diff --git a/README.md b/README.md index 1426e56..a8f80ea 100644 --- a/README.md +++ b/README.md @@ -14,35 +14,51 @@ git config submodule.recurse true ## Get started -- [setup Hydra](https://code.cacert.org/cacert/oidc-hydra-config/src/branch/main/README.md) -- build CAcert web application resources -- setup IDP (provides login and consent screens) -- setup demo application -- setup OpenID Connect client registration application - -## Local development setup - -Make sure you have the necessary prerequisites installed (tested on Debian 11 -Bullseye) and `~/.local/bin` is in your `$PATH` variable: +Make sure you have the necessary prerequisites installed (tested on Debian 12 +Bookworm) and `~/.local/bin` in your `$PATH` +variable: ```shell sudo apt update -sudo apt install make python3-pip python3-psycopg2 golang-go yarnpkg -python3 -m pip install --user -U pip -python3 -m pip install --user ansible +sudo apt install make mkcert python3-pip python3-venv golang-go yarnpkg +mkdir -p $HOME/.local/share/virtualenvs ~/.local/bin +python3 -m venv $HOME/.local/share/virtualenvs/ansible +$HOME/.local/share/virtualenvs/ansible/bin/pip install ansible +ln -s $HOME/.local/share/virtualenvs/ansible/bin/ansible* $HOME/.local/bin/ export PATH=$HOME/.local/bin:$PATH ``` *Note:* It is a good idea to put the `PATH` export line into your `.bashrc` or `.zshenv`. +### Build the applications + Use `make` to build the web app resources and applications: + ```shell go install github.com/nicksnyder/go-i18n/v2/goi18n@latest make ``` +## Deployment options + +There are two deployment options for the Hydra server and for the custom applications: + +1. local deployment +2. Vagrant deployment + +You only need one of these options. + +Both options use [ansible](https://docs.ansible.com/) to: + +- setup the Hydra authorization server +- setup IDP (provides login and consent screens) +- setup demo application +- setup OpenID Connect client registration application + +### Local deployment + Use `ansible-playbook` to deploy Hydra, IDP, Client registration and the demo application: @@ -58,8 +74,11 @@ then confirm that your user has sudo privileges and execute that command like ansible-playbook -K 01_install_cacert_oidc.yml ``` +### Vagrant setup -## Vagrant setup +You can also use [Vagrant](https://www.vagrantup.com/) with the +libvirt-provider. The included Vagrantfile is configured to apply the +ansible-playbook to the Vagrant managed virtual machine. ```shell sudo apt install vagrant-libvirt virt-manager libvirt-clients @@ -67,3 +86,28 @@ vagrant up vagrant ssh -- cat .local/share/mkcert/rootCA.pem | sudo tee /usr/local/share/ca-certificates/mkcert-vagrant-oidc.crt sudo update-ca-certificates ``` + +Note: You may also want to configure your browser to trust the CA certificate +in `/usr/local/share/ca-certificates/mkcert-vagrant-oidc.crt`. If you do not +add this trust configuration you will get browser warnings for an unknown +certificate authority. + +## Testing your local setup + +### Test the authorization server + +Request the OpenID connect auto discovery information from Hydra + +```shell +curl https://hydra.cacert.localhost:4444/.well-known/openid-configuration | python3 -m json.tool +``` + +This should give you a JSON document with information about the authorization server. + +### Test the identity provider + +Open +[https://login.cacert.localhost:3000/](https://login.cacert.localhost:3000/) +this should ask you for a CAcert class 3 client certificate and should render a +404 page with a CAcert logo. + diff --git a/Vagrantfile b/Vagrantfile index 93e3ec9..2c41041 100644 --- a/Vagrantfile +++ b/Vagrantfile @@ -2,7 +2,7 @@ # vi: set ft=ruby : Vagrant.configure("2") do |config| - config.vm.box = "generic/debian11" + config.vm.box = "debian/bookworm64" config.vm.define "oidcbox" @@ -15,7 +15,11 @@ Vagrant.configure("2") do |config| lv.memory = "2048" lv.cpus = 2 lv.machine_virtual_size = 10 + lv.memorybacking :access, :mode => "shared" end + + config.vm.synced_folder "./", "/vagrant", type: "virtiofs" + config.vm.provision "ansible" do |ansible| ansible.playbook = "deployment/01_install_cacert_oidc.yml" ansible.verbose = true diff --git a/deployment/01_install_cacert_oidc.yml b/deployment/01_install_cacert_oidc.yml index 1b7cc20..b826065 100644 --- a/deployment/01_install_cacert_oidc.yml +++ b/deployment/01_install_cacert_oidc.yml @@ -13,14 +13,14 @@ pre_tasks: - name: Install package python3-psycopg2 - ansible.builtin.package: + ansible.builtin.apt: name: python3-psycopg2 state: present # The ACL package is required to run commands as the postgres user # See https://docs.ansible.com/ansible-core/2.12/user_guide/become.html#risks-of-becoming-an-unprivileged-user - name: Install package acl - ansible.builtin.package: + ansible.builtin.apt: name: acl state: present diff --git a/deployment/roles/hydra_server/tasks/main.yml b/deployment/roles/hydra_server/tasks/main.yml index c144888..ad1d1df 100644 --- a/deployment/roles/hydra_server/tasks/main.yml +++ b/deployment/roles/hydra_server/tasks/main.yml @@ -71,7 +71,7 @@ - name: Create Hydra key and certificate ansible.builtin.command: - cmd: "/home/{{ ansible_user | default(ansible_env.USER) }}/.local/bin/mkcert -cert-file {{ hydra_cert_temp_dir.path }}/hydra.pem -key-file {{ hydra_cert_temp_dir.path }}/hydra.key.pem {{ oidc_urls.hydra_admin.host }} {{ oidc_urls.hydra_public.host }}" + cmd: "mkcert -cert-file {{ hydra_cert_temp_dir.path }}/hydra.pem -key-file {{ hydra_cert_temp_dir.path }}/hydra.key.pem {{ oidc_urls.hydra_admin.host }} {{ oidc_urls.hydra_public.host }}" - name: Move Hydra certificate and key to target ansible.builtin.copy: diff --git a/deployment/roles/oidc_idp/tasks/main.yml b/deployment/roles/oidc_idp/tasks/main.yml index 32e1070..202912c 100644 --- a/deployment/roles/oidc_idp/tasks/main.yml +++ b/deployment/roles/oidc_idp/tasks/main.yml @@ -49,7 +49,7 @@ - name: Create IDP key and certificate ansible.builtin.command: - cmd: "/home/{{ ansible_user | default(ansible_env.USER) }}/.local/bin/mkcert -cert-file {{ idp_cert_temp_dir.path }}/idp.pem -key-file {{ idp_cert_temp_dir.path }}/idp.key.pem {{ oidc_urls.idp.host }}" + cmd: "mkcert -cert-file {{ idp_cert_temp_dir.path }}/idp.pem -key-file {{ idp_cert_temp_dir.path }}/idp.key.pem {{ oidc_urls.idp.host }}" - name: Move IDP certificate and key to target ansible.builtin.copy: diff --git a/deployment/roles/prepare_devtools/defaults/main.yml b/deployment/roles/prepare_devtools/defaults/main.yml deleted file mode 100644 index 63680a6..0000000 --- a/deployment/roles/prepare_devtools/defaults/main.yml +++ /dev/null @@ -1,3 +0,0 @@ ---- -mkcert_version: v1.4.4 -mkcert_checksum: 6d31c65b03972c6dc4a14ab429f2928300518b26503f58723e532d1b0a3bbb52 diff --git a/deployment/roles/prepare_devtools/tasks/main.yml b/deployment/roles/prepare_devtools/tasks/main.yml index 7f6506f..b35e34f 100644 --- a/deployment/roles/prepare_devtools/tasks/main.yml +++ b/deployment/roles/prepare_devtools/tasks/main.yml @@ -1,27 +1,16 @@ --- -- name: Create .local/bin for ansible user - ansible.builtin.file: - path: "/home/{{ ansible_user | default(ansible_env.USER) }}/.local/bin" - state: directory - owner: "{{ ansible_user | default(ansible_env.USER) }}" - group: "{{ ansible_user | default(ansible_env.USER) }}" - mode: "0750" - - name: Prepare mkcert block: - - name: Download mkcert binary - ansible.builtin.get_url: - url: "https://github.com/FiloSottile/mkcert/releases/download/{{ mkcert_version }}/mkcert-{{ mkcert_version }}-linux-amd64" - dest: "/home/{{ ansible_user | default(ansible_env.USER) }}/.local/bin/mkcert" - checksum: "sha256:{{ mkcert_checksum }}" - owner: "{{ ansible_user | default(ansible_env.USER) }}" - group: "{{ ansible_user | default(ansible_env.USER) }}" - mode: "0750" + - name: Install mkcert + ansible.builtin.apt: + name: mkcert + update_cache: true + become: true - name: Install mkcert CA ansible.builtin.command: - cmd: "/home/{{ ansible_user | default(ansible_env.USER) }}/.local/bin/mkcert -install" + cmd: "mkcert -install" changed_when: false when: use_mkcert