source: TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/integration/authz_lite/securityservices.ini @ 6441

#
# NERC DataGrid Security
#
# Paste configuration for combined Attribute Authority, OpenID Relying Party 
# and Provider services
#
# The %(here)s variable will be replaced with the parent directory of this file
#
# Author: P J Kershaw
# date: 01/07/09
# Copyright: (C) 2009 Science and Technology Facilities Council
# license: BSD - see LICENSE file in top-level directory
# Contact: Philip.Kershaw@stfc.ac.uk
# Revision: $Id:$

[DEFAULT]
portNum = 7443
hostname = localhost
scheme = https
baseURI = %(scheme)s://%(hostname)s:%(portNum)s
openIDProviderIDBase = /openid
openIDProviderIDSelectURI = %(baseURI)s%(openIDProviderIDBase)s
testConfigDir = %(here)s/../../config
beakerSessionKeyName = beaker.session.ndg.security.services

# Global Attribute Authority Settings
attributeAuthorityEnvironKeyName = ndg.security.server.attributeauthority.AttributeAuthority
attributeQueryInterfaceEnvironKeyName = ndg.security.server.attributeauthority.attributeQueryInterface

dbConnectionString = sqlite:///%(testConfigDir)s/user.db

[server:main]
use = egg:Paste#http
host = 0.0.0.0
port = %(portNum)s

# Uncomment and replace OpenIDProviderApp with OpenIDProviderFilterApp in the
# pipeline below if the RelyingParty filter is removed.  The RelyingParty
# provides static content to both it and the Provider in this configuration.
# See the staticContentDir setting in the OpenIDRelyingPartyFilter section
#[filter-app:OpenIDProviderFilterApp]
#use = egg:Paste#httpexceptions
#next = cascade
#
## Composite for OpenID Provider to enable settings for picking up static 
## content
#[composit:cascade]
#use = egg:Paste#cascade
#app1 = OpenIDProviderStaticContent
#catch = 404
#
#[app:OpenIDProviderStaticContent]
#use = egg:Paste#static
#document_root = %(here)s/openidprovider

# Ordering of filters and app is critical
[pipeline:main]
pipeline = wsseSignatureVerificationFilter 
                   AttributeAuthorityFilter 
                   AttributeAuthorityWsdlSoapBindingFilter
           wsseSignatureFilter 
           AttributeAuthoritySamlSoapBindingFilter
                   SessionMiddlewareFilter
                   SSLCientAuthKitFilter
                   SSLClientAuthenticationFilter
                   SSLCientAuthnRedirectResponseFilter
                   OpenIDRelyingPartyFilter
                   OpenIDProviderApp

#______________________________________________________________________________
# Beaker Session Middleware (used by OpenID Provider Filter)
[filter:SessionMiddlewareFilter]
paste.filter_app_factory=beaker.middleware:SessionMiddleware
beaker.session.key = openid
beaker.session.secret = qKEdQdCr33NE087dRUWX3qUv5r7AsuQU

# If you'd like to fine-tune the individual locations of the cache data dirs
# for the Cache data, or the Session saves, un-comment the desired settings
# here:
beaker.cache.data_dir = %(here)s/openidprovider/beaker/cache
beaker.session.data_dir = %(here)s/openidprovider/beaker/sessions
beaker.session.cookie_expires = True

# Key name for keying into environ dictionary
environ_key = %(beakerSessionKeyName)s

[filter:SSLCientAuthKitFilter]
paste.filter_app_factory = authkit.authenticate:middleware

# AuthKit Set-up
setup.method=cookie

# This cookie name and secret MUST agree with the name used by the 
# Authentication Filter used to secure a given app
cookie.name=ndg.security.auth

cookie.secret=9wvZObs9anUEhSIAnJNoY2iJq59FfYZr
cookie.signoutpath = /logout

# Disable inclusion of client IP address from cookie signature due to 
# suspected problem with AuthKit setting it when a HTTP Proxy is in place
cookie.includeip = False

