source: TI12-security/trunk/python/ndg_security_test/ndg/security/test/integration/authz_lite/securityservices.ini @ 5786

Revision 5786, 18.4 KB checked in by pjkersha, 11 years ago (diff)

Updated OpenID AX (Attribute Exchange) interface. Attributes passed over this interface are now stored in the authentication session at the Relying Party.

1#
2# NERC DataGrid Security
3#
4# Paste configuration for combined Attribute Authority, OpenID Relying Party
5# and Provider services
6#
7# The %(here)s variable will be replaced with the parent directory of this file
8#
9# Author: P J Kershaw
10# date: 01/07/09
11# Copyright: (C) 2009 Science and Technology Facilities Council
12# license: BSD - see LICENSE file in top-level directory
13# Contact: Philip.Kershaw@stfc.ac.uk
14# Revision: $Id:$
15
[DEFAULT]
# Values here are inherited by every section below (ConfigParser DEFAULT
# semantics) and referenced through %(name)s interpolation.
portNum = 7443
hostname = localhost
# NOTE(security): plain http.  Everything built from baseURI - the OpenID
# Provider and Relying Party endpoints, the AuthKit 'ndg.security.auth' login
# cookie and the Beaker session cookie - is therefore exchanged in the clear.
# Acceptable for this local integration test only; a deployment must use https
# (TLS, and the SSL client-certificate check, are expected to be terminated by
# a proxy in front of this service - see SSLClientAuthenticationFilter).
scheme = http
baseURI = %(scheme)s://%(hostname)s:%(portNum)s
openIDProviderIDBase = /openid
# URI a user enters at the Relying Party to select this Provider (IDSelect mode)
openIDProviderIDSelectURI = %(baseURI)s%(openIDProviderIDBase)s
testConfigDir = %(here)s/../../config
# environ key under which the Beaker session is published; shared by the
# session middleware, the SSL redirect filter, the Relying Party and Provider
beakerSessionKeyName = beaker.session.ndg.security.services

# Global Attribute Authority Settings
# environ keys by which the SOAP/SAML binding filters locate the Attribute
# Authority instance published by AttributeAuthorityFilter
attributeAuthorityEnvironKeyName = ndg.security.server.attributeauthority.AttributeAuthority
attributeQueryInterfaceEnvironKeyName = ndg.security.server.attributeauthority.attributeQueryInterface
29
30
[server:main]
use = egg:Paste#http
# NOTE(security): listens on every interface, not only the 'localhost' name
# used in [DEFAULT].  This file carries test credentials and cookie/session
# secrets, and SSLClientAuthenticationFilter trusts proxy-style headers, so the
# port must not be reachable from other hosts: bind 127.0.0.1 for local testing
# or firewall the port so only the fronting proxy can connect.
host = 0.0.0.0
port = %(portNum)s
35
[filter-app:OpenIDProviderFilterApp]
# Paste httpexceptions middleware wrapping the static-content cascade below.
# Not referenced by [pipeline:main], so this entry (and the cascade it wraps)
# is only active if loaded by name from elsewhere - confirm or remove.
use = egg:Paste#httpexceptions
next = cascade
39
# Composite for OpenID Provider to enable settings for picking up static
# content.  Only reachable via OpenIDProviderFilterApp, which [pipeline:main]
# does not use.
[composit:cascade]
use = egg:Paste#cascade
# app1 is tried first; a 404 from it falls through to the Provider app
app1 = OpenIDProviderStaticContent
app2 = OpenIDProviderApp
catch = 404
47
[app:OpenIDProviderStaticContent]
use = egg:Paste#static
# NOTE(security): this directory is also where the Beaker session/cache files,
# the Provider's consumer store and attributeexchange.csv are configured to
# live (see SessionMiddlewareFilter and OpenIDProviderApp).  Serving it as a
# static document root would expose session state and user attributes.  The
# app is not in [pipeline:main] today; if it is ever wired in, move that data
# out of the document root first.
document_root = %(here)s/openidprovider
51
# Ordering of filters and app is critical: each filter wraps those listed after
# it, so a request passes through wsseSignatureVerificationFilter first and
# reaches OpenIDProviderApp last.  Points that depend on this order:
#  - the WS-Security verification filter precedes both Attribute Authority
#    SOAP bindings, and wsseSignatureFilter (which signs responses) sits
#    between them
#  - SessionMiddlewareFilter precedes every consumer of the Beaker session
#    (SSLCientAuthnRedirectResponseFilter, the Relying Party, the Provider)
#  - the SSL client-certificate filters precede OpenIDRelyingPartyFilter, so a
#    presented client certificate bypasses OpenID login
#  - SSLCientAuthnRedirectResponseFilter depends on AuthKit cookie middleware
#    being configured ahead of it (see that section's comment)
# The 'SSLCient...' names are missing an 'l' but are spelt that way
# consistently here and in their section headers; rename all or none.
[pipeline:main]
pipeline = wsseSignatureVerificationFilter
                   AttributeAuthorityFilter
                   AttributeAuthorityWsdlSoapBindingFilter
           wsseSignatureFilter
           AttributeAuthoritySamlSoapBindingFilter
                   SessionMiddlewareFilter
                   SSLCientAuthKitFilter
                   SSLClientAuthenticationFilter
                   SSLCientAuthnRedirectResponseFilter
                   OpenIDRelyingPartyFilter
                   OpenIDProviderApp
65
#______________________________________________________________________________
# Beaker Session Middleware (used by OpenID Provider Filter)
[filter:SessionMiddlewareFilter]
paste.filter_app_factory=beaker.middleware:SessionMiddleware
beaker.session.key = openid
# NOTE(security): this value authenticates the session cookie; anyone who can
# read it (it is committed to version control) can forge a session.  Test rig
# only - a deployment must generate its own secret and supply it from outside
# the repository.  With scheme=http in [DEFAULT] the cookie also travels in
# clear, so no Secure flag could protect it.
beaker.session.secret = qKEdQdCr33NE087dRUWX3qUv5r7AsuQU

