Merge branch 'dev' into 'main'

Dev

See merge request oscar.krause/fastapi-dls!29

.gitlab-ci.yml

@@ -8,6 +8,9 @@ include:
 cache:
   key: one-key-to-rule-them-all
 
+variables:
+  DOCKER_BUILDX_PLATFORM: "linux/amd64,linux/arm64"
+
 build:docker:
   image: docker:dind
   interruptible: true
@@ -25,7 +28,7 @@ build:docker:
   script:
     - docker login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY
     - IMAGE=$CI_REGISTRY/$CI_PROJECT_PATH/$CI_COMMIT_REF_NAME:$CI_COMMIT_SHA
-    - docker buildx build --progress=plain --platform linux/amd64,linux/arm64 --build-arg VERSION=$CI_COMMIT_REF_NAME --build-arg COMMIT=$CI_COMMIT_SHA --tag $IMAGE --push .
+    - docker buildx build --progress=plain --platform $DOCKER_BUILDX_PLATFORM --build-arg VERSION=$CI_COMMIT_REF_NAME --build-arg COMMIT=$CI_COMMIT_SHA --tag $IMAGE --push .
     - docker buildx imagetools inspect $IMAGE
     - echo "CS_IMAGE=$IMAGE" > container_scanning.env
   artifacts:
@@ -190,7 +193,7 @@ test:debian:
 
 test:ubuntu:
   extends: .test:linux
-  image: ubuntu:22.10
+  image: ubuntu:23.04
 
 test:archlinux:
   image: archlinux:base
@@ -263,24 +266,24 @@ gemnasium-python-dependency_scanning:
 
 deploy:docker:
   extends: .deploy
+  image: docker:dind
   stage: deploy
+  tags: [ docker ]
   before_script:
     - echo "Building docker image for commit $CI_COMMIT_SHA with version $CI_COMMIT_REF_NAME"
+    - docker buildx inspect
+    - docker buildx create --use
   script:
     - echo "========== GitLab-Registry =========="
     - docker login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY
-    - IMAGE=$CI_REGISTRY/$CI_PROJECT_PATH/$CI_COMMIT_REF_NAME
-    - docker build . --build-arg VERSION=$CI_COMMIT_REF_NAME --build-arg COMMIT=$CI_COMMIT_SHA --tag $IMAGE:$CI_COMMIT_REF_NAME
-    - docker build . --build-arg VERSION=$CI_COMMIT_REF_NAME --build-arg COMMIT=$CI_COMMIT_SHA --tag $IMAGE:latest
-    - docker push $IMAGE:$CI_COMMIT_REF_NAME
-    - docker push $IMAGE:latest
+    - IMAGE=$CI_REGISTRY/$CI_PROJECT_PATH
+    - docker buildx build --progress=plain --platform $DOCKER_BUILDX_PLATFORM --build-arg VERSION=$CI_COMMIT_REF_NAME --build-arg COMMIT=$CI_COMMIT_SHA --tag $IMAGE:$CI_COMMIT_REF_NAME --push .
+    - docker buildx build --progress=plain --platform $DOCKER_BUILDX_PLATFORM --build-arg VERSION=$CI_COMMIT_REF_NAME --build-arg COMMIT=$CI_COMMIT_SHA --tag $IMAGE:latest --push .
     - echo "========== Docker-Hub =========="
     - docker login -u $PUBLIC_REGISTRY_USER -p $PUBLIC_REGISTRY_TOKEN
     - IMAGE=$PUBLIC_REGISTRY_USER/$CI_PROJECT_NAME
-    - docker build . --build-arg VERSION=$CI_COMMIT_REF_NAME --build-arg COMMIT=$CI_COMMIT_SHA --tag $IMAGE:$CI_COMMIT_REF_NAME
-    - docker build . --build-arg VERSION=$CI_COMMIT_REF_NAME --build-arg COMMIT=$CI_COMMIT_SHA --tag $IMAGE:latest
-    - docker push $IMAGE:$CI_COMMIT_REF_NAME
-    - docker push $IMAGE:latest
+    - docker buildx build --progress=plain --platform $DOCKER_BUILDX_PLATFORM --build-arg VERSION=$CI_COMMIT_REF_NAME --build-arg COMMIT=$CI_COMMIT_SHA --tag $IMAGE:$CI_COMMIT_REF_NAME --push .
+    - docker buildx build --progress=plain --platform $DOCKER_BUILDX_PLATFORM --build-arg VERSION=$CI_COMMIT_REF_NAME --build-arg COMMIT=$CI_COMMIT_SHA --tag $IMAGE:latest --push .
 
 deploy:apt:
   # doc: https://git.collinwebdesigns.de/help/user/packages/debian_repository/index.md#install-a-package
@@ -331,7 +334,6 @@ deploy:pacman:
       artifacts: true
   script:
     - source .PKGBUILD/PKGBUILD
-    - source version.env
     # fastapi-dls-1.0-1-any.pkg.tar.zst
     - BUILD_NAME=${pkgname}-${CI_COMMIT_REF_NAME}-${pkgrel}-any.pkg.tar.zst
     - PACKAGE_NAME=${pkgname}

Dockerfile

@@ -7,10 +7,10 @@ RUN echo -e "VERSION=$VERSION\nCOMMIT=$COMMIT" > /version.env
 COPY requirements.txt /tmp/requirements.txt
 
 RUN apk update \
- && apk add --no-cache --virtual build-deps gcc g++ python3-dev musl-dev \
- && apk add --no-cache curl postgresql postgresql-dev mariadb-connector-c-dev sqlite-dev \
+ && apk add --no-cache --virtual build-deps gcc g++ python3-dev musl-dev pkgconfig \
+ && apk add --no-cache curl postgresql postgresql-dev mariadb-dev sqlite-dev \
  && pip install --no-cache-dir --upgrade uvicorn \
- && pip install --no-cache-dir psycopg2==2.9.5 mysqlclient==2.1.1 pysqlite3==0.5.0 \
+ && pip install --no-cache-dir psycopg2==2.9.6 mysqlclient==2.2.0 pysqlite3==0.5.1 \
  && pip install --no-cache-dir -r /tmp/requirements.txt \
  && apk del build-deps
 

README.md

@@ -2,7 +2,7 @@
 
 Minimal Delegated License Service (DLS).
 
-Compatibility tested with official DLS 2.0.1.
+Compatibility tested with official NLS 2.0.1, 2.1.0, 3.1.0. For Driver compatibility see [here](#setup-client).
 
 This service can be used without internet connection.
 Only the clients need a connection to this service on configured port.
@@ -25,8 +25,9 @@ Only the clients need a connection to this service on configured port.
 
 - 256mb ram
 - 4gb hdd
+- *maybe IPv6 must be disabled*
 
-Tested with Ubuntu 22.10 (from Proxmox templates), actually its consuming 100mb ram and 750mb hdd.
+Tested with Ubuntu 22.10 (EOL!) (from Proxmox templates), actually its consuming 100mb ram and 750mb hdd.
 
 **Prepare your system**
 
@@ -34,12 +35,12 @@ Tested with Ubuntu 22.10 (from Proxmox templates), actually its consuming 100mb
 
 ## Docker
 
-Docker-Images are available here:
+Docker-Images are available here for Intel (x86), AMD (amd64) and ARM (arm64):
 
 - [Docker-Hub](https://hub.docker.com/repository/docker/collinwebdesigns/fastapi-dls): `collinwebdesigns/fastapi-dls:latest`
-- [GitLab-Registry](https://git.collinwebdesigns.de/oscar.krause/fastapi-dls/container_registry): `registry.git.collinwebdesigns.de/oscar.krause/fastapi-dls/main:latest`
+- [GitLab-Registry](https://git.collinwebdesigns.de/oscar.krause/fastapi-dls/container_registry): `registry.git.collinwebdesigns.de/oscar.krause/fastapi-dls:latest`
 
-The images include database drivers for `postgres`, `mysql`, `mariadb` and `sqlite`.
+The images include database drivers for `postgres`, `mariadb` and `sqlite`.
 
