source: TI12-security/trunk/python/ndg_security_test/ndg/security/test/integration/authz_lite/securityservices.ini @ 6127

Revision 6127, 20.4 KB checked in by pjkersha, 10 years ago (diff)

Fixed updated templates and stylesheet for OpenID Provider

1#
2# NERC DataGrid Security
3#
4# Paste configuration for combined Attribute Authority, OpenID Relying Party
5# and Provider services
6#
7# The %(here)s variable will be replaced with the parent directory of this file
8#
9# Author: P J Kershaw
10# date: 01/07/09
11# Copyright: (C) 2009 Science and Technology Facilities Council
12# license: BSD - see LICENSE file in top-level directory
13# Contact: Philip.Kershaw@stfc.ac.uk
14# Revision: $Id:$
15
16[DEFAULT]
# Values in [DEFAULT] are visible to every other section of this file through
# %(name)s interpolation (PasteDeploy / configparser semantics); change them
# here rather than per section.
17portNum = 7443
18hostname = localhost
19scheme = https
# Every service URL below is built on baseURI, so the scheme, host and port
# set here must match what the TLS endpoint in front of the services presents
20baseURI = %(scheme)s://%(hostname)s:%(portNum)s
21openIDProviderIDBase = /openid
22openIDProviderIDSelectURI = %(baseURI)s%(openIDProviderIDBase)s
# %(here)s is the directory containing this file (see file header), so the
# shared test PKI, CA and database fixtures live two levels up in ../../config
23testConfigDir = %(here)s/../../config
# environ key under which the Beaker session object is published; the session,
# redirect and OpenID Provider sections all refer to it through this name
24beakerSessionKeyName = beaker.session.ndg.security.services
25
26# Global Attribute Authority Settings
27attributeAuthorityEnvironKeyName = ndg.security.server.attributeauthority.AttributeAuthority
28attributeQueryInterfaceEnvironKeyName = ndg.security.server.attributeauthority.attributeQueryInterface
29
# SQLite test user database shared by the OpenID Provider login, the Attribute
# Exchange interface and the Attribute Authority attribute interface below
30dbConnectionString = sqlite:///%(testConfigDir)s/user.db
31
32[server:main]
33use = egg:Paste#http
# Binds all interfaces, not only the %(hostname)s (localhost) used in the
# service URLs, so the test services are reachable from other hosts. No TLS
# settings appear in this section although scheme = https in [DEFAULT];
# NOTE(review): presumably TLS is terminated in front of this server (the
# HTTP_ header keys in SSLClientAuthenticationFilter point the same way) -
# confirm before exposing the port beyond the test host.
34host = 0.0.0.0
35port = %(portNum)s
36
37[filter-app:OpenIDProviderFilterApp]
# Paste httpexceptions middleware wrapped around the cascade below.
# Not referenced by [pipeline:main], which uses OpenIDProviderApp directly;
# this entry point (and therefore the static content cascade) is only active
# when it is selected explicitly when loading the file.
38use = egg:Paste#httpexceptions
39next = cascade
40
41# Composite for OpenID Provider to enable settings for picking up static
42# content
# Requests are tried against the static content app first; a 404 from it
# falls through to the OpenID Provider app. Only reachable through
# OpenIDProviderFilterApp above, not through [pipeline:main].
43[composit:cascade]
44use = egg:Paste#cascade
45app1 = OpenIDProviderStaticContent
46app2 = OpenIDProviderApp
47catch = 404
48
49[app:OpenIDProviderStaticContent]
