added notes about cronjob for ha

# Conflicts:
#	README.md

.DEBIAN/control

@@ -2,7 +2,7 @@ Package: fastapi-dls
 Version: 0.0
 Architecture: all
 Maintainer: Oscar Krause oscar.krause@collinwebdesigns.de
-Depends: python3, python3-fastapi, python3-uvicorn, python3-dotenv, python3-dateutil, python3-jose, python3-sqlalchemy, python3-pycryptodome, python3-markdown, uvicorn, openssl
+Depends: python3, python3-fastapi, python3-uvicorn, python3-dotenv, python3-dateutil, python3-jose, python3-sqlalchemy, python3-pycryptodome, python3-markdown, python3-httpx, uvicorn, openssl
 Recommends: curl
 Installed-Size: 10240
 Homepage: https://git.collinwebdesigns.de/oscar.krause/fastapi-dls

.DEBIAN/env.default

@@ -0,0 +1,27 @@
+# Toggle debug mode
+#DEBUG=false
+
+# Where the client can find the DLS server
+DLS_URL=127.0.0.1
+DLS_PORT=443
+
+# CORS configuration
+## comma separated list without spaces
+#CORS_ORIGINS="https://$DLS_URL:$DLS_PORT"
+
+# Lease expiration in days
+LEASE_EXPIRE_DAYS=90
+LEASE_RENEWAL_PERIOD=0.2
+
+# Database location
+## https://docs.sqlalchemy.org/en/14/core/engines.html
+DATABASE=sqlite:////etc/fastapi-dls/db.sqlite
+
+# UUIDs for identifying the instance
+#SITE_KEY_XID="00000000-0000-0000-0000-000000000000"
+#INSTANCE_REF="10000000-0000-0000-0000-000000000001"
+#ALLOTMENT_REF="20000000-0000-0000-0000-000000000001"
+
+# Site-wide signing keys
+INSTANCE_KEY_RSA=/etc/fastapi-dls/instance.private.pem
+INSTANCE_KEY_PUB=/etc/fastapi-dls/instance.public.pem

.DEBIAN/fastapi-dls.service

@@ -0,0 +1,25 @@
+[Unit]
+Description=Service for fastapi-dls
+Documentation=https://git.collinwebdesigns.de/oscar.krause/fastapi-dls
+After=network.target
+
+[Service]
+User=www-data
+Group=www-data
+AmbientCapabilities=CAP_NET_BIND_SERVICE
+WorkingDirectory=/usr/share/fastapi-dls/app
+EnvironmentFile=/etc/fastapi-dls/env
+ExecStart=uvicorn main:app \
+  --env-file /etc/fastapi-dls/env \
+  --host $DLS_URL --port $DLS_PORT \
+  --app-dir /usr/share/fastapi-dls/app \
+  --ssl-keyfile /etc/fastapi-dls/webserver.key \
+  --ssl-certfile /etc/fastapi-dls/webserver.crt \
+  --proxy-headers
+Restart=always
+KillSignal=SIGQUIT
+Type=simple
+NotifyAccess=all
+
+[Install]
+WantedBy=multi-user.target

.DEBIAN/postinst

@@ -3,94 +3,31 @@
 WORKING_DIR=/usr/share/fastapi-dls
 CONFIG_DIR=/etc/fastapi-dls
 
-echo "> Create config directory ..."
-mkdir -p $CONFIG_DIR
-
-# normally we would define services in `conffiles` and as separate file, but we like to keep thinks simple.
-echo "> Install service ..."
-cat <<EOF >/etc/systemd/system/fastapi-dls.service
-[Unit]
-Description=Service for fastapi-dls
-Documentation=https://git.collinwebdesigns.de/oscar.krause/fastapi-dls
-After=network.target
-
-[Service]
-User=www-data
-Group=www-data
-AmbientCapabilities=CAP_NET_BIND_SERVICE
-WorkingDirectory=$WORKING_DIR/app
-EnvironmentFile=$CONFIG_DIR/env
-ExecStart=uvicorn main:app \\
-  --env-file /etc/fastapi-dls/env \\
-  --host \$DLS_URL --port \$DLS_PORT \\
-  --app-dir $WORKING_DIR/app \\
-  --ssl-keyfile /etc/fastapi-dls/webserver.key \\
-  --ssl-certfile /etc/fastapi-dls/webserver.crt \\
-  --proxy-headers
-Restart=always
-KillSignal=SIGQUIT
-Type=simple
-NotifyAccess=all
-
-[Install]
-WantedBy=multi-user.target
-
-EOF
-
-systemctl daemon-reload
-
-# normally we would define configfiles in `conffiles` and as separate file, but we like to keep thinks simple.
-if [[ ! -f $CONFIG_DIR/env ]]; then
-  echo "> Writing initial config ..."
-  touch $CONFIG_DIR/env
-  cat <<EOF >$CONFIG_DIR/env
-# Toggle debug mode
-#DEBUG=false
-
-# Where the client can find the DLS server
-DLS_URL=127.0.0.1
-DLS_PORT=443
-
-# CORS configuration
-## comma separated list without spaces
-#CORS_ORIGINS="https://$DLS_URL:$DLS_PORT"
-
-# Lease expiration in days
-LEASE_EXPIRE_DAYS=90
-
-# Database location
-## https://docs.sqlalchemy.org/en/14/core/engines.html
-DATABASE=sqlite:///$CONFIG_DIR/db.sqlite
-
-# UUIDs for identifying the instance
-#SITE_KEY_XID="00000000-0000-0000-0000-000000000000"
-#INSTANCE_REF="00000000-0000-0000-0000-000000000000"
-
-# Site-wide signing keys
-INSTANCE_KEY_RSA=$CONFIG_DIR/instance.private.pem
-INSTANCE_KEY_PUB=$CONFIG_DIR/instance.public.pem
-
-EOF
+if [ ! -f $CONFIG_DIR/instance.private.pem ]; then
+  echo "> Create dls-instance keypair ..."
+  openssl genrsa -out $CONFIG_DIR/instance.private.pem 2048
+  openssl rsa -in $CONFIG_DIR/instance.private.pem -outform PEM -pubout -out $CONFIG_DIR/instance.public.pem
+else
+  echo "> Create dls-instance keypair skipped! (exists)"
 fi
 