# SSL Client Certificate based authentication is invoked if the client passed
# a certificate with request.  This bypasses OpenID based authn.
[filter:SSLClientAuthenticationFilter]
paste.filter_app_factory = ndg.security.server.wsgi.ssl:AuthKitSSLAuthnMiddleware
prefix = ssl.
ssl.caCertFilePathList = %(testConfigDir)s/ca/ndg-test-ca.crt
#ssl.clientCertDNMatchList = /O=NDG/OU=BADC/CN=mytest /O=gabriel/OU=BADC/CN=test /O=NDG/OU=BADC/CN=test

# 'HTTP_' prefix is set when passed through a proxy
ssl.sslKeyName = HTTP_HTTPS
ssl.sslClientCertKeyName = HTTP_SSL_CLIENT_CERT

# Set the URI pattern match here to interrupt a redirect to the OpenID Relying 
# Party from the service running over HTTP and see if a client certificate has 
# been set
ssl.rePathMatchList = ^/verify.*

[filter:OpenIDRelyingPartyFilter]
paste.filter_app_factory = 
        ndg.security.server.wsgi.openid.relyingparty:OpenIDRelyingPartyMiddleware.filter_app_factory

openid.relyingparty.baseURL = %(authkit.openid.baseurl)s

# Uncomment to restrict sign in to a whitelist of trusted OpenID Providers.
#openid.relyingparty.idpWhitelistConfigFilePath = %(here)s/openidrelyingparty/ssl-idp-validator.xml

openid.relyingparty.signinInterfaceMiddlewareClass = ndg.security.server.wsgi.openid.relyingparty.signin_interface.genshi.GenshiSigninTemplate

# Nb. in this configuration, this directory is provider static content for both 
# this filter and the OpenID Provider app downstream in the WSGI stack.
openid.relyingparty.signinInterface.staticContentRootDir = %(here)s/public

openid.relyingparty.signinInterface.baseURL = %(openid.relyingparty.baseURL)s
openid.relyingparty.signinInterface.initialOpenID = %(openIDProviderIDSelectURI)s
openid.relyingparty.signinInterface.heading = OpenID Sign-in
#openid.relyingparty.signinInterface.leftLogo = %(openid.relyingparty.signinInterface.baseURL)s/layout/NERC_Logo.gif
#openid.relyingparty.signinInterface.leftAlt = Natural Environment Research Council
#openid.relyingparty.signinInterface.leftLink = http://ndg.nerc.ac.uk/
#openid.relyingparty.signinInterface.leftImage = %(openid.relyingparty.signinInterface.baseURL)s/layout/ndg_logo_circle.gif

# This setting will accept HTML mark-up
openid.relyingparty.signinInterface.footerText = This site is for test purposes only.   <a class="FooterLink" href="http://openid.net/what/" target="_blank"><small>What is OpenID?</small></a>
openid.relyingparty.signinInterface.rightLink = http://ceda.ac.uk/
openid.relyingparty.signinInterface.rightImage = %(openid.relyingparty.signinInterface.baseURL)s/layout/CEDA_RightButton60.png
openid.relyingparty.signinInterface.rightAlt = Centre for Environmental Data Archival
openid.relyingparty.signinInterface.helpIcon = %(openid.relyingparty.signinInterface.baseURL)s/layout/icons/help.png

cache_dir = %(here)s/data

# AuthKit Set-up
authkit.setup.method=openid, cookie

# This cookie name and secret MUST agree with the name used by the 
# Authentication Filter used to secure a given app
authkit.cookie.name=ndg.security.auth

authkit.cookie.secret=9wvZObs9anUEhSIAnJNoY2iJq59FfYZr
authkit.cookie.signoutpath = /logout

# Disable inclusion of client IP address from cookie signature due to 
# suspected problem with AuthKit setting it when a HTTP Proxy is in place
authkit.cookie.includeip = False

authkit.openid.path.signedin=/
authkit.openid.store.type=file
authkit.openid.store.config=%(here)s/openidrelyingparty/store
authkit.openid.session.key = authkit_openid
authkit.openid.session.secret = random string

