source: TI12-security/trunk/python/ndg_security_test/ndg/security/test/integration/authz_lite/securityservices.ini @ 5738

Subversion URL: http://proj.badc.rl.ac.uk/svn/ndg/TI12-security/trunk/python/ndg_security_test/ndg/security/test/integration/authz_lite/securityservices.ini@5738
Revision 5738, 14.9 KB checked in by pjkersha, 10 years ago (diff)

saml.xml.etree: important fixes to ElementTree based Status element serialisation and de-serialisation
ndg.security.server.attributeauthority: added clockSkew parameter to provide some leeway in SAML attribute query clock checks. Also added StatusMessage element for additional error info in responses.
ndg.security.common.soap.client: added check of HTTP Content-type in SOAP responses.

#
# NERC DataGrid Security
#
# Paste configuration for combined Attribute Authority, OpenID Relying Party
# and Provider services
#
# The %(here)s variable will be replaced with the parent directory of this file
#
# Author: P J Kershaw
# date: 01/07/09
# Copyright: (C) 2009 Science and Technology Facilities Council
# license: BSD - see LICENSE file in top-level directory
# Contact: Philip.Kershaw@stfc.ac.uk
# Revision: $Id:$

[DEFAULT]
# Paste Deploy reads this file with configparser-style %(name)s interpolation;
# every key in this section is a fallback visible to all sections below, so the
# values here are effectively global.
# TCP port the combined services listen on (see [server:main])
portNum = 7443
hostname = localhost
# Plain HTTP: every URL derived from baseURI (OpenID endpoints, the Beaker and
# AuthKit cookies set by the filters below) travels unencrypted. Acceptable for
# the integration tests only; a deployment would use https with matching
# certificates.
scheme = http
baseURI = %(scheme)s://%(hostname)s:%(portNum)s
openIDProviderIDBase = /openid
openIDProviderIDSelectURI = %(baseURI)s%(openIDProviderIDBase)s
# Test fixtures (PKI files, CA certs, Attribute Authority config) relative to
# this file
testConfigDir = %(here)s/../../config
# environ key under which the Beaker session object is published; the session
# middleware, Relying Party and Provider sections all reference it
beakerSessionKeyName = beaker.session.ndg.security.services

# Global Attribute Authority Settings
# environ keys shared between the Attribute Authority filter and the SOAP/SAML
# binding filters that look the service up
attributeAuthorityEnvironKeyName = ndg.security.server.attributeauthority.AttributeAuthority
attributeQueryInterfaceEnvironKeyName = ndg.security.server.attributeauthority.attributeQueryInterface


[server:main]
# Paste's built-in HTTP server (no TLS) - matches scheme = http in [DEFAULT]
use = egg:Paste#http
# 0.0.0.0 binds every interface, so the test credentials and secrets configured
# further down are reachable from the network, not only from this host. Prefer
# 127.0.0.1 unless remote clients are part of the test run.
host = 0.0.0.0
port = %(portNum)s

[filter-app:OpenIDProviderFilterApp]
# Paste httpexceptions filter in front of the cascade composite: turns
# HTTPException instances raised by the apps into HTTP responses
use = egg:Paste#httpexceptions
next = cascade

# Composite for OpenID Provider to enable settings for picking up static
# content
# NOTE(review): the section type is spelt 'composit'; Paste Deploy presumably
# accepts it as an alias of 'composite' - confirm with the paste.deploy version
# in use
[composit:cascade]
use = egg:Paste#cascade
# Static content is tried first; a 404 from it falls through to the Provider app
app1 = OpenIDProviderStaticContent
app2 = OpenIDProviderApp
catch = 404

[app:OpenIDProviderStaticContent]
use = egg:Paste#static
# Paste#static serves files under this directory verbatim. The Beaker cache and
# session directories ([filter:SessionMiddlewareFilter]) and the Provider
# consumer store ([app:OpenIDProviderApp]) are configured beneath this same
# path - confirm they are not URL-reachable, or move them outside document_root.
document_root = %(here)s/openidprovider

[pipeline:main]
# Filter order is significant: a request enters at the first entry and the
# response passes back through the chain in reverse. WS-Security verification
# is first, so it sees every SOAP request before either Attribute Authority
# binding does; wsseSignatureFilter signs the SOAP responses on the way out.
# The continuation lines below must stay indented (configparser continuation).
pipeline = wsseSignatureVerificationFilter
                   AttributeAuthorityFilter
                   AttributeAuthorityWsdlSoapBindingFilter
           wsseSignatureFilter
           AttributeAuthoritySamlSoapBindingFilter
                   SessionMiddlewareFilter
                   OpenIDRelyingPartyFilter
                   OpenIDProviderApp