50use = egg:Paste#static
# Files below this directory are served as-is when the cascade is in use.
# NOTE(review): the Beaker cache and session directories
# (%(here)s/openidprovider/beaker/...) and the OpenID Provider consumer store
# (%(here)s/openidprovider) configured later in this file sit beneath this
# document root; keep runtime data out of the static root, or restrict this
# app to a dedicated layout directory, so session and association data can
# never be fetched as static files.
51document_root = %(here)s/openidprovider
52
53# Ordering of filters and app is critical
# Each name must match a [filter:...] / [app:...] section header in this file
# exactly, including the 'SSLCient' spelling used by two of the filter
# sections. The WS-Security and Attribute Authority filters run first so that
# SOAP requests are verified before any session or cookie handling; the
# OpenID Provider app is the final element.
54[pipeline:main]
55pipeline = wsseSignatureVerificationFilter
56                   AttributeAuthorityFilter
57                   AttributeAuthorityWsdlSoapBindingFilter
58           wsseSignatureFilter
59           AttributeAuthoritySamlSoapBindingFilter
60                   SessionMiddlewareFilter
61                   SSLCientAuthKitFilter
62                   SSLClientAuthenticationFilter
63                   SSLCientAuthnRedirectResponseFilter
64                   OpenIDRelyingPartyFilter
65                   OpenIDProviderApp
66
67#______________________________________________________________________________
68# Beaker Session Middleware (used by OpenID Provider Filter)
69[filter:SessionMiddlewareFilter]
70paste.filter_app_factory=beaker.middleware:SessionMiddleware
71beaker.session.key = openid
# Test-only value checked into version control: anyone with this file can
# forge session cookies for a deployment that reuses it. Generate a fresh
# secret per deployment and keep it out of the repository.
72beaker.session.secret = qKEdQdCr33NE087dRUWX3qUv5r7AsuQU
73
74# Locations of the cache data and session save directories. Both are below
75# the OpenID Provider static document root configured above; see the note in
76# [app:OpenIDProviderStaticContent].
77beaker.cache.data_dir = %(here)s/openidprovider/beaker/cache
78beaker.session.data_dir = %(here)s/openidprovider/beaker/sessions
# True: session cookie expires when the browser closes. No Secure/HttpOnly
# attributes are requested here; NOTE(review): consider beaker.session.secure
# (and httponly where the installed Beaker version supports it) given that the
# services are served over https.
79beaker.session.cookie_expires = True
80
81# Key name for keying into environ dictionary
82environ_key = %(beakerSessionKeyName)s
83
84[filter:SSLCientAuthKitFilter]
85paste.filter_app_factory = authkit.authenticate:middleware
86
87# AuthKit Set-up
88setup.method=cookie
89
90# This cookie name and secret MUST agree with the name used by the
91# Authentication Filter used to secure a given app
92cookie.name=ndg.security.auth
93
# Same value as authkit.cookie.secret in [filter:OpenIDRelyingPartyFilter];
# the two must be changed together. Test fixture only - regenerate for any
# deployment outside the test suite and keep the value out of the repository.
94cookie.secret=9wvZObs9anUEhSIAnJNoY2iJq59FfYZr
95cookie.signoutpath = /logout
96
97# Disable inclusion of client IP address from cookie signature due to
98# suspected problem with AuthKit setting it when a HTTP Proxy is in place
# Trade-off: without the IP bound into the signature a captured cookie is
# valid from any client address for its lifetime.
99cookie.includeip = False
100
101# SSL Client Certificate based authentication is invoked if the client passed
102# a certificate with request.  This bypasses OpenID based authn.
103[filter:SSLClientAuthenticationFilter]
104paste.filter_app_factory = ndg.security.server.wsgi.ssl:AuthKitSSLAuthnMiddleware
105prefix = ssl.
# Client certificates are accepted from this CA only
106ssl.caCertFilePathList = %(testConfigDir)s/ca/ndg-test-ca.crt
# With the DN match list left commented out, any certificate chaining to the
# CA above is presumably accepted regardless of subject - confirm this is the
# intended test behaviour.
107#ssl.clientCertDNMatchList = /O=NDG/OU=BADC/CN=mytest /O=gabriel/OU=BADC/CN=test /O=NDG/OU=BADC/CN=test