 **Run this on the Docker-Host**
 
@@ -65,7 +66,9 @@ docker run -e DLS_URL=`hostname -i` -e DLS_PORT=443 -p 443:443 -v $WORKING_DIR:/
 
 **Docker-Compose / Deploy stack**
 
-Goto [`docker-compose.yml`](docker-compose.yml) for more advanced example (with reverse proxy usage).
+See [`examples`](examples) directory for more advanced examples (with reverse proxy usage).
+
+> Adjust *REQUIRED* variables as needed
 
 ```yaml
 version: '3.9'
@@ -99,9 +102,10 @@ volumes:
   dls-db:
 ```
 
-## Debian/Ubuntu (manual method using `git clone` and python virtual environment)
+## Debian/Ubuntu/macOS (manual method using `git clone` and python virtual environment)
 
-Tested on `Debian 11 (bullseye)`, Ubuntu may also work.
+Tested on `Debian 11 (bullseye)` and `macOS Ventura (13.6)`, Ubuntu may also work. **Please note that setup on macOS
+differs from Debian based systems.**
 
 **Make sure you are logged in as root.**
 
@@ -152,6 +156,8 @@ su - www-data -c "/opt/fastapi-dls/venv/bin/uvicorn main:app --app-dir=/opt/fast
 
 **Create config file**
 
+> Adjust `DLS_URL` as needed (accessing from LAN won't work with 127.0.0.1)
+
 ```shell
 mkdir /etc/fastapi-dls
 cat <<EOF >/etc/fastapi-dls/env
@@ -254,10 +260,11 @@ su - ${SERVICE_USER} -c "${BASE_DIR}/venv/bin/uvicorn main:app --app-dir=${BASE_
 
 **Create config file**
 
+> Adjust `DLS_URL` as needed (accessing from LAN won't work with 127.0.0.1)
+
 ```shell
 BASE_DIR=/opt/fastapi-dls
 cat <<EOF >/etc/fastapi-dls/env
-# Adjust DSL_URL as needed (accessing from LAN won't work with 127.0.0.1)
 DLS_URL=127.0.0.1
 DLS_PORT=443
 LEASE_EXPIRE_DAYS=90
@@ -311,7 +318,8 @@ Packages are available here:
 Successful tested with:
 
 - Debian 12 (Bookworm)
-- Ubuntu 22.10 (Kinetic Kudu)
+- Ubuntu 22.10 (Kinetic Kudu) (EOL!)
+- Ubuntu 23.04 (Lunar)
 
 Not working with:
 
@@ -332,6 +340,7 @@ apt-get install -f --fix-missing
 ```
 
 Start with `systemctl start fastapi-dls.service` and enable autostart with `systemctl enable fastapi-dls.service`.
+Now you have to edit `/etc/fastapi-dls/env` as needed.
 
 ## ArchLinux (using `pacman`)
 
@@ -353,6 +362,7 @@ pacman -U --noconfirm fastapi-dls.pkg.tar.zst
 ```
 
 Start with `systemctl start fastapi-dls.service` and enable autostart with `systemctl enable fastapi-dls.service`.
+Now you have to edit `/etc/default/fastapi-dls` as needed.
 
 ## unRAID
 
@@ -415,8 +425,11 @@ client has 19.2 hours in which to re-establish connectivity before its license e
 
 Successfully tested with this package versions:
 
-| vGPU Suftware | vGPU Manager | Linux Driver | Windows Driver | Release Date  |
-|---------------|--------------|--------------|----------------|---------------|
+| vGPU Suftware | Linux vGPU Manager | Linux Driver | Windows Driver | Release Date  |
+|---------------|--------------------|--------------|----------------|---------------|
+| `16.1`        | `535.54.06`        | `535.54.03`  | `536.25`       | August 2023   |
+| `16.0`        | `535.104.06`       | `535.104.05` | `537.13`       | July 2023     |
+| `15.3`        | `525.125.03`       | `525.125.06` | `529.11`       | June 2023     |
 | `15.2`        | `525.105.14`       | `525.105.17` | `528.89`       | March 2023    |
 | `15.1`        | `525.85.07`        | `525.85.05`  | `528.24`       | January 2023  |
 | `15.0`        | `525.60.12`        | `525.60.13`  | `527.41`       | December 2022 |
@@ -502,6 +515,9 @@ Done. For more information check [troubleshoot section](#troubleshoot).
 
 # Endpoints
 
+<details>
+  <summary>show</summary>
+
 ### `GET /`
 
 Redirect to `/-/readme`.
@@ -553,11 +569,18 @@ Generate client token, (see [installation](#installation)).
 ### Others
 
 There are many other internal api endpoints for handling authentication and lease process.
+</details>
 
 # Troubleshoot
 
 **Please make sure that fastapi-dls and your guests are on the same timezone!**
 
+Maybe you have to disable IPv6 on the machine you are running FastAPI-DLS.
+
+## Docker
+
+Logs are available with `docker logs <container>`. To get the correct container-id use `docker container ls` or `docker ps`.
+
 ## Linux
 
 Logs are available with `journalctl -u nvidia-gridd -f`.
@@ -615,7 +638,7 @@ only
 gets a valid local license.
 
 <details>
-  <summary>Log</summary>
+  <summary>Log example</summary>
 
 **Display-Container-LS**
 
@@ -681,7 +704,7 @@ The error message can safely be ignored (since we have no license limitation :P)
 <0>:End Logging
 ```
 
-#### log with nginx as reverse proxy (see [docker-compose.yml](docker-compose.yml))
+#### log with nginx as reverse proxy (see [docker-compose-http-and-https.yml](examples/docker-compose-http-and-https.yml))
 
 ```
 <1>:NLS initialized

app/main.py

@@ -9,42 +9,48 @@ from dotenv import load_dotenv
 from fastapi import FastAPI
 from fastapi.requests import Request
 from json import loads as json_loads
-from datetime import datetime
+from datetime import datetime, timedelta
 from dateutil.relativedelta import relativedelta
 from calendar import timegm
-from jose import jws, jwt, JWTError
+from jose import jws, jwk, jwt, JWTError
 from jose.constants import ALGORITHMS
 from starlette.middleware.cors import CORSMiddleware
 from starlette.responses import StreamingResponse, JSONResponse as JSONr, HTMLResponse as HTMLr, Response, RedirectResponse
 from sqlalchemy import create_engine
 from sqlalchemy.orm import sessionmaker
 
-from orm import init as db_init, migrate, Site, Instance, Origin, Lease
+from util import load_key, load_file
+from orm import Origin, Lease, init as db_init, migrate
 
 load_dotenv('../version.env')
 
-# get local timezone
 TZ = datetime.now().astimezone().tzinfo
 
-# fetch version info
 VERSION, COMMIT, DEBUG = env('VERSION', 'unknown'), env('COMMIT', 'unknown'), bool(env('DEBUG', False))
 
-# fastapi setup
-config = dict(openapi_url='/-/openapi.json', docs_url=None, redoc_url=None)
+config = dict(openapi_url=None, docs_url=None, redoc_url=None)  # dict(openapi_url='/-/openapi.json', docs_url='/-/docs', redoc_url='/-/redoc')
 app = FastAPI(title='FastAPI-DLS', description='Minimal Delegated License Service (DLS).', version=VERSION, **config)
-
-# database setup
 db = create_engine(str(env('DATABASE', 'sqlite:///db.sqlite')))
 db_init(db), migrate(db)
 
