir = %(here)s/openidprovider/beaker/sessions
beaker.session.cookie_expires = True

[filter:OpenIDRelyingPartyFilter]
paste.filter_app_factory = 
        ndg.security.server.wsgi.openid.relyingparty:OpenIDRelyingPartyMiddleware.filter_app_factory

openid.relyingparty.sessionKey = beaker.session
openid.relyingparty.baseURL = %(authkit.openid.baseurl)s
openid.relyingparty.certFilePath = %(testConfigDir)s/pki/localhost.crt
openid.relyingparty.priKeyFilePath = %(testConfigDir)s/pki/localhost.key
openid.relyingparty.priKeyPwd = 
openid.relyingparty.caCertDirPath = %(testConfigDir)s/ca
openid.relyingparty.providerWhitelistFilePath =
#openid.relyingparty.signinInterfaceMiddlewareClass = ndg.security.test.integration.openid.openidrelyingparty.signin_interface.CombinedSigninAndLoginInterface
#openid.relyingparty.signinInterface.templatePackage = ndg.security.test.integration.openid.openidrelyingparty.templates
openid.relyingparty.signinInterfaceMiddlewareClass = ndg.security.server.wsgi.openid.relyingparty.signin_interface.buffet.BuffetSigninTemplate
openid.relyingparty.signinInterface.templatePackage = ndg.security.server.wsgi.openid.relyingparty.signin_interface.buffet.templates
openid.relyingparty.signinInterface.staticContentRootDir = %(here)s/openidrelyingparty/public
openid.relyingparty.signinInterface.baseURL = %(openid.relyingparty.baseURL)s
openid.relyingparty.signinInterface.initialOpenID = %(openIDProviderIDSelectURI)s
openid.relyingparty.signinInterface.leftLogo = %(openid.relyingparty.signinInterface.baseURL)s/layout/NERC_Logo.gif
openid.relyingparty.signinInterface.leftAlt = Natural Environment Research Council
openid.relyingparty.signinInterface.ndgLink = http://ndg.nerc.ac.uk/
openid.relyingparty.signinInterface.ndgImage = %(openid.relyingparty.signinInterface.baseURL)s/layout/ndg_logo_circle.gif
openid.relyingparty.signinInterface.disclaimer = This site is for test purposes only and is under active development.
openid.relyingparty.signinInterface.stfcLink = http://www.stfc.ac.uk/
openid.relyingparty.signinInterface.stfcImage = %(openid.relyingparty.signinInterface.baseURL)s/layout/stfc-circle-sm.gif
openid.relyingparty.signinInterface.helpIcon = %(openid.relyingparty.signinInterface.baseURL)s/layout/icons/help.png

cache_dir = %(here)s/data

# AuthKit Set-up
authkit.setup.method=openid, cookie

# This cookie name and secret MUST agree with the name used by the 
# Authentication Filter used to secure a given app
authkit.cookie.name=ndg.security.auth
authkit.cookie.secret=9wvZObs9anUEhSIAnJNoY2iJq59FfYZr
authkit.cookie.signoutpath = /logout

# Disable inclusion of client IP address from cookie signature due to 
# suspected problem with AuthKit setting it when a HTTP Proxy is in place
authkit.cookie.includeip = False

authkit.openid.path.signedin=/
authkit.openid.store.type=file
authkit.openid.store.config=%(here)s/openidrelyingparty/store
authkit.openid.session.key = authkit_openid
authkit.openid.session.secret = random string

authkit.openid.baseurl = %(baseURI)s

# Template for signin
#authkit.openid.template.obj = 

# Handler for parsing OpenID and creating a session from it
#authkit.openid.urltouser = 

#______________________________________________________________________________
# OpenID Provider WSGI Settings
[app:OpenIDProviderMiddlewareApp]
paste.app_factory=ndg.security.server.wsgi.openid.provider:OpenIDProviderMiddleware.app_factory
openid.provider.path.openidserver=/OpenID/Provider/server
openid.provider.path.login=/OpenID/Provider/login
openid.provider.path.loginsubmit=/OpenID/Provider/loginsubmit

