Changeset 4682 for TI12-security/trunk/python

Timestamp:

18/12/08 17:05:05 (11 years ago)

Author:

pjkersha

Message:

• paster template - updated .ini_tmpl file adding $$ escapes for $ vars to be left in place
• configfileparsers: added 'here' variable as default for INIPropertyFile class in the style of Paste Deploy ini file handling
• WSGISessionManagerClient and WSGIAttributeAuthorityClient: more robust error handling and fixes for keying filter names from environ
• Combined services tests: make use name substitution for section names

Location:

TI12-security/trunk/python

Files:

• ndg.security.common/ndg/security/common/X509.py (modified) (1 diff)
• ndg.security.common/ndg/security/common/utils/configfileparsers.py (modified) (1 diff)
• ndg.security.server/ndg/security/server/templates/default_project/services.ini_tmpl (modified) (19 diffs)
• ndg.security.server/ndg/security/server/templates/template.py (modified) (1 diff)
• ndg.security.server/ndg/security/server/wsgi/utils/attributeauthorityclient.py (modified) (5 diffs)
• ndg.security.server/ndg/security/server/wsgi/utils/sessionmanagerclient.py (modified) (8 diffs)
• ndg.security.test/ndg/security/test/combinedservices/serverapp.py (modified) (9 diffs)
• ndg.security.test/ndg/security/test/combinedservices/services.ini (modified) (16 diffs)

TI12-security/trunk/python/ndg.security.common/ndg/security/common/X509.py

@@ -13 +13 @@
 import logging
 log = logging.getLogger(__name__)
-from warnings import warn # warn of impendiong certificate expiry
+from warnings import warn # warn of impending certificate expiry
 
 import types

TI12-security/trunk/python/ndg.security.common/ndg/security/common/utils/configfileparsers.py

@@ -171 +171 @@
             
         if cfg is None:
-            self.cfg = CaseSensitiveConfigParser()
+            hereDef = {'here': os.path.dirname(propFilePath)}
+            self.cfg = CaseSensitiveConfigParser(defaults=hereDef)
             self.cfg.read(propFilePath)
             if not os.path.isfile(propFilePath):

TI12-security/trunk/python/ndg.security.server/ndg/security/server/templates/default_project/services.ini_tmpl

@@ -5 +5 @@
 # * Session Manager
 # * Attribute Authority
-# * OpenID Provider
 #
 # The %(here)s variable will be replaced with the parent directory of this file
@@ -11 +10 @@
 # Author: P J Kershaw
 # date: 30/11/05
-# Copyright: (C) 2008 STFC
+# Copyright: (C) 2008 STFC & NERC
 # license: This software may be distributed under the terms of the Q Public 
 # License, version 1.0 or later.
 # Contact: Philip.Kershaw@stfc.ac.uk
+# Revision: $$Id$$
 
 [DEFAULT]
@@ -20 +20 @@
 # Attribute Authority settings
 # 'name' setting MUST agree with map config file 'thisHost' name attribute
-attributeAuthority.name: ${attributeAuthorityID}
+attributeAuthority.name: Site A
 
 # Lifetime is measured in seconds
@@ -31 +31 @@
 
 # All Attribute Certificates issued are recorded in this dir
-attributeAuthority.attCertDir: $NDGSEC_CONFIG_DIR/siteAAttributeAuthority/attCertLog
+attributeAuthority.attCertDir: %(here)s/siteAAttributeAuthority/attCertLog
 
 # Files in attCertDir are stored using a rotating file handler
@@ -41 +41 @@
 
 # Location of role mapping file
-attributeAuthority.mapConfigFile: $NDGSEC_CONFIG_DIR/siteAAttributeAuthority/siteAMapConfig.xml
+attributeAuthority.mapConfigFile: %(here)s/siteAAttributeAuthority/siteAMapConfig.xml
 
 # Settings for custom AAUserRoles derived class to get user roles for given 
 # user ID
-attributeAuthority.userRolesModFilePath: $NDGSEC_CONFIG_DIR/siteAAttributeAuthority
+attributeAuthority.userRolesModFilePath: %(here)s/siteAAttributeAuthority
 attributeAuthority.userRolesModName: siteAUserRoles
 attributeAuthority.userRolesClassName: TestUserRoles
 
