source: TI12-security/trunk/python/ndg_security_test/ndg/security/test/integration/combinedservices/services.ini @ 5656

Revision 5656, 19.5 KB checked in by pjkersha, 10 years ago (diff)
  • Added factory methods to ndg.security.server.attributeauthority.AttributeAuthority in order to create getAttCert and samlAttributeQuery wrapper functions. These can then be added to the WSGI environ to be referenced by other middleware.
  • ndg.security.test.unit.saml.test_soapattributeinterface: started work on unit tests for SAML 2.0 SOAP binding to attribute query interface.
1#
2# NERC DataGrid Security
3#
4# Paste configuration for combined security web services deployment:
5# * Session Manager
6# * Attribute Authority
7# NB: this is an integration-test configuration.  It binds to all interfaces with debug mode enabled and carries placeholder session/cookie secrets and test passwords in plain text, so it must not be deployed as-is.
8# The %(here)s variable will be replaced with the parent directory of this file
9#
10# Author: P J Kershaw
11# date: 30/11/05
12# Copyright: (C) 2009 Science and Technology Facilities Council
13# license: BSD - see LICENSE file in top-level directory
14# Contact: Philip.Kershaw@stfc.ac.uk
15# Revision: $Id$
16
17[DEFAULT]
18portNum = 9443
19hostname = localhost
20scheme = http
21baseURI = %(scheme)s://%(hostname)s:%(portNum)s
22testConfigDir = %(here)s/../../config
23
24#______________________________________________________________________________
25# Attribute Authority settings
26# 'name' setting MUST agree with map config file 'thisHost' name attribute
27attributeAuthority.name: Site A
28
29# Attribute Certificate lifetime in seconds (28800 s = 8 hours).  Keep it as short as the deployment allows: a shorter lifetime narrows the exposure window if a certificate is disclosed.
30attributeAuthority.attCertLifetime: 28800 
31
32# Offset applied to the certificate's notBefore time to tolerate clock skew between
33# the servers running the security services.  Measured in seconds; a negative value
34# moves notBefore into the past.  Keep it small - a large offset widens the validity window.
35attributeAuthority.attCertNotBeforeOff: 0
36
37# All Attribute Certificates issued are recorded in this directory (an audit trail - note that only the most recent attCertFileLogCnt files are retained)
38attributeAuthority.attCertDir: %(testConfigDir)s/attributeauthority/sitea/attributeCertificateLog
39
40# Files in attCertDir are stored using a rotating file handler
41# attCertFileLogCnt sets the max number of files created before the first is
42# overwritten
43attributeAuthority.attCertFileName: ac.xml
44attributeAuthority.attCertFileLogCnt: 16
45attributeAuthority.dnSeparator:/
46
47# Location of role mapping file
48attributeAuthority.mapConfigFilePath: %(testConfigDir)s/attributeauthority/sitea/siteAMapConfig.xml
49
50# Settings for custom AttributeInterface derived class to get user roles for given
51# user ID
52attributeAuthority.attributeInterface.modFilePath: %(testConfigDir)s/attributeauthority/sitea
53attributeAuthority.attributeInterface.modName: siteAUserRoles
54attributeAuthority.attributeInterface.className: TestUserRoles
55
56# Config for XML signature of Attribute Certificate
57attributeAuthority.signingPriKeyFilePath: %(testConfigDir)s/attributeauthority/sitea/siteA-aa.key
58attributeAuthority.signingCertFilePath: %(testConfigDir)s/attributeauthority/sitea/siteA-aa.crt
59attributeAuthority.caCertFilePathList: %(testConfigDir)s/ca/ndg-test-ca.crt
60
61#______________________________________________________________________________
62# Session Manager specific settings - commented out settings will take their
63# default settings.  To override the defaults uncomment and set as required.