-echo "> Create dls-instance keypair ..."
-openssl genrsa -out $CONFIG_DIR/instance.private.pem 2048
-openssl rsa -in $CONFIG_DIR/instance.private.pem -outform PEM -pubout -out $CONFIG_DIR/instance.public.pem
-
 while true; do
-  read -p "> Do you wish to create self-signed webserver certificate? [Y/n]" yn
-  yn=${yn:-y} # ${parameter:-word} If parameter is unset or null, the expansion of word is substituted. Otherwise, the value of parameter is substituted.
+  [ -f $CONFIG_DIR/webserver.key ] && default_answer="N" || default_answer="Y"
+  [ $default_answer == "Y" ] && V="Y/n" || V="y/N"
+  read -p "> Do you wish to create self-signed webserver certificate? [${V}]" yn
+  yn=${yn:-$default_answer} # ${parameter:-word} If parameter is unset or null, the expansion of word is substituted. Otherwise, the value of parameter is substituted.
   case $yn in
   [Yy]*)
+    echo "> Generating keypair ..."
     openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout $CONFIG_DIR/webserver.key -out $CONFIG_DIR/webserver.crt
     break
     ;;
-  [Nn]*) break ;;
+  [Nn]*) echo "> Generating keypair skipped! (exists)"; break ;;
   *) echo "Please answer [y] or [n]." ;;
   esac
 done
 
-if [[ -f $CONFIG_DIR/webserver.key ]]; then
+if [ -f $CONFIG_DIR/webserver.key ]; then
   echo "> Starting service ..."
   systemctl start fastapi-dls.service
 
@@ -115,7 +52,7 @@ cat <<EOF
 #    Service should be up and running.                                        #
 #      Webservice is listen to https://localhost                              #
 #                                                                             #
-#    Configuration is stored in ${CONFIG_DIR}/env                             #
+#    Configuration is stored in /etc/fastapi-dls/env.                         #
 #                                                                             #
 #                                                                             #
 # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #

.DEBIAN/postrm

@@ -1,8 +1,9 @@
 #!/bin/bash
 
-if [[ -f /etc/systemd/system/fastapi-dls.service ]]; then
-  echo "> Removing service file."
-  rm /etc/systemd/system/fastapi-dls.service
-fi
+# is removed automatically
+#if [ "$1" = purge ] && [ -d /usr/share/fastapi-dls ]; then
+#  echo "> Removing app."
+#  rm -r /usr/share/fastapi-dls
+#fi
 
-# todo
+echo -e "> Done."

.DEBIAN/prerm

@@ -1,5 +1,3 @@
 #!/bin/bash
 
 echo -e "> Starting uninstallation of 'fastapi-dls'!"
-
-# todo

.PKGBUILD/PKGBUILD

@@ -11,6 +11,7 @@ license=('MIT')
 depends=('python' 'python-jose' 'python-starlette' 'python-httpx' 'python-fastapi' 'python-dotenv' 'python-dateutil' 'python-sqlalchemy' 'python-pycryptodome' 'uvicorn' 'python-markdown' 'openssl')
 provider=("$pkgname")
 install="$pkgname.install"
+backup=('etc/default/fastapi-dls')
 source=('git+file:///builds/oscar.krause/fastapi-dls' # https://gitea.publichub.eu/oscar.krause/fastapi-dls.git
         "$pkgname.default"
         "$pkgname.service"

.gitlab-ci.yml

@@ -1,3 +1,10 @@
+include:
+  - template: Jobs/Code-Quality.gitlab-ci.yml
+  - template: Jobs/Secret-Detection.gitlab-ci.yml
+  - template: Jobs/SAST.gitlab-ci.yml
+  - template: Jobs/Container-Scanning.gitlab-ci.yml
+  - template: Jobs/Dependency-Scanning.gitlab-ci.yml
+
 cache:
   key: one-key-to-rule-them-all
 
@@ -46,7 +53,10 @@ build:apt:
     - cp README.md version.env build/usr/share/fastapi-dls
     # create conf file
     - mkdir -p build/etc/fastapi-dls
-    - touch build/etc/fastapi-dls/env
+    - cp .DEBIAN/env.default build/etc/fastapi-dls/env
+    # create service file
+    - mkdir -p build/etc/systemd/system
+    - cp .DEBIAN/fastapi-dls.service build/etc/systemd/system/fastapi-dls.service
     # cd into "build/"
     - cd build/
   script:
@@ -94,7 +104,7 @@ build:pacman:
       - "*.pkg.tar.zst"
 
 test:
-  image: python:3.10-slim-bullseye
+  image: python:3.11-slim-bullseye
   stage: test
   rules:
     - if: $CI_COMMIT_BRANCH
@@ -109,7 +119,11 @@ test:
     - openssl rsa -in app/cert/instance.private.pem -outform PEM -pubout -out app/cert/instance.public.pem
     - cd test
   script:
-    - pytest main.py
+    - python -m pytest main.py --junitxml=report.xml
+  artifacts:
+    reports:
+      dotenv: version.env
+      junit: ['**/report.xml']
 
 .test:linux:
   stage: test
@@ -142,6 +156,7 @@ test:
       --proxy-headers &
     - FASTAPI_DLS_PID=$!
     - echo "Started service with pid $FASTAPI_DLS_PID"
+    - cat /etc/fastapi-dls/env
     # testing service
     - if [ "`curl --insecure -s https://127.0.0.1/-/health | jq .status`" != "up" ]; then echo "Success"; else "Error"; fi
     # cleanup
@@ -172,6 +187,60 @@ test:archlinux:
     - pacman -Sy
     - pacman -U --noconfirm *.pkg.tar.zst
 
+code_quality:
+  rules:
+    - if: $CODE_QUALITY_DISABLED
+      when: never
+    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
+    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
+
+secret_detection:
+  rules:
+    - if: $SECRET_DETECTION_DISABLED
+      when: never
+    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
+    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
+
+semgrep-sast:
+  rules:
+    - if: $SAST_DISABLED
+      when: never
+    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
+    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
+
+test_coverage:
+  extends: test
+  allow_failure: true
+  rules:
+    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
+    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
+  script:
+    - pip install pytest pytest-cov
+    - coverage run -m pytest main.py
+    - coverage report
+    - coverage xml
+  coverage: '/(?i)total.*? (100(?:\.0+)?\%|[1-9]?\d(?:\.\d+)?\%)$/'
+  artifacts:
+    reports:
+      coverage_report:
+        coverage_format: cobertura
+        path: '**/coverage.xml'
+
+container_scanning:
+  dependencies: [ build:docker ]
+  rules:
+    - if: $CONTAINER_SCANNING_DISABLED
+      when: never
+    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
+    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
+
+gemnasium-python-dependency_scanning:
+  rules:
+    - if: $DEPENDENCY_SCANNING_DISABLED
+      when: never
+    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
+    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
+
 .deploy:
   rules:
     - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
@@ -270,19 +339,17 @@ deploy:pacman:
 release:
   image: registry.gitlab.com/gitlab-org/release-cli:latest
   stage: .post
+  needs:
+    - job: test
+      artifacts: true
   rules:
     - if: $CI_COMMIT_TAG
       when: never
     - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
-  before_script:
-    - set -a # make variables from "source" command available to release-cli
-    - source version.env
   script:
     - echo "Running release-job for $VERSION"
-  after_script:
-    - set +a
   release:
-    name: $CI_PROJECT_TITLE $version
+    name: $CI_PROJECT_TITLE $VERSION
     description: Release of $CI_PROJECT_TITLE version $VERSION
     tag_name: $VERSION
     ref: $CI_COMMIT_SHA

