Changeset 7777 for TI12-security


Timestamp:
14/12/10 17:14:42 (9 years ago)
Author:
pjkersha
Message:

Incomplete - task 16: NDG Security 2.x.x - incl. updated Paster templates

  • Work on generic services template
Location:
TI12-security/trunk/NDGSecurity/python
Files:
29 added
7 edited

  • TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/paster_templates/Makefile

    r7775 r7777  
    1111# 
    1212# $Id$ 
     13 
     14# Settings for all Templates 
    1315ROOT_FILEPATH = ../../../../../ 
    1416DEST_DIR = ./ 
     
    2123INTEGRATION_TEST_DIR = ${TEST_DIR}integration/ 
    2224 
     25USERDB_FILENAME = user.db 
     26USERDB_FILEPATH = ${TEST_CONFIG_SRC_DIR}${USERDB_FILENAME} 
     27 
     28 
     29# Generic Services Template Settings 
     30SERVICE_SRC_DIRNAME = full_system/ 
     31SERVICE_DEST_DIRNAME = services/ 
     32SERVICE_SRC_DIR = ${INTEGRATION_TEST_DIR}${SERVICE_SRC_DIRNAME} 
     33SERVICE_DEST_DIR = ${DEST_DIR}${SERVICE_DEST_DIRNAME} 
     34SERVICE_SRC_INI_FILENAME = securityservices.ini 
     35SERVICE_SRC_INI_FILEPATH = ${SERVICE_SRC_DIR}${SERVICE_SRC_INI_FILENAME} 
     36SERVICE_INI_FILEPATH_TMP = ${SERVICE_DEST_DIR}${SERVICE_SRC_INI_FILENAME} 
     37SERVICE_INI_TMPL_FILEPATH = ${SERVICE_DEST_DIR}service.ini_tmpl 
     38SERVICE_PKI_DEST_DIR = ${SERVICE_DEST_DIR}pki/ 
     39SERVICE_CA_DEST_DIR = ${SERVICE_PKI_DEST_DIR}ca/ 
     40SERVICE_SURPLUS_FILES = README __init__.* attributeinterface.* securedapp.* \ 
     41        securityservicesapp.* request-filter.xml pep_result_handler *.pyc 
     42 
     43service_tmpl: ${SERVICE_SRC_DIR} 
     44        @-echo Preparing Generic Services template ... 
     45        @-echo 
     46        @-echo Copying configuration files ... 
     47        @-cp -r ${SERVICE_SRC_DIR} ${SERVICE_DEST_DIR} 2> /dev/null 
     48        @-echo Clear out SVN directories ... 
     49        @-find ${SERVICE_DEST_DIR} -name ".svn" -print | xargs /bin/rm -rf 
     50        @-echo Remove unneeded files ... 
     51        -for i in ${SERVICE_SURPLUS_FILES} ; do \ 
     52                rm -rf ${SERVICE_DEST_DIR}$$i ; \ 
     53        done ; 
     54        @-echo Making substitutions for template variables ... 
     55        sed -e s/'portNum = .*'/'portNum = $$\{portNumber}'/ \ 
     56        -e s/'baseURI =.*'/'baseURI = $$\{baseURI}'/ \ 
     57        -e s/'saml\.soapbinding\.mountPath.*'/'saml.soapbinding.mountPath = $$\{attributeServiceMountPoint\}'/ \ 
     58        -e s/'saml\.mountPath.*'/'saml.mountPath = $$\{authorisationServiceMountPoint\}'/ \ 
     59        -e s/'saml\.soapbinding\.issuerName =.*'/'saml.soapbinding.issuerName = $$\{attributeServiceIssuerName}'/ \ 
     60        -e s/'saml\.issuerName =.*'/'samlIssuerName = $$\{authorisationServiceIssuerName}'/ \ 
     61        -e s/'saml\.soapbinding\.issuerFormat =.*'/'saml.soapbinding.issuerFormat = $$\{attributeServiceIssuerFormat}'/ \ 
     62        -e s/'saml\.issuerFormat =.*'/'saml.issuerFormat = $$\{authorisationServiceIssuerFormat}'/ \ 
     63        -e s/'authkitCookieSecret =.*'/'authkitCookieSecret = $$\{authkitCookieSecret}'/ \ 
     64        -e s/'beakerSessionCookieSecret =.*'/'beakerSessionCookieSecret = $$\{beakerSessionCookieSecret}'/ \ 
     65        -e s/'authkit.openid.session.secret = .*'/'authkit.openid.session.secret = $$\{openidRelyingPartyCookieSecret}'/ \ 
     66        -e s/'testConfigDir = .*'// \ 
     67        -e s/testConfigDir/here/g \ 
     68        ${SERVICE_INI_FILEPATH_TMP} > ${SERVICE_INI_TMPL_FILEPATH} 
     69        rm -f ${SERVICE_INI_FILEPATH_TMP} 
     70        @-echo 
     71        @-echo Create PKI directory and copying files ... 
     72        -mkdir ${SERVICE_PKI_DEST_DIR} 
     73        cp ${SERVER_CERT_SRC_FILEPATH} ${SERVICE_PKI_DEST_DIR} 
     74        cp ${SERVER_KEY_SRC_FILEPATH} ${SERVICE_PKI_DEST_DIR} 
     75        -mkdir ${SERVICE_CA_DEST_DIR} 
     76        cp ${CA_SRC_DIR}* ${SERVICE_CA_DEST_DIR} 
     77        @-echo Copying test SQLite user database ... 
     78        cp ${USERDB_FILEPATH} ${SERVICE_DEST_DIR} 
     79        @-echo 
     80        @-echo Done. 
     81         
     82service_tmpl_clean: 
     83        @-echo Clearing Services template ... 
     84        rm -rf ${SERVICE_DEST_DIR} 
     85 
     86 
     87# Authorisation Service Template Settings 
    2388AUTHZ_SERVICE_DIRNAME = authorisationservice/ 
    2489AUTHZ_SERVICE_SRC_DIR = ${TEST_CONFIG_SRC_DIR}${AUTHZ_SERVICE_DIRNAME} 
     
    58123        @-echo Clearing Authorisation Service template ... 
    59124        rm -rf ${AUTHZ_SERVICE_DEST_DIR} 
    60          
    61 USERDB_FILENAME = user.db 
    62 USERDB_FILEPATH = ${TEST_CONFIG_SRC_DIR}${USERDB_FILENAME} 
    63  
     125 
     126 
     127# Attribute Service Template 
    64128ATTR_SERVICE_DIRNAME = attributeservice/ 
    65129ATTR_SERVICE_SRC_DIR = ${TEST_CONFIG_SRC_DIR}attributeauthority/sitea/ 
     
    150214 
    151215         
    152 clean: authorisation_service_tmpl_clean attribute_service_tmpl_clean openidprovider_tmpl_clean 
    153  
     216clean: service_tmpl_clean authorisation_service_tmpl_clean \ 
     217                attribute_service_tmpl_clean openidprovider_tmpl_clean 
     218 
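Review bot: The `saml\.issuerName` substitution at new line 60 emits the key as `samlIssuerName` rather than `saml.issuerName`, so the generated service.ini_tmpl carries an unrecognised key and the Authorisation Service's issuer-name setting is silently dropped; the replacement should be `'saml.issuerName = $$\{authorisationServiceIssuerName}'`. The recipe also copies the repository's test server certificate and key, the test CA directory and the test user.db into every generated deployment (new lines 73-78), so a site built from this template starts with credentials that are shared and public; a comment in the recipe and in the template's README stating these are placeholders to be replaced would make that explicit. The secret-scrubbing at lines 63-65 depends on the exact spellings `authkitCookieSecret =` and `beakerSessionCookieSecret =` in securityservices.ini, so a rename in the source ini would leave the literal test secret in the template; a post-check such as `grep -q 'authkitCookieSecret = \$' ${SERVICE_INI_TMPL_FILEPATH}` after the sed step would catch that.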
  • TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/paster_templates/services/authn

    • Property svn:ignore set to
      beaker
  • TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/paster_templates/template.py

    r7775 r7777  
    1414import socket 
    1515import base64 
     16from urlparse import urlunsplit 
    1617from paste.script.templates import Template, var 
    1718_hostTuple = socket.gethostbyaddr(socket.gethostname()) 
     
    2324    _hostname = _hostTuple[0] 
    2425     
    25 vars = [ 
    26     var('siteName',  
    27         ('Full name for this site used by the Attribute Authority to describe ' 
    28          'this site'), 
    29         default='NDG Partner Site'), 
    30     var('attributeAuthorityID',  
    31         ('Unique identity by which this Attribute Authority will be known by ' 
    32          'other trusted sites'), 
    33         default=_hostname) 
    34 ] 
     26from ndg.saml.saml2.core import Issuer     
    3527 
    3628 
    37 class DefaultDeploymentTemplate(Template): 
    38     _template_dir = 'default_deployment' 
    39     summary = 'NERC DataGrid Security services deployment template' 
    40     vars = vars 
    41  
    42          
    4329class ServicesTemplate(Template): 
    4430    """Make a template containing all the Security Services avaliable with 
     
    4733    to suit 
    4834    """ 
     35    DEFAULT_PORT_NUM = 7443 
     36    DEFAULT_URI = urlparse.urlunsplit(('https', _hostname, '/', None, None)) 
     37     
     38    ATTRIBUTE_SERVICE_DEFAULT_MOUNT_POINT = '/AttributeService' 
     39    ATTRIBUTE_SERVICE_DEFAULT_ISSUER_NAME = '/O=Site A/CN=Attribute Authority' 
     40    ATTRIBUTE_SERVICE_DEFAULT_ISSUER_FORMAT = Issuer.X509_SUBJECT 
     41     
     42    AUTHORISATION_SERVICE_DEFAULT_ISSUER_NAME = '/O=Site A/CN=Authorisation Service' 
     43    AUTHORISATION_SERVICE_DEFAULT_ISSUER_FORMAT = Issuer.X509_SUBJECT 
     44    AUTHORISATION_SERVICE_DEFAULT_MOUNT_POINT = '/AuthorisationService' 
     45     
    4946    _template_dir = 'services' 
    5047    summary = ('NERC DataGrid Security services full deployment template ' 
     
    5249               'OpenID Provider application, OpenID Relying Party and SSL ' 
    5350               'client authentication services') 
    54     vars = vars 
     51    vars = [ 
     52        var('portNumber', 
     53            'Port number to run service on (applies to paster ONLY)', 
     54            default=DEFAULT_PORT_NUM), 
     55             
     56        var('baseURI', 
     57            'Base URI for the service', 
     58            default=DEFAULT_URI), 
     59             
     60        var('attributeServiceMountPoint', 
     61            'Mount point for Attribute Service', 
     62            ATTRIBUTE_SERVICE_DEFAULT_MOUNT_POINT), 
     63             
     64        var('authorisationServiceMountPoint', 
     65            'Mount point for Authorisation Service', 
     66            AUTHORISATION_SERVICE_DEFAULT_MOUNT_POINT), 
     67             
     68        var('attributeServiceIssuerName', 
     69            'SAML Issuer Name field for Attribute Service SAML responses', 
     70            ATTRIBUTE_SERVICE_DEFAULT_ISSUER_NAME), 
     71             
     72        var('authorisationServiceIssuerName', 
     73            'SAML Issuer Name field for Authorisation Service SAML responses', 
     74            AUTHORISATION_SERVICE_DEFAULT_ISSUER_NAME), 
     75             
     76        var('attributeServiceIssuerFormat', 
     77            'SAML Issuer Name field for Attribute Service SAML responses', 
     78            ATTRIBUTE_SERVICE_DEFAULT_ISSUER_FORMAT), 
     79             
     80        var('authorisationServiceIssuerFormat', 
     81            'SAML Issuer Name field for Authorisation Service SAML responses', 
     82            AUTHORISATION_SERVICE_DEFAULT_ISSUER_FORMAT), 
    5583 
     84        var('authkitCookieSecret',  
     85            ('Cookie secret for AuthKit authentication middleware.  This value ' 
     86             'MUST agree with the one used for the ini file of the application ' 
     87             'to be secured'), 
     88            default=base64.b64encode(os.urandom(32))[:32]), 
     89 
     90        var('beakerSessionCookieSecret',  
     91            'Secret for securing the OpenID Provider and SSL Client ' 
     92            'authenticationsession cookie', 
     93            default=base64.b64encode(os.urandom(32))[:32]), 
     94             
     95        var('openidRelyingPartyCookieSecret', 
     96            'Secret for secuing OpenID Relying Party session cookie', 
     97            default=base64.b64encode(os.urandom(32))[:32])     
     98        ] 
     99             
    56100         
    57101class SecuredAppTemplate(Template): 
    58     _template_dir = 'full_deployment' 
     102    """Create a template for a secured application with authentication and 
     103    authorisation filters""" 
     104     
     105    _template_dir = 'secured_application' 
    59106    summary = ( 
    60107        'Template to secure an application with NERC DataGrid Security ' 
     
    76123    ] 
    77124 
    78          
    79 from ndg.saml.saml2.core import Issuer 
    80125 
    81126class AuthorisationServiceTemplate(Template): 
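Review bot: `DEFAULT_URI = urlparse.urlunsplit(...)` at new line 36 refers to the module name `urlparse`, but line 16 imports only the function (`from urlparse import urlunsplit`), so importing this module raises NameError when ServicesTemplate's class body executes; it should read `DEFAULT_URI = urlunsplit(('https', _hostname, '/', None, None))`. The cookie-secret defaults at lines 88, 93 and 97 call `os.urandom`, and no `import os` is visible among the imports shown at lines 14-16 — confirm it exists above the hunk. Those defaults are evaluated once at import time, so every template instantiated in the same process receives the same three secrets; that is probably acceptable for a one-shot paster command but deserves a comment next to the `vars` list. Separately, the descriptions for `attributeServiceIssuerFormat` and `authorisationServiceIssuerFormat` (lines 77 and 81) repeat the 'SAML Issuer Name field' wording from the issuer-name entries and should say 'SAML Issuer Format field'.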
  • TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/config/attributeauthority/sitea/site-a.ini

    r7733 r7777  
    11# 
    2 # PasteDeploy ini file for Attribute Authority Unit tests Site A Server 
     2# Description: PasteDeploy ini file for Attribute Authority Unit tests Site A Server 
    33#  
    44# NERC Data Grid Project 
    55#  
    6 # P J Kershaw 12/09/08 
     6# Author: P J Kershaw 
     7# 
     8# Date: 12/09/08 
    79#  
    810# Copyright (C) 2010 Science and Technology Facilities Council 
     
    2527# Binding filter only. 
    2628[pipeline:main] 
    27 pipeline = AttributeAuthorityFilter  
    28                    AttributeAuthoritySamlSoapBindingFilter 
    29                    mainApp 
     29pipeline = AttributeAuthorityFilter AttributeAuthoritySamlSoapBindingFilter mainApp 
    3030 
    3131 
     
    7373 
    7474saml.soapbinding.issuerName: /O=Site A/CN=Attribute Authority 
     75saml.soapbinding.issuerFormat: urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName 
    7576 
    7677# Logging configuration 
  • TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/integration/full_system/README

    r7077 r7777  
    1 Integration Tests to test NDG Authorisation without a Session Manager 
    2 ===================================================================== 
    3 In the authz integration test parallel to this directory, a Session Manager is 
    4 included in the security services paster application.  This service caches 
    5 security credentials for efficiency.  It is queried by the  
    6 AuthorizationFilter's Policy Information Point in order to retrieve user 
    7 attribute certificates.  In this configuration, the PIP contacts the  
    8 Attribute Authority directly to retrieving Attribute Certificates rather than 
    9 going via the Session Manager intermediary.  This simplifies the configuration 
    10 but with a possible performance penalty. 
     1Integration Tests to test NDG Security Authentication and Authorisation 
     2======================================================================= 
     3Test an example HTTP WSGI application with the full security system including  
     4OpenID Relying Party, Provider, SAML Attribute and Authorisation services and 
     5SSL client based authentication. 
    116 
    127To run, 
     
    2621 
    2722The links are secured with the policy file, policy.xml.  User attributes are 
    28 determined by the Attribute Authority configuration set in  
    29 ndg.security.test.config.attributeauthority.sitea.siteAUserRoles 
     23determined by the Attribute Authority configuration set in the user.db example 
     24database 
    3025 
    31 P J Kershaw 19/05/09 
     26P J Kershaw 14/12/10 
  • TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/integration/full_system/securityservices.ini

    r7709 r7777  
    11# 
    2 # NERC DataGrid Security 
    3 # 
    4 # Paste configuration for combined SAML Attribute Authority and Authorisation 
    5 # Services, OpenID Relying Party and Provider services and SSL client  
    6 # authentication filters.  This is for test purposes only.  A production system 
    7 # might deploy these on different hosts or separate WSGI scripts. 
    8 # 
    9 # The %(here)s variable will be replaced with the parent directory of this file 
    10 # 
    11 # Author: P J Kershaw 
    12 # date: 01/07/09 
    13 # Copyright: (C) 2009 Science and Technology Facilities Council 
    14 # license: BSD - see LICENSE file in top-level directory 
    15 # Contact: Philip.Kershaw@stfc.ac.uk 
    16 # Revision: $Id$ 
    17  
     2# Title:        NERC DataGrid Security Paste INI file template for all services 
     3# 
     4# Description:  Paste configuration for combined SAML Attribute Authority and  
     5#               Authorisation Services, OpenID Relying Party and Provider  
     6#               services and SSL client authentication filters.  This is for  
     7#               test purposes only.  A production system might deploy these on  
     8#               different hosts or separate WSGI scripts. 
     9# 
     10#               The %(here)s variable will be replaced with the parent directory  
     11#               of this file 
     12# 
     13# Author:       P J Kershaw 
     14# Date:         01/07/09 
     15# Copyright:    (C) 2009 Science and Technology Facilities Council 
     16# license:      BSD - see LICENSE file in top-level directory 
     17# Contact:      Philip.Kershaw@stfc.ac.uk 
     18# Revision:     $Id$ 
     19 
     20# Settings global to all sections 
    1821[DEFAULT] 
    1922portNum = 7443 
    2023hostname = localhost 
    2124scheme = https 
    22 baseURI = %(scheme)s://%(hostname)s:%(portNum)s 
    23 openIDProviderIDBase = /openid 
     25baseURI = %(scheme)s://%(hostname)s:%(portNum)s/ 
     26openIDProviderIDBase = openid/ 
     27 
     28# The default OpenID set in the Relying Party form text field.  As shown it is 
     29# set so that the special IDSelect mode can be used where the user enters only 
     30# the portion of the URI identifying their Provider instead of their full 
     31# OpenID URI 
    2432openIDProviderIDSelectURI = %(baseURI)s%(openIDProviderIDBase)s 
    2533testConfigDir = %(here)s/../../config 
     34 
     35# Beaker session is used across multiple sections so is set here to ensure  
     36# consistency 
    2637beakerSessionKeyName = beaker.session.ndg.security.services 
    2738 
    28 # Global Attribute Authority Settings 
     39# Environ dict key name for Attribute Authority's SAML attribute query callback 
    2940attributeQueryInterfaceEnvironKeyName = ndg.security.server.attributeauthority.attributeQueryInterface 
    3041 
    31 # ... and Authorisation Service 
     42# Similarly the environ key name for the Authorisation Service's SAML  
     43# authorisation decision query callback  
    3244authzDecisionQueryInterfaceEnvironKeyName = ndg.security.server.wsgi.authz.service.authzDecisionQueryInterface 
    3345 
     46# This is set to a test SQLite database alter as needed 
    3447dbConnectionString = sqlite:///%(testConfigDir)s/user.db 
     48         
     49# AuthKit Cookie secret used to secure it.  This secret must be the same as the 
     50# one used in the equivalent secured application(s) ini file(s) that use this 
     51# ini file's OpenID Relying Party and SSL authentication service.  This is 
     52# because the cookie is shared between the secured app(s) and this app so that 
     53# a user's OpenID can be communicated between them. 
     54authkitCookieSecret = 9wvZObs9anUEhSIAnJNoY2iJq59FfYZr 
     55 
     56# Secret for OpenID Provider cookie 
     57beakerSessionCookieSecret = qKEdQdCr33NE087dRUWX3qUv5r7AsuQU 
     58 
    3559 
    3660[server:main] 
     
    5882#document_root = %(here)s/openidprovider 
    5983 
    60 # Ordering of filters and app is critical 
     84# Ordering of filters and final app is critical 
    6185[pipeline:main] 
    6286pipeline = AttributeAuthorityFilter  
     
    6488           AuthorisationServiceFilter 
    6589           AuthorisationSamlSoapBindingFilter 
    66                    SessionMiddlewareFilter 
    67                    SSLCientAuthKitFilter 
    68                    SSLClientAuthenticationFilter 
    69                    SSLCientAuthnRedirectResponseFilter 
    70                    OpenIDRelyingPartyFilter 
    71                    OpenIDProviderApp 
    72  
    73 #______________________________________________________________________________ 
    74 # Beaker Session Middleware (used by OpenID Provider Filter) 
     90           SessionMiddlewareFilter 
     91           SSLClientAuthKitFilter 
     92           SSLClientAuthenticationFilter 
     93           SSLClientAuthnRedirectResponseFilter 
     94           OpenIDRelyingPartyFilter 
     95           OpenIDProviderApp 
     96 
     97#______________________________________________________________________________ 
     98# Beaker Session Middleware (used by OpenID Provider) 
    7599[filter:SessionMiddlewareFilter] 
    76100paste.filter_app_factory=beaker.middleware:SessionMiddleware 
    77101beaker.session.key = openid 
    78 beaker.session.secret = qKEdQdCr33NE087dRUWX3qUv5r7AsuQU 
     102beaker.session.secret = %(beakerSessionCookieSecret)s 
    79103 
    80104# If you'd like to fine-tune the individual locations of the cache data dirs 
     
    85109beaker.session.cookie_expires = True 
    86110 
    87 #beaker.session.cookie_domain = .localhost 
    88  
    89111# Key name for keying into environ dictionary 
    90112environ_key = %(beakerSessionKeyName)s 
    91113 
    92 [filter:SSLCientAuthKitFilter] 
     114#______________________________________________________________________________ 
     115# Sets AuthKit cookie for SSL Client based authentication method 
     116[filter:SSLClientAuthKitFilter] 
    93117paste.filter_app_factory = authkit.authenticate:middleware 
    94118 
     
    100124cookie.name=ndg.security.auth 
    101125 
    102 cookie.secret=9wvZObs9anUEhSIAnJNoY2iJq59FfYZr 
     126cookie.secret=%(authkitCookieSecret)s 
    103127cookie.signoutpath = /logout 
    104128 
     
    107131cookie.includeip = False 
    108132 
    109 #cookie.params.domain = .localhost 
    110  
     133#______________________________________________________________________________ 
    111134# SSL Client Certificate based authentication is invoked if the client passed 
    112 # a certificate with request.  This bypasses OpenID based authn. 
     135# a certificate with request.  This bypasses OpenID based authentication 
    113136[filter:SSLClientAuthenticationFilter] 
    114137paste.filter_app_factory = ndg.security.server.wsgi.ssl:AuthKitSSLAuthnMiddleware 
     
    118141# out or remove this item.  e.g. set CA verification in the Apache config file. 
    119142ssl.caCertFilePathList = %(testConfigDir)s/ca/d573507a.0 
     143 
     144# Apply whitelisting of client certificate DNs.  This should never be needed in 
     145# this context.  The only reason to use it might be as a means to set a crude  
     146# access control list of DNs 
    120147#ssl.clientCertDNMatchList = /O=NDG/OU=BADC/CN=mytest /O=gabriel/OU=BADC/CN=test /O=NDG/OU=BADC/CN=test 
    121148 
    122 # 'HTTP_' prefix is set when passed through a proxy 
    123 ssl.sslKeyName = HTTP_HTTPS 
    124 ssl.sslClientCertKeyName = HTTP_SSL_CLIENT_CERT 
    125  
    126 # Set the URI pattern match here to interrupt a redirect to the OpenID Relying  
    127 # Party from the service running over HTTP and see if a client certificate has  
    128 # been set 
     149# The 'HTTP_' prefix is set when passed through a proxy with Apache, for example 
     150# if it's possible to run this ini file with paster and expose it through port 
     151# 443 via ProxyPass and ProxyPassReverse Apache directives. 
     152#ssl.sslKeyName = HTTP_HTTPS 
     153#ssl.sslClientCertKeyName = HTTP_SSL_CLIENT_CERT 
     154 
     155# Set the intercept URI.  Request URIs matching this pattern will be processed 
     156# by this filter.  The pattern is set here to match the URI that would normally 
     157# be processed by the OpenID Relying Party.  If this filter finds a client  
     158# cert set from the SSL handshake it will apply authentication based on this, if 
     159# not it will let the request pass by and on to the OpenID Relying Party.  The 
     160# latter is then therefore the default and 'catch all' for authentication  
     161# requests.  
    129162ssl.rePathMatchList = ^/verify.* 
    130163 
     164#______________________________________________________________________________ 
     165# OpenID Relying Party.  This filter is set to run over SSL so that it can work 
     166# together with the SSL Client Authentication filter above so that tandem 
     167# authentication methods are supported.  It can be invoked from a HTTP app by  
     168# the ndg.security.server.wsgi.authn.AuthenticationMiddleware which causes a  
     169# redirect to this endpoint. 
    131170[filter:OpenIDRelyingPartyFilter] 
    132171paste.filter_app_factory =  
     
    168207authkit.cookie.name=ndg.security.auth 
    169208 
    170 authkit.cookie.secret=9wvZObs9anUEhSIAnJNoY2iJq59FfYZr 
     209authkit.cookie.secret=%(authkitCookieSecret)s 
    171210authkit.cookie.signoutpath = /logout 
    172211#authkit.cookie.params.domain = .localhost 
     
    186225 
    187226authkit.openid.baseurl = %(baseURI)s 
    188  
    189 # Template for signin 
    190 #authkit.openid.template.obj =  
    191  
    192 # Handler for parsing OpenID and creating a session from it 
    193 #authkit.openid.urltouser =  
    194227 
    195228# Attribute Exchange - all are optional unless the relevant ax.required.<name>  
     
    235268authkit.openid.ax.alias.country=country 
    236269 
    237 [filter:SSLCientAuthnRedirectResponseFilter] 
     270#______________________________________________________________________________ 
    238271# Redirect to original requested URI following SSL Client Authentication.  This 
    239272# filter must be placed AFTER the AuthKit cookie setting middleware.  In this 
    240 # case its configured in the OpenIDRelyingPartyMiddleware filter.  If the 
     273# case here it's configured in the OpenIDRelyingPartyMiddleware filter.  If the 
    241274# OpenID Relying Party filter is removed, a separate AuthKit middleware entry 
    242275# would need to be made so that this redirect filter can still function 
     276[filter:SSLClientAuthnRedirectResponseFilter] 
    243277paste.filter_app_factory = ndg.security.server.wsgi.authn:AuthKitRedirectResponseMiddleware 
    244278prefix = ssl. 
     
    261295# class 
    262296openid.provider.path.id=/OpenID/Provider/id/${userIdentifier} 
    263 openid.provider.path.yadis=%(openIDProviderIDBase)s/${userIdentifier} 
     297openid.provider.path.yadis=%(openIDProviderIDBase)s${userIdentifier} 
    264298 
    265299# Yadis based discovery for idselect mode - this is where the user has entered 
     
    278312# no identity URI was passed from the Relying Party.  This value should 
    279313# match openid.provider.path.id and/or openid.provider.path.yadis - see above 
    280 identityUriTemplate=%(baseURI)s%(openIDProviderIDBase)s/${userIdentifier} 
     314identityUriTemplate=%(baseURI)s%(openIDProviderIDBase)s${userIdentifier} 
    281315 
    282316openid.provider.trace=False 
    283317openid.provider.consumer_store_dirpath=%(here)s/openidprovider 
     318 
     319# A custom rendering class can be plugged in here.  A Genshi based renderer is  
     320# currently set 
    284321openid.provider.renderingClass=ndg.security.server.wsgi.openid.provider.renderinginterface.genshi.GenshiRendering 
    285322#openid.provider.renderingClass=ndg.security.server.wsgi.openid.provider.DemoRenderingInterface 
    286323 
    287 # Templates 
     324# Template directory 
    288325openid.provider.rendering.templateRootDir = %(here)s/openidprovider/templates 
    289326 
    290327# Layout 
    291328openid.provider.rendering.baseURL = %(openid.provider.base_url)s 
    292 #openid.provider.rendering.leftLogo = %(openid.provider.rendering.baseURL)s/layout/NERC_Logo.gif 
    293 #openid.provider.rendering.leftAlt = Natural Environment Research Council 
    294 #openid.provider.rendering.leftLink = http://ndg.nerc.ac.uk/ 
    295 #openid.provider.rendering.leftImage = %(openid.provider.rendering.baseURL)s/layout/ndg_logo_circle.gif 
    296329openid.provider.rendering.helpIcon = %(openid.provider.rendering.baseURL)s/layout/icons/help.png 
    297330openid.provider.rendering.footerText = This site is for test purposes only. 
     
    300333openid.provider.rendering.rightAlt = Centre for Environmental Data Archival 
    301334 
    302 # Basic Authentication interface to demonstrate capabilities 
    303 #openid.provider.authNInterface=ndg.security.server.wsgi.openid.provider.authninterface.basic.BasicAuthNInterface 
     335# SQLAlchemy based authentication interface 
    304336openid.provider.authNInterface=ndg.security.server.wsgi.openid.provider.authninterface.sqlalchemy_authn.SQLAlchemyAuthnInterface 
     337 
     338# See the connection string setting set in the DEFAULT section 
    305339openid.provider.authN.connectionString=%(dbConnectionString)s 
    306340openid.provider.authN.logonSqlQuery=select count(*) from users where username = '${username}' and md5password = '${password}' 
    307341openid.provider.authN.username2UserIdentifierSqlQuery=select openid_identifier from users where username = '${username}' 
     342 
     343# Set to true if the password in the database is MD5 encrypted. 
    308344openid.provider.authN.isMD5EncodedPwd=True 
    309345 
     346# This is a more interface which makes settings via this INI parameters instead  
     347# of a database 
     348#openid.provider.authNInterface=ndg.security.server.wsgi.openid.provider.authninterface.basic.BasicAuthNInterface 
     349 
     350# This setting applies to the BasicAuthNInterface only  
    310351# user login details format is: 
    311352# <username>:<password>:<OpenID name>, ... <OpenID name N> <username>:... etc 
     
    315356# individual user.  Each username may have more than one OpenID alias but only 
    316357# alias at a time may be registered with a given Attribute Authority 
    317 openid.provider.authN.userCreds=pjk:testpassword:PhilipKershaw,P.J.Kershaw another:testpassword:A.N.Other 
     358#openid.provider.authN.userCreds=pjk:testpassword:PhilipKershaw,P.J.Kershaw another:testpassword:A.N.Other 
    318359 
    319360# Basic authentication for testing/admin - comma delimited list of  
     
    321362#openid.provider.usercreds=pjk:test 
    322363 
    323 # Attribute Exchange interface 
    324 #openid.provider.axResponse.class=ndg.security.server.wsgi.openid.provider.axinterface.csv.CSVFileAXInterface 
    325 #openid.provider.axResponse.csvFilePath=%(here)s/openidprovider/attributeexchange.csv 
     364# Attribute Exchange interface - extract attributes from a database based on the 
     365# username of the client 
    326366openid.provider.axResponse.class=ndg.security.server.wsgi.openid.provider.axinterface.sqlalchemy_ax.SQLAlchemyAXInterface 
    327367openid.provider.axResponse.connectionString=%(dbConnectionString)s 
     368 
     369# Ordering is important here: the query results and names fields should exactly  
     370# map one to the other 
    328371openid.provider.axResponse.sqlQuery = select firstname, lastname, emailaddress from users where username = '${username}' 
    329372openid.provider.axResponse.attributeNames=http://openid.net/schema/namePerson/first 
     
    331374    http://openid.net/schema/contact/internet/email 
    332375     
     376# This is an alternative simple CSV file based AX interface class 
     377#openid.provider.axResponse.class=ndg.security.server.wsgi.openid.provider.axinterface.csv.CSVFileAXInterface 
     378#openid.provider.axResponse.csvFilePath=%(here)s/openidprovider/attributeexchange.csv 
     379 
     380# This setting can be used to enable the confirmation form to be omitted for  
     381# known Relying Parties (RP)s.  The confirmation form is part of the user  
     382# interface which prompts the user to confirm they wish to return their  
     383# credentials back to the given RP. 
    333384openid.provider.trustedRelyingParties=https://localhost:7443, https://ndg.somewhere.ac.uk, 
    334385        https://badc.somewhere.ac.uk 
     
    337388# Attribute Authority WSGI settings 
    338389# 
     390# This filter publishes an Attribute Authority instance as a key in environ 
     391# to enable the SAML query interface middleware to access and invoke it. 
    339392[filter:AttributeAuthorityFilter] 
    340 # This filter publishes an Attribute Authority instance as a key in environ 
    341 # to enable other middleware to access it 
    342393paste.filter_app_factory = ndg.security.server.wsgi.attributeauthority:AttributeAuthorityMiddleware.filter_app_factory 
    343394prefix = attributeAuthority. 
    344395 
    345 # Lifetime is measured in seconds 
     396# Lifetime is measured in seconds for attribute assertions made 
    346397attributeAuthority.assertionLifetime: 28800  
    347398 
    348 # Settings for custom AttributeInterface derived class to get user roles for given  
     399# Key name for the SAML SOAP binding based query interface to reference this 
     400# service's attribute query method 
     401attributeAuthority.environKeyNameAttributeQueryInterface: %(attributeQueryInterfaceEnvironKeyName)s 
     402 
     403# Attribute Interface - determines how a given attribute query interfaces with a 
     404# backend database or other persistent store.  The one here is an SQLAlchemy 
     405# based one.  The database connection string is the global setting - see the  
     406# DEFAULT section.  
     407attributeAuthority.attributeInterface.connectionString: %(dbConnectionString)s 
     408attributeAuthority.attributeInterface.className: ndg.security.server.attributeauthority.SQLAlchemyAttributeInterface 
     409 
     410# This does a sanity check to ensure the subject of the query is known to this 
     411# authority. 
     412attributeAuthority.attributeInterface.samlSubjectSqlQuery = select count(*) from users where openid = '${userId}' 
     413 
     414# Map the given SAML attributes identifiers to the equivalent SQL query to  
     415# retrieve them.  Any number can be set.  They should have the form, 
     416# 
     417# attributeAuthority.attributeInterface.samlAttribute2SqlQuery.<id> 
     418# 
     419# where <id> can be any unique string.  The userId string is the value passed 
     420# from the client subject NameID field 
     421attributeAuthority.attributeInterface.samlAttribute2SqlQuery.1 = "urn:esg:first:name" "select firstname from users where openid = '${userId}'" 
     422attributeAuthority.attributeInterface.samlAttribute2SqlQuery.lastName = "urn:esg:last:name" "select lastname from users where openid = '${userId}'" 
     423attributeAuthority.attributeInterface.samlAttribute2SqlQuery.emailAddress = "urn:esg:email:address" "select emailaddress from users where openid = '${userId}'" 
     424attributeAuthority.attributeInterface.samlAttribute2SqlQuery.4 = "urn:siteA:security:authz:1.0:attr" "select attributename from attributes where openid = '${userId}'" 
     425 
     426# Set the permissable requestor Distinguished Names as set in the SAML client  
     427# query issuer field.  Comment out or remove if this is not required.  Nb. 
     428# filtering of clients can be more securely applied by whitelisting at the SSL 
     429# level. 
     430attributeAuthority.attributeInterface.samlValidRequestorDNs = /O=Site A/CN=Authorisation Service,/O=Site A/CN=Attribute Authority, 
     431                                                           /O=Site B/CN=Authorisation Service,  
     432                                                           /CN=test/O=NDG/OU=BADC, 
     433                                                           /O=NDG/OU=Security/CN=localhost 
     434 
     435# Alternate custom AttributeInterface derived class to get user roles for given  
    349436# user ID 
    350437#attributeAuthority.attributeInterface.modFilePath: %(testConfigDir)s/attributeauthority/sitea 
     
    352439#attributeAuthority.attributeInterface.className: TestUserRoles 
    353440 
    354 # Key name for the SAML SOAP binding based interface to reference this 
    355 # service's attribute query method 
    356 attributeAuthority.environKeyNameAttributeQueryInterface: %(attributeQueryInterfaceEnvironKeyName)s 
    357  
    358 # SQLAlchemy Attribute Interface 
    359 attributeAuthority.attributeInterface.connectionString: %(dbConnectionString)s 
    360 attributeAuthority.attributeInterface.className: ndg.security.server.attributeauthority.SQLAlchemyAttributeInterface 
    361 attributeAuthority.attributeInterface.samlSubjectSqlQuery = select count(*) from users where openid = '${userId}' 
    362 attributeAuthority.attributeInterface.samlAttribute2SqlQuery.1 = "urn:esg:first:name" "select firstname from users where openid = '${userId}'" 
    363 attributeAuthority.attributeInterface.samlAttribute2SqlQuery.lastName = "urn:esg:last:name" "select lastname from users where openid = '${userId}'" 
    364 attributeAuthority.attributeInterface.samlAttribute2SqlQuery.emailAddress = "urn:esg:email:address" "select emailaddress from users where openid = '${userId}'" 
    365 attributeAuthority.attributeInterface.samlAttribute2SqlQuery.4 = "urn:siteA:security:authz:1.0:attr" "select attributename from attributes where openid = '${userId}'" 
    366 attributeAuthority.attributeInterface.samlValidRequestorDNs = /O=Site A/CN=Authorisation Service,/O=Site A/CN=Attribute Authority, 
    367                                                            /O=Site B/CN=Authorisation Service,  
    368                                                            /CN=test/O=NDG/OU=BADC, 
    369                                                            /O=NDG/OU=Security/CN=localhost 
    370  
    371441# SAML SOAP Binding to the Attribute Authority 
    372442[filter:AttributeAuthoritySamlSoapBindingFilter] 
     
    374444prefix = saml.soapbinding. 
    375445 
     446# Callback to deserialise a string format query received from the client into  
     447# to the relevant ElementTree instance 
    376448saml.soapbinding.deserialise = ndg.saml.xml.etree:AttributeQueryElementTree.fromXML 
    377449 
    378 # Specialisation to incorporate ESG Group/Role type 
     450# Corresponding callback to serialise an ElementTree instance response into a  
     451# string ready for dispatch back to the client 
     452# 
     453# Specialisation to incorporate ESG Group/Role type.  The deserialise method 
     454# doesn't need any specialised setting because no custom ESG types are required  
     455# in order to invoke it 
    379456saml.soapbinding.serialise = ndg.security.common.saml_utils.esgf.xml.etree:ESGFResponseElementTree.toXML 
    380457 
     458# Equivalent setting if no ESG customisation is required. 
     459#saml.soapbinding.deserialise = ndg.saml.xml.etree:AttributeQueryElementTree.toXML 
     460 
     461# Path following the FQDN from which this service will be mounted 
    381462saml.soapbinding.mountPath = /AttributeAuthority 
     463 
     464# The key name for the environ dict item holding the Attribute Authority's  
     465# query callback method.  See the Attribute Authority filter. 
    382466saml.soapbinding.queryInterfaceKeyName = %(attributeQueryInterfaceEnvironKeyName)s 
    383467 
     
    386470saml.soapbinding.clockSkewTolerance: 180.0 
    387471 
     472# The issuer name for this Attribute Authority expressed as a X.509 subject  
     473# name.  See ndg.saml.saml2.core or the SAML 2.0 spec for alternatives. 
    388474saml.soapbinding.issuerName: /O=Site A/CN=Attribute Authority 
    389475saml.soapbinding.issuerFormat: urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName  
     
    413499#______________________________________________________________________________ 
    414500# Authorisation Service WSGI settings 
    415 [filter:AuthorisationServiceFilter] 
     501# 
    416502# This filter is a container for a binding to a SOAP/SAML based interface to the 
    417503# Authorisation Service.  It contains a XACML Context handler which manages 
    418504# requests from Policy Enforcement Points to the PDP and also enables the PDP 
    419505# to make attribute queries to Policy Information Point 
     506[filter:AuthorisationServiceFilter] 
    420507paste.filter_app_factory = ndg.security.server.wsgi.authz.service:AuthorisationServiceMiddleware.filter_app_factory 
    421508prefix = authz. 
     
    495582authz.ctx_handler.pip.attributeQuery.sslCACertDir = %(testConfigDir)s/ca 
    496583 
     584#______________________________________________________________________________ 
    497585# Logging configuration 
    498586[loggers] 
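--- a/TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/integration/openidprovider/securityservices.ini
+++ b/TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/integration/openidprovider/securityservices.ini
@@ -2,5 +2,5 @@
 # NERC DataGrid Security 
 # 
-# Paste configuration for OpenID Relying Party and Provider services  
+# Description: Paste configuration for OpenID Relying Party and Provider services  
 # 
 # The %(here)s variable will be replaced with the parent directory of this file 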