108
109# 'HTTP_' prefix is set when passed through a proxy
# HTTP_HTTPS and HTTP_SSL_CLIENT_CERT are the environ names of the request
# headers 'Https' and 'Ssl-Client-Cert', i.e. values a client can supply
# itself. Authenticating from them is only sound when the reverse proxy is
# the sole route to this server and always overwrites (not merely sets) these
# headers on every request.
110ssl.sslKeyName = HTTP_HTTPS
111ssl.sslClientCertKeyName = HTTP_SSL_CLIENT_CERT
112
113# Set the URI pattern match here to interrupt a redirect to the OpenID Relying
114# Party from the service running over HTTP and see if a client certificate has
115# been set
116ssl.rePathMatchList = ^/verify.*
117
118[filter:OpenIDRelyingPartyFilter]
119paste.filter_app_factory = 
120        ndg.security.server.wsgi.openid.relyingparty:OpenIDRelyingPartyMiddleware.filter_app_factory
121
# Forward reference to authkit.openid.baseurl further down this section
122openid.relyingparty.baseURL = %(authkit.openid.baseurl)s
# Relying Party's own server certificate and key from the shared test PKI
123openid.relyingparty.certFilePath = %(testConfigDir)s/pki/localhost.crt
124openid.relyingparty.priKeyFilePath = %(testConfigDir)s/pki/localhost.key
# Empty: the test private key is unencrypted. Any key used outside the test
# suite should be passphrase-protected or otherwise access-controlled.
125openid.relyingparty.priKeyPwd = 
126openid.relyingparty.caCertDirPath = %(testConfigDir)s/ca
# Empty value. NOTE(review): presumably this disables Provider whitelisting so
# that sign-in from any OpenID Provider is accepted - confirm against
# OpenIDRelyingPartyMiddleware before reusing this section.
127openid.relyingparty.providerWhitelistFilePath =
128openid.relyingparty.signinInterfaceMiddlewareClass = ndg.security.server.wsgi.openid.relyingparty.signin_interface.genshi.GenshiSigninTemplate
129#openid.relyingparty.signinInterface.staticContentRootDir = %(here)s/openidrelyingparty/public
130openid.relyingparty.signinInterface.baseURL = %(openid.relyingparty.baseURL)s
131openid.relyingparty.signinInterface.initialOpenID = %(openIDProviderIDSelectURI)s
132openid.relyingparty.signinInterface.heading = OpenID Sign-in
133#openid.relyingparty.signinInterface.leftLogo = %(openid.relyingparty.signinInterface.baseURL)s/layout/NERC_Logo.gif
134#openid.relyingparty.signinInterface.leftAlt = Natural Environment Research Council
135#openid.relyingparty.signinInterface.leftLink = http://ndg.nerc.ac.uk/
136#openid.relyingparty.signinInterface.leftImage = %(openid.relyingparty.signinInterface.baseURL)s/layout/ndg_logo_circle.gif
# Raw HTML inserted into the sign-in page; only trusted operators should edit
# this value
137openid.relyingparty.signinInterface.footerText = This site is for test purposes only.   <a class="FooterLink" href="http://openid.net/what/" target="_blank"><small>What is OpenID?</small></a>
138openid.relyingparty.signinInterface.rightLink = http://ceda.ac.uk/
139openid.relyingparty.signinInterface.rightImage = %(openid.relyingparty.signinInterface.baseURL)s/layout/CEDA_RightButton60.png
140openid.relyingparty.signinInterface.rightAlt = Centre for Environmental Data Archival
141openid.relyingparty.signinInterface.helpIcon = %(openid.relyingparty.signinInterface.baseURL)s/layout/icons/help.png