Dockerfile

@@ -1,4 +1,4 @@
-FROM python:3.10-alpine
+FROM python:3.11-alpine
 
 COPY requirements.txt /tmp/requirements.txt
 

FAQ.md

@@ -0,0 +1,17 @@
+# FAQ
+
+## `Failed to acquire license from <ip> (Info: <license> - Error: The allowed time to process response has expired)`
+
+- Did your timezone settings are correct on fastapi-dls **and your guest**?
+
+- Did you download the client-token more than an hour ago?
+
+Please download a new client-token. The guest have to register within an hour after client-token was created.
+
+
+## `jose.exceptions.JWTError: Signature verification failed.`
+
+- Did you recreated `instance.public.pem` / `instance.private.pem`?
+
+Then you have to download a **new** client-token on each of your guests.
+

README.md

@@ -2,75 +2,47 @@
 
 Minimal Delegated License Service (DLS).
 
+Compatibility tested with official DLS 2.0.1.
+
 This service can be used without internet connection.
 Only the clients need a connection to this service on configured port.
 
+**Official Links**
+
+- https://git.collinwebdesigns.de/oscar.krause/fastapi-dls
+- https://gitea.publichub.eu/oscar.krause/fastapi-dls
+- Docker Image `collinwebdesigns/fastapi-dls:latest`
+
+*All other repositories are forks! (which  is no bad - just for information and bug reports)*
+
+---
+
 [[_TOC_]]
 
-## ToDo's
-
-- Support http mode for using external https proxy (disable uvicorn ssl for using behind proxy)
-
-## Endpoints
-
-### [`GET /`](/)
-
-Redirect to `/-/readme`.
-
-### [`GET /status`](/status) (deprecated: use `/-/health`)
-
-Status endpoint, used for *healthcheck*. Shows also current version and commit hash.
-
-### [`GET /-/health`](/-/health)
-
-Status endpoint, used for *healthcheck*. Shows also current version and commit hash.
-
-### [`GET /-/readme`](/-/readme)
-
-HTML rendered README.md.
-
-### [`GET /-/docs`](/-/docs), [`GET /-/redoc`](/-/redoc)
-
-OpenAPI specifications rendered from `GET /-/openapi.json`.
-
-### [`GET /-/manage`](/-/manage)
-
-Shows a very basic UI to delete origins or leases.
-
-### `GET /-/origins?leases=false`
-
-List registered origins.
-
-| Query Parameter | Default | Usage                                |
-|-----------------|---------|--------------------------------------|
-| `leases`        | `false` | Include referenced leases per origin |
-
-### `DELETE /-/origins`
-
-Deletes all origins and their leases.
-
-### `GET /-/leases?origin=false`
-
-List current leases.
-
-| Query Parameter | Default | Usage                               |
-|-----------------|---------|-------------------------------------|
-| `origin`        | `false` | Include referenced origin per lease |
-
-### `DELETE /-/lease/{lease_ref}`
-
-Deletes an lease.
-
-### `GET /client-token`
-
-Generate client token, (see [installation](#installation)).
-
-### Others
-
-There are some more internal api endpoints for handling authentication and lease process.
-
 # Setup (Service)
 
+**System requirements**
+
+- 256mb ram
+- 4gb hdd
+
+Tested with Ubuntu 22.10 (from Proxmox templates), actually its consuming 100mb ram and 750mb hdd.
+
+**Prepare your system**
+
+- Make sure your timezone is set correct on you fastapi-dls server and your client
+
+**HA Setup Notes**
+
+- only *failover mode* is supported by team-green (see *high availability* in official user guide)
+- make sure you're using same configuration on each node
+- use same `instance.private.pem` and `instance.private.key` on each node
+- add `cronjob` on each node with `curl -X GET --insecure https://localhost/-/ha/replicate`
+
+If you want to use *real* HA, you should use a proxy in front of this service and use a clustered database in backend.
+This is not documented and supported by me, but it *can* work. Please ask the community for help.
+Maybe the simplest solution for HA-ing this service is to use a Docker-Swarm with redundant storage and database.
+
 ## Docker
 
 Docker-Images are available here:
@@ -78,6 +50,8 @@ Docker-Images are available here:
 - [Docker-Hub](https://hub.docker.com/repository/docker/collinwebdesigns/fastapi-dls): `collinwebdesigns/fastapi-dls:latest`
 - [GitLab-Registry](https://git.collinwebdesigns.de/oscar.krause/fastapi-dls/container_registry): `registry.git.collinwebdesigns.de/oscar.krause/fastapi-dls/main:latest`
 
+The images include database drivers for `postgres`, `mysql`, `mariadb` and `sqlite`.
+
 **Run this on the Docker-Host**
 
 ```shell
@@ -93,6 +67,8 @@ openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout  $WORKING_DIR/webse
 
 **Start container**
 
+To test if everything is set up properly you can start container as following:
+
 ```shell
 docker volume create dls-db
 docker run -e DLS_URL=`hostname -i` -e DLS_PORT=443 -p 443:443 -v $WORKING_DIR:/app/cert -v dls-db:/app/database collinwebdesigns/fastapi-dls:latest
@@ -100,14 +76,18 @@ docker run -e DLS_URL=`hostname -i` -e DLS_PORT=443 -p 443:443 -v $WORKING_DIR:/
 
 **Docker-Compose / Deploy stack**
 
+Goto [`docker-compose.yml`](docker-compose.yml) for more advanced example (with reverse proxy usage).
+
 ```yaml
 version: '3.9'
 
 x-dls-variables: &dls-variables
-  DLS_URL: localhost # REQUIRED
+  TZ: Europe/Berlin # REQUIRED, set your timezone correctly on fastapi-dls AND YOUR CLIENTS !!!
+  DLS_URL: localhost # REQUIRED, change to your ip or hostname
   DLS_PORT: 443
-  LEASE_EXPIRE_DAYS: 90
+  LEASE_EXPIRE_DAYS: 90  # 90 days is maximum
   DATABASE: sqlite:////app/database/db.sqlite
+  DEBUG: false
 
 services:
   dls:
@@ -120,15 +100,22 @@ services:
     volumes:
       - /opt/docker/fastapi-dls/cert:/app/cert
       - dls-db:/app/database
-
+    logging:  # optional, for those who do not need logs
+      driver: "json-file"
+      options:
+        max-file: 5
+        max-size: 10m
+            
 volumes:
   dls-db:
 ```
 
-## Debian/Ubuntu (manual method using `git clone`)
+## Debian/Ubuntu (manual method using `git clone` and python virtual environment)
 
 Tested on `Debian 11 (bullseye)`, Ubuntu may also work.
 
