Update to Debian 12 Bookworm

- improve README.md add test scenarios
- update Vagrant setup to Debian 12
- update dependency installation to be compatible with Debian 12
- use mkcert from Debian 12 package

README.md

@@ -14,35 +14,51 @@ git config submodule.recurse true
 
 ## Get started
 
-- [setup Hydra](https://code.cacert.org/cacert/oidc-hydra-config/src/branch/main/README.md)
-- build CAcert web application resources
-- setup IDP (provides login and consent screens)
-- setup demo application
-- setup OpenID Connect client registration application
-
-## Local development setup
-
-Make sure you have the necessary prerequisites installed (tested on Debian 11
-Bullseye) and `~/.local/bin` is in your `$PATH` variable:
+Make sure you have the necessary prerequisites installed (tested on Debian 12
+Bookworm) and `~/.local/bin` in your `$PATH`
+variable:
 
 ```shell
 sudo apt update
-sudo apt install make python3-pip python3-psycopg2 golang-go yarnpkg
-python3 -m pip install --user -U pip
-python3 -m pip install --user ansible
+sudo apt install make mkcert python3-pip python3-venv golang-go yarnpkg
+mkdir -p $HOME/.local/share/virtualenvs ~/.local/bin
+python3 -m venv $HOME/.local/share/virtualenvs/ansible
+$HOME/.local/share/virtualenvs/ansible/bin/pip install ansible
+ln -s $HOME/.local/share/virtualenvs/ansible/bin/ansible* $HOME/.local/bin/
 export PATH=$HOME/.local/bin:$PATH
 ```
 
 *Note:* It is a good idea to put the `PATH` export line into your `.bashrc` or
 `.zshenv`.
 
+### Build the applications
+
 Use `make` to build the web app resources and applications:
 
+
 ```shell
 go install github.com/nicksnyder/go-i18n/v2/goi18n@latest
 make
 ```
 
+## Deployment options
+
+There are two deployment options for the Hydra server and for the custom applications:
+
+1. local deployment
+2. Vagrant deployment
+
+You only need one of these options.
+
+Both options use [ansible](https://docs.ansible.com/) to:
+
+- setup the Hydra authorization server
+- setup IDP (provides login and consent screens)
+- setup demo application
+- setup OpenID Connect client registration application
+
+### Local deployment
+
 Use `ansible-playbook` to deploy Hydra, IDP, Client registration and the demo
 application:
 
@@ -58,8 +74,11 @@ then confirm that your user has sudo privileges and execute that command like
 ansible-playbook -K 01_install_cacert_oidc.yml
 ```
 
+### Vagrant setup
 
-## Vagrant setup
+You can also use [Vagrant](https://www.vagrantup.com/) with the
+libvirt-provider. The included Vagrantfile is configured to apply the
+ansible-playbook to the Vagrant managed virtual machine.
 