142
143cache_dir = %(here)s/data
144
145# AuthKit Set-up
146authkit.setup.method=openid, cookie
147
148# This cookie name and secret MUST agree with the name used by the
149# Authentication Filter used to secure a given app
150authkit.cookie.name=ndg.security.auth
151
# Same value as cookie.secret in [filter:SSLCientAuthKitFilter]; change both
# together. Test fixture only - regenerate per deployment.
152authkit.cookie.secret=9wvZObs9anUEhSIAnJNoY2iJq59FfYZr
153authkit.cookie.signoutpath = /logout
154
155# Disable inclusion of client IP address from cookie signature due to
156# suspected problem with AuthKit setting it when a HTTP Proxy is in place
157authkit.cookie.includeip = False
158
159authkit.openid.path.signedin=/
# File based OpenID association/nonce store; lives outside the static
# document root of the Provider
160authkit.openid.store.type=file
161authkit.openid.store.config=%(here)s/openidrelyingparty/store
162authkit.openid.session.key = authkit_openid
# Literal placeholder text is in use as the session secret. Replace it with a
# generated value for anything other than the test suite.
163authkit.openid.session.secret = random string
164
165# Key name for dereferencing beaker.session object held in environ
166authkit.openid.session.middleware = %(beakerSessionKeyName)s
167
168authkit.openid.baseurl = %(baseURI)s
169
170# Template for signin
171#authkit.openid.template.obj =
172
173# Handler for parsing OpenID and creating a session from it
174#authkit.openid.urltouser =
175
176# Attribute Exchange - all are optional unless the relevant ax.required.<name>
177# is set to True.  The alias defers to the parameter name given unless explicitly
178# specified - see commented out entry for firstName below.  The number of
179# attributes for each attribute name defaults to 1 unless otherwise set
180authkit.openid.ax.typeuri.firstName=http://openid.net/schema/namePerson/first
181#authkit.openid.ax.alias.firstName=first_name
182#authkit.openid.ax.count.firstName=1
183authkit.openid.ax.typeuri.lastName=http://openid.net/schema/namePerson/last
184authkit.openid.ax.typeuri.emailAddress=http://openid.net/schema/contact/internet/email
# With this commented out none of the attributes is mandatory, so a Provider
# may return a sign-in with no e-mail address
185#authkit.openid.ax.required.emailAddress=True
186
187
188[filter:SSLCientAuthnRedirectResponseFilter]
189# Redirect to original requested URI following SSL Client Authentication.  This
190# filter must be placed AFTER the AuthKit cookie setting middleware.  In this
191# case it is configured in the OpenIDRelyingPartyMiddleware filter.  If the
192# OpenID Relying Party filter is removed, a separate AuthKit middleware entry
193# would need to be made so that this redirect filter can still function
194paste.filter_app_factory = ndg.security.server.wsgi.authn:AuthKitRedirectResponseMiddleware
195prefix = ssl.
# Session under which the original request URI is held between the SSL
# authentication step and the redirect
196ssl.sessionKey = %(beakerSessionKeyName)s
197
198#______________________________________________________________________________
199# OpenID Provider WSGI Settings
200[app:OpenIDProviderApp]
201paste.app_factory=ndg.security.server.wsgi.openid.provider:OpenIDProviderMiddleware.app_factory
202
203openid.provider.path.openidserver=/OpenID/Provider/server
204openid.provider.path.login=/OpenID/Provider/login
205openid.provider.path.loginsubmit=/OpenID/Provider/loginsubmit
206
207# Yadis based discovery only - the 'id' path may be configured to return a
208# page with <link rel="openid.server" href="..."> and Yadis
209# <meta http-equiv="x-xrds-location" content="..."> links if required but in
210# this implementation it is set to return 404 not found - see
211# ndg.security.server.wsgi.openid.provider.renderinginterface.buffet.BuffetRendering
212# class
# ${userIdentifier} is substituted by the Provider at request time, unlike the
# %(...)s references which are resolved when this file is loaded
213openid.provider.path.id=/OpenID/Provider/id/${userIdentifier}
214openid.provider.path.yadis=%(openIDProviderIDBase)s/${userIdentifier}
215
216# Yadis based discovery for idselect mode - this is where the user has entered
217# a URI at the Relying Party which identifies their Provider only and not their