# Key name for dereferencing beaker.session object held in environ
authkit.openid.session.middleware = %(beakerSessionKeyName)s

authkit.openid.baseurl = %(baseURI)s

# Template for signin
#authkit.openid.template.obj = 

# Handler for parsing OpenID and creating a session from it
#authkit.openid.urltouser = 

# Attribute Exchange - all are optional unless the relevant ax.required.<name> 
# is set to True.  The alias defers to the parameter name given unless explicity
# specified - see commented out entry for firstName below.  The number of
# attributes for each attribute name defaults to 1 unless otherwise set
#authkit.openid.ax.typeuri.firstName=http://openid.net/schema/namePerson/first
#authkit.openid.ax.alias.firstName=firstName
##authkit.openid.ax.count.firstName=1
#authkit.openid.ax.required.firstName=True
#authkit.openid.ax.typeuri.lastName=http://openid.net/schema/namePerson/last
#authkit.openid.ax.alias.lastName=lastName
#authkit.openid.ax.required.lastName=True
#authkit.openid.ax.typeuri.emailAddress=http://openid.net/schema/contact/internet/email
#authkit.openid.ax.alias.emailAddress=emailAddress
#authkit.openid.ax.required.emailAddress=True

# ESG Gateway requested parameters
authkit.openid.ax.typeuri.uuid:http://openid.net/schema/person/guid
authkit.openid.ax.alias.uuid=uuid
authkit.openid.ax.typeuri.username:http://openid.net/schema/namePerson/friendly
authkit.openid.ax.alias.username=username
authkit.openid.ax.typeuri.firstname:http://openid.net/schema/namePerson/first
authkit.openid.ax.alias.firstname=firstname
authkit.openid.ax.required.firstname:True
authkit.openid.ax.typeuri.middlename:http://openid.net/schema/namePerson/middle
authkit.openid.ax.alias.middlename=middlename
authkit.openid.ax.typeuri.lastname:http://openid.net/schema/namePerson/last
authkit.openid.ax.required.lastname:True
authkit.openid.ax.alias.lastname=lastname
authkit.openid.ax.typeuri.email:http://openid.net/schema/contact/internet/email
authkit.openid.ax.required.email:True
authkit.openid.ax.alias.email=email
authkit.openid.ax.typeuri.gateway:http://www.earthsystemgrid.org/gateway
authkit.openid.ax.alias.gateway=gateway
authkit.openid.ax.typeuri.organization:http://openid.net/schema/company/name
authkit.openid.ax.alias.organization=organization
authkit.openid.ax.typeuri.city:http://openid.net/schema/contact/city/home
authkit.openid.ax.alias.city=city
authkit.openid.ax.typeuri.state:http://openid.net/schema/contact/state/home
authkit.openid.ax.alias.state=state
authkit.openid.ax.typeuri.country:http://openid.net/schema/contact/country/home
authkit.openid.ax.alias.country=country

[filter:SSLCientAuthnRedirectResponseFilter]
# Redirect to original requested URI following SSL Client Authentication.  This
# filter must be placed AFTER the AuthKit cookie setting middleware.  In this
# case its configured in the OpenIDRelyingPartyMiddleware filter.  If the
# OpenID Relying Party filter is removed, a separate AuthKit middleware entry
# would need to be made so that this redirect filter can still function
paste.filter_app_factory = ndg.security.server.wsgi.authn:AuthKitRedirectResponseMiddleware
prefix = ssl.
ssl.sessionKey = %(beakerSessionKeyName)s

#______________________________________________________________________________
# OpenID Provider WSGI Settings
[app:OpenIDProviderApp]
paste.app_factory=ndg.security.server.wsgi.openid.provider:OpenIDProviderMiddleware.app_factory

openid.provider.path.openidserver=/OpenID/Provider/server
openid.provider.path.login=/OpenID/Provider/login
openid.provider.path.loginsubmit=/OpenID/Provider/loginsubmit

# Yadis based discovery only - the 'id' path is configured may be set to page
# with <link rel="openid.server" href="..."> and Yadis 
# <meta http-equiv="x-xrds-location" content="..."> links if required but in 
# this implementation it set to return 404 not found - see 
# ndg.security.server.wsgi.openid.provider.renderinginterface.genshi.GenshiRendering 
# class
openid.provider.path.id=/OpenID/Provider/id/${userIdentifier}
openid.provider.path.yadis=%(openIDProviderIDBase)s/${userIdentifier}