 ```shell
 sudo apt install vagrant-libvirt virt-manager libvirt-clients
@@ -67,3 +86,28 @@ vagrant up
 vagrant ssh -- cat .local/share/mkcert/rootCA.pem | sudo tee /usr/local/share/ca-certificates/mkcert-vagrant-oidc.crt
 sudo update-ca-certificates
 ```
+
+Note: You may also want to configure your browser to trust the CA certificate
+in `/usr/local/share/ca-certificates/mkcert-vagrant-oidc.crt`. If you do not
+add this trust configuration you will get browser warnings for an unknown
+certificate authority.
+
+## Testing your local setup
+
+### Test the authorization server
+
+Request the OpenID connect auto discovery information from Hydra
+
+```shell
+curl https://hydra.cacert.localhost:4444/.well-known/openid-configuration | python3 -m json.tool
+```
+
+This should give you a JSON document with information about the authorization server.
+
+### Test the identity provider
+
+Open
+[https://login.cacert.localhost:3000/](https://login.cacert.localhost:3000/)
+this should ask you for a CAcert class 3 client certificate and should render a
+404 page with a CAcert logo.
+

Vagrantfile

@@ -2,7 +2,7 @@
 # vi: set ft=ruby :
 
 Vagrant.configure("2") do |config|
-  config.vm.box = "generic/debian11"
+  config.vm.box = "debian/bookworm64"
 
   config.vm.define "oidcbox"
 
@@ -15,7 +15,11 @@ Vagrant.configure("2") do |config|
     lv.memory = "2048"
     lv.cpus = 2
     lv.machine_virtual_size = 10
+    lv.memorybacking :access, :mode => "shared"
   end
+
+  config.vm.synced_folder "./", "/vagrant", type: "virtiofs"
+
   config.vm.provision "ansible" do |ansible|
     ansible.playbook = "deployment/01_install_cacert_oidc.yml"
     ansible.verbose = true

deployment/01_install_cacert_oidc.yml

@@ -13,14 +13,14 @@
   pre_tasks:
 
     - name: Install package python3-psycopg2
-      ansible.builtin.package:
+      ansible.builtin.apt:
         name: python3-psycopg2
         state: present
 
     # The ACL package is required to run commands as the postgres user
     # See https://docs.ansible.com/ansible-core/2.12/user_guide/become.html#risks-of-becoming-an-unprivileged-user
     - name: Install package acl
-      ansible.builtin.package:
+      ansible.builtin.apt:
         name: acl
         state: present
 

deployment/roles/hydra_server/tasks/main.yml

@@ -71,7 +71,7 @@
 
     - name: Create Hydra key and certificate
       ansible.builtin.command:
-        cmd: "/home/{{ ansible_user | default(ansible_env.USER) }}/.local/bin/mkcert -cert-file {{ hydra_cert_temp_dir.path }}/hydra.pem -key-file {{ hydra_cert_temp_dir.path }}/hydra.key.pem {{ oidc_urls.hydra_admin.host }} {{ oidc_urls.hydra_public.host }}"
+        cmd: "mkcert -cert-file {{ hydra_cert_temp_dir.path }}/hydra.pem -key-file {{ hydra_cert_temp_dir.path }}/hydra.key.pem {{ oidc_urls.hydra_admin.host }} {{ oidc_urls.hydra_public.host }}"
 
     - name: Move Hydra certificate and key to target
       ansible.builtin.copy:

deployment/roles/oidc_idp/tasks/main.yml

@@ -49,7 +49,7 @@
 
     - name: Create IDP key and certificate
       ansible.builtin.command:
-        cmd: "/home/{{ ansible_user | default(ansible_env.USER) }}/.local/bin/mkcert -cert-file {{ idp_cert_temp_dir.path }}/idp.pem -key-file {{ idp_cert_temp_dir.path }}/idp.key.pem {{ oidc_urls.idp.host }}"
+        cmd: "mkcert -cert-file {{ idp_cert_temp_dir.path }}/idp.pem -key-file {{ idp_cert_temp_dir.path }}/idp.key.pem {{ oidc_urls.idp.host }}"
 
     - name: Move IDP certificate and key to target
       ansible.builtin.copy:

deployment/roles/prepare_devtools/defaults/main.yml

@@ -1,3 +0,0 @@
----
-mkcert_version: v1.4.4
-mkcert_checksum: 6d31c65b03972c6dc4a14ab429f2928300518b26503f58723e532d1b0a3bbb52

deployment/roles/prepare_devtools/tasks/main.yml

@@ -1,27 +1,16 @@
 ---
-- name: Create .local/bin for ansible user
-  ansible.builtin.file:
-    path: "/home/{{ ansible_user | default(ansible_env.USER) }}/.local/bin"
-    state: directory
-    owner: "{{ ansible_user | default(ansible_env.USER) }}"
-    group: "{{ ansible_user | default(ansible_env.USER) }}"
-    mode: "0750"
-
 - name: Prepare mkcert
   block:
 
-    - name: Download mkcert binary
-      ansible.builtin.get_url:
-        url: "https://github.com/FiloSottile/mkcert/releases/download/{{ mkcert_version }}/mkcert-{{ mkcert_version }}-linux-amd64"
-        dest: "/home/{{ ansible_user | default(ansible_env.USER) }}/.local/bin/mkcert"
-        checksum: "sha256:{{ mkcert_checksum }}"
-        owner: "{{ ansible_user | default(ansible_env.USER) }}"
-        group: "{{ ansible_user | default(ansible_env.USER) }}"
-        mode: "0750"
+    - name: Install mkcert
+      ansible.builtin.apt:
+        name: mkcert
+        update_cache: true
+      become: true
 
     - name: Install mkcert CA
       ansible.builtin.command:
-        cmd: "/home/{{ ansible_user | default(ansible_env.USER) }}/.local/bin/mkcert -install"
+        cmd: "mkcert -install"
       changed_when: false
 
   when: use_mkcert