source: TI12-security/trunk/python/ndg_security_test/ndg/security/test/integration/authz_lite/securityservices.ini @ 5984

Adding Genshi based templating plugins for OpenID Provider and Relying Party.

#
# NERC DataGrid Security
#
# Paste Deploy configuration for the combined Attribute Authority, OpenID
# Relying Party and OpenID Provider services.
#
# Paste substitutes %(here)s with the directory containing this file.  Keys in
# [DEFAULT] are visible to every other section through %(name)s interpolation.
#
# Author: P J Kershaw
# date: 01/07/09
# Copyright: (C) 2009 Science and Technology Facilities Council
# license: BSD - see LICENSE file in top-level directory
# Contact: Philip.Kershaw@stfc.ac.uk
# Revision: $Id:$

[DEFAULT]
# Transport and address the services advertise to clients.  This is a test
# configuration: the scheme is plain http, so the AuthKit/Beaker cookies and
# the OpenID messages exchanged by the sections below travel in the clear.
# Anything beyond a local test run should set scheme = https and terminate TLS
# on (or in front of) this port.
hostname = localhost
portNum = 7443
scheme = http
baseURI = %(scheme)s://%(hostname)s:%(portNum)s

# OpenID Provider identifier-select URI: what a user enters at a Relying Party
# to name this Provider without giving a full per-user identity URI.
openIDProviderIDBase = /openid
openIDProviderIDSelectURI = %(baseURI)s%(openIDProviderIDBase)s

# Shared test fixtures (CA, PKI and Attribute Authority files) live outside
# this directory.
testConfigDir = %(here)s/../../config

# environ key under which the Beaker session is published; referenced by the
# Relying Party, Provider and SSL client-auth redirect filters below.
beakerSessionKeyName = beaker.session.ndg.security.services

# environ keys through which the Attribute Authority filter publishes itself
# to the SOAP and SAML binding filters.
attributeAuthorityEnvironKeyName = ndg.security.server.attributeauthority.AttributeAuthority
attributeQueryInterfaceEnvironKeyName = ndg.security.server.attributeauthority.attributeQueryInterface
30
[server:main]
use = egg:Paste#http
# NOTE(review): 0.0.0.0 binds every interface, while baseURI advertises
# localhost and the Provider section below is seeded with fixed plaintext test
# passwords.  Bind to 127.0.0.1 unless the test host is isolated, or is fronted
# by a proxy that also strips client-supplied HTTPS / SSL_CLIENT_CERT request
# headers (see SSLClientAuthenticationFilter).
host = 0.0.0.0
port = %(portNum)s
35
# Turns HTTPException instances raised downstream into HTTP responses, then
# passes the request on to the cascade composite.  Nothing else in this file
# references this filter-app: pipeline:main ends directly in OpenIDProviderApp.
[filter-app:OpenIDProviderFilterApp]
use = egg:Paste#httpexceptions
next = cascade
39
# Cascade for the OpenID Provider: static content is tried first and a 404
# from it falls through to the Provider application.
[composit:cascade]
use = egg:Paste#cascade
app1 = OpenIDProviderStaticContent
app2 = OpenIDProviderApp
catch = 404
47
[app:OpenIDProviderStaticContent]
use = egg:Paste#static
# Files under document_root are served as-is, with no authentication, ahead of
# the Provider in the cascade.  As configured the same directory also holds
# the Beaker session/cache dirs (SessionMiddlewareFilter), the Provider's
# consumer store and attributeexchange.csv (OpenIDProviderApp), so wiring the
# cascade into the pipeline would publish them.  pipeline:main as written ends
# in OpenIDProviderApp and does not use this cascade; if it is enabled, point
# document_root at a directory holding only public layout assets.
document_root = %(here)s/openidprovider
51
# Filter order is significant: requests pass top to bottom.  The SOAP binding
# filters reference wsseSignatureVerificationFilter, so it is listed first, and
# SessionMiddlewareFilter precedes every filter that reads the Beaker session
# (the SSL client-auth redirect, Relying Party and Provider).  The spellings
# SSLCientAuthKitFilter and SSLCientAuthnRedirectResponseFilter match their
# section headers below; correct them in both places or not at all.
[pipeline:main]
pipeline = wsseSignatureVerificationFilter
           AttributeAuthorityFilter
           AttributeAuthorityWsdlSoapBindingFilter
           wsseSignatureFilter
           AttributeAuthoritySamlSoapBindingFilter
           SessionMiddlewareFilter
           SSLCientAuthKitFilter
           SSLClientAuthenticationFilter
           SSLCientAuthnRedirectResponseFilter
           OpenIDRelyingPartyFilter
           OpenIDProviderApp
65
#______________________________________________________________________________
# Beaker session middleware - server-side session shared by the OpenID
# Provider, the Relying Party and the SSL client-auth redirect filter
[filter:SessionMiddlewareFilter]
paste.filter_app_factory = beaker.middleware:SessionMiddleware
beaker.session.key = openid

# Secret used to sign the session cookie.  This is a fixed value committed to
# the repository, so anyone with the file can mint cookies for this session:
# generate a fresh random secret per deployment and keep it out of version
# control.
beaker.session.secret = qKEdQdCr33NE087dRUWX3qUv5r7AsuQU

# Storage for cache and session data.  Both directories sit under the
# openidprovider tree that OpenIDProviderStaticContent uses as its document
# root, and they hold live session state - keep them private to the service
# user.
beaker.cache.data_dir = %(here)s/openidprovider/beaker/cache
beaker.session.data_dir = %(here)s/openidprovider/beaker/sessions

# Cookie lifetime: True makes it a browser-session cookie
beaker.session.cookie_expires = True

# environ key under which the session object is exposed to later filters
environ_key = %(beakerSessionKeyName)s
82
# AuthKit cookie middleware for the SSL client-certificate authentication path.
# The section name, including its "Cient" spelling, is what pipeline:main
# references.
[filter:SSLCientAuthKitFilter]
paste.filter_app_factory = authkit.authenticate:middleware
setup.method = cookie

# Cookie name and secret MUST match the authkit.cookie.* values in
# OpenIDRelyingPartyFilter and any Authentication Filter securing an app; the
# value is duplicated by hand in this file.  The secret signs the
# authentication cookie and is a committed test value - replace it per
# deployment.
cookie.name = ndg.security.auth
cookie.secret = 9wvZObs9anUEhSIAnJNoY2iJq59FfYZr
cookie.signoutpath = /logout

# The client IP is left out of the cookie signature because of a suspected
# AuthKit problem when an HTTP proxy is in place.  The trade-off: a captured
# cookie can be replayed from any address until it expires, which is one more
# reason to serve this over TLS outside local testing.
cookie.includeip = False
99
# SSL client-certificate authentication.  If the request carries a client
# certificate the user is authenticated from it and OpenID authentication is
# bypassed.
[filter:SSLClientAuthenticationFilter]
paste.filter_app_factory = ndg.security.server.wsgi.ssl:AuthKitSSLAuthnMiddleware
prefix = ssl.

# CA(s) a client certificate must chain to - space separated list of paths
ssl.caCertFilePathList = %(testConfigDir)s/ca/ndg-test-ca.crt

# Optional allow-list of client certificate subject DNs.  While it stays
# commented out, the CA check above appears to be the only control, i.e. any
# certificate issued by the test CA logs in and skips OpenID.  Do not reuse
# this section with a production CA without a DN match list.
#ssl.clientCertDNMatchList = /O=NDG/OU=BADC/CN=mytest /O=gabriel/OU=BADC/CN=test /O=NDG/OU=BADC/CN=test

# environ keys carrying the TLS flag and the client certificate.  The HTTP_
# prefix means they arrive as request headers from a fronting proxy.  That
# proxy MUST overwrite or strip any HTTPS / SSL_CLIENT_CERT header supplied by
# the client, and this port must only be reachable through it - otherwise a
# caller can inject a certificate of their choosing and the CA list becomes
# the sole check.
ssl.sslKeyName = HTTP_HTTPS
ssl.sslClientCertKeyName = HTTP_SSL_CLIENT_CERT

# Only paths matching one of these regular expressions are checked for a
# client certificate: used to intercept the redirect to the OpenID Relying
# Party from the service running over HTTP.
ssl.rePathMatchList = ^/verify.*
116
# OpenID Relying Party - wraps AuthKit's OpenID consumer with the NDG sign-in
# interface.  The factory reference continues on the indented line.
[filter:OpenIDRelyingPartyFilter]
paste.filter_app_factory =
        ndg.security.server.wsgi.openid.relyingparty:OpenIDRelyingPartyMiddleware.filter_app_factory

# Relying Party endpoint and TLS material.  The private key is stored without
# a passphrase (priKeyPwd empty) - acceptable for the test PKI only.
openid.relyingparty.baseURL = %(authkit.openid.baseurl)s
openid.relyingparty.certFilePath = %(testConfigDir)s/pki/localhost.crt
openid.relyingparty.priKeyFilePath = %(testConfigDir)s/pki/localhost.key
openid.relyingparty.priKeyPwd =
openid.relyingparty.caCertDirPath = %(testConfigDir)s/ca

# Provider allow-list.  Empty here, which presumably means assertions from any
# OpenID Provider are accepted - fine for a test that points at the local
# Provider, but set a whitelist file before this session is relied on for
# authorisation decisions.
openid.relyingparty.providerWhitelistFilePath =

# Genshi sign-in page and its layout
openid.relyingparty.signinInterfaceMiddlewareClass = ndg.security.server.wsgi.openid.relyingparty.signin_interface.genshi.GenshiSigninTemplate
openid.relyingparty.signinInterface.staticContentRootDir = %(here)s/openidrelyingparty/public
openid.relyingparty.signinInterface.baseURL = %(openid.relyingparty.baseURL)s
openid.relyingparty.signinInterface.initialOpenID = %(openIDProviderIDSelectURI)s
openid.relyingparty.signinInterface.leftLogo = %(openid.relyingparty.signinInterface.baseURL)s/layout/NERC_Logo.gif
openid.relyingparty.signinInterface.leftAlt = Natural Environment Research Council
openid.relyingparty.signinInterface.ndgLink = http://ndg.nerc.ac.uk/
openid.relyingparty.signinInterface.ndgImage = %(openid.relyingparty.signinInterface.baseURL)s/layout/ndg_logo_circle.gif
openid.relyingparty.signinInterface.disclaimer = This site is for test purposes only and is under active development.
openid.relyingparty.signinInterface.stfcLink = http://www.stfc.ac.uk/
openid.relyingparty.signinInterface.stfcImage = %(openid.relyingparty.signinInterface.baseURL)s/layout/stfc-circle-sm.gif
openid.relyingparty.signinInterface.helpIcon = %(openid.relyingparty.signinInterface.baseURL)s/layout/icons/help.png

cache_dir = %(here)s/data

# AuthKit set-up: OpenID authentication, result recorded in a cookie
authkit.setup.method = openid, cookie

# Cookie name and secret MUST match SSLCientAuthKitFilter above and any
# Authentication Filter securing an app - duplicated by hand.  The secret is a
# committed test value; replace it per deployment.
authkit.cookie.name = ndg.security.auth
authkit.cookie.secret = 9wvZObs9anUEhSIAnJNoY2iJq59FfYZr
authkit.cookie.signoutpath = /logout

# Client IP excluded from the cookie signature (suspected AuthKit problem
# behind an HTTP proxy); a captured cookie is therefore replayable from
# elsewhere until it expires.
authkit.cookie.includeip = False

# Landing path after sign-in, and the file-based OpenID store (presumably
# associations and nonces - keep it private to the service user)
authkit.openid.path.signedin = /
authkit.openid.store.type = file
authkit.openid.store.config = %(here)s/openidrelyingparty/store

# Session key and secret for AuthKit's OpenID handler.  The secret is the
# literal placeholder text "random string", not a random value: set a real
# one before use beyond local testing.
authkit.openid.session.key = authkit_openid
authkit.openid.session.secret = random string

# environ key of the beaker.session object from SessionMiddlewareFilter
authkit.openid.session.middleware = %(beakerSessionKeyName)s

authkit.openid.baseurl = %(baseURI)s

# Optional sign-in template object
#authkit.openid.template.obj =

# Optional handler that parses the OpenID and creates a session from it
#authkit.openid.urltouser =

# Attribute Exchange.  Every attribute is optional unless the matching
# ax.required.<name> is True.  The alias defaults to the parameter name and
# the count to 1 unless given - see the commented firstName entries.
authkit.openid.ax.typeuri.firstName = http://openid.net/schema/namePerson/first
#authkit.openid.ax.alias.firstName = first_name
#authkit.openid.ax.count.firstName = 1
authkit.openid.ax.typeuri.lastName = http://openid.net/schema/namePerson/last
authkit.openid.ax.typeuri.emailAddress = http://openid.net/schema/contact/internet/email
#authkit.openid.ax.required.emailAddress = True
183
184
# Redirects to the originally requested URI once SSL client-certificate
# authentication has completed.  It must come AFTER the AuthKit cookie-setting
# middleware; here that middleware is the one configured inside
# OpenIDRelyingPartyFilter, so if the Relying Party filter is removed a
# separate AuthKit middleware entry is needed for this redirect to keep
# working.  The "Cient" spelling matches the reference in pipeline:main.
[filter:SSLCientAuthnRedirectResponseFilter]
paste.filter_app_factory = ndg.security.server.wsgi.authn:AuthKitRedirectResponseMiddleware
prefix = ssl.

# environ key of the Beaker session set up by SessionMiddlewareFilter
ssl.sessionKey = %(beakerSessionKeyName)s
194
#______________________________________________________________________________
# OpenID Provider WSGI application
[app:OpenIDProviderApp]
paste.app_factory = ndg.security.server.wsgi.openid.provider:OpenIDProviderMiddleware.app_factory

# Endpoint paths
openid.provider.path.openidserver = /OpenID/Provider/server
openid.provider.path.login = /OpenID/Provider/login
openid.provider.path.loginsubmit = /OpenID/Provider/loginsubmit

# Per-user identity and Yadis discovery paths; ${userIdentifier} is filled in
# by the Provider, not by Paste.  Discovery is Yadis only: the 'id' path could
# serve a page with <link rel="openid.server" href="..."> and Yadis
# <meta http-equiv="x-xrds-location" content="..."> links, but this
# implementation returns 404 for it - see
# ndg.security.server.wsgi.openid.provider.renderinginterface.buffet.BuffetRendering
openid.provider.path.id = /OpenID/Provider/id/${userIdentifier}
openid.provider.path.yadis = %(openIDProviderIDBase)s/${userIdentifier}

# Yadis discovery for identifier-select mode, where the user gave the Relying
# Party only the Provider's URI (e.g. https://badc.nerc.ac.uk rather than
# https://badc.nerc.ac.uk/John)
openid.provider.path.serveryadis = %(openIDProviderIDBase)s
openid.provider.path.allow = /OpenID/Provider/allow
openid.provider.path.decide = /OpenID/Provider/decide
openid.provider.path.mainpage = /OpenID/Provider/home

openid.provider.session_middleware = %(beakerSessionKeyName)s
openid.provider.base_url = %(baseURI)s

# Identity URI built at login when identifier-select mode was chosen and the
# Relying Party passed no identity URI.  Keep it consistent with
# openid.provider.path.id and/or openid.provider.path.yadis above.
identityUriTemplate = %(baseURI)s%(openIDProviderIDBase)s/${userIdentifier}

openid.provider.trace = False

# Consumer store.  Note this is the same directory that
# OpenIDProviderStaticContent would serve as static content.
openid.provider.consumer_store_dirpath = %(here)s/openidprovider

openid.provider.renderingClass = ndg.security.server.wsgi.openid.provider.renderinginterface.genshi.GenshiRendering
#openid.provider.renderingClass = ndg.security.server.wsgi.openid.provider.DemoRenderingInterface

# Page layout
openid.provider.rendering.baseURL = %(openid.provider.base_url)s
openid.provider.rendering.leftLogo = %(openid.provider.rendering.baseURL)s/layout/NERC_Logo.gif
openid.provider.rendering.leftAlt = Natural Environment Research Council
openid.provider.rendering.ndgLink = http://ndg.nerc.ac.uk/
openid.provider.rendering.ndgImage = %(openid.provider.rendering.baseURL)s/layout/ndg_logo_circle.gif
openid.provider.rendering.disclaimer = This site is for test purposes only and is under active development.
openid.provider.rendering.stfcLink = http://www.stfc.ac.uk/
openid.provider.rendering.stfcImage = %(openid.provider.rendering.baseURL)s/layout/stfc-circle-sm.gif
openid.provider.rendering.helpIcon = %(openid.provider.rendering.baseURL)s/layout/icons/help.png

# Demonstration authentication interface: usernames and passwords come from
# this file
openid.provider.authNInterface = ndg.security.server.wsgi.openid.provider.authninterface.basic.BasicAuthNInterface

# Format: <username>:<password>:<OpenID name>[,<OpenID name N>] with entries
# separated by spaces.  The OpenID name is the unique part of the user's
# OpenID URL; a user may have several aliases but only one at a time may be
# registered with a given Attribute Authority.
# These are plaintext test credentials committed to the repository, and they
# are what a 0.0.0.0 bind exposes.  Never carry them into a real deployment;
# use a proper authNInterface there.
openid.provider.authN.userCreds = pjk:testpassword:PhilipKershaw,P.J.Kershaw another:testpassword:A.N.Other

# Basic authentication for testing/admin - comma delimited list of
# <username>:<password> pairs
#openid.provider.usercreds = pjk:test

# Attribute Exchange: attributes served from a CSV file.  The CSV holds user
# personal data and lives under the openidprovider directory - see the note
# on OpenIDProviderStaticContent.
openid.provider.axResponse.class = ndg.security.server.wsgi.openid.provider.axinterface.csv.CSVFileAXInterface
openid.provider.axResponse.csvFilePath = %(here)s/openidprovider/attributeexchange.csv
openid.provider.axResponse.attributeNames = http://openid.net/schema/namePerson/first
    http://openid.net/schema/namePerson/last
    http://openid.net/schema/contact/internet/email
268
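#______________________________________________________________________________
# Attribute Authority WSGI settings
#
# Publishes an Attribute Authority instance in environ so that the SOAP and
# SAML binding filters below can reach it.  All keys in this section use '='
# (it previously mixed ':' and '='; Paste's ConfigParser accepts both and the
# values are unchanged).
[filter:AttributeAuthorityFilter]
paste.filter_app_factory = ndg.security.server.wsgi.attributeauthority:AttributeAuthorityMiddleware.filter_app_factory
prefix = attributeAuthority.

# environ key by which the WSDL SOAP binding references this service
attributeAuthority.environKeyName = %(attributeAuthorityEnvironKeyName)s

# environ key by which the SAML SOAP binding reaches the attribute query method
attributeAuthority.environKeyNameAttributeQueryInterface = %(attributeQueryInterfaceEnvironKeyName)s

# MUST agree with the map config file's 'thisHost' name attribute
attributeAuthority.name = Site A

# Attribute Certificate lifetime in seconds (28800 = 8 hours).  A role removed
# from the mapping file stays usable in already-issued certificates for up to
# this long, so keep it as short as the clients tolerate.
attributeAuthority.attCertLifetime = 28800

# Clock-skew allowance for the notBefore time, in seconds; a negative value
# places it in the past
attributeAuthority.attCertNotBeforeOff = 0

# Every Attribute Certificate issued is recorded here through a rotating file
# handler; attCertFileLogCnt is the number of files kept before the first is
# overwritten.  The log is a copy of issued credentials - restrict read
# access to the service user.
attributeAuthority.attCertDir = %(testConfigDir)s/attributeauthority/sitea/attributeCertificateLog
attributeAuthority.attCertFileName = ac.xml
attributeAuthority.attCertFileLogCnt = 16
attributeAuthority.dnSeparator = /

# Role mapping file
attributeAuthority.mapConfigFilePath = %(testConfigDir)s/attributeauthority/sitea/siteAMapConfig.xml

# AttributeInterface implementation returning the roles for a user ID.
# modFilePath may be set to load the module from a directory instead of from
# the import path.
#attributeAuthority.attributeInterface.modFilePath = %(testConfigDir)s/attributeauthority/sitea
attributeAuthority.attributeInterface.modName = ndg.security.test.integration.authz_lite.attributeinterface
attributeAuthority.attributeInterface.className = TestUserRoles

# XML signature of issued Attribute Certificates.  No passphrase setting
# appears here, so the signing key is presumably read unencrypted; it is the
# root of trust for everything this authority issues - protect the file
# accordingly.
attributeAuthority.signingPriKeyFilePath = %(testConfigDir)s/attributeauthority/sitea/siteA-aa.key
attributeAuthority.signingCertFilePath = %(testConfigDir)s/attributeauthority/sitea/siteA-aa.crt
attributeAuthority.caCertFilePathList = %(testConfigDir)s/ca/ndg-test-ca.crt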
321
322
# SOAP/WSDL binding to the Attribute Authority.  Requests reach it only after
# wsseSignatureVerificationFilter, which it references below, has run.
[filter:AttributeAuthorityWsdlSoapBindingFilter]
paste.filter_app_factory = ndg.security.server.wsgi.attributeauthority:AttributeAuthoritySOAPBindingMiddleware.filter_app_factory
prefix = service.soap.binding.
attributeAuthoritySOAPBindingPrefix = attributeauthority.service.soap.binding.

service.soap.binding.referencedFilters = filter:wsseSignatureVerificationFilter
service.soap.binding.path = /AttributeAuthority
# WSDL retrieval is enabled, i.e. the interface description is served to
# unauthenticated callers
service.soap.binding.enableWSDLQuery = True
service.soap.binding.charset = utf-8
service.soap.binding.serviceSOAPBindingEnvironKeyName = ndg.security.server.wsgi.attributeauthority.AttributeAuthoritySOAPBindingMiddleware

# environ key of the Attribute Authority published by AttributeAuthorityFilter
attributeauthority.service.soap.binding.attributeAuthorityEnvironKeyName = %(attributeAuthorityEnvironKeyName)s
attributeauthority.service.soap.binding.wsseSignatureVerificationFilterID = filter:wsseSignatureVerificationFilter
337
338
# SAML SOAP binding to the Attribute Authority's attribute query interface
[filter:AttributeAuthoritySamlSoapBindingFilter]
paste.filter_app_factory = ndg.security.server.wsgi.saml:SOAPAttributeInterfaceMiddleware.filter_app_factory
prefix = saml.soapbinding.

# Paths handled by this binding
saml.soapbinding.pathMatchList = /AttributeAuthority/saml
# environ key of the attribute query method published by AttributeAuthorityFilter
saml.soapbinding.queryInterfaceKeyName = %(attributeQueryInterfaceEnvironKeyName)s
346
347
#______________________________________________________________________________
# WS-Security signature verification for inbound SOAP messages
[filter:wsseSignatureVerificationFilter]
paste.filter_app_factory = ndg.security.server.wsgi.wssecurity:SignatureVerificationFilter.filter_app_factory
# %(__name__)s is the section name, used by the binding filters to refer back
# to this filter
filterID = %(__name__)s

# Prefix of the settings handed to the WS-Security SignatureHandler
wsseCfgFilePrefix = wssecurity

# Trusted CAs - space separated list of file paths.  Nothing here restricts
# which subjects may sign, so any certificate chaining to the test CA produces
# an acceptable signature; authorisation must happen in the service behind
# this filter.
wssecurity.caCertFilePathList = %(testConfigDir)s/ca/ndg-test-ca.crt
359
360
#______________________________________________________________________________
# WS-Security signature applied to outbound SOAP responses
[filter:wsseSignatureFilter]
paste.filter_app_factory = ndg.security.server.wsgi.wssecurity:ApplySignatureFilter.filter_app_factory

# The verification filter is referenced so that signature confirmation can be
# applied to the response
referencedFilters = filter:wsseSignatureVerificationFilter
wsseSignatureVerificationFilterID = filter:wsseSignatureVerificationFilter

# This is the last SOAP handler in the chain, so it writes the response
writeResponse = True

# Prefix of the settings handed to the WS-Security SignatureHandler
wsseCfgFilePrefix = wssecurity

# Certificate matching the signing key; the sign method places it in the
# BinarySecurityToken element of the WSSE header
wssecurity.signingCertFilePath = %(testConfigDir)s/pki/wsse-server.crt

# PEM encoded private key.  No passphrase setting is given, so it is
# presumably stored unencrypted - test PKI only.
wssecurity.signingPriKeyFilePath = %(testConfigDir)s/pki/wsse-server.key

# ValueType of the BinarySecurityToken added for a signed message: one of
# X509, X509v3, X509PKIPathv1, or a full namespace for an alternative - see
# the __setReqBinSecTokValType method and the binSecTokValType class variable,
# and ZSI.wstools.Namespaces.OASIS.X509TOKEN.  The value decides whether
# signingCert or signingCertChain is used.
wssecurity.reqBinSecTokValType = X509v3

# Add a Timestamp element to outbound messages.  Whether inbound timestamps
# are checked for freshness is not configured here - confirm in the
# verification filter before relying on it for replay protection.
wssecurity.addTimestamp = True

# WSSE 1.1 signature confirmation: echo the client's signature value back
wssecurity.applySignatureConfirmation = True
400
# Logging configuration, consumed by logging.config.fileConfig
[loggers]
keys = root, ndg

[handlers]
keys = console

[formatters]
keys = generic

# Root logger: INFO and above to the console
[logger_root]
level = INFO
handlers = console

# ndg.* loggers at DEBUG with no handler of their own, so records propagate to
# the root console handler.  DEBUG output from security middleware may carry
# request or credential detail - review it before running at this level
# outside local testing.
[logger_ndg]
level = DEBUG
handlers =
qualname = ndg

# fileConfig evaluates 'args' as a Python expression, so this file must be
# writable only by trusted users
[handler_console]
class = StreamHandler
args = (sys.stderr,)
level = NOTSET
formatter = generic

# The %(...)s fields are logging format placeholders; fileConfig reads them
# raw rather than through ConfigParser interpolation
[formatter_generic]
format = %(asctime)s,%(msecs)03d %(levelname)-5.5s [%(name)s] %(message)s
datefmt = %H:%M:%S
429