-# DLS setup (static)
+# everything prefixed with "INSTANCE_*" is used as "SERVICE_INSTANCE_*" or "SI_*" in official dls service
 DLS_URL = str(env('DLS_URL', 'localhost'))
 DLS_PORT = int(env('DLS_PORT', '443'))
+SITE_KEY_XID = str(env('SITE_KEY_XID', '00000000-0000-0000-0000-000000000000'))
+INSTANCE_REF = str(env('INSTANCE_REF', '10000000-0000-0000-0000-000000000001'))
+ALLOTMENT_REF = str(env('ALLOTMENT_REF', '20000000-0000-0000-0000-000000000001'))
+INSTANCE_KEY_RSA = load_key(str(env('INSTANCE_KEY_RSA', join(dirname(__file__), 'cert/instance.private.pem'))))
+INSTANCE_KEY_PUB = load_key(str(env('INSTANCE_KEY_PUB', join(dirname(__file__), 'cert/instance.public.pem'))))
+TOKEN_EXPIRE_DELTA = relativedelta(days=int(env('TOKEN_EXPIRE_DAYS', 1)), hours=int(env('TOKEN_EXPIRE_HOURS', 0)))
+LEASE_EXPIRE_DELTA = relativedelta(days=int(env('LEASE_EXPIRE_DAYS', 90)), hours=int(env('LEASE_EXPIRE_HOURS', 0)))
+LEASE_RENEWAL_PERIOD = float(env('LEASE_RENEWAL_PERIOD', 0.15))
+LEASE_RENEWAL_DELTA = timedelta(days=int(env('LEASE_EXPIRE_DAYS', 90)), hours=int(env('LEASE_EXPIRE_HOURS', 0)))
+CLIENT_TOKEN_EXPIRE_DELTA = relativedelta(years=12)
 CORS_ORIGINS = str(env('CORS_ORIGINS', '')).split(',') if (env('CORS_ORIGINS')) else [f'https://{DLS_URL}']
 
-ALLOTMENT_REF = str(env('ALLOTMENT_REF', '20000000-0000-0000-0000-000000000001'))  # todo
+jwt_encode_key = jwk.construct(INSTANCE_KEY_RSA.export_key().decode('utf-8'), algorithm=ALGORITHMS.RS256)
+jwt_decode_key = jwk.construct(INSTANCE_KEY_PUB.export_key().decode('utf-8'), algorithm=ALGORITHMS.RS256)
 
-# fastapi middleware
 app.debug = DEBUG
 app.add_middleware(
     CORSMiddleware,
@@ -54,25 +60,12 @@ app.add_middleware(
     allow_headers=['*'],
 )
 
-# logging
 logging.basicConfig()
 logger = logging.getLogger(__name__)
 logger.setLevel(logging.DEBUG if DEBUG else logging.INFO)
 
 
-def validate_settings():
-    session = sessionmaker(bind=db)()
-
-    lease_expire_delta_min, lease_expire_delta_max = 86_400, 7_776_000
-    for instance in session.query(Instance).all():
-        lease_expire_delta = instance.lease_expire_delta
-        if lease_expire_delta < 86_400 or lease_expire_delta > 7_776_000:
-            logging.warning(f'> [ instance ]: {instance.instance_ref}: "lease_expire_delta" should be between {lease_expire_delta_min} and {lease_expire_delta_max}')
-
-    session.close()
-
-
-def __get_token(request: Request, jwt_decode_key: "jose.jwt") -> dict:
+def __get_token(request: Request) -> dict:
     authorization_header = request.headers.get('authorization')
     token = authorization_header.split(' ')[1]
     return jwt.decode(token=token, key=jwt_decode_key, algorithms=ALGORITHMS.RS256, options={'verify_aud': False})
@@ -95,20 +88,18 @@ async def _health():
 
 @app.get('/-/config', summary='* Config', description='returns environment variables.')
 async def _config():
-    default_site, default_instance = Site.get_default_site(db), Instance.get_default_instance(db)
-
     return JSONr({
         'VERSION': str(VERSION),
         'COMMIT': str(COMMIT),
         'DEBUG': str(DEBUG),
         'DLS_URL': str(DLS_URL),
         'DLS_PORT': str(DLS_PORT),
-        'SITE_KEY_XID': str(default_site.site_key),
-        'INSTANCE_REF': str(default_instance.instance_ref),
+        'SITE_KEY_XID': str(SITE_KEY_XID),
+        'INSTANCE_REF': str(INSTANCE_REF),
         'ALLOTMENT_REF': [str(ALLOTMENT_REF)],
-        'TOKEN_EXPIRE_DELTA': str(default_instance.get_token_expire_delta()),
-        'LEASE_EXPIRE_DELTA': str(default_instance.get_lease_expire_delta()),
-        'LEASE_RENEWAL_PERIOD': str(default_instance.lease_renewal_period),
+        'TOKEN_EXPIRE_DELTA': str(TOKEN_EXPIRE_DELTA),
+        'LEASE_EXPIRE_DELTA': str(LEASE_EXPIRE_DELTA),
+        'LEASE_RENEWAL_PERIOD': str(LEASE_RENEWAL_PERIOD),
         'CORS_ORIGINS': str(CORS_ORIGINS),
         'TZ': str(TZ),
     })
@@ -117,8 +108,6 @@ async def _config():
 @app.get('/-/readme', summary='* Readme')
 async def _readme():
     from markdown import markdown
-    from util import load_file
-
     content = load_file('../README.md').decode('utf-8')
     return HTMLr(markdown(text=content, extensions=['tables', 'fenced_code', 'md_in_html', 'nl2br', 'toc']))
 
@@ -168,7 +157,8 @@ async def _origins(request: Request, leases: bool = False):
     for origin in session.query(Origin).all():
         x = origin.serialize()
         if leases:
-            x['leases'] = list(map(lambda _: _.serialize(), Lease.find_by_origin_ref(db, origin.origin_ref)))
+            serialize = dict(renewal_period=LEASE_RENEWAL_PERIOD, renewal_delta=LEASE_RENEWAL_DELTA)
+            x['leases'] = list(map(lambda _: _.serialize(**serialize), Lease.find_by_origin_ref(db, origin.origin_ref)))
         response.append(x)
     session.close()
     return JSONr(response)
@@ -185,7 +175,8 @@ async def _leases(request: Request, origin: bool = False):
     session = sessionmaker(bind=db)()
     response = []
     for lease in session.query(Lease).all():
-        x = lease.serialize()
+        serialize = dict(renewal_period=LEASE_RENEWAL_PERIOD, renewal_delta=LEASE_RENEWAL_DELTA)
+        x = lease.serialize(**serialize)
         if origin:
             lease_origin = session.query(Origin).filter(Origin.origin_ref == lease.origin_ref).first()
             if lease_origin is not None:
@@ -212,13 +203,7 @@ async def _lease_delete(request: Request, lease_ref: str):
 @app.get('/-/client-token', summary='* Client-Token', description='creates a new messenger token for this service instance')
 async def _client_token():
     cur_time = datetime.utcnow()
-
-    default_instance = Instance.get_default_instance(db)
-    public_key = default_instance.get_public_key()
-    # todo: implemented request parameter to support different instances
-    jwt_encode_key = default_instance.get_jwt_encode_key()
-
-    exp_time = cur_time + default_instance.get_client_token_expire_delta()
+    exp_time = cur_time + CLIENT_TOKEN_EXPIRE_DELTA
 
     payload = {
         "jti": str(uuid4()),
@@ -231,7 +216,7 @@ async def _client_token():
         "scope_ref_list": [ALLOTMENT_REF],
         "fulfillment_class_ref_list": [],
         "service_instance_configuration": {
-            "nls_service_instance_ref": default_instance.instance_ref,
+            "nls_service_instance_ref": INSTANCE_REF,
             "svc_port_set_list": [
                 {
                     "idx": 0,
@@ -243,10 +228,10 @@ async def _client_token():
         },
         "service_instance_public_key_configuration": {
             "service_instance_public_key_me": {
-                "mod": hex(public_key.public_key().n)[2:],
-                "exp": int(public_key.public_key().e),
+                "mod": hex(INSTANCE_KEY_PUB.public_key().n)[2:],
+                "exp": int(INSTANCE_KEY_PUB.public_key().e),
             },
-            "service_instance_public_key_pem": public_key.export_key().decode('utf-8'),
+            "service_instance_public_key_pem": INSTANCE_KEY_PUB.export_key().decode('utf-8'),
             "key_retention_mode": "LATEST_ONLY"
         },
     }
@@ -328,16 +313,13 @@ async def auth_v1_code(request: Request):
     delta = relativedelta(minutes=15)
     expires = cur_time + delta
 