# Session and cache files.  Session state - including, per this revision, the
# OpenID AX attributes received at the Relying Party - is persisted on disk
# here: restrict filesystem permissions and keep the directory out of any
# static document_root (OpenIDProviderStaticContent points at its parent).
beaker.cache.data_dir = %(here)s/openidprovider/beaker/cache
beaker.session.data_dir = %(here)s/openidprovider/beaker/sessions
# True: non-persistent cookie, discarded when the browser session ends
beaker.session.cookie_expires = True

# Key name for keying into environ dictionary
environ_key = %(beakerSessionKeyName)s
82
[filter:SSLCientAuthKitFilter]
# AuthKit cookie middleware for the SSL client-certificate login path.
# (Header is spelt 'SSLCient', missing an 'l', consistently with
# [pipeline:main] - renaming one without the other breaks the pipeline.)
paste.filter_app_factory = authkit.authenticate:middleware

# AuthKit Set-up
setup.method=cookie

# This cookie name and secret MUST agree with the name used by the
# Authentication Filter used to secure a given app
cookie.name=ndg.security.auth

# NOTE(security): hard-coded shared secret, duplicated verbatim as
# authkit.cookie.secret in OpenIDRelyingPartyFilter (the two must match).
# Whoever holds this value can forge the 'ndg.security.auth' login cookie.
# Replace both copies and keep them out of the repository for any non-test use.
cookie.secret=9wvZObs9anUEhSIAnJNoY2iJq59FfYZr
cookie.signoutpath = /logout

# Disable inclusion of client IP address from cookie signature due to
# suspected problem with AuthKit setting it when a HTTP Proxy is in place.
# Trade-off: a captured cookie can then be replayed from any host, and with
# scheme=http in [DEFAULT] capture requires only a passive observer.
cookie.includeip = False
99
# SSL Client Certificate based authentication is invoked if the client passed
# a certificate with request.  This bypasses OpenID based authn.
[filter:SSLClientAuthenticationFilter]
paste.filter_app_factory = ndg.security.server.wsgi.ssl:AuthKitSSLAuthnMiddleware
prefix = ssl.
# Trust anchor(s) for client certificates.  With the DN allow-list below left
# disabled, membership of this test CA is presumably sufficient for login.
ssl.caCertFilePathList = %(testConfigDir)s/ca/ndg-test-ca.crt
# Optional allow-list of client DNs.  Disabled for the test rig; enable it in
# any deployment so that holding a CA-issued certificate alone does not grant
# access.
#ssl.clientCertDNMatchList = /O=NDG/OU=BADC/CN=mytest /O=gabriel/OU=BADC/CN=test /O=NDG/OU=BADC/CN=test