 # Config for XML signature of Attribute Certificate
-attributeAuthority.signingPriKeyFilePath: $NDGSEC_CONFIG_DIR/siteAAttributeAuthority/siteA-aa.key
-attributeAuthority.signingCertFilePath: $NDGSEC_CONFIG_DIR/siteAAttributeAuthority/siteA-aa.crt
-attributeAuthority.caCertFilePathList: $NDGSEC_CONFIG_DIR/ca/ndg-test-ca.crt
+attributeAuthority.signingPriKeyFilePath: %(here)s/siteAAttributeAuthority/siteA-aa.key
+attributeAuthority.signingCertFilePath: %(here)s/siteAAttributeAuthority/siteA-aa.crt
+attributeAuthority.caCertFilePathList: %(here)s/ca/ndg-test-ca.crt
 
 #______________________________________________________________________________
@@ -62 +62 @@
 #
 # CA certificates for Attribute Certificate signature validation
-sessionManager.credentialWallet.caCertFilePathList=$NDGSEC_CONFIG_DIR/ca/ndg-test-ca.crt
+sessionManager.credentialWallet.caCertFilePathList=%(here)s/ca/ndg-test-ca.crt
 
 # CA certificates for SSL connection peer cert. validation - required if
 # connecting to an Attribute Authority over SSL
-sessionManager.credentialWallet.sslCACertFilePathList=$NDGSEC_CONFIG_DIR/ca/ndg-test-ca.crt
+sessionManager.credentialWallet.sslCACertFilePathList=%(here)s/ca/ndg-test-ca.crt
 
 # Allow Get Attribute Certificate calls to try to get a mapped certificate
@@ -95 +95 @@
 # The CA certificates of other NDG trusted sites should go here.  NB, multiple
 # values should be delimited by a space
-sessionManager.credentialWallet.wssecurity.caCertFilePathList: $NDGSEC_CONFIG_DIR/ca/ndg-test-ca.crt
+sessionManager.credentialWallet.wssecurity.caCertFilePathList: %(here)s/ca/ndg-test-ca.crt
 
 # Signature of an outbound message
@@ -105 +105 @@
 
 # PEM encoded cert
-sessionManager.credentialWallet.wssecurity.signingCertFilePath: $NDGSEC_CONFIG_DIR/sessionmanager/sm.crt
+sessionManager.credentialWallet.wssecurity.signingCertFilePath: %(here)s/sessionmanager/sm.crt
 
 # ... or provide file path to PEM encoded private key file
-sessionManager.credentialWallet.wssecurity.signingPriKeyFilePath: $NDGSEC_CONFIG_DIR/sessionmanager/sm.key
+sessionManager.credentialWallet.wssecurity.signingPriKeyFilePath: %(here)s/sessionmanager/sm.key
 
 # Set the ValueType for the BinarySecurityToken added to the WSSE header for a
@@ -134 +134 @@
 # Specific settings for UserCertAuthN Session Manager authentication plugin
 # This sets up PKI credentials for a single test account
-sessionManager.authNService.userX509CertFilePath: $NDGSEC_CONFIG_DIR/sessionmanager/user.crt
-sessionManager.authNService.userPriKeyFilePath: $NDGSEC_CONFIG_DIR/sessionmanager/user.key
+sessionManager.authNService.userX509CertFilePath: %(here)s/sessionmanager/user.crt
+sessionManager.authNService.userPriKeyFilePath: %(here)s/sessionmanager/user.key
 sessionManager.authNService.userPriKeyPwd: testpassword
 
@@ -196 +196 @@
 paste.filter_app_factory = 
         ndg.security.test.combinedservices.serverapp:filter_app_factory
-
+sessionManagerFilterID = filter:SessionManagerFilter
+attributeAuthorityFilterID = filter:AttributeAuthorityFilter
 
 #______________________________________________________________________________
@@ -217 +218 @@
 # identified by this prefix:
 AttributeAuthority.propPrefix = attributeAuthority
-AttributeAuthority.propFilePath = $NDGSEC_CONFIG_DIR/services.ini
-AttributeAuthority.wsseSignatureVerificationFilterID = ndg.security.server.wsgi.wsseSignatureVerificationFilter01
+AttributeAuthority.propFilePath = %(here)s/services.ini
+AttributeAuthority.wsseSignatureVerificationFilterID = filter:wsseSignatureVerificationFilter
 