-    default_site = Site.get_default_site(db)
-    jwt_encode_key = Instance.get_default_instance(db).get_jwt_encode_key()
-
     payload = {
         'iat': timegm(cur_time.timetuple()),
         'exp': timegm(expires.timetuple()),
         'challenge': j.get('code_challenge'),
         'origin_ref': j.get('origin_ref'),
-        'key_ref': default_site.site_key,
-        'kid': default_site.site_key,
+        'key_ref': SITE_KEY_XID,
+        'kid': SITE_KEY_XID
     }
 
     auth_code = jws.sign(payload, key=jwt_encode_key, headers={'kid': payload.get('kid')}, algorithm=ALGORITHMS.RS256)
@@ -357,11 +339,8 @@ async def auth_v1_code(request: Request):
 async def auth_v1_token(request: Request):
     j, cur_time = json_loads((await request.body()).decode('utf-8')), datetime.utcnow()
 
-    default_site, default_instance = Site.get_default_site(db), Instance.get_default_instance(db)
-    jwt_encode_key, jwt_decode_key = default_instance.get_jwt_encode_key(), default_instance.get_jwt_decode_key()
-
     try:
-        payload = jwt.decode(token=j.get('auth_code'), key=jwt_decode_key, algorithms=[ALGORITHMS.RS256])
+        payload = jwt.decode(token=j.get('auth_code'), key=jwt_decode_key)
     except JWTError as e:
         return JSONr(status_code=400, content={'status': 400, 'title': 'invalid token', 'detail': str(e)})
 
@@ -373,7 +352,7 @@ async def auth_v1_token(request: Request):
     if payload.get('challenge') != challenge:
         return JSONr(status_code=401, content={'status': 401, 'detail': 'expected challenge did not match verifier'})
 
-    access_expires_on = cur_time + default_instance.get_token_expire_delta()
+    access_expires_on = cur_time + TOKEN_EXPIRE_DELTA
 
     new_payload = {
         'iat': timegm(cur_time.timetuple()),
@@ -382,8 +361,8 @@ async def auth_v1_token(request: Request):
         'aud': 'https://cls.nvidia.org',
         'exp': timegm(access_expires_on.timetuple()),
         'origin_ref': origin_ref,
-        'key_ref': default_site.site_key,
-        'kid': default_site.site_key,
+        'key_ref': SITE_KEY_XID,
+        'kid': SITE_KEY_XID,
     }
 
     auth_token = jwt.encode(new_payload, key=jwt_encode_key, headers={'kid': payload.get('kid')}, algorithm=ALGORITHMS.RS256)
@@ -400,13 +379,10 @@ async def auth_v1_token(request: Request):
 # venv/lib/python3.9/site-packages/nls_services_lease/test/test_lease_multi_controller.py
 @app.post('/leasing/v1/lessor', description='request multiple leases (borrow) for current origin')
 async def leasing_v1_lessor(request: Request):
-    j, cur_time = json_loads((await request.body()).decode('utf-8')), datetime.utcnow()
-
-    default_instance = Instance.get_default_instance(db)
-    jwt_decode_key = default_instance.get_jwt_decode_key()
+    j, token, cur_time = json_loads((await request.body()).decode('utf-8')), __get_token(request), datetime.utcnow()
 
     try:
-        token = __get_token(request, jwt_decode_key)
+        token = __get_token(request)
     except JWTError:
         return JSONr(status_code=401, content={'status': 401, 'detail': 'token is not valid'})
 
@@ -420,7 +396,7 @@ async def leasing_v1_lessor(request: Request):
         #     return JSONr(status_code=500, detail=f'no service instances found for scopes: ["{scope_ref}"]')
 
         lease_ref = str(uuid4())
-        expires = cur_time + default_instance.get_lease_expire_delta()
+        expires = cur_time + LEASE_EXPIRE_DELTA
         lease_result_list.append({
             "ordinal": 0,
             # https://docs.nvidia.com/license-system/latest/nvidia-license-system-user-guide/index.html
@@ -428,13 +404,13 @@ async def leasing_v1_lessor(request: Request):
                 "ref": lease_ref,
                 "created": cur_time.isoformat(),
                 "expires": expires.isoformat(),
-                "recommended_lease_renewal": default_instance.lease_renewal_period,
+                "recommended_lease_renewal": LEASE_RENEWAL_PERIOD,
                 "offline_lease": "true",
                 "license_type": "CONCURRENT_COUNTED_SINGLE"
             }
         })
 
-        data = Lease(instance_ref=default_instance.instance_ref, origin_ref=origin_ref, lease_ref=lease_ref, lease_created=cur_time, lease_expires=expires)
+        data = Lease(origin_ref=origin_ref, lease_ref=lease_ref, lease_created=cur_time, lease_expires=expires)
         Lease.create_or_update(db, data)
 
     response = {
@@ -451,14 +427,7 @@ async def leasing_v1_lessor(request: Request):
 # venv/lib/python3.9/site-packages/nls_dal_service_instance_dls/schema/service_instance/V1_0_21__product_mapping.sql
 @app.get('/leasing/v1/lessor/leases', description='get active leases for current origin')
 async def leasing_v1_lessor_lease(request: Request):
-    cur_time = datetime.utcnow()
-
-    jwt_decode_key = Instance.get_default_instance(db).get_jwt_decode_key()
-
-    try:
-        token = __get_token(request, jwt_decode_key)
-    except JWTError:
-        return JSONr(status_code=401, content={'status': 401, 'detail': 'token is not valid'})
+    token, cur_time = __get_token(request), datetime.utcnow()
 
     origin_ref = token.get('origin_ref')
 
@@ -478,15 +447,7 @@ async def leasing_v1_lessor_lease(request: Request):
 # venv/lib/python3.9/site-packages/nls_core_lease/lease_single.py
 @app.put('/leasing/v1/lease/{lease_ref}', description='renew a lease')
 async def leasing_v1_lease_renew(request: Request, lease_ref: str):
-    cur_time = datetime.utcnow()
-
-    default_instance = Instance.get_default_instance(db)
-    jwt_decode_key = default_instance.get_jwt_decode_key()
-
-    try:
-        token = __get_token(request, jwt_decode_key)
-    except JWTError:
-        return JSONr(status_code=401, content={'status': 401, 'detail': 'token is not valid'})
+    token, cur_time = __get_token(request), datetime.utcnow()
 
     origin_ref = token.get('origin_ref')
     logging.info(f'> [  renew   ]: {origin_ref}: renew {lease_ref}')
@@ -495,11 +456,11 @@ async def leasing_v1_lease_renew(request: Request, lease_ref: str):
     if entity is None:
         return JSONr(status_code=404, content={'status': 404, 'detail': 'requested lease not available'})
 