64# See ndg.security.server.sessionmanager module for details
65
66# Credential Wallet Settings - global to all user sessions
67#
68# CA certificates for Attribute Certificate signature validation
69sessionManager.credentialWallet.caCertFilePathList=%(testConfigDir)s/ca/ndg-test-ca.crt
70
71# CA certificates for validating the peer certificate on SSL connections - required
72# when connecting to an Attribute Authority over SSL.  NB: 'scheme' in [DEFAULT] is http, so the endpoints published by this test configuration are unencrypted; WS-Security signatures protect message integrity but not confidentiality.
73sessionManager.credentialWallet.sslCACertFilePathList=%(testConfigDir)s/ca/ndg-test-ca.crt
74
75# Allow Get Attribute Certificate calls to try to get a mapped certificate
76# from another organisation trusted by the target Attribute Authority
77sessionManager.credentialWallet.mapFromTrustedHosts=True
78sessionManager.credentialWallet.rtnExtAttCertList=True
79
80# Refresh an Attribute Certificate, if an existing one in the wallet has only
81# this length of time left before it expires
82credentialWallet.attCertRefreshElapse=7200
83
84# Pointer to WS-Security settings.  These WS-Security settings are for use
85# by user credential wallets held in user sessions hosted by the Session
86# Manager.  They enable individual wallets to query Attribute Authorities for
87# user Attribute Certificates.  Nb. the difference between these settings and
88# the WS-Security section for handling requests to the Session Manager.
89#
90# Settings are identified by a prefix. 
91sessionManager.credentialWallet.wssCfgPrefix=sessionManager.credentialWallet.wssecurity
92
93# ...A section name could also be used.
94#sessionManager.credentialWallet.wssCfgSection=
95
96# SOAP Signature Handler settings for the Credential Wallet's Attribute
97# Authority interface
98#
99# CA Certificates used to verify X.509 certs used in Attribute Certificates.
100# The CA certificates of other NDG trusted sites should go here.  NB, multiple
101# values should be delimited by a space
102sessionManager.credentialWallet.wssecurity.caCertFilePathList: %(testConfigDir)s/ca/ndg-test-ca.crt
103
104# Signature of an outbound message
105#
106# Certificate associated with private key used to sign a message.  The sign
107# method will add this to the BinarySecurityToken element of the WSSE header. 
108# binSecTokValType attribute must be set to 'X509' or 'X509v3' ValueType. 
109# As an alternative, use signingCertChain - see below...
110
111# PEM encoded cert
112sessionManager.credentialWallet.wssecurity.signingCertFilePath: %(testConfigDir)s/sessionmanager/sm.crt
113
114# PEM encoded private key used to produce the signature; it must correspond to the certificate given above.  Restrict read access to this file.
115sessionManager.credentialWallet.wssecurity.signingPriKeyFilePath: %(testConfigDir)s/sessionmanager/sm.key
116
117# Set the ValueType for the BinarySecurityToken added to the WSSE header for a
118# signed message.  See __setReqBinSecTokValType method and binSecTokValType
119# class variable for options - it may be one of X509, X509v3, X509PKIPathv1 or
120# give full namespace to alternative - see
121# ZSI.wstools.Namespaces.OASIS.X509TOKEN
122#
123# binSecTokValType determines whether signingCert or signingCertChain
124# attributes will be used.
125sessionManager.credentialWallet.wssecurity.reqBinSecTokValType: X509v3
126
127# Add a timestamp element to an outbound message
128sessionManager.credentialWallet.wssecurity.addTimestamp: True
129
130# For WSSE 1.1 - service returns signature confirmation containing signature
131# value sent by client
132sessionManager.credentialWallet.wssecurity.applySignatureConfirmation: True
133
134# Authentication service properties
135sessionManager.authNService.moduleFilePath: 
136sessionManager.authNService.moduleName: ndg.security.test.config.sessionmanager.userx509certauthn
137sessionManager.authNService.className: UserX509CertAuthN
138
139# Specific settings for the UserX509CertAuthN Session Manager authentication plugin.
140# This sets up PKI credentials for a single test account.  NB: the private key passphrase below is stored in plain text - acceptable only for this test fixture; a real deployment must keep it out of version control and restrict access to this file.