218# full ID URI.  e.g. https://badc.nerc.ac.uk instead of
219# https://badc.nerc.ac.uk/John
220openid.provider.path.serveryadis=%(openIDProviderIDBase)s
221openid.provider.path.allow=/OpenID/Provider/allow
222openid.provider.path.decide=/OpenID/Provider/decide
223openid.provider.path.mainpage=/OpenID/Provider/home
224
225openid.provider.session_middleware=%(beakerSessionKeyName)s
226openid.provider.base_url=%(baseURI)s
227
228# Enable login to construct an identity URI if IDSelect mode was chosen and
229# no identity URI was passed from the Relying Party.  This value should
230# match openid.provider.path.id and/or openid.provider.path.yadis - see above
231identityUriTemplate=%(baseURI)s%(openIDProviderIDBase)s/${userIdentifier}
232
# Keep trace off outside debugging: trace output can include request and
# session detail
233openid.provider.trace=False
# Association/consumer store directory. NOTE(review): this is the same
# directory the static content app above serves from - see the note in
# [app:OpenIDProviderStaticContent].
234openid.provider.consumer_store_dirpath=%(here)s/openidprovider
235openid.provider.renderingClass=ndg.security.server.wsgi.openid.provider.renderinginterface.genshi.GenshiRendering
236#openid.provider.renderingClass=ndg.security.server.wsgi.openid.provider.DemoRenderingInterface
237
238# Layout
239openid.provider.rendering.baseURL = %(openid.provider.base_url)s
240#openid.provider.rendering.leftLogo = %(openid.provider.rendering.baseURL)s/layout/NERC_Logo.gif
241#openid.provider.rendering.leftAlt = Natural Environment Research Council
242#openid.provider.rendering.leftLink = http://ndg.nerc.ac.uk/
243#openid.provider.rendering.leftImage = %(openid.provider.rendering.baseURL)s/layout/ndg_logo_circle.gif
244openid.provider.rendering.helpIcon = %(openid.provider.rendering.baseURL)s/layout/icons/help.png
245openid.provider.rendering.footerText = This site is for test purposes only.
246openid.provider.rendering.rightLink = http://ceda.ac.uk/
247openid.provider.rendering.rightImage = %(openid.provider.rendering.baseURL)s/layout/CEDA_RightButton60.png
248openid.provider.rendering.rightAlt = Centre for Environmental Data Archival
249
250# Basic Authentication interface to demonstrate capabilities
251#openid.provider.authNInterface=ndg.security.server.wsgi.openid.provider.authninterface.basic.BasicAuthNInterface
252openid.provider.authNInterface=ndg.security.server.wsgi.openid.provider.authninterface.sqlalchemy_authn.SQLAlchemyAuthnInterface
253openid.provider.authN.connectionString=%(dbConnectionString)s
# Login queries with ${username} / ${password} placeholders filled in by
# SQLAlchemyAuthnInterface. NOTE(review): whether the placeholders are bound
# as query parameters or substituted into the SQL text is decided by that
# class, not by this file - confirm it binds them before reusing these queries
# against anything but the test database. The comparison is against an MD5
# digest with no salt visible in the query, which is a test fixture
# arrangement rather than a password storage scheme to copy.
254openid.provider.authN.logonSqlQuery=select count(*) from users where username = '${username}' and md5password = '${password}'
255openid.provider.authN.username2UserIdentifierSqlQuery=select openid_identifier from users where username = '${username}'
256openid.provider.authN.isMD5EncodedPwd=True
257
258# user login details format is:
259# <username>:<password>:<OpenID name>, ... <OpenID name N> <username>:... etc
260# Each user entry is delimited by a space. username, password and OpenID name
261# list are delimited by a colon.  The list of OpenID names are delimited by
262# commas.  The OpenID name represents the unique part of the OpenID URL for the
263# individual user.  Each username may have more than one OpenID alias but only