+**Make sure you are logged in as root.**
+
 **Install requirements**
 
 ```shell
@@ -153,7 +140,7 @@ chown -R www-data:www-data $WORKING_DIR
 
 ```shell
 WORKING_DIR=/opt/fastapi-dls/app/cert
-mkdir $WORKING_DIR
+mkdir -p $WORKING_DIR
 cd $WORKING_DIR
 # create instance private and public key for singing JWT's
 openssl genrsa -out $WORKING_DIR/instance.private.pem 2048 
@@ -170,11 +157,14 @@ This is only to test whether the service starts successfully.
 ```shell
 cd /opt/fastapi-dls/app
 su - www-data -c "/opt/fastapi-dls/venv/bin/uvicorn main:app --app-dir=/opt/fastapi-dls/app"
+# or
+sudo -u www-data -c "/opt/fastapi-dls/venv/bin/uvicorn main:app --app-dir=/opt/fastapi-dls/app"
 ```
 
 **Create config file**
 
 ```shell
+mkdir /etc/fastapi-dls
 cat <<EOF >/etc/fastapi-dls/env
 DLS_URL=127.0.0.1
 DLS_PORT=443
@@ -219,6 +209,108 @@ EOF
 Now you have to run `systemctl daemon-reload`. After that you can start service
 with `systemctl start fastapi-dls.service` and enable autostart with `systemctl enable fastapi-dls.service`.
 
+## openSUSE Leap (manual method using `git clone` and python virtual environment)
+
+Tested on `openSUSE Leap 15.4`, openSUSE Tumbleweed may also work.
+
+**Install requirements**
+
+```shell
+zypper in -y python310 python3-virtualenv python3-pip
+```
+
+**Install FastAPI-DLS**
+
+```shell
+BASE_DIR=/opt/fastapi-dls
+SERVICE_USER=dls
+mkdir -p ${BASE_DIR}
+cd ${BASE_DIR}
+git clone https://git.collinwebdesigns.de/oscar.krause/fastapi-dls .
+python3.10 -m venv venv
+source venv/bin/activate
+pip install -r requirements.txt
+deactivate
+useradd -r ${SERVICE_USER} -M -d /opt/fastapi-dls
+chown -R ${SERVICE_USER} ${BASE_DIR}
+```
+
+**Create keypair and webserver certificate**
+
+```shell
+CERT_DIR=${BASE_DIR}/app/cert
+SERVICE_USER=dls
+mkdir ${CERT_DIR}
+cd ${CERT_DIR}
+# create instance private and public key for singing JWT's
+openssl genrsa -out ${CERT_DIR}/instance.private.pem 2048 
+openssl rsa -in ${CERT_DIR}/instance.private.pem -outform PEM -pubout -out ${CERT_DIR}/instance.public.pem
+# create ssl certificate for integrated webserver (uvicorn) - because clients rely on ssl
+openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout  ${CERT_DIR}/webserver.key -out ${CERT_DIR}/webserver.crt
+chown -R ${SERVICE_USER} ${CERT_DIR}
+```
+
+**Test Service**
+
+This is only to test whether the service starts successfully.
+
+```shell
+BASE_DIR=/opt/fastapi-dls
+SERVICE_USER=dls
+cd ${BASE_DIR}
+su - ${SERVICE_USER} -c "${BASE_DIR}/venv/bin/uvicorn main:app --app-dir=${BASE_DIR}/app"
+```
+
+**Create config file**
+
+```shell
+BASE_DIR=/opt/fastapi-dls
+cat <<EOF >/etc/fastapi-dls/env
+# Adjust DSL_URL as needed (accessing from LAN won't work with 127.0.0.1)
+DLS_URL=127.0.0.1
+DLS_PORT=443
+LEASE_EXPIRE_DAYS=90
+DATABASE=sqlite:///${BASE_DIR}/app/db.sqlite
+
+EOF
+```
+
+**Create service**
+
+```shell
+BASE_DIR=/opt/fastapi-dls
+SERVICE_USER=dls
+cat <<EOF >/etc/systemd/system/fastapi-dls.service
+[Unit]
+Description=Service for fastapi-dls vGPU licensing service
+After=network.target
+
+[Service]
+User=${SERVICE_USER}
+AmbientCapabilities=CAP_NET_BIND_SERVICE
+WorkingDirectory=${BASE_DIR}/app
+EnvironmentFile=/etc/fastapi-dls/env
+ExecStart=${BASE_DIR}/venv/bin/uvicorn main:app \\
+  --env-file /etc/fastapi-dls/env \\
+  --host \$DLS_URL --port \$DLS_PORT \\
+  --app-dir ${BASE_DIR}/app \\
+  --ssl-keyfile ${BASE_DIR}/app/cert/webserver.key \\
+  --ssl-certfile ${BASE_DIR}/app/cert/webserver.crt \\
+  --proxy-headers
+Restart=always
+KillSignal=SIGQUIT
+Type=simple
+NotifyAccess=all
+
+[Install]
+WantedBy=multi-user.target
+
+EOF
+```
+
+Now you have to run `systemctl daemon-reload`. After that you can start service
+with `systemctl start fastapi-dls.service` and enable autostart with `systemctl enable fastapi-dls.service`.
+
 ## Debian/Ubuntu (using `dpkg`)
 
 Packages are available here:
@@ -230,6 +322,11 @@ Successful tested with:
 - Debian 12 (Bookworm) (works but not recommended because it is currently in *testing* state)
 - Ubuntu 22.10 (Kinetic Kudu)
 
+Not working with:
+
+- Debian 11 (Bullseye) and lower (missing `python-jose` dependency)
+- Ubuntu 22.04 (Jammy Jellyfish) (not supported as for 15.01.2023 due to [fastapi - uvicorn version missmatch](https://bugs.launchpad.net/ubuntu/+source/fastapi/+bug/1970557))
+
 **Run this on your server instance**
 
 First go to [GitLab-Registry](https://git.collinwebdesigns.de/oscar.krause/fastapi-dls/-/packages) and select your
@@ -256,13 +353,17 @@ Packages are available here:
 ```shell
 pacman -Sy
 FILENAME=/opt/fastapi-dls.pkg.tar.zst
-url -o $FILENAME <download-url>
+
+curl -o $FILENAME <download-url>
+# or
+wget -O $FILENAME <download-url>
+
 pacman -U --noconfirm fastapi-dls.pkg.tar.zst
 ```
 
 Start with `systemctl start fastapi-dls.service` and enable autostart with `systemctl enable fastapi-dls.service`.
 
-## Let's Encrypt Certificate
+## Let's Encrypt Certificate (optional)
 
 If you're using installation via docker, you can use `traefik`. Please refer to their documentation.
 
@@ -280,20 +381,34 @@ After first success you have to replace `--issue` with `--renew`.
 
 # Configuration
 
-| Variable            | Default                                | Usage                                                                               |
-|---------------------|----------------------------------------|-------------------------------------------------------------------------------------|
-| `DEBUG`             | `false`                                | Toggles `fastapi` debug mode                                                        |
-| `DLS_URL`           | `localhost`                            | Used in client-token to tell guest driver where dls instance is reachable           |
-| `DLS_PORT`          | `443`                                  | Used in client-token to tell guest driver where dls instance is reachable           |
-| `LEASE_EXPIRE_DAYS` | `90`                                   | Lease time in days                                                                  |
-| `DATABASE`          | `sqlite:///db.sqlite`                  | See [official SQLAlchemy docs](https://docs.sqlalchemy.org/en/14/core/engines.html) |
