Changeset 7756 for TI12-security


Timestamp:
30/11/10 22:26:05 (9 years ago)
Author:
pjkersha
Message:

Incomplete - task 16: NDG Security 2.x.x - incl. updated Paster templates

Location:
TI12-security/trunk/NDGSecurity/python
Files:
43 added
1 deleted
7 edited

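--- a/TI12-security/trunk/NDGSecurity/python/ndg_security_server/MANIFEST.in
+++ b/TI12-security/trunk/NDGSecurity/python/ndg_security_server/MANIFEST.in
@@ -9,3 +9,3 @@
 #
 # BSD - See LICENCE file for details
-recursive-include ndg/security/server/paster_templates/default_deployment *
+recursive-include ndg/security/server/paster_templates/ *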
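Review bot: `recursive-include ndg/security/server/paster_templates/ *` now sweeps every file under the whole template tree into the sdist, not just the one deployment template the previous pattern named. Anything left in that tree — `.pyc` files, editor backups, a locally generated deployment with its own config and key material — is published with the package. Add `global-exclude *.pyc *~` and, unless key files are meant to ship, `recursive-exclude ndg/security/server/paster_templates *.key` next to this line, or enumerate the template sub-directories explicitly as before.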
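--- a/TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/paster_templates/template.py
+++ b/TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/paster_templates/template.py
@@ -19,5 +19,5 @@
     # Get first alias from list if present
     _hostname = _hostTuple[1][0]
-except TypeError:
+except IndexError:
     # ... or default to hostname
     _hostname = _hostTuple[0]
@@ -108,11 +108,12 @@
 
 
-from ndg.saml.saml2.core.AbstractNameIDType import X509_SUBJECT
+from ndg.saml.saml2.core import Issuer
 
 class AuthorisationServiceTemplate(Template):
     """Paster template for the authorisation service"""
-    DEFAULT_MOUNT_POINT = 'AuthorisationService'
+
+    DEFAULT_MOUNT_POINT = '/AuthorisationService'
     DEFAULT_ISSUER_NAME = 'O=NDG, OU=Security, CN=localhost'
-    DEFAULT_ISSUER_FORMAT = X509_SUBJECT
+    DEFAULT_ISSUER_FORMAT = Issuer.X509_SUBJECT
 
     _template_dir = 'authorisationservice'
@@ -130,5 +131,6 @@
         var('issuerFormat',
             ('Format of issuerName string; if using the default, ensure that '
-             'the issuerName value is a correctly formatted X.509 Subject Name'),
+             'the issuerName value is a correctly formatted X.509 Subject '
+             'Name'),
             default=DEFAULT_ISSUER_FORMAT)
     ]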
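Review bot: The narrowed `except IndexError:` on the hostname lookup only covers an empty alias list; the `try` it belongs to starts above the hunk, so confirm that `_hostTuple[1]` cannot be `None` or a non-sequence on the platforms this template runs on — if it can, `except (IndexError, TypeError):` keeps both failure modes handled instead of trading one for the other. Separately, `_hostname` is resolved here but `DEFAULT_ISSUER_NAME` in the class below still hard-codes `CN=localhost`; if the issuer name is meant to carry the deployment host, `DEFAULT_ISSUER_NAME = 'O=NDG, OU=Security, CN=%s' % _hostname` would make the prompt default correct rather than relying on every deployer to change it. The `var('issuerFormat', ...)` help text would also benefit from stating the accepted values, since `Issuer.X509_SUBJECT` is the only one shown.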
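--- a/TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/wsgi/authn.py
+++ b/TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/wsgi/authn.py
@@ -196,5 +196,62 @@
         raise NotImplementedError()
 
-
+import webob
+
+class AuthenticationEnforcementFilter(object):
+    """Simple filter raises HTTP 401 response code if the requested URI matches
+    a fixed regular expression set in the start-up configuration.  If however,
+    REMOTE_USER is set in environ, the request is passed through to the next
+    middleware or terminating app
+    """
+    REMOTE_USER_ENVVAR_NAME = 'REMOTE_USER'
+    INTERCEPT_URI_PAT_OPTNAME = 'interceptUriPat'
+    DEFAULT_INTERCEPT_URI_PAT = re.compile(".*")
+    RE_PAT_TYPE = type(DEFAULT_INTERCEPT_URI_PAT)
+
+    __slots__ = ('_app', '__interceptUriPat')
+
+    def __init__(self, app):
+        """Create attributes, initialising intercept URI to match all incoming
+        requests
+        """
+        self.__interceptUriPat = self.__class__.DEFAULT_INTERCEPT_URI_PAT
+        self._app = app
+
+    @property
+    def interceptUriPat(self):
+        return self.__interceptUriPat
+
+    @interceptUriPat.setter
+    def interceptUriPat(self, value):
+        if isinstance(value, basestring):
+            self.__interceptUriPat = re.compile(value)
+
+        elif isinstance(value, self.__class__.RE_PAT_TYPE):
+            self.__interceptUriPat = value
+
+        else:
+            raise TypeError('Expecting string or RE pattern type for "'
+                            'RE_PAT_TYPE" attribute')
+
+    @classmethod
+    def filter_app_factory(cls, app, global_conf, **app_conf):
+        filter = cls(app)
+        if cls.INTERCEPT_URI_PAT_OPTNAME in app_conf:
+            filter.interceptUriPat = app_conf[cls.INTERCEPT_URI_PAT_OPTNAME]
+
+        return filter
+
+    def __call__(self, environ, start_response):
+        request = webob.Request(environ)
+        if not self.interceptUriPat.match(request.url):
+            return self._app(environ, start_response)
+
+        if self.__class__.REMOTE_USER_ENVVAR_NAME in environ:
+            return self._app(environ, start_response)
+        else:
+            response = webob.Response(body="401 Unauthorized", status=401)
+            return response(environ, start_response)
+
+
 class AuthnRedirectMiddleware(SessionMiddlewareBase):
     """Base class for Authentication HTTP redirect initiator and redirect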
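Review bot: `AuthenticationEnforcementFilter.__call__` treats the mere presence of the `REMOTE_USER` key as proof of authentication, so any upstream component that sets `environ['REMOTE_USER'] = ''` (or `None`) on an anonymous request walks through the gate; test the value, not the key: `if environ.get(self.__class__.REMOTE_USER_ENVVAR_NAME):`. The 401 it returns carries no `WWW-Authenticate` header, which HTTP requires on a 401, so a client gets no challenge to act on — either add the header or return 403 if this filter is meant purely as an enforcement point behind a separate login mechanism. The intercept pattern is matched against `request.url`, which in webob is the full URL including scheme and host, so a configured pattern written against the path (`^/secure`) would never match; either say so in the class docstring or match against `request.path`. Minor: `filter = cls(app)` in `filter_app_factory` shadows the builtin, and the setter's error message names `RE_PAT_TYPE` where `interceptUriPat` is meant.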
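--- a/TI12-security/trunk/NDGSecurity/python/ndg_security_server/setup.py
+++ b/TI12-security/trunk/NDGSecurity/python/ndg_security_server/setup.py
@@ -37,5 +37,4 @@
     [paste.paster_create_template]
     ndgsecurity_authorisation_service=ndg.security.server.paster_templates.template:AuthorisationServiceTemplate
-    ndgsecurity_services_with_sso=ndg.security.server.paster_templates.template:FullDeploymentTemplate
     """
 
@@ -86,34 +85,7 @@
     include_package_data =  True,
     package_data = {
-        'ndg.security.server.sso.sso': [
-            'i18n/*/LC_MESSAGES/*.mo'
-        ],
-        'ndg.security.server.conf': [
-            '*.xml', '*.py', '*.cfg', '*.conf'
-        ],
-        'ndg.security.server.share': ['*'],
-        'ndg.security.server.sso': ['*.ini', '*.cfg', '*.txt'],
-        'ndg.security.server.sso.sso': ['public/*.*', 'public/layout/*.*'],
-        'ndg.security.server.sso.sso.badc_site': [
-            'public/*.*',
-            'public/layout/*.*',
-            'public/layout/logos/*.*',
-            'public/layout/styles/*.*',
-            'public/layout/tabs/*.*'
-        ],
-        'ndg.security.server.sso.sso.templates.ndg.security': ['*.kid'],
-        'ndg.security.server.sso.sso.badc_site.templates.ndg.security': ['*.kid'],
-        'ndg.security.server.pylons': ['*.ini', '*.cfg', '*.txt'],
-        'ndg.security.server.pylons.container': [
-            'public/*.*',
-            'public/layout/*.*',
-            'public/js/*.*',
-            'public/js/img/*.*',
-            'public/js/theme/*.*',
-            'public/js/yui/*.*'],
-        'ndg.security.server.pylons.container.templates.ndg.security': [
-            '*.kid'
-        ],
         # See MANIFEST.in for ndg.security.server.paster_templates files
+#        'ndg.security.server.templates.pki': ['*.crt', '*.key'],
+#        'ndg.security.server.templates.pki.ca': ['*.crt'],
     },
     entry_points =           _entryPoints,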
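Review bot: The two commented-out `package_data` entries added at the bottom of the dict keep a `['*.crt', '*.key']` glob for `ndg.security.server.templates.pki` in the file; if anyone re-enables it, every private key sitting in that directory is packaged into the built egg and sdist. If the intent is to ship only example certificates, drop `'*.key'` from the comment now, or replace both lines with a pointer to MANIFEST.in as the line above already does for the paster templates. The removed `ndgsecurity_services_with_sso` entry point is not mentioned in the commit message; a one-line note that `FullDeploymentTemplate` is gone would save downstream `paster create` users a surprise.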
  • TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/integration/openidprovider

    • Property svn:ignore set to
      authn
      openidrelyingparty
  • TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/integration/openidprovider/securityservices.ini

    r7153 r7756  
    22# NERC DataGrid Security 
    33# 
    4 # Paste configuration for combined Session Manager, Attribute Authority, 
    5 # OpenID Relying Party and Provider services 
     4# Paste configuration for OpenID Relying Party and Provider services  
    65# 
    76# The %(here)s variable will be replaced with the parent directory of this file 
    87# 
    98# Author: P J Kershaw 
    10 # date: 26/02/09 
    11 # Copyright: (C) 2009 Science and Technology Facilities Council 
     9# date: 01/07/09 
     10# 
     11# Copyright: (C) 2010 Science and Technology Facilities Council 
    1212# license: BSD - see LICENSE file in top-level directory 
    1313# Contact: Philip.Kershaw@stfc.ac.uk 
     
    1515 
    1616[DEFAULT] 
    17 portNum = 9443 
     17portNum = 7443 
    1818hostname = localhost 
    19 scheme = http 
     19scheme = https 
    2020baseURI = %(scheme)s://%(hostname)s:%(portNum)s 
     21openIDProviderIDBase = /openid 
     22openIDProviderIDSelectURI = %(baseURI)s%(openIDProviderIDBase)s 
    2123testConfigDir = %(here)s/../../config 
    22  
    23 #______________________________________________________________________________ 
    24 # Attribute Authority settings 
    25 # 'name' setting MUST agree with map config file 'thisHost' name attribute 
    26 attributeAuthority.name: Site A 
    27  
    28 # Lifetime is measured in seconds 
    29 attributeAuthority.attCertLifetime: 28800  
    30  
    31 # Allow an offset for clock skew between servers running  
    32 # security services. NB, measured in seconds - use a minus sign for time in the 
    33 # past 
    34 attributeAuthority.attCertNotBeforeOff: 0 
    35  
    36 # All Attribute Certificates issued are recorded in this dir 
    37 attributeAuthority.attCertDir: %(testConfigDir)s/attributeauthority/sitea/attributeCertificateLog 
    38  
    39 # Files in attCertDir are stored using a rotating file handler 
    40 # attCertFileLogCnt sets the max number of files created before the first is  
    41 # overwritten 
    42 attributeAuthority.attCertFileName: ac.xml 
    43 attributeAuthority.attCertFileLogCnt: 16 
    44 attributeAuthority.dnSeparator:/ 
    45  
    46 # Location of role mapping file 
    47 attributeAuthority.mapConfigFilePath: %(testConfigDir)s/attributeauthority/sitea/siteAMapConfig.xml 
    48  
    49 # Settings for custom AttributeInterface derived class to get user roles for given  
    50 # user ID 
    51 attributeAuthority.attributeInterface.modFilePath: %(testConfigDir)s/attributeauthority/sitea 
    52 attributeAuthority.attributeInterface.modName: siteAUserRoles 
    53 attributeAuthority.attributeInterface.className: TestUserRoles 
    54  
    55 # Config for XML signature of Attribute Certificate 
    56 attributeAuthority.signingPriKeyFilePath: %(testConfigDir)s/attributeauthority/sitea/siteA-aa.key 
    57 attributeAuthority.signingCertFilePath: %(testConfigDir)s/attributeauthority/sitea/siteA-aa.crt 
    58 attributeAuthority.caCertFilePathList: %(testConfigDir)s/ca/d573507a.0 
    59  
    60 #______________________________________________________________________________ 
    61 # Session Manager specific settings - commented out settings will take their 
    62 # default settings.  To override the defaults uncomment and set as required. 
    63 # See ndg.security.server.sessionmanager module for details 
    64  
    65 # Credential Wallet Settings - global to all user sessions 
    66 # 
    67 # CA certificates for Attribute Certificate signature validation 
    68 sessionManager.credentialWallet.caCertFilePathList=%(testConfigDir)s/ca/d573507a.0 
    69  
    70 # CA certificates for SSL connection peer cert. validation - required if 
    71 # connecting to an Attribute Authority over SSL 
    72 sessionManager.credentialWallet.sslCACertFilePathList=%(testConfigDir)s/ca/d573507a.0 
    73  
    74 # Allow Get Attribute Certificate calls to try to get a mapped certificate 
    75 # from another organisation trusted by the target Attribute Authority 
    76 sessionManager.credentialWallet.mapFromTrustedHosts=True 
    77 sessionManager.credentialWallet.rtnExtAttCertList=True 
    78  
    79 # Refresh an Attribute Certificate, if an existing one in the wallet has only 
    80 # this length of time left before it expires 
    81 credentialWallet.attCertRefreshElapse=7200 
    82  
    83 # Pointer to WS-Security settings.  These WS-Security settings are for use 
    84 # by user credential wallets held in user sessions hosted by the Session 
    85 # Manager.  They enable individual wallets to query Attribute Authorities for 
    86 # user Attribute Certificates.  Nb. the difference between these settings and 
    87 # the WS-Security section for handling requests to the Session Manager. 
    88 # 
    89 # Settings are identified by a prefix.   
    90 sessionManager.credentialWallet.wssCfgPrefix=sessionManager.credentialWallet.wssecurity 
    91  
    92 # ...A section name could also be used. 
    93 #sessionManager.credentialWallet.wssCfgSection= 
    94  
    95 # SOAP Signature Handler settings for the Credential Wallet's Attribute  
    96 # Authority interface 
    97 # 
    98 # CA Certificates used to verify X.509 certs used in Attribute Certificates. 
    99 # The CA certificates of other NDG trusted sites should go here.  NB, multiple 
    100 # values should be delimited by a space 
    101 sessionManager.credentialWallet.wssecurity.caCertFilePathList: %(testConfigDir)s/ca/d573507a.0 
    102  
    103 # Signature of an outbound message 
    104 # 
    105 # Certificate associated with private key used to sign a message.  The sign  
    106 # method will add this to the BinarySecurityToken element of the WSSE header.   
    107 # binSecTokValType attribute must be set to 'X509' or 'X509v3' ValueType.   
    108 # As an alternative, use signingCertChain - see below... 
    109  
    110 # PEM encoded cert 
    111 sessionManager.credentialWallet.wssecurity.signingCertFilePath: %(testConfigDir)s/sessionmanager/sm.crt 
    112  
    113 # ... or provide file path to PEM encoded private key file 
    114 sessionManager.credentialWallet.wssecurity.signingPriKeyFilePath: %(testConfigDir)s/sessionmanager/sm.key 
    115  
    116 # Set the ValueType for the BinarySecurityToken added to the WSSE header for a 
    117 # signed message.  See __setReqBinSecTokValType method and binSecTokValType  
    118 # class variable for options - it may be one of X509, X509v3, X509PKIPathv1 or  
    119 # give full namespace to alternative - see  
    120 # ZSI.wstools.Namespaces.OASIS.X509TOKEN 
    121 # 
    122 # binSecTokValType determines whether signingCert or signingCertChain  
    123 # attributes will be used. 
    124 sessionManager.credentialWallet.wssecurity.reqBinSecTokValType: X509v3 
    125  
    126 # Add a timestamp element to an outbound message 
    127 sessionManager.credentialWallet.wssecurity.addTimestamp: True 
    128  
    129 # For WSSE 1.1 - service returns signature confirmation containing signature  
    130 # value sent by client 
    131 sessionManager.credentialWallet.wssecurity.applySignatureConfirmation: True 
    132  
    133 # Authentication service properties  
    134 sessionManager.authNService.moduleFilePath:  
    135 sessionManager.authNService.moduleName: ndg.security.test.config.sessionmanager.userx509certauthn 
    136 sessionManager.authNService.className: UserX509CertAuthN 
    137  
    138 # Specific settings for UserCertAuthN Session Manager authentication plugin 
    139 # This sets up PKI credentials for a single test account 
    140 sessionManager.authNService.userX509CertFilePath: %(testConfigDir)s/pki/user.crt 
    141 sessionManager.authNService.userPriKeyFilePath: %(testConfigDir)s/pki/user.key 
    142 sessionManager.authNService.userPriKeyPwd: testpassword 
     24beakerSessionKeyName = beaker.session.ndg.security.services 
     25 
     26dbConnectionString = sqlite:///%(testConfigDir)s/user.db 
    14327 
    14428[server:main] 
     
    14731port = %(portNum)s 
    14832 
    149 [filter-app:OpenIDProviderFilterApp] 
    150 use = egg:Paste#httpexceptions 
    151 next = cascade 
    152  
    153 # Composite for OpenID Provider to enable settings for picking up static  
    154 # content 
    155 [composit:cascade] 
    156 use = egg:Paste#cascade 
    157 app1 = OpenIDProviderStaticContent 
    158 app2 = OpenIDProviderApp 
    159 catch = 404 
    160  
    161 [app:OpenIDProviderStaticContent] 
    162 use = egg:Paste#static 
    163 document_root = %(here)s/openidprovider 
    164  
     33# Uncomment and replace OpenIDProviderApp with OpenIDProviderFilterApp in the 
     34# pipeline below if the RelyingParty filter is removed.  The RelyingParty 
     35# provides static content to both it and the Provider in this configuration. 
     36# See the staticContentDir setting in the OpenIDRelyingPartyFilter section 
     37#[filter-app:OpenIDProviderFilterApp] 
     38#use = egg:Paste#httpexceptions 
     39#next = cascade 
     40# 
     41## Composite for OpenID Provider to enable settings for picking up static  
     42## content 
     43#[composit:cascade] 
     44#use = egg:Paste#cascade 
     45#app1 = OpenIDProviderStaticContent 
     46#catch = 404 
     47# 
     48#[app:OpenIDProviderStaticContent] 
     49#use = egg:Paste#static 
     50#document_root = %(here)s/openidprovider 
     51 
     52# Ordering of filters and app is critical 
    16553[pipeline:main] 
    166 pipeline = wsseSignatureVerificationFilter  
    167                    AttributeAuthorityFilter  
    168            SessionManagerFilter  
    169            wsseSignatureFilter  
    170                    SessionMiddlewareFilter 
    171                    OpenIDProviderFilterApp 
     54pipeline = SessionMiddlewareFilter 
     55                   OpenIDRelyingPartyFilter 
     56                   OpenIDProviderApp 
    17257 
    17358#______________________________________________________________________________ 
     
    17560[filter:SessionMiddlewareFilter] 
    17661paste.filter_app_factory=beaker.middleware:SessionMiddleware 
    177 #beaker.session.key = sso 
    178 beaker.session.secret = somesecret 
     62beaker.session.key = openid 
     63beaker.session.secret = qKEdQdCr33NE087dRUWX3qUv5r7AsuQU 
    17964 
    18065# If you'd like to fine-tune the individual locations of the cache data dirs 
    18166# for the Cache data, or the Session saves, un-comment the desired settings 
    18267# here: 
    183 beaker.cache.data_dir = %(here)s/beaker/cache 
    184 beaker.session.data_dir = %(here)s/beaker/sessions 
     68beaker.cache.data_dir = %(here)s/openidprovider/beaker/cache 
     69beaker.session.data_dir = %(here)s/openidprovider/beaker/sessions 
     70beaker.session.cookie_expires = True 
     71 
     72#beaker.session.cookie_domain = .localhost 
     73 
     74# Key name for keying into environ dictionary 
     75environ_key = %(beakerSessionKeyName)s 
     76 
     77[filter:SSLCientAuthKitFilter] 
     78paste.filter_app_factory = authkit.authenticate:middleware 
     79 
     80# AuthKit Set-up 
     81setup.method=cookie 
     82 
     83# This cookie name and secret MUST agree with the name used by the  
     84# Authentication Filter used to secure a given app 
     85cookie.name=ndg.security.auth 
     86 
     87cookie.secret=9wvZObs9anUEhSIAnJNoY2iJq59FfYZr 
     88cookie.signoutpath = /logout 
     89 
     90# Disable inclusion of client IP address from cookie signature due to  
     91# suspected problem with AuthKit setting it when a HTTP Proxy is in place 
     92cookie.includeip = False 
     93 
     94#cookie.params.domain = .localhost 
     95 
     96[filter:OpenIDRelyingPartyFilter] 
     97paste.filter_app_factory =  
     98        ndg.security.server.wsgi.openid.relyingparty:OpenIDRelyingPartyMiddleware.filter_app_factory 
     99 
     100openid.relyingparty.baseURL = %(authkit.openid.baseurl)s 
     101 
     102# Uncomment to restrict sign in to a whitelist of trusted OpenID Providers. 
     103#openid.relyingparty.idpWhitelistConfigFilePath = %(here)s/openidrelyingparty/ssl-idp-validator.xml 
     104 
     105openid.relyingparty.signinInterfaceMiddlewareClass = ndg.security.server.wsgi.openid.relyingparty.signin_interface.genshi.GenshiSigninTemplate 
     106 
     107# Nb. in this configuration, this directory is provider static content for both  
     108# this filter and the OpenID Provider app downstream in the WSGI stack. 
     109openid.relyingparty.signinInterface.staticContentRootDir = %(here)s/public 
     110 
     111openid.relyingparty.signinInterface.baseURL = %(openid.relyingparty.baseURL)s 
     112openid.relyingparty.signinInterface.initialOpenID = %(openIDProviderIDSelectURI)s 
     113openid.relyingparty.signinInterface.heading = OpenID Sign-in 
     114 
     115# This setting will accept HTML mark-up 
     116openid.relyingparty.signinInterface.footerText = This site is for test purposes only.   <a class="FooterLink" href="http://openid.net/what/" target="_blank"><small>What is OpenID?</small></a> 
     117openid.relyingparty.signinInterface.rightLink = http://ceda.ac.uk/ 
     118openid.relyingparty.signinInterface.rightImage = %(openid.relyingparty.signinInterface.baseURL)s/layout/CEDA_RightButton60.png 
     119openid.relyingparty.signinInterface.rightAlt = Centre for Environmental Data Archival 
     120openid.relyingparty.signinInterface.helpIcon = %(openid.relyingparty.signinInterface.baseURL)s/layout/icons/help.png 
     121 
     122cache_dir = %(here)s/data 
     123 
     124# AuthKit Set-up 
     125authkit.setup.method=openid, cookie 
     126 
     127# This cookie name and secret MUST agree with the name used by the  
     128# Authentication Filter used to secure a given app 
     129authkit.cookie.name=ndg.security.auth 
     130 
     131authkit.cookie.secret=9wvZObs9anUEhSIAnJNoY2iJq59FfYZr 
     132authkit.cookie.signoutpath = /logout 
     133#authkit.cookie.params.domain = .localhost 
     134 
     135# Disable inclusion of client IP address from cookie signature due to  
     136# suspected problem with AuthKit setting it when a HTTP Proxy is in place 
     137authkit.cookie.includeip = False 
     138 
     139authkit.openid.path.signedin=/ 
     140authkit.openid.store.type=file 
     141authkit.openid.store.config=%(here)s/openidrelyingparty/store 
     142authkit.openid.session.key = authkit_openid 
     143authkit.openid.session.secret = random string 
     144 
     145# Key name for dereferencing beaker.session object held in environ 
     146authkit.openid.session.middleware = %(beakerSessionKeyName)s 
     147 
     148authkit.openid.baseurl = %(baseURI)s 
     149 
     150# Template for signin 
     151#authkit.openid.template.obj =  
     152 
     153# Handler for parsing OpenID and creating a session from it 
     154#authkit.openid.urltouser =  
     155 
     156# Attribute Exchange - all are optional unless the relevant ax.required.<name>  
     157# is set to True.  The alias defers to the parameter name given unless explicity 
     158# specified - see commented out entry for firstName below.  The number of 
     159# attributes for each attribute name defaults to 1 unless otherwise set 
     160#authkit.openid.ax.typeuri.firstName=http://openid.net/schema/namePerson/first 
     161#authkit.openid.ax.alias.firstName=firstName 
     162##authkit.openid.ax.count.firstName=1 
     163#authkit.openid.ax.required.firstName=True 
     164#authkit.openid.ax.typeuri.lastName=http://openid.net/schema/namePerson/last 
     165#authkit.openid.ax.alias.lastName=lastName 
     166#authkit.openid.ax.required.lastName=True 
     167#authkit.openid.ax.typeuri.emailAddress=http://openid.net/schema/contact/internet/email 
     168#authkit.openid.ax.alias.emailAddress=emailAddress 
     169#authkit.openid.ax.required.emailAddress=True 
     170 
     171# ESG Gateway requested parameters 
     172authkit.openid.ax.typeuri.uuid:http://openid.net/schema/person/guid 
     173authkit.openid.ax.alias.uuid=uuid 
     174authkit.openid.ax.typeuri.username:http://openid.net/schema/namePerson/friendly 
     175authkit.openid.ax.alias.username=username 
     176authkit.openid.ax.typeuri.firstname:http://openid.net/schema/namePerson/first 
     177authkit.openid.ax.alias.firstname=firstname 
     178authkit.openid.ax.required.firstname:True 
     179authkit.openid.ax.typeuri.middlename:http://openid.net/schema/namePerson/middle 
     180authkit.openid.ax.alias.middlename=middlename 
     181authkit.openid.ax.typeuri.lastname:http://openid.net/schema/namePerson/last 
     182authkit.openid.ax.required.lastname:True 
     183authkit.openid.ax.alias.lastname=lastname 
     184authkit.openid.ax.typeuri.email:http://openid.net/schema/contact/internet/email 
     185authkit.openid.ax.required.email:True 
     186authkit.openid.ax.alias.email=email 
     187authkit.openid.ax.typeuri.gateway:http://www.earthsystemgrid.org/gateway 
     188authkit.openid.ax.alias.gateway=gateway 
     189authkit.openid.ax.typeuri.organization:http://openid.net/schema/company/name 
     190authkit.openid.ax.alias.organization=organization 
     191authkit.openid.ax.typeuri.city:http://openid.net/schema/contact/city/home 
     192authkit.openid.ax.alias.city=city 
     193authkit.openid.ax.typeuri.state:http://openid.net/schema/contact/state/home 
     194authkit.openid.ax.alias.state=state 
     195authkit.openid.ax.typeuri.country:http://openid.net/schema/contact/country/home 
     196authkit.openid.ax.alias.country=country 
    185197 
    186198#______________________________________________________________________________ 
     
    188200[app:OpenIDProviderApp] 
    189201paste.app_factory=ndg.security.server.wsgi.openid.provider:OpenIDProviderMiddleware.app_factory 
    190 #openid.provider.path.openidserver=/openidserver 
    191 #openid.provider.path.login=/openid/login 
    192 #openid.provider.path.loginsubmit=/openid/loginsubmit 
    193 # 
    194 ## Comment out next two lines and uncomment the third to disable URL based  
    195 ## discovery and allow only Yadis based instead 
    196 ##openid.provider.path.id=/openid/id 
    197 ##openid.provider.path.yadis=/openid/yadis 
    198 #openid.provider.path.yadis=/openid/id/ 
    199 # 
    200 #openid.provider.path.serveryadis=/openid/serveryadis 
    201 #openid.provider.path.allow=/openid/allow 
    202 #openid.provider.path.decide=/openid/decide 
    203 #openid.provider.path.mainpage=/openid/ 
    204202 
    205203openid.provider.path.openidserver=/OpenID/Provider/server 
     
    207205openid.provider.path.loginsubmit=/OpenID/Provider/loginsubmit 
    208206 
    209 # Yadis based discovery only - the id path is configured to return 404 not 
    210 # found - see ndg.security.server.wsgi.openid.provider.renderinginterface. 
    211 # buffet.BuffetRendering class 
     207# Yadis based discovery only - the 'id' path is configured may be set to page 
     208# with <link rel="openid.server" href="..."> and Yadis  
     209# <meta http-equiv="x-xrds-location" content="..."> links if required but in  
     210# this implementation it set to return 404 not found - see  
     211# ndg.security.server.wsgi.openid.provider.renderinginterface.genshi.GenshiRendering  
     212# class 
    212213openid.provider.path.id=/OpenID/Provider/id/${userIdentifier} 
    213 openid.provider.path.yadis=/openid/${userIdentifier} 
    214  
    215 openid.provider.path.serveryadis=/openid 
     214openid.provider.path.yadis=%(openIDProviderIDBase)s/${userIdentifier} 
     215 
     216# Yadis based discovery for idselect mode - this is where the user has entered 
     217# a URI at the Relying Party which identifies their Provider only and not their 
     218# full ID URI.  e.g. https://badc.nerc.ac.uk instead of  
     219# https://badc.nerc.ac.uk/John 
     220openid.provider.path.serveryadis=%(openIDProviderIDBase)s 
    216221openid.provider.path.allow=/OpenID/Provider/allow 
    217222openid.provider.path.decide=/OpenID/Provider/decide 
    218 openid.provider.path.mainpage=/OpenID/Provider/main 
    219  
    220 openid.provider.session_middleware=beaker.session  
     223openid.provider.path.mainpage=/OpenID/Provider/home 
     224 
     225openid.provider.session_middleware=%(beakerSessionKeyName)s 
    221226openid.provider.base_url=%(baseURI)s 
     227 
     228# Enable login to construct an identity URI if IDSelect mode was chosen and 
     229# no identity URI was passed from the Relying Party.  This value should 
     230# match openid.provider.path.id and/or openid.provider.path.yadis - see above 
     231identityUriTemplate=%(baseURI)s%(openIDProviderIDBase)s/${userIdentifier} 
     232 
    222233openid.provider.trace=False 
    223234openid.provider.consumer_store_dirpath=%(here)s/openidprovider 
    224 openid.provider.renderingClass=ndg.security.server.wsgi.openid.provider.renderinginterface.buffet.BuffetRendering 
     235openid.provider.renderingClass=ndg.security.server.wsgi.openid.provider.renderinginterface.genshi.GenshiRendering 
    225236#openid.provider.renderingClass=ndg.security.server.wsgi.openid.provider.DemoRenderingInterface 
    226237 
    227 openid.provider.rendering.templateType = kid 
    228 openid.provider.rendering.templateRoot = ndg.security.server.wsgi.openid.provider.renderinginterface.buffet.templates 
    229 openid.provider.rendering.kid.assume_encoding= utf-8 
    230 openid.provider.rendering.kid.encoding = utf-8 
     238# Templates 
     239openid.provider.rendering.templateRootDir = %(here)s/openidprovider/templates 
    231240 
    232241# Layout 
    233242openid.provider.rendering.baseURL = %(openid.provider.base_url)s 
    234 openid.provider.rendering.leftLogo = %(openid.provider.rendering.baseURL)s/layout/NERC_Logo.gif 
    235 openid.provider.rendering.leftAlt = Natural Environment Research Council 
    236 openid.provider.rendering.ndgLink = http://ndg.nerc.ac.uk/ 
    237 openid.provider.rendering.ndgImage = %(openid.provider.rendering.baseURL)s/layout/ndg_logo_circle.gif 
    238 openid.provider.rendering.disclaimer = This site is for test purposes only and is under active development. 
    239 openid.provider.rendering.stfcLink = http://www.stfc.ac.uk/ 
    240 openid.provider.rendering.stfcImage = %(openid.provider.rendering.baseURL)s/layout/stfc-circle-sm.gif 
    241243openid.provider.rendering.helpIcon = %(openid.provider.rendering.baseURL)s/layout/icons/help.png 
    242  
    243  
    244 #openid.provider.sregResponse=ndg.security.server.pylons.container.lib.openid_provider_util:esgSregResponse 
    245 #openid.provider.axResponseHandler=ndg.security.server.pylons.container.lib.openid_provider_util:esgAXResponseHandler 
     244openid.provider.rendering.footerText = This site is for test purposes only. 
     245openid.provider.rendering.rightLink = http://ceda.ac.uk/ 
     246openid.provider.rendering.rightImage = %(openid.provider.rendering.baseURL)s/layout/CEDA_RightButton60.png 
     247openid.provider.rendering.rightAlt = Centre for Environmental Data Archival 
    246248 
    247249# Basic Authentication interface to demonstrate capabilities 
    248250#openid.provider.authNInterface=ndg.security.server.wsgi.openid.provider.authninterface.basic.BasicAuthNInterface 
    249 #openid.provider.authN.userCreds=pjk:test 
    250 #openid.provider.authN.username2UserIdentifiers=pjk:PhilipKershaw,P.J.Kershaw 
    251  
    252 # Link Authentication to a Session Manager instance running in the same WSGI 
    253 # stack or on a remote service 
    254 openid.provider.authNInterface=ndg.security.server.wsgi.openid.provider.authninterface.sessionmanager.SessionManagerOpenIDAuthNInterface 
    255  
    256 # Omit or leave as blank if the Session Manager is accessible locally in the 
    257 # same WSGI stack. 
    258 #openid.provider.authN.sessionManagerURI= 
    259  
    260 # environ dictionary key to Session Manager WSGI instance held locally.  The 
    261 # setting below is the default and can be omitted if it matches the filterID 
    262 # set for the Session Manager 
    263 openid.provider.authN.environKeyName=filter:SessionManagerFilter 
    264  
    265 # Database connection to enable check between username and OpenID identifier 
    266 openid.provider.authN.connectionString: postgres://postgres:testpassword@%(hostname)s/testUserDb 
    267 openid.provider.authN.logonSQLQuery: select username from openid where username = '$username' and ident = '$userIdentifier' 
    268 openid.provider.authN.userIdentifiersSQLQuery: select distinct ident from openid where username = '$username' 
     251openid.provider.authNInterface=ndg.security.server.wsgi.openid.provider.authninterface.sqlalchemy_authn.SQLAlchemyAuthnInterface 
     252openid.provider.authN.connectionString=%(dbConnectionString)s 
     253openid.provider.authN.logonSqlQuery=select count(*) from users where username = '${username}' and md5password = '${password}' 
     254openid.provider.authN.username2UserIdentifierSqlQuery=select openid_identifier from users where username = '${username}' 
     255openid.provider.authN.isMD5EncodedPwd=True 
     256 
     257# user login details format is: 
     258# <username>:<password>:<OpenID name>, ... <OpenID name N> <username>:... etc 
     259# Each user entry is delimited by a space. username, password and OpenID name 
     260# list are delimited by a colon.  The list of OpenID names are delimited by 
     261# commas.  The OpenID name represents the unique part of the OpenID URL for the 
     262# individual user.  Each username may have more than one OpenID alias but only 
     263# alias at a time may be registered with a given Attribute Authority 
     264openid.provider.authN.userCreds=pjk:testpassword:PhilipKershaw,P.J.Kershaw another:testpassword:A.N.Other 
    269265 
    270266# Basic authentication for testing/admin - comma delimited list of  
     
    272268#openid.provider.usercreds=pjk:test 
    273269 
    274 #______________________________________________________________________________ 
    275 # Attribute Authority WSGI settings 
    276 # 
    277 [filter:AttributeAuthorityFilter] 
    278 # This filter is a container for a binding to a SOAP based interface to the 
    279 # Attribute Authority 
    280 paste.filter_app_factory = ndg.security.server.wsgi.zsi:SOAPBindingMiddleware 
    281  
    282 # Use this ZSI generated SOAP service interface class to handle i/o for this 
    283 # filter 
    284 ServiceSOAPBindingClass = ndg.security.server.zsi.attributeauthority.AttributeAuthorityWS 
    285  
    286 # SOAP Binding Class specific keywords are in this section identified by this 
    287 # prefix: 
    288 ServiceSOAPBindingPropPrefix = AttributeAuthority 
    289  
    290 # The AttributeAuthority class has settings in the default section above  
    291 # identified by this prefix: 
    292 AttributeAuthority.propPrefix = attributeAuthority 
    293 AttributeAuthority.propFilePath = %(here)s/securityservices.ini 
    294 AttributeAuthority.wsseSignatureVerificationFilterID = filter:wsseSignatureVerificationFilter 
    295  
    296 # Provide an identifier for this filter so that main WSGI app  
    297 # CombinedServicesWSGI Session Manager filter can call this Attribute Authority 
    298 # directly 
    299 referencedFilters = filter:wsseSignatureVerificationFilter 
    300  
    301 # Path from URL for Attribute Authority in this Paste deployment 
    302 path = /AttributeAuthority 
    303  
    304 # External endpoint for this Attribute Authority - must agree with setting used 
    305 # to invoke this service set in: 
    306 # * serverapp.py  
    307 # * or port in [server:main] if calling with paster serve securityservices.ini 
    308 # * or something else e.g. proxied through Apache? 
    309 # This setting is used by Attribute Authority clients in this WSGI stack to see 
    310 # if a request is being made to the local service or to another Attribute  
    311 # Authority running elsewhere 
    312 publishedURI = %(baseURI)s%(path)s 
    313  
    314 # Enable ?wsdl query argument to list the WSDL content 
    315 enableWSDLQuery = True 
    316 charset = utf-8 
    317 filterID = %(__name__)s 
    318  
    319 #______________________________________________________________________________ 
    320 # Session Manager WSGI settings 
    321 # 
    322 [filter:SessionManagerFilter] 
    323 # This filter is a container for a binding to a SOAP based interface to the 
    324 # Session Manager 
    325 paste.filter_app_factory = ndg.security.server.wsgi.zsi:SOAPBindingMiddleware 
    326  
    327 # Use this ZSI generated SOAP service interface class to handle i/o for this 
    328 # filter 
    329 ServiceSOAPBindingClass = ndg.security.server.zsi.sessionmanager.SessionManagerWS 
    330  
    331 # SOAP Binding Class specific keywords are in this section identified by this 
    332 # prefix: 
    333 ServiceSOAPBindingPropPrefix = SessionManager 
    334  
    335 # The SessionManager class has settings in the default section above identified 
    336 # by this prefix: 
    337 SessionManager.propPrefix = sessionManager 
    338 SessionManager.propFilePath = %(here)s/securityservices.ini 
    339  
    340 # This filter references other filters - a local Attribute Authority (optional) 
    341 # and a WS-Security signature verification filter (required if using signature 
    342 # to authenticate user in requests 
    343 SessionManager.attributeAuthorityFilterID = filter:AttributeAuthorityFilter 
    344 SessionManager.wsseSignatureVerificationFilterID = filter:wsseSignatureVerificationFilter 
    345  
    346 # The SessionManagerWS SOAP interface class needs to know about these other  
    347 # filters 
    348 referencedFilters = filter:wsseSignatureVerificationFilter  
    349                                         filter:AttributeAuthorityFilter 
    350  
    351 # Path from URI for Session Manager in this Paste deployment 
    352 path = /SessionManager 
    353  
    354 # External endpoint for this Session Manager - must agree with setting used to 
    355 # invoke this service set in: 
    356 # * securityservicesapp.py  
    357 # * or port in [server:main] if calling with paster serve securityservices.ini 
    358 # * or something else e.g. proxied through Apache? 
    359 # This setting is used by Session Manager clients in this WSGI stack to see if 
    360 # a request is being made to the local service or to another session manager 
    361 # running elsewhere 
    362 publishedURI = %(baseURI)s%(path)s 
    363  
    364 # Enable ?wsdl query argument to list the WSDL content 
    365 enableWSDLQuery = True 
    366 charset = utf-8 
    367  
    368 # Provide an identifier for this filter so that main WSGI app  
    369 # CombinedServicesWSGI can call this Session Manager directly 
    370 filterID = %(__name__)s 
    371  
    372 #______________________________________________________________________________ 
    373 # WS-Security Signature Verification 
    374 [filter:wsseSignatureVerificationFilter] 
    375 paste.filter_app_factory = ndg.security.server.wsgi.wssecurity:SignatureVerificationFilter 
    376 filterID = %(__name__)s 
    377  
    378 # Settings for WS-Security SignatureHandler class used by this filter 
    379 wsseCfgFilePrefix = wssecurity 
    380  
    381 # Verify against known CAs - Provide a space separated list of file paths 
    382 wssecurity.caCertFilePathList=%(testConfigDir)s/ca/d573507a.0 
    383  
    384 #______________________________________________________________________________ 
    385 # Apply WS-Security Signature  
    386 [filter:wsseSignatureFilter] 
    387 paste.filter_app_factory = ndg.security.server.wsgi.wssecurity:ApplySignatureFilter 
    388  
    389 # Reference the verification filter in order to be able to apply signature 
    390 # confirmation 
    391 referencedFilters = filter:wsseSignatureVerificationFilter 
    392 wsseSignatureVerificationFilterID = filter:wsseSignatureVerificationFilter 
    393  
    394 # Last filter in chain of SOAP handlers writes the response 
    395 writeResponse = True 
    396  
    397 # Settings for WS-Security SignatureHandler class used by this filter 
    398 wsseCfgFilePrefix = wssecurity 
    399  
    400 # Certificate associated with private key used to sign a message.  The sign  
    401 # method will add this to the BinarySecurityToken element of the WSSE header.   
    402 wssecurity.signingCertFilePath=%(testConfigDir)s/pki/wsse-server.crt 
    403  
    404 # PEM encoded private key file 
    405 wssecurity.signingPriKeyFilePath=%(testConfigDir)s/pki/wsse-server.key 
    406  
    407 # Set the ValueType for the BinarySecurityToken added to the WSSE header for a 
    408 # signed message.  See __setReqBinSecTokValType method and binSecTokValType  
    409 # class variable for options - it may be one of X509, X509v3, X509PKIPathv1 or  
    410 # give full namespace to alternative - see  
    411 # ZSI.wstools.Namespaces.OASIS.X509TOKEN 
    412 # 
    413 # binSecTokValType determines whether signingCert or signingCertChain  
    414 # attributes will be used. 
    415 wssecurity.reqBinSecTokValType=X509v3 
    416  
    417 # Add a timestamp element to an outbound message 
    418 wssecurity.addTimestamp=True 
    419  
    420 # For WSSE 1.1 - service returns signature confirmation containing signature  
    421 # value sent by client 
    422 wssecurity.applySignatureConfirmation=True 
     270# Attribute Exchange interface 
     271#openid.provider.axResponse.class=ndg.security.server.wsgi.openid.provider.axinterface.csv.CSVFileAXInterface 
     272#openid.provider.axResponse.csvFilePath=%(here)s/openidprovider/attributeexchange.csv 
     273openid.provider.axResponse.class=ndg.security.server.wsgi.openid.provider.axinterface.sqlalchemy_ax.SQLAlchemyAXInterface 
     274openid.provider.axResponse.connectionString=%(dbConnectionString)s 
     275openid.provider.axResponse.sqlQuery = select firstname, lastname, emailaddress from users where username = '${username}' 
     276openid.provider.axResponse.attributeNames=http://openid.net/schema/namePerson/first 
     277    http://openid.net/schema/namePerson/last 
     278    http://openid.net/schema/contact/internet/email 
     279     
     280openid.provider.trustedRelyingParties=https://localhost:7443, https://ndg.somewhere.ac.uk, 
     281        https://badc.somewhere.ac.uk 
    423282 
    424283# Logging configuration 
     
    448307 
    449308[formatter_generic] 
    450 format = %(asctime)s,%(msecs)03d %(levelname)-5.5s [%(name)s] %(message)s 
    451 datefmt = %H:%M:%S 
    452  
     309format = %(asctime)s.%(msecs)03d %(levelname)-7.7s [%(name)s:%(lineno)s] %(message)s 
     310datefmt = %Y-%m-%d %H:%M:%S 
     311 
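--- a/TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/integration/openidprovider/securityservicesapp.py
+++ b/TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/integration/openidprovider/securityservicesapp.py
@@ -1,4 +1,4 @@
 #!/usr/bin/env python
-"""NDG Security test harness for securing an application with OpenID middleware
+"""NDG Security test harness for security web services middleware stack
 
 NERC DataGrid Project
@@ -6,33 +6,75 @@
 """
 __author__ = "P J Kershaw"
-__date__ = "26/02/09"
+__date__ = "20/11/08"
 __copyright__ = "(C) 2009 Science and Technology Facilities Council"
-__license__ = "BSD - See top-level directory for LICENSE file."
 __contact__ = "Philip.Kershaw@stfc.ac.uk"
 __revision__ = "$Id$"
 import os
 from os.path import dirname, abspath, join
+      
+from OpenSSL import SSL
+
+from ndg.security.test.unit import BaseTestCase, TEST_CONFIG_DIR
+from ndg.security.test.unit.wsgi import PasteDeployAppServer
+
+INI_FILEPATH = 'securityservices.ini'
+
+os.environ['NDGSEC_INTEGRATION_TEST_DIR'] = os.path.dirname(os.path.dirname(
+                                                                   __file__))
+os.environ[BaseTestCase.configDirEnvVarName] = TEST_CONFIG_DIR
+
+import optparse
+
+# To start run 
+# $ paster serve services.ini or run this file as a script, see
+# $ ./securityservicesapp.py -h
+if __name__ == '__main__':    
+    cfgFileName = INI_FILEPATH
+    cfgFilePath = os.path.join(dirname(abspath(__file__)), cfgFileName)  
+        
+    parser = optparse.OptionParser()
+    parser.add_option("-p",
+                      "--port",
+                      dest="port",
+                      default=7443,
+                      type='int',
+                      help="port number to run under")
+
+    parser.add_option("-s",
+                      "--with-ssl",
+                      dest="withSSL",
+                      default='True',
+                      help="Run with SSL")
+
+    parser.add_option("-c",
+                      "--conf",
+                      dest="configFilePath",
+                      default=cfgFilePath,
+                      help="Configuration file path")
     
-# To start run 
-# $ paster serve securityservices.ini or run this file as a script
-# $ ./securityservicesapp.py [port #]
-if __name__ == '__main__':
-    import sys
-    import logging
-    logging.basicConfig(level=logging.DEBUG)
+    # Initialise test user database
+    from ndg.security.test.unit import BaseTestCase
+    BaseTestCase.initDb()
+    
+    opt = parser.parse_args()[0]
+    
+    if opt.withSSL.lower() == 'true':
+        certFilePath = os.path.join(BaseTestCase.NDGSEC_TEST_CONFIG_DIR, 
+                                    'pki', 
+                                    'localhost.crt')
+        priKeyFilePath = os.path.join(BaseTestCase.NDGSEC_TEST_CONFIG_DIR, 
+                                      'pki', 
+                                      'localhost.key')
+        
+        ssl_context = SSL.Context(SSL.SSLv23_METHOD)
+        ssl_context.set_options(SSL.OP_NO_SSLv2)
+    
+        ssl_context.use_privatekey_file(priKeyFilePath)
+        ssl_context.use_certificate_file(certFilePath)
+    else:
+        ssl_context = None
 
-    if len(sys.argv) > 1:
-        port = int(sys.argv[1])
-    else:
-        port = 9443
-        
-    cfgFilePath = os.path.join(dirname(abspath(__file__)), 
-                               'securityservices.ini')
-        
-    from paste.httpserver import serve
-    from paste.deploy import loadapp
-    from paste.script.util.logging_config import fileConfig
-    
-    fileConfig(cfgFilePath)
-    app = loadapp('config:%s' % cfgFilePath)
-    serve(app, host='0.0.0.0', port=port)
+    server = PasteDeployAppServer(cfgFilePath=opt.configFilePath, 
+                                  port=opt.port,
+                                  ssl_context=ssl_context) 
+    server.start()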
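Review bot: The `--with-ssl` option added at new lines 43–47 is a free-text string that is only tested with `opt.withSSL.lower() == 'true'` at line 61, so any other spelling (`yes`, `1`, `on`) silently starts the harness without TLS instead of failing. Make it a real boolean, e.g. `parser.add_option("--no-ssl", dest="withSSL", action="store_false", default=True, help="Run without SSL")` and `if opt.withSSL:`, so the plaintext path has to be requested explicitly. The context built at lines 69–70 disables only SSLv2; `ssl_context.set_options(SSL.OP_NO_SSLv2 | SSL.OP_NO_SSLv3)` would also exclude SSLv3, which `SSLv23_METHOD` may otherwise still negotiate. The `from ndg.security.test.unit import BaseTestCase` at line 56 repeats the module-level import at line 17 and can be dropped; note also that `BaseTestCase.initDb()` at line 57 runs before `parse_args()`, so even `-h` initialises the test database.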