-    expires = cur_time + default_instance.get_lease_expire_delta()
+    expires = cur_time + LEASE_EXPIRE_DELTA
     response = {
         "lease_ref": lease_ref,
         "expires": expires.isoformat(),
-        "recommended_lease_renewal": default_instance.lease_renewal_period,
+        "recommended_lease_renewal": LEASE_RENEWAL_PERIOD,
         "offline_lease": True,
         "prompts": None,
         "sync_timestamp": cur_time.isoformat(),
@@ -513,14 +474,7 @@ async def leasing_v1_lease_renew(request: Request, lease_ref: str):
 # venv/lib/python3.9/site-packages/nls_services_lease/test/test_lease_single_controller.py
 @app.delete('/leasing/v1/lease/{lease_ref}', description='release (return) a lease')
 async def leasing_v1_lease_delete(request: Request, lease_ref: str):
-    cur_time = datetime.utcnow()
-
-    jwt_decode_key = Instance.get_default_instance(db).get_jwt_decode_key()
-
-    try:
-        token = __get_token(request, jwt_decode_key)
-    except JWTError:
-        return JSONr(status_code=401, content={'status': 401, 'detail': 'token is not valid'})
+    token, cur_time = __get_token(request), datetime.utcnow()
 
     origin_ref = token.get('origin_ref')
     logging.info(f'> [  return  ]: {origin_ref}: return {lease_ref}')
@@ -546,14 +500,7 @@ async def leasing_v1_lease_delete(request: Request, lease_ref: str):
 # venv/lib/python3.9/site-packages/nls_services_lease/test/test_lease_multi_controller.py
 @app.delete('/leasing/v1/lessor/leases', description='release all leases')
 async def leasing_v1_lessor_lease_remove(request: Request):
-    cur_time = datetime.utcnow()
-
-    jwt_decode_key = Instance.get_default_instance(db).get_jwt_decode_key()
-
-    try:
-        token = __get_token(request, jwt_decode_key)
-    except JWTError:
-        return JSONr(status_code=401, content={'status': 401, 'detail': 'token is not valid'})
+    token, cur_time = __get_token(request), datetime.utcnow()
 
     origin_ref = token.get('origin_ref')
 
@@ -575,8 +522,6 @@ async def leasing_v1_lessor_lease_remove(request: Request):
 async def leasing_v1_lessor_shutdown(request: Request):
     j, cur_time = json_loads((await request.body()).decode('utf-8')), datetime.utcnow()
 
-    jwt_decode_key = Instance.get_default_instance(db).get_jwt_decode_key()
-
     token = j.get('token')
     token = jwt.decode(token=token, key=jwt_decode_key, algorithms=ALGORITHMS.RS256, options={'verify_aud': False})
     origin_ref = token.get('origin_ref')
@@ -597,23 +542,15 @@ async def leasing_v1_lessor_shutdown(request: Request):
 
 @app.on_event('startup')
 async def app_on_startup():
-    default_instance = Instance.get_default_instance(db)
-
-    lease_renewal_period = default_instance.lease_renewal_period
-    lease_renewal_delta = default_instance.get_lease_renewal_delta()
-    client_token_expire_delta = default_instance.get_client_token_expire_delta()
-
     logger.info(f'''
     Using timezone: {str(TZ)}. Make sure this is correct and match your clients!
     
-    Your clients will renew their license every {str(Lease.calculate_renewal(lease_renewal_period, lease_renewal_delta))}.
-    If the renewal fails, the license is valid for {str(lease_renewal_delta)}.
+    Your clients renew their license every {str(Lease.calculate_renewal(LEASE_RENEWAL_PERIOD, LEASE_RENEWAL_DELTA))}.
+    If the renewal fails, the license is {str(LEASE_RENEWAL_DELTA)} valid.
     
-    Your client-token file (.tok) is valid for {str(client_token_expire_delta)}.
+    Your client-token file (.tok) is valid for {str(CLIENT_TOKEN_EXPIRE_DELTA)}.
     ''')
 
-    validate_settings()
-
 
 if __name__ == '__main__':
     import uvicorn

app/orm.py

@@ -1,143 +1,18 @@
-import logging
 from datetime import datetime, timedelta
 from dateutil.relativedelta import relativedelta
-from sqlalchemy import Column, VARCHAR, CHAR, ForeignKey, DATETIME, update, and_, inspect, text, BLOB, INT, FLOAT
+
+from sqlalchemy import Column, VARCHAR, CHAR, ForeignKey, DATETIME, update, and_, inspect, text
 from sqlalchemy.engine import Engine
-from sqlalchemy.orm import sessionmaker, declarative_base, Session, relationship
-
-from app.util import parse_key
-
-logging.basicConfig()
-logger = logging.getLogger(__name__)
-logger.setLevel(logging.INFO)
+from sqlalchemy.orm import sessionmaker, declarative_base
 
 Base = declarative_base()
 
 
-class Site(Base):
-    __tablename__ = "site"
-
-    INITIAL_SITE_KEY_XID = '00000000-0000-0000-0000-000000000000'
-    INITIAL_SITE_NAME = 'default'
-
-    site_key = Column(CHAR(length=36), primary_key=True, unique=True, index=True)  # uuid4, SITE_KEY_XID
-    name = Column(VARCHAR(length=256), nullable=False)
-
-    def __str__(self):
-        return f'SITE_KEY_XID: {self.site_key}'
-
-    @staticmethod
-    def create_statement(engine: Engine):
-        from sqlalchemy.schema import CreateTable
-        return CreateTable(Site.__table__).compile(engine)
-
-    @staticmethod
-    def get_default_site(engine: Engine) -> "Site":
-        session = sessionmaker(bind=engine)()
-        entity = session.query(Site).filter(Site.site_key == Site.INITIAL_SITE_KEY_XID).first()
-        session.close()
-        return entity
-
-
-class Instance(Base):
-    __tablename__ = "instance"
-
-    DEFAULT_INSTANCE_REF = '10000000-0000-0000-0000-000000000001'
-    DEFAULT_TOKEN_EXPIRE_DELTA = 86_400  # 1 day
-    DEFAULT_LEASE_EXPIRE_DELTA = 7_776_000  # 90 days
-    DEFAULT_LEASE_RENEWAL_PERIOD = 0.15
-    DEFAULT_CLIENT_TOKEN_EXPIRE_DELTA = 378_432_000  # 12 years
-    # 1 day = 86400 (min. in production setup, max 90 days), 1 hour = 3600
-
-    instance_ref = Column(CHAR(length=36), primary_key=True, unique=True, index=True)  # uuid4, INSTANCE_REF
-    site_key = Column(CHAR(length=36), ForeignKey(Site.site_key, ondelete='CASCADE'), nullable=False, index=True)  # uuid4
-    private_key = Column(BLOB(length=2048), nullable=False)
-    public_key = Column(BLOB(length=512), nullable=False)
-    token_expire_delta = Column(INT(), nullable=False, default=DEFAULT_TOKEN_EXPIRE_DELTA, comment='in seconds')
-    lease_expire_delta = Column(INT(), nullable=False, default=DEFAULT_LEASE_EXPIRE_DELTA, comment='in seconds')
-    lease_renewal_period = Column(FLOAT(precision=2), nullable=False, default=DEFAULT_LEASE_RENEWAL_PERIOD)
-    client_token_expire_delta = Column(INT(), nullable=False, default=DEFAULT_CLIENT_TOKEN_EXPIRE_DELTA, comment='in seconds')
-
-    __origin = relationship(Site, foreign_keys=[site_key])
-
-    def __str__(self):
-        return f'INSTANCE_REF: {self.instance_ref} (SITE_KEY_XID: {self.site_key})'
-
-    @staticmethod
-    def create_statement(engine: Engine):
-        from sqlalchemy.schema import CreateTable
-        return CreateTable(Instance.__table__).compile(engine)
-
-    @staticmethod
-    def create_or_update(engine: Engine, instance: "Instance"):
-        session = sessionmaker(bind=engine)()
-        entity = session.query(Instance).filter(Instance.instance_ref == instance.instance_ref).first()
-        if entity is None:
-            session.add(instance)
-        else:
-            x = dict(
-                site_key=instance.site_key,
-                private_key=instance.private_key,
-                public_key=instance.public_key,
-                token_expire_delta=instance.token_expire_delta,
-                lease_expire_delta=instance.lease_expire_delta,
-                lease_renewal_period=instance.lease_renewal_period,
-                client_token_expire_delta=instance.client_token_expire_delta,
-            )
-            session.execute(update(Instance).where(Instance.instance_ref == instance.instance_ref).values(**x))
-        session.commit()
-        session.flush()
-        session.close()
-
-    # todo: validate on startup that "lease_expire_delta" is between 1 day and 90 days
-
-    @staticmethod
-    def get_default_instance(engine: Engine) -> "Instance":
-        session = sessionmaker(bind=engine)()
-        site = Site.get_default_site(engine)
-        entity = session.query(Instance).filter(Instance.site_key == site.site_key).first()
-        session.close()
-        return entity
-
-    def get_token_expire_delta(self) -> "dateutil.relativedelta.relativedelta":
-        return relativedelta(seconds=self.token_expire_delta)
-
-    def get_lease_expire_delta(self) -> "dateutil.relativedelta.relativedelta":
-        return relativedelta(seconds=self.lease_expire_delta)
-
-    def get_lease_renewal_delta(self) -> "datetime.timedelta":
-        return timedelta(seconds=self.lease_expire_delta)
-
-    def get_client_token_expire_delta(self) -> "dateutil.relativedelta.relativedelta":
-        return relativedelta(seconds=self.client_token_expire_delta)
-
-    def __get_private_key(self) -> "RsaKey":
-        return parse_key(self.private_key)
-
-    def get_public_key(self) -> "RsaKey":
-        return parse_key(self.public_key)
-
-    def get_jwt_encode_key(self) -> "jose.jkw":
-        from jose import jwk
-        from jose.constants import ALGORITHMS
-        return jwk.construct(self.__get_private_key().export_key().decode('utf-8'), algorithm=ALGORITHMS.RS256)
-
-    def get_jwt_decode_key(self) -> "jose.jwt":
-        from jose import jwk
-        from jose.constants import ALGORITHMS
-        return jwk.construct(self.get_public_key().export_key().decode('utf-8'), algorithm=ALGORITHMS.RS256)
-
-    def get_private_key_str(self, encoding: str = 'utf-8') -> str:
-        return self.private_key.decode(encoding)
-
-    def get_public_key_str(self, encoding: str = 'utf-8') -> str:
-        return self.private_key.decode(encoding)
-
-
 class Origin(Base):
     __tablename__ = "origin"
 