#______________________________________________________________________________
# Beaker Session Middleware (used by OpenID Provider Filter)
[filter:SessionMiddlewareFilter]
paste.filter_app_factory=beaker.middleware:SessionMiddleware
beaker.session.key = openid
# Secret used to sign/authenticate the session cookie. It is committed to the
# repository and shared by every checkout, so anyone able to read it can forge a
# session for this service. Test fixture only - generate a fresh, unpublished
# value per deployment.
beaker.session.secret = qKEdQdCr33NE087dRUWX3qUv5r7AsuQU

# If you'd like to fine-tune the individual locations of the cache data dirs
# for the Cache data, or the Session saves, un-comment the desired settings
# here:
# Both directories lie under the Paste#static document_root configured in
# [app:OpenIDProviderStaticContent]; confirm they cannot be fetched over HTTP.
beaker.cache.data_dir = %(here)s/openidprovider/beaker/cache
beaker.session.data_dir = %(here)s/openidprovider/beaker/sessions
# Per the Beaker docs, True makes the cookie expire when the browser closes
# rather than persisting - TODO confirm against the Beaker version in use
beaker.session.cookie_expires = True

# Key name for keying into environ dictionary
environ_key = %(beakerSessionKeyName)s

[filter:OpenIDRelyingPartyFilter]
# Value is on an indented continuation line (configparser); keep the indent
paste.filter_app_factory = 
        ndg.security.server.wsgi.openid.relyingparty:OpenIDRelyingPartyMiddleware.filter_app_factory

openid.relyingparty.baseURL = %(authkit.openid.baseurl)s
# Client certificate/key the Relying Party presents to Providers
openid.relyingparty.certFilePath = %(testConfigDir)s/pki/localhost.crt
openid.relyingparty.priKeyFilePath = %(testConfigDir)s/pki/localhost.key
# Empty: the private key file is expected to be unencrypted, so file permissions
# on localhost.key are its only protection
openid.relyingparty.priKeyPwd = 
openid.relyingparty.caCertDirPath = %(testConfigDir)s/ca
# Empty: no Provider whitelist is configured, so presumably any OpenID Provider
# is accepted - confirm against OpenIDRelyingPartyMiddleware; set a whitelist
# for anything beyond the integration tests
openid.relyingparty.providerWhitelistFilePath =
openid.relyingparty.signinInterfaceMiddlewareClass = ndg.security.server.wsgi.openid.relyingparty.signin_interface.buffet.BuffetSigninTemplate
openid.relyingparty.signinInterface.templatePackage = ndg.security.server.wsgi.openid.relyingparty.signin_interface.buffet.templates
openid.relyingparty.signinInterface.staticContentRootDir = %(here)s/openidrelyingparty/public
openid.relyingparty.signinInterface.baseURL = %(openid.relyingparty.baseURL)s
openid.relyingparty.signinInterface.initialOpenID = %(openIDProviderIDSelectURI)s
openid.relyingparty.signinInterface.leftLogo = %(openid.relyingparty.signinInterface.baseURL)s/layout/NERC_Logo.gif
openid.relyingparty.signinInterface.leftAlt = Natural Environment Research Council
openid.relyingparty.signinInterface.ndgLink = http://ndg.nerc.ac.uk/
openid.relyingparty.signinInterface.ndgImage = %(openid.relyingparty.signinInterface.baseURL)s/layout/ndg_logo_circle.gif
openid.relyingparty.signinInterface.disclaimer = This site is for test purposes only and is under active development.
openid.relyingparty.signinInterface.stfcLink = http://www.stfc.ac.uk/
openid.relyingparty.signinInterface.stfcImage = %(openid.relyingparty.signinInterface.baseURL)s/layout/stfc-circle-sm.gif
openid.relyingparty.signinInterface.helpIcon = %(openid.relyingparty.signinInterface.baseURL)s/layout/icons/help.png

cache_dir = %(here)s/data

# AuthKit Set-up
authkit.setup.method=openid, cookie

# This cookie name and secret MUST agree with the name used by the
# Authentication Filter used to secure a given app
authkit.cookie.name=ndg.security.auth

# Signs the AuthKit authentication cookie. Committed, shared test value - anyone
# who can read it can forge an authenticated cookie; replace per deployment.
authkit.cookie.secret=9wvZObs9anUEhSIAnJNoY2iJq59FfYZr
authkit.cookie.signoutpath = /logout