-| `CORS_ORIGINS`      | `https://{DLS_URL}`                    | Sets `Access-Control-Allow-Origin` header (comma separated string) \*               |
-| `SITE_KEY_XID`      | `00000000-0000-0000-0000-000000000000` | Site identification uuid                                                            |
-| `INSTANCE_REF`      | `00000000-0000-0000-0000-000000000000` | Instance identification uuid                                                        |
-| `INSTANCE_KEY_RSA`  | `<app-dir>/cert/instance.private.pem`  | Site-wide private RSA key for singing JWTs                                          |
-| `INSTANCE_KEY_PUB`  | `<app-dir>/cert/instance.public.pem`   | Site-wide public key                                                                |
+| Variable               | Default                                | Usage                                                                                                              |
+|------------------------|----------------------------------------|--------------------------------------------------------------------------------------------------------------------|
+| `DEBUG`                | `false`                                | Toggles `fastapi` debug mode                                                                                       |
+| `DLS_URL`              | `localhost`                            | Used in client-token to tell guest driver where dls instance is reachable                                          |
+| `DLS_PORT`             | `443`                                  | Used in client-token to tell guest driver where dls instance is reachable                                          |
+| `HA_REPLICATE`         |                                        | `DLS_URL` + `DLS_PORT` of primary DLS instance, e.g. `dls-node:443` (for HA only **two** nodes are supported!) \*1 |
+| `HA_ROLE`              |                                        | `PRIMARY` or `SECONDARY`                                                                                           |
+| `TOKEN_EXPIRE_DAYS`    | `1`                                    | Client auth-token validity (used for authenticate client against api, **not `.tok` file!**)                        |
+| `LEASE_EXPIRE_DAYS`    | `90`                                   | Lease time in days                                                                                                 |
+| `LEASE_RENEWAL_PERIOD` | `0.15`                                 | The percentage of the lease period that must elapse before a licensed client can renew a license \*2               |
+| `DATABASE`             | `sqlite:///db.sqlite`                  | See [official SQLAlchemy docs](https://docs.sqlalchemy.org/en/14/core/engines.html)                                |
+| `CORS_ORIGINS`         | `https://{DLS_URL}`                    | Sets `Access-Control-Allow-Origin` header (comma separated string) \*3                                             |
+| `SITE_KEY_XID`         | `00000000-0000-0000-0000-000000000000` | Site identification uuid                                                                                           |
+| `INSTANCE_REF`         | `10000000-0000-0000-0000-000000000001` | Instance identification uuid                                                                                       |
+| `ALLOTMENT_REF`        | `20000000-0000-0000-0000-000000000001` | Allotment identification uuid                                                                                      |
+| `INSTANCE_KEY_RSA`     | `<app-dir>/cert/instance.private.pem`  | Site-wide private RSA key for singing JWTs \*4                                                                     |
+| `INSTANCE_KEY_PUB`     | `<app-dir>/cert/instance.public.pem`   | Site-wide public key \*4                                                                                           |
 
-\* Always use `https`, since guest-drivers only support secure connections!
+\*1 If you want to use HA, this value should be point to `secondary` on `primary` and `primary` on `secondary`. Don't
+use same database for both instances!
+
+\*2 For example, if the lease period is one day and the renewal period is 20%, the client attempts to renew its license
+every 4.8 hours. If network connectivity is lost, the loss of connectivity is detected during license renewal and the
+client has 19.2 hours in which to re-establish connectivity before its license expires.
+
+\*3 Always use `https`, since guest-drivers only support secure connections!
+
+\*4 If you recreate instance keys you need to **recreate client-token for each guest**!
 
 # Setup (Client)
 
@@ -307,27 +422,124 @@ Successfully tested with this package versions:
 
 ## Linux
 
+Download *client-token* and place it into `/etc/nvidia/ClientConfigToken`:
+
+```shell
+curl --insecure -L -X GET https://<dls-hostname-or-ip>/-/client-token -o /etc/nvidia/ClientConfigToken/client_configuration_token_$(date '+%d-%m-%Y-%H-%M-%S').tok
+# or
+wget --no-check-certificate -O /etc/nvidia/ClientConfigToken/client_configuration_token_$(date '+%d-%m-%Y-%H-%M-%S').tok https://<dls-hostname-or-ip>/-/client-token
+```
+
+Restart `nvidia-gridd` service:
+
 ```shell
-curl --insecure -X GET https://<dls-hostname-or-ip>/client-token -o /etc/nvidia/ClientConfigToken/client_configuration_token.tok
 service nvidia-gridd restart
+```
+
+Check licensing status:
+
+```shell
 nvidia-smi -q | grep "License"
 ```
 
-## Windows
+Output should be something like:
 
-Download file and place it into `C:\Program Files\NVIDIA Corporation\vGPU Licensing\ClientConfigToken`.
-Now restart `NvContainerLocalSystem` service.
-
-**Power-Shell**
-
-```Shell
-curl.exe --insecure -X GET https://<dls-hostname-or-ip>/client-token -o "C:\Program Files\NVIDIA Corporation\vGPU Licensing\ClientConfigToken\client_configuration_token_$($(Get-Date).tostring('dd-MM-yy-hh-mm-ss')).tok"
-Restart-Service NVDisplay.ContainerLocalSystem
-'C:\Program Files\NVIDIA Corporation\NVSMI\nvidia-smi.exe' -q | Select-String "License"
+```text
+vGPU Software Licensed Product
+    License Status                    : Licensed (Expiry: YYYY-M-DD hh:mm:ss GMT)
 ```
 