 # Provide an identifier for this filter so that main WSGI app 
 # CombinedServicesWSGI Session Manager filter can call this Attribute Authority
 # directly
-referencedFilters = ndg.security.server.wsgi.wsseSignatureVerificationFilter01
+referencedFilters = filter:wsseSignatureVerificationFilter
 
 # Path from URL for Attribute Authority in this Paste deployment
@@ -231 +232 @@
 enableWSDLQuery = True
 charset = utf-8
-filterID = ndg.security.server.wsgi.attributeAuthorityFilter
+filterID = %(__name__)s
 
 #______________________________________________________________________________
@@ -252 +253 @@
 # by this prefix:
 SessionManager.propPrefix = sessionManager
-SessionManager.propFilePath = $NDGSEC_CONFIG_DIR/services.ini
+SessionManager.propFilePath = %(here)s/services.ini
 
 # This filter references other filters - a local Attribute Authority (optional)
 # and a WS-Security signature verification filter (required if using signature
 # to authenticate user in requests
-SessionManager.attributeAuthorityFilterID = ndg.security.server.wsgi.attributeAuthorityFilter
-SessionManager.wsseSignatureVerificationFilterID = ndg.security.server.wsgi.wsseSignatureVerificationFilter01
+SessionManager.attributeAuthorityFilterID = filter:AttributeAuthorityFilter
+SessionManager.wsseSignatureVerificationFilterID = filter:wsseSignatureVerificationFilter
 
 # The SessionManagerWS SOAP interface class needs to know about these other 
 # filters
-referencedFilters = ndg.security.server.wsgi.wsseSignatureVerificationFilter01 
-                                        ndg.security.server.wsgi.attributeAuthorityFilter
+referencedFilters = filter:wsseSignatureVerificationFilter 
+                                        filter:AttributeAuthorityFilter
 
 # Path from URL for Session Manager in this Paste deployment
@@ -274 +275 @@
 # Provide an identifier for this filter so that main WSGI app 
 # CombinedServicesWSGI can call this Session Manager directly
-filterID = ndg.security.server.wsgi.sessionManagerFilter
+filterID = %(__name__)s
 
 #______________________________________________________________________________
@@ -280 +281 @@
 [filter:wsseSignatureVerificationFilter]
 paste.filter_app_factory = ndg.security.server.wsgi.wssecurity:SignatureVerificationFilter
-filterID = ndg.security.server.wsgi.wsseSignatureVerificationFilter01
+filterID = %(__name__)s
 
 # Settings for WS-Security SignatureHandler class used by this filter
@@ -286 +287 @@
 
 # Verify against known CAs - Provide a space separated list of file paths
-wssecurity.caCertFilePathList=$NDGSEC_CONFIG_DIR/ca/ndg-test-ca.crt
-#wssecurity.caCertFilePathList=$NDGSEC_CONFIG_DIR/ca/ndg-test-ca.crt $NDGSEC_CONFIG_DIR/ca/java-ca.crt
+wssecurity.caCertFilePathList=%(here)s/ca/ndg-test-ca.crt
 
 #______________________________________________________________________________
@@ -296 +296 @@
 # Reference the verification filter in order to be able to apply signature
 # confirmation
-referencedFilters = ndg.security.server.wsgi.wsseSignatureVerificationFilter01
-wsseSignatureVerificationFilterID = ndg.security.server.wsgi.wsseSignatureVerificationFilter01
+referencedFilters = filter:wsseSignatureVerificationFilter
+wsseSignatureVerificationFilterID = filter:wsseSignatureVerificationFilter
 
 # Last filter in chain of SOAP handlers writes the response
@@ -307 +307 @@
 # Certificate associated with private key used to sign a message.  The sign 
 # method will add this to the BinarySecurityToken element of the WSSE header.  
-wssecurity.signingCertFilePath=$NDGSEC_CONFIG_DIR/server.crt
+wssecurity.signingCertFilePath=%(here)s/server.crt
 
 # PEM encoded private key file
-wssecurity.signingPriKeyFilePath=$NDGSEC_CONFIG_DIR/server.key
+wssecurity.signingPriKeyFilePath=%(here)s/server.key
 
 # Set the ValueType for the BinarySecurityToken added to the WSSE header for a
@@ -399 +399 @@
 # setting below is the default and can be omitted if it matches the filterID
 # set for the Session Manager
-#openid.provider.authN.environKey=ndg.security.server.wsgi.sessionManagerFilter
+#openid.provider.authN.environKey=filter:SessionManagerFilter
 