# Disable inclusion of client IP address from cookie signature due to
# suspected problem with AuthKit setting it when a HTTP Proxy is in place
# Consequence: the cookie is not bound to the client address, so a captured
# cookie is usable from anywhere until it expires (and it travels over plain
# HTTP here).
authkit.cookie.includeip = False

authkit.openid.path.signedin=/
# OpenID association/nonce store kept on the local filesystem
authkit.openid.store.type=file
authkit.openid.store.config=%(here)s/openidrelyingparty/store
authkit.openid.session.key = authkit_openid
# The value is the literal text "random string", i.e. a placeholder, not a
# random secret - replace with a generated value outside the test environment
authkit.openid.session.secret = random string

# Key name for dereferencing beaker.session object held in environ
authkit.openid.session.middleware = %(beakerSessionKeyName)s

authkit.openid.baseurl = %(baseURI)s

# Template for signin
#authkit.openid.template.obj =

# Handler for parsing OpenID and creating a session from it
#authkit.openid.urltouser =

#______________________________________________________________________________
# OpenID Provider WSGI Settings
[app:OpenIDProviderApp]
paste.app_factory=ndg.security.server.wsgi.openid.provider:OpenIDProviderMiddleware.app_factory

openid.provider.path.openidserver=/OpenID/Provider/server
openid.provider.path.login=/OpenID/Provider/login
openid.provider.path.loginsubmit=/OpenID/Provider/loginsubmit

# Yadis based discovery only - the 'id' path is configured to return 404 not
# found - see ndg.security.server.wsgi.openid.provider.renderinginterface.
# buffet.BuffetRendering class
# ${userIdentifier} is not configparser interpolation ('$' is literal under
# BasicInterpolation); it is presumably substituted by the Provider middleware
# per user - confirm in OpenIDProviderMiddleware
openid.provider.path.id=/OpenID/Provider/id/${userIdentifier}
openid.provider.path.yadis=%(openIDProviderIDBase)s/${userIdentifier}

# Yadis based discovery for idselect mode - this is where the user has entered
# a URI at the Relying Party which identifies their Provider only and not their
# full ID URI.  e.g. https://badc.nerc.ac.uk instead of
# https://badc.nerc.ac.uk/John
openid.provider.path.serveryadis=%(openIDProviderIDBase)s
openid.provider.path.allow=/OpenID/Provider/allow
openid.provider.path.decide=/OpenID/Provider/decide
openid.provider.path.mainpage=/OpenID/Provider/home

openid.provider.session_middleware=%(beakerSessionKeyName)s
openid.provider.base_url=%(baseURI)s
# Keep False outside debugging - trace output may include request contents
openid.provider.trace=False
# Consumer store lives directly under the Paste#static document_root
# ([app:OpenIDProviderStaticContent]); confirm it is not served over HTTP
openid.provider.consumer_store_dirpath=%(here)s/openidprovider
openid.provider.renderingClass=ndg.security.server.wsgi.openid.provider.renderinginterface.buffet.BuffetRendering
#openid.provider.renderingClass=ndg.security.server.wsgi.openid.provider.DemoRenderingInterface

openid.provider.rendering.templateType = kid
openid.provider.rendering.templateRoot = ndg.security.server.wsgi.openid.provider.renderinginterface.buffet.templates
openid.provider.rendering.kid.assume_encoding= utf-8
openid.provider.rendering.kid.encoding = utf-8

# Layout
openid.provider.rendering.baseURL = %(openid.provider.base_url)s
openid.provider.rendering.leftLogo = %(openid.provider.rendering.baseURL)s/layout/NERC_Logo.gif
openid.provider.rendering.leftAlt = Natural Environment Research Council
openid.provider.rendering.ndgLink = http://ndg.nerc.ac.uk/
openid.provider.rendering.ndgImage = %(openid.provider.rendering.baseURL)s/layout/ndg_logo_circle.gif
openid.provider.rendering.disclaimer = This site is for test purposes only and is under active development.
openid.provider.rendering.stfcLink = http://www.stfc.ac.uk/
openid.provider.rendering.stfcImage = %(openid.provider.rendering.baseURL)s/layout/stfc-circle-sm.gif
openid.provider.rendering.helpIcon = %(openid.provider.rendering.baseURL)s/layout/icons/help.png

# Basic Authentication interface to demonstrate capabilities
openid.provider.authNInterface=ndg.security.server.wsgi.openid.provider.authninterface.basic.BasicAuthNInterface

