source: TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/paster_templates/default_deployment/services.ini_tmpl @ 7077

#
# NERC DataGrid Security
#
# Paste configuration for combined security web services deployment:
# * Session Manager
# * Attribute Authority
# * OpenID Provider
#
# The %(here)s variable will be replaced with the parent directory of this file
#
# Author: P J Kershaw
# date: 30/11/05
# Copyright: (C) 2008 STFC
# license: BSD - see LICENSE file in top-level directory
# Contact: Philip.Kershaw@stfc.ac.uk
# Revision: $$Id$$

[DEFAULT]
#______________________________________________________________________________
# Attribute Authority settings
# 'name' setting MUST agree with map config file 'thisHost' name attribute
attributeAuthority.name: ${attributeAuthorityID}

# Lifetime is measured in seconds
attributeAuthority.attCertLifetime: 28800 

# Allow an offset for clock skew between servers running 
# security services. NB, measured in seconds - use a minus sign for time in the
# past
attributeAuthority.attCertNotBeforeOff: 0

# All Attribute Certificates issued are recorded in this dir
attributeAuthority.attCertDir: %(here)s/attributeauthority/attCertLog

# Files in attCertDir are stored using a rotating file handler
# attCertFileLogCnt sets the max number of files created before the first is 
# overwritten
attributeAuthority.attCertFileName: ac.xml
attributeAuthority.attCertFileLogCnt: 16
attributeAuthority.dnSeparator:/

# Location of role mapping file
attributeAuthority.mapConfigFile: %(here)s/attributeauthority/mapConfig.xml

# Settings for custom AttributeInterface derived class to get user roles for given 
# user ID
attributeAuthority.userRolesModFilePath: %(here)s/attributeauthority
attributeAuthority.userRolesModName: attributeinterface
attributeAuthority.userRolesClassName: TestAttributeInterface

# Config for XML signature of Attribute Certificate
attributeAuthority.signingPriKeyFilePath: %(here)s/attributeauthority/aa.key
attributeAuthority.signingCertFilePath: %(here)s/attributeauthority/aa.crt
attributeAuthority.caCertFilePathList: %(here)s/ca/ndg-test-ca.crt

#______________________________________________________________________________
# Session Manager specific settings - commented out settings will take their
# default settings.  To override the defaults uncomment and set as required.
# See ndg.security.server.sessionmanager module for details

# Credential Wallet Settings - global to all user sessions
#
# CA certificates for Attribute Certificate signature validation
sessionManager.credentialWallet.caCertFilePathList=%(here)s/ca/ndg-test-ca.crt

# CA certificates for SSL connection peer cert. validation - required if
# connecting to an Attribute Authority over SSL
sessionManager.credentialWallet.sslCACertFilePathList=%(here)s/ca/ndg-test-ca.crt

# Allow Get Attribute Certificate calls to try to get a mapped certificate
# from another organisation trusted by the target Attribute Authority
sessionManager.credentialWallet.mapFromTrustedHosts=True
sessionManager.credentialWallet.rtnExtAttCertList=True

# Refresh an Attribute Certificate, if an existing one in the wallet has only
# this length of time left before it expires
credentialWallet.attCertRefreshElapse=7200

# Pointer to WS-Security settings.  These WS-Security settings are for use
# by user credential wallets held in user sessions hosted by the Session
# Manager.  They enable individual wallets to query Attribute Authorities for
# user Attribute Certificates.  Nb. the difference between these settings and
# the WS-Security section for handling requests to the Session Manager.
#
# Settings are identified by a prefix.  
sessionManager.credentialWallet.wssCfgPrefix=sessionManager.credentialWallet.wssecurity

# ...A section name could also be used.
#sessionManager.credentialWallet.wssCfgSection=

# SOAP Signature Handler settings for the Credential Wallet's Attribute 
# Authority interface
#
# CA Certificates used to verify X.509 certs used in Attribute Certificates.
# The CA certificates of other NDG trusted sites should go here.  NB, multiple
# values should be delimited by a space
sessionManager.credentialWallet.wssecurity.caCertFilePathList: %(here)s/ca/ndg-test-ca.crt

# Signature of an outbound message
#
# Certificate associated with private key used to sign a message.  The sign 
# method will add this to the BinarySecurityToken element of the WSSE header.  
# binSecTokValType attribute must be set to 'X509' or 'X509v3' ValueType.  
# As an alternative, use signingCertChain - see below...