# 'HTTP_' prefix is set when passed through a proxy
# NOTE(security): these are ordinary request headers (HTTPS: and
# SSL-Client-Cert:) as forwarded by a TLS-terminating proxy.  Proof that the
# client holds the certificate's private key happens only in the proxy's TLS
# handshake.  [server:main] binds 0.0.0.0 over http, so a client that can reach
# the port directly can set these headers itself and supply any CA-issued
# certificate - certificates are public - and would be logged in as that
# subject, whether or not the middleware re-checks the chain.  The port must be
# reachable only via the proxy, and the proxy must overwrite these headers on
# every request.
ssl.sslKeyName = HTTP_HTTPS
ssl.sslClientCertKeyName = HTTP_SSL_CLIENT_CERT

# Set the URI pattern match here to interrupt a redirect to the OpenID Relying
# Party from the service running over HTTP and see if a client certificate has
# been set
ssl.rePathMatchList = ^/verify.*
116
[filter:OpenIDRelyingPartyFilter]
paste.filter_app_factory = 
        ndg.security.server.wsgi.openid.relyingparty:OpenIDRelyingPartyMiddleware.filter_app_factory

# Public base URL of the Relying Party (reuses the AuthKit value set further
# down in this section)
openid.relyingparty.baseURL = %(authkit.openid.baseurl)s
# Relying Party certificate and key.  priKeyPwd is empty, so the .key file is
# stored unencrypted and protected by filesystem permissions alone.
openid.relyingparty.certFilePath = %(testConfigDir)s/pki/localhost.crt
openid.relyingparty.priKeyFilePath = %(testConfigDir)s/pki/localhost.key
openid.relyingparty.priKeyPwd = 
openid.relyingparty.caCertDirPath = %(testConfigDir)s/ca
# NOTE(security): no Provider whitelist file is configured.  Presumably any
# discoverable OpenID Provider is then accepted (confirm in
# OpenIDRelyingPartyMiddleware).  The Attribute Exchange values requested via
# the ax.* settings below are asserted by whichever Provider the user chose and,
# as of this revision, are stored in the RP session - so without a whitelist
# firstName/lastName/emailAddress are unverified, user-selectable claims and
# must not be used for authorisation decisions.
openid.relyingparty.providerWhitelistFilePath =
# Sign-in page rendering (Buffet templates) and its static layout assets
openid.relyingparty.signinInterfaceMiddlewareClass = ndg.security.server.wsgi.openid.relyingparty.signin_interface.buffet.BuffetSigninTemplate
openid.relyingparty.signinInterface.templatePackage = ndg.security.server.wsgi.openid.relyingparty.signin_interface.buffet.templates
openid.relyingparty.signinInterface.staticContentRootDir = %(here)s/openidrelyingparty/public
openid.relyingparty.signinInterface.baseURL = %(openid.relyingparty.baseURL)s
openid.relyingparty.signinInterface.initialOpenID = %(openIDProviderIDSelectURI)s
openid.relyingparty.signinInterface.leftLogo = %(openid.relyingparty.signinInterface.baseURL)s/layout/NERC_Logo.gif
openid.relyingparty.signinInterface.leftAlt = Natural Environment Research Council
openid.relyingparty.signinInterface.ndgLink = http://ndg.nerc.ac.uk/
openid.relyingparty.signinInterface.ndgImage = %(openid.relyingparty.signinInterface.baseURL)s/layout/ndg_logo_circle.gif
openid.relyingparty.signinInterface.disclaimer = This site is for test purposes only and is under active development.
openid.relyingparty.signinInterface.stfcLink = http://www.stfc.ac.uk/
openid.relyingparty.signinInterface.stfcImage = %(openid.relyingparty.signinInterface.baseURL)s/layout/stfc-circle-sm.gif
openid.relyingparty.signinInterface.helpIcon = %(openid.relyingparty.signinInterface.baseURL)s/layout/icons/help.png

# Working directory for the RP middleware (purpose not visible from this file)
cache_dir = %(here)s/data

# AuthKit Set-up
authkit.setup.method=openid, cookie

# This cookie name and secret MUST agree with the name used by the
# Authentication Filter used to secure a given app
authkit.cookie.name=ndg.security.auth