# Yadis based discovery for idselect mode - this is where the user has entered
# a URI at the Relying Party which identifies their Provider only and not their
# full ID URI.  e.g. https://badc.nerc.ac.uk instead of 
# https://badc.nerc.ac.uk/John
openid.provider.path.serveryadis=%(openIDProviderIDBase)s
openid.provider.path.allow=/OpenID/Provider/allow
openid.provider.path.decide=/OpenID/Provider/decide
openid.provider.path.mainpage=/OpenID/Provider/home

openid.provider.session_middleware=%(beakerSessionKeyName)s
openid.provider.base_url=%(baseURI)s

# Enable login to construct an identity URI if IDSelect mode was chosen and
# no identity URI was passed from the Relying Party.  This value should
# match openid.provider.path.id and/or openid.provider.path.yadis - see above
identityUriTemplate=%(baseURI)s%(openIDProviderIDBase)s/${userIdentifier}

openid.provider.trace=False
openid.provider.consumer_store_dirpath=%(here)s/openidprovider
openid.provider.renderingClass=ndg.security.server.wsgi.openid.provider.renderinginterface.genshi.GenshiRendering
#openid.provider.renderingClass=ndg.security.server.wsgi.openid.provider.DemoRenderingInterface

# Layout
openid.provider.rendering.baseURL = %(openid.provider.base_url)s
#openid.provider.rendering.leftLogo = %(openid.provider.rendering.baseURL)s/layout/NERC_Logo.gif
#openid.provider.rendering.leftAlt = Natural Environment Research Council
#openid.provider.rendering.leftLink = http://ndg.nerc.ac.uk/
#openid.provider.rendering.leftImage = %(openid.provider.rendering.baseURL)s/layout/ndg_logo_circle.gif
openid.provider.rendering.helpIcon = %(openid.provider.rendering.baseURL)s/layout/icons/help.png
openid.provider.rendering.footerText = This site is for test purposes only.
openid.provider.rendering.rightLink = http://ceda.ac.uk/
openid.provider.rendering.rightImage = %(openid.provider.rendering.baseURL)s/layout/CEDA_RightButton60.png
openid.provider.rendering.rightAlt = Centre for Environmental Data Archival

# Basic Authentication interface to demonstrate capabilities
#openid.provider.authNInterface=ndg.security.server.wsgi.openid.provider.authninterface.basic.BasicAuthNInterface
openid.provider.authNInterface=ndg.security.server.wsgi.openid.provider.authninterface.sqlalchemy_authn.SQLAlchemyAuthnInterface
openid.provider.authN.connectionString=%(dbConnectionString)s
openid.provider.authN.logonSqlQuery=select count(*) from users where username = '${username}' and md5password = '${password}'
openid.provider.authN.username2UserIdentifierSqlQuery=select openid_identifier from users where username = '${username}'
openid.provider.authN.isMD5EncodedPwd=True

# user login details format is:
# <username>:<password>:<OpenID name>, ... <OpenID name N> <username>:... etc
# Each user entry is delimited by a space. username, password and OpenID name
# list are delimited by a colon.  The list of OpenID names are delimited by
# commas.  The OpenID name represents the unique part of the OpenID URL for the
# individual user.  Each username may have more than one OpenID alias but only
# alias at a time may be registered with a given Attribute Authority
openid.provider.authN.userCreds=pjk:testpassword:PhilipKershaw,P.J.Kershaw another:testpassword:A.N.Other

# Basic authentication for testing/admin - comma delimited list of 
# <username>:<password> pairs
#openid.provider.usercreds=pjk:test

# Attribute Exchange interface
#openid.provider.axResponse.class=ndg.security.server.wsgi.openid.provider.axinterface.csv.CSVFileAXInterface
#openid.provider.axResponse.csvFilePath=%(here)s/openidprovider/attributeexchange.csv
openid.provider.axResponse.class=ndg.security.server.wsgi.openid.provider.axinterface.sqlalchemy_ax.SQLAlchemyAXInterface
openid.provider.axResponse.connectionString=%(dbConnectionString)s
openid.provider.axResponse.sqlQuery = select firstname, lastname, emailaddress from users where username = '${username}'
openid.provider.axResponse.attributeNames=http://openid.net/schema/namePerson/first
    http://openid.net/schema/namePerson/last
    http://openid.net/schema/contact/internet/email
    
openid.provider.trustedRelyingParties=https://localhost:7443, https://ndg.somewhere.ac.uk,
        https://badc.somewhere.ac.uk

#______________________________________________________________________________
# Attribute Authority WSGI settings
#
[filter:AttributeAuthorityFilter]
# This filter publishes an Attribute Authority instance as a key in environ
# to enable other middleware to access it
paste.filter_app_factory = ndg.security.server.wsgi.attributeauthority:AttributeAuthorityMiddleware.filter_app_factory
prefix = attributeAuthority.