# PEM encoded cert
sessionManager.credentialWallet.wssecurity.signingCertFilePath: %(here)s/sessionmanager/sm.crt

# ... or provide file path to PEM encoded private key file
sessionManager.credentialWallet.wssecurity.signingPriKeyFilePath: %(here)s/sessionmanager/sm.key

# Set the ValueType for the BinarySecurityToken added to the WSSE header for a
# signed message.  See __setReqBinSecTokValType method and binSecTokValType 
# class variable for options - it may be one of X509, X509v3, X509PKIPathv1 or 
# give full namespace to alternative - see 
# ZSI.wstools.Namespaces.OASIS.X509TOKEN
#
# binSecTokValType determines whether signingCert or signingCertChain 
# attributes will be used.
sessionManager.credentialWallet.wssecurity.reqBinSecTokValType: X509v3

# Add a timestamp element to an outbound message
sessionManager.credentialWallet.wssecurity.addTimestamp: True

# For WSSE 1.1 - service returns signature confirmation containing signature 
# value sent by client
sessionManager.credentialWallet.wssecurity.applySignatureConfirmation: True

# Authentication service properties 
sessionManager.authNService.moduleFilePath: 
sessionManager.authNService.moduleName: ndg.security.test.config.sessionmanager.userx509certauthn
sessionManager.authNService.className: UserX509CertAuthN

# Specific settings for UserCertAuthN Session Manager authentication plugin
# This sets up PKI credentials for a single test account
sessionManager.authNService.userX509CertFilePath: %(here)s/sessionmanager/user.crt
sessionManager.authNService.userPriKeyFilePath: %(here)s/sessionmanager/user.key
sessionManager.authNService.userPriKeyPwd: testpassword

[server:main]
use = egg:Paste#http
host = 0.0.0.0
port = 8000

[filter-app:mainApp]
use = egg:Paste#httpexceptions
next = cascade

# Put OpenID Provider and Static URL parser together in a cascade
[composit:cascade]
use = egg:Paste#cascade
app1 = StaticOpenIDProviderContent
app2 = OpenIDProviderApp
catch = 404

[app:StaticOpenIDProviderContent]
# Static URL Parser to serve OpenID Provider static page content such as CSS
# and graphics
use = egg:Paste#static
document_root = %(here)s/openidprovider

[app:OpenIDProviderApp]
# OpenID Provider set as the main application
paste.app_factory=ndg.security.server.wsgi.openid.provider:OpenIDProviderMiddleware.main_app
openid.provider.path.openidserver=/openid/endpoint
openid.provider.path.login=/openid/login
openid.provider.path.loginsubmit=/openid/loginsubmit

# Comment out next two lines and uncomment the third to disable URL based 
# discovery and allow only Yadis based instead
openid.provider.path.id=/openid/id
openid.provider.path.yadis=/openid/yadis
#openid.provider.path.yadis=/id/

openid.provider.path.serveryadis=/openid/serveryadis
openid.provider.path.allow=/openid/allow
openid.provider.path.decide=/openid/decide
openid.provider.path.mainpage=/openid/
openid.provider.session_middleware=beaker.session 
openid.provider.base_url=http://localhost:8000
openid.provider.trace=False
openid.provider.renderingClass=ndg.security.server.wsgi.openid.provider.renderinginterface.buffet.BuffetRendering
#openid.provider.renderingClass=ndg.security.server.wsgi.openid.provider.DemoRenderingInterface

openid.provider.rendering.templateType = kid
openid.provider.rendering.templateRoot = ndg.security.server.wsgi.openid.provider.renderinginterface.buffet.templates
openid.provider.rendering.kid.assume_encoding= utf-8
openid.provider.rendering.kid.encoding = utf-8