+Done. For more information check [troubleshoot section](#troubleshoot).
+
+## Windows
+
+**Power-Shell** (run as administrator!)
+
+Download *client-token* and place it into `C:\Program Files\NVIDIA Corporation\vGPU Licensing\ClientConfigToken`:
+
+```shell
+curl.exe --insecure -L -X GET https://<dls-hostname-or-ip>/-/client-token -o "C:\Program Files\NVIDIA Corporation\vGPU Licensing\ClientConfigToken\client_configuration_token_$($(Get-Date).tostring('dd-MM-yy-hh-mm-ss')).tok"
+```
+
+Restart `NvContainerLocalSystem` service:
+
+```Shell
+Restart-Service NVDisplay.ContainerLocalSystem
+```
+
+Check licensing status:
+
+```shell
+& 'C:\Program Files\NVIDIA Corporation\NVSMI\nvidia-smi.exe' -q  | Select-String "License"
+```
+
+Output should be something like:
+
+```text
+vGPU Software Licensed Product
+    License Status                    : Licensed (Expiry: YYYY-M-DD hh:mm:ss GMT)
+```
+
+Done. For more information check [troubleshoot section](#troubleshoot).
+
+# Endpoints
+
+### `GET /`
+
+Redirect to `/-/readme`.
+
+### `GET /-/health`
+
+Status endpoint, used for *healthcheck*.
+
+### `GET /-/config`
+
+Shows current runtime environment variables and their values.
+
+### `GET /-/readme`
+
+HTML rendered README.md.
+
+### `GET /-/manage`
+
+Shows a very basic UI to delete origins or leases.
+
+### `GET /-/origins?leases=false`
+
+List registered origins.
+
+| Query Parameter | Default | Usage                                |
+|-----------------|---------|--------------------------------------|
+| `leases`        | `false` | Include referenced leases per origin |
+
+### `DELETE /-/origins`
+
+Deletes all origins and their leases.
+
+### `GET /-/leases?origin=false`
+
+List current leases.
+
+| Query Parameter | Default | Usage                               |
+|-----------------|---------|-------------------------------------|
+| `origin`        | `false` | Include referenced origin per lease |
+
+### `DELETE /-/lease/{lease_ref}`
+
+Deletes an lease.
+
+### `GET /-/client-token`
+
+Generate client token, (see [installation](#installation)).
+
+### Others
+
+There are many other internal api endpoints for handling authentication and lease process.
+
 # Troubleshoot
 
+**Please make sure that fastapi-dls and your guests are on the same timezone!**
+
 ## Linux
 
 Logs are available with `journalctl -u nvidia-gridd -f`.
@@ -346,6 +558,9 @@ This message can be ignored.
 
 - Ref. https://github.com/encode/uvicorn/issues/441
 
+<details>
+  <summary>Log example</summary>
+
 ```
 WARNING:uvicorn.error:Invalid HTTP request received.
 Traceback (most recent call last):
@@ -364,6 +579,8 @@ Traceback (most recent call last):
 h11._util.RemoteProtocolError: no request line received
 ```
 
+</details>
+
 ## Windows
 
 ### Required cipher on Windows Guests (e.g. managed by domain controller with GPO)
@@ -431,9 +648,40 @@ Dec 20 17:53:34 ubuntu-grid-server nvidia-gridd[10354]: License acquired success
 
 </details>
 
+### Error on releasing leases on shutdown (can be ignored and/or fixed with reverse proxy)
+
+The driver wants to release current leases on shutting down windows. This endpoint needs to be a http endpoint.
+The error message can safely be ignored (since we have no license limitation :P) and looks like this:
+
+<details>
+  <summary>Log example</summary>
+
+```
+<1>:NLS initialized
+<1>:License acquired successfully. (Info: 192.168.178.110, NVIDIA RTX Virtual Workstation; Expiry: 2023-3-30 23:0:22 GMT)
+<0>:Failed to return license to 192.168.178.110 (Error: Generic network communication failure)
+<0>:End Logging
+```
+
+#### log with nginx as reverse proxy (see [docker-compose.yml](docker-compose.yml))
+
+```
+<1>:NLS initialized
+<2>:NLS initialized
+<1>:Valid GRID license not found. GPU features and performance will be fully degraded. To enable full functionality please configure licensing details.
+<1>:License acquired successfully. (Info: 192.168.178.33, NVIDIA RTX Virtual Workstation; Expiry: 2023-1-4 16:48:20 GMT)
+<2>:Valid GRID license not found. GPU features and performance will be fully degraded. To enable full functionality please configure licensing details.
+<2>:License acquired successfully from local trusted store. (Info: 192.168.178.33, NVIDIA RTX Virtual Workstation; Expiry: 2023-1-4 16:48:20 GMT)
+<2>:End Logging
+<1>:End Logging
+<0>:License returned successfully. (Info: 192.168.178.33)
+<0>:End Logging
+```
+
+</details>
+
 # Credits
 
 Thanks to vGPU community and all who uses this project and report bugs.
 
-Special thanks to @samicrusader who created build file for ArchLinux.
-
+Special thanks to @samicrusader who created build file for ArchLinux and @cyrus who wrote the section for openSUSE.

app/main.py

@@ -6,40 +6,47 @@ from os.path import join, dirname
 from os import getenv as env
 
 from dotenv import load_dotenv
-from fastapi import FastAPI, HTTPException
+from fastapi import FastAPI, BackgroundTasks
 from fastapi.requests import Request
-import json
-from datetime import datetime
+from json import loads as json_loads
+from datetime import datetime, timedelta
 from dateutil.relativedelta import relativedelta
 from calendar import timegm
-from jose import jws, jwk, jwt
+from jose import jws, jwk, jwt, JWTError
 from jose.constants import ALGORITHMS
 from starlette.middleware.cors import CORSMiddleware
-from starlette.responses import StreamingResponse, JSONResponse, HTMLResponse, Response, RedirectResponse
+from starlette.responses import StreamingResponse, JSONResponse as JSONr, HTMLResponse as HTMLr, Response, RedirectResponse
 from sqlalchemy import create_engine
 from sqlalchemy.orm import sessionmaker
 
-from util import load_key, load_file
+from util import load_key, load_file, ha_replicate
 from orm import Origin, Lease, init as db_init, migrate
 