 # Database connection to enable check between username and OpenID identifier

TI12-security/trunk/python/ndg.security.server/ndg/security/server/templates/template.py

@@ -1 +1 @@
 #!/usr/bin/env python
 
-from paste.script.templates import Template, var
+from paste.script.templates import Template, var, _skip_variables
 
 vars = [

TI12-security/trunk/python/ndg.security.server/ndg/security/server/wsgi/utils/attributeauthorityclient.py

@@ -18 +18 @@
 from ndg.security.common.attributeauthority import AttributeAuthorityClient
 
+class WSGIAttributeAuthorityClientError(Exception):
+    """Base class for WSGIAttributeAuthorityClient exceptions"""
+    
+class WSGIAttributeAuthorityClientConfigError(
+                                        WSGIAttributeAuthorityClientError):
+    """Configuration error"""
+    
 class WSGIAttributeAuthorityClient(object):
     """Client interface to Attribute Authority for WSGI based applications
@@ -76 +83 @@
             # Connect to local instance
             return self.ref.hostInfo
-        else:
+        
+        elif self._soapClient is None:            
+            raise WSGIAttributeAuthorityClientConfigError("No reference to a "
+                        "local Attribute Authority is set and no SOAP client "
+                        "to a remote service has been initialized")
+        else:            
             # Make connection to remote service
             return self._soapClient.getHostInfo()
@@ -97 +109 @@
             # Connect to local instance
             return self.ref.getTrustedHostInfo(**kw)
+        elif self._soapClient is None:            
+            raise WSGIAttributeAuthorityClientConfigError("No reference to a "
+                        "local Attribute Authority is set and no SOAP client "
+                        "to a remote service has been initialized")
         else:
             # Make connection to remote service
@@ -116 +132 @@
             allHostsInfo.update(self.ref.getTrustedHostInfo())
             return allHostsInfo
+        elif self._soapClient is None:            
+            raise WSGIAttributeAuthorityClientConfigError("No reference to a "
+                        "local Attribute Authority is set and no SOAP client "
+                        "to a remote service has been initialized")
         else:
             # Make connection to remote service
@@ -142 +162 @@
 
             return self.ref.getAttCert(**kw)
+        elif self._soapClient is None:            
+            raise WSGIAttributeAuthorityClientConfigError("No reference to a "
+                        "local Attribute Authority is set and no SOAP client "
+                        "to a remote service has been initialized")
         else:
             # Make connection to remote service

TI12-security/trunk/python/ndg.security.server/ndg/security/server/wsgi/utils/sessionmanagerclient.py

@@ -57 +57 @@
     SessionManagerClientError, SessionCertTimeError
 
-# Combine Session not found exception classes as raised from server and
-# client side to enable convenient exception handling by a client to this
-# class.  e.g. a call to WSGISessionManager.connect without the need to know 
-# whether the wrapper is calling a remote service over the SOAP interface or
-# the service locally via a reference a Session Manager in environ:
-# 
-# try:
-#     wsgiClnt.connect(username, passphrase=p)
-# except SessionNotFound, e:
-#     #  do something
-#     raise
-#     
-# Rather than having to do:
-# 
-# try:
-#     wsgiClnt.connect(username, passphrase=p)
-# except (ndg.security.server.sessionmanager.SessionNotFound,
-#         ndg.security.common.sessionmanager.SessionNotFound), e:
-#     #  do something
-#     raise
 SessionNotFound = (_SrvSessionNotFound, _ClntSessionNotFound)
 
@@ -116 +96 @@
     a Session Manager instance in the same code stack available via an environ
     keyword
+    
+    @type environKey: basestring
+    @cvar environKey: default WSGI environ keyword name for reference to a 
+    local Session Manager instance.  Override with the environKey keyword to 
+    __init__
+    
+    @type attributeAuthorityEnvironKey: basestring
+    @cvar attributeAuthorityEnvironKey: default WSGI environ keyword name for 
+    reference to a local Attribute Authority instance used in calls to 
+    getAttCert().  Override with the attributeAuthorityEnvironKey keyword to
+    __init__
     """
     environKey = "ndg.security.server.wsgi.sessionManagerFilter"
-
+    attributeAuthorityEnvironKey = WSGIAttributeAuthorityClient.environKey
+    
     _refInEnviron = lambda self: self._environKey in self._environ
     