# Layout
openid.provider.rendering.baseURL = %(openid.provider.base_url)s
openid.provider.rendering.leftLogo = %(openid.provider.rendering.baseURL)s/layout/NERC_Logo.gif
openid.provider.rendering.leftAlt = Natural Environment Research Council
openid.provider.rendering.ndgLink = http://ndg.nerc.ac.uk/
openid.provider.rendering.ndgImage = %(openid.provider.rendering.baseURL)s/layout/ndg_logo_circle.gif
openid.provider.rendering.disclaimer = This site is for test purposes only and is under active development.
openid.provider.rendering.stfcLink = http://ceda.stfc.ac.uk/
openid.provider.rendering.stfcImage = %(openid.provider.rendering.baseURL)s/layout/stfc-circle-sm.gif
openid.provider.rendering.helpIcon = %(openid.provider.rendering.baseURL)s/layout/icons/help.png


#openid.provider.sregResponseHandler=ndg.security.server.pylons.container.lib.openid_provider_util:esgSRegResponseHandler
#openid.provider.axResponseHandler=ndg.security.server.pylons.container.lib.openid_provider_util:esgAXResponseHandler

# Basic Authentication interface to demonstrate capabilities
#openid.provider.authNInterface=ndg.security.server.wsgi.openid.provider.authninterface.basic.BasicAuthNInterface
#openid.provider.authN.userCreds=pjk:test
#openid.provider.authN.username2UserIdentifiers=pjk:PhilipKershaw,P.J.Kershaw

# Link Authentication to a Session Manager instance running in the same WSGI
# stack or on a remote service
openid.provider.authNInterface=ndg.security.server.wsgi.openid.provider.authninterface.sessionmanager.SessionManagerOpenIDAuthNInterface

# Omit or leave as blank if the Session Manager is accessible locally in the
# same WSGI stack.
openid.provider.authN.sessionManagerURI=

# environ dictionary key to Session Manager WSGI instance held locally.  The
# setting below is the default and can be omitted if it matches the filterID
# set for the Session Manager
#openid.provider.authN.environKey=filter:SessionManagerFilter

# Database connection to enable check between username and OpenID identifier
openid.provider.authN.connectionString: postgres://postgres:testpassword@localhost/testUserDb
openid.provider.authN.logonSQLQuery: select username from openid where username = '$$username' and ident = '$$userIdentifier'
openid.provider.authN.userIdentifiersSQLQuery: select distinct ident from openid where username = '$$username'

# Basic authentication for testing/admin - comma delimited list of 
# <username>:<password> pairs
#openid.provider.usercreds=pjk:test

#______________________________________________________________________________
# Beaker Session Middleware (used by OpenID Provider Filter)
[filter:SessionMiddlewareFilter]
paste.filter_app_factory=beaker.middleware:SessionMiddleware

# Chain of SOAP Middleware filters
[pipeline:main]
pipeline = wsseSignatureVerificationFilter 
                   AttributeAuthorityFilter 
           SessionManagerFilter 
           wsseSignatureFilter 
           SessionMiddlewareFilter
           mainApp


#______________________________________________________________________________
# Attribute Authority WSGI settings
#
[filter:AttributeAuthorityFilter]
# This filter is a container for a binding to a SOAP based interface to the
# Attribute Authority
paste.filter_app_factory = ndg.security.server.wsgi.soap:SOAPBindingMiddleware

# Use this ZSI generated SOAP service interface class to handle i/o for this
# filter
ServiceSOAPBindingClass = ndg.security.server.zsi.attributeauthority.AttributeAuthorityWS

# SOAP Binding Class specific keywords are in this section identified by this
# prefix:
ServiceSOAPBindingPropPrefix = AttributeAuthority

# The AttributeAuthority class has settings in the default section above 
# identified by this prefix:
AttributeAuthority.propPrefix = attributeAuthority
AttributeAuthority.propFilePath = %(here)s/services.ini
AttributeAuthority.wsseSignatureVerificationFilterID = filter:wsseSignatureVerificationFilter

# Provide an identifier for this filter so that main WSGI app 
# CombinedServicesWSGI Session Manager filter can call this Attribute Authority
# directly
referencedFilters = filter:wsseSignatureVerificationFilter

# Path from URL for Attribute Authority in this Paste deployment
path = /AttributeAuthority

# Enable ?wsdl query argument to list the WSDL content
enableWSDLQuery = True
charset = utf-8
filterID = %(__name__)s

#______________________________________________________________________________
# Session Manager WSGI settings
#
[filter:SessionManagerFilter]
# This filter is a container for a binding to a SOAP based interface to the
# Session Manager
paste.filter_app_factory = ndg.security.server.wsgi.soap:SOAPBindingMiddleware