141sessionManager.authNService.userX509CertFilePath: %(testConfigDir)s/pki/user.crt
142sessionManager.authNService.userPriKeyFilePath: %(testConfigDir)s/pki/user.key
143sessionManager.authNService.userPriKeyPwd: testpassword
144
145[server:main]
146use = egg:Paste#http
147host = 0.0.0.0
148port = %(portNum)s
149
150[filter-app:mainApp]
151use = egg:Paste#httpexceptions
152next = cascade
153
154[composit:cascade]
155use = egg:Paste#cascade
156app1 = static
157app2 = SingleSignOnService
158catch = 404
159
160[app:static]
161use = egg:Paste#static
162document_root = %(here)s/openidprovider
163
164[app:SingleSignOnService]
165paste.app_factory = ndg.security.server.sso.sso.config.middleware:make_app
166cache_dir = %(here)s/data
167beaker.session.key = sso
168beaker.session.secret = somesecret
169
170# If you'd like to fine-tune the individual locations of the cache data dirs
171# for the Cache data, or the Session saves, un-comment the desired settings
172# here:
173#beaker.cache.data_dir = %(here)s/data/cache
174#beaker.session.data_dir = %(here)s/data/sessions
175
176# WARNING: *debug MUST BE SET TO false (OR THIS LINE REMOVED) IN A PRODUCTION ENVIRONMENT*
177# Debug mode enables the interactive debugger, allowing ANYONE who can trigger an
178# exception to execute arbitrary code on the server.  'true' is used here only for the integration test harness.
179set debug = true
180
181configfile = %(here)s/singlesignonservice/sso.cfg
182#configfile = /home/pjkersha/workspace/security/python/ndg.security.server/ndg/security/server/sso/sso.cfg
183
184# AuthKit set-up.  NB: the cookie and session secrets below are fixed placeholder strings; anyone who learns them can forge the authentication and session cookies they protect, so a real deployment must use long, random, per-deployment values kept out of version control.
185authkit.setup.method=openid, cookie
186authkit.cookie.secret=secret encryption string
187authkit.cookie.signoutpath = /logout
188authkit.openid.path.signedin=/
189authkit.openid.store.type=file
190authkit.openid.store.config=%(here)s/data/openid
191authkit.openid.session.key = authkit_openid
192authkit.openid.session.secret = random string
193
194authkit.openid.baseurl = http://localhost
195
196# Template for signin
197authkit.openid.template.obj = ndg.security.server.sso.sso.lib.openid_util:make_template
198
199# Handler for parsing OpenID and creating a session from it
200authkit.openid.urltouser = ndg.security.server.sso.sso.lib.openid_util:url2user
201
202# Chain of Middleware filters
203[pipeline:main]
204pipeline = wsseSignatureVerificationFilter
205                   AttributeAuthorityFilter
206           SessionManagerFilter
207           wsseSignatureFilter
208           httpBasicAuthFilter
209           SessionMiddlewareFilter
210           OpenIDProviderFilter
211           testHarnessFilter
212           mainApp
213
214[filter:testHarnessFilter]
215paste.filter_app_factory = 
216        ndg.security.test.integration.combinedservices.serverapp:filter_app_factory
217sessionManagerFilterID = filter:SessionManagerFilter
218attributeAuthorityFilterID = filter:AttributeAuthorityFilter
219
220#______________________________________________________________________________
221# Attribute Authority WSGI settings
222#
223[filter:AttributeAuthorityFilter]
224# This filter is a container for a binding to a SOAP based interface to the
225# Attribute Authority
226paste.filter_app_factory = ndg.security.server.wsgi.zsi:SOAPBindingMiddleware
227
228# Use this ZSI generated SOAP service interface class to handle i/o for this
229# filter
230ServiceSOAPBindingClass = ndg.security.server.zsi.attributeauthority.AttributeAuthorityWS
231
232# SOAP Binding Class specific keywords are in this section identified by this
233# prefix:
234ServiceSOAPBindingPropPrefix = AttributeAuthority
235
236# The AttributeAuthority class has settings in the default section above
237# identified by this prefix:
238AttributeAuthority.propPrefix = attributeAuthority
239AttributeAuthority.propFilePath = %(here)s/services.ini
240AttributeAuthority.wsseSignatureVerificationFilterID = filter:wsseSignatureVerificationFilter
241
242# Provide an identifier for this filter so that main WSGI app
243# CombinedServicesWSGI Session Manager filter can call this Attribute Authority
244# directly
245referencedFilters = filter:wsseSignatureVerificationFilter
246
247# Path from URL for Attribute Authority in this Paste deployment
248path = /AttributeAuthority
249
250# External endpoint for this Attribute Authority - must agree with setting used
251# to invoke this service set in:
252# * serverapp.py
253# * or port in [server:main] if calling with paster serve services.ini
254# * or something else e.g. proxied through Apache?