@@ -130 +122 @@
 
     
-    def __init__(self, environKey=None, environ={}, **soapClientKw):
+    def __init__(self, 
+                 environKey=None, 
+                 attributeAuthorityEnvironKey=None,
+                 environ={}, 
+                 **soapClientKw):
  
         log.debug("WSGISessionManagerClient.__init__ ...")
         
         self._environKey = environKey or WSGISessionManagerClient.environKey
-        
+        self._attributeAuthorityEnvironKey = attributeAuthorityEnvironKey or \
+                        WSGISessionManagerClient.attributeAuthorityEnvironKey
+                        
         # Standard WSGI environment dict
         self._environ = environ
@@ -171 +169 @@
             # Connect to local instance
             res = self.ref.connect(username=username, **kw)
+            
+        elif self._soapClient is None:            
+            raise WSGISessionManagerClientConfigError("No reference to a "
+                        "local Session Manager is set and no SOAP client "
+                        "to a remote service has been initialized")
         else:
             log.debug("Connecting to remote Session Manager service")
@@ -207 +210 @@
                 
             self.ref.deleteUserSession(**kw)
+            
+        elif self._soapClient is None:            
+            raise WSGISessionManagerClientConfigError("No reference to a "
+                        "local Session Manager is set and no SOAP client "
+                        "to a remote service has been initialized")
         else:
             if 'userX509Cert' in kw:
@@ -226 +234 @@
         if self.refInEnviron:
             return self.ref.getSessionStatus(**kw)
+        
+        elif self._soapClient is None:            
+            raise WSGISessionManagerClientConfigError("No reference to a "
+                        "local Session Manager is set and no SOAP client "
+                        "to a remote service has been initialized")
         else:
             return self._soapClient.getSessionStatus(**kw)
@@ -249 +262 @@
                kw.get('attributeAuthority') is None:
                 wsgiAttributeAuthorityClient = WSGIAttributeAuthorityClient(
-                                                        environ=self._environ)
+                                environ=self._environ,
+                                environKey=self._attributeAuthorityEnvironKey)
 
                 if wsgiAttributeAuthorityClient.refInEnviron:
@@ -259 +273 @@
                     
             return self.ref.getAttCert(**kw)
+    
+        elif self._soapClient is None:            
+            raise WSGISessionManagerClientConfigError("No reference to a "
+                        "local Session Manager is set and no SOAP client "
+                        "to a remote service has been initialized")
         else:
             # Filter out keywords which apply to a Session Manager local 

TI12-security/trunk/python/ndg.security.test/ndg/security/test/combinedservices/serverapp.py

@@ -31 +31 @@
         """validation function"""
         try:
-            client = WSGISessionManagerClient(environ=environ)
+            client = WSGISessionManagerClient(environ=environ,
+                                        environKey=self.sessionManagerFilterID)
             res = client.connect(username, passphrase=password)
 
@@ -61 +62 @@
     def __init__(self, app, globalConfig, **localConfig):
         self.app = app
-        
+        self.sessionManagerFilterID = localConfig.get('sessionManagerFilterID')
+        self.attributeAuthorityFilterID = \
+                                localConfig.get('attributeAuthorityFilterID')
+                                
+        CombinedServicesWSGI.httpBasicAuthentication.sessionManagerFilterID = \
+            self.sessionManagerFilterID
+            
     def __call__(self, environ, start_response):
         
@@ -85 +92 @@
     @authorize(httpBasicAuthentication._userIn)
     def test_localSessionManagerGetSessionStatus(self, environ,start_response):
-        client = WSGISessionManagerClient(environ=environ)
+        client = WSGISessionManagerClient(environ=environ,
+                                        environKey=self.sessionManagerFilterID)
         stat=client.getSessionStatus(sessID=environ[client.environKey+'.user'])
         start_response('200 OK', [('Content-type', 'text/xml')])
@@ -93 +101 @@
     @authorize(httpBasicAuthentication._userIn)
     def test_localSessionManagerDisconnect(self, environ, start_response):
-        client = WSGISessionManagerClient(environ=environ)
+        client = WSGISessionManagerClient(environ=environ,
+                                        environKey=self.sessionManagerFilterID)
         client.disconnect(sessID=environ[client.environKey+'.user'])
         