-logger = logging.getLogger()
 load_dotenv('../version.env')
 
+TZ = datetime.now().astimezone().tzinfo
+
 VERSION, COMMIT, DEBUG = env('VERSION', 'unknown'), env('COMMIT', 'unknown'), bool(env('DEBUG', False))
 
-config = dict(openapi_url='/-/openapi.json', docs_url='/-/docs', redoc_url='/-/redoc')
+config = dict(openapi_url=None, docs_url=None, redoc_url=None)  # dict(openapi_url='/-/openapi.json', docs_url='/-/docs', redoc_url='/-/redoc')
 app = FastAPI(title='FastAPI-DLS', description='Minimal Delegated License Service (DLS).', version=VERSION, **config)
 db = create_engine(str(env('DATABASE', 'sqlite:///db.sqlite')))
 db_init(db), migrate(db)
 
+# everything prefixed with "INSTANCE_*" is used as "SERVICE_INSTANCE_*" or "SI_*" in official dls service
 DLS_URL = str(env('DLS_URL', 'localhost'))
 DLS_PORT = int(env('DLS_PORT', '443'))
+HA_REPLICATE, HA_ROLE = env('HA_REPLICATE', None), env('HA_ROLE', None)  # only failover is supported
 SITE_KEY_XID = str(env('SITE_KEY_XID', '00000000-0000-0000-0000-000000000000'))
-INSTANCE_REF = str(env('INSTANCE_REF', '00000000-0000-0000-0000-000000000000'))
+INSTANCE_REF = str(env('INSTANCE_REF', '10000000-0000-0000-0000-000000000001'))
+ALLOTMENT_REF = str(env('ALLOTMENT_REF', '20000000-0000-0000-0000-000000000001'))
 INSTANCE_KEY_RSA = load_key(str(env('INSTANCE_KEY_RSA', join(dirname(__file__), 'cert/instance.private.pem'))))
 INSTANCE_KEY_PUB = load_key(str(env('INSTANCE_KEY_PUB', join(dirname(__file__), 'cert/instance.public.pem'))))
-TOKEN_EXPIRE_DELTA = relativedelta(hours=1)  # days=1
-LEASE_EXPIRE_DELTA = relativedelta(days=int(env('LEASE_EXPIRE_DAYS', 90)))
+TOKEN_EXPIRE_DELTA = relativedelta(days=int(env('TOKEN_EXPIRE_DAYS', 1)), hours=int(env('TOKEN_EXPIRE_HOURS', 0)))
+LEASE_EXPIRE_DELTA = relativedelta(days=int(env('LEASE_EXPIRE_DAYS', 90)), hours=int(env('LEASE_EXPIRE_HOURS', 0)))
+LEASE_RENEWAL_PERIOD = float(env('LEASE_RENEWAL_PERIOD', 0.15))
+LEASE_RENEWAL_DELTA = timedelta(days=int(env('LEASE_EXPIRE_DAYS', 90)), hours=int(env('LEASE_EXPIRE_HOURS', 0)))
+CLIENT_TOKEN_EXPIRE_DELTA = relativedelta(years=12)
 CORS_ORIGINS = str(env('CORS_ORIGINS', '')).split(',') if (env('CORS_ORIGINS')) else [f'https://{DLS_URL}']
 
 jwt_encode_key = jwk.construct(INSTANCE_KEY_RSA.export_key().decode('utf-8'), algorithm=ALGORITHMS.RS256)
@@ -54,6 +61,8 @@ app.add_middleware(
     allow_headers=['*'],
 )
 
+logging.basicConfig()
+logger = logging.getLogger(__name__)
 logger.setLevel(logging.DEBUG if DEBUG else logging.INFO)
 
 
@@ -68,11 +77,6 @@ async def index():
     return RedirectResponse('/-/readme')
 
 
-@app.get('/status', summary='* Status', description='returns current service status, version (incl. git-commit) and some variables.', deprecated=True)
-async def status(request: Request):
-    return JSONResponse({'status': 'up', 'version': VERSION, 'commit': COMMIT, 'debug': DEBUG})
-
-
 @app.get('/-/', summary='* Index')
 async def _index():
     return RedirectResponse('/-/readme')
@@ -80,14 +84,33 @@ async def _index():
 
 @app.get('/-/health', summary='* Health')
 async def _health(request: Request):
-    return JSONResponse({'status': 'up', 'version': VERSION, 'commit': COMMIT, 'debug': DEBUG})
+    return JSONr({'status': 'up'})
+
+
+@app.get('/-/config', summary='* Config', description='returns environment variables.')
+async def _config():
+    return JSONr({
+        'VERSION': str(VERSION),
+        'COMMIT': str(COMMIT),
+        'DEBUG': str(DEBUG),
+        'DLS_URL': str(DLS_URL),
+        'DLS_PORT': str(DLS_PORT),
+        'SITE_KEY_XID': str(SITE_KEY_XID),
+        'INSTANCE_REF': str(INSTANCE_REF),
+        'ALLOTMENT_REF': [str(ALLOTMENT_REF)],
+        'TOKEN_EXPIRE_DELTA': str(TOKEN_EXPIRE_DELTA),
+        'LEASE_EXPIRE_DELTA': str(LEASE_EXPIRE_DELTA),
+        'LEASE_RENEWAL_PERIOD': str(LEASE_RENEWAL_PERIOD),
+        'CORS_ORIGINS': str(CORS_ORIGINS),
+        'TZ': str(TZ),
+    })
 
 
 @app.get('/-/readme', summary='* Readme')
 async def _readme():
     from markdown import markdown
     content = load_file('../README.md').decode('utf-8')
-    return HTMLResponse(markdown(text=content, extensions=['tables', 'fenced_code', 'md_in_html', 'nl2br', 'toc']))
+    return HTMLr(markdown(text=content, extensions=['tables', 'fenced_code', 'md_in_html', 'nl2br', 'toc']))
 
 
 @app.get('/-/manage', summary='* Management UI')
@@ -99,14 +122,18 @@ async def _manage(request: Request):
             <title>FastAPI-DLS Management</title>
         </head>
         <body>
-            <button onclick="deleteOrigins()">delete origins and their leases</button>
+            <button onclick="deleteOrigins()">delete ALL origins and their leases</button>
             <button onclick="deleteLease()">delete specific lease</button>
             