264# one alias at a time may be registered with a given Attribute Authority
# Plaintext test credentials; do not carry this key into a deployed
# configuration.
265openid.provider.authN.userCreds=pjk:testpassword:PhilipKershaw,P.J.Kershaw another:testpassword:A.N.Other
266
267# Basic authentication for testing/admin - comma delimited list of
268# <username>:<password> pairs
269#openid.provider.usercreds=pjk:test
270
271# Attribute Exchange interface
272#openid.provider.axResponse.class=ndg.security.server.wsgi.openid.provider.axinterface.csv.CSVFileAXInterface
273#openid.provider.axResponse.csvFilePath=%(here)s/openidprovider/attributeexchange.csv
274openid.provider.axResponse.class=ndg.security.server.wsgi.openid.provider.axinterface.sqlalchemy_ax.SQLAlchemyAXInterface
275openid.provider.axResponse.connectionString=%(dbConnectionString)s
# Same ${username} placeholder convention as the login queries above
276openid.provider.axResponse.sqlQuery = select firstname, lastname, emailaddress from users where username = '${username}'
# One type URI per column returned by sqlQuery, in the same order
277openid.provider.axResponse.attributeNames=http://openid.net/schema/namePerson/first
278    http://openid.net/schema/namePerson/last
279    http://openid.net/schema/contact/internet/email
280
281#______________________________________________________________________________
282# Attribute Authority WSGI settings
283#
# Style note: this section mixes ':' and '=' as delimiters; configparser
# accepts both, but new keys should use '=' like the rest of the file.
284[filter:AttributeAuthorityFilter]
285# This filter publishes an Attribute Authority instance as a key in environ
286# to enable other middleware to access it
287paste.filter_app_factory = ndg.security.server.wsgi.attributeauthority:AttributeAuthorityMiddleware.filter_app_factory
288prefix = attributeAuthority.
289
290# Key name by which the WSDL SOAP based interface may reference this
291# service
292attributeAuthority.environKeyName = %(attributeAuthorityEnvironKeyName)s
293
294# Key name for the SAML SOAP binding based interface to reference this
295# service's attribute query method
296attributeAuthority.environKeyNameAttributeQueryInterface: %(attributeQueryInterfaceEnvironKeyName)s
297
298# Attribute Authority settings
299# 'name' setting MUST agree with map config file 'thisHost' name attribute
300attributeAuthority.name: Site A
301
302# Lifetime is measured in seconds
# 28800 s = 8 hours (note the trailing space after the value; configparser
# strips it)
303attributeAuthority.attCertLifetime: 28800 
304
305# Allow an offset for clock skew between servers running
306# security services. NB, measured in seconds - use a minus sign for time in the
307# past
308attributeAuthority.attCertNotBeforeOff: 0
309
310# All Attribute Certificates issued are recorded in this dir
311attributeAuthority.attCertDir: %(testConfigDir)s/attributeauthority/sitea/attributeCertificateLog
312
313# Files in attCertDir are stored using a rotating file handler
314# attCertFileLogCnt sets the max number of files created before the first is
315# overwritten
316attributeAuthority.attCertFileName: ac.xml
317attributeAuthority.attCertFileLogCnt: 16
318attributeAuthority.dnSeparator:/
319
320# Location of role mapping file
321attributeAuthority.mapConfigFilePath: %(testConfigDir)s/attributeauthority/sitea/siteAMapConfig.xml
322
323# Settings for custom AttributeInterface derived class to get user roles for given
324# user ID
325#attributeAuthority.attributeInterface.modFilePath: %(testConfigDir)s/attributeauthority/sitea
326#attributeAuthority.attributeInterface.modName: siteAUserRoles
327#attributeAuthority.attributeInterface.className: TestUserRoles
328
329# SQLAlchemy Attribute Interface
330attributeAuthority.attributeInterface.connectionString: %(dbConnectionString)s
331attributeAuthority.attributeInterface.modName: ndg.security.server.attributeauthority
332attributeAuthority.attributeInterface.className: SQLAlchemyAttributeInterface
333attributeAuthority.attributeInterface.issuerName = /O=Site A/CN=Attribute Authority