# NOTE(security): identical to cookie.secret in SSLCientAuthKitFilter (it has
# to match).  Hard-coded and committed; whoever holds it can forge the login
# cookie.  Replace both copies from an external source for any non-test use.
authkit.cookie.secret=9wvZObs9anUEhSIAnJNoY2iJq59FfYZr
authkit.cookie.signoutpath = /logout

# Disable inclusion of client IP address from cookie signature due to
# suspected problem with AuthKit setting it when a HTTP Proxy is in place
# (cost: a stolen cookie is replayable from any host)
authkit.cookie.includeip = False

authkit.openid.path.signedin=/
# On-disk store for OpenID associations/nonces (presumably python-openid's
# file store) - keep it readable by the service user only
authkit.openid.store.type=file
authkit.openid.store.config=%(here)s/openidrelyingparty/store
authkit.openid.session.key = authkit_openid
# NOTE(security): the literal text 'random string' is a placeholder, not a
# random secret.  Generate a real value (and do not commit it) before this
# configuration is used anywhere but the test rig.
authkit.openid.session.secret = random string

# Key name for dereferencing beaker.session object held in environ
authkit.openid.session.middleware = %(beakerSessionKeyName)s

authkit.openid.baseurl = %(baseURI)s

# Template for signin
#authkit.openid.template.obj =

# Handler for parsing OpenID and creating a session from it
#authkit.openid.urltouser =

# Attribute Exchange - all are optional unless the relevant ax.required.<name>
# is set to True (none is, so a Provider may omit any of them).  The alias
# defaults to the parameter name given unless explicitly specified - see the
# commented out entry for firstName below.  The number of values for each
# attribute name defaults to 1 unless otherwise set.
authkit.openid.ax.typeuri.firstName=http://openid.net/schema/namePerson/first
#authkit.openid.ax.alias.firstName=first_name
#authkit.openid.ax.count.firstName=1
authkit.openid.ax.typeuri.lastName=http://openid.net/schema/namePerson/last
authkit.openid.ax.typeuri.emailAddress=http://openid.net/schema/contact/internet/email
#authkit.openid.ax.required.emailAddress=True
184
185
[filter:SSLCientAuthnRedirectResponseFilter]
# Redirect to original requested URI following SSL Client Authentication.  This
# filter must be placed AFTER the AuthKit cookie setting middleware.  In this
# case it is configured in the OpenIDRelyingPartyMiddleware filter.  If the
# OpenID Relying Party filter is removed, a separate AuthKit middleware entry
# would need to be made so that this redirect filter can still function.
# (Header spelt 'SSLCient' to match [pipeline:main]; rename both or neither.)
paste.filter_app_factory = ndg.security.server.wsgi.authn:AuthKitRedirectResponseMiddleware
prefix = ssl.
# Beaker session (from SessionMiddlewareFilter) used to recover the original URI
ssl.sessionKey = %(beakerSessionKeyName)s
195
#______________________________________________________________________________
# OpenID Provider WSGI Settings
[app:OpenIDProviderApp]
paste.app_factory=ndg.security.server.wsgi.openid.provider:OpenIDProviderMiddleware.app_factory

# Protocol endpoint and login form paths.  Note the login form (and the
# password it submits) is served over the scheme in [DEFAULT], i.e. http here.
openid.provider.path.openidserver=/OpenID/Provider/server
openid.provider.path.login=/OpenID/Provider/login
openid.provider.path.loginsubmit=/OpenID/Provider/loginsubmit

# Yadis based discovery only - the 'id' path may be set to a page carrying
# <link rel="openid.server" href="..."> and Yadis
# <meta http-equiv="x-xrds-location" content="..."> links if required, but in
# this implementation it returns 404 not found - see
# ndg.security.server.wsgi.openid.provider.renderinginterface.buffet.BuffetRendering
# class.  ${userIdentifier} is a placeholder expanded by the Provider, not
# ConfigParser interpolation (which only handles %(name)s).
openid.provider.path.id=/OpenID/Provider/id/${userIdentifier}
openid.provider.path.yadis=%(openIDProviderIDBase)s/${userIdentifier}

# Yadis based discovery for idselect mode - this is where the user has entered
# a URI at the Relying Party which identifies their Provider only and not their
# full ID URI.  e.g. https://badc.nerc.ac.uk instead of
# https://badc.nerc.ac.uk/John
openid.provider.path.serveryadis=%(openIDProviderIDBase)s
openid.provider.path.allow=/OpenID/Provider/allow
openid.provider.path.decide=/OpenID/Provider/decide
openid.provider.path.mainpage=/OpenID/Provider/home

openid.provider.session_middleware=%(beakerSessionKeyName)s
openid.provider.base_url=%(baseURI)s