# Key name by which the WSDL SOAP based interface may reference this
# service
attributeAuthority.environKeyName = %(attributeAuthorityEnvironKeyName)s

# Key name for the SAML SOAP binding based interface to reference this
# service's attribute query method
attributeAuthority.environKeyNameAttributeQueryInterface: %(attributeQueryInterfaceEnvironKeyName)s

# Attribute Authority settings
# 'name' setting MUST agree with map config file 'thisHost' name attribute
attributeAuthority.name: Site A

# Lifetime is measured in seconds
attributeAuthority.attCertLifetime: 28800 

# Allow an offset for clock skew between servers running 
# security services. NB, measured in seconds - use a minus sign for time in the
# past
attributeAuthority.attCertNotBeforeOff: 0

# All Attribute Certificates issued are recorded in this dir
attributeAuthority.attCertDir: %(testConfigDir)s/attributeauthority/sitea/attributeCertificateLog

# Files in attCertDir are stored using a rotating file handler
# attCertFileLogCnt sets the max number of files created before the first is 
# overwritten
attributeAuthority.attCertFileName: ac.xml
attributeAuthority.attCertFileLogCnt: 16
attributeAuthority.dnSeparator:/

# Location of role mapping file
attributeAuthority.mapConfigFilePath: %(testConfigDir)s/attributeauthority/sitea/siteAMapConfig.xml

# Settings for custom AttributeInterface derived class to get user roles for given 
# user ID
#attributeAuthority.attributeInterface.modFilePath: %(testConfigDir)s/attributeauthority/sitea
#attributeAuthority.attributeInterface.modName: siteAUserRoles
#attributeAuthority.attributeInterface.className: TestUserRoles

# SQLAlchemy Attribute Interface
attributeAuthority.attributeInterface.connectionString: %(dbConnectionString)s
attributeAuthority.attributeInterface.modName: ndg.security.server.attributeauthority
attributeAuthority.attributeInterface.className: SQLAlchemyAttributeInterface
attributeAuthority.attributeInterface.issuerName = /O=Site A/CN=Attribute Authority
attributeAuthority.attributeInterface.samlSubjectSqlQuery = select count(*) from users where openid = '${userId}'
attributeAuthority.attributeInterface.samlAttribute2SqlQuery.1 = "urn:esg:first:name" "select firstname from users where openid = '${userId}'"
attributeAuthority.attributeInterface.samlAttribute2SqlQuery.lastName = "urn:esg:last:name" "select lastname from users where openid = '${userId}'"
attributeAuthority.attributeInterface.samlAttribute2SqlQuery.emailAddress = "urn:esg:email:address" "select emailaddress from users where openid = '${userId}'"
attributeAuthority.attributeInterface.samlAttribute2SqlQuery.4 = "urn:siteA:security:authz:1.0:attr" "select attributename from attributes where openid = '${userId}'"
attributeAuthority.attributeInterface.samlValidRequestorDNs = /O=Site A/CN=Authorisation Service,/O=Site A/CN=Attribute Authority,
                                                           /O=Site B/CN=Authorisation Service, 
                                                           /CN=test/O=NDG/OU=BADC

# Config for XML signature of Attribute Certificate
attributeAuthority.signingPriKeyFilePath: %(testConfigDir)s/attributeauthority/sitea/siteA-aa.key
attributeAuthority.signingCertFilePath: %(testConfigDir)s/attributeauthority/sitea/siteA-aa.crt
attributeAuthority.caCertFilePathList: %(testConfigDir)s/ca/ndg-test-ca.crt