# user login details format is:
# <username>:<password>:<OpenID name>, ... <OpenID name N> <username>:... etc
# Each user entry is delimited by a space. username, password and OpenID name
# list are delimited by a colon.  The list of OpenID names are delimited by
# commas.  The OpenID name represents the unique part of the OpenID URL for the
# individual user.  Each username may have more than one OpenID alias but only
# alias at a time may be registered with a given Attribute Authority
# Plaintext test passwords committed with the config; the BasicAuthNInterface
# is a demo, not a production credential store. With host = 0.0.0.0 these
# accounts are usable from the network.
openid.provider.authN.userCreds=pjk:testpassword:PhilipKershaw,P.J.Kershaw another:testpassword:A.N.Other

# Basic authentication for testing/admin - comma delimited list of
# <username>:<password> pairs
#openid.provider.usercreds=pjk:test

#______________________________________________________________________________
# Attribute Authority WSGI settings
#
# NOTE(review): this section mixes '=' and ':' as key/value delimiters.
# configparser accepts both, but normalise to one form if the section is edited.
[filter:AttributeAuthorityFilter]
# This filter publishes an Attribute Authority instance as a key in environ
# to enable other middleware to access it
paste.filter_app_factory = ndg.security.server.wsgi.attributeauthority:AttributeAuthorityMiddleware.filter_app_factory
# Only keys carrying this prefix are passed to the Attribute Authority
prefix = attributeAuthority.

# Key name by which the WSDL SOAP based interface may reference this
# service
attributeAuthority.environKeyName = %(attributeAuthorityEnvironKeyName)s

# Key name for the SAML SOAP binding based interface to reference this
# service's attribute query method
attributeAuthority.environKeyNameAttributeQueryInterface: %(attributeQueryInterfaceEnvironKeyName)s

# Attribute Authority settings
# 'name' setting MUST agree with map config file 'thisHost' name attribute
attributeAuthority.name: Site A

# Lifetime is measured in seconds
# 28800 s = 8 hours; an issued Attribute Certificate stays valid for this long
# regardless of later role changes (trailing space after the value is stripped
# by configparser)
attributeAuthority.attCertLifetime: 28800 

# Allow an offset for clock skew between servers running
# security services. NB, measured in seconds - use a minus sign for time in the
# past
attributeAuthority.attCertNotBeforeOff: 0

# All Attribute Certificates issued are recorded in this dir
attributeAuthority.attCertDir: %(testConfigDir)s/attributeauthority/sitea/attributeCertificateLog

# Files in attCertDir are stored using a rotating file handler
# attCertFileLogCnt sets the max number of files created before the first is
# overwritten
attributeAuthority.attCertFileName: ac.xml
attributeAuthority.attCertFileLogCnt: 16
# Separator used between DN components; no space after ':' so the value is
# exactly '/'
attributeAuthority.dnSeparator:/

# Location of role mapping file
attributeAuthority.mapConfigFilePath: %(testConfigDir)s/attributeauthority/sitea/siteAMapConfig.xml

# Settings for custom AttributeInterface derived class to get user roles for given
# user ID
# modName is imported by the service at start-up; the module must come from a
# trusted, write-protected location
#attributeAuthority.attributeInterface.modFilePath: %(testConfigDir)s/attributeauthority/sitea
attributeAuthority.attributeInterface.modName: ndg.security.test.integration.authz.attributeinterface
attributeAuthority.attributeInterface.className: TestUserRoles

# Config for XML signature of Attribute Certificate
# Signing key for issued Attribute Certificates - test PKI from testConfigDir;
# no key password is configured here, so the key file is assumed unencrypted
attributeAuthority.signingPriKeyFilePath: %(testConfigDir)s/attributeauthority/sitea/siteA-aa.key
attributeAuthority.signingCertFilePath: %(testConfigDir)s/attributeauthority/sitea/siteA-aa.crt
# CA(s) trusted when verifying certificates presented to this authority
attributeAuthority.caCertFilePathList: %(testConfigDir)s/ca/ndg-test-ca.crt


# SOAP WSDL Based Binding to the Attribute Authority
[filter:AttributeAuthorityWsdlSoapBindingFilter]
paste.filter_app_factory = ndg.security.server.wsgi.attributeauthority:AttributeAuthoritySOAPBindingMiddleware.filter_app_factory
prefix = service.soap.binding.
attributeAuthoritySOAPBindingPrefix = attributeauthority.service.soap.binding.