     origin_ref = Column(CHAR(length=36), primary_key=True, unique=True, index=True)  # uuid4
+
     # service_instance_xid = Column(CHAR(length=36), nullable=False, index=True)  # uuid4 # not necessary, we only support one service_instance_xid ('INSTANCE_REF')
     hostname = Column(VARCHAR(length=256), nullable=True)
     guest_driver_version = Column(VARCHAR(length=10), nullable=True)
@@ -195,24 +70,18 @@ class Origin(Base):
 class Lease(Base):
     __tablename__ = "lease"
 
-    instance_ref = Column(CHAR(length=36), ForeignKey(Instance.instance_ref, ondelete='CASCADE'), nullable=False, index=True)  # uuid4
     lease_ref = Column(CHAR(length=36), primary_key=True, nullable=False, index=True)  # uuid4
+
     origin_ref = Column(CHAR(length=36), ForeignKey(Origin.origin_ref, ondelete='CASCADE'), nullable=False, index=True)  # uuid4
     # scope_ref = Column(CHAR(length=36), nullable=False, index=True)  # uuid4 # not necessary, we only support one scope_ref ('ALLOTMENT_REF')
     lease_created = Column(DATETIME(), nullable=False)
     lease_expires = Column(DATETIME(), nullable=False)
     lease_updated = Column(DATETIME(), nullable=False)
 
-    __instance = relationship(Instance, foreign_keys=[instance_ref])
-    __origin = relationship(Origin, foreign_keys=[origin_ref])
-
     def __repr__(self):
         return f'Lease(origin_ref={self.origin_ref}, lease_ref={self.lease_ref}, expires={self.lease_expires})'
 
-    def serialize(self) -> dict:
-        renewal_period = self.__instance.lease_renewal_period
-        renewal_delta = self.__instance.get_lease_renewal_delta
-
+    def serialize(self, renewal_period: float, renewal_delta: timedelta) -> dict:
         lease_renewal = int(Lease.calculate_renewal(renewal_period, renewal_delta).total_seconds())
         lease_renewal = self.lease_updated + relativedelta(seconds=lease_renewal)
 
@@ -322,104 +191,38 @@ class Lease(Base):
         return renew
 
 
-def init_default_site(session: Session):
-    from uuid import uuid4
-    from app.util import generate_key
-
-    private_key = generate_key()
-    public_key = private_key.public_key()
-
-    site = Site(
-        site_key=Site.INITIAL_SITE_KEY_XID,
-        name=Site.INITIAL_SITE_NAME
-    )
-    session.add(site)
-    session.commit()
-
-    instance = Instance(
-        instance_ref=Instance.DEFAULT_INSTANCE_REF,
-        site_key=site.site_key,
-        private_key=private_key.export_key(),
-        public_key=public_key.export_key(),
-    )
-    session.add(instance)
-    session.commit()
-
-
 def init(engine: Engine):
-    tables = [Site, Instance, Origin, Lease]
+    tables = [Origin, Lease]
     db = inspect(engine)
     session = sessionmaker(bind=engine)()
     for table in tables:
-        exists = db.dialect.has_table(engine.connect(), table.__tablename__)
-        logger.info(f'> Table "{table.__tablename__:<16}" exists: {exists}')
-        if not exists:
+        if not db.dialect.has_table(engine.connect(), table.__tablename__):
             session.execute(text(str(table.create_statement(engine))))
             session.commit()
-
-    # create default site
-    cnt = session.query(Site).count()
-    if cnt == 0:
-        init_default_site(session)
-
-    session.flush()
     session.close()
 
 
 def migrate(engine: Engine):
-    from os import getenv as env
-    from os.path import join, dirname, isfile
-    from util import load_key
-
     db = inspect(engine)
 
-    # todo: add update guide to use 1.LATEST to 2.0
-    def upgrade_1_x_to_2_0():
-        site = Site.get_default_site(engine)
-        logger.info(site)
-        instance = Instance.get_default_instance(engine)
-        logger.info(instance)
+    def upgrade_1_0_to_1_1():
+        x = db.dialect.get_columns(engine.connect(), Lease.__tablename__)
+        x = next(_ for _ in x if _['name'] == 'origin_ref')
+        if x['primary_key'] > 0:
+            print('Found old database schema with "origin_ref" as primary-key in "lease" table. Dropping table!')
+            print('  Your leases are recreated on next renewal!')
+            print('  If an error message appears on the client, you can ignore it.')
+            Lease.__table__.drop(bind=engine)
+            init(engine)
 
-        # SITE_KEY_XID
-        if site_key := env('SITE_KEY_XID', None) is not None:
-            site.site_key = str(site_key)
+    # def upgrade_1_2_to_1_3():
+    #    x = db.dialect.get_columns(engine.connect(), Lease.__tablename__)
+    #    x = next((_ for _ in x if _['name'] == 'scope_ref'), None)
+    #    if x is None:
+    #        Lease.scope_ref.compile()
+    #        column_name = Lease.scope_ref.name
+    #        column_type = Lease.scope_ref.type.compile(engine.dialect)
+    #        engine.execute(f'ALTER TABLE "{Lease.__tablename__}" ADD COLUMN "{column_name}" {column_type}')
 