@@ -103 +112 @@
     @authorize(httpBasicAuthentication._userIn)
     def test_localSessionManagerGetAttCert(self, environ, start_response):
-        client = WSGISessionManagerClient(environ=environ)
+        client = WSGISessionManagerClient(environ=environ,
+                environKey=self.sessionManagerFilterID,
+                attributeAuthorityEnvironKey=self.attributeAuthorityFilterID)
+
         attCert = client.getAttCert(sessID=environ[client.environKey+'.user'])
         start_response('200 OK', [('Content-type', 'text/xml')])
@@ -109 +121 @@
 
     def test_localAttributeAuthorityGetHostInfo(self, environ, start_response):
-        client = WSGIAttributeAuthorityClient(environ=environ)
+        client = WSGIAttributeAuthorityClient(environ=environ,
+                                    environKey=self.attributeAuthorityFilterID)
         hostInfo = client.getHostInfo()
         start_response('200 OK', [('Content-type', 'text/html')])
@@ -118 +131 @@
                                                        environ, 
                                                        start_response):
-        client = WSGIAttributeAuthorityClient(environ=environ)
+        client = WSGIAttributeAuthorityClient(environ=environ,
+                                    environKey=self.attributeAuthorityFilterID)
         role = environ.get('QUERY_STRING', '').split('=')[-1] or None
         hostInfo = client.getTrustedHostInfo(role=role)
@@ -128 +142 @@
                                                     environ, 
                                                     start_response):
-        client = WSGIAttributeAuthorityClient(environ=environ)
+        client = WSGIAttributeAuthorityClient(environ=environ,
+                                    environKey=self.attributeAuthorityFilterID)
         hostInfo = client.getAllHostsInfo()
         start_response('200 OK', [('Content-type', 'text/html')])
@@ -137 +152 @@
     def test_localAttributeAuthorityGetAttCert(self, environ, start_response):
         
-        client = WSGIAttributeAuthorityClient(environ=environ)
+        client = WSGIAttributeAuthorityClient(environ=environ,
+                                    environKey=self.attributeAuthorityFilterID)
         username=CombinedServicesWSGI.httpBasicAuthentication._userIn.users[-1]
         

TI12-security/trunk/python/ndg.security.test/ndg/security/test/combinedservices/services.ini

@@ -31 +31 @@
 
 # All Attribute Certificates issued are recorded in this dir
-attributeAuthority.attCertDir: $NDGSEC_COMBINED_SRVS_UNITTEST_DIR/siteAAttributeAuthority/attCertLog
+attributeAuthority.attCertDir: %(here)s/siteAAttributeAuthority/attCertLog
 
 # Files in attCertDir are stored using a rotating file handler
@@ -41 +41 @@
 
 # Location of role mapping file
-attributeAuthority.mapConfigFile: $NDGSEC_COMBINED_SRVS_UNITTEST_DIR/siteAAttributeAuthority/siteAMapConfig.xml
+attributeAuthority.mapConfigFile: %(here)s/siteAAttributeAuthority/siteAMapConfig.xml
 
 # Settings for custom AAUserRoles derived class to get user roles for given 
 # user ID
-attributeAuthority.userRolesModFilePath: $NDGSEC_COMBINED_SRVS_UNITTEST_DIR/siteAAttributeAuthority
+attributeAuthority.userRolesModFilePath: %(here)s/siteAAttributeAuthority
 attributeAuthority.userRolesModName: siteAUserRoles
 attributeAuthority.userRolesClassName: TestUserRoles
 
 # Config for XML signature of Attribute Certificate
-attributeAuthority.signingPriKeyFilePath: $NDGSEC_COMBINED_SRVS_UNITTEST_DIR/siteAAttributeAuthority/siteA-aa.key
-attributeAuthority.signingCertFilePath: $NDGSEC_COMBINED_SRVS_UNITTEST_DIR/siteAAttributeAuthority/siteA-aa.crt
-attributeAuthority.caCertFilePathList: $NDGSEC_COMBINED_SRVS_UNITTEST_DIR/ca/ndg-test-ca.crt
+attributeAuthority.signingPriKeyFilePath: %(here)s/siteAAttributeAuthority/siteA-aa.key
+attributeAuthority.signingCertFilePath: %(here)s/siteAAttributeAuthority/siteA-aa.crt
+attributeAuthority.caCertFilePathList: %(here)s/ca/ndg-test-ca.crt
 