# Attribute queries with a ${userId} placeholder, filled in by
# SQLAlchemyAttributeInterface. NOTE(review): as with the OpenID Provider login
# queries, whether ${userId} is bound as a parameter or substituted into the
# SQL text is decided by that class - confirm before reusing outside the test
# database. Each samlAttribute2SqlQuery.<n> value is a pair of quoted strings:
# the SAML attribute name followed by the query that supplies it. The key
# suffixes (1, lastName, emailAddress, 4) only need to be unique; a consistent
# scheme would read more easily.
334attributeAuthority.attributeInterface.samlSubjectSqlQuery = select count(*) from users where openid = '${userId}'
335attributeAuthority.attributeInterface.samlAttribute2SqlQuery.1 = "urn:esg:first:name" "select firstname from users where openid = '${userId}'"
336attributeAuthority.attributeInterface.samlAttribute2SqlQuery.lastName = "urn:esg:last:name" "select lastname from users where openid = '${userId}'"
337attributeAuthority.attributeInterface.samlAttribute2SqlQuery.emailAddress = "urn:esg:email:address" "select emailaddress from users where openid = '${userId}'"
338attributeAuthority.attributeInterface.samlAttribute2SqlQuery.4 = "urn:siteA:security:authz:1.0:attr" "select attributename from attributes where openid = '${userId}'"
# Comma separated list of requestor DNs allowed to issue SAML attribute
# queries; continued over indented lines. The last entry is the test client
# certificate DN from the shared test PKI.
339attributeAuthority.attributeInterface.samlValidRequestorDNs = /O=Site A/CN=Authorisation Service,/O=Site A/CN=Attribute Authority,
340                                                           /O=Site B/CN=Authorisation Service,
341                                                           /CN=test/O=NDG/OU=BADC
342
343# Config for XML signature of Attribute Certificate
# Signing key from the shared test PKI; the real key for a deployment must be
# provisioned outside the repository
344attributeAuthority.signingPriKeyFilePath: %(testConfigDir)s/attributeauthority/sitea/siteA-aa.key
345attributeAuthority.signingCertFilePath: %(testConfigDir)s/attributeauthority/sitea/siteA-aa.crt
346attributeAuthority.caCertFilePathList: %(testConfigDir)s/ca/ndg-test-ca.crt
347
348
349# SOAP WSDL Based Binding to the Attribute Authority
350[filter:AttributeAuthorityWsdlSoapBindingFilter]
351paste.filter_app_factory = ndg.security.server.wsgi.attributeauthority:AttributeAuthoritySOAPBindingMiddleware.filter_app_factory
352prefix = service.soap.binding.
# Second prefix for the settings specific to the Attribute Authority binding
353attributeAuthoritySOAPBindingPrefix = attributeauthority.service.soap.binding.
354
# Requests on this path are only handled if the WS-Security verification
# filter named here (which runs earlier in the pipeline) is present
355service.soap.binding.referencedFilters = filter:wsseSignatureVerificationFilter
356service.soap.binding.path = /AttributeAuthority
# Allows the WSDL to be fetched from the service endpoint
357service.soap.binding.enableWSDLQuery = True
358service.soap.binding.charset = utf-8
359service.soap.binding.serviceSOAPBindingEnvironKeyName = ndg.security.server.wsgi.attributeauthority.AttributeAuthoritySOAPBindingMiddleware
360
361attributeauthority.service.soap.binding.attributeAuthorityEnvironKeyName = %(attributeAuthorityEnvironKeyName)s
362attributeauthority.service.soap.binding.wsseSignatureVerificationFilterID = filter:wsseSignatureVerificationFilter
363
364
365# SAML SOAP Binding to the Attribute Authority
366[filter:AttributeAuthoritySamlSoapBindingFilter]
367paste.filter_app_factory = ndg.security.server.wsgi.saml:SOAPAttributeInterfaceMiddleware.filter_app_factory
368prefix = saml.soapbinding.