# Enable login to construct an identity URI if IDSelect mode was chosen and
# no identity URI was passed from the Relying Party.  This value should
# match openid.provider.path.id and/or openid.provider.path.yadis - see above
identityUriTemplate=%(baseURI)s%(openIDProviderIDBase)s/${userIdentifier}

# Leave trace off outside debugging: protocol traces can include identity and
# attribute data
openid.provider.trace=False
# Consumer (Relying Party) association store on disk - same directory that
# OpenIDProviderStaticContent would serve as document_root
openid.provider.consumer_store_dirpath=%(here)s/openidprovider
openid.provider.renderingClass=ndg.security.server.wsgi.openid.provider.renderinginterface.buffet.BuffetRendering
#openid.provider.renderingClass=ndg.security.server.wsgi.openid.provider.DemoRenderingInterface

openid.provider.rendering.templateType = kid
openid.provider.rendering.templateRoot = ndg.security.server.wsgi.openid.provider.renderinginterface.buffet.templates
openid.provider.rendering.kid.assume_encoding= utf-8
openid.provider.rendering.kid.encoding = utf-8

# Layout
openid.provider.rendering.baseURL = %(openid.provider.base_url)s
openid.provider.rendering.leftLogo = %(openid.provider.rendering.baseURL)s/layout/NERC_Logo.gif
openid.provider.rendering.leftAlt = Natural Environment Research Council
openid.provider.rendering.ndgLink = http://ndg.nerc.ac.uk/
openid.provider.rendering.ndgImage = %(openid.provider.rendering.baseURL)s/layout/ndg_logo_circle.gif
openid.provider.rendering.disclaimer = This site is for test purposes only and is under active development.
openid.provider.rendering.stfcLink = http://www.stfc.ac.uk/
openid.provider.rendering.stfcImage = %(openid.provider.rendering.baseURL)s/layout/stfc-circle-sm.gif
openid.provider.rendering.helpIcon = %(openid.provider.rendering.baseURL)s/layout/icons/help.png

# Basic Authentication interface to demonstrate capabilities - credentials come
# from the userCreds setting below, not from a real user store
openid.provider.authNInterface=ndg.security.server.wsgi.openid.provider.authninterface.basic.BasicAuthNInterface

# user login details format is:
# <username>:<password>:<OpenID name>, ... <OpenID name N> <username>:... etc
# Each user entry is delimited by a space. username, password and OpenID name
# list are delimited by a colon.  The list of OpenID names are delimited by
# commas.  The OpenID name represents the unique part of the OpenID URL for the
# individual user.  Each username may have more than one OpenID alias but only
# alias at a time may be registered with a given Attribute Authority
# NOTE(security): clear-text usernames and passwords in a version-controlled
# file.  Test rig only; any other Provider needs a different authNInterface
# backed by a proper credential store.
openid.provider.authN.userCreds=pjk:testpassword:PhilipKershaw,P.J.Kershaw another:testpassword:A.N.Other

# Basic authentication for testing/admin - comma delimited list of
# <username>:<password> pairs (superseded by authN.userCreds above - presumably
# no longer read; remove rather than leave as archaeology)
#openid.provider.usercreds=pjk:test

# Attribute Exchange interface - values released to Relying Parties are read
# from this CSV.  attributeNames presumably limits which AX types are answered.
# The CSV holds personal data and sits under the directory that
# OpenIDProviderStaticContent would serve as document_root; keep that app out
# of the pipeline or move the file.
openid.provider.axResponse.class=ndg.security.server.wsgi.openid.provider.axinterface.csv.CSVFileAXInterface
openid.provider.axResponse.csvFilePath=%(here)s/openidprovider/attributeexchange.csv
openid.provider.axResponse.attributeNames=http://openid.net/schema/namePerson/first
    http://openid.net/schema/namePerson/last
    http://openid.net/schema/contact/internet/email
274
#______________________________________________________________________________
# Attribute Authority WSGI settings
#
# All keys in this section use '=' (the file elsewhere mixes '=' and ':';
# the Paste/ConfigParser reader accepts either, but one form is easier to
# audit).
[filter:AttributeAuthorityFilter]
# Instantiates the Attribute Authority and publishes it in environ so that the
# SOAP and SAML binding filters later in the pipeline can reach it.
paste.filter_app_factory = ndg.security.server.wsgi.attributeauthority:AttributeAuthorityMiddleware.filter_app_factory
prefix = attributeAuthority.