# Yadis based discovery only - the 'id' path is configured to return 404 not
# found - see ndg.security.server.wsgi.openid.provider.renderinginterface.
# buffet.BuffetRendering class
openid.provider.path.id=/OpenID/Provider/id/${userIdentifier}
openid.provider.path.yadis=%(openIDProviderIDBase)s/${userIdentifier}

# Yadis based discovery for idselect mode - this is where the user has entered
# a URI at the Relying Party which identifies their Provider only and not their
# full ID URI.  e.g. https://badc.nerc.ac.uk instead of 
# https://badc.nerc.ac.uk/John
openid.provider.path.serveryadis=%(openIDProviderIDBase)s
openid.provider.path.allow=/OpenID/Provider/allow
openid.provider.path.decide=/OpenID/Provider/decide
openid.provider.path.mainpage=/OpenID/Provider/home

openid.provider.session_middleware=beaker.session 
openid.provider.base_url=%(baseURI)s
openid.provider.trace=False
openid.provider.consumer_store_dirpath=%(here)s/openidprovider
openid.provider.renderingClass=ndg.security.server.wsgi.openid.provider.renderinginterface.buffet.BuffetRendering
#openid.provider.renderingClass=ndg.security.server.wsgi.openid.provider.DemoRenderingInterface

openid.provider.rendering.templateType = kid
openid.provider.rendering.templateRoot = ndg.security.server.wsgi.openid.provider.renderinginterface.buffet.templates
openid.provider.rendering.kid.assume_encoding= utf-8
openid.provider.rendering.kid.encoding = utf-8

# Layout
openid.provider.rendering.baseURL = %(openid.provider.base_url)s
openid.provider.rendering.leftLogo = %(openid.provider.rendering.baseURL)s/layout/NERC_Logo.gif
openid.provider.rendering.leftAlt = Natural Environment Research Council
openid.provider.rendering.ndgLink = http://ndg.nerc.ac.uk/
openid.provider.rendering.ndgImage = %(openid.provider.rendering.baseURL)s/layout/ndg_logo_circle.gif
openid.provider.rendering.disclaimer = This site is for test purposes only and is under active development.
openid.provider.rendering.stfcLink = http://www.stfc.ac.uk/
openid.provider.rendering.stfcImage = %(openid.provider.rendering.baseURL)s/layout/stfc-circle-sm.gif
openid.provider.rendering.helpIcon = %(openid.provider.rendering.baseURL)s/layout/icons/help.png

# Basic Authentication interface to demonstrate capabilities
openid.provider.authNInterface=ndg.security.server.wsgi.openid.provider.authninterface.basic.BasicAuthNInterface

# user login details format is:
# <username>:<password>:<OpenID name>, ... <OpenID name N> <username>:... etc
# Each user entry is delimited by a space. username, password and OpenID name
# list are delimited by a colon.  The list of OpenID names are delimited by
# commas.  The OpenID name represents the unique part of the OpenID URL for the
# individual user.  Each username may have more than one OpenID alias but only
# alias at a time may be registered with a given Attribute Authority
openid.provider.authN.userCreds=pjk:testpassword:PhilipKershaw,P.J.Kershaw another:testpassword:A.N.Other

# Basic authentication for testing/admin - comma delimited list of 
# <username>:<password> pairs
#openid.provider.usercreds=pjk:test

#______________________________________________________________________________
# Attribute Authority WSGI settings
#
[filter:AttributeAuthorityFilter]
# This filter is a container for a binding to a SOAP based interface to the
# Attribute Authority
paste.filter_app_factory = ndg.security.server.wsgi.soap:SOAPBindingMiddleware

# Use this ZSI generated SOAP service interface class to handle i/o for this
# filter
ServiceSOAPBindingClass = ndg.security.server.zsi.attributeauthority.AttributeAuthorityWS

