From 00c0d3de1a7e316d6b7e39dbf0cf78d84a0aece2 Mon Sep 17 00:00:00 2001 
From: Jan Dittberner Date: Wed, 10 Aug 2022 20:35:03 +0200 Subject: [PATCH 01/33] Create basic local playbook and roles - create ansible structure - create generated roles - add hydra_database role --- deployment/README.md | 4 ++ deployment/ansible.cfg | 35 +++++++++++++ deployment/inventory/group_vars/all.yml | 2 + deployment/inventory/local | 10 ++++ .../playbooks/01_install_cacert_oidc.yml | 23 ++++++++ deployment/roles/hydra_database/README.md | 38 ++++++++++++++ .../roles/hydra_database/defaults/main.yml | 3 ++ .../roles/hydra_database/handlers/main.yml | 2 + deployment/roles/hydra_database/meta/main.yml | 17 ++++++ .../roles/hydra_database/tasks/main.yml | 29 +++++++++++ deployment/roles/hydra_server/README.md | 38 ++++++++++++++ .../roles/hydra_server/defaults/main.yml | 2 + .../roles/hydra_server/handlers/main.yml | 2 + deployment/roles/hydra_server/meta/main.yml | 52 +++++++++++++++++++ deployment/roles/hydra_server/tasks/main.yml | 2 + deployment/roles/hydra_server/vars/main.yml | 2 + .../roles/oidc_client_registration/README.md | 38 ++++++++++++++ .../defaults/main.yml | 2 + .../handlers/main.yml | 2 + .../oidc_client_registration/meta/main.yml | 52 +++++++++++++++++++ .../oidc_client_registration/tasks/main.yml | 2 + .../oidc_client_registration/vars/main.yml | 2 + .../roles/oidc_demo_application/README.md | 38 ++++++++++++++ .../oidc_demo_application/defaults/main.yml | 2 + .../oidc_demo_application/handlers/main.yml | 2 + .../roles/oidc_demo_application/meta/main.yml | 52 +++++++++++++++++++ .../oidc_demo_application/tasks/main.yml | 2 + .../roles/oidc_demo_application/vars/main.yml | 2 + deployment/roles/oidc_idp/README.md | 38 ++++++++++++++ deployment/roles/oidc_idp/defaults/main.yml | 2 + deployment/roles/oidc_idp/handlers/main.yml | 2 + deployment/roles/oidc_idp/meta/main.yml | 52 +++++++++++++++++++ deployment/roles/oidc_idp/tasks/main.yml | 2 + deployment/roles/oidc_idp/vars/main.yml | 2 + 34 files changed, 555 insertions(+) create mode 100644 
deployment/README.md create mode 100644 deployment/ansible.cfg create mode 100644 deployment/inventory/group_vars/all.yml create mode 100644 deployment/inventory/local create mode 100644 deployment/playbooks/01_install_cacert_oidc.yml create mode 100644 deployment/roles/hydra_database/README.md create mode 100644 deployment/roles/hydra_database/defaults/main.yml create mode 100644 deployment/roles/hydra_database/handlers/main.yml create mode 100644 deployment/roles/hydra_database/meta/main.yml create mode 100644 deployment/roles/hydra_database/tasks/main.yml create mode 100644 deployment/roles/hydra_server/README.md create mode 100644 deployment/roles/hydra_server/defaults/main.yml create mode 100644 deployment/roles/hydra_server/handlers/main.yml create mode 100644 deployment/roles/hydra_server/meta/main.yml create mode 100644 deployment/roles/hydra_server/tasks/main.yml create mode 100644 deployment/roles/hydra_server/vars/main.yml create mode 100644 deployment/roles/oidc_client_registration/README.md create mode 100644 deployment/roles/oidc_client_registration/defaults/main.yml create mode 100644 deployment/roles/oidc_client_registration/handlers/main.yml create mode 100644 deployment/roles/oidc_client_registration/meta/main.yml create mode 100644 deployment/roles/oidc_client_registration/tasks/main.yml create mode 100644 deployment/roles/oidc_client_registration/vars/main.yml create mode 100644 deployment/roles/oidc_demo_application/README.md create mode 100644 deployment/roles/oidc_demo_application/defaults/main.yml create mode 100644 deployment/roles/oidc_demo_application/handlers/main.yml create mode 100644 deployment/roles/oidc_demo_application/meta/main.yml create mode 100644 deployment/roles/oidc_demo_application/tasks/main.yml create mode 100644 deployment/roles/oidc_demo_application/vars/main.yml create mode 100644 deployment/roles/oidc_idp/README.md create mode 100644 deployment/roles/oidc_idp/defaults/main.yml create mode 100644 
deployment/roles/oidc_idp/handlers/main.yml create mode 100644 deployment/roles/oidc_idp/meta/main.yml create mode 100644 deployment/roles/oidc_idp/tasks/main.yml create mode 100644 deployment/roles/oidc_idp/vars/main.yml diff --git a/deployment/README.md b/deployment/README.md new file mode 100644 index 0000000..a37907b --- /dev/null +++ b/deployment/README.md @@ -0,0 +1,4 @@ +Deployment automation for the CAcert OIDC setup + +This directory contains [Ansible](https://docs.ansible.com) automation code to +install and setup the CAcert OpenID connect components. diff --git a/deployment/ansible.cfg b/deployment/ansible.cfg new file mode 100644 index 0000000..23c9600 --- /dev/null +++ b/deployment/ansible.cfg 
@@ -0,0 +1,35 @@ +[defaults] +# (boolean) By default Ansible will issue a warning when received from a task action (module or action plugin) +# These warnings can be silenced by adjusting this setting to False. +action_warnings=True + +# (string) Chooses which cache plugin to use, the default 'memory' is ephemeral. +fact_caching=memory + +# (pathlist) Comma separated list of Ansible inventory sources +inventory=inventory/local + +# (pathspec) Colon separated paths in which Ansible will search for Roles. +roles_path=./roles:~/.ansible/roles:/usr/share/ansible/roles:/etc/ansible/roles + +# (boolean) Toggles the use of persistence for connections. +use_persistent_connections=True + +interpreter_python=auto_silent + + +[privilege_escalation] +# (boolean) Display an agnostic become prompt instead of displaying a prompt containing the command line supplied become method +agnostic_become_prompt=True + +# (boolean) This setting controls if become is skipped when remote user and become user are the same. I.E root sudo to root. +# If executable, it will be run and the resulting stdout will be used as the password. +become_allow_same_user=False + + +[diff] +# (bool) Configuration toggle to tell modules to show differences when in 'changed' status, equivalent to ``--diff``. +always=True + +# (integer) How many lines of context to show when displaying the differences between files. +context=3 diff --git a/deployment/inventory/group_vars/all.yml b/deployment/inventory/group_vars/all.yml new file mode 100644 index 0000000..6a325aa --- /dev/null +++ b/deployment/inventory/group_vars/all.yml @@ -0,0 +1,2 @@ +--- +hydra_db_password: hydra diff --git a/deployment/inventory/local b/deployment/inventory/local new file mode 100644 index 0000000..fcb4ffa --- /dev/null +++ b/deployment/inventory/local @@ -0,0 +1,10 @@ +localhost ansible_connection=local + +[pgsqlserver] +localhost + +[authserver] +localhost + +[demoserver] +localhost 
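Review bot: The second comment line above `become_allow_same_user` in `[privilege_escalation]`, `# If executable, it will be run and the resulting stdout will be used as the password.`, belongs to a different option (the become password file) and does not describe the boolean it sits over; drop it so the generated config does not mislead whoever tunes privilege escalation later. Also worth keeping in mind when reading the roles: `[diff] always=True` makes every `copy`/`template` task print the full content of a changed file in the play output, so any task that writes secret material has to opt out with `no_log: true`.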
diff --git a/deployment/playbooks/01_install_cacert_oidc.yml b/deployment/playbooks/01_install_cacert_oidc.yml new file mode 100644 index 0000000..01fc695 --- /dev/null +++ b/deployment/playbooks/01_install_cacert_oidc.yml @@ -0,0 +1,23 @@ +--- +- name: Setup database + hosts: pgsqlserver + become: true + + roles: + - hydra_database + +- name: Install authorization server + hosts: authserver + become: true + + roles: + - hydra_server + - oidc_idp + - oidc_client_registration + +- name: Install demo application + hosts: demoserver + become: true + + roles: + - oidc_demo_application diff --git a/deployment/roles/hydra_database/README.md b/deployment/roles/hydra_database/README.md new file mode 100644 index 0000000..f8ab874 --- /dev/null +++ b/deployment/roles/hydra_database/README.md @@ -0,0 +1,38 @@ +Hydra Database +============== + +Setup a PostgreSQL database for [ORY Hydra](https://ory.sh/hydra/). + +Requirements +------------ + +The role expects a Debian system running Debian 10 or later. + +Role Variables +-------------- + +| Name | Description | Default | +| ------------------- | ----------------- | ------- | +| `hydra_db_name` | Database name | `hydra` | +| `hydra_db_user` | Database user | `hydra` | +| `hydra_db_password` | Database password | - | + + +Example Playbook +---------------- + +Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too: + + - hosts: servers + roles: + - hydra_database + +License +------- + +GPL-2.0-or-later + +Author Information +------------------ + +Jan Dittberner diff --git a/deployment/roles/hydra_database/defaults/main.yml b/deployment/roles/hydra_database/defaults/main.yml new file mode 100644 index 0000000..a1770a1 --- /dev/null +++ b/deployment/roles/hydra_database/defaults/main.yml @@ -0,0 +1,3 @@ +--- +hydra_db_name: hydra +hydra_db_user: hydra 
diff --git a/deployment/roles/hydra_database/handlers/main.yml b/deployment/roles/hydra_database/handlers/main.yml
new file mode 100644
index 0000000..d8a9d8e
--- /dev/null
+++ b/deployment/roles/hydra_database/handlers/main.yml
@@ -0,0 +1,2 @@
+---
+# handlers file for hydra_database
diff --git a/deployment/roles/hydra_database/meta/main.yml b/deployment/roles/hydra_database/meta/main.yml
new file mode 100644
index 0000000..a20271f
--- /dev/null
+++ b/deployment/roles/hydra_database/meta/main.yml
@@ -0,0 +1,17 @@
+galaxy_info:
+ author: Jan Dittberner
+ description: ORY Hydra database setup
+ company: CAcert
+ issue_tracker_url: https://code.cacert.org/cacert/oidc-parent/issues
+ license: GPL-2.0-or-later
+ min_ansible_version: 2.1
+ platforms:
+ - name: Debian
+ versions:
+ - buster
+ - bullseye
+ - bookworm
+
+ galaxy_tags: []
+
+dependencies: []
diff --git a/deployment/roles/hydra_database/tasks/main.yml b/deployment/roles/hydra_database/tasks/main.yml
new file mode 100644
index 0000000..c5bc6d3
--- /dev/null
+++ b/deployment/roles/hydra_database/tasks/main.yml
@@ -0,0 +1,29 @@
+---
+- name: Install PostgreSQL server
+ ansible.builtin.package:
+ name: postgresql
+ state: present
+
+- name: Create Hydra database
+ community.postgresql.postgresql_db:
+ name: "{{ hydra_db_name }}"
+ encoding: UTF-8
+ template: template0
+ state: present
+ become_user: postgres
+
+- name: Create Hydra database user
+ community.postgresql.postgresql_user:
+ name: "{{ hydra_db_user }}"
+ password: "{{ hydra_db_password }}"
+ state: present
+ become_user: postgres
+
+- name: Grant permissions on Hydra database to Hydra database user
+ community.postgresql.postgresql_privs:
+ database: "{{ hydra_db_name }}"
+ state: present
+ privs: CREATE,CONNECT
+ type: database
+ role: "{{ hydra_db_user }}"
+ become_user: postgres
diff --git a/deployment/roles/hydra_server/README.md b/deployment/roles/hydra_server/README.md
new file mode 100644
index 0000000..225dd44
--- /dev/null
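Review bot: The `community.postgresql.*` tasks need the psycopg2 driver on the managed host, and the first task installs only `postgresql`, so on a fresh Debian system `Create Hydra database` fails with a missing Python module before anything is created; install both, `name: [postgresql, python3-psycopg2]`. meta/main.yml also lists bookworm, which ships PostgreSQL 15, and as far as I recall that release no longer grants CREATE on the `public` schema to every role, so `privs: CREATE,CONNECT` on the database alone may not let the hydra user create its tables; creating the user before the database and passing `owner: "{{ hydra_db_user }}"` to `postgresql_db` avoids that without widening the grant. The database-level privilege set itself is appropriately narrow for an application role.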
+++ b/deployment/roles/hydra_server/README.md @@ -0,0 +1,38 @@ +Role Name +========= + +A brief description of the role goes here. + +Requirements +------------ + +Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required. + +Role Variables +-------------- + +A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well. + +Dependencies +------------ + +A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles. + +Example Playbook +---------------- + +Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too: + + - hosts: servers + roles: + - { role: username.rolename, x: 42 } + +License +------- + +BSD + +Author Information +------------------ + +An optional section for the role authors to include contact information, or a website (HTML is not allowed). diff --git a/deployment/roles/hydra_server/defaults/main.yml b/deployment/roles/hydra_server/defaults/main.yml new file mode 100644 index 0000000..357e185 --- /dev/null +++ b/deployment/roles/hydra_server/defaults/main.yml @@ -0,0 +1,2 @@ +--- +# defaults file for roles/hydra_server diff --git a/deployment/roles/hydra_server/handlers/main.yml b/deployment/roles/hydra_server/handlers/main.yml new file mode 100644 index 0000000..018486d --- /dev/null +++ b/deployment/roles/hydra_server/handlers/main.yml @@ -0,0 +1,2 @@ +--- +# handlers file for roles/hydra_server 
diff --git a/deployment/roles/hydra_server/meta/main.yml b/deployment/roles/hydra_server/meta/main.yml new file mode 100644 index 0000000..18848a7 --- /dev/null +++ b/deployment/roles/hydra_server/meta/main.yml @@ -0,0 +1,52 @@ +galaxy_info: + author: Jan Dittberner + description: Setup ORY Hydra server + company: CAcert + + # If the issue tracker for your role is not on github, uncomment the + # next line and provide a value + # issue_tracker_url: http://example.com/issue/tracker + + # Choose a valid license ID from https://spdx.org - some suggested licenses: + # - BSD-3-Clause (default) + # - MIT + # - GPL-2.0-or-later + # - GPL-3.0-only + # - Apache-2.0 + # - CC-BY-4.0 + license: GPL-2.0-or-later + + min_ansible_version: 2.1 + + # If this a Container Enabled role, provide the minimum Ansible Container version. + # min_ansible_container_version: + + # + # Provide a list of supported platforms, and for each platform a list of versions. + # If you don't wish to enumerate all versions for a particular platform, use 'all'. + # To view available platforms and versions (or releases), visit: + # https://galaxy.ansible.com/api/v1/platforms/ + # + # platforms: + # - name: Fedora + # versions: + # - all + # - 25 + # - name: SomePlatform + # versions: + # - all + # - 1.0 + # - 7 + # - 99.99 + + galaxy_tags: [] + # List tags for your role here, one per line. A tag is a keyword that describes + # and categorizes the role. Users find roles by searching for tags. Be sure to + # remove the '[]' above, if you add tags to this list. + # + # NOTE: A tag is limited to a single word comprised of alphanumeric characters. + # Maximum 20 tags per role. + +dependencies: [] + # List your role dependencies here, one per line. Be sure to remove the '[]' above, + # if you add dependencies to this list. diff --git a/deployment/roles/hydra_server/tasks/main.yml b/deployment/roles/hydra_server/tasks/main.yml new file mode 100644 index 0000000..ae54d2a --- /dev/null 
+++ b/deployment/roles/hydra_server/tasks/main.yml @@ -0,0 +1,2 @@ +--- +# tasks file for roles/hydra_server diff --git a/deployment/roles/hydra_server/vars/main.yml b/deployment/roles/hydra_server/vars/main.yml new file mode 100644 index 0000000..189ec15 --- /dev/null +++ b/deployment/roles/hydra_server/vars/main.yml @@ -0,0 +1,2 @@ +--- +# vars file for roles/hydra_server diff --git a/deployment/roles/oidc_client_registration/README.md b/deployment/roles/oidc_client_registration/README.md new file mode 100644 index 0000000..225dd44 --- /dev/null +++ b/deployment/roles/oidc_client_registration/README.md @@ -0,0 +1,38 @@ +Role Name +========= + +A brief description of the role goes here. + +Requirements +------------ + +Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required. + +Role Variables +-------------- + +A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well. + +Dependencies +------------ + +A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles. + +Example Playbook +---------------- + +Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too: + + - hosts: servers + roles: + - { role: username.rolename, x: 42 } + +License +------- + +BSD + +Author Information +------------------ + +An optional section for the role authors to include contact information, or a website (HTML is not allowed). 
diff --git a/deployment/roles/oidc_client_registration/defaults/main.yml b/deployment/roles/oidc_client_registration/defaults/main.yml new file mode 100644 index 0000000..ca4b246 --- /dev/null +++ b/deployment/roles/oidc_client_registration/defaults/main.yml @@ -0,0 +1,2 @@ +--- +# defaults file for roles/oidc_client_registration diff --git a/deployment/roles/oidc_client_registration/handlers/main.yml b/deployment/roles/oidc_client_registration/handlers/main.yml new file mode 100644 index 0000000..f9ded04 --- /dev/null +++ b/deployment/roles/oidc_client_registration/handlers/main.yml @@ -0,0 +1,2 @@ +--- +# handlers file for roles/oidc_client_registration diff --git a/deployment/roles/oidc_client_registration/meta/main.yml b/deployment/roles/oidc_client_registration/meta/main.yml new file mode 100644 index 0000000..c572acc --- /dev/null +++ b/deployment/roles/oidc_client_registration/meta/main.yml 
@@ -0,0 +1,52 @@ +galaxy_info: + author: your name + description: your role description + company: your company (optional) + + # If the issue tracker for your role is not on github, uncomment the + # next line and provide a value + # issue_tracker_url: http://example.com/issue/tracker + + # Choose a valid license ID from https://spdx.org - some suggested licenses: + # - BSD-3-Clause (default) + # - MIT + # - GPL-2.0-or-later + # - GPL-3.0-only + # - Apache-2.0 + # - CC-BY-4.0 + license: license (GPL-2.0-or-later, MIT, etc) + + min_ansible_version: 2.1 + + # If this a Container Enabled role, provide the minimum Ansible Container version. + # min_ansible_container_version: + + # + # Provide a list of supported platforms, and for each platform a list of versions. + # If you don't wish to enumerate all versions for a particular platform, use 'all'. + # To view available platforms and versions (or releases), visit: + # https://galaxy.ansible.com/api/v1/platforms/ + # + # platforms: + # - name: Fedora + # versions: + # - all + # - 25 + # - name: SomePlatform + # versions: + # - all + # - 1.0 + # - 7 + # - 99.99 + + galaxy_tags: [] + # List tags for your role here, one per line. A tag is a keyword that describes + # and categorizes the role. Users find roles by searching for tags. Be sure to + # remove the '[]' above, if you add tags to this list. + # + # NOTE: A tag is limited to a single word comprised of alphanumeric characters. + # Maximum 20 tags per role. + +dependencies: [] + # List your role dependencies here, one per line. Be sure to remove the '[]' above, + # if you add dependencies to this list. diff --git a/deployment/roles/oidc_client_registration/tasks/main.yml b/deployment/roles/oidc_client_registration/tasks/main.yml new file mode 100644 index 0000000..8662f7a --- /dev/null +++ b/deployment/roles/oidc_client_registration/tasks/main.yml @@ -0,0 +1,2 @@ +--- +# tasks file for roles/oidc_client_registration 
diff --git a/deployment/roles/oidc_client_registration/vars/main.yml b/deployment/roles/oidc_client_registration/vars/main.yml new file mode 100644 index 0000000..188961d --- /dev/null +++ b/deployment/roles/oidc_client_registration/vars/main.yml @@ -0,0 +1,2 @@ +--- +# vars file for roles/oidc_client_registration diff --git a/deployment/roles/oidc_demo_application/README.md b/deployment/roles/oidc_demo_application/README.md new file mode 100644 index 0000000..225dd44 --- /dev/null +++ b/deployment/roles/oidc_demo_application/README.md @@ -0,0 +1,38 @@ +Role Name +========= + +A brief description of the role goes here. + +Requirements +------------ + +Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required. + +Role Variables +-------------- + +A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well. + +Dependencies +------------ + +A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles. + +Example Playbook +---------------- + +Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too: + + - hosts: servers + roles: + - { role: username.rolename, x: 42 } + +License +------- + +BSD + +Author Information +------------------ + +An optional section for the role authors to include contact information, or a website (HTML is not allowed). 
diff --git a/deployment/roles/oidc_demo_application/defaults/main.yml b/deployment/roles/oidc_demo_application/defaults/main.yml new file mode 100644 index 0000000..a344905 --- /dev/null +++ b/deployment/roles/oidc_demo_application/defaults/main.yml @@ -0,0 +1,2 @@ +--- +# defaults file for roles/oidc_demo_application diff --git a/deployment/roles/oidc_demo_application/handlers/main.yml b/deployment/roles/oidc_demo_application/handlers/main.yml new file mode 100644 index 0000000..29cefff --- /dev/null +++ b/deployment/roles/oidc_demo_application/handlers/main.yml @@ -0,0 +1,2 @@ +--- +# handlers file for roles/oidc_demo_application diff --git a/deployment/roles/oidc_demo_application/meta/main.yml b/deployment/roles/oidc_demo_application/meta/main.yml new file mode 100644 index 0000000..c572acc --- /dev/null +++ b/deployment/roles/oidc_demo_application/meta/main.yml 
@@ -0,0 +1,52 @@ +galaxy_info: + author: your name + description: your role description + company: your company (optional) + + # If the issue tracker for your role is not on github, uncomment the + # next line and provide a value + # issue_tracker_url: http://example.com/issue/tracker + + # Choose a valid license ID from https://spdx.org - some suggested licenses: + # - BSD-3-Clause (default) + # - MIT + # - GPL-2.0-or-later + # - GPL-3.0-only + # - Apache-2.0 + # - CC-BY-4.0 + license: license (GPL-2.0-or-later, MIT, etc) + + min_ansible_version: 2.1 + + # If this a Container Enabled role, provide the minimum Ansible Container version. + # min_ansible_container_version: + + # + # Provide a list of supported platforms, and for each platform a list of versions. + # If you don't wish to enumerate all versions for a particular platform, use 'all'. + # To view available platforms and versions (or releases), visit: + # https://galaxy.ansible.com/api/v1/platforms/ + # + # platforms: + # - name: Fedora + # versions: + # - all + # - 25 + # - name: SomePlatform + # versions: + # - all + # - 1.0 + # - 7 + # - 99.99 + + galaxy_tags: [] + # List tags for your role here, one per line. A tag is a keyword that describes + # and categorizes the role. Users find roles by searching for tags. Be sure to + # remove the '[]' above, if you add tags to this list. + # + # NOTE: A tag is limited to a single word comprised of alphanumeric characters. + # Maximum 20 tags per role. + +dependencies: [] + # List your role dependencies here, one per line. Be sure to remove the '[]' above, + # if you add dependencies to this list. diff --git a/deployment/roles/oidc_demo_application/tasks/main.yml b/deployment/roles/oidc_demo_application/tasks/main.yml new file mode 100644 index 0000000..d02ffeb --- /dev/null +++ b/deployment/roles/oidc_demo_application/tasks/main.yml @@ -0,0 +1,2 @@ +--- +# tasks file for roles/oidc_demo_application 
diff --git a/deployment/roles/oidc_demo_application/vars/main.yml b/deployment/roles/oidc_demo_application/vars/main.yml new file mode 100644 index 0000000..b973543 --- /dev/null +++ b/deployment/roles/oidc_demo_application/vars/main.yml @@ -0,0 +1,2 @@ +--- +# vars file for roles/oidc_demo_application diff --git a/deployment/roles/oidc_idp/README.md b/deployment/roles/oidc_idp/README.md new file mode 100644 index 0000000..225dd44 --- /dev/null +++ b/deployment/roles/oidc_idp/README.md @@ -0,0 +1,38 @@ +Role Name +========= + +A brief description of the role goes here. + +Requirements +------------ + +Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required. + +Role Variables +-------------- + +A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well. + +Dependencies +------------ + +A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles. + +Example Playbook +---------------- + +Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too: + + - hosts: servers + roles: + - { role: username.rolename, x: 42 } + +License +------- + +BSD + +Author Information +------------------ + +An optional section for the role authors to include contact information, or a website (HTML is not allowed). 
diff --git a/deployment/roles/oidc_idp/defaults/main.yml b/deployment/roles/oidc_idp/defaults/main.yml new file mode 100644 index 0000000..3f81055 --- /dev/null +++ b/deployment/roles/oidc_idp/defaults/main.yml @@ -0,0 +1,2 @@ +--- +# defaults file for roles/oidc_idp diff --git a/deployment/roles/oidc_idp/handlers/main.yml b/deployment/roles/oidc_idp/handlers/main.yml new file mode 100644 index 0000000..abef7bb --- /dev/null +++ b/deployment/roles/oidc_idp/handlers/main.yml @@ -0,0 +1,2 @@ +--- +# handlers file for roles/oidc_idp diff --git a/deployment/roles/oidc_idp/meta/main.yml b/deployment/roles/oidc_idp/meta/main.yml new file mode 100644 index 0000000..c572acc --- /dev/null +++ b/deployment/roles/oidc_idp/meta/main.yml 
@@ -0,0 +1,52 @@ +galaxy_info: + author: your name + description: your role description + company: your company (optional) + + # If the issue tracker for your role is not on github, uncomment the + # next line and provide a value + # issue_tracker_url: http://example.com/issue/tracker + + # Choose a valid license ID from https://spdx.org - some suggested licenses: + # - BSD-3-Clause (default) + # - MIT + # - GPL-2.0-or-later + # - GPL-3.0-only + # - Apache-2.0 + # - CC-BY-4.0 + license: license (GPL-2.0-or-later, MIT, etc) + + min_ansible_version: 2.1 + + # If this a Container Enabled role, provide the minimum Ansible Container version. + # min_ansible_container_version: + + # + # Provide a list of supported platforms, and for each platform a list of versions. + # If you don't wish to enumerate all versions for a particular platform, use 'all'. + # To view available platforms and versions (or releases), visit: + # https://galaxy.ansible.com/api/v1/platforms/ + # + # platforms: + # - name: Fedora + # versions: + # - all + # - 25 + # - name: SomePlatform + # versions: + # - all + # - 1.0 + # - 7 + # - 99.99 + + galaxy_tags: [] + # List tags for your role here, one per line. A tag is a keyword that describes + # and categorizes the role. Users find roles by searching for tags. Be sure to + # remove the '[]' above, if you add tags to this list. + # + # NOTE: A tag is limited to a single word comprised of alphanumeric characters. + # Maximum 20 tags per role. + +dependencies: [] + # List your role dependencies here, one per line. Be sure to remove the '[]' above, + # if you add dependencies to this list. diff --git a/deployment/roles/oidc_idp/tasks/main.yml b/deployment/roles/oidc_idp/tasks/main.yml new file mode 100644 index 0000000..3ea98dc --- /dev/null +++ b/deployment/roles/oidc_idp/tasks/main.yml @@ -0,0 +1,2 @@ +--- +# tasks file for roles/oidc_idp 
diff --git a/deployment/roles/oidc_idp/vars/main.yml b/deployment/roles/oidc_idp/vars/main.yml new file mode 100644 index 0000000..7533e99 --- /dev/null +++ b/deployment/roles/oidc_idp/vars/main.yml @@ -0,0 +1,2 @@ +--- +# vars file for roles/oidc_idp From 9791658838cfcf0d7197088b58d04cd9fa8e1e0f Mon Sep 17 00:00:00 2001 From: Jan Dittberner Date: Thu, 11 Aug 2022 12:09:43 +0200 Subject: [PATCH 02/33] Start Hydra server role implementation - Define localhost variant of Hydra parameters - Download and unpack Hydra - Create configuration file - Create certificates using mkcert --- deployment/inventory/group_vars/all.yml | 2 +- deployment/inventory/host_vars/localhost.yml | 33 +++++ .../roles/hydra_server/defaults/main.yml | 8 +- deployment/roles/hydra_server/tasks/main.yml | 119 +++++++++++++++++- .../roles/hydra_server/templates/hydra.yml.j2 | 46 +++++++ 5 files changed, 205 insertions(+), 3 deletions(-) create mode 100644 deployment/inventory/host_vars/localhost.yml create mode 100644 deployment/roles/hydra_server/templates/hydra.yml.j2 diff --git a/deployment/inventory/group_vars/all.yml b/deployment/inventory/group_vars/all.yml index 6a325aa..1acb311 100644 --- a/deployment/inventory/group_vars/all.yml +++ b/deployment/inventory/group_vars/all.yml @@ -1,2 +1,2 @@ --- -hydra_db_password: hydra +hydra_home: /srv/hydra diff --git a/deployment/inventory/host_vars/localhost.yml b/deployment/inventory/host_vars/localhost.yml new file mode 100644 index 0000000..c5899a6 --- /dev/null +++ b/deployment/inventory/host_vars/localhost.yml 
@@ -0,0 +1,33 @@
+---
+# this is for a localhost deployment, database passwords for public servers
+# must be different random values encrypted via ansible-vault
+hydra_db_password: hydra
+hydra_db_host: localhost
+hydra_db_port: 5432
+hydra_version: "1.11.9"
+hydra_checksum: "0e38096a45ae411f70b95beaad69a5335a16cf34c4963724beef3ebce37c283c"
+hydra_tls:
+ cert: "{{ hydra_home }}/etc/hydra.cacert.localhost+1.pem"
+ key: "{{ hydra_home }}/etc/hydra.cacert.localhost+1-key.pem"
+# this is for a localhost deployment, secrets for public servers must be
+# different random values encrypted via ansible-vault
+hydra_system_secret: "AczA+NZ25Ye9eAreglv5bo9XcND6uwBQHVUYCvPfwXo="
+
+oidc_urls:
+ hydra_admin:
+ host: hydra.cacert.localhost
+ port: 4445
+ hydra_public:
+ host: auth.cacert.localhost
+ port: 4444
+ idp:
+ host: login.cacert.localhost
+ port: 3000
+ demoapp:
+ host: app.cacert.localhost
+ port: 4000
+ register:
+ host: register.cacert.localhost
+ port: 5000
+
+use_mkcert: true
diff --git a/deployment/roles/hydra_server/defaults/main.yml b/deployment/roles/hydra_server/defaults/main.yml
index 357e185..6c71d8d 100644
--- a/deployment/roles/hydra_server/defaults/main.yml
+++ b/deployment/roles/hydra_server/defaults/main.yml
@@ -1,2 +1,8 @@
 ---
-# defaults file for roles/hydra_server
+hydra_db_name: hydra
+hydra_db_user: hydra
+hydra_os_group: hydra
+hydra_os_user: hydra
+hydra_home: /srv/hydra
+
+use_mkcert: false
diff --git a/deployment/roles/hydra_server/tasks/main.yml b/deployment/roles/hydra_server/tasks/main.yml
index ae54d2a..f7a27a2 100644
--- a/deployment/roles/hydra_server/tasks/main.yml
+++ b/deployment/roles/hydra_server/tasks/main.yml
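Review bot: `hydra_system_secret` is a fixed value committed in clear text; the comment restricts it to localhost, but every clone of the repository then shares one Hydra system secret, and copying this host_vars file for another host is the obvious way for it to escape. Generating it on first run keeps the file usable without a shared constant, e.g. `hydra_system_secret: "{{ lookup('ansible.builtin.password', inventory_dir ~ '/.hydra_system_secret length=32') }}"` with that file ignored by git, or vault-encrypting the value even here. The two identical `# this is for a localhost deployment …` comments could be merged into one at the top of the file. For a host with `use_mkcert: false` the hydra_server tasks read `hydra_tls.certdata` and `hydra_tls.keydata`, which this example does not show and the role README (still the Galaxy template) does not document yet.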
@@ -1,2 +1,119 @@ --- -# tasks file for roles/hydra_server +- name: Create Hydra group + ansible.builtin.group: + name: "{{ hydra_os_group }}" + state: present + system: true + +- name: Create Hydra user + ansible.builtin.user: + name: "{{ hydra_os_user }}" + group: "{{ hydra_os_group }}" + home: "{{ hydra_home }}" + state: present + system: true + + +- name: Create Hydra directories + ansible.builtin.file: + path: "{{hydra_home }}/{{ item.path }}" + owner: "{{ hydra_os_user }}" + group: "{{ hydra_os_group }}" + mode: "{{ item.mode }}" + state: directory + loop: + - { path: etc, mode: '0750' } + - { path: bin, mode: '0750' } + - { path: download, mode: '0750' } + + +- name: Download Hydra binary + ansible.builtin.get_url: + url: "https://github.com/ory/hydra/releases/download/v{{ hydra_version }}/hydra_{{ hydra_version }}-linux_64bit.tar.gz" + dest: "{{ hydra_home }}/download/hydra_{{ hydra_version }}-linux_64bit.tar.gz" + checksum: "sha256:{{ hydra_checksum }}" + owner: "{{ hydra_os_user }}" + group: "{{ hydra_os_group }}" + mode: '0640' + +- name: Extract Hydra binary + ansible.builtin.unarchive: + remote_src: true + src: "{{ hydra_home }}/download/hydra_{{ hydra_version }}-linux_64bit.tar.gz" + dest: "{{ hydra_home }}/bin" + owner: root + group: "{{ hydra_os_group }}" + include: 'hydra' + mode: '0750' + +- name: Create Hydra configuration + ansible.builtin.template: + src: hydra.yml.j2 + dest: "{{ hydra_home }}/etc/hydra.yml" + owner: root + group: "{{ hydra_os_group }}" + mode: '0640' + +- name: Check whether certificate exists + ansible.builtin.stat: + path: "{{ hydra_tls.cert }}" + register: hydra_cert_st + +- name: Create Hydra key and certificate with mkcert + block: + + - name: Install mkcert CA + ansible.builtin.command: + cmd: mkcert -install + + - name: Create temporary directory for Hydra key and certificate + ansible.builtin.tempfile: + prefix: "hydra-cert." 
+ state: directory + register: hydra_cert_temp_dir + + - name: Create Hydra key and certificate + ansible.builtin.command: + cmd: "mkcert -cert-file {{ hydra_cert_temp_dir.path }}/hydra.pem -key-file {{ hydra_cert_temp_dir.path }}/hydra.key.pem {{ oidc_urls.hydra_admin.host }} {{ oidc_urls.hydra_public.host }}" + + - name: Move Hydra certificate and key to target + ansible.builtin.copy: + src: "{{ hydra_cert_temp_dir.path }}/{{ item.src }}" + dest: "{{ item.dest }}" + owner: root + group: "{{ hydra_os_group }}" + mode: "{{ item.mode }}" + remote_src: true + loop: + - { src: hydra.pem, dest: "{{ hydra_tls.cert }}", mode: '0644' } + - { src: hydra.key.pem, dest: "{{ hydra_tls.key }}", mode: '0640' } + become: true + + - name: Remove temporary directory + ansible.builtin.file: + path: "{{ hydra_cert_temp_dir.path }}" + state: absent + + when: use_mkcert and not hydra_cert_st.stat.exists + become: false + +- name: Copy Hydra key and certificate from inventory + block: + + - name: Copy Hydra certificate + ansible.builtin.copy: + dest: "{{ hydra_tls.cert }}" + owner: root + group: "{{ hydra_os_group }}" + mode: '0644' + content: "{{ hydra_tls.certdata }}" + + - name: Copy Hydra key + ansible.builtin.copy: + dest: "{{ hydra_tls.key }}" + owner: root + group: "{{ hydra_os_group }}" + mode: '0640' + content: "{{ hydra_tls.keydata }}" + + when: not use_mkcert diff --git a/deployment/roles/hydra_server/templates/hydra.yml.j2 b/deployment/roles/hydra_server/templates/hydra.yml.j2 new file mode 100644 index 0000000..358aa84 --- /dev/null +++ b/deployment/roles/hydra_server/templates/hydra.yml.j2 
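Review bot: The `Copy Hydra key` task in the inventory-copy block passes the private key through `content: "{{ hydra_tls.keydata }}"`, and Ansible prints module arguments on failure and at higher verbosity, so the key material can end up in console output and logs; add `no_log: true` to that task (the certificate task can stay loggable). The same applies to the `Copy IDP key` task in the oidc_idp tasks hunk of PATCH 08. Separately, `path: "{{hydra_home }}/{{ item.path }}"` in `Create Hydra directories` is missing the space after `{{`; it renders correctly but differs from every other expression in the file.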
@@ -0,0 +1,46 @@ +--- +serve: + admin: + host: {{ oidc_urls.hydra_admin.host }} + public: + host: {{ oidc_urls.hydra_public.host }} + tls: + cert: + path: {{ hydra_tls.cert }} + key: + path: {{ hydra_tls.key }} +dsn: 'postgres://{{ hydra_db_user }}:{{ hydra_db_password }}@{{ hydra_db_host }}:{{ hydra_db_port }}/{{ hydra_db_name }}' + +webfinger: + oidc_discovery: + supported_claims: + - email + - email_verified + - given_name + - family_name + - middle_name + - name + - birthdate + - zoneinfo + - locale + - https://auth.cacert.org/groups + supported_scope: + - profile + - email + +oauth2: + expose_internal_errors: false + +urls: + login: https://{{ oidc_urls.idp.host }}:{{ oidc_urls.idp.port }}/login + consent: https://{{ oidc_urls.idp.host }}:{{ oidc_urls.idp.port }}/consent + logout: https://{{ oidc_urls.idp.host }}:{{ oidc_urls.idp.port }}/logout + error: https://{{ oidc_urls.idp.host }}:{{ oidc_urls.idp.port }}/error + post_logout_redirect: https://{{ oidc_urls.idp.host }}:{{ oidc_urls.idp.port }}/logout-successful + self: + public: https://{{ oidc_urls.hydra_public.host }}:{{ oidc_urls.hydra_public.port }}/ + issuer: https://{{ oidc_urls.hydra_public.host }}:{{ oidc_urls.hydra_public.port }}/ + +secrets: + system: + - "{{ hydra_system_secret }}" From f0d279789a75973ca3f366c26ee351e1308a0517 Mon Sep 17 00:00:00 2001 
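Review bot: Every templated scalar in hydra.yml.j2 other than `dsn` is rendered unquoted (`host: {{ ... }}`, `path: {{ hydra_tls.cert }}`, the `urls:` entries), so the typing of the generated file depends on what the variables expand to: an empty value becomes `null`, and a value containing `: ` or ` #` breaks the parse. Quoting at the template level, e.g. `path: "{{ hydra_tls.cert }}"` and `host: "{{ oidc_urls.hydra_admin.host }}"`, keeps the rendered config a string regardless of inventory content. The same template is touched again in PATCH 03 and PATCH 05, where the new `host:`/`port:` lines could get the quotes at the same time.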
From: Jan Dittberner Date: Tue, 16 Aug 2022 16:22:36 +0200 Subject: [PATCH 03/33] Setup Hydra systemd service - run migrations before start - register systemd unit - start service - define localhost as default listening address --- deployment/playbooks/01_install_cacert_oidc.yml | 7 +++++++ deployment/roles/hydra_server/handlers/main.yml | 7 ++++++- deployment/roles/hydra_server/tasks/main.yml | 14 ++++++++++++++ .../roles/hydra_server/templates/hydra.service.j2 | 13 +++++++++++++ .../roles/hydra_server/templates/hydra.yml.j2 | 6 ++++-- 5 files changed, 44 insertions(+), 3 deletions(-) create mode 100644 deployment/roles/hydra_server/templates/hydra.service.j2 diff --git a/deployment/playbooks/01_install_cacert_oidc.yml b/deployment/playbooks/01_install_cacert_oidc.yml index 01fc695..5032556 100644 --- a/deployment/playbooks/01_install_cacert_oidc.yml +++ b/deployment/playbooks/01_install_cacert_oidc.yml @@ -3,6 +3,13 @@ hosts: pgsqlserver become: true + pre_tasks: + + - name: Install python3-psycopg2 + ansible.builtin.package: + name: python3-psycopg2 + state: present + roles: - hydra_database diff --git a/deployment/roles/hydra_server/handlers/main.yml b/deployment/roles/hydra_server/handlers/main.yml index 018486d..63b31e8 100644 --- a/deployment/roles/hydra_server/handlers/main.yml +++ b/deployment/roles/hydra_server/handlers/main.yml @@ -1,2 +1,7 @@ --- -# handlers file for roles/hydra_server +- name: hydra_systemd_reload + ansible.builtin.systemd: + state: started + name: hydra + daemon_reload: true + enabled: true diff --git a/deployment/roles/hydra_server/tasks/main.yml b/deployment/roles/hydra_server/tasks/main.yml index f7a27a2..72a9385 100644 --- a/deployment/roles/hydra_server/tasks/main.yml +++ b/deployment/roles/hydra_server/tasks/main.yml 
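Review bot: The `hydra_systemd_reload` handler uses `state: started`, which is a no-op for an already running unit, so after the first deployment a changed unit file (`notify: hydra_systemd_reload` in the tasks hunk of this commit) and later a changed `hydra.yml` (PATCH 06) reload the daemon definitions but never restart Hydra with the new configuration. `state: restarted` keeps the enable and daemon_reload behaviour and actually applies the change; `daemon_reload: true` is still needed for the unit file. The `idp_systemd_reload` handler added in PATCH 08 has the same shape.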
@@ -117,3 +117,17 @@ content: "{{ hydra_tls.keydata }}" when: not use_mkcert + +- name: Run Hydra SQL migrations + ansible.builtin.command: + cmd: "{{ hydra_home }}/bin/hydra migrate sql --yes --read-from-env --config {{ hydra_home }}/etc/hydra.yml" + changed_when: false + +- name: Create systemd unit file + ansible.builtin.template: + src: hydra.service.j2 + dest: /etc/systemd/system/hydra.service + owner: root + group: root + mode: "0640" + notify: hydra_systemd_reload diff --git a/deployment/roles/hydra_server/templates/hydra.service.j2 b/deployment/roles/hydra_server/templates/hydra.service.j2 new file mode 100644 index 0000000..92bc507 --- /dev/null +++ b/deployment/roles/hydra_server/templates/hydra.service.j2 @@ -0,0 +1,13 @@ +[Unit] +Description=ORY Hydra OAuth2/OpenID Connect API server +After=network.target +Documentation=https://www.ory.sh/docs/hydra/ + +[Service] +ExecStart={{ hydra_home }}/bin/hydra serve all --config "{{ hydra_home }}/etc/hydra.yml" +WorkingDirectory={{ hydra_home }} +User={{ hydra_os_user }} +Group={{ hydra_os_group }} + +[Install] +WantedBy=multi-user.target diff --git a/deployment/roles/hydra_server/templates/hydra.yml.j2 b/deployment/roles/hydra_server/templates/hydra.yml.j2 index 358aa84..de94340 100644 --- a/deployment/roles/hydra_server/templates/hydra.yml.j2 +++ b/deployment/roles/hydra_server/templates/hydra.yml.j2 @@ -1,9 +1,11 @@ --- serve: admin: - host: {{ oidc_urls.hydra_admin.host }} + host: {{ oidc_urls.hydra_admin.address | default("localhost") }} + port: {{ oidc_urls.hydra_admin.port | default("4445") }} public: - host: {{ oidc_urls.hydra_public.host }} + host: {{ oidc_urls.hydra_public.address | default("localhost") }} + port: {{ oidc_urls.hydra_public.port | default("4444") }} tls: cert: path: {{ hydra_tls.cert }} From bfa60b9288b7f1747b145768ba3c31ad783239a7 Mon Sep 17 00:00:00 2001 
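Review bot: hydra.service.j2 runs Hydra as its own user but applies none of systemd's sandboxing, although the process reads a config holding the database password and the system secret and listens on the network; `NoNewPrivileges=true`, `PrivateTmp=true` and `ProtectSystem=full` in `[Service]` are low-risk additions for a binary that only needs to read `{{ hydra_home }}`. `After=network.target` also does not wait until the database can be reached; if PostgreSQL runs on the same host, `After=postgresql.service` is the usual fix, and `Restart=on-failure` keeps a failed first connection from leaving the service down. Whether Hydra ever writes below `{{ hydra_home }}` is not visible here, so `ProtectSystem=strict` would need checking before use.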
From: Jan Dittberner Date: Wed, 17 Aug 2022 20:30:03 +0200 Subject: [PATCH 04/33] Add Makefile based build process This commit updates the submodules to versions that contain a Makefile to automate their builds. A main Makefile has been added to orchestrate the builds. --- Makefile | 24 ++++++++++++++++++++++++ cacert_resources | 2 +- oidc_app | 2 +- oidc_idp | 2 +- oidc_registration | 2 +- 5 files changed, 28 insertions(+), 4 deletions(-) create mode 100644 Makefile diff --git a/Makefile b/Makefile new file mode 100644 index 0000000..5325275 --- /dev/null +++ b/Makefile @@ -0,0 +1,24 @@ +SUBDIRS = cacert_resources oidc_app oidc_idp oidc_registration + +all: oidc_app/demo-app oidc_idp/cacert-idp oidc_registration/cacert-oidc-registration + +oidc_app/demo-app: force_look + echo building demo app : $(MAKE) $(MFLAGS) + cd oidc_app ; $(MAKE) $(MFLAGS) + +oidc_idp/cacert-idp: force_look + echo building CAcert IDP : $(MAKE) $(MFLAGS) + cd oidc_idp ; $(MAKE) $(MFLAGS) + +oidc_registration/cacert-oidc-registration: force_look + echo building CAcert client registration: $(MAKE) $(MFLAGS) + cd oidc_registration ; $(MAKE) $(MFLAGS) + +clean: + echo cleaning up in . + -for d in $(SUBDIRS) ; do ( cd $$d; $(MAKE) clean ); done + +force_look: + true + +.PHONY: all clean diff --git a/cacert_resources b/cacert_resources index 5cbcbef..ad14916 160000 --- a/cacert_resources +++ b/cacert_resources @@ -1 +1 @@ -Subproject commit 5cbcbefac6f05fa6537b6a925cc29118a5ecc571 +Subproject commit ad14916ba5ca4e89b3f97b7d22be0321d35ae4f9 diff --git a/oidc_app b/oidc_app index c69e8d2..294f237 160000 --- a/oidc_app +++ b/oidc_app @@ -1 +1 @@ -Subproject commit c69e8d29805af1ad9abab2e6318f3b1c3b45a557 +Subproject commit 294f2372e1c6bcb65a614e498ff127d3e032345c diff --git a/oidc_idp b/oidc_idp index 26447f9..2affaa2 160000 --- a/oidc_idp +++ b/oidc_idp @@ -1 +1 @@ -Subproject commit 26447f99c92e346ca5823f84db8822e1988f726d +Subproject commit 2affaa21506db92731685bc3ab67679604147243 
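Review bot: The per-target recipes chain `cd <dir> ; $(MAKE) $(MFLAGS)` with `;`, so if a submodule directory is missing (submodules not initialised) the `cd` fails, the shell continues, and `make` runs recursively in the top-level directory instead of aborting; `cd oidc_app && $(MAKE) $(MFLAGS)` (same for the other two targets and the `( cd $$d; $(MAKE) clean )` loop, where a failed `cd` would presumably recurse into the top-level `clean` forever) stops at the failed `cd`. `force_look` is also not listed in `.PHONY`, so a file of that name would make every build target up to date; `.PHONY: all clean force_look` fixes it. The `echo building ... : $(MAKE) $(MFLAGS)` lines print the make invocation rather than a message, which may or may not be intended.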
diff --git a/oidc_registration b/oidc_registration index 0c88fb5..be90065 160000 --- a/oidc_registration +++ b/oidc_registration @@ -1 +1 @@ -Subproject commit 0c88fb544734d07a2d61e87b9084ee6fdc274cff +Subproject commit be9006546dbad89aef476d2096c91b14fad2a3f4 From 5daa87ca903d88ef7d3d2f2c9362c238b7f49e1e Mon Sep 17 00:00:00 2001 From: Jan Dittberner Date: Thu, 18 Aug 2022 11:58:24 +0200 Subject: [PATCH 05/33] Add local preconditions and Vagrantfile This commit adds a role to ensure local preconditions (i.e. mkcert) and a Vagrantfile to test the ansible playbook in a local virtual machine. --- .gitignore | 1 + README.md | 31 +++++++++++++++++++ Vagrantfile | 28 +++++++++++++++++ .../01_install_cacert_oidc.yml | 16 +++++++++- deployment/{inventory => }/group_vars/all.yml | 0 .../{inventory => }/host_vars/localhost.yml | 3 +- deployment/host_vars/oidcbox.yml | 31 +++++++++++++++++++ deployment/roles/hydra_database/README.md | 2 +- deployment/roles/hydra_database/meta/main.yml | 2 +- .../roles/hydra_server/defaults/main.yml | 3 ++ deployment/roles/hydra_server/tasks/main.yml | 10 ++---- .../roles/hydra_server/templates/hydra.yml.j2 | 2 +- deployment/roles/prepare_devtools/README.md | 14 +++++++++ .../roles/prepare_devtools/defaults/main.yml | 3 ++ .../roles/prepare_devtools/meta/main.yml | 19 ++++++++++++ .../roles/prepare_devtools/tasks/main.yml | 28 +++++++++++++++++ 16 files changed, 180 insertions(+), 13 deletions(-) create mode 100644 Vagrantfile rename deployment/{playbooks => }/01_install_cacert_oidc.yml (50%) rename deployment/{inventory => }/group_vars/all.yml (100%) rename deployment/{inventory => }/host_vars/localhost.yml (89%) create mode 100644 deployment/host_vars/oidcbox.yml create mode 100644 deployment/roles/prepare_devtools/README.md create mode 100644 deployment/roles/prepare_devtools/defaults/main.yml create mode 100644 deployment/roles/prepare_devtools/meta/main.yml create mode 100644 deployment/roles/prepare_devtools/tasks/main.yml 
diff --git a/.gitignore b/.gitignore index 85e7c1d..ae91c4c 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1,2 @@ /.idea/ +/.vagrant/ diff --git a/README.md b/README.md index cce68f0..d86f5a8 100644 --- a/README.md +++ b/README.md @@ -19,3 +19,34 @@ git config submodule.recurse true - setup IDP (provides login and consent screens) - setup demo application - setup setup OpenID Connect client registration application + +## Local development setup + +Make sure you have the necessary prerequisites installed (tested on Debian 11 +Bullseye) and `~/.local/bin` is in your `$PATH` variable: + +```shell +sudo apt update +sudo apt install make python3-pip python3-psycopg2 golang-go yarnpkg +python3 -m pip install --user -U pip +python3 -m pip install --user ansible +export PATH=$HOME/.local/bin:$PATH +``` + +*Note:* It is a good idea to put the `PATH` export line into your `.bashrc` or +`.zshenv`. + +Use `make` to build the web app resources and applications: + +```shell +make +``` + +Use `ansible-playbook` to deploy Hydra, IDP, Client registration and the demo +application: + +```shell +cd deployment +ansible-playbook 01_install_cacert_oidc.yml +``` + diff --git a/Vagrantfile b/Vagrantfile new file mode 100644 index 0000000..93e3ec9 --- /dev/null +++ b/Vagrantfile 
@@ -0,0 +1,28 @@ +# -*- mode: ruby -*- +# vi: set ft=ruby : + +Vagrant.configure("2") do |config| + config.vm.box = "generic/debian11" + + config.vm.define "oidcbox" + + config.vm.network "forwarded_port", guest: 4444, host: 4444, host_ip: "127.0.0.1" + config.vm.network "forwarded_port", guest: 3000, host: 3000, host_ip: "127.0.0.1" + config.vm.network "forwarded_port", guest: 4000, host: 4000, host_ip: "127.0.0.1" + config.vm.network "forwarded_port", guest: 5000, host: 5000, host_ip: "127.0.0.1" + + config.vm.provider "libvirt" do |lv| + lv.memory = "2048" + lv.cpus = 2 + lv.machine_virtual_size = 10 + end + config.vm.provision "ansible" do |ansible| + ansible.playbook = "deployment/01_install_cacert_oidc.yml" + ansible.verbose = true + ansible.groups = { + "pgsqlserver" => ["oidcbox"], + "authserver" => ["oidcbox"], + "demoserver" => ["oidcbox"] + } + end +end diff --git a/deployment/playbooks/01_install_cacert_oidc.yml b/deployment/01_install_cacert_oidc.yml similarity index 50% rename from deployment/playbooks/01_install_cacert_oidc.yml rename to deployment/01_install_cacert_oidc.yml index 5032556..1b7cc20 100644 --- a/deployment/playbooks/01_install_cacert_oidc.yml +++ b/deployment/01_install_cacert_oidc.yml @@ -1,15 +1,29 @@ --- +- name: Install development tools + hosts: all + become: false + + roles: + - prepare_devtools + - name: Setup database hosts: pgsqlserver become: true pre_tasks: - - name: Install python3-psycopg2 + - name: Install package python3-psycopg2 ansible.builtin.package: name: python3-psycopg2 state: present + # The ACL package is required to run commands as the postgres user + # See https://docs.ansible.com/ansible-core/2.12/user_guide/become.html#risks-of-becoming-an-unprivileged-user + - name: Install package acl + ansible.builtin.package: + name: acl + state: present + roles: - hydra_database 
diff --git a/deployment/inventory/group_vars/all.yml b/deployment/group_vars/all.yml similarity index 100% rename from deployment/inventory/group_vars/all.yml rename to deployment/group_vars/all.yml diff --git a/deployment/inventory/host_vars/localhost.yml b/deployment/host_vars/localhost.yml similarity index 89% rename from deployment/inventory/host_vars/localhost.yml rename to deployment/host_vars/localhost.yml index c5899a6..835cab3 100644 --- a/deployment/inventory/host_vars/localhost.yml +++ b/deployment/host_vars/localhost.yml @@ -4,8 +4,6 @@ hydra_db_password: hydra hydra_db_host: localhost hydra_db_port: 5432 -hydra_version: "1.11.9" -hydra_checksum: "0e38096a45ae411f70b95beaad69a5335a16cf34c4963724beef3ebce37c283c" hydra_tls: cert: "{{ hydra_home }}/etc/hydra.cacert.localhost+1.pem" key: "{{ hydra_home }}/etc/hydra.cacert.localhost+1-key.pem" @@ -18,6 +16,7 @@ oidc_urls: host: hydra.cacert.localhost port: 4445 hydra_public: + address: localhost host: auth.cacert.localhost port: 4444 idp: diff --git a/deployment/host_vars/oidcbox.yml b/deployment/host_vars/oidcbox.yml new file mode 100644 index 0000000..ba93a1d --- /dev/null +++ b/deployment/host_vars/oidcbox.yml 
@@ -0,0 +1,31 @@ +--- +# this is for a localhost deployment, database passwords for public servers +# must be different random values encrypted via ansible-vault +hydra_db_password: hydra +hydra_db_host: localhost +hydra_db_port: 5432 +hydra_tls: + cert: "{{ hydra_home }}/etc/hydra.cacert.localhost+1.pem" + key: "{{ hydra_home }}/etc/hydra.cacert.localhost+1-key.pem" +# this is for a localhost deployment, secrets for public servers must be +# different random values encrypted via ansible-vault +hydra_system_secret: "AczA+NZ25Ye9eAreglv5bo9XcND6uwBQHVUYCvPfwXo=" + +oidc_urls: + hydra_admin: + host: hydra.cacert.localhost + port: 4445 + hydra_public: + host: auth.cacert.localhost + port: 4444 + idp: + host: login.cacert.localhost + port: 3000 + demoapp: + host: app.cacert.localhost + port: 4000 + register: + host: register.cacert.localhost + port: 5000 + +use_mkcert: true diff --git a/deployment/roles/hydra_database/README.md b/deployment/roles/hydra_database/README.md index f8ab874..38a8f85 100644 --- a/deployment/roles/hydra_database/README.md +++ b/deployment/roles/hydra_database/README.md @@ -6,7 +6,7 @@ Setup a PostgreSQL database for [ORY Hydra](https://ory.sh/hydra/). Requirements ------------ -The role expects a Debian system running Debian 10 or later. +The role expects a Debian system running Debian 11 or later. Role Variables -------------- diff --git a/deployment/roles/hydra_database/meta/main.yml b/deployment/roles/hydra_database/meta/main.yml index a20271f..fbaf1a6 100644 --- a/deployment/roles/hydra_database/meta/main.yml +++ b/deployment/roles/hydra_database/meta/main.yml @@ -1,3 +1,4 @@ +--- galaxy_info: author: Jan Dittberner description: ORY Hydra database setup @@ -8,7 +9,6 @@ galaxy_info: platforms: - name: Debian versions: - - buster - bullseye - bookworm diff --git a/deployment/roles/hydra_server/defaults/main.yml b/deployment/roles/hydra_server/defaults/main.yml index 6c71d8d..a1c1c9f 100644 
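Review bot: host_vars/oidcbox.yml repeats the `hydra_db_password`, `hydra_system_secret` and `oidc_urls` block of host_vars/localhost.yml verbatim, so the one plain-text secret is now committed twice and any future rotation has to find both copies. Since both hosts are dev-only, the shared values could live once in a group_vars file for a dev group, with only the per-host differences kept in host_vars; the copied comment about vault-encrypted values for public servers then needs to exist only once. Unlike localhost.yml, `oidc_urls.hydra_public` here has no `address:` key, which is presumably intentional so the template default applies inside the VM.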
--- a/deployment/roles/hydra_server/defaults/main.yml +++ b/deployment/roles/hydra_server/defaults/main.yml @@ -5,4 +5,7 @@ hydra_os_group: hydra hydra_os_user: hydra hydra_home: /srv/hydra +hydra_version: "1.11.9" +hydra_checksum: "0e38096a45ae411f70b95beaad69a5335a16cf34c4963724beef3ebce37c283c" + use_mkcert: false diff --git a/deployment/roles/hydra_server/tasks/main.yml b/deployment/roles/hydra_server/tasks/main.yml index 72a9385..a474f50 100644 --- a/deployment/roles/hydra_server/tasks/main.yml +++ b/deployment/roles/hydra_server/tasks/main.yml @@ -62,10 +62,6 @@ - name: Create Hydra key and certificate with mkcert block: - - name: Install mkcert CA - ansible.builtin.command: - cmd: mkcert -install - - name: Create temporary directory for Hydra key and certificate ansible.builtin.tempfile: prefix: "hydra-cert." @@ -74,7 +70,7 @@ - name: Create Hydra key and certificate ansible.builtin.command: - cmd: "mkcert -cert-file {{ hydra_cert_temp_dir.path }}/hydra.pem -key-file {{ hydra_cert_temp_dir.path }}/hydra.key.pem {{ oidc_urls.hydra_admin.host }} {{ oidc_urls.hydra_public.host }}" + cmd: "/home/{{ ansible_user | default(ansible_env.USER) }}/.local/bin/mkcert -cert-file {{ hydra_cert_temp_dir.path }}/hydra.pem -key-file {{ hydra_cert_temp_dir.path }}/hydra.key.pem {{ oidc_urls.hydra_admin.host }} {{ oidc_urls.hydra_public.host }}" - name: Move Hydra certificate and key to target ansible.builtin.copy: @@ -85,8 +81,8 @@ mode: "{{ item.mode }}" remote_src: true loop: - - { src: hydra.pem, dest: "{{ hydra_tls.cert }}", mode: '0644' } - - { src: hydra.key.pem, dest: "{{ hydra_tls.key }}", mode: '0640' } + - {src: hydra.pem, dest: "{{ hydra_tls.cert }}", mode: '0644'} + - {src: hydra.key.pem, dest: "{{ hydra_tls.key }}", mode: '0640'} become: true - name: Remove temporary directory diff --git a/deployment/roles/hydra_server/templates/hydra.yml.j2 b/deployment/roles/hydra_server/templates/hydra.yml.j2 index de94340..98c6dbc 100644 
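Review bot: The mkcert invocation in `Create Hydra key and certificate` now hard-codes the home directory as `/home/{{ ansible_user | default(ansible_env.USER) }}`, which is wrong for any account whose home is not under /home (root, or a user created with a different `home:`), and `ansible_user` is the SSH login name rather than necessarily the home directory name. `{{ ansible_env.HOME }}/.local/bin/mkcert` expresses the intent directly, with the caveat that `ansible_env` describes the user facts were gathered as, so under a play with `become: true` both `ansible_env.USER` and `ansible_env.HOME` refer to root and the play-level become setting decides which form is right. The same construct is used in prepare_devtools/tasks/main.yml in this commit and in the oidc_idp tasks of PATCH 08.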
--- a/deployment/roles/hydra_server/templates/hydra.yml.j2 +++ b/deployment/roles/hydra_server/templates/hydra.yml.j2 @@ -4,7 +4,7 @@ serve: host: {{ oidc_urls.hydra_admin.address | default("localhost") }} port: {{ oidc_urls.hydra_admin.port | default("4445") }} public: - host: {{ oidc_urls.hydra_public.address | default("localhost") }} + host: {{ oidc_urls.hydra_public.address | default(ansible_default_ipv4.address) }} port: {{ oidc_urls.hydra_public.port | default("4444") }} tls: cert: diff --git a/deployment/roles/prepare_devtools/README.md b/deployment/roles/prepare_devtools/README.md new file mode 100644 index 0000000..f5bee91 --- /dev/null +++ b/deployment/roles/prepare_devtools/README.md @@ -0,0 +1,14 @@ +Role Name +========= + +Prepare development tools for the CAcert OIDC setup. + +License +------- + +GPL-2.0-or-later + +Author Information +------------------ + +Jan Dittberner diff --git a/deployment/roles/prepare_devtools/defaults/main.yml b/deployment/roles/prepare_devtools/defaults/main.yml new file mode 100644 index 0000000..63680a6 --- /dev/null +++ b/deployment/roles/prepare_devtools/defaults/main.yml @@ -0,0 +1,3 @@ +--- +mkcert_version: v1.4.4 +mkcert_checksum: 6d31c65b03972c6dc4a14ab429f2928300518b26503f58723e532d1b0a3bbb52 diff --git a/deployment/roles/prepare_devtools/meta/main.yml b/deployment/roles/prepare_devtools/meta/main.yml new file mode 100644 index 0000000..578ebf2 --- /dev/null +++ b/deployment/roles/prepare_devtools/meta/main.yml @@ -0,0 +1,19 @@ +--- +galaxy_info: + author: Jan Dittberner + description: Prepare development tools for the CAcert OIDC setup. + company: CAcert + + license: GPL-2.0-or-later + + min_ansible_version: 2.1 + + platforms: + - name: Debian + versions: + - bullseye + - bookworm + + galaxy_tags: [] + +dependencies: [] diff --git a/deployment/roles/prepare_devtools/tasks/main.yml b/deployment/roles/prepare_devtools/tasks/main.yml new file mode 100644 index 0000000..7f6506f --- /dev/null 
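Review bot: The public listener now defaults to `ansible_default_ipv4.address`, which binds Hydra's public API to the host's primary interface whenever the inventory does not set `oidc_urls.hydra_public.address`; that is right for the Vagrant box (the port is forwarded from the host) but turns a previously loopback-only default into a network-exposed one for every host that forgets the key, and the expression errors when facts were not gathered or the host has no default route. Consider keeping `"localhost"` as the template default and setting `address:` explicitly in host_vars/oidcbox.yml, mirroring the `address: localhost` this commit adds to host_vars/localhost.yml. In prepare_devtools/defaults/main.yml, `mkcert_checksum` is unquoted while `hydra_checksum` is quoted; a hex digest that happens to be all digits would be read as an integer, so quoting it keeps the two consistent.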
+++ b/deployment/roles/prepare_devtools/tasks/main.yml @@ -0,0 +1,28 @@ +--- +- name: Create .local/bin for ansible user + ansible.builtin.file: + path: "/home/{{ ansible_user | default(ansible_env.USER) }}/.local/bin" + state: directory + owner: "{{ ansible_user | default(ansible_env.USER) }}" + group: "{{ ansible_user | default(ansible_env.USER) }}" + mode: "0750" + +- name: Prepare mkcert + block: + + - name: Download mkcert binary + ansible.builtin.get_url: + url: "https://github.com/FiloSottile/mkcert/releases/download/{{ mkcert_version }}/mkcert-{{ mkcert_version }}-linux-amd64" + dest: "/home/{{ ansible_user | default(ansible_env.USER) }}/.local/bin/mkcert" + checksum: "sha256:{{ mkcert_checksum }}" + owner: "{{ ansible_user | default(ansible_env.USER) }}" + group: "{{ ansible_user | default(ansible_env.USER) }}" + mode: "0750" + + - name: Install mkcert CA + ansible.builtin.command: + cmd: "/home/{{ ansible_user | default(ansible_env.USER) }}/.local/bin/mkcert -install" + changed_when: false + + when: use_mkcert + become: false From fe7d96c8d5a6d69b481980a02d51eeeb3a63be28 Mon Sep 17 00:00:00 2001 From: Jan Dittberner Date: Thu, 18 Aug 2022 12:26:43 +0200 Subject: [PATCH 06/33] Reload Hydra when configuration changes --- deployment/roles/hydra_server/tasks/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/deployment/roles/hydra_server/tasks/main.yml b/deployment/roles/hydra_server/tasks/main.yml index a474f50..c144888 100644 --- a/deployment/roles/hydra_server/tasks/main.yml +++ b/deployment/roles/hydra_server/tasks/main.yml @@ -53,6 +53,7 @@ owner: root group: "{{ hydra_os_group }}" mode: '0640' + notify: hydra_systemd_reload - name: Check whether certificate exists ansible.builtin.stat: From e631cf7072dbc3e922bd53168d881014d479a94c Mon Sep 17 00:00:00 2001 
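Review bot: `when: use_mkcert` on the `Prepare mkcert` block references a variable that only hydra_server's defaults and the two dev host_vars files define, and the play applying this role (`hosts: all` in 01_install_cacert_oidc.yml) does not load hydra_server's defaults, so any host without `use_mkcert` in its inventory fails with an undefined-variable error instead of skipping; `when: use_mkcert | default(false)` or a `use_mkcert: false` entry in prepare_devtools/defaults/main.yml fixes that. `Install mkcert CA` also installs a locally generated root CA into the user's (and, where it can, the system's) trust stores, which is a trust-store change worth surfacing rather than hiding with `changed_when: false`; a `creates:` keyed on mkcert's CA root file (presumably `~/.local/share/mkcert/rootCA.pem`, the default CAROOT on Linux — confirm) makes the task idempotent and still reports the first run as changed.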
From: Jan Dittberner Date: Thu, 18 Aug 2022 12:28:01 +0200 Subject: [PATCH 07/33] Add certificate paths for CAcert applications --- deployment/host_vars/localhost.yml | 12 ++++++++++++ deployment/host_vars/oidcbox.yml | 12 ++++++++++++ 2 files changed, 24 insertions(+) diff --git a/deployment/host_vars/localhost.yml b/deployment/host_vars/localhost.yml index 835cab3..44f326f 100644 --- a/deployment/host_vars/localhost.yml +++ b/deployment/host_vars/localhost.yml @@ -11,6 +11,18 @@ hydra_tls: # different random values encrypted via ansible-vault hydra_system_secret: "AczA+NZ25Ye9eAreglv5bo9XcND6uwBQHVUYCvPfwXo=" +idp_tls: + cert: "{{ cacert_home }}/etc/login.cacert.localhost.pem" + key: "{{ cacert_home }}/etc/login.cacert.localhost-key.pem" + +register_tls: + cert: "{{ cacert_home }}/etc/register.cacert.localhost.pem" + key: "{{ cacert_home }}/etc/register.cacert.localhost-key.pem" + +demoapp_tls: + cert: "{{ cacert_home }}/etc/app.cacert.localhost.pem" + key: "{{ cacert_home }}/etc/app.cacert.localhost-key.pem" + oidc_urls: hydra_admin: host: hydra.cacert.localhost diff --git a/deployment/host_vars/oidcbox.yml b/deployment/host_vars/oidcbox.yml index ba93a1d..0c987fd 100644 --- a/deployment/host_vars/oidcbox.yml +++ b/deployment/host_vars/oidcbox.yml @@ -11,6 +11,18 @@ hydra_tls: # different random values encrypted via ansible-vault hydra_system_secret: "AczA+NZ25Ye9eAreglv5bo9XcND6uwBQHVUYCvPfwXo=" +idp_tls: + cert: "{{ cacert_home }}/etc/login.cacert.localhost.pem" + key: "{{ cacert_home }}/etc/login.cacert.localhost-key.pem" + +register_tls: + cert: "{{ cacert_home }}/etc/register.cacert.localhost.pem" + key: "{{ cacert_home }}/etc/register.cacert.localhost-key.pem" + +demoapp_tls: + cert: "{{ cacert_home }}/etc/app.cacert.localhost.pem" + key: "{{ cacert_home }}/etc/app.cacert.localhost-key.pem" + oidc_urls: hydra_admin: host: hydra.cacert.localhost From 2bfa2101409d7840c8ffb6b4caf15dbbdaa42cb5 Mon Sep 17 00:00:00 2001 
From: Jan Dittberner Date: Fri, 19 Aug 2022 16:40:52 +0200 Subject: [PATCH 08/33] Add oidc_idp role - Deploy cacert-idp from oidc_idp subdirectory - configure systemd and start cacert-idp service --- deployment/roles/oidc_idp/README.md | 25 +--- deployment/roles/oidc_idp/defaults/main.yml | 4 +- deployment/roles/oidc_idp/handlers/main.yml | 7 +- deployment/roles/oidc_idp/meta/main.yml | 55 ++------- deployment/roles/oidc_idp/tasks/main.yml | 111 +++++++++++++++++- .../oidc_idp/templates/cacert-idp.service.j2 | 14 +++ .../oidc_idp/templates/idp_config.toml.j2 | 2 + 7 files changed, 148 insertions(+), 70 deletions(-) create mode 100644 deployment/roles/oidc_idp/templates/cacert-idp.service.j2 create mode 100644 deployment/roles/oidc_idp/templates/idp_config.toml.j2 diff --git a/deployment/roles/oidc_idp/README.md b/deployment/roles/oidc_idp/README.md index 225dd44..976afdb 100644 --- a/deployment/roles/oidc_idp/README.md +++ b/deployment/roles/oidc_idp/README.md 
@@ -1,38 +1,19 @@ Role Name ========= -A brief description of the role goes here. - -Requirements ------------- - -Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required. +Setup the CAcert OpenID Connect identity provider application. Role Variables -------------- A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well. -Dependencies ------------- - -A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles. - -Example Playbook ----------------- - -Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too: - - - hosts: servers - roles: - - { role: username.rolename, x: 42 } - License ------- -BSD +GPL-2.0-or-later Author Information ------------------ -An optional section for the role authors to include contact information, or a website (HTML is not allowed). +Jan Dittberner diff --git a/deployment/roles/oidc_idp/defaults/main.yml b/deployment/roles/oidc_idp/defaults/main.yml index 3f81055..58205fb 100644 --- a/deployment/roles/oidc_idp/defaults/main.yml +++ b/deployment/roles/oidc_idp/defaults/main.yml @@ -1,2 +1,4 @@ --- -# defaults file for roles/oidc_idp +cacert_os_user: cacert +cacert_os_group: cacert +cacert_home: /srv/cacert diff --git a/deployment/roles/oidc_idp/handlers/main.yml b/deployment/roles/oidc_idp/handlers/main.yml index abef7bb..0901f0e 100644 --- a/deployment/roles/oidc_idp/handlers/main.yml 
+++ b/deployment/roles/oidc_idp/handlers/main.yml @@ -1,2 +1,7 @@ --- -# handlers file for roles/oidc_idp +- name: idp_systemd_reload + ansible.builtin.systemd: + state: started + name: cacert-idp + daemon_reload: true + enabled: true diff --git a/deployment/roles/oidc_idp/meta/main.yml b/deployment/roles/oidc_idp/meta/main.yml index c572acc..1f76312 100644 --- a/deployment/roles/oidc_idp/meta/main.yml +++ b/deployment/roles/oidc_idp/meta/main.yml 
@@ -1,52 +1,17 @@ +--- galaxy_info: - author: your name - description: your role description - company: your company (optional) + author: Jan Dittberner + description: CAcert OpenID Connect identity provider application setup + company: CAcert - # If the issue tracker for your role is not on github, uncomment the - # next line and provide a value - # issue_tracker_url: http://example.com/issue/tracker - - # Choose a valid license ID from https://spdx.org - some suggested licenses: - # - BSD-3-Clause (default) - # - MIT - # - GPL-2.0-or-later - # - GPL-3.0-only - # - Apache-2.0 - # - CC-BY-4.0 - license: license (GPL-2.0-or-later, MIT, etc) + license: GPL-2.0-or-later min_ansible_version: 2.1 - # If this a Container Enabled role, provide the minimum Ansible Container version. - # min_ansible_container_version: - - # - # Provide a list of supported platforms, and for each platform a list of versions. - # If you don't wish to enumerate all versions for a particular platform, use 'all'. - # To view available platforms and versions (or releases), visit: - # https://galaxy.ansible.com/api/v1/platforms/ - # - # platforms: - # - name: Fedora - # versions: - # - all - # - 25 - # - name: SomePlatform - # versions: - # - all - # - 1.0 - # - 7 - # - 99.99 + platforms: + - name: Debian + versions: + - bullseye + - bookworm galaxy_tags: [] - # List tags for your role here, one per line. A tag is a keyword that describes - # and categorizes the role. Users find roles by searching for tags. Be sure to - # remove the '[]' above, if you add tags to this list. - # - # NOTE: A tag is limited to a single word comprised of alphanumeric characters. - # Maximum 20 tags per role. - -dependencies: [] - # List your role dependencies here, one per line. Be sure to remove the '[]' above, - # if you add dependencies to this list. diff --git a/deployment/roles/oidc_idp/tasks/main.yml b/deployment/roles/oidc_idp/tasks/main.yml index 3ea98dc..6f022ba 100644 
--- a/deployment/roles/oidc_idp/tasks/main.yml +++ b/deployment/roles/oidc_idp/tasks/main.yml 
@@ -1,2 +1,111 @@ --- -# tasks file for roles/oidc_idp +- name: Create CAcert group + ansible.builtin.group: + name: "{{ cacert_os_group }}" + state: present + system: true + +- name: Create CAcert user + ansible.builtin.user: + name: "{{ cacert_os_user }}" + group: "{{ cacert_os_group }}" + home: "{{ cacert_home }}" + state: present + system: true + +- name: Create CAcert directories + ansible.builtin.file: + path: "{{ cacert_home }}/{{ item.path }}" + owner: "{{ cacert_os_user }}" + group: "{{ cacert_os_group }}" + mode: "{{ item.mode }}" + state: directory + loop: + - { path: etc, mode: '0750' } + - { path: bin, mode: '0750' } + - { path: download, mode: '0750' } + +- name: Copy IDP binary + ansible.builtin.copy: + src: ../oidc_idp/cacert-idp + dest: "{{ cacert_home }}/bin/cacert-idp" + owner: root + group: "{{ cacert_os_group }}" + mode: "0750" + +- name: Check whether certificate exists + ansible.builtin.stat: + path: "{{ idp_tls.cert }}" + register: idp_cert_st + +- name: Create IDP key and certificate with mkcert + block: + + - name: Create temporary directory for IDP key and certificate + ansible.builtin.tempfile: + prefix: "idp-cert." 
+ state: directory + register: idp_cert_temp_dir + + - name: Create IDP key and certificate + ansible.builtin.command: + cmd: "/home/{{ ansible_user | default(ansible_env.USER) }}/.local/bin/mkcert -cert-file {{ idp_cert_temp_dir.path }}/idp.pem -key-file {{ idp_cert_temp_dir.path }}/idp.key.pem {{ oidc_urls.idp.host }}" + + - name: Move IDP certificate and key to target + ansible.builtin.copy: + src: "{{ idp_cert_temp_dir.path }}/{{ item.src }}" + dest: "{{ item.dest }}" + owner: root + group: "{{ cacert_os_group }}" + mode: "{{ item.mode }}" + remote_src: true + loop: + - {src: idp.pem, dest: "{{ idp_tls.cert }}", mode: '0644'} + - {src: idp.key.pem, dest: "{{ idp_tls.key }}", mode: '0640'} + become: true + + - name: Remove temporary directory + ansible.builtin.file: + path: "{{ idp_cert_temp_dir.path }}" + state: absent + + when: use_mkcert and not idp_cert_st.stat.exists + become: false + +- name: Copy IDP key and certificate from inventory + block: + + - name: Copy IDP certificate + ansible.builtin.copy: + dest: "{{ idp_tls.cert }}" + owner: root + group: "{{ cacert_os_group }}" + mode: '0644' + content: "{{ idp_tls.certdata }}" + + - name: Copy IDP key + ansible.builtin.copy: + dest: "{{ idp_tls.key }}" + owner: root + group: "{{ cacert_os_group }}" + mode: '0640' + content: "{{ idp_tls.keydata }}" + + when: not use_mkcert +- name: Create IDP configuration + ansible.builtin.template: + src: idp_config.toml.j2 + dest: "{{ cacert_home }}/etc/cacert-idp.toml" + owner: root + group: "{{ cacert_os_group }}" + mode: '0640' + notify: idp_systemd_reload + +- name: Create IDP systemd unit file + ansible.builtin.template: + src: cacert-idp.service.j2 + dest: /etc/systemd/system/cacert-idp.service + owner: root + group: root + mode: "0640" + notify: idp_systemd_reload diff --git a/deployment/roles/oidc_idp/templates/cacert-idp.service.j2 b/deployment/roles/oidc_idp/templates/cacert-idp.service.j2 new file mode 100644 index 0000000..e41f828 --- /dev/null 
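Review bot: The tasks that write the private key — `Move IDP certificate and key to target` for `idp.key.pem` and `Copy IDP key` with `content: "{{ idp_tls.keydata }}"` — run without `no_log: true`, so the key material is echoed in task output under `-v`/`--diff` and ends up in whatever collects the Ansible log. Add `no_log: true` to both key-writing tasks. `Remove temporary directory` is an ordinary task at the end of the mkcert block, so a failed mkcert or copy step leaves the freshly generated key in `{{ idp_cert_temp_dir.path }}`; move it into an `always:` section of the block. None of the certificate/key tasks carry `notify: idp_systemd_reload`, unlike the config template below them, so a re-issued certificate is written to disk but the handler is never triggered.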
+++ b/deployment/roles/oidc_idp/templates/cacert-idp.service.j2
@@ -0,0 +1,14 @@
+[Unit]
+Description=CAcert OpenID Connect identity provider
+After=network.target
+Documentation=https://code.cacert.org/cacert/oidc-idp
+
+[Service]
+ExecStart={{ cacert_home }}/bin/cacert-idp --conf "{{ cacert_home }}/etc/cacert-idp.toml"
+WorkingDirectory={{ cacert_home }}
+User={{ cacert_os_user }}
+Group={{ cacert_os_group }}
+
+[Install]
+WantedBy=multi-user.target
+
diff --git a/deployment/roles/oidc_idp/templates/idp_config.toml.j2 b/deployment/roles/oidc_idp/templates/idp_config.toml.j2
new file mode 100644
index 0000000..ddec0f4
--- /dev/null
+++ b/deployment/roles/oidc_idp/templates/idp_config.toml.j2
@@ -0,0 +1,2 @@
+[security]
+csrf.key = "{{ idp_csrf_key | default(lookup('community.general.random_string', length=32, base64=true)) }}"
From 4ebfa57dc9bd97c3c8eaa32b3dfa48444601f6e5 Mon Sep 17 00:00:00 2001
From: Jan Dittberner
Date: Fri, 19 Aug 2022 16:49:07 +0200
Subject: [PATCH 09/33] Update oidc_idp submodule
---
oidc_idp | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/oidc_idp b/oidc_idp
index 2affaa2..0effaaa 160000
--- a/oidc_idp
+++ b/oidc_idp
@@ -1 +1 @@
-Subproject commit 2affaa21506db92731685bc3ab67679604147243
+Subproject commit 0effaaa58675487ef89444245482977339f8a6ff
From e4b5a99147b57d69502e0561c82209514dd492d6 Mon Sep 17 00:00:00 2001
From: Jan Dittberner
Date: Mon, 22 Aug 2022 18:52:28 +0200
Subject: [PATCH 10/33] Use self-contained cacert-idp build
---
oidc_idp | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/oidc_idp b/oidc_idp
index 0effaaa..695f5ca 160000
--- a/oidc_idp
+++ b/oidc_idp
@@ -1 +1 @@
-Subproject commit 0effaaa58675487ef89444245482977339f8a6ff
+Subproject commit 695f5cae6be3171528ff8398af64bd47c112bb88
From f9ad2ba2b5f6d8ffca79df6c4f4b30a1f2f9d290 Mon Sep 17 00:00:00 2001
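Review bot: The unit runs a network-facing TLS service as `{{ cacert_os_user }}` but carries no sandboxing directives, so a compromised process has the full filesystem and privilege-escalation surface of that user; add `NoNewPrivileges=true`, `PrivateTmp=true` and `ProtectSystem=strict` (with `ReadWritePaths=` for whatever the binary must write under `{{ cacert_home }}`, which the role's directory layout suggests is little). There is also no `Restart=on-failure`, so a crash leaves the login/consent endpoint down until someone notices. Whether `ProtectHome=` can be used depends on where `cacert_home` lives, which this hunk does not show.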
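Review bot: `csrf.key` falls back to `lookup('community.general.random_string', ...)`, which is evaluated on the controller every time the template renders, so whenever `idp_csrf_key` is unset each playbook run rewrites `cacert-idp.toml` with a new key, fires the reload handler and invalidates every outstanding CSRF token. The value is never persisted, so two hosts or two runs never agree either. Generate the secret once — for example require `idp_csrf_key` from an ansible-vault-encrypted var and fail early with `ansible.builtin.assert` when it is missing — instead of defaulting to a throwaway value. A comment above the line, `# csrf.key must be stable across runs; set idp_csrf_key in vaulted host_vars`, would document the expectation.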
From: Jan Dittberner Date: Mon, 22 Aug 2022 18:52:47 +0200 Subject: [PATCH 11/33] Finish IDP setup --- deployment/group_vars/authserver.yml | 40 +++++++++++++++++++ deployment/host_vars/localhost.yml | 4 -- deployment/host_vars/oidcbox.yml | 4 -- deployment/roles/oidc_idp/tasks/main.yml | 13 +++++- .../oidc_idp/templates/idp_config.toml.j2 | 10 +++++ deployment/roles/oidc_idp/vars/main.yml | 5 ++- 6 files changed, 65 insertions(+), 11 deletions(-) create mode 100644 deployment/group_vars/authserver.yml diff --git a/deployment/group_vars/authserver.yml b/deployment/group_vars/authserver.yml new file mode 100644 index 0000000..043cada --- /dev/null +++ b/deployment/group_vars/authserver.yml 
@@ -0,0 +1,40 @@ +--- +# defaults to CAcert class 3 certificate +idp: + client_certificate_data: | + -----BEGIN CERTIFICATE----- + MIIGPTCCBCWgAwIBAgIDFOIoMA0GCSqGSIb3DQEBDQUAMHkxEDAOBgNVBAoTB1Jv + b3QgQ0ExHjAcBgNVBAsTFWh0dHA6Ly93d3cuY2FjZXJ0Lm9yZzEiMCAGA1UEAxMZ + Q0EgQ2VydCBTaWduaW5nIEF1dGhvcml0eTEhMB8GCSqGSIb3DQEJARYSc3VwcG9y + dEBjYWNlcnQub3JnMB4XDTIxMDQxOTEyMTgzMFoXDTMxMDQxNzEyMTgzMFowVDEU + MBIGA1UEChMLQ0FjZXJ0IEluYy4xHjAcBgNVBAsTFWh0dHA6Ly93d3cuQ0FjZXJ0 + Lm9yZzEcMBoGA1UEAxMTQ0FjZXJ0IENsYXNzIDMgUm9vdDCCAiIwDQYJKoZIhvcN + AQEBBQADggIPADCCAgoCggIBAKtJNRFIfNImflOUz0Op3SjXQiqL84d4GVh8D57a + iX3h++tykA10oZZkq5+gJJlz2uJVdscXe/UErEa4w75/ZI0QbCTzYZzA8pD6Ueb1 + aQFjww9W4kpCz+JEjCUoqMV5CX1GuYrz6fM0KQhF5Byfy5QEHIGoFLOYZcRD7E6C + jQnRvapbjZLQ7N6QxX8KwuPr5jFaXnQ+lzNZ6MMDPWAzv/fRb0fEze5ig1JuLgia + pNkVGJGmhZJHsK5I6223IeyFGmhyNav/8BBdwPSUp2rVO5J+TJAFfpPBLIukjmJ0 + FXFuC3ED6q8VOJrU0gVyb4z5K+taciX5OUbjchs+BMNkJyIQKopPWKcDrb60LhPt + XapI19V91Cp7XPpGBFDkzA5CW4zt2/LP/JaT4NsRNlRiNDiPDGCbO5dWOK3z0luL + oFvqTpa4fNfVoIZwQNORKbeiPK31jLvPGpKK5DR7wNhsX+kKwsOnIJpa3yxdUly6 + R9Wb7yQocDggL9V/KcCyQQNokszgnMyXS0XvOhAKq3A6mJVwrTWx6oUrpByAITGp + rmB6gCZIALgBwJNjVSKRPFbnr9s6JfOPMVTqJouBWfmh0VMRxXudA/Z0EeBtsSw/ + LIaRmXGapneLNGDRFLQsrJ2vjBDTn8Rq+G8T/HNZ92ZCdB6K4/jc0m+YnMtHmJVA + BfvpAgMBAAGjgfIwge8wDwYDVR0TAQH/BAUwAwEB/zBhBggrBgEFBQcBAQRVMFMw + IwYIKwYBBQUHMAGGF2h0dHA6Ly9vY3NwLkNBY2VydC5vcmcvMCwGCCsGAQUFBzAC + hiBodHRwOi8vd3d3LkNBY2VydC5vcmcvY2xhc3MzLmNydDBFBgNVHSAEPjA8MDoG + CysGAQQBgZBKAgMBMCswKQYIKwYBBQUHAgEWHWh0dHA6Ly93d3cuQ0FjZXJ0Lm9y + Zy9jcHMucGhwMDIGA1UdHwQrMCkwJ6AloCOGIWh0dHBzOi8vd3d3LmNhY2VydC5v + cmcvY2xhc3MzLmNybDANBgkqhkiG9w0BAQ0FAAOCAgEAxh6td1y0KJvRyI1EEsC9 + dnYEgyEH+BGCf2vBlULAOBG1JXCNiwzB1Wz9HBoDfIv4BjGlnd5BKdSLm4TXPcE3 + hnGjH1thKR5dd3278K25FRkTFOY1gP+mGbQ3hZRB6IjDX+CyBqS7+ECpHTms7eo/ + mARN+Yz5R3lzUvXs3zSX+z534NzRg4i6iHNHWqakFcQNcA0PnksTB37vGD75pQGq + eSmx51L6UzrIpn+274mhsaFNL85jhX+lKuk71MGjzwoThbuZ15xmkITnZtRQs6Hh + 
LSIqJWjDILIrxLqYHehK71xYwrRNhFb3TrsWaEJskrhveM0Os/vvoLNkh/L3iEQ5 + /LnmLMCYJNRALF7I7gsduAJNJrgKGMYvHkt1bo8uIXO8wgNV7qoU4JoaB1ML30QU + qGcFr0TI06FFdgK2fwy5hulPxm6wuxW0v+iAtXYx/mRkwQpYbcVQtrIDvx1CT1k5 + 0cQxi+jIKjkcFWHw3kBoDnCos0/ukegPT7aQnk2AbL4c7nCkuAcEKw1BAlSETkfq + i5btdlhh58MhewZv1LcL5zQyg8w1puclT3wXQvy8VwPGn0J/mGD4gLLZ9rGcHDUE + CokxFoWk+u5MCcVqmGbsyG4q5suS3CNslsHURfM8bQK4oLvHR8LCHEBMRcdFBn87 + cSvOK6eB1kdGKLA8ymXxZp8= + -----END CERTIFICATE----- diff --git a/deployment/host_vars/localhost.yml b/deployment/host_vars/localhost.yml index 44f326f..52104d1 100644 --- a/deployment/host_vars/localhost.yml +++ b/deployment/host_vars/localhost.yml @@ -11,10 +11,6 @@ hydra_tls: # different random values encrypted via ansible-vault hydra_system_secret: "AczA+NZ25Ye9eAreglv5bo9XcND6uwBQHVUYCvPfwXo=" -idp_tls: - cert: "{{ cacert_home }}/etc/login.cacert.localhost.pem" - key: "{{ cacert_home }}/etc/login.cacert.localhost-key.pem" - register_tls: cert: "{{ cacert_home }}/etc/register.cacert.localhost.pem" key: "{{ cacert_home }}/etc/register.cacert.localhost-key.pem" diff --git a/deployment/host_vars/oidcbox.yml b/deployment/host_vars/oidcbox.yml index 0c987fd..76330ea 100644 --- a/deployment/host_vars/oidcbox.yml +++ b/deployment/host_vars/oidcbox.yml @@ -11,10 +11,6 @@ hydra_tls: # different random values encrypted via ansible-vault hydra_system_secret: "AczA+NZ25Ye9eAreglv5bo9XcND6uwBQHVUYCvPfwXo=" -idp_tls: - cert: "{{ cacert_home }}/etc/login.cacert.localhost.pem" - key: "{{ cacert_home }}/etc/login.cacert.localhost-key.pem" - register_tls: cert: "{{ cacert_home }}/etc/register.cacert.localhost.pem" key: "{{ cacert_home }}/etc/register.cacert.localhost-key.pem" diff --git a/deployment/roles/oidc_idp/tasks/main.yml b/deployment/roles/oidc_idp/tasks/main.yml index 6f022ba..32e1070 100644 --- a/deployment/roles/oidc_idp/tasks/main.yml +++ b/deployment/roles/oidc_idp/tasks/main.yml 
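Review bot: The only documentation of this 40-line PEM blob is `# defaults to CAcert class 3 certificate`; decoding the subject and validity shows it is the `CAcert Class 3 Root` certificate valid 2021-04-19 to 2031-04-17, and since this patch feeds `idp.client_certificate_data` into `client.ca-file` it presumably acts as the trust anchor for client-certificate login, so any certificate issued under that CA passes TLS verification and the identity decision is left to the application. Put that in the comment, e.g. `# Client-cert trust anchor: CAcert Class 3 Root (expires 2031-04-17). Any cert issued under it passes TLS verification; identity mapping is done by the IDP.`, and note the expiry so the bundle is rotated in time. As a group var it will apply to every host in `authserver`; document how a staging or production deployment overrides it.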
@@ -81,7 +81,7 @@ owner: root group: "{{ cacert_os_group }}" mode: '0644' - content: "{{ idp_tls.certdata }}" + content: "{{ idp.server_certificate_data }}" - name: Copy IDP key ansible.builtin.copy: @@ -89,9 +89,18 @@ owner: root group: "{{ cacert_os_group }}" mode: '0640' - content: "{{ idp_tls.keydata }}" + content: "{{ idp.server_key_data }}" when: not use_mkcert + +- name: Copy client CA certificates + ansible.builtin.copy: + dest: "{{ idp_tls.client_cas }}" + owner: root + group: "{{ cacert_os_group }}" + mode: '0640' + content: "{{ idp.client_certificate_data }}" + - name: Create IDP configuration ansible.builtin.template: src: idp_config.toml.j2 diff --git a/deployment/roles/oidc_idp/templates/idp_config.toml.j2 b/deployment/roles/oidc_idp/templates/idp_config.toml.j2 index ddec0f4..15ecba1 100644 --- a/deployment/roles/oidc_idp/templates/idp_config.toml.j2 +++ b/deployment/roles/oidc_idp/templates/idp_config.toml.j2 @@ -1,2 +1,12 @@ [security] csrf.key = "{{ idp_csrf_key | default(lookup('community.general.random_string', length=32, base64=true)) }}" +client.ca-file = "{{ idp_tls.client_cas }}" + +[server] +name = "{{ oidc_urls.idp.address | default(ansible_default_ipv4.address) }}" +port = {{ oidc_urls.idp.address | default("3000") }} +certificate = "{{ idp_tls.cert }}" +key = "{{ idp_tls.key }}" + +[admin] +url = "https://{{ oidc_urls.hydra_admin.address | default("localhost") }}:{{ oidc_urls.hydra_admin.port | default("3000") }}" diff --git a/deployment/roles/oidc_idp/vars/main.yml b/deployment/roles/oidc_idp/vars/main.yml index 7533e99..0dc4e9f 100644 --- a/deployment/roles/oidc_idp/vars/main.yml +++ b/deployment/roles/oidc_idp/vars/main.yml @@ -1,2 +1,5 @@ --- -# vars file for roles/oidc_idp +idp_tls: + cert: "{{ cacert_home }}/etc/{{ oidc_urls.idp.host }}.pem" + key: "{{ cacert_home }}/etc/{{ oidc_urls.idp.host }}-key.pem" + client_cas: "{{ cacert_home }}/etc/{{ oidc_urls.idp.host }}-client-cas.pem" 
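Review bot: `Copy client CA certificates` — and the certificate/key copy tasks changed just above it — has no `notify: idp_systemd_reload`, whereas the `Create IDP configuration` task right after it does, so a rotated client CA bundle or server certificate is written to disk but the running IDP keeps using the old one. Add `notify: idp_systemd_reload` to the three copy tasks. `Copy IDP key` still writes `idp.server_key_data` without `no_log: true`, so renaming the variable does not stop the key from being echoed in verbose or `--diff` output. `mode: '0640'` on a public CA bundle is harmless but inconsistent with the `0644` used for the server certificate.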
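Review bot: `port = {{ oidc_urls.idp.address | default("3000") }}` reads `.address` where it must read `.port`, so as soon as `oidc_urls.idp.address` is set the port is rendered as a hostname or IP and the TOML is invalid, and with it unset `oidc_urls.idp.port` is silently ignored; change it to `port = {{ oidc_urls.idp.port | default("3000") }}`. `name` defaults to `ansible_default_ipv4.address` while `certificate` is issued by mkcert for `oidc_urls.idp.host`, so a bare-IP name will not match the certificate SAN if the application advertises itself by it — defaulting to `oidc_urls.idp.host` or a comment explaining the difference would help. `[admin] url` defaults the Hydra admin port to `3000`, the same fallback as this server's own port; Hydra's admin API conventionally listens on 4445, so the defaults should at least differ.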
From 020869b4c36be2cb899add0820db0f2fbbbcb86f Mon Sep 17 00:00:00 2001 From: Jan Dittberner Date: Mon, 26 Sep 2022 10:19:49 +0200 Subject: [PATCH 12/33] Start documentation of vagrant setup --- README.md | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/README.md b/README.md index d86f5a8..4905ac3 100644 --- a/README.md +++ b/README.md @@ -39,6 +39,7 @@ export PATH=$HOME/.local/bin:$PATH Use `make` to build the web app resources and applications: ```shell +go install github.com/nicksnyder/go-i18n/v2/goi18n@latest make ``` @@ -50,3 +51,11 @@ cd deployment ansible-playbook 01_install_cacert_oidc.yml ``` +## Vagrant setup + +```shell +sudo apt install vagrant-libvirt virt-manager libvirt-clients +vagrant up +vagrant ssh -- cat .local/share/mkcert/rootCA.pem | sudo tee /usr/local/share/ca-certificates/mkcert-vagrant-oidc.crt +sudo update ca-certificates +``` From 3d221b00dff0a0281490229b6a4d7c2224b75608 Mon Sep 17 00:00:00 2001 From: Jan Dittberner Date: Mon, 21 Nov 2022 17:15:10 +0100 Subject: [PATCH 13/33] Update submodule versions --- oidc_app | 2 +- oidc_idp | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/oidc_app b/oidc_app index 294f237..f980c1a 160000 --- a/oidc_app +++ b/oidc_app @@ -1 +1 @@ -Subproject commit 294f2372e1c6bcb65a614e498ff127d3e032345c +Subproject commit f980c1acc3f01f40dfea739a7433cb83fed53d98 diff --git a/oidc_idp b/oidc_idp index 695f5ca..2ccbb5d 160000 --- a/oidc_idp +++ b/oidc_idp @@ -1 +1 @@ -Subproject commit 695f5cae6be3171528ff8398af64bd47c112bb88 +Subproject commit 2ccbb5dd1090bd9312ed903d4ec7151e9870e5a1 From 7d04c6b2baae6310de2260a9650926b5980991d3 Mon Sep 17 00:00:00 2001 From: Jan Dittberner Date: Fri, 25 Nov 2022 06:59:45 +0000 Subject: [PATCH 14/33] Remove double "setup" --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 4905ac3..539c4cf 100644 --- a/README.md +++ b/README.md 
@@ -18,7 +18,7 @@ git config submodule.recurse true - build CAcert web application resources - setup IDP (provides login and consent screens) - setup demo application -- setup setup OpenID Connect client registration application +- setup OpenID Connect client registration application ## Local development setup From 68a4d4398fda90e584bd2c228393078a638eb8a3 Mon Sep 17 00:00:00 2001 From: Jan Dittberner Date: Sat, 13 May 2023 13:28:09 +0200 Subject: [PATCH 15/33] Update to latest oidc_idp --- oidc_idp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/oidc_idp b/oidc_idp index 2ccbb5d..2c82ccb 160000 --- a/oidc_idp +++ b/oidc_idp @@ -1 +1 @@ -Subproject commit 2ccbb5dd1090bd9312ed903d4ec7151e9870e5a1 +Subproject commit 2c82ccb324ed370c05bbb874d0cd88f03cd8aa4e From f0447bdb5c555a2ab73dc1c1b248952d850a27db Mon Sep 17 00:00:00 2001 From: Jan Dittberner Date: Mon, 15 May 2023 16:48:05 +0200 Subject: [PATCH 16/33] Update oidc_idp reference commit --- oidc_idp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/oidc_idp b/oidc_idp index 2c82ccb..9fad7ef 160000 --- a/oidc_idp +++ b/oidc_idp @@ -1 +1 @@ -Subproject commit 2c82ccb324ed370c05bbb874d0cd88f03cd8aa4e +Subproject commit 9fad7ef3a660025e00efb5d4d95f9645d8210973 From 0d0c05c233969111e60d131229a3f5dc345643b2 Mon Sep 17 00:00:00 2001 From: Jan Dittberner Date: Sat, 20 May 2023 12:09:16 +0200 Subject: [PATCH 17/33] Update to latest cacert_resources --- cacert_resources | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cacert_resources b/cacert_resources index ad14916..d39547c 160000 --- a/cacert_resources +++ b/cacert_resources @@ -1 +1 @@ -Subproject commit ad14916ba5ca4e89b3f97b7d22be0321d35ae4f9 +Subproject commit d39547c40b7a877119f037ed198b534b1ccadc77 From 0a67537054f6538dab3e861a97c20081168d0774 Mon Sep 17 00:00:00 2001 
From: Brian McCullough Date: Sat, 17 Jun 2023 20:10:03 -0400 Subject: [PATCH 18/33] Updated ansible-playbook command to accept a password at the command prompt. --- README.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/README.md b/README.md index 539c4cf..c7ee83e 100644 --- a/README.md +++ b/README.md @@ -51,6 +51,14 @@ cd deployment ansible-playbook 01_install_cacert_oidc.yml ``` +Note: If ansible-playbook fails early in the process with "sudo: a password is required," +then confirm that your user has sudo privileges and execute that command like + +```shell +ansible-playbook -K 01_install_cacert_oidc.yml +``` + + ## Vagrant setup ```shell From 91bfc4b81b4e50feb967c5dce5bdcb08ff8c460d Mon Sep 17 00:00:00 2001 From: Brian McCullough Date: Mon, 19 Jun 2023 08:19:18 -0400 Subject: [PATCH 19/33] Corrected typo in last line of README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index c7ee83e..1426e56 100644 --- a/README.md +++ b/README.md @@ -65,5 +65,5 @@ ansible-playbook -K 01_install_cacert_oidc.yml sudo apt install vagrant-libvirt virt-manager libvirt-clients vagrant up vagrant ssh -- cat .local/share/mkcert/rootCA.pem | sudo tee /usr/local/share/ca-certificates/mkcert-vagrant-oidc.crt -sudo update ca-certificates +sudo update-ca-certificates ``` From f64476a1768b1d511e340f7be29b19dad1663f87 Mon Sep 17 00:00:00 2001 From: Jan Dittberner Date: Mon, 19 Jun 2023 18:30:10 +0200 Subject: [PATCH 20/33] Update cacert_resources ref commit --- cacert_resources | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cacert_resources b/cacert_resources index d39547c..28347cb 160000 --- a/cacert_resources +++ b/cacert_resources @@ -1 +1 @@ -Subproject commit d39547c40b7a877119f037ed198b534b1ccadc77 +Subproject commit 28347cb3dfc8cf67a17640e2ea0ebff396c0e530 From 4023cfc718dfbbad5d10d0b0782192214dd9fff9 Mon Sep 17 00:00:00 2001 
From: Jan Dittberner Date: Mon, 19 Jun 2023 19:46:25 +0200 Subject: [PATCH 21/33] Update to Debian 12 Bookworm - improve README.md add test scenarios - update Vagrant setup to Debian 12 - update dependency installation to be compatible with Debian 12 - use mkcert from Debian 12 package --- README.md | 72 +++++++++++++++---- Vagrantfile | 6 +- deployment/01_install_cacert_oidc.yml | 4 +- deployment/roles/hydra_server/tasks/main.yml | 2 +- deployment/roles/oidc_idp/tasks/main.yml | 2 +- .../roles/prepare_devtools/defaults/main.yml | 3 - .../roles/prepare_devtools/tasks/main.yml | 23 ++---- 7 files changed, 73 insertions(+), 39 deletions(-) delete mode 100644 deployment/roles/prepare_devtools/defaults/main.yml diff --git a/README.md b/README.md index 1426e56..a8f80ea 100644 --- a/README.md +++ b/README.md 
@@ -14,35 +14,51 @@ git config submodule.recurse true ## Get started -- [setup Hydra](https://code.cacert.org/cacert/oidc-hydra-config/src/branch/main/README.md) -- build CAcert web application resources -- setup IDP (provides login and consent screens) -- setup demo application -- setup OpenID Connect client registration application - -## Local development setup - -Make sure you have the necessary prerequisites installed (tested on Debian 11 -Bullseye) and `~/.local/bin` is in your `$PATH` variable: +Make sure you have the necessary prerequisites installed (tested on Debian 12 +Bookworm) and `~/.local/bin` in your `$PATH` +variable: ```shell sudo apt update -sudo apt install make python3-pip python3-psycopg2 golang-go yarnpkg -python3 -m pip install --user -U pip -python3 -m pip install --user ansible +sudo apt install make mkcert python3-pip python3-venv golang-go yarnpkg +mkdir -p $HOME/.local/share/virtualenvs ~/.local/bin +python3 -m venv $HOME/.local/share/virtualenvs/ansible +$HOME/.local/share/virtualenvs/ansible/bin/pip install ansible +ln -s $HOME/.local/share/virtualenvs/ansible/bin/ansible* $HOME/.local/bin/ export PATH=$HOME/.local/bin:$PATH ``` *Note:* It is a good idea to put the `PATH` export line into your `.bashrc` or `.zshenv`. +### Build the applications + Use `make` to build the web app resources and applications: + ```shell go install github.com/nicksnyder/go-i18n/v2/goi18n@latest make ``` +## Deployment options + +There are two deployment options for the Hydra server and for the custom applications: + +1. local deployment +2. Vagrant deployment + +You only need one of these options. + +Both options use [ansible](https://docs.ansible.com/) to: + +- setup the Hydra authorization server +- setup IDP (provides login and consent screens) +- setup demo application +- setup OpenID Connect client registration application + +### Local deployment + Use `ansible-playbook` to deploy Hydra, IDP, Client registration and the demo application: 
@@ -58,8 +74,11 @@ then confirm that your user has sudo privileges and execute that command like ansible-playbook -K 01_install_cacert_oidc.yml ``` +### Vagrant setup -## Vagrant setup +You can also use [Vagrant](https://www.vagrantup.com/) with the +libvirt-provider. The included Vagrantfile is configured to apply the +ansible-playbook to the Vagrant managed virtual machine. ```shell sudo apt install vagrant-libvirt virt-manager libvirt-clients @@ -67,3 +86,28 @@ vagrant up vagrant ssh -- cat .local/share/mkcert/rootCA.pem | sudo tee /usr/local/share/ca-certificates/mkcert-vagrant-oidc.crt sudo update-ca-certificates ``` + +Note: You may also want to configure your browser to trust the CA certificate +in `/usr/local/share/ca-certificates/mkcert-vagrant-oidc.crt`. If you do not +add this trust configuration you will get browser warnings for an unknown +certificate authority. + +## Testing your local setup + +### Test the authorization server + +Request the OpenID connect auto discovery information from Hydra + +```shell +curl https://hydra.cacert.localhost:4444/.well-known/openid-configuration | python3 -m json.tool +``` + +This should give you a JSON document with information about the authorization server. + +### Test the identity provider + +Open +[https://login.cacert.localhost:3000/](https://login.cacert.localhost:3000/) +this should ask you for a CAcert class 3 client certificate and should render a +404 page with a CAcert logo. + diff --git a/Vagrantfile b/Vagrantfile index 93e3ec9..2c41041 100644 --- a/Vagrantfile +++ b/Vagrantfile @@ -2,7 +2,7 @@ # vi: set ft=ruby : Vagrant.configure("2") do |config| - config.vm.box = "generic/debian11" + config.vm.box = "debian/bookworm64" config.vm.define "oidcbox" 
@@ -15,7 +15,11 @@ Vagrant.configure("2") do |config| lv.memory = "2048" lv.cpus = 2 lv.machine_virtual_size = 10 + lv.memorybacking :access, :mode => "shared" end + + config.vm.synced_folder "./", "/vagrant", type: "virtiofs" + config.vm.provision "ansible" do |ansible| ansible.playbook = "deployment/01_install_cacert_oidc.yml" ansible.verbose = true diff --git a/deployment/01_install_cacert_oidc.yml b/deployment/01_install_cacert_oidc.yml index 1b7cc20..b826065 100644 --- a/deployment/01_install_cacert_oidc.yml +++ b/deployment/01_install_cacert_oidc.yml @@ -13,14 +13,14 @@ pre_tasks: - name: Install package python3-psycopg2 - ansible.builtin.package: + ansible.builtin.apt: name: python3-psycopg2 state: present # The ACL package is required to run commands as the postgres user # See https://docs.ansible.com/ansible-core/2.12/user_guide/become.html#risks-of-becoming-an-unprivileged-user - name: Install package acl - ansible.builtin.package: + ansible.builtin.apt: name: acl state: present diff --git a/deployment/roles/hydra_server/tasks/main.yml b/deployment/roles/hydra_server/tasks/main.yml index c144888..ad1d1df 100644 --- a/deployment/roles/hydra_server/tasks/main.yml +++ b/deployment/roles/hydra_server/tasks/main.yml @@ -71,7 +71,7 @@ - name: Create Hydra key and certificate ansible.builtin.command: - cmd: "/home/{{ ansible_user | default(ansible_env.USER) }}/.local/bin/mkcert -cert-file {{ hydra_cert_temp_dir.path }}/hydra.pem -key-file {{ hydra_cert_temp_dir.path }}/hydra.key.pem {{ oidc_urls.hydra_admin.host }} {{ oidc_urls.hydra_public.host }}" + cmd: "mkcert -cert-file {{ hydra_cert_temp_dir.path }}/hydra.pem -key-file {{ hydra_cert_temp_dir.path }}/hydra.key.pem {{ oidc_urls.hydra_admin.host }} {{ oidc_urls.hydra_public.host }}" - name: Move Hydra certificate and key to target ansible.builtin.copy: diff --git a/deployment/roles/oidc_idp/tasks/main.yml b/deployment/roles/oidc_idp/tasks/main.yml index 32e1070..202912c 100644 
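Review bot: Changing the command to a bare `mkcert` makes the task depend on the `$PATH` of whichever user the `command` module runs as (the sibling IDP role runs its mkcert block with `become: false`); now that the binary comes from the Debian package its location is known, so `cmd: "/usr/bin/mkcert -cert-file ..."` removes the ambiguity and the chance of picking up a stale `~/.local/bin/mkcert` from the previous download-based setup. The task still has no `changed_when`/`creates`, so it reports changed on every run in which its enclosing condition holds; that block starts outside the hunk.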
--- a/deployment/roles/oidc_idp/tasks/main.yml +++ b/deployment/roles/oidc_idp/tasks/main.yml @@ -49,7 +49,7 @@ - name: Create IDP key and certificate ansible.builtin.command: - cmd: "/home/{{ ansible_user | default(ansible_env.USER) }}/.local/bin/mkcert -cert-file {{ idp_cert_temp_dir.path }}/idp.pem -key-file {{ idp_cert_temp_dir.path }}/idp.key.pem {{ oidc_urls.idp.host }}" + cmd: "mkcert -cert-file {{ idp_cert_temp_dir.path }}/idp.pem -key-file {{ idp_cert_temp_dir.path }}/idp.key.pem {{ oidc_urls.idp.host }}" - name: Move IDP certificate and key to target ansible.builtin.copy: diff --git a/deployment/roles/prepare_devtools/defaults/main.yml b/deployment/roles/prepare_devtools/defaults/main.yml deleted file mode 100644 index 63680a6..0000000 --- a/deployment/roles/prepare_devtools/defaults/main.yml +++ /dev/null @@ -1,3 +0,0 @@ ---- -mkcert_version: v1.4.4 -mkcert_checksum: 6d31c65b03972c6dc4a14ab429f2928300518b26503f58723e532d1b0a3bbb52 diff --git a/deployment/roles/prepare_devtools/tasks/main.yml b/deployment/roles/prepare_devtools/tasks/main.yml index 7f6506f..b35e34f 100644 --- a/deployment/roles/prepare_devtools/tasks/main.yml +++ b/deployment/roles/prepare_devtools/tasks/main.yml 
@@ -1,27 +1,16 @@ --- -- name: Create .local/bin for ansible user - ansible.builtin.file: - path: "/home/{{ ansible_user | default(ansible_env.USER) }}/.local/bin" - state: directory - owner: "{{ ansible_user | default(ansible_env.USER) }}" - group: "{{ ansible_user | default(ansible_env.USER) }}" - mode: "0750" - - name: Prepare mkcert block: - - name: Download mkcert binary - ansible.builtin.get_url: - url: "https://github.com/FiloSottile/mkcert/releases/download/{{ mkcert_version }}/mkcert-{{ mkcert_version }}-linux-amd64" - dest: "/home/{{ ansible_user | default(ansible_env.USER) }}/.local/bin/mkcert" - checksum: "sha256:{{ mkcert_checksum }}" - owner: "{{ ansible_user | default(ansible_env.USER) }}" - group: "{{ ansible_user | default(ansible_env.USER) }}" - mode: "0750" + - name: Install mkcert + ansible.builtin.apt: + name: mkcert + update_cache: true + become: true - name: Install mkcert CA ansible.builtin.command: - cmd: "/home/{{ ansible_user | default(ansible_env.USER) }}/.local/bin/mkcert -install" + cmd: "mkcert -install" changed_when: false when: use_mkcert From 1d2630c0b7e5715b992ddfdc765a721830dea0f4 Mon Sep 17 00:00:00 2001 From: Jan Dittberner Date: Sat, 29 Jul 2023 22:29:19 +0200 Subject: [PATCH 22/33] Update submodules --- cacert_resources | 2 +- oidc_app | 2 +- oidc_idp | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/cacert_resources b/cacert_resources index 28347cb..c449873 160000 --- a/cacert_resources +++ b/cacert_resources @@ -1 +1 @@ -Subproject commit 28347cb3dfc8cf67a17640e2ea0ebff396c0e530 +Subproject commit c449873fd1d170a6928733e4a7e90c073499dcc2 diff --git a/oidc_app b/oidc_app index f980c1a..bc35b09 160000 --- a/oidc_app +++ b/oidc_app @@ -1 +1 @@ -Subproject commit f980c1acc3f01f40dfea739a7433cb83fed53d98 +Subproject commit bc35b0984f74d5abadfbff37589d1970d0119541 diff --git a/oidc_idp b/oidc_idp index 9fad7ef..962dd30 160000 --- a/oidc_idp +++ b/oidc_idp 
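Review bot: `mkcert -install` adds a locally generated root CA to the host's system trust store (and any NSS databases it finds), yet the task keeps `changed_when: false` and has no guard, so it reruns every time and never reports the trust-store change. Condition it on the CA not existing yet — register `mkcert -CAROOT`, `stat` the `rootCA.pem` there and run `-install` only when it is absent — and drop `changed_when: false` so the change is visible in the run summary. Dropping the pinned `mkcert_version`/sha256 pair is fine now that apt verifies the package signature, but say so in place: `# mkcert comes from the Debian 12 archive; apt signature verification replaces the former sha256 pin`. This is dev-only tooling behind `use_mkcert`; a comment should state that the generated root CA must never be installed on a host that also serves real traffic.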
@@ -1 +1 @@ -Subproject commit 9fad7ef3a660025e00efb5d4d95f9645d8210973 +Subproject commit 962dd30c6ad0a95be112227828af1657a30e294f From 92b657061423a7e0156dc2b7f7e49358237172d5 Mon Sep 17 00:00:00 2001 From: Jan Dittberner Date: Sat, 29 Jul 2023 22:29:52 +0200 Subject: [PATCH 23/33] Change default hostname for Hydra --- deployment/roles/oidc_idp/templates/idp_config.toml.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/deployment/roles/oidc_idp/templates/idp_config.toml.j2 b/deployment/roles/oidc_idp/templates/idp_config.toml.j2 index 15ecba1..0283eac 100644 --- a/deployment/roles/oidc_idp/templates/idp_config.toml.j2 +++ b/deployment/roles/oidc_idp/templates/idp_config.toml.j2 @@ -9,4 +9,4 @@ certificate = "{{ idp_tls.cert }}" key = "{{ idp_tls.key }}" [admin] -url = "https://{{ oidc_urls.hydra_admin.address | default("localhost") }}:{{ oidc_urls.hydra_admin.port | default("3000") }}" +url = "https://{{ oidc_urls.hydra_admin.address | default("hydra.cacert.localhost") }}:{{ oidc_urls.hydra_admin.port | default("3000") }}" From a74421a3779d74442086ba195905fc3e96761599 Mon Sep 17 00:00:00 2001 From: Brian McCullough Date: Sun, 6 Aug 2023 14:03:52 -0400 Subject: [PATCH 24/33] updated configuration and README --- README.md | 52 ++++++++++++++++++++++++++++++ deployment/host_vars/localhost.yml | 4 +-- deployment/host_vars/oidcbox.yml | 4 +-- 3 files changed, 56 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index a8f80ea..e5c00a6 100644 --- a/README.md +++ b/README.md 
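Review bot: The new fallback `hydra.cacert.localhost` only resolves where the playbook or `/etc/hosts` provides it, and the port still falls back to `3000`, the same default this template uses for the IDP's own `[server] port`, so the zero-configuration case points the IDP at itself; Hydra's admin API conventionally listens on 4445 (this series' README exercises the public API on 4444), so use `default("4445")` or make `oidc_urls.hydra_admin.port` a required variable. Because this URL is the privileged admin API, the template should also say that it must not be reachable from outside the host or its network segment, e.g. `# Hydra admin API (privileged): keep it off public interfaces` above `[admin]`.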
@@ -31,6 +31,53 @@ export PATH=$HOME/.local/bin:$PATH *Note:* It is a good idea to put the `PATH` export line into your `.bashrc` or `.zshenv`. +### Initial Configuration +Each of the sub-directories contains instructions for creating or editing +a configuration file and, usually, certificates. + +The first that must be performed are the instructions found in the "hydra_config" +sub-directory. + + In that one, you must create a certificate and key pair using mkcert, + set your database password, and generate a secret key for Hydra. + + Following that, you need to create the Hydra configuration file, hydra.yaml. + + Finally, after starting Hydra, you need to create a Hydra Client, using the + command found at the bottom of the README.md in that directory. Save the + values returned from that command. + +Next, go in to the cacert_resources sub-directory and follow the directions +in that README.md. + +Third, go in to the oidc_app sub-directory. + + There, you again need to create a certicate and key pair using mkcert. + + Create the configuration file, resource_app.toml, using the values created + from the Hydra command described in the hydra_config README.md, and the two + secret keys as described in the current README.md file. + +Next, the oidc_idp sub-directory. + + Again, you will need to create the certificate and key pair using mkcert. + + Create the configuration file, idp.toml, using only the a secret key, as + described in the current README.md file. + +Finally, change into the oidc_registration sub-directory. + + There, you will find detailed instructions for certificate creation for + this module. + + As well, after creating a secret key, you will create the configuration + file, registration.toml. + +### Continuing + +At this point, you should have created all of the certificates and configuration files +needed by this system. + ### Build the applications Use `make` to build the web app resources and applications: 
@@ -94,6 +141,11 @@ certificate authority. ## Testing your local setup +After running "make", in each of the sub-directories except cacert_resources and +hydra_config you will find an executable file. You must execute each of these +commands, using multiple terminal windows, so that they are each running +in individual terminals. + ### Test the authorization server Request the OpenID connect auto discovery information from Hydra diff --git a/deployment/host_vars/localhost.yml b/deployment/host_vars/localhost.yml index 52104d1..297fcfd 100644 --- a/deployment/host_vars/localhost.yml +++ b/deployment/host_vars/localhost.yml @@ -5,8 +5,8 @@ hydra_db_password: hydra hydra_db_host: localhost hydra_db_port: 5432 hydra_tls: - cert: "{{ hydra_home }}/etc/hydra.cacert.localhost+1.pem" - key: "{{ hydra_home }}/etc/hydra.cacert.localhost+1-key.pem" + cert: "{{ hydra_home }}/etc/localhost+2.pem" + key: "{{ hydra_home }}/etc/localhost+2-key.pem" # this is for a localhost deployment, secrets for public servers must be # different random values encrypted via ansible-vault hydra_system_secret: "AczA+NZ25Ye9eAreglv5bo9XcND6uwBQHVUYCvPfwXo=" diff --git a/deployment/host_vars/oidcbox.yml b/deployment/host_vars/oidcbox.yml index 76330ea..7915152 100644 --- a/deployment/host_vars/oidcbox.yml +++ b/deployment/host_vars/oidcbox.yml @@ -5,8 +5,8 @@ hydra_db_password: hydra hydra_db_host: localhost hydra_db_port: 5432 hydra_tls: - cert: "{{ hydra_home }}/etc/hydra.cacert.localhost+1.pem" - key: "{{ hydra_home }}/etc/hydra.cacert.localhost+1-key.pem" + cert: "{{ hydra_home }}/etc/localhost+2.pem" + key: "{{ hydra_home }}/etc/localhost+2-key.pem" # this is for a localhost deployment, secrets for public servers must be # different random values encrypted via ansible-vault hydra_system_secret: "AczA+NZ25Ye9eAreglv5bo9XcND6uwBQHVUYCvPfwXo=" From 089ae46ff184fefb3a725f8094c07af7de9e4e78 Mon Sep 17 00:00:00 2001 
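Review bot: The `hydra_tls` edit is applied byte-for-byte to both `host_vars/localhost.yml` and `host_vars/oidcbox.yml`, and the surrounding `hydra_db_*` and `hydra_system_secret` values are identical too; values shared by both hosts belong in a `group_vars` file so the two inventories cannot drift (a later commit in this series does exactly that for `oidc_urls`). The new names `localhost+2.pem` / `localhost+2-key.pem` are mkcert's automatic naming, which changes whenever the SAN list changes; passing fixed `-cert-file`/`-key-file` names, as the hydra_server role's mkcert task does in later hunks, keeps the inventory stable. The cleartext `hydra_system_secret` is pre-existing and annotated as localhost-only, but `oidcbox` is the Vagrant guest and reuses the same value, which that comment should state explicitly.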
From: Brian McCullough Date: Sun, 6 Aug 2023 15:08:46 -0400 Subject: [PATCH 25/33] Updated Makefile to include cacert_resources --- Makefile | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/Makefile b/Makefile index 5325275..2dde510 100644 --- a/Makefile +++ b/Makefile @@ -1,6 +1,10 @@ SUBDIRS = cacert_resources oidc_app oidc_idp oidc_registration -all: oidc_app/demo-app oidc_idp/cacert-idp oidc_registration/cacert-oidc-registration +all: cacert_resources oidc_app/demo-app oidc_idp/cacert-idp oidc_registration/cacert-oidc-registration + +cacert_resources: force_look + echo building JS and CSS resources + cd cacert_resources ; $(MAKE) $(MFLAGS) oidc_app/demo-app: force_look echo building demo app : $(MAKE) $(MFLAGS) From fbf07c66d9515da4e44c3f8613f1c5919e0a26b1 Mon Sep 17 00:00:00 2001 From: Brian McCullough Date: Sun, 6 Aug 2023 15:54:14 -0400 Subject: [PATCH 26/33] Updated README to show current practice. --- README-extra.md | 14 ++++++++++++++ README.md | 43 ++++++++++++++++++++++++++++++++++--------- 2 files changed, 48 insertions(+), 9 deletions(-) create mode 100644 README-extra.md diff --git a/README-extra.md b/README-extra.md new file mode 100644 index 0000000..9af1b0a --- /dev/null +++ b/README-extra.md @@ -0,0 +1,14 @@ +### Extra PostgreSQL Notes + +PostgreSQL should have been installed automatically as part of the installation of Debian 12. + +see /usr/share/doc/postgresql-common for some documentation + +If, for some reason, that installation is incomplete, it is best to re-install PostgreSQL in your Debian 12. + +```shell +sudo apt update +sudo apt install postgresql postgresql-contrib +``` + + diff --git a/README.md b/README.md index e5c00a6..7a3bb2b 100644 --- a/README.md +++ b/README.md 
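Review bot: The new recipe line `cd cacert_resources ; $(MAKE) $(MFLAGS)` runs the sub-make in the top-level directory if the `cd` fails, which re-enters this Makefile and recurses; write it as `cd cacert_resources && $(MAKE) $(MFLAGS)` (the pre-existing sub-directory recipes share the pattern). `cacert_resources` is both a target and an existing directory; it is rebuilt only because `force_look` is always out of date, so list it in `.PHONY` next to `all clean` to make that explicit. The echo line also omits the `: $(MAKE) $(MFLAGS)` suffix the sibling recipes print, which is cosmetic but inconsistent.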
@@ -18,6 +18,13 @@ Make sure you have the necessary prerequisites installed (tested on Debian 12 Bookworm) and `~/.local/bin` in your `$PATH` variable: +Those prerequisites include: +git -- of course +PostgreSQL -- see README-extra.md +Hydra -- see hydra_config/README.md + +Further items are installed here: + ```shell sudo apt update sudo apt install make mkcert python3-pip python3-venv golang-go yarnpkg @@ -38,8 +45,10 @@ a configuration file and, usually, certificates. The first that must be performed are the instructions found in the "hydra_config" sub-directory. - In that one, you must create a certificate and key pair using mkcert, - set your database password, and generate a secret key for Hydra. + In that one, you must first install Hydra before you continue. + + Next, create a certificate and key pair using mkcert, set your database + password, and generate a secret key for Hydra. Following that, you need to create the Hydra configuration file, hydra.yaml. @@ -48,7 +57,7 @@ sub-directory. values returned from that command. Next, go in to the cacert_resources sub-directory and follow the directions -in that README.md. +in that README.md regarding installing nodejs and webpack. Third, go in to the oidc_app sub-directory. @@ -83,8 +92,18 @@ needed by this system. Use `make` to build the web app resources and applications: +### Install the language translation tool + ```shell go install github.com/nicksnyder/go-i18n/v2/goi18n@latest +``` + + +### Build the applications + +Use `make` to build the web app resources and applications: + +```shell make ``` @@ -115,7 +134,7 @@ ansible-playbook 01_install_cacert_oidc.yml ``` Note: If ansible-playbook fails early in the process with "sudo: a password is required," -then confirm that your user has sudo privileges and execute that command like +then confirm that your user has sudo privileges and execute the `ansible-playbook` command like: ```shell ansible-playbook -K 01_install_cacert_oidc.yml 
@@ -123,7 +142,7 @@ ansible-playbook -K 01_install_cacert_oidc.yml ### Vagrant setup -You can also use [Vagrant](https://www.vagrantup.com/) with the +Instead of Ansible, you can also use [Vagrant](https://www.vagrantup.com/) with the libvirt-provider. The included Vagrantfile is configured to apply the ansible-playbook to the Vagrant managed virtual machine. @@ -134,6 +153,11 @@ vagrant ssh -- cat .local/share/mkcert/rootCA.pem | sudo tee /usr/local/share/ca sudo update-ca-certificates ``` + +======== + +## Finally + Note: You may also want to configure your browser to trust the CA certificate in `/usr/local/share/ca-certificates/mkcert-vagrant-oidc.crt`. If you do not add this trust configuration you will get browser warnings for an unknown @@ -141,10 +165,11 @@ certificate authority. ## Testing your local setup -After running "make", in each of the sub-directories except cacert_resources and -hydra_config you will find an executable file. You must execute each of these -commands, using multiple terminal windows, so that they are each running -in individual terminals. +After running "make" and "ansible-playbook," Hydra and oidc-idp will both be running. + +To run the rest of the components, in each of two new terminal windows, execute +"oidc_app/demo-app" and "oidc_registration/cacert-oidc-registration". + ### Test the authorization server From a468ba805673b62597a3ce3c7fa6c56e7f5225d2 Mon Sep 17 00:00:00 2001 From: Brian McCullough Date: Sun, 6 Aug 2023 16:02:05 -0400 Subject: [PATCH 27/33] Reformatted --- README.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/README.md b/README.md index 7a3bb2b..8977e70 100644 --- a/README.md +++ b/README.md @@ -15,8 +15,7 @@ git config submodule.recurse true ## Get started Make sure you have the necessary prerequisites installed (tested on Debian 12 -Bookworm) and `~/.local/bin` in your `$PATH` -variable: +Bookworm) and `~/.local/bin` in your `$PATH` variable: Those prerequisites include: git -- of course 
From d6b0b21501a774361450b7eb1988b33f3f1fd446 Mon Sep 17 00:00:00 2001 From: Jan Dittberner Date: Mon, 7 Aug 2023 18:07:31 +0200 Subject: [PATCH 28/33] Update submodule commit references --- cacert_resources | 2 +- oidc_app | 2 +- oidc_idp | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/cacert_resources b/cacert_resources index c449873..e6be3d2 160000 --- a/cacert_resources +++ b/cacert_resources @@ -1 +1 @@ -Subproject commit c449873fd1d170a6928733e4a7e90c073499dcc2 +Subproject commit e6be3d2cf94db1be5fcab35db94a84b94f218634 diff --git a/oidc_app b/oidc_app index bc35b09..ae86e52 160000 --- a/oidc_app +++ b/oidc_app @@ -1 +1 @@ -Subproject commit bc35b0984f74d5abadfbff37589d1970d0119541 +Subproject commit ae86e52d405f120eacc19f122a599a555a618aeb diff --git a/oidc_idp b/oidc_idp index 962dd30..a5c583f 160000 --- a/oidc_idp +++ b/oidc_idp @@ -1 +1 @@ -Subproject commit 962dd30c6ad0a95be112227828af1657a30e294f +Subproject commit a5c583f1f65cf5a09054ad7249c451551089cd0f From c737754d0e6c24e9c3c5e29aa6b726d29b5bdfd1 Mon Sep 17 00:00:00 2001 From: Jan Dittberner Date: Mon, 7 Aug 2023 18:08:19 +0200 Subject: [PATCH 29/33] Update test scenario description --- README.md | 66 +++++++++++++++++++++++++++---------------------------- 1 file changed, 32 insertions(+), 34 deletions(-) diff --git a/README.md b/README.md index 8977e70..0c72f29 100644 --- a/README.md +++ b/README.md 
@@ -17,16 +17,9 @@ git config submodule.recurse true Make sure you have the necessary prerequisites installed (tested on Debian 12 Bookworm) and `~/.local/bin` in your `$PATH` variable: -Those prerequisites include: -git -- of course -PostgreSQL -- see README-extra.md -Hydra -- see hydra_config/README.md - -Further items are installed here: - ```shell sudo apt update -sudo apt install make mkcert python3-pip python3-venv golang-go yarnpkg +sudo apt install git golang-go make mkcert postgresql python3-pip python3-venv yarnpkg mkdir -p $HOME/.local/share/virtualenvs ~/.local/bin python3 -m venv $HOME/.local/share/virtualenvs/ansible $HOME/.local/share/virtualenvs/ansible/bin/pip install ansible 
@@ -38,27 +31,31 @@ export PATH=$HOME/.local/bin:$PATH `.zshenv`. ### Initial Configuration -Each of the sub-directories contains instructions for creating or editing -a configuration file and, usually, certificates. -The first that must be performed are the instructions found in the "hydra_config" -sub-directory. +*Note:* If you want to do everything manually, read on. Otherwise skip to the +ansible or Vagrant options below. + +Each of the sub-directories contains instructions for creating or editing a +configuration file and, usually, certificates. + +The first that must be performed are the instructions found in the +`hydra_config` sub-directory. In that one, you must first install Hydra before you continue. - Next, create a certificate and key pair using mkcert, set your database + Next, create a certificate and key pair using mkcert, set your database password, and generate a secret key for Hydra. Following that, you need to create the Hydra configuration file, hydra.yaml. - Finally, after starting Hydra, you need to create a Hydra Client, using the - command found at the bottom of the README.md in that directory. Save the + Finally, after starting Hydra, you need to create a Hydra Client, using the + command found at the bottom of the README.md in that directory. Save the values returned from that command. -Next, go in to the cacert_resources sub-directory and follow the directions +Next, go in to the `cacert_resources` sub-directory and follow the directions in that README.md regarding installing nodejs and webpack. -Third, go in to the oidc_app sub-directory. +Third, go in to the `oidc_app` sub-directory. There, you again need to create a certicate and key pair using mkcert. 
@@ -66,19 +63,19 @@ Third, go in to the oidc_app sub-directory. from the Hydra command described in the hydra_config README.md, and the two secret keys as described in the current README.md file. -Next, the oidc_idp sub-directory. +Next, the `oidc_idp` sub-directory. Again, you will need to create the certificate and key pair using mkcert. Create the configuration file, idp.toml, using only the a secret key, as described in the current README.md file. -Finally, change into the oidc_registration sub-directory. +Finally, change into the `oidc_registration` sub-directory. There, you will find detailed instructions for certificate creation for this module. - As well, after creating a secret key, you will create the configuration + As well, after creating a secret key, you will create the configuration file, registration.toml. ### Continuing @@ -90,14 +87,12 @@ needed by this system. Use `make` to build the web app resources and applications: - ### Install the language translation tool ```shell go install github.com/nicksnyder/go-i18n/v2/goi18n@latest ``` - ### Build the applications Use `make` to build the web app resources and applications: @@ -132,8 +127,9 @@ cd deployment ansible-playbook 01_install_cacert_oidc.yml ``` -Note: If ansible-playbook fails early in the process with "sudo: a password is required," -then confirm that your user has sudo privileges and execute the `ansible-playbook` command like: +*Note:* If ansible-playbook fails early in the process with "sudo: a password +is required," then confirm that your user has sudo privileges and execute the +`ansible-playbook` command like: ```shell ansible-playbook -K 01_install_cacert_oidc.yml 
@@ -141,8 +137,8 @@ ansible-playbook -K 01_install_cacert_oidc.yml ### Vagrant setup -Instead of Ansible, you can also use [Vagrant](https://www.vagrantup.com/) with the -libvirt-provider. The included Vagrantfile is configured to apply the +Instead of Ansible, you can also use [Vagrant](https://www.vagrantup.com/) with +the libvirt-provider. The included Vagrantfile is configured to apply the ansible-playbook to the Vagrant managed virtual machine. ```shell @@ -152,22 +148,19 @@ vagrant ssh -- cat .local/share/mkcert/rootCA.pem | sudo tee /usr/local/share/ca sudo update-ca-certificates ``` - -======== - ## Finally -Note: You may also want to configure your browser to trust the CA certificate +*Note:* You may also want to configure your browser to trust the CA certificate in `/usr/local/share/ca-certificates/mkcert-vagrant-oidc.crt`. If you do not add this trust configuration you will get browser warnings for an unknown certificate authority. ## Testing your local setup -After running "make" and "ansible-playbook," Hydra and oidc-idp will both be running. +After running `make` and `ansible-playbook`, Hydra and oidc-idp will both be running. -To run the rest of the components, in each of two new terminal windows, execute -"oidc_app/demo-app" and "oidc_registration/cacert-oidc-registration". +To run the rest of the components, in each of two new terminal windows, execute +`oidc_app/demo-app` and `oidc_registration/cacert-oidc-registration`. ### Test the authorization server 
@@ -185,5 +178,10 @@ This should give you a JSON document with information about the authorization se Open [https://login.cacert.localhost:3000/](https://login.cacert.localhost:3000/) this should ask you for a CAcert class 3 client certificate and should render a -404 page with a CAcert logo. +welcome page with a CAcert logo. +### Test the demo application + +Open [https://app.cacert.localhost:4000/](https://app.cacert.localhost:4000/) +to visit the demo application. Login should redirect you to the IDP, request +consent and redirect back to the application. From 82954212c46683ab8b029d632eb9f363cdfedb78 Mon Sep 17 00:00:00 2001 From: Jan Dittberner Date: Mon, 7 Aug 2023 18:41:29 +0200 Subject: [PATCH 30/33] Update Hydra setup --- .../roles/hydra_database/tasks/main.yml | 12 +++++++-- .../roles/hydra_server/defaults/main.yml | 6 ++--- deployment/roles/hydra_server/tasks/main.yml | 2 -- .../roles/hydra_server/templates/hydra.yml.j2 | 25 ++++++++++--------- hydra_config | 2 +- 5 files changed, 27 insertions(+), 20 deletions(-) diff --git a/deployment/roles/hydra_database/tasks/main.yml b/deployment/roles/hydra_database/tasks/main.yml index c5bc6d3..7e3a86b 100644 --- a/deployment/roles/hydra_database/tasks/main.yml +++ b/deployment/roles/hydra_database/tasks/main.yml @@ -22,8 +22,16 @@ - name: Grant permissions on Hydra database to Hydra database user community.postgresql.postgresql_privs: database: "{{ hydra_db_name }}" - state: present - privs: CREATE,CONNECT + privs: CONNECT type: database role: "{{ hydra_db_user }}" become_user: postgres + +- name: Grant permissions on public schema of Hydra database to Hydra database user + community.postgresql.postgresql_privs: + database: "{{ hydra_db_name }}" + objs: public + privs: CREATE,USAGE + type: schema + role: "{{ hydra_db_user }}" + become_user: postgres diff --git a/deployment/roles/hydra_server/defaults/main.yml b/deployment/roles/hydra_server/defaults/main.yml index a1c1c9f..8cae35e 100644 
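Review bot: The added schema task grants `CREATE,USAGE` on `public` to the application role, which is what `hydra migrate sql` (run later in the hydra_server role) needs on PostgreSQL 15 — Debian 12's version — where CREATE on the `public` schema is no longer granted to every role; add a comment so the grant is not removed later as redundant, e.g. `# PostgreSQL >= 15 no longer grants CREATE on schema public by default; Hydra's migrations create their tables there`. Narrowing the database-level grant from `CREATE,CONNECT` to `CONNECT` is the right least-privilege move, and dropping `state: present` is behaviour-neutral because it is the module default.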
--- a/deployment/roles/hydra_server/defaults/main.yml +++ b/deployment/roles/hydra_server/defaults/main.yml @@ -5,7 +5,7 @@ hydra_os_group: hydra hydra_os_user: hydra hydra_home: /srv/hydra -hydra_version: "1.11.9" -hydra_checksum: "0e38096a45ae411f70b95beaad69a5335a16cf34c4963724beef3ebce37c283c" +hydra_version: "2.1.2" +hydra_checksum: "acab44b1f5324e001fcfecaa7115a5c3a07156e3e0d3840d8ed12deca4db6490" -use_mkcert: false +use_mkcert: true diff --git a/deployment/roles/hydra_server/tasks/main.yml b/deployment/roles/hydra_server/tasks/main.yml index ad1d1df..a6b2945 100644 --- a/deployment/roles/hydra_server/tasks/main.yml +++ b/deployment/roles/hydra_server/tasks/main.yml @@ -13,7 +13,6 @@ state: present system: true - - name: Create Hydra directories ansible.builtin.file: path: "{{hydra_home }}/{{ item.path }}" @@ -26,7 +25,6 @@ - { path: bin, mode: '0750' } - { path: download, mode: '0750' } - - name: Download Hydra binary ansible.builtin.get_url: url: "https://github.com/ory/hydra/releases/download/v{{ hydra_version }}/hydra_{{ hydra_version }}-linux_64bit.tar.gz" diff --git a/deployment/roles/hydra_server/templates/hydra.yml.j2 b/deployment/roles/hydra_server/templates/hydra.yml.j2 index 98c6dbc..f5ea8d4 100644 --- a/deployment/roles/hydra_server/templates/hydra.yml.j2 +++ b/deployment/roles/hydra_server/templates/hydra.yml.j2 
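Review bot: Flipping the default of `use_mkcert` to `true` means any host that does not set the variable gets a certificate from the local mkcert development CA instead of inventory-provided material; for a role that may also target public servers the safe default is `false`, with the development inventories opting in. `host_vars/localhost.yml` and `oidcbox.yml` already appear to set `use_mkcert: true` themselves (they show up as removed lines in PATCH 33), so the flip is redundant for them and only changes behaviour for hosts that were relying on the old default. Pinning `hydra_checksum` together with `hydra_version`, both quoted, is the right pattern and should stay.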
@@ -3,14 +3,22 @@ serve: admin: host: {{ oidc_urls.hydra_admin.address | default("localhost") }} port: {{ oidc_urls.hydra_admin.port | default("4445") }} + tls: + enabled: true + cert: + path: {{ hydra_tls.cert }} + key: + path: {{ hydra_tls.key }} public: host: {{ oidc_urls.hydra_public.address | default(ansible_default_ipv4.address) }} port: {{ oidc_urls.hydra_public.port | default("4444") }} - tls: - cert: - path: {{ hydra_tls.cert }} - key: - path: {{ hydra_tls.key }} + tls: + enabled: true + cert: + path: {{ hydra_tls.cert }} + key: + path: {{ hydra_tls.key }} + dsn: 'postgres://{{ hydra_db_user }}:{{ hydra_db_password }}@{{ hydra_db_host }}:{{ hydra_db_port }}/{{ hydra_db_name }}' webfinger: @@ -18,14 +26,7 @@ webfinger: supported_claims: - email - email_verified - - given_name - - family_name - - middle_name - name - - birthdate - - zoneinfo - - locale - - https://auth.cacert.org/groups supported_scope: - profile - email diff --git a/hydra_config b/hydra_config index 4d3f908..6aa5d1d 160000 --- a/hydra_config +++ b/hydra_config @@ -1 +1 @@ -Subproject commit 4d3f908958b100eb901ce9f849a6fdd613aece06 +Subproject commit 6aa5d1de0411ce93deb67d91ed841ec1ef658bc3 From 0e44cc901754e7ecace0504ac088418c07e3c050 Mon Sep 17 00:00:00 2001 
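Review bot: The two new `tls:` stanzas under `serve.admin` and `serve.public` are identical six-line copies; a single `{% set %}` block or Jinja macro rendered in both places would keep them from drifting, which is how the previous asymmetry (TLS on `public` only) arose. Enabling TLS on the admin listener is the right call, since Hydra's admin API carries no authentication of its own and `oidc_idp` reaches it over `https://` per the idp_config.toml.j2 hunk in PATCH 23. The second hunk drops `given_name`, `family_name`, `middle_name`, `birthdate`, `zoneinfo`, `locale` and `https://auth.cacert.org/groups` from `webfinger` `supported_claims`, a change relying parties can observe that the commit message does not mention; a short template comment such as `# claims limited to what the IDP actually issues — confirm against oidc_idp` would record the intent.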
From: Jan Dittberner Date: Mon, 7 Aug 2023 18:46:45 +0200 Subject: [PATCH 31/33] Remove unused oidc_client_registration role --- Vagrantfile | 1 - deployment/01_install_cacert_oidc.yml | 1 - .../roles/oidc_client_registration/README.md | 38 -------------- .../defaults/main.yml | 2 - .../handlers/main.yml | 2 - .../oidc_client_registration/meta/main.yml | 52 ------------------- .../oidc_client_registration/tasks/main.yml | 2 - .../oidc_client_registration/vars/main.yml | 2 - 8 files changed, 100 deletions(-) delete mode 100644 deployment/roles/oidc_client_registration/README.md delete mode 100644 deployment/roles/oidc_client_registration/defaults/main.yml delete mode 100644 deployment/roles/oidc_client_registration/handlers/main.yml delete mode 100644 deployment/roles/oidc_client_registration/meta/main.yml delete mode 100644 deployment/roles/oidc_client_registration/tasks/main.yml delete mode 100644 deployment/roles/oidc_client_registration/vars/main.yml diff --git a/Vagrantfile b/Vagrantfile index 2c41041..00a1ac7 100644 --- a/Vagrantfile +++ b/Vagrantfile @@ -9,7 +9,6 @@ Vagrant.configure("2") do |config| config.vm.network "forwarded_port", guest: 4444, host: 4444, host_ip: "127.0.0.1" config.vm.network "forwarded_port", guest: 3000, host: 3000, host_ip: "127.0.0.1" config.vm.network "forwarded_port", guest: 4000, host: 4000, host_ip: "127.0.0.1" - config.vm.network "forwarded_port", guest: 5000, host: 5000, host_ip: "127.0.0.1" config.vm.provider "libvirt" do |lv| lv.memory = "2048" diff --git a/deployment/01_install_cacert_oidc.yml b/deployment/01_install_cacert_oidc.yml index b826065..df3da52 100644 --- a/deployment/01_install_cacert_oidc.yml +++ b/deployment/01_install_cacert_oidc.yml @@ -34,7 +34,6 @@ roles: - hydra_server - oidc_idp - - oidc_client_registration - name: Install demo application hosts: demoserver 
diff --git a/deployment/roles/oidc_client_registration/README.md b/deployment/roles/oidc_client_registration/README.md deleted file mode 100644 index 225dd44..0000000 --- a/deployment/roles/oidc_client_registration/README.md +++ /dev/null @@ -1,38 +0,0 @@ -Role Name -========= - -A brief description of the role goes here. - -Requirements ------------- - -Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required. - -Role Variables --------------- - -A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well. - -Dependencies ------------- - -A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles. - -Example Playbook ----------------- - -Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too: - - - hosts: servers - roles: - - { role: username.rolename, x: 42 } - -License -------- - -BSD - -Author Information ------------------- - -An optional section for the role authors to include contact information, or a website (HTML is not allowed). diff --git a/deployment/roles/oidc_client_registration/defaults/main.yml b/deployment/roles/oidc_client_registration/defaults/main.yml deleted file mode 100644 index ca4b246..0000000 --- a/deployment/roles/oidc_client_registration/defaults/main.yml +++ /dev/null @@ -1,2 +0,0 @@ ---- -# defaults file for roles/oidc_client_registration 
diff --git a/deployment/roles/oidc_client_registration/handlers/main.yml b/deployment/roles/oidc_client_registration/handlers/main.yml deleted file mode 100644 index f9ded04..0000000 --- a/deployment/roles/oidc_client_registration/handlers/main.yml +++ /dev/null @@ -1,2 +0,0 @@ ---- -# handlers file for roles/oidc_client_registration diff --git a/deployment/roles/oidc_client_registration/meta/main.yml b/deployment/roles/oidc_client_registration/meta/main.yml deleted file mode 100644 index c572acc..0000000 --- a/deployment/roles/oidc_client_registration/meta/main.yml +++ /dev/null 
@@ -1,52 +0,0 @@ -galaxy_info: - author: your name - description: your role description - company: your company (optional) - - # If the issue tracker for your role is not on github, uncomment the - # next line and provide a value - # issue_tracker_url: http://example.com/issue/tracker - - # Choose a valid license ID from https://spdx.org - some suggested licenses: - # - BSD-3-Clause (default) - # - MIT - # - GPL-2.0-or-later - # - GPL-3.0-only - # - Apache-2.0 - # - CC-BY-4.0 - license: license (GPL-2.0-or-later, MIT, etc) - - min_ansible_version: 2.1 - - # If this a Container Enabled role, provide the minimum Ansible Container version. - # min_ansible_container_version: - - # - # Provide a list of supported platforms, and for each platform a list of versions. - # If you don't wish to enumerate all versions for a particular platform, use 'all'. - # To view available platforms and versions (or releases), visit: - # https://galaxy.ansible.com/api/v1/platforms/ - # - # platforms: - # - name: Fedora - # versions: - # - all - # - 25 - # - name: SomePlatform - # versions: - # - all - # - 1.0 - # - 7 - # - 99.99 - - galaxy_tags: [] - # List tags for your role here, one per line. A tag is a keyword that describes - # and categorizes the role. Users find roles by searching for tags. Be sure to - # remove the '[]' above, if you add tags to this list. - # - # NOTE: A tag is limited to a single word comprised of alphanumeric characters. - # Maximum 20 tags per role. - -dependencies: [] - # List your role dependencies here, one per line. Be sure to remove the '[]' above, - # if you add dependencies to this list. diff --git a/deployment/roles/oidc_client_registration/tasks/main.yml b/deployment/roles/oidc_client_registration/tasks/main.yml deleted file mode 100644 index 8662f7a..0000000 --- a/deployment/roles/oidc_client_registration/tasks/main.yml +++ /dev/null @@ -1,2 +0,0 @@ ---- -# tasks file for roles/oidc_client_registration 
diff --git a/deployment/roles/oidc_client_registration/vars/main.yml b/deployment/roles/oidc_client_registration/vars/main.yml deleted file mode 100644 index 188961d..0000000 --- a/deployment/roles/oidc_client_registration/vars/main.yml +++ /dev/null @@ -1,2 +0,0 @@ ---- -# vars file for roles/oidc_client_registration From 4a7e46f2ad0e358d500c1eda85becec9a289452e Mon Sep 17 00:00:00 2001 From: Jan Dittberner Date: Tue, 8 Aug 2023 12:31:25 +0200 Subject: [PATCH 32/33] Add Go installation to Makefile --- .gitignore | 1 + Makefile | 31 +++++++++++++++++++++---------- 2 files changed, 22 insertions(+), 10 deletions(-) diff --git a/.gitignore b/.gitignore index ae91c4c..ad720a5 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1,3 @@ /.idea/ /.vagrant/ +/tmp/ diff --git a/Makefile b/Makefile index 2dde510..ffd7c41 100644 --- a/Makefile +++ b/Makefile 
@@ -1,23 +1,34 @@ SUBDIRS = cacert_resources oidc_app oidc_idp oidc_registration +GO_VERSION = 1.20.7 -all: cacert_resources oidc_app/demo-app oidc_idp/cacert-idp oidc_registration/cacert-oidc-registration +export PATH:=$(CURDIR)/tmp/go/bin:$(PATH) -cacert_resources: force_look - echo building JS and CSS resources +all: cacert_resources oidc_app/demo-app oidc_idp/cacert-idp + +$(CURDIR)/tmp/go$(GO_VERSION).linux-amd64.tar.gz: + mkdir -p tmp ; cd tmp ; \ + curl -L -O https://go.dev/dl/go$(GO_VERSION).linux-amd64.tar.gz ; \ + +install_go: $(CURDIR)/tmp/go$(GO_VERSION).linux-amd64.tar.gz + tar x -C $(CURDIR)/tmp -f $(CURDIR)/tmp/go$(GO_VERSION).linux-amd64.tar.gz + go version + go env + +install_yarn: + sudo apt install yarnpkg + +cacert_resources: install_yarn force_look + echo building UI resources : $(MAKE) $(MFLAGS) cd cacert_resources ; $(MAKE) $(MFLAGS) -oidc_app/demo-app: force_look +oidc_app/demo-app: cacert_resources install_go force_look echo building demo app : $(MAKE) $(MFLAGS) cd oidc_app ; $(MAKE) $(MFLAGS) -oidc_idp/cacert-idp: force_look +oidc_idp/cacert-idp: cacert_resources install_go force_look echo building CAcert IDP : $(MAKE) $(MFLAGS) cd oidc_idp ; $(MAKE) $(MFLAGS) -oidc_registration/cacert-oidc-registration: force_look - echo building CAcert client registration: $(MAKE) $(MFLAGS) - cd oidc_registration ; $(MAKE) $(MFLAGS) - clean: echo cleaning up in . -for d in $(SUBDIRS) ; do ( cd $$d; $(MAKE) clean ); done @@ -25,4 +36,4 @@ clean: force_look: true -.PHONY: all clean +.PHONY: all clean install_go install_yarn From 372532c943a1e5b302c185e12e535f82d25ed50f Mon Sep 17 00:00:00 2001 
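Review bot: `install_go` extracts a toolchain fetched with `curl -L -O` from go.dev without verifying it; go.dev publishes a SHA-256 for every archive, so pin it next to `GO_VERSION` and check it before `tar x`, e.g. `GO_SHA256 = <sha256 from go.dev/dl for $(GO_VERSION)>` and, as the first recipe line of `install_go`, `echo "$(GO_SHA256)  $(CURDIR)/tmp/go$(GO_VERSION).linux-amd64.tar.gz" | sha256sum -c -`. The download recipe ends in `; \` with nothing following, and `mkdir -p tmp ; cd tmp ; \` should use `&&` so a failed `cd` does not download into the repository root. `install_yarn` runs `sudo apt install yarnpkg` from a recipe, which prompts interactively; either pass `-y` or document that the target needs a terminal.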
From: Jan Dittberner Date: Tue, 8 Aug 2023 15:21:27 +0200 Subject: [PATCH 33/33] Complete Vagrant deployment --- .gitignore | 2 + README.md | 12 +- Vagrantfile | 3 + deployment/group_vars/all.yml | 14 ++ deployment/host_vars/demoserver.yml | 4 + deployment/host_vars/localhost.yml | 13 +- deployment/host_vars/oidcbox.yml | 25 +-- .../roles/hydra_server/handlers/main.yml | 2 +- deployment/roles/hydra_server/tasks/main.yml | 25 +-- .../oidc_demo_application/defaults/main.yml | 4 +- .../oidc_demo_application/handlers/main.yml | 7 +- .../oidc_demo_application/tasks/main.yml | 166 +++++++++++++++++- .../templates/cacert-demoapp.service.j2 | 14 ++ .../templates/demoapp_config.toml.j2 | 19 ++ deployment/roles/oidc_idp/handlers/main.yml | 2 +- deployment/roles/oidc_idp/tasks/main.yml | 47 ++--- .../oidc_idp/templates/idp_config.toml.j2 | 7 + .../roles/prepare_devtools/tasks/main.yml | 3 +- oidc_idp | 2 +- 19 files changed, 280 insertions(+), 91 deletions(-) create mode 100644 deployment/host_vars/demoserver.yml create mode 100644 deployment/roles/oidc_demo_application/templates/cacert-demoapp.service.j2 create mode 100644 deployment/roles/oidc_demo_application/templates/demoapp_config.toml.j2 diff --git a/.gitignore b/.gitignore index ad720a5..d0c8370 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,5 @@ /.idea/ /.vagrant/ +/deployment/*-from-vagrant.* +/mkcert_ca/ /tmp/ diff --git a/README.md b/README.md index 0c72f29..5f7f698 100644 --- a/README.md +++ b/README.md 
@@ -144,16 +144,11 @@ ansible-playbook to the Vagrant managed virtual machine. ```shell sudo apt install vagrant-libvirt virt-manager libvirt-clients vagrant up -vagrant ssh -- cat .local/share/mkcert/rootCA.pem | sudo tee /usr/local/share/ca-certificates/mkcert-vagrant-oidc.crt -sudo update-ca-certificates +CAROOT=$(pwd)/mkcert_ca mkcert -install ``` -## Finally - -*Note:* You may also want to configure your browser to trust the CA certificate -in `/usr/local/share/ca-certificates/mkcert-vagrant-oidc.crt`. If you do not -add this trust configuration you will get browser warnings for an unknown -certificate authority. +The last step installs the `mkcert` CA certificate in your user's browser trust +store. ## Testing your local setup @@ -162,7 +157,6 @@ After running `make` and `ansible-playbook`, Hydra and oidc-idp will both be run To run the rest of the components, in each of two new terminal windows, execute `oidc_app/demo-app` and `oidc_registration/cacert-oidc-registration`. - ### Test the authorization server Request the OpenID connect auto discovery information from Hydra diff --git a/Vagrantfile b/Vagrantfile index 00a1ac7..1bf57e6 100644 --- a/Vagrantfile +++ b/Vagrantfile @@ -27,5 +27,8 @@ Vagrant.configure("2") do |config| "authserver" => ["oidcbox"], "demoserver" => ["oidcbox"] } + ansible.extra_vars = { + mkcert_caroot: "/vagrant/mkcert_ca" + } end end diff --git a/deployment/group_vars/all.yml b/deployment/group_vars/all.yml index 1acb311..19b0bdc 100644 --- a/deployment/group_vars/all.yml +++ b/deployment/group_vars/all.yml @@ -1,2 +1,16 @@ --- hydra_home: /srv/hydra + +oidc_urls: + hydra_admin: + host: hydra.cacert.localhost + port: 4445 + hydra_public: + host: auth.cacert.localhost + port: 4444 + idp: + host: login.cacert.localhost + port: 3000 + demoapp: + host: app.cacert.localhost + port: 4000 diff --git a/deployment/host_vars/demoserver.yml b/deployment/host_vars/demoserver.yml new file mode 100644 index 0000000..6392816 --- /dev/null 
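Review bot: `mkcert_caroot: "/vagrant/mkcert_ca"` makes the guest write the mkcert CA — including its private key `rootCA-key.pem` — into the synced folder of the repository checkout, and the README hunk in this commit then has the user install that CA into the host trust store. While it stays installed, anything with write access to the guest or to that folder can mint certificates the host browser trusts, so a comment next to the line should say so, e.g. `# mkcert CA (incl. private key) lives in the synced folder; keep it out of VCS and run "mkcert -uninstall" when done`. The `/mkcert_ca/` entry added to `.gitignore` in this commit covers the VCS side.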
+++ b/deployment/host_vars/demoserver.yml @@ -0,0 +1,4 @@ +--- +demoapp_tls: + cert: "{{ cacert_home }}/etc/app.cacert.localhost.pem" + key: "{{ cacert_home }}/etc/app.cacert.localhost-key.pem" diff --git a/deployment/host_vars/localhost.yml b/deployment/host_vars/localhost.yml index 297fcfd..a065ca0 100644 --- a/deployment/host_vars/localhost.yml +++ b/deployment/host_vars/localhost.yml @@ -11,14 +11,14 @@ hydra_tls: # different random values encrypted via ansible-vault hydra_system_secret: "AczA+NZ25Ye9eAreglv5bo9XcND6uwBQHVUYCvPfwXo=" -register_tls: - cert: "{{ cacert_home }}/etc/register.cacert.localhost.pem" - key: "{{ cacert_home }}/etc/register.cacert.localhost-key.pem" - demoapp_tls: cert: "{{ cacert_home }}/etc/app.cacert.localhost.pem" key: "{{ cacert_home }}/etc/app.cacert.localhost-key.pem" +idp_tls: + cert: "{{ cacert_home }}/etc/idp.cacert.localhost.pem" + key: "{{ cacert_home }}/etc/idp.cacert.localhost-key.pem" + oidc_urls: hydra_admin: host: hydra.cacert.localhost @@ -33,8 +33,3 @@ oidc_urls: demoapp: host: app.cacert.localhost port: 4000 - register: - host: register.cacert.localhost - port: 5000 - -use_mkcert: true diff --git a/deployment/host_vars/oidcbox.yml b/deployment/host_vars/oidcbox.yml index 7915152..ecd7989 100644 --- a/deployment/host_vars/oidcbox.yml +++ b/deployment/host_vars/oidcbox.yml 
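Review bot: The `oidc_urls` block kept in `host_vars/localhost.yml` (its `hydra_admin`, `hydra_public`, `idp` and `demoapp` entries are context lines in the second hunk) now duplicates the one added to `group_vars/all.yml` in this commit with the same values; host_vars take precedence over group_vars, so the copy here is what actually applies to `localhost` and the two will drift apart unnoticed. Remove the block from this file as the `oidcbox.yml` hunk of this commit does, leaving only host-specific overrides such as `idp_tls` and `demoapp_tls`.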
@@ -11,29 +11,10 @@ hydra_tls: # different random values encrypted via ansible-vault hydra_system_secret: "AczA+NZ25Ye9eAreglv5bo9XcND6uwBQHVUYCvPfwXo=" -register_tls: - cert: "{{ cacert_home }}/etc/register.cacert.localhost.pem" - key: "{{ cacert_home }}/etc/register.cacert.localhost-key.pem" +idp_tls: + cert: "{{ cacert_home }}/etc/idp.cacert.localhost.pem" + key: "{{ cacert_home }}/etc/idp.cacert.localhost-key.pem" demoapp_tls: cert: "{{ cacert_home }}/etc/app.cacert.localhost.pem" key: "{{ cacert_home }}/etc/app.cacert.localhost-key.pem" - -oidc_urls: - hydra_admin: - host: hydra.cacert.localhost - port: 4445 - hydra_public: - host: auth.cacert.localhost - port: 4444 - idp: - host: login.cacert.localhost - port: 3000 - demoapp: - host: app.cacert.localhost - port: 4000 - register: - host: register.cacert.localhost - port: 5000 - -use_mkcert: true diff --git a/deployment/roles/hydra_server/handlers/main.yml b/deployment/roles/hydra_server/handlers/main.yml index 63b31e8..25ec00d 100644 --- a/deployment/roles/hydra_server/handlers/main.yml +++ b/deployment/roles/hydra_server/handlers/main.yml @@ -1,7 +1,7 @@ --- - name: hydra_systemd_reload ansible.builtin.systemd: - state: started + state: restarted name: hydra daemon_reload: true enabled: true diff --git a/deployment/roles/hydra_server/tasks/main.yml b/deployment/roles/hydra_server/tasks/main.yml index a6b2945..7043c75 100644 --- a/deployment/roles/hydra_server/tasks/main.yml +++ b/deployment/roles/hydra_server/tasks/main.yml @@ -70,6 +70,8 @@ - name: Create Hydra key and certificate ansible.builtin.command: cmd: "mkcert -cert-file {{ hydra_cert_temp_dir.path }}/hydra.pem -key-file {{ hydra_cert_temp_dir.path }}/hydra.key.pem {{ oidc_urls.hydra_admin.host }} {{ oidc_urls.hydra_public.host }}" + environment: + CAROOT: "{{ mkcert_caroot | default(omit) }}" - name: Move Hydra certificate and key to target ansible.builtin.copy: 
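Review bot: `CAROOT: "{{ mkcert_caroot | default(omit) }}"` relies on `omit` being honoured inside the `environment` keyword, but `omit` is documented for module parameters; if it is not stripped here, a host without `mkcert_caroot` exports the omit placeholder string as CAROOT and mkcert works against a bogus CA directory. A safer form is `CAROOT: "{{ mkcert_caroot | default('') }}"`, since mkcert falls back to its default location when CAROOT is empty, or build the dict conditionally: `environment: "{{ {'CAROOT': mkcert_caroot} if mkcert_caroot is defined else {} }}"`. The same pattern appears in the oidc_demo_application tasks, oidc_idp tasks and prepare_devtools hunks. The enclosing block of this task starts before the hunk and continues after it.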
@@ -89,30 +91,9 @@ path: "{{ hydra_cert_temp_dir.path }}" state: absent - when: use_mkcert and not hydra_cert_st.stat.exists + when: not hydra_cert_st.stat.exists become: false -- name: Copy Hydra key and certificate from inventory - block: - - - name: Copy Hydra certificate - ansible.builtin.copy: - dest: "{{ hydra_tls.cert }}" - owner: root - group: "{{ hydra_os_group }}" - mode: '0644' - content: "{{ hydra_tls.certdata }}" - - - name: Copy Hydra key - ansible.builtin.copy: - dest: "{{ hydra_tls.key }}" - owner: root - group: "{{ hydra_os_group }}" - mode: '0640' - content: "{{ hydra_tls.keydata }}" - - when: not use_mkcert - - name: Run Hydra SQL migrations ansible.builtin.command: cmd: "{{ hydra_home }}/bin/hydra migrate sql --yes --read-from-env --config {{ hydra_home }}/etc/hydra.yml" diff --git a/deployment/roles/oidc_demo_application/defaults/main.yml b/deployment/roles/oidc_demo_application/defaults/main.yml index a344905..58205fb 100644 --- a/deployment/roles/oidc_demo_application/defaults/main.yml +++ b/deployment/roles/oidc_demo_application/defaults/main.yml @@ -1,2 +1,4 @@ --- -# defaults file for roles/oidc_demo_application +cacert_os_user: cacert +cacert_os_group: cacert +cacert_home: /srv/cacert diff --git a/deployment/roles/oidc_demo_application/handlers/main.yml b/deployment/roles/oidc_demo_application/handlers/main.yml index 29cefff..cccd716 100644 --- a/deployment/roles/oidc_demo_application/handlers/main.yml +++ b/deployment/roles/oidc_demo_application/handlers/main.yml @@ -1,2 +1,7 @@ --- -# handlers file for roles/oidc_demo_application +- name: demoapp_systemd_reload + ansible.builtin.systemd: + state: restarted + name: cacert-demoapp + daemon_reload: true + enabled: true diff --git a/deployment/roles/oidc_demo_application/tasks/main.yml b/deployment/roles/oidc_demo_application/tasks/main.yml index d02ffeb..a6f371a 100644 --- a/deployment/roles/oidc_demo_application/tasks/main.yml +++ b/deployment/roles/oidc_demo_application/tasks/main.yml 
@@ -1,2 +1,166 @@
 ---
-# tasks file for roles/oidc_demo_application
+- name: Manage /etc/hosts
+ blockinfile:
+ path: /etc/hosts
+ create: true
+ block: |
+ 127.0.0.1 localhost
+ 127.0.0.2 bookworm
+ ::1 localhost ip6-localhost ip6-loopback
+ ff02::1 ip6-allnodes
+ ff02::2 ip6-allrouters
+
+ {{ oidc_urls.hydra_public.address | default(ansible_default_ipv4.address) }} {{ oidc_urls.hydra_public.host }}
+ 127.0.0.1 {{ oidc_urls.demoapp.host }}
+
+- name: Create CAcert group
+ ansible.builtin.group:
+ name: "{{ cacert_os_group }}"
+ state: present
+ system: true
+
+- name: Create CAcert user
+ ansible.builtin.user:
+ name: "{{ cacert_os_user }}"
+ group: "{{ cacert_os_group }}"
+ home: "{{ cacert_home }}"
+ state: present
+ system: true
+
+- name: Create CAcert directories
+ ansible.builtin.file:
+ path: "{{ cacert_home }}/{{ item.path }}"
+ owner: "{{ cacert_os_user }}"
+ group: "{{ cacert_os_group }}"
+ mode: "{{ item.mode }}"
+ state: directory
+ loop:
+ - { path: etc, mode: '0750' }
+ - { path: bin, mode: '0750' }
+ - { path: download, mode: '0750' }
+
+- name: Create session directory
+ ansible.builtin.file:
+ path: "{{ demoapp_session_path | default('/var/cache/cacert/sessions') }}"
+ owner: "{{ cacert_os_user }}"
+ group: "{{ cacert_os_group }}"
+ mode: "0750"
+ state: directory
+
+- name: Copy demo application binary
+ ansible.builtin.copy:
+ src: ../oidc_app/demo-app
+ dest: "{{ cacert_home }}/bin/cacert-oidcdemo"
+ owner: root
+ group: "{{ cacert_os_group }}"
+ mode: "0750"
+
+- name: Check whether certificate exists
+ ansible.builtin.stat:
+ path: "{{ demoapp_tls.cert }}"
+ register: demoapp_cert_st
+
+- name: Create demo application key and certificate with mkcert
+ block:
+
+ - name: Create temporary directory for demo application key and certificate
+ ansible.builtin.tempfile:
+ prefix: "demoapp-cert."
+ state: directory
+ register: demoapp_cert_temp_dir
+
+ - name: Create demo application key and certificate
+ ansible.builtin.command:
+ cmd: "mkcert -cert-file {{ demoapp_cert_temp_dir.path }}/demoapp.pem -key-file {{ demoapp_cert_temp_dir.path }}/demoapp.key.pem {{ oidc_urls.demoapp.host }}"
+ environment:
+ CAROOT: "{{ mkcert_caroot | default(omit) }}"
+
+ - name: Move demo application certificate and key to target
+ ansible.builtin.copy:
+ src: "{{ demoapp_cert_temp_dir.path }}/{{ item.src }}"
+ dest: "{{ item.dest }}"
+ owner: root
+ group: "{{ cacert_os_group }}"
+ mode: "{{ item.mode }}"
+ remote_src: true
+ loop:
+ - {src: demoapp.pem, dest: "{{ demoapp_tls.cert }}", mode: '0644'}
+ - {src: demoapp.key.pem, dest: "{{ demoapp_tls.key }}", mode: '0640'}
+ become: true
+
+ - name: Remove temporary directory
+ ansible.builtin.file:
+ path: "{{ demoapp_cert_temp_dir.path }}"
+ state: absent
+
+ when: not demoapp_cert_st.stat.exists
+ become: false
+
+- name: Check whether configuration file exists
+ ansible.builtin.stat:
+ path: "{{ cacert_home }}/etc/cacert-demoapp.toml"
+ register: demoapp_config_st
+
+- name: Get credentials from existing file
+ block:
+
+ - name: fetch existing configuration file
+ ansible.builtin.fetch:
+ src: "{{ demoapp_config_st.stat.path }}"
+ dest: demoapp_config-from-vagrant.toml
+ flat: true
+
+ - name: set credential facts
+ ansible.builtin.set_fact:
+ demoapp_client_id: "{{ lookup('ansible.builtin.ini', 'client-id', section='oidc', file='demoapp_config-from-vagrant.toml') | from_json }}"
+ demoapp_client_secret: "{{ lookup('ansible.builtin.ini', 'client-secret', section='oidc', file='demoapp_config-from-vagrant.toml') | from_json }}"
+ demoapp_auth_key: "{{ lookup('ansible.builtin.ini', 'auth-key', section='session', file='demoapp_config-from-vagrant.toml') | from_json }}"
+ demoapp_enc_key: "{{ lookup('ansible.builtin.ini', 'enc-key', section='session', file='demoapp_config-from-vagrant.toml') | from_json }}"
+
+ when: demoapp_config_st.stat.exists
+
+- name: Generate new credentials
+ block:
+
+ - name: Create new client via Hydra admin API
+ ansible.builtin.uri:
+ url: "https://{{ oidc_urls.hydra_admin.host }}:{{ oidc_urls.hydra_admin.port }}/admin/clients"
+ method: "POST"
+ body:
+ client_name: "CAcert OIDC demo application"
+ redirect_uris:
+ - "https://{{ oidc_urls.demoapp.host }}:{{ oidc_urls.demoapp.port }}/callback"
+ post_logout_redirect_uris:
+ - "https://{{ oidc_urls.demoapp.host }}:{{ oidc_urls.demoapp.port }}/after-logout"
+ scope: "openid email profile groups"
+ body_format: "json"
+ headers:
+ Accept: "application/json"
+ Content-Type: "application/json"
+ status_code: [201]
+ register: hydra_response
+
+ - name: Set credential facts
+ ansible.builtin.set_fact:
+ demoapp_client_id: "{{ hydra_response.json.client_id }}"
+ demoapp_client_secret: "{{ hydra_response.json.client_secret }}"
+
+ when: not demoapp_config_st.stat.exists
+
+- name: Create demo application configuration
+ ansible.builtin.template:
+ src: demoapp_config.toml.j2
+ dest: "{{ cacert_home }}/etc/cacert-demoapp.toml"
+ owner: root
+ group: "{{ cacert_os_group }}"
+ mode: '0640'
+ notify: demoapp_systemd_reload
+
+- name: Create demoapp systemd unit file
+ ansible.builtin.template:
+ src: cacert-demoapp.service.j2
+ dest: /etc/systemd/system/cacert-demoapp.service
+ owner: root
+ group: root
+ mode: "0640"
+ notify: demoapp_systemd_reload
diff --git a/deployment/roles/oidc_demo_application/templates/cacert-demoapp.service.j2 b/deployment/roles/oidc_demo_application/templates/cacert-demoapp.service.j2
new file mode 100644
index 0000000..8b29f2f
--- /dev/null
+++ b/deployment/roles/oidc_demo_application/templates/cacert-demoapp.service.j2
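Review bot: The `fetch existing configuration file` task copies `cacert-demoapp.toml` — which holds the OAuth client secret and the session `auth-key`/`enc-key` — to `demoapp_config-from-vagrant.toml` on the controller with `flat: true`, i.e. a relative path next to the playbook, where it persists unencrypted after the run and is never removed. The Hydra `uri` call and the two `set_fact` tasks also place `client_secret` in a registered result and in facts that show up in verbose output and callback logs; give those tasks `no_log: true`. Fetch into a controller-side temporary directory instead (`ansible.builtin.tempfile` with `delegate_to: localhost`) and remove it at the end of the role, or at the very least make sure the file name is git-ignored. The same applies to the `Get credentials from existing file` block in the oidc_idp tasks hunk. Minor: `blockinfile:` is the only module here without the `ansible.builtin.` prefix, and `127.0.0.2 bookworm` hard-codes a hostname that the other entries derive from variables.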
@@ -0,0 +1,14 @@
+[Unit]
+Description=CAcert OpenID Connect demo application
+After=network.target
+Documentation=https://code.cacert.org/cacert/oidc-demo-app
+
+[Service]
+ExecStart={{ cacert_home }}/bin/cacert-oidcdemo --conf "{{ cacert_home }}/etc/cacert-demoapp.toml"
+WorkingDirectory={{ cacert_home }}
+User={{ cacert_os_user }}
+Group={{ cacert_os_group }}
+
+[Install]
+WantedBy=multi-user.target
+
diff --git a/deployment/roles/oidc_demo_application/templates/demoapp_config.toml.j2 b/deployment/roles/oidc_demo_application/templates/demoapp_config.toml.j2
new file mode 100644
index 0000000..919d550
--- /dev/null
+++ b/deployment/roles/oidc_demo_application/templates/demoapp_config.toml.j2
@@ -0,0 +1,19 @@
+[oidc]
+client-id = "{{ demoapp_client_id }}"
+client-secret = "{{ demoapp_client_secret }}"
+server = "https://{{ oidc_urls.hydra_public.host }}:{{ oidc_urls.hydra_public.port }}/"
+
+[server]
+name = "{{ oidc_urls.demoapp.host }}"
+address = "{{ oidc_urls.demoapp.address | default(ansible_default_ipv4.address) }}"
+port = {{ oidc_urls.demoapp.address | default("4000") }}
+certificate = "{{ demoapp_tls.cert }}"
+key = "{{ demoapp_tls.key }}"
+
+[session]
+auth-key = "{{ demoapp_auth_key | default(lookup('community.general.random_string', length=64, base64=true)) }}"
+enc-key = "{{ demoapp_enc_key | default(lookup('community.general.random_string', length=32, base64=true)) }}"
+path = "{{ demoapp_session_path | default('/var/cache/cacert/sessions') }}"
+
+[log]
+level = "trace"
diff --git a/deployment/roles/oidc_idp/handlers/main.yml b/deployment/roles/oidc_idp/handlers/main.yml
index 0901f0e..3eb34e2 100644
--- a/deployment/roles/oidc_idp/handlers/main.yml
+++ b/deployment/roles/oidc_idp/handlers/main.yml
@@ -1,7 +1,7 @@
 ---
 - name: idp_systemd_reload
 ansible.builtin.systemd:
- state: started
+ state: restarted
 name: cacert-idp
 daemon_reload: true
 enabled: true
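Review bot: The `[Service]` section runs the demo application as an unprivileged user but applies none of systemd's sandboxing, although the unit needs nothing outside `{{ cacert_home }}` and the session directory. Adding `NoNewPrivileges=true`, `PrivateTmp=true` and `ProtectSystem=full` after the `Group=` line limits what a compromised process can reach; `ProtectSystem=strict` would additionally require a `ReadWritePaths=` entry for the session path (`/var/cache/cacert/sessions` by default). The trailing empty line at the end of the template is harmless but unusual for a unit file.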
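Review bot: `port = {{ oidc_urls.demoapp.address | default("4000") }}` reads the `address` key where the port belongs; it only yields 4000 today because `oidc_urls.demoapp.address` is unset in `group_vars/all.yml`, and as soon as an address is configured the port value becomes an unquoted IP string and the TOML no longer parses. It should be `port = {{ oidc_urls.demoapp.port | default("4000") }}` (the `idp_config.toml.j2` context line `port = {{ oidc_urls.idp.address | default("3000") }}` has the same pre-existing mistake). Separately, `level = "trace"` is hard-coded here and in the `[log]` section added to `idp_config.toml.j2`; for an IdP and an OIDC client that may log request details, make it `level = "{{ demoapp_log_level | default('info') }}"` (and the idp equivalent) so only local runs opt into trace.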
diff --git a/deployment/roles/oidc_idp/tasks/main.yml b/deployment/roles/oidc_idp/tasks/main.yml index 202912c..fbb7d47 100644 --- a/deployment/roles/oidc_idp/tasks/main.yml +++ b/deployment/roles/oidc_idp/tasks/main.yml @@ -50,6 +50,8 @@ - name: Create IDP key and certificate ansible.builtin.command: cmd: "mkcert -cert-file {{ idp_cert_temp_dir.path }}/idp.pem -key-file {{ idp_cert_temp_dir.path }}/idp.key.pem {{ oidc_urls.idp.host }}" + environment: + CAROOT: "{{ mkcert_caroot | default(omit) }}" - name: Move IDP certificate and key to target ansible.builtin.copy: @@ -69,30 +71,9 @@ path: "{{ idp_cert_temp_dir.path }}" state: absent - when: use_mkcert and not idp_cert_st.stat.exists + when: not idp_cert_st.stat.exists become: false -- name: Copy IDP key and certificate from inventory - block: - - - name: Copy IDP certificate - ansible.builtin.copy: - dest: "{{ idp_tls.cert }}" - owner: root - group: "{{ cacert_os_group }}" - mode: '0644' - content: "{{ idp.server_certificate_data }}" - - - name: Copy IDP key - ansible.builtin.copy: - dest: "{{ idp_tls.key }}" - owner: root - group: "{{ cacert_os_group }}" - mode: '0640' - content: "{{ idp.server_key_data }}" - - when: not use_mkcert - - name: Copy client CA certificates ansible.builtin.copy: dest: "{{ idp_tls.client_cas }}" 
@@ -101,6 +82,28 @@ mode: '0640' content: "{{ idp.client_certificate_data }}" +- name: Check whether configuration file exists + ansible.builtin.stat: + path: "{{ cacert_home }}/etc/cacert-idp.toml" + register: idp_config_st + +- name: Get credentials from existing file + block: + + - name: fetch existing configuration file + ansible.builtin.fetch: + src: "{{ idp_config_st.stat.path }}" + dest: idp_config-from-vagrant.toml + flat: true + + - name: set credential facts + ansible.builtin.set_fact: + idp_csrf_key: "{{ lookup('ansible.builtin.ini', 'csrf.key', section='security', file='idp_config-from-vagrant.toml') | from_json }}" + idp_auth_key: "{{ lookup('ansible.builtin.ini', 'auth-key', section='session', file='idp_config-from-vagrant.toml') | from_json }}" + idp_enc_key: "{{ lookup('ansible.builtin.ini', 'enc-key', section='session', file='idp_config-from-vagrant.toml') | from_json }}" + + when: idp_config_st.stat.exists + - name: Create IDP configuration ansible.builtin.template: src: idp_config.toml.j2 diff --git a/deployment/roles/oidc_idp/templates/idp_config.toml.j2 b/deployment/roles/oidc_idp/templates/idp_config.toml.j2 index 0283eac..a5d2029 100644 --- a/deployment/roles/oidc_idp/templates/idp_config.toml.j2 +++ b/deployment/roles/oidc_idp/templates/idp_config.toml.j2 @@ -8,5 +8,12 @@ port = {{ oidc_urls.idp.address | default("3000") }} certificate = "{{ idp_tls.cert }}" key = "{{ idp_tls.key }}" +[session] +auth-key = "{{ idp_auth_key | default(lookup('community.general.random_string', length=64, base64=true)) }}" +enc-key = "{{ idp_enc_key | default(lookup('community.general.random_string', length=32, base64=true)) }}" + [admin] url = "https://{{ oidc_urls.hydra_admin.address | default("hydra.cacert.localhost") }}:{{ oidc_urls.hydra_admin.port | default("3000") }}" + +[log] +level = "trace" diff --git a/deployment/roles/prepare_devtools/tasks/main.yml b/deployment/roles/prepare_devtools/tasks/main.yml index b35e34f..530e861 100644 
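Review bot: The `set credential facts` task will fail on any host provisioned before this commit: the `[session]` section is only added to `idp_config.toml.j2` in this same change, so an existing `cacert-idp.toml` has no `auth-key`/`enc-key`, the `ansible.builtin.ini` lookup returns its empty default and `'' | from_json` raises instead of leaving the fact unset. Give the lookups a JSON-encoded empty default, e.g. `lookup('ansible.builtin.ini', 'auth-key', section='session', file='idp_config-from-vagrant.toml', default='""') | from_json`, and use `default(..., true)` in the template so an empty string is replaced by a freshly generated key. The demoapp role has the same shape but its configuration file did not exist before this commit, so it is not affected yet.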
--- a/deployment/roles/prepare_devtools/tasks/main.yml +++ b/deployment/roles/prepare_devtools/tasks/main.yml @@ -11,7 +11,8 @@ - name: Install mkcert CA ansible.builtin.command: cmd: "mkcert -install" + environment: + CAROOT: "{{ mkcert_caroot | default(omit) }}" changed_when: false - when: use_mkcert become: false diff --git a/oidc_idp b/oidc_idp index a5c583f..9aeca21 160000 --- a/oidc_idp +++ b/oidc_idp @@ -1 +1 @@ -Subproject commit a5c583f1f65cf5a09054ad7249c451551089cd0f +Subproject commit 9aeca21faa2db96ecd359e26eb4dc392d7c6bf1a