255# This setting is used by Attribute Authority clients in this WSGI stack to see
256# if a request is being made to the local service or to another Attribute
257# Authority running elsewhere
258publishedURI = %(baseURI)s%(path)s
259
260# Enable the ?wsdl query argument so clients can retrieve the WSDL.  This publishes the interface description to anyone who can reach the endpoint.
261enableWSDLQuery = True
262charset = utf-8
263filterID = %(__name__)s
264
265#______________________________________________________________________________
266# Session Manager WSGI settings
267#
268[filter:SessionManagerFilter]
269# This filter is a container for a binding to a SOAP based interface to the
270# Session Manager
271paste.filter_app_factory = ndg.security.server.wsgi.zsi:SOAPBindingMiddleware
272
273# Use this ZSI generated SOAP service interface class to handle i/o for this
274# filter
275ServiceSOAPBindingClass = ndg.security.server.zsi.sessionmanager.SessionManagerWS
276
277# SOAP Binding Class specific keywords are in this section identified by this
278# prefix:
279ServiceSOAPBindingPropPrefix = SessionManager
280
281# The SessionManager class has settings in the default section above identified
282# by this prefix:
283SessionManager.propPrefix = sessionManager
284SessionManager.propFilePath = %(here)s/services.ini
285
286# This filter references other filters - a local Attribute Authority (optional)
287# and a WS-Security signature verification filter (required if the signature on
288# incoming requests is used to authenticate the user).
289SessionManager.attributeAuthorityFilterID = filter:AttributeAuthorityFilter
290SessionManager.wsseSignatureVerificationFilterID = filter:wsseSignatureVerificationFilter
291
292# The SessionManagerWS SOAP interface class needs to know about these other
293# filters
294referencedFilters = filter:wsseSignatureVerificationFilter
295                                        filter:AttributeAuthorityFilter
296
297# Path from URI for Session Manager in this Paste deployment
298path = /SessionManager
299
300# External endpoint for this Session Manager - must agree with setting used to
301# invoke this service set in:
302# * serverapp.py
303# * or port in [server:main] if calling with paster serve services.ini
304# * or something else e.g. proxied through Apache?
305# This setting is used by Session Manager clients in this WSGI stack to see if
306# a request is being made to the local service or to another session manager
307# running elsewhere
308publishedURI = %(baseURI)s%(path)s
309
310# Enable the ?wsdl query argument so clients can retrieve the WSDL.  This publishes the interface description to anyone who can reach the endpoint.
311enableWSDLQuery = True
312charset = utf-8
313
314# Provide an identifier for this filter so that main WSGI app
315# CombinedServicesWSGI can call this Session Manager directly
316filterID = %(__name__)s
317
318#______________________________________________________________________________
319# WS-Security Signature Verification
320[filter:wsseSignatureVerificationFilter]
321paste.filter_app_factory = ndg.security.server.wsgi.wssecurity:SignatureVerificationFilter
322filterID = %(__name__)s
323
324# Settings for WS-Security SignatureHandler class used by this filter
325wsseCfgFilePrefix = wssecurity
326
327# Trusted CAs for verifying signatures on incoming messages - provide a space separated list of file paths.  This list determines which signing certificates are trusted, so limit it to the CAs that genuinely need to be.