# Ties this binding to the WS-Security verification filter; the referenced
# filter must precede it in [pipeline:main]
service.soap.binding.referencedFilters = filter:wsseSignatureVerificationFilter
service.soap.binding.path = /AttributeAuthority
# True publishes the service WSDL on request (interface discovery by anyone who
# can reach the port); set False if the interface should not be advertised
service.soap.binding.enableWSDLQuery = True
service.soap.binding.charset = utf-8
service.soap.binding.serviceSOAPBindingEnvironKeyName = ndg.security.server.wsgi.attributeauthority.AttributeAuthoritySOAPBindingMiddleware

attributeauthority.service.soap.binding.attributeAuthorityEnvironKeyName = %(attributeAuthorityEnvironKeyName)s
attributeauthority.service.soap.binding.wsseSignatureVerificationFilterID = filter:wsseSignatureVerificationFilter


# SAML SOAP Binding to the Attribute Authority
[filter:AttributeAuthoritySamlSoapBindingFilter]
paste.filter_app_factory = ndg.security.server.wsgi.saml:SOAPAttributeInterfaceMiddleware.filter_app_factory
prefix = saml.soapbinding.

# Request paths handled by this binding (space separated list)
saml.soapbinding.pathMatchList = /AttributeAuthority/saml
# Looks up the attribute query callable published by AttributeAuthorityFilter
saml.soapbinding.queryInterfaceKeyName = %(attributeQueryInterfaceEnvironKeyName)s


#______________________________________________________________________________
# WS-Security Signature Verification
[filter:wsseSignatureVerificationFilter]
paste.filter_app_factory = ndg.security.server.wsgi.wssecurity:SignatureVerificationFilter.filter_app_factory
# %(__name__)s relies on the Python 2 ConfigParser pseudo-key holding the
# section name; Python 3 configparser does not provide it - TODO confirm the
# Paste Deploy/Python version before porting
filterID = %(__name__)s

# Settings for WS-Security SignatureHandler class used by this filter
wsseCfgFilePrefix = wssecurity

# Verify against known CAs - Provide a space separated list of file paths
# Signatures are only accepted if the signing certificate chains to a CA listed
# here; this is the test CA, so production must list the real trust anchors
wssecurity.caCertFilePathList=%(testConfigDir)s/ca/ndg-test-ca.crt


#______________________________________________________________________________
# Apply WS-Security Signature
[filter:wsseSignatureFilter]
paste.filter_app_factory = ndg.security.server.wsgi.wssecurity:ApplySignatureFilter.filter_app_factory

# Reference the verification filter in order to be able to apply signature
# confirmation
referencedFilters = filter:wsseSignatureVerificationFilter
wsseSignatureVerificationFilterID = filter:wsseSignatureVerificationFilter

# Last filter in chain of SOAP handlers writes the response
writeResponse = True

# Settings for WS-Security SignatureHandler class used by this filter
wsseCfgFilePrefix = wssecurity

# Certificate associated with private key used to sign a message.  The sign
# method will add this to the BinarySecurityToken element of the WSSE header.
wssecurity.signingCertFilePath=%(testConfigDir)s/pki/wsse-server.crt

# PEM encoded private key file
# No password key is configured for it here, so the file is assumed unencrypted;
# restrict its file permissions
wssecurity.signingPriKeyFilePath=%(testConfigDir)s/pki/wsse-server.key

# Set the ValueType for the BinarySecurityToken added to the WSSE header for a
# signed message.  See __setReqBinSecTokValType method and binSecTokValType
# class variable for options - it may be one of X509, X509v3, X509PKIPathv1 or
# give full namespace to alternative - see
# ZSI.wstools.Namespaces.OASIS.X509TOKEN
#
# binSecTokValType determines whether signingCert or signingCertChain
# attributes will be used.
wssecurity.reqBinSecTokValType=X509v3

# Add a timestamp element to an outbound message
# Keep True: the signed timestamp is what lets the receiver detect replayed
# messages
wssecurity.addTimestamp=True

# For WSSE 1.1 - service returns signature confirmation containing signature
# value sent by client
wssecurity.applySignatureConfirmation=True

# Logging configuration
# Read by logging.config.fileConfig via Paste Deploy
[loggers]
keys = root, ndg

[handlers]
keys = console

[formatters]
keys = generic

[logger_root]
level = INFO
handlers = console

[logger_ndg]
# DEBUG for the whole ndg namespace: presumably includes request/assertion
# contents from the security filters - lower it where logs are retained or
# shared
level = DEBUG
handlers =
qualname = ndg

[handler_console]
class = StreamHandler
# fileConfig evaluates 'args' as a Python expression, so this file must only be
# writable by trusted users
args = (sys.stderr,)
level = NOTSET
formatter = generic

[formatter_generic]
# The %(...)s fields here are logging record attributes; fileConfig reads the
# format raw, so configparser interpolation does not apply to this line
format = %(asctime)s,%(msecs)03d %(levelname)-5.5s [%(name)s] %(message)s
datefmt = %H:%M:%S