 #______________________________________________________________________________
@@ -62 +62 @@
 #
 # CA certificates for Attribute Certificate signature validation
-sessionManager.credentialWallet.caCertFilePathList=$NDGSEC_COMBINED_SRVS_UNITTEST_DIR/ca/ndg-test-ca.crt
+sessionManager.credentialWallet.caCertFilePathList=%(here)s/ca/ndg-test-ca.crt
 
 # CA certificates for SSL connection peer cert. validation - required if
 # connecting to an Attribute Authority over SSL
-sessionManager.credentialWallet.sslCACertFilePathList=$NDGSEC_COMBINED_SRVS_UNITTEST_DIR/ca/ndg-test-ca.crt
+sessionManager.credentialWallet.sslCACertFilePathList=%(here)s/ca/ndg-test-ca.crt
 
 # Allow Get Attribute Certificate calls to try to get a mapped certificate
@@ -95 +95 @@
 # The CA certificates of other NDG trusted sites should go here.  NB, multiple
 # values should be delimited by a space
-sessionManager.credentialWallet.wssecurity.caCertFilePathList: $NDGSEC_COMBINED_SRVS_UNITTEST_DIR/ca/ndg-test-ca.crt
+sessionManager.credentialWallet.wssecurity.caCertFilePathList: %(here)s/ca/ndg-test-ca.crt
 
 # Signature of an outbound message
@@ -105 +105 @@
 
 # PEM encoded cert
-sessionManager.credentialWallet.wssecurity.signingCertFilePath: $NDGSEC_COMBINED_SRVS_UNITTEST_DIR/sessionmanager/sm.crt
+sessionManager.credentialWallet.wssecurity.signingCertFilePath: %(here)s/sessionmanager/sm.crt
 
 # ... or provide file path to PEM encoded private key file
-sessionManager.credentialWallet.wssecurity.signingPriKeyFilePath: $NDGSEC_COMBINED_SRVS_UNITTEST_DIR/sessionmanager/sm.key
+sessionManager.credentialWallet.wssecurity.signingPriKeyFilePath: %(here)s/sessionmanager/sm.key
 
 # Set the ValueType for the BinarySecurityToken added to the WSSE header for a
@@ -134 +134 @@
 # Specific settings for UserCertAuthN Session Manager authentication plugin
 # This sets up PKI credentials for a single test account
-sessionManager.authNService.userX509CertFilePath: $NDGSEC_COMBINED_SRVS_UNITTEST_DIR/sessionmanager/user.crt
-sessionManager.authNService.userPriKeyFilePath: $NDGSEC_COMBINED_SRVS_UNITTEST_DIR/sessionmanager/user.key
+sessionManager.authNService.userX509CertFilePath: %(here)s/sessionmanager/user.crt
+sessionManager.authNService.userPriKeyFilePath: %(here)s/sessionmanager/user.key
 sessionManager.authNService.userPriKeyPwd: testpassword
 
@@ -196 +196 @@
 paste.filter_app_factory = 
         ndg.security.test.combinedservices.serverapp:filter_app_factory
-
+sessionManagerFilterID = filter:SessionManagerFilter
+attributeAuthorityFilterID = filter:AttributeAuthorityFilter
 
 #______________________________________________________________________________
@@ -217 +218 @@
 # identified by this prefix:
 AttributeAuthority.propPrefix = attributeAuthority
-AttributeAuthority.propFilePath = $NDGSEC_COMBINED_SRVS_UNITTEST_DIR/services.ini
-AttributeAuthority.wsseSignatureVerificationFilterID = ndg.security.server.wsgi.wsseSignatureVerificationFilter01
+AttributeAuthority.propFilePath = %(here)s/services.ini
+AttributeAuthority.wsseSignatureVerificationFilterID = filter:wsseSignatureVerificationFilter
 
 # Provide an identifier for this filter so that main WSGI app 
 # CombinedServicesWSGI Session Manager filter can call this Attribute Authority
 # directly
-referencedFilters = ndg.security.server.wsgi.wsseSignatureVerificationFilter01
+referencedFilters = filter:wsseSignatureVerificationFilter
 