328wssecurity.caCertFilePathList=%(testConfigDir)s/ca/ndg-test-ca.crt
329
330#______________________________________________________________________________
331# Apply WS-Security Signature
332[filter:wsseSignatureFilter]
333paste.filter_app_factory = ndg.security.server.wsgi.wssecurity:ApplySignatureFilter
334
335# Reference the verification filter in order to be able to apply signature
336# confirmation
337referencedFilters = filter:wsseSignatureVerificationFilter
338wsseSignatureVerificationFilterID = filter:wsseSignatureVerificationFilter
339
340# Last filter in chain of SOAP handlers writes the response
341writeResponse = True
342
343# Settings for WS-Security SignatureHandler class used by this filter
344wsseCfgFilePrefix = wssecurity
345
346# Certificate associated with private key used to sign a message.  The sign
347# method will add this to the BinarySecurityToken element of the WSSE header. 
348wssecurity.signingCertFilePath=%(testConfigDir)s/pki/wsse-server.crt
349
350# PEM encoded private key file
351wssecurity.signingPriKeyFilePath=%(testConfigDir)s/pki/wsse-server.key
352
353# Set the ValueType for the BinarySecurityToken added to the WSSE header for a
354# signed message.  See __setReqBinSecTokValType method and binSecTokValType
355# class variable for options - it may be one of X509, X509v3, X509PKIPathv1 or
356# give full namespace to alternative - see
357# ZSI.wstools.Namespaces.OASIS.X509TOKEN
358#
359# binSecTokValType determines whether signingCert or signingCertChain
360# attributes will be used.
361wssecurity.reqBinSecTokValType=X509v3
362
363# Add a timestamp element to an outbound message
364wssecurity.addTimestamp=True
365
366# For WSSE 1.1 - service returns signature confirmation containing signature
367# value sent by client
368wssecurity.applySignatureConfirmation=True
369
370#______________________________________________________________________________
371# Apply HTTP Basic Authentication using AuthKit to enable a convenient no SOAP
372# based call to Session Manager connect method
373[filter:httpBasicAuthFilter]
374paste.filter_app_factory = authkit.authenticate:middleware
375setup_method=basic
376basic_realm=NDG Security Combined Services Tests
377basic_authenticate_function=ndg.security.test.integration.combinedservices.serverapp:CombinedServicesWSGI.httpBasicAuthentication
378
379
380#______________________________________________________________________________
381# OpenID Provider WSGI Settings
382[filter:OpenIDProviderFilter]
383paste.filter_app_factory=ndg.security.server.wsgi.openid.provider:OpenIDProviderMiddleware
384openid.provider.path.openidserver=/openid/endpoint
385openid.provider.path.login=/openid/login
386openid.provider.path.loginsubmit=/openid/loginsubmit
387
388# Comment out the next two lines and uncomment the third to disable URL-based
389# discovery and allow only Yadis-based discovery instead.
390openid.provider.path.id=/openid/id
391openid.provider.path.yadis=/openid/yadis
392#openid.provider.path.yadis=/id/
393
394openid.provider.path.serveryadis=/openid/serveryadis
395openid.provider.path.allow=/openid/allow
396openid.provider.path.decide=/openid/decide
397openid.provider.path.mainpage=/openid/
398openid.provider.session_middleware=beaker.session
399openid.provider.base_url=%(baseURI)s
400openid.provider.trace=False
401openid.provider.renderingClass=ndg.security.server.wsgi.openid.provider.renderinginterface.buffet.BuffetRendering
402#openid.provider.renderingClass=ndg.security.server.wsgi.openid.provider.DemoRenderingInterface
403
404openid.provider.rendering.templateType = kid
405openid.provider.rendering.templateRoot = ndg.security.server.wsgi.openid.provider.renderinginterface.buffet.templates
406openid.provider.rendering.kid.assume_encoding= utf-8
407openid.provider.rendering.kid.encoding = utf-8
408
409# Layout
410openid.provider.rendering.baseURL = %(openid.provider.base_url)s
411openid.provider.rendering.leftLogo = %(openid.provider.rendering.baseURL)s/layout/NERC_Logo.gif
412openid.provider.rendering.leftAlt = Natural Environment Research Council
413openid.provider.rendering.ndgLink = http://ndg.nerc.ac.uk/
414openid.provider.rendering.ndgImage = %(openid.provider.rendering.baseURL)s/layout/ndg_logo_circle.gif
415openid.provider.rendering.disclaimer = This site is for test purposes only and is under active development.