369
# SAML attribute queries are accepted on this path only; requestors are
# checked against samlValidRequestorDNs in [filter:AttributeAuthorityFilter]
370saml.soapbinding.pathMatchList = /AttributeAuthority/saml
371saml.soapbinding.queryInterfaceKeyName = %(attributeQueryInterfaceEnvironKeyName)s
372
373
374#______________________________________________________________________________
375# WS-Security Signature Verification
376[filter:wsseSignatureVerificationFilter]
377paste.filter_app_factory = ndg.security.server.wsgi.wssecurity:SignatureVerificationFilter.filter_app_factory
# %(__name__)s expands to this section's name (configparser special variable),
# so the ID stays in step if the section header is renamed
378filterID = %(__name__)s
379
380# Settings for WS-Security SignatureHandler class used by this filter
381wsseCfgFilePrefix = wssecurity
382
383# Verify against known CAs - Provide a space separated list of file paths
# Only signatures chaining to the test CA are accepted
384wssecurity.caCertFilePathList=%(testConfigDir)s/ca/ndg-test-ca.crt
385
386
387#______________________________________________________________________________
388# Apply WS-Security Signature
389[filter:wsseSignatureFilter]
390paste.filter_app_factory = ndg.security.server.wsgi.wssecurity:ApplySignatureFilter.filter_app_factory
391
392# Reference the verification filter in order to be able to apply signature
393# confirmation
394referencedFilters = filter:wsseSignatureVerificationFilter
395wsseSignatureVerificationFilterID = filter:wsseSignatureVerificationFilter
396
397# Last filter in chain of SOAP handlers writes the response
398writeResponse = True
399
400# Settings for WS-Security SignatureHandler class used by this filter
401wsseCfgFilePrefix = wssecurity
402
403# Certificate associated with private key used to sign a message.  The sign
404# method will add this to the BinarySecurityToken element of the WSSE header. 
405wssecurity.signingCertFilePath=%(testConfigDir)s/pki/wsse-server.crt
406
407# PEM encoded private key file
# Test key from the shared PKI; a deployed service needs its own key,
# provisioned outside the repository
408wssecurity.signingPriKeyFilePath=%(testConfigDir)s/pki/wsse-server.key
409
410# Set the ValueType for the BinarySecurityToken added to the WSSE header for a
411# signed message.  See __setReqBinSecTokValType method and binSecTokValType
412# class variable for options - it may be one of X509, X509v3, X509PKIPathv1 or
413# give full namespace to alternative - see
414# ZSI.wstools.Namespaces.OASIS.X509TOKEN
415#
416# binSecTokValType determines whether signingCert or signingCertChain
417# attributes will be used.
418wssecurity.reqBinSecTokValType=X509v3
419
420# Add a timestamp element to an outbound message
# The timestamp is what lets a receiver reject replayed messages, so keep it
# enabled
421wssecurity.addTimestamp=True
422
423# For WSSE 1.1 - service returns signature confirmation containing signature
424# value sent by client
425wssecurity.applySignatureConfirmation=True
426
427# Logging configuration
# Standard Python logging.config.fileConfig layout: [loggers]/[handlers]/
# [formatters] list the names, and one [logger_<name>] etc. section defines
# each entry.
428[loggers]
429keys = root, ndg
430
431[handlers]
432keys = console
433
434[formatters]
435keys = generic
436
437[logger_root]
438level = INFO
439handlers = console
440
# ndg.* messages at DEBUG propagate up to the root console handler. DEBUG
# output from the security services can include request detail, so lower this
# to INFO anywhere the log is not a throw-away test log.
441[logger_ndg]
442level = DEBUG
443handlers =
444qualname = ndg
445
446[handler_console]
447class = StreamHandler
# Evaluated by fileConfig as a Python expression - keep it a literal tuple
448args = (sys.stderr,)
449level = NOTSET
450formatter = generic
451
452[formatter_generic]
# %(...)s here are logging format fields, not configparser interpolation;
# fileConfig reads them without expanding them
453format = %(asctime)s.%(msecs)03d %(levelname)-5.5s [%(name)s:%(lineno)s] %(message)s
454datefmt = %Y-%m-%d %H:%M:%S
455