 # Path from URL for Attribute Authority in this Paste deployment
@@ -231 +232 @@
 enableWSDLQuery = True
 charset = utf-8
-filterID = ndg.security.server.wsgi.attributeAuthorityFilter
+filterID = %(__name__)s
 
 #______________________________________________________________________________
@@ -252 +253 @@
 # by this prefix:
 SessionManager.propPrefix = sessionManager
-SessionManager.propFilePath = $NDGSEC_COMBINED_SRVS_UNITTEST_DIR/services.ini
+SessionManager.propFilePath = %(here)s/services.ini
 
 # This filter references other filters - a local Attribute Authority (optional)
 # and a WS-Security signature verification filter (required if using signature
 # to authenticate user in requests
-SessionManager.attributeAuthorityFilterID = ndg.security.server.wsgi.attributeAuthorityFilter
-SessionManager.wsseSignatureVerificationFilterID = ndg.security.server.wsgi.wsseSignatureVerificationFilter01
+SessionManager.attributeAuthorityFilterID = filter:AttributeAuthorityFilter
+SessionManager.wsseSignatureVerificationFilterID = filter:wsseSignatureVerificationFilter
 
 # The SessionManagerWS SOAP interface class needs to know about these other 
 # filters
-referencedFilters = ndg.security.server.wsgi.wsseSignatureVerificationFilter01 
-                                        ndg.security.server.wsgi.attributeAuthorityFilter
+referencedFilters = filter:wsseSignatureVerificationFilter 
+                                        filter:AttributeAuthorityFilter
 
 # Path from URL for Session Manager in this Paste deployment
@@ -274 +275 @@
 # Provide an identifier for this filter so that main WSGI app 
 # CombinedServicesWSGI can call this Session Manager directly
-filterID = ndg.security.server.wsgi.sessionManagerFilter
+filterID = %(__name__)s
 
 #______________________________________________________________________________
@@ -280 +281 @@
 [filter:wsseSignatureVerificationFilter]
 paste.filter_app_factory = ndg.security.server.wsgi.wssecurity:SignatureVerificationFilter
-filterID = ndg.security.server.wsgi.wsseSignatureVerificationFilter01
+filterID = %(__name__)s
 
 # Settings for WS-Security SignatureHandler class used by this filter
@@ -286 +287 @@
 
 # Verify against known CAs - Provide a space separated list of file paths
-wssecurity.caCertFilePathList=$NDGSEC_COMBINED_SRVS_UNITTEST_DIR/ca/ndg-test-ca.crt
-#wssecurity.caCertFilePathList=$NDGSEC_COMBINED_SRVS_UNITTEST_DIR/ca/ndg-test-ca.crt $NDGSEC_COMBINED_SRVS_UNITTEST_DIR/ca/java-ca.crt
+wssecurity.caCertFilePathList=%(here)s/ca/ndg-test-ca.crt
 
 #______________________________________________________________________________
@@ -296 +296 @@
 # Reference the verification filter in order to be able to apply signature
 # confirmation
-referencedFilters = ndg.security.server.wsgi.wsseSignatureVerificationFilter01
-wsseSignatureVerificationFilterID = ndg.security.server.wsgi.wsseSignatureVerificationFilter01
+referencedFilters = filter:wsseSignatureVerificationFilter
+wsseSignatureVerificationFilterID = filter:wsseSignatureVerificationFilter
 
 # Last filter in chain of SOAP handlers writes the response
@@ -307 +307 @@
 # Certificate associated with private key used to sign a message.  The sign 
 # method will add this to the BinarySecurityToken element of the WSSE header.  
-wssecurity.signingCertFilePath=$NDGSEC_COMBINED_SRVS_UNITTEST_DIR/server.crt
+wssecurity.signingCertFilePath=%(here)s/server.crt
 
 # PEM encoded private key file
-wssecurity.signingPriKeyFilePath=$NDGSEC_COMBINED_SRVS_UNITTEST_DIR/server.key
+wssecurity.signingPriKeyFilePath=%(here)s/server.key
 
 # Set the ValueType for the BinarySecurityToken added to the WSSE header for a
@@ -399 +399 @@
 # setting below is the default and can be omitted if it matches the filterID
 # set for the Session Manager
-#openid.provider.authN.environKey=ndg.security.server.wsgi.sessionManagerFilter
+#openid.provider.authN.environKey=filter:SessionManagerFilter
 
 # Database connection to enable check between username and OpenID identifier