416openid.provider.rendering.stfcLink = http://ceda.stfc.ac.uk/
417openid.provider.rendering.stfcImage = %(openid.provider.rendering.baseURL)s/layout/stfc-circle-sm.gif
418openid.provider.rendering.helpIcon = %(openid.provider.rendering.baseURL)s/layout/icons/help.png
419
420
421#openid.provider.sregResponseHandler=ndg.security.server.pylons.container.lib.openid_provider_util:esgSRegResponseHandler
422#openid.provider.axResponseHandler=ndg.security.server.pylons.container.lib.openid_provider_util:esgAXResponseHandler
423
424# Basic Authentication interface to demonstrate capabilities.  Leave it commented out except for demos/tests: its credentials are held as plain text <username>:<password> pairs in this file.
425#openid.provider.authNInterface=ndg.security.server.wsgi.openid.provider.authninterface.basic.BasicAuthNInterface
426#openid.provider.authN.userCreds=pjk:test
427#openid.provider.authN.username2UserIdentifiers=pjk:PhilipKershaw,P.J.Kershaw
428
429# Link Authentication to a Session Manager instance running in the same WSGI
430# stack or on a remote service
431openid.provider.authNInterface=ndg.security.server.wsgi.openid.provider.authninterface.sessionmanager.SessionManagerOpenIDAuthNInterface
432
433# Omit or leave as blank if the Session Manager is accessible locally in the
434# same WSGI stack.
435openid.provider.authN.sessionManagerURI=
436
437# environ dictionary key to Session Manager WSGI instance held locally.  The
438# setting below is the default and can be omitted if it matches the filterID
439# set for the Session Manager
440#openid.provider.authN.environKeyName=filter:SessionManagerFilter
441
442# Database connection used to check that a username corresponds to an OpenID identifier.  NB: the connection string embeds the database account and password in plain text (the 'postgres' superuser with a test password here - use a dedicated least-privilege account and keep the password out of version control).  The '$username' and '$userIdentifier' placeholders in the queries below are substituted by the provider - confirm that the implementation escapes these values or binds them as parameters before exposing this to untrusted input, otherwise the queries are open to SQL injection.
443openid.provider.authN.connectionString: postgres://postgres:testpassword@localhost/testUserDb
444openid.provider.authN.logonSQLQuery: select username from openid where username = '$username' and ident = '$userIdentifier'
445openid.provider.authN.userIdentifiersSQLQuery: select distinct ident from openid where username = '$username'
446
447# Basic authentication for testing/admin - comma delimited list of
448# <username>:<password> pairs held in plain text.  Keep this disabled outside test deployments.
449#openid.provider.usercreds=pjk:test
450
451#______________________________________________________________________________
452# Beaker Session Middleware (used by OpenID Provider Filter)
453[filter:SessionMiddlewareFilter]
454paste.filter_app_factory=beaker.middleware:SessionMiddleware
455
456# Logging configuration
457[loggers]
458keys = root, ndg
459
460[handlers]
461keys = console
462
463[formatters]
464keys = generic
465
466[logger_root]
467level = INFO
468handlers = console
469
470[logger_ndg]
471level = DEBUG
472handlers =
473qualname = ndg
474
475[handler_console]
476class = StreamHandler
477args = (sys.stderr,)
478level = NOTSET
479formatter = generic
480
481[formatter_generic]
482format = %(asctime)s,%(msecs)03d %(levelname)-5.5s [%(name)s] %(message)s
483datefmt = %H:%M:%S
484