Update to Debian 12 Bookworm

- improve README.md, add test scenarios
- update Vagrant setup to Debian 12
- update dependency installation to be compatible with Debian 12
- use mkcert from Debian 12 package
Jan Dittberner 2023-06-19 19:46:25 +02:00
parent f64476a176
commit 4023cfc718
7 changed files with 73 additions and 39 deletions


@ -14,35 +14,51 @@ git config submodule.recurse true
## Get started ## Get started
- [setup Hydra](https://code.cacert.org/cacert/oidc-hydra-config/src/branch/main/README.md) Make sure you have the necessary prerequisites installed (tested on Debian 12
- build CAcert web application resources Bookworm) and `~/.local/bin` in your `$PATH`
- setup IDP (provides login and consent screens) variable:
- setup demo application
- setup OpenID Connect client registration application
## Local development setup
Make sure you have the necessary prerequisites installed (tested on Debian 11
Bullseye) and `~/.local/bin` is in your `$PATH` variable:
```shell ```shell
sudo apt update sudo apt update
sudo apt install make python3-pip python3-psycopg2 golang-go yarnpkg sudo apt install make mkcert python3-pip python3-venv golang-go yarnpkg
python3 -m pip install --user -U pip mkdir -p $HOME/.local/share/virtualenvs ~/.local/bin
python3 -m pip install --user ansible python3 -m venv $HOME/.local/share/virtualenvs/ansible
$HOME/.local/share/virtualenvs/ansible/bin/pip install ansible
ln -s $HOME/.local/share/virtualenvs/ansible/bin/ansible* $HOME/.local/bin/
export PATH=$HOME/.local/bin:$PATH export PATH=$HOME/.local/bin:$PATH
``` ```
*Note:* It is a good idea to put the `PATH` export line into your `.bashrc` or *Note:* It is a good idea to put the `PATH` export line into your `.bashrc` or
`.zshenv`. `.zshenv`.
### Build the applications
Use `make` to build the web app resources and applications: Use `make` to build the web app resources and applications:
```shell ```shell
go install github.com/nicksnyder/go-i18n/v2/goi18n@latest go install github.com/nicksnyder/go-i18n/v2/goi18n@latest
make make
``` ```
## Deployment options
There are two deployment options for the Hydra server and for the custom applications:
1. local deployment
2. Vagrant deployment
You only need one of these options.
Both options use [ansible](https://docs.ansible.com/) to:
- setup the Hydra authorization server
- setup IDP (provides login and consent screens)
- setup demo application
- setup OpenID Connect client registration application
### Local deployment
Use `ansible-playbook` to deploy Hydra, IDP, Client registration and the demo Use `ansible-playbook` to deploy Hydra, IDP, Client registration and the demo
application: application:
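Review bot: the new prerequisite block installs two unpinned toolchain components, `pip install ansible` in the venv and `go install github.com/nicksnyder/go-i18n/v2/goi18n@latest`, so two people following this README on the same day can end up with different Ansible and goi18n versions; pin both to a known-good version (a `==` constraint for pip, an explicit tag instead of `@latest` for `go install`) so the documented setup is reproducible. Smaller point: `ln -s $HOME/.local/share/virtualenvs/ansible/bin/ansible* $HOME/.local/bin/` fails with "File exists" the second time someone runs the block; `ln -sf` makes it re-runnable.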
@ -58,8 +74,11 @@ then confirm that your user has sudo privileges and execute that command like
ansible-playbook -K 01_install_cacert_oidc.yml ansible-playbook -K 01_install_cacert_oidc.yml
``` ```
### Vagrant setup
## Vagrant setup You can also use [Vagrant](https://www.vagrantup.com/) with the
libvirt-provider. The included Vagrantfile is configured to apply the
ansible-playbook to the Vagrant managed virtual machine.
```shell ```shell
sudo apt install vagrant-libvirt virt-manager libvirt-clients sudo apt install vagrant-libvirt virt-manager libvirt-clients
@ -67,3 +86,28 @@ vagrant up
vagrant ssh -- cat .local/share/mkcert/rootCA.pem | sudo tee /usr/local/share/ca-certificates/mkcert-vagrant-oidc.crt vagrant ssh -- cat .local/share/mkcert/rootCA.pem | sudo tee /usr/local/share/ca-certificates/mkcert-vagrant-oidc.crt
sudo update-ca-certificates sudo update-ca-certificates
``` ```
Note: You may also want to configure your browser to trust the CA certificate
in `/usr/local/share/ca-certificates/mkcert-vagrant-oidc.crt`. If you do not
add this trust configuration you will get browser warnings for an unknown
certificate authority.
## Testing your local setup
### Test the authorization server
Request the OpenID connect auto discovery information from Hydra
```shell
curl https://hydra.cacert.localhost:4444/.well-known/openid-configuration | python3 -m json.tool
```
This should give you a JSON document with information about the authorization server.
### Test the identity provider
Open
[https://login.cacert.localhost:3000/](https://login.cacert.localhost:3000/)
this should ask you for a CAcert class 3 client certificate and should render a
404 page with a CAcert logo.
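Review bot: the Vagrant instructions above this new section copy the VM's mkcert root certificate into `/usr/local/share/ca-certificates/` and run `update-ca-certificates`, which makes a development CA trusted by every TLS client on the host, not just the browser, while the CA's private key lives inside the VM; the new "Testing your local setup" section silently depends on that trust (the `curl` against `https://hydra.cacert.localhost:4444/` only succeeds once the root is trusted, and for the local deployment that comes from `mkcert -install` instead). State that dependency in the test section and add the teardown next to the install step, e.g. `sudo rm /usr/local/share/ca-certificates/mkcert-vagrant-oidc.crt && sudo update-ca-certificates --fresh`, so readers can remove the trust when the VM is destroyed.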

Vagrantfile vendored

@ -2,7 +2,7 @@
# vi: set ft=ruby : # vi: set ft=ruby :
Vagrant.configure("2") do |config| Vagrant.configure("2") do |config|
config.vm.box = "generic/debian11" config.vm.box = "debian/bookworm64"
config.vm.define "oidcbox" config.vm.define "oidcbox"
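Review bot: `config.vm.box = "debian/bookworm64"` pulls whatever box version is current on the box registry at `vagrant up` time; add `config.vm.box_version` with an explicit version so the README's "tested on Debian 12 Bookworm" statement refers to a fixed image and the provisioning stays reproducible. The previous `generic/debian11` line was unpinned too, so this is pre-existing, but the box switch is the moment to fix it.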
@ -15,7 +15,11 @@ Vagrant.configure("2") do |config|
lv.memory = "2048" lv.memory = "2048"
lv.cpus = 2 lv.cpus = 2
lv.machine_virtual_size = 10 lv.machine_virtual_size = 10
lv.memorybacking :access, :mode => "shared"
end end
config.vm.synced_folder "./", "/vagrant", type: "virtiofs"
config.vm.provision "ansible" do |ansible| config.vm.provision "ansible" do |ansible|
ansible.playbook = "deployment/01_install_cacert_oidc.yml" ansible.playbook = "deployment/01_install_cacert_oidc.yml"
ansible.verbose = true ansible.verbose = true
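Review bot: the switch to `type: "virtiofs"` (with the `lv.memorybacking :access, :mode => "shared"` it requires) adds a host requirement that the README's Vagrant section does not mention: the host needs a libvirt/QEMU stack with virtiofs support and `virtiofsd` available, otherwise `vagrant up` fails before provisioning starts. Document that next to the `sudo apt install vagrant-libvirt virt-manager libvirt-clients` line. Also worth a sentence in the README: the share exposes the whole checkout (`./`) read-write to the guest, so anything the playbook writes under `/vagrant` lands in the host working tree.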


@ -13,14 +13,14 @@
pre_tasks: pre_tasks:
- name: Install package python3-psycopg2 - name: Install package python3-psycopg2
ansible.builtin.package: ansible.builtin.apt:
name: python3-psycopg2 name: python3-psycopg2
state: present state: present
# The ACL package is required to run commands as the postgres user # The ACL package is required to run commands as the postgres user
# See https://docs.ansible.com/ansible-core/2.12/user_guide/become.html#risks-of-becoming-an-unprivileged-user # See https://docs.ansible.com/ansible-core/2.12/user_guide/become.html#risks-of-becoming-an-unprivileged-user
- name: Install package acl - name: Install package acl
ansible.builtin.package: ansible.builtin.apt:
name: acl name: acl
state: present state: present
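Review bot: both `ansible.builtin.apt` tasks here omit `update_cache`, while the mkcert install task in this same commit sets `update_cache: true`; on a freshly created box the package lists can be empty or stale, and these `pre_tasks` run before anything else, so `python3-psycopg2` and `acl` can fail to resolve. Add `update_cache: true` (with `cache_valid_time: 3600` to avoid refreshing on every run) to the first apt task, or move the cache refresh into a dedicated task ahead of these two. Replacing `ansible.builtin.package` with `ansible.builtin.apt` is fine given the README now states Debian 12 as the tested platform.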


@ -71,7 +71,7 @@
- name: Create Hydra key and certificate - name: Create Hydra key and certificate
ansible.builtin.command: ansible.builtin.command:
cmd: "/home/{{ ansible_user | default(ansible_env.USER) }}/.local/bin/mkcert -cert-file {{ hydra_cert_temp_dir.path }}/hydra.pem -key-file {{ hydra_cert_temp_dir.path }}/hydra.key.pem {{ oidc_urls.hydra_admin.host }} {{ oidc_urls.hydra_public.host }}" cmd: "mkcert -cert-file {{ hydra_cert_temp_dir.path }}/hydra.pem -key-file {{ hydra_cert_temp_dir.path }}/hydra.key.pem {{ oidc_urls.hydra_admin.host }} {{ oidc_urls.hydra_public.host }}"
- name: Move Hydra certificate and key to target - name: Move Hydra certificate and key to target
ansible.builtin.copy: ansible.builtin.copy:


@ -49,7 +49,7 @@
- name: Create IDP key and certificate - name: Create IDP key and certificate
ansible.builtin.command: ansible.builtin.command:
cmd: "/home/{{ ansible_user | default(ansible_env.USER) }}/.local/bin/mkcert -cert-file {{ idp_cert_temp_dir.path }}/idp.pem -key-file {{ idp_cert_temp_dir.path }}/idp.key.pem {{ oidc_urls.idp.host }}" cmd: "mkcert -cert-file {{ idp_cert_temp_dir.path }}/idp.pem -key-file {{ idp_cert_temp_dir.path }}/idp.key.pem {{ oidc_urls.idp.host }}"
- name: Move IDP certificate and key to target - name: Move IDP certificate and key to target
ansible.builtin.copy: ansible.builtin.copy:


@ -1,3 +0,0 @@
---
mkcert_version: v1.4.4
mkcert_checksum: 6d31c65b03972c6dc4a14ab429f2928300518b26503f58723e532d1b0a3bbb52
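Review bot: dropping `mkcert_version` and `mkcert_checksum` is sound, since the signed Debian repository now verifies the package instead of a sha256 pinned in a vars file, but deleting the whole file means any remaining reference to either variable (role defaults, a README variable table, other playbooks) becomes an undefined-variable failure at runtime rather than a lint warning; grep the repository for both names before merging. If a particular mkcert version matters for the generated certificates, pin it in the apt task with `name: mkcert=<version>` rather than relying on whatever Bookworm ships.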


@ -1,27 +1,16 @@
--- ---
- name: Create .local/bin for ansible user
ansible.builtin.file:
path: "/home/{{ ansible_user | default(ansible_env.USER) }}/.local/bin"
state: directory
owner: "{{ ansible_user | default(ansible_env.USER) }}"
group: "{{ ansible_user | default(ansible_env.USER) }}"
mode: "0750"
- name: Prepare mkcert - name: Prepare mkcert
block: block:
- name: Download mkcert binary - name: Install mkcert
ansible.builtin.get_url: ansible.builtin.apt:
url: "https://github.com/FiloSottile/mkcert/releases/download/{{ mkcert_version }}/mkcert-{{ mkcert_version }}-linux-amd64" name: mkcert
dest: "/home/{{ ansible_user | default(ansible_env.USER) }}/.local/bin/mkcert" update_cache: true
checksum: "sha256:{{ mkcert_checksum }}" become: true
owner: "{{ ansible_user | default(ansible_env.USER) }}"
group: "{{ ansible_user | default(ansible_env.USER) }}"
mode: "0750"
- name: Install mkcert CA - name: Install mkcert CA
ansible.builtin.command: ansible.builtin.command:
cmd: "/home/{{ ansible_user | default(ansible_env.USER) }}/.local/bin/mkcert -install" cmd: "mkcert -install"
changed_when: false changed_when: false
when: use_mkcert when: use_mkcert
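Review bot: the removed tasks used to place a downloaded binary at `/home/<user>/.local/bin/mkcert`, and nothing in this commit removes that file, while the README puts `~/.local/bin` ahead of the system directories in `PATH`; on a host that was set up with the old role and upgraded in place, the unversioned `mkcert -install` here, and the equally unversioned `mkcert` commands in the Hydra and IDP roles, will resolve to the stale v1.4.4 download instead of the package's `/usr/bin/mkcert`. Add an `ansible.builtin.file` task with `state: absent` for the old path (or reference the packaged binary by absolute path) so the distro package is the one actually used. The `become: true` on the apt task only, with `mkcert -install` still running as the unprivileged user, is correct, since the CA must end up in that user's `~/.local/share/mkcert`.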