# SOAP Binding Class specific keywords are in this section identified by this
# prefix:
ServiceSOAPBindingPropPrefix = AttributeAuthority

# The AttributeAuthority class has settings in the default section above 
# identified by this prefix:
AttributeAuthority.propPrefix = attributeAuthority
AttributeAuthority.propFilePath = %(here)s/securityservices.ini
AttributeAuthority.wsseSignatureVerificationFilterID = filter:wsseSignatureVerificationFilter

# Provide an identifier for this filter so that main WSGI app 
# CombinedServicesWSGI Session Manager filter can call this Attribute Authority
# directly
referencedFilters = filter:wsseSignatureVerificationFilter

# Path from URL for Attribute Authority in this Paste deployment
path = /AttributeAuthority

# External endpoint for this Attribute Authority - must agree with setting used
# to invoke this service set in:
# * serverapp.py 
# * or port in [server:main] if calling with paster serve securityservices.ini
# * or something else e.g. proxied through Apache?
# This setting is used by Attribute Authority clients in this WSGI stack to see
# if a request is being made to the local service or to another Attribute 
# Authority running elsewhere
publishedURI = %(baseURI)s%(path)s

# Enable ?wsdl query argument to list the WSDL content
enableWSDLQuery = True
charset = utf-8
filterID = %(__name__)s

#______________________________________________________________________________
# WS-Security Signature Verification
[filter:wsseSignatureVerificationFilter]
paste.filter_app_factory = ndg.security.server.wsgi.wssecurity:SignatureVerificationFilter
filterID = %(__name__)s

# Settings for WS-Security SignatureHandler class used by this filter
wsseCfgFilePrefix = wssecurity

# Verify against known CAs - Provide a space separated list of file paths
wssecurity.caCertFilePathList=%(testConfigDir)s/ca/ndg-test-ca.crt

#______________________________________________________________________________
# Apply WS-Security Signature 
[filter:wsseSignatureFilter]
paste.filter_app_factory = ndg.security.server.wsgi.wssecurity:ApplySignatureFilter

# Reference the verification filter in order to be able to apply signature
# confirmation
referencedFilters = filter:wsseSignatureVerificationFilter
wsseSignatureVerificationFilterID = filter:wsseSignatureVerificationFilter

# Last filter in chain of SOAP handlers writes the response
writeResponse = True

# Settings for WS-Security SignatureHandler class used by this filter
wsseCfgFilePrefix = wssecurity

# Certificate associated with private key used to sign a message.  The sign 
# method will add this to the BinarySecurityToken element of the WSSE header.  
wssecurity.signingCertFilePath=%(testConfigDir)s/pki/wsse-server.crt

# PEM encoded private key file
wssecurity.signingPriKeyFilePath=%(testConfigDir)s/pki/wsse-server.key

# Set the ValueType for the BinarySecurityToken added to the WSSE header for a
# signed message.  See __setReqBinSecTokValType method and binSecTokValType 
# class variable for options - it may be one of X509, X509v3, X509PKIPathv1 or 
# give full namespace to alternative - see 
# ZSI.wstools.Namespaces.OASIS.X509TOKEN
#
# binSecTokValType determines whether signingCert or signingCertChain 
# attributes will be used.
wssecurity.reqBinSecTokValType=X509v3

# Add a timestamp element to an outbound message
wssecurity.addTimestamp=True

# For WSSE 1.1 - service returns signature confirmation containing signature 
# value sent by client
wssecurity.applySignatureConfirmation=True

# Logging configuration
[loggers]
keys = root, ndg

[handlers]
keys = console

[formatters]
keys = generic

[logger_root]
level = INFO
handlers = console

[logger_ndg]
level = DEBUG
handlers =
qualname = ndg

[handler_console]
class = StreamHandler
args = (sys.stderr,)
level = NOTSET
formatter = generic

[formatter_generic]
format = %(asctime)s,%(msecs)03d %(levelname)-5.5s [%(name)s] %(message)s
datefmt = %H:%M:%S