# environ key for the Attribute Authority instance (read by the WSDL SOAP
# binding filter)
attributeAuthority.environKeyName = %(attributeAuthorityEnvironKeyName)s

# environ key for the attribute query method (read by the SAML SOAP binding
# filter)
attributeAuthority.environKeyNameAttributeQueryInterface = %(attributeQueryInterfaceEnvironKeyName)s

# MUST agree with the 'thisHost' name attribute in the map config file
attributeAuthority.name = Site A

# Attribute Certificate validity in seconds (28800 = 8 hours)
attributeAuthority.attCertLifetime = 28800

# Clock-skew allowance applied to the certificate notBefore time, in seconds.
# A negative value back-dates notBefore.
attributeAuthority.attCertNotBeforeOff = 0

# Every Attribute Certificate issued is written here.  This is an audit trail
# of user identities and roles - protect it like any other log of personal
# data.
attributeAuthority.attCertDir = %(testConfigDir)s/attributeauthority/sitea/attributeCertificateLog

# Rotating file handler for attCertDir: attCertFileLogCnt files are kept
# before the oldest is overwritten
attributeAuthority.attCertFileName = ac.xml
attributeAuthority.attCertFileLogCnt = 16
attributeAuthority.dnSeparator = /

# Role mapping file
attributeAuthority.mapConfigFilePath = %(testConfigDir)s/attributeauthority/sitea/siteAMapConfig.xml

# Custom AttributeInterface implementation returning the roles for a user ID
# (modFilePath appears to be needed only when the module is not importable
# from sys.path - left disabled here)
#attributeAuthority.attributeInterface.modFilePath = %(testConfigDir)s/attributeauthority/sitea
attributeAuthority.attributeInterface.modName = ndg.security.test.integration.authz_lite.attributeinterface
attributeAuthority.attributeInterface.className = TestUserRoles

# XML signature of issued Attribute Certificates: signing key/certificate and
# the CA(s) trusted for verification.  No passphrase setting appears in this
# section, so the .key file is presumably unencrypted - keep its filesystem
# permissions tight.
attributeAuthority.signingPriKeyFilePath = %(testConfigDir)s/attributeauthority/sitea/siteA-aa.key
attributeAuthority.signingCertFilePath = %(testConfigDir)s/attributeauthority/sitea/siteA-aa.crt
attributeAuthority.caCertFilePathList = %(testConfigDir)s/ca/ndg-test-ca.crt
327
328
# SOAP WSDL Based Binding to the Attribute Authority
[filter:AttributeAuthorityWsdlSoapBindingFilter]
paste.filter_app_factory = ndg.security.server.wsgi.attributeauthority:AttributeAuthoritySOAPBindingMiddleware.filter_app_factory
prefix = service.soap.binding.
attributeAuthoritySOAPBindingPrefix = attributeauthority.service.soap.binding.

# Ties this binding to the WS-Security verification filter (its filterID is the
# section name) so requests on the path below are signature-checked
service.soap.binding.referencedFilters = filter:wsseSignatureVerificationFilter
service.soap.binding.path = /AttributeAuthority
# Publishes the WSDL on ?wsdl - harmless service description, but it
# advertises the interface to anyone who can reach the port
service.soap.binding.enableWSDLQuery = True
service.soap.binding.charset = utf-8
service.soap.binding.serviceSOAPBindingEnvironKeyName = ndg.security.server.wsgi.attributeauthority.AttributeAuthoritySOAPBindingMiddleware

# environ key of the Attribute Authority published by AttributeAuthorityFilter
attributeauthority.service.soap.binding.attributeAuthorityEnvironKeyName = %(attributeAuthorityEnvironKeyName)s
attributeauthority.service.soap.binding.wsseSignatureVerificationFilterID = filter:wsseSignatureVerificationFilter
343
344
# SAML SOAP Binding to the Attribute Authority
[filter:AttributeAuthoritySamlSoapBindingFilter]
paste.filter_app_factory = ndg.security.server.wsgi.saml:SOAPAttributeInterfaceMiddleware.filter_app_factory
prefix = saml.soapbinding.