-        # INSTANCE_REF
-        if instance_ref := env('INSTANCE_REF', None) is not None:
-            instance.instance_ref = str(instance_ref)
-
-        # ALLOTMENT_REF
-        if allotment_ref := env('ALLOTMENT_REF', None) is not None:
-            pass  # todo
-
-        # INSTANCE_KEY_RSA, INSTANCE_KEY_PUB
-        default_instance_private_key_path = str(join(dirname(__file__), 'cert/instance.private.pem'))
-        if instance_private_key := env('INSTANCE_KEY_RSA', None) is not None:
-            instance.private_key = load_key(str(instance_private_key))
-        elif isfile(default_instance_private_key_path):
-            instance.private_key = load_key(default_instance_private_key_path)
-        default_instance_public_key_path = str(join(dirname(__file__), 'cert/instance.public.pem'))
-        if instance_public_key := env('INSTANCE_KEY_PUB', None) is not None:
-            instance.public_key = load_key(str(instance_public_key))
-        elif isfile(default_instance_public_key_path):
-            instance.public_key = load_key(default_instance_public_key_path)
-
-        # TOKEN_EXPIRE_DELTA
-        if token_expire_delta := env('TOKEN_EXPIRE_DAYS', None) not in (None, 0):
-            instance.token_expire_delta = token_expire_delta * 86_400
-        if token_expire_delta := env('TOKEN_EXPIRE_HOURS', None) not in (None, 0):
-            instance.token_expire_delta = token_expire_delta * 3_600
-
-        # LEASE_EXPIRE_DELTA, LEASE_RENEWAL_DELTA
-        if lease_expire_delta := env('LEASE_EXPIRE_DAYS', None) not in (None, 0):
-            instance.lease_expire_delta = lease_expire_delta * 86_400
-        if lease_expire_delta := env('LEASE_EXPIRE_HOURS', None) not in (None, 0):
-            instance.lease_expire_delta = lease_expire_delta * 3_600
-
-        # LEASE_RENEWAL_PERIOD
-        if lease_renewal_period := env('LEASE_RENEWAL_PERIOD', None) is not None:
-            instance.lease_renewal_period = lease_renewal_period
-
-        # todo: update site, instance
-
-    upgrade_1_x_to_2_0()
+    upgrade_1_0_to_1_1()
+    # upgrade_1_2_to_1_3()

app/util.py

@@ -16,18 +16,6 @@ def load_key(filename) -> "RsaKey":
     return RSA.import_key(extern_key=load_file(filename), passphrase=None)
 
 
-def parse_key(content: bytes) -> "RsaKey":
-    try:
-        # Crypto | Cryptodome on Debian
-        from Crypto.PublicKey import RSA
-        from Crypto.PublicKey.RSA import RsaKey
-    except ModuleNotFoundError:
-        from Cryptodome.PublicKey import RSA
-        from Cryptodome.PublicKey.RSA import RsaKey
-
-    return RSA.import_key(extern_key=content, passphrase=None)
-
-
 def generate_key() -> "RsaKey":
     try:
         # Crypto | Cryptodome on Debian

docker-compose.yml

@@ -1,9 +1,10 @@
 version: '3.9'
 
 x-dls-variables: &dls-variables
+  TZ: Europe/Berlin # REQUIRED, set your timezone correctly on fastapi-dls AND YOUR CLIENTS !!!
   DLS_URL: localhost # REQUIRED, change to your ip or hostname
-  DLS_PORT: 443  # must match nginx listen & exposed port
-  LEASE_EXPIRE_DAYS: 90
+  DLS_PORT: 443
+  LEASE_EXPIRE_DAYS: 90  # 90 days is maximum
   DATABASE: sqlite:////app/database/db.sqlite
   DEBUG: false
 
@@ -13,108 +14,16 @@ services:
     restart: always
     environment:
       <<: *dls-variables
-    volumes:
-      - /etc/timezone:/etc/timezone:ro
-      - /opt/docker/fastapi-dls/cert:/app/cert  # instance.private.pem, instance.public.pem
-      - db:/app/database
-    entrypoint: ["uvicorn", "main:app", "--host", "0.0.0.0", "--port", "8000", "--app-dir", "/app", "--proxy-headers"]
-    healthcheck:
-      test: ["CMD", "curl", "--fail", "http://localhost:8000/-/health"]
-      interval: 10s
-      timeout: 5s
-      retries: 3
-      start_period: 30s
-  proxy:
-    image: nginx
     ports:
-      # thees are ports where nginx (!) is listen to
-      - "80:80"  # for "/leasing/v1/lessor/shutdown" used by windows guests, can't be changed!
-      - "443:443"  # first part must match "DLS_PORT"
+      - "443:443"
     volumes:
-      - /etc/timezone:/etc/timezone:ro
-      - /opt/docker/fastapi-dls/cert:/opt/cert
-    healthcheck:
-      test: ["CMD", "curl", "--insecure", "--fail", "https://localhost/-/health"]
-      interval: 10s
-      timeout: 5s
-      retries: 3
-      start_period: 30s
-    command: |
-      bash -c "bash -s <<\"EOF\"
-      cat > /etc/nginx/nginx.conf <<\"EON\"
-      daemon off;
-      user root;
-      worker_processes auto;
-      
-      events {
-        worker_connections 1024;
-      }
-      
-      http {
-        gzip on;
-        gzip_disable "msie6";
-        include /etc/nginx/mime.types;
-      
-        upstream dls-backend {
-          server dls:8000;  # must match dls listen port
-        }
-      
-        server {
-          listen 443 ssl http2 default_server;
-          listen [::]:443 ssl http2 default_server;
-      
-          root /var/www/html;
-          index index.html;
-          server_name _;
-      
-          ssl_certificate "/opt/cert/webserver.crt";
-          ssl_certificate_key "/opt/cert/webserver.key";
-          ssl_session_cache shared:SSL:1m;
-          ssl_session_timeout  10m;
-          ssl_protocols TLSv1.3 TLSv1.2;
-          # ssl_ciphers "ECDHE-ECDSA-CHACHA20-POLY1305";
-          # ssl_ciphers PROFILE=SYSTEM;
-          ssl_prefer_server_ciphers on;
-      
-          location / {
-            proxy_set_header Host $$http_host;
-            proxy_set_header X-Real-IP $$remote_addr;
-            proxy_set_header X-Forwarded-For $$proxy_add_x_forwarded_for;
-            proxy_set_header X-Forwarded-Proto $$scheme;
-            proxy_pass http://dls-backend$$request_uri;
-          }
-      
-          location = /-/health {
-            access_log off;
-            add_header 'Content-Type' 'application/json';
-            return 200 '{\"status\":\"up\",\"service\":\"nginx\"}';
-          }
-        }
-      
-        server {
-          listen 80;
-          listen [::]:80;
-      
-          root /var/www/html;
-          index index.html;
-          server_name _;
-      
-          location /leasing/v1/lessor/shutdown {
-            proxy_set_header Host $$http_host;
-            proxy_set_header X-Real-IP $$remote_addr;
-            proxy_set_header X-Forwarded-For $$proxy_add_x_forwarded_for;
-            proxy_set_header X-Forwarded-Proto $$scheme;
-            proxy_pass http://dls-backend/leasing/v1/lessor/shutdown;
-          }
-      
-          location / {
-            return 301 https://$$host$$request_uri;
-          }
-        }
-      }
-      EON
-      nginx
-      EOF"
+      - /opt/docker/fastapi-dls/cert:/app/cert
+      - dls-db:/app/database
+    logging: # optional, for those who do not need logs
+      driver: "json-file"
+      options:
+        max-file: 5
+        max-size: 10m
 
 volumes:
-  db:
+  dls-db:

examples/docker-compose-http-and-https.yml

@@ -0,0 +1,120 @@
+version: '3.9'
+
+x-dls-variables: &dls-variables
+  DLS_URL: localhost  # REQUIRED, change to your ip or hostname
+  DLS_PORT: 443  # must match nginx listen & exposed port
+  LEASE_EXPIRE_DAYS: 90
+  DATABASE: sqlite:////app/database/db.sqlite
+  DEBUG: false
+
+services:
+  dls:
+    image: collinwebdesigns/fastapi-dls:latest
+    restart: always
+    environment:
+      <<: *dls-variables
+    volumes:
+      - /etc/timezone:/etc/timezone:ro
+      - /opt/docker/fastapi-dls/cert:/app/cert  # instance.private.pem, instance.public.pem
+      - db:/app/database
+    entrypoint: ["uvicorn", "main:app", "--host", "0.0.0.0", "--port", "8000", "--app-dir", "/app", "--proxy-headers"]
+    healthcheck:
+      test: ["CMD", "curl", "--fail", "http://localhost:8000/-/health"]
+      interval: 10s
+      timeout: 5s
+      retries: 3
+      start_period: 30s
+  proxy:
+    image: nginx
+    ports:
+      # thees are ports where nginx (!) is listen to
+      - "80:80"  # for "/leasing/v1/lessor/shutdown" used by windows guests, can't be changed!
+      - "443:443"  # first part must match "DLS_PORT"
+    volumes:
+      - /etc/timezone:/etc/timezone:ro
+      - /opt/docker/fastapi-dls/cert:/opt/cert
+    healthcheck:
+      test: ["CMD", "curl", "--insecure", "--fail", "https://localhost/-/health"]
+      interval: 10s
+      timeout: 5s
+      retries: 3
+      start_period: 30s
+    command: |
+      bash -c "bash -s <<\"EOF\"
+      cat > /etc/nginx/nginx.conf <<\"EON\"
+      daemon off;
+      user root;
+      worker_processes auto;
+      
+      events {
+        worker_connections 1024;
+      }
+      
+      http {
+        gzip on;
+        gzip_disable "msie6";
+        include /etc/nginx/mime.types;
+      
+        upstream dls-backend {
+          server dls:8000;  # must match dls listen port
+        }
+      
+        server {
+          listen 443 ssl http2 default_server;
+          listen [::]:443 ssl http2 default_server;
+      
+          root /var/www/html;
+          index index.html;
+          server_name _;
+      
+          ssl_certificate "/opt/cert/webserver.crt";
+          ssl_certificate_key "/opt/cert/webserver.key";
+          ssl_session_cache shared:SSL:1m;
+          ssl_session_timeout  10m;
+          ssl_protocols TLSv1.3 TLSv1.2;
+          # ssl_ciphers "ECDHE-ECDSA-CHACHA20-POLY1305";
+          # ssl_ciphers PROFILE=SYSTEM;
+          ssl_prefer_server_ciphers on;
+      
+          location / {
+            proxy_set_header Host $$http_host;
+            proxy_set_header X-Real-IP $$remote_addr;
+            proxy_set_header X-Forwarded-For $$proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto $$scheme;
+            proxy_pass http://dls-backend$$request_uri;
+          }
+      
+          location = /-/health {
+            access_log off;
+            add_header 'Content-Type' 'application/json';
+            return 200 '{\"status\":\"up\",\"service\":\"nginx\"}';
+          }
+        }
+      
+        server {
+          listen 80;
+          listen [::]:80;
+      
+          root /var/www/html;
+          index index.html;
+          server_name _;
+      
+          location /leasing/v1/lessor/shutdown {
+            proxy_set_header Host $$http_host;
+            proxy_set_header X-Real-IP $$remote_addr;
+            proxy_set_header X-Forwarded-For $$proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto $$scheme;
+            proxy_pass http://dls-backend/leasing/v1/lessor/shutdown;
+          }
+      
+          location / {
+            return 301 https://$$host$$request_uri;
+          }
+        }
+      }
+      EON
+      nginx
+      EOF"
+
+volumes:
+  db:

requirements.txt

@@ -1,8 +1,8 @@
-fastapi==0.97.0
-uvicorn[standard]==0.22.0
+fastapi==0.103.1
+uvicorn[standard]==0.23.2
 python-jose==3.3.0
-pycryptodome==3.18.0
+pycryptodome==3.19.0
 python-dateutil==2.8.2
-sqlalchemy==2.0.16
-markdown==3.4.3
+sqlalchemy==2.0.21
+markdown==3.4.4
 python-dotenv==1.0.0

test/main.py

@@ -1,15 +1,14 @@
-from os import getenv as env
 from base64 import b64encode as b64enc
 from hashlib import sha256
 from calendar import timegm
 from datetime import datetime
-from uuid import UUID, uuid4
+from os.path import dirname, join
+from uuid import uuid4, UUID
 
 from dateutil.relativedelta import relativedelta
-from jose import jwt
+from jose import jwt, jwk
 from jose.constants import ALGORITHMS
 from starlette.testclient import TestClient
-from sqlalchemy import create_engine
 import sys
 
 # add relative path to use packages as they were in the app/ dir
@@ -17,23 +16,20 @@ sys.path.append('../')
 sys.path.append('../app')
 
 from app import main
-from app.orm import init as db_init, migrate, Site, Instance
+from app.util import load_key
 
+client = TestClient(main.app)
 
 ORIGIN_REF, ALLOTMENT_REF, SECRET = str(uuid4()), '20000000-0000-0000-0000-000000000001', 'HelloWorld'
 
-# fastapi setup
-client = TestClient(main.app)
+# INSTANCE_KEY_RSA = generate_key()
+# INSTANCE_KEY_PUB = INSTANCE_KEY_RSA.public_key()
 
-# database setup
-db = create_engine(str(env('DATABASE', 'sqlite:///db.sqlite')))
-db_init(db), migrate(db)
+INSTANCE_KEY_RSA = load_key(str(join(dirname(__file__), '../app/cert/instance.private.pem')))
+INSTANCE_KEY_PUB = load_key(str(join(dirname(__file__), '../app/cert/instance.public.pem')))
 
-# test vars
-DEFAULT_SITE, DEFAULT_INSTANCE = Site.get_default_site(db), Instance.get_default_instance(db)
-
-SITE_KEY = DEFAULT_SITE.site_key
-jwt_encode_key, jwt_decode_key = DEFAULT_INSTANCE.get_jwt_encode_key(), DEFAULT_INSTANCE.get_jwt_decode_key()
+jwt_encode_key = jwk.construct(INSTANCE_KEY_RSA.export_key().decode('utf-8'), algorithm=ALGORITHMS.RS256)
+jwt_decode_key = jwk.construct(INSTANCE_KEY_PUB.export_key().decode('utf-8'), algorithm=ALGORITHMS.RS256)
 
 
 def __bearer_token(origin_ref: str) -> str:
@@ -42,12 +38,6 @@ def __bearer_token(origin_ref: str) -> str:
     return token
 
 
-def test_initial_default_site_and_instance():
-    default_site, default_instance = Site.get_default_site(db), Instance.get_default_instance(db)
-    assert default_site.site_key == Site.INITIAL_SITE_KEY_XID
-    assert default_instance.instance_ref == Instance.DEFAULT_INSTANCE_REF
-
-
 def test_index():
     response = client.get('/')
     assert response.status_code == 200
@@ -163,7 +153,8 @@ def test_auth_v1_token():
         "kid": "00000000-0000-0000-0000-000000000000"
     }
     payload = {
-        "auth_code": jwt.encode(payload, key=jwt_encode_key, headers={'kid': payload.get('kid')}, algorithm=ALGORITHMS.RS256),
+        "auth_code": jwt.encode(payload, key=jwt_encode_key, headers={'kid': payload.get('kid')},
+                                algorithm=ALGORITHMS.RS256),
         "code_verifier": SECRET,
     }