{"schema":"libjg2-1",
"vpath":"/git/",
"avatar":"/git/avatar/",
"alang":"",
"gen_ut":1753411949,
"reponame":"sai",
"desc":"Sai lightweight distributed CI",
"owner": { "name": "Andy Green", "email": "andy@warmcat.com", "md5": "c50933ca2aa61e0fe2c43d46bb6b59cb" },"url":"https://warmcat.com/repo/sai",
"f":3,
"items": [
{ "schema":"libjg2-1",
"oid":{ "oid": "47a53948a6c10f26062cc371cf045a89b5a9b6fe", "alias": []},"tree": [
{ "name": "README-auth.md","mode": "33188", "size":2204},
{ "name": "README-build-bsds.md","mode": "33188", "size":3343},
{ "name": "README-build-windows.md","mode": "33188", "size":2141},
{ "name": "README-gitolite-hook.md","mode": "33188", "size":1231},
{ "name": "README-platform-naming.md","mode": "33188", "size":4424},
{ "name": "README-resource-management.md","mode": "33188", "size":3339},
{ "name": "README-sai-jig.md","mode": "33188", "size":4013},
{ "name": "README-sai-json.md","mode": "33188", "size":2812},
{ "name": "README-systemd-nspawn.md","mode": "33188", "size":23804},
{ "name": "sai-build-test-flow.png","mode": "33188", "size":109316},
{ "name": "sai-embedded-test.png","mode": "33188", "size":104850},
{ "name": "sai-ov2.png","mode": "33188", "size":106610},
{ "name": "sai-overview.png","mode": "33188", "size":268612},
{ "name": "sai-resources.png","mode": "33188", "size":99164}],"s":{"c":1753411949,"u": 8683}}
,{"schema":"libjg2-1",
"cid":"8daa018427fa473959053160111fb6df",
"oid":{ "oid": "47a53948a6c10f26062cc371cf045a89b5a9b6fe", "alias": []},"blobname": "READMEs/README-auth.md", "blob": "# Sai web auth\n\n## Authorization Overview\n\nSai uses signed JWTs.\n\nThere's no UI at the moment for creating authorized users; everything except\nevent deletion and task restart works without authorization.\n\n## sai-server configuration for auth\n\nIn the `vhosts|ws-protocols|com-warmcat-sai` section of the config JSON, the\nfollowing entries define the authorization operation:\n\n```\n \u0022jwt-auth-alg\u0022: \u0022ES512\u0022,\n \u0022jwt-auth-jwk-path\u0022: \u0022/etc/sai/server/auth.jwk\u0022,\n \u0022jwt-iss\u0022: \u0022com.warmcat\u0022,\n \u0022jwt-aud\u0022: \u0022https://libwebsockets.org/sai\u0022,\n```\n\nThe `jwt-iss` and `jwt-aud` values go into generated JWTs and are checked\nfor a match when a JWT is received. They define the issuing authority and the\n\u0022audience\u0022, the recipient the JWT was created to be consumed by. The\naudience should be the globally unique site base URI.\n\n## Creating the server JWK\n\nIf you build lws with\n`-DLWS_WITH_GENCRYPTO\u003d1 -DLWS_WITH_JOSE\u003d1 -DLWS_WITH_MINIMAL_EXAMPLES\u003d1`\nit will create a set of JOSE utilities, including one for JWK key generation.\n\nUse this as below to create the server JWK used for signing and validation,\nfor the ES512 algorithm in our case:\n\n```\n$ ./bin/lws-crypto-jwk -t EC -b512 -vP-521 --alg ES512 | sudo tee /etc/sai/server/auth.jwk \u003e /dev/null\n```\n\n## Defining an authorized user\n\nSai-server creates a separate auth database and prepares the table schema in\nit on startup if it does not already exist, so simply running sai-server has\nalready done most of the work.\n\nTo create a user who can log in via a browser and see and use the UI for the\nadditional actions, you currently create the user by hand on the server:\n\n```\n# sqlite3 /home/srv/sai/sai-server-auth.sqlite3\nSQLite version 3.32.3 2020-06-18 14:00:33\nEnter \u0022.help\u0022 for usage hints.\nsqlite\u003e .schema\nCREATE TABLE auth (_lws_idx integer, name varchar, passphrase varchar, since integer primary key autoincrement, last_updated integer);\nCREATE TABLE sqlite_sequence(name,seq);\nsqlite\u003e insert into auth (_lws_idx, name, passphrase) values (0, \u0022your@email.com\u0022, \u0022somepassword\u0022);\n```\n\nAfterwards, it should be possible to log in from the web UI using the given\ncredentials and see the additional UI elements.\n","s":{"c":1753411949,"u": 95}}
],"g": 11015,"chitpc": 0,"ehitpc": 0,"indexed":0
,
"ab": 1, "si": 0, "db":0, "di":1, "sat":0, "lfc": "0000"}