# SOAP WSDL Based Binding to the Attribute Authority
[filter:AttributeAuthorityWsdlSoapBindingFilter]
paste.filter_app_factory = ndg.security.server.wsgi.attributeauthority:AttributeAuthoritySOAPBindingMiddleware.filter_app_factory
prefix = service.soap.binding.
attributeAuthoritySOAPBindingPrefix = attributeauthority.service.soap.binding.

service.soap.binding.referencedFilters = filter:wsseSignatureVerificationFilter
service.soap.binding.path = /AttributeAuthority
service.soap.binding.enableWSDLQuery = True
service.soap.binding.charset = utf-8
service.soap.binding.serviceSOAPBindingEnvironKeyName = ndg.security.server.wsgi.attributeauthority.AttributeAuthoritySOAPBindingMiddleware

attributeauthority.service.soap.binding.attributeAuthorityEnvironKeyName = %(attributeAuthorityEnvironKeyName)s
attributeauthority.service.soap.binding.wsseSignatureVerificationFilterID = filter:wsseSignatureVerificationFilter


# SAML SOAP Binding to the Attribute Authority
[filter:AttributeAuthoritySamlSoapBindingFilter]
paste.filter_app_factory = ndg.security.server.wsgi.saml:SOAPAttributeInterfaceMiddleware.filter_app_factory
prefix = saml.soapbinding.

saml.soapbinding.pathMatchList = /AttributeAuthority/saml
saml.soapbinding.queryInterfaceKeyName = %(attributeQueryInterfaceEnvironKeyName)s


#______________________________________________________________________________
# WS-Security Signature Verification
[filter:wsseSignatureVerificationFilter]
paste.filter_app_factory = ndg.security.server.wsgi.wssecurity:SignatureVerificationFilter.filter_app_factory
filterID = %(__name__)s

# Settings for WS-Security SignatureHandler class used by this filter
wsseCfgFilePrefix = wssecurity

# Verify against known CAs - Provide a space separated list of file paths
wssecurity.caCertFilePathList=%(testConfigDir)s/ca/ndg-test-ca.crt


#______________________________________________________________________________
# Apply WS-Security Signature 
[filter:wsseSignatureFilter]
paste.filter_app_factory = ndg.security.server.wsgi.wssecurity:ApplySignatureFilter.filter_app_factory

# Reference the verification filter in order to be able to apply signature
# confirmation
referencedFilters = filter:wsseSignatureVerificationFilter
wsseSignatureVerificationFilterID = filter:wsseSignatureVerificationFilter

# Last filter in chain of SOAP handlers writes the response
writeResponse = True

# Settings for WS-Security SignatureHandler class used by this filter
wsseCfgFilePrefix = wssecurity

# Certificate associated with private key used to sign a message.  The sign 
# method will add this to the BinarySecurityToken element of the WSSE header.  
wssecurity.signingCertFilePath=%(testConfigDir)s/pki/wsse-server.crt

# PEM encoded private key file
wssecurity.signingPriKeyFilePath=%(testConfigDir)s/pki/wsse-server.key

# Set the ValueType for the BinarySecurityToken added to the WSSE header for a
# signed message.  See __setReqBinSecTokValType method and binSecTokValType 
# class variable for options - it may be one of X509, X509v3, X509PKIPathv1 or 
# give full namespace to alternative - see 
# ZSI.wstools.Namespaces.OASIS.X509TOKEN
#
# binSecTokValType determines whether signingCert or signingCertChain 
# attributes will be used.
wssecurity.reqBinSecTokValType=X509v3

# Add a timestamp element to an outbound message
wssecurity.addTimestamp=True

# For WSSE 1.1 - service returns signature confirmation containing signature 
# value sent by client
wssecurity.applySignatureConfirmation=True

# Logging configuration
[loggers]
keys = root, ndg

[handlers]
keys = console

[formatters]
keys = generic

[logger_root]
level = INFO
handlers = console

[logger_ndg]
level = DEBUG
handlers =
qualname = ndg

[handler_console]
class = StreamHandler
args = (sys.stderr,)
level = NOTSET
formatter = generic

[formatter_generic]
format = %(asctime)s.%(msecs)03d %(levelname)-5.5s [%(name)s:%(lineno)s] %(message)s
datefmt = %Y-%m-%d %H:%M:%S