# Use this ZSI generated SOAP service interface class to handle i/o for this
# filter
ServiceSOAPBindingClass = ndg.security.server.zsi.sessionmanager.SessionManagerWS

# SOAP Binding Class specific keywords are in this section identified by this
# prefix:
ServiceSOAPBindingPropPrefix = SessionManager

# The SessionManager class has settings in the default section above identified
# by this prefix:
SessionManager.propPrefix = sessionManager
SessionManager.propFilePath = %(here)s/services.ini

# This filter references other filters - a local Attribute Authority (optional)
# and a WS-Security signature verification filter (required if using signature
# to authenticate user in requests
SessionManager.attributeAuthorityFilterID = filter:AttributeAuthorityFilter
SessionManager.wsseSignatureVerificationFilterID = filter:wsseSignatureVerificationFilter

# The SessionManagerWS SOAP interface class needs to know about these other 
# filters
referencedFilters = filter:wsseSignatureVerificationFilter 
                                        filter:AttributeAuthorityFilter

# Path from URL for Session Manager in this Paste deployment
path = /SessionManager

# Enable ?wsdl query argument to list the WSDL content
enableWSDLQuery = True
charset = utf-8

# Provide an identifier for this filter so that main WSGI app 
# CombinedServicesWSGI can call this Session Manager directly
filterID = %(__name__)s

#______________________________________________________________________________
# WS-Security Signature Verification
[filter:wsseSignatureVerificationFilter]
paste.filter_app_factory = ndg.security.server.wsgi.wssecurity:SignatureVerificationFilter
filterID = %(__name__)s

# Settings for WS-Security SignatureHandler class used by this filter
wsseCfgFilePrefix = wssecurity

# Verify against known CAs - Provide a space separated list of file paths
wssecurity.caCertFilePathList=%(here)s/ca/ndg-test-ca.crt

#______________________________________________________________________________
# Apply WS-Security Signature 
[filter:wsseSignatureFilter]
paste.filter_app_factory = ndg.security.server.wsgi.wssecurity:ApplySignatureFilter

# Reference the verification filter in order to be able to apply signature
# confirmation
referencedFilters = filter:wsseSignatureVerificationFilter
wsseSignatureVerificationFilterID = filter:wsseSignatureVerificationFilter

# Last filter in chain of SOAP handlers writes the response
writeResponse = True

# Settings for WS-Security SignatureHandler class used by this filter
wsseCfgFilePrefix = wssecurity

# Certificate associated with private key used to sign a message.  The sign 
# method will add this to the BinarySecurityToken element of the WSSE header.  
wssecurity.signingCertFilePath=%(here)s/pki/wsse-server.crt

# PEM encoded private key file
wssecurity.signingPriKeyFilePath=%(here)s/pki/wsse-server.key

# Set the ValueType for the BinarySecurityToken added to the WSSE header for a
# signed message.  See __setReqBinSecTokValType method and binSecTokValType 
# class variable for options - it may be one of X509, X509v3, X509PKIPathv1 or 
# give full namespace to alternative - see 
# ZSI.wstools.Namespaces.OASIS.X509TOKEN
#
# binSecTokValType determines whether signingCert or signingCertChain 
# attributes will be used.
wssecurity.reqBinSecTokValType=X509v3

# Add a timestamp element to an outbound message
wssecurity.addTimestamp=True

# For WSSE 1.1 - service returns signature confirmation containing signature 
# value sent by client
wssecurity.applySignatureConfirmation=True


# Logging configuration
[loggers]
keys = root, ndg

[handlers]
keys = console

[formatters]
keys = generic

[logger_root]
level = INFO
handlers = console

[logger_ndg]
level = DEBUG
handlers =
qualname = ndg

[handler_console]
class = StreamHandler
args = (sys.stderr,)
level = NOTSET
formatter = generic

[formatter_generic]
format = %(asctime)s,%(msecs)03d %(levelname)-5.5s [%(name)s] %(message)s
datefmt = %H:%M:%S