# NOTE(review): unlike the WSDL binding above, this section names no
# wsseSignatureVerificationFilter and no other authentication of the caller.
# Whether attribute queries on this path are signature-checked by the
# pipeline-wide verification filter, or are simply open, cannot be told from
# this file - confirm before exposing it.
saml.soapbinding.pathMatchList = /AttributeAuthority/saml
saml.soapbinding.queryInterfaceKeyName = %(attributeQueryInterfaceEnvironKeyName)s
352
353
#______________________________________________________________________________
# WS-Security Signature Verification
[filter:wsseSignatureVerificationFilter]
paste.filter_app_factory = ndg.security.server.wsgi.wssecurity:SignatureVerificationFilter.filter_app_factory
# %(__name__)s is ConfigParser's name for the current section, so this
# resolves to 'filter:wsseSignatureVerificationFilter' - the ID that the WSDL
# SOAP binding and ApplySignatureFilter sections reference
filterID = %(__name__)s

# Settings for WS-Security SignatureHandler class used by this filter
wsseCfgFilePrefix = wssecurity

# Verify against known CAs - Provide a space separated list of file paths
# NOTE(security): trust is CA membership only.  No signer DN allow-list or
# revocation setting is configured here, so any certificate issued by the test
# CA yields an accepted signature; whether the Attribute Authority restricts
# callers further is not visible from this file.
wssecurity.caCertFilePathList=%(testConfigDir)s/ca/ndg-test-ca.crt
365
366
#______________________________________________________________________________
# Apply WS-Security Signature
[filter:wsseSignatureFilter]
paste.filter_app_factory = ndg.security.server.wsgi.wssecurity:ApplySignatureFilter.filter_app_factory

# Reference the verification filter in order to be able to apply signature
# confirmation
referencedFilters = filter:wsseSignatureVerificationFilter
wsseSignatureVerificationFilterID = filter:wsseSignatureVerificationFilter

# Last filter in chain of SOAP handlers writes the response
writeResponse = True

# Settings for WS-Security SignatureHandler class used by this filter
wsseCfgFilePrefix = wssecurity

# Certificate associated with private key used to sign a message.  The sign
# method will add this to the BinarySecurityToken element of the WSSE header. 
wssecurity.signingCertFilePath=%(testConfigDir)s/pki/wsse-server.crt

# PEM encoded private key file.  No passphrase setting appears in this
# section, so the key is presumably stored unencrypted - protect it with
# filesystem permissions and do not reuse test keys in a deployment.
wssecurity.signingPriKeyFilePath=%(testConfigDir)s/pki/wsse-server.key

# Set the ValueType for the BinarySecurityToken added to the WSSE header for a
# signed message.  See __setReqBinSecTokValType method and binSecTokValType
# class variable for options - it may be one of X509, X509v3, X509PKIPathv1 or
# give full namespace to alternative - see
# ZSI.wstools.Namespaces.OASIS.X509TOKEN
#
# binSecTokValType determines whether signingCert or signingCertChain
# attributes will be used.
wssecurity.reqBinSecTokValType=X509v3

# Add a timestamp element to an outbound message (only useful against replay
# if the receiving side checks it)
wssecurity.addTimestamp=True

# For WSSE 1.1 - service returns signature confirmation containing signature
# value sent by client, letting the client tie the response to its request
wssecurity.applySignatureConfirmation=True
406
# Logging configuration (standard logging.config.fileConfig sections; the
# %(...)s fields in 'format' below are logging record attributes)
[loggers]
keys = root, ndg

[handlers]
keys = console

[formatters]
keys = generic

[logger_root]
level = INFO
handlers = console

[logger_ndg]
# NOTE(security): DEBUG for the whole ndg namespace.  Debug output from the
# security middleware may include session contents, OpenID/AX attribute values
# and SOAP message bodies.  Appropriate for the test rig; raise to INFO (or
# restrict who can read the stderr stream) anywhere else.
level = DEBUG
# no handlers of its own - records propagate to root's console handler
handlers =
qualname = ndg

[handler_console]
class = StreamHandler
args = (sys.stderr,)
level = NOTSET
formatter = generic

[formatter_generic]
format = %(asctime)s,%(msecs)03d %(levelname)-5.5s [%(name)s] %(message)s
datefmt = %H:%M:%S
435