             <script>
                 function deleteOrigins() {
-                    var xhr = new XMLHttpRequest();
-                    xhr.open("DELETE", '/-/origins', true);
-                    xhr.send();
+                    const response = confirm('Are you sure you want to delete all origins and their leases?');
+
+                    if (response) {
+                        var xhr = new XMLHttpRequest();
+                        xhr.open("DELETE", '/-/origins', true);
+                        xhr.send();
+                    }
                 }
                 function deleteLease(lease_ref) {
                     if(lease_ref === undefined)
@@ -121,7 +148,7 @@ async def _manage(request: Request):
         </body>
     </html>
     '''
-    return HTMLResponse(response)
+    return HTMLr(response)
 
 
 @app.get('/-/origins', summary='* Origins')
@@ -131,10 +158,11 @@ async def _origins(request: Request, leases: bool = False):
     for origin in session.query(Origin).all():
         x = origin.serialize()
         if leases:
-            x['leases'] = list(map(lambda _: _.serialize(), Lease.find_by_origin_ref(db, origin.origin_ref)))
+            serialize = dict(renewal_period=LEASE_RENEWAL_PERIOD, renewal_delta=LEASE_RENEWAL_DELTA)
+            x['leases'] = list(map(lambda _: _.serialize(**serialize), Lease.find_by_origin_ref(db, origin.origin_ref)))
         response.append(x)
     session.close()
-    return JSONResponse(response)
+    return JSONr(response)
 
 
 @app.delete('/-/origins', summary='* Origins')
@@ -148,27 +176,59 @@ async def _leases(request: Request, origin: bool = False):
     session = sessionmaker(bind=db)()
     response = []
     for lease in session.query(Lease).all():
-        x = lease.serialize()
+        serialize = dict(renewal_period=LEASE_RENEWAL_PERIOD, renewal_delta=LEASE_RENEWAL_DELTA)
+        x = lease.serialize(**serialize)
         if origin:
-            # assume that each lease has a valid origin record
-            x['origin'] = session.query(Origin).filter(Origin.origin_ref == lease.origin_ref).first().serialize()
+            lease_origin = session.query(Origin).filter(Origin.origin_ref == lease.origin_ref).first()
+            if lease_origin is not None:
+                x['origin'] = lease_origin.serialize()
         response.append(x)
     session.close()
-    return JSONResponse(response)
+    return JSONr(response)
 
 
 @app.delete('/-/lease/{lease_ref}', summary='* Lease')
 async def _lease_delete(request: Request, lease_ref: str):
     if Lease.delete(db, lease_ref) == 1:
         return Response(status_code=201)
-    raise HTTPException(status_code=404, detail='lease not found')
+    return JSONr(status_code=404, content={'status': 404, 'detail': 'lease not found'})
 
 
 # venv/lib/python3.9/site-packages/nls_core_service_instance/service_instance_token_manager.py
 @app.get('/-/client-token', summary='* Client-Token', description='creates a new messenger token for this service instance')
 async def _client_token():
     cur_time = datetime.utcnow()
-    exp_time = cur_time + relativedelta(years=12)
+    exp_time = cur_time + CLIENT_TOKEN_EXPIRE_DELTA
+
+    if HA_REPLICATE is not None and HA_ROLE.lower() == "secondary":
+        return RedirectResponse(f'https://{HA_REPLICATE}/-/client-token')
+
+    idx_port, idx_node = 0, 0
+
+    def create_svc_port_set(port: int):
+        idx = idx_port
+        return {
+            "idx": idx,
+            "d_name": "DLS",
+            "svc_port_map": [{"service": "auth", "port": port}, {"service": "lease", "port": port}]
+        }
+
+    def create_node_url(url: str, svc_port_set_idx: int):
+        idx = idx_node
+        return {"idx": idx, "url": url, "url_qr": url, "svc_port_set_idx": svc_port_set_idx}
+
+    service_instance_configuration = {
+        "nls_service_instance_ref": INSTANCE_REF,
+        "svc_port_set_list": [create_svc_port_set(DLS_PORT)],
+        "node_url_list": [create_node_url(DLS_URL, idx_port)]
+    }
+    idx_port += 1
+    idx_node += 1
+
+    if HA_REPLICATE is not None and HA_ROLE.lower() == "primary":
+        SEC_URL, SEC_PORT, *invalid = HA_REPLICATE.split(':')
+        service_instance_configuration['svc_port_set_list'].append(create_svc_port_set(SEC_PORT))
+        service_instance_configuration['node_url_list'].append(create_node_url(SEC_URL, idx_port))
 
     payload = {
         "jti": str(uuid4()),
@@ -178,19 +238,9 @@ async def _client_token():
         "nbf": timegm(cur_time.timetuple()),
         "exp": timegm(exp_time.timetuple()),
         "update_mode": "ABSOLUTE",
-        "scope_ref_list": [str(uuid4())],  # this is our LEASE_REF
+        "scope_ref_list": [ALLOTMENT_REF],
         "fulfillment_class_ref_list": [],
-        "service_instance_configuration": {
-            "nls_service_instance_ref": INSTANCE_REF,
-            "svc_port_set_list": [
-                {
-                    "idx": 0,
-                    "d_name": "DLS",
-                    "svc_port_map": [{"service": "auth", "port": DLS_PORT}, {"service": "lease", "port": DLS_PORT}]
-                }
-            ],
-            "node_url_list": [{"idx": 0, "url": DLS_URL, "url_qr": DLS_URL, "svc_port_set_idx": 0}]
-        },
+        "service_instance_configuration": service_instance_configuration,
         "service_instance_public_key_configuration": {
             "service_instance_public_key_me": {
                 "mod": hex(INSTANCE_KEY_PUB.public_key().n)[2:],
@@ -210,32 +260,87 @@ async def _client_token():
     return response
 
 
-@app.get('/client-token', summary='* Client-Token', description='creates a new messenger token for this service instance', deprecated=True)
-async def client_token():
-    return RedirectResponse('/-/client-token')
+@app.get('/-/ha/replicate', summary='* HA replicate - trigger')
+async def _ha_replicate_to_ha(request: Request, background_tasks: BackgroundTasks):
+    if HA_REPLICATE is None or HA_ROLE is None:
+        logger.warning('HA replicate endpoint triggerd, but no value for "HA_REPLICATE" or "HA_ROLE" is set!')
+        return JSONr(status_code=503, content={'status': 503, 'detail': 'no value for "HA_REPLICATE" or "HA_ROLE" set'})
+
+    session = sessionmaker(bind=db)()
+    origins = [origin.serialize() for origin in session.query(Origin).all()]
+    leases = [lease.serialize(renewal_period=LEASE_RENEWAL_PERIOD, renewal_delta=LEASE_RENEWAL_DELTA) for lease in session.query(Lease).all()]
+
+    background_tasks.add_task(ha_replicate, logger, HA_REPLICATE, HA_ROLE, VERSION, DLS_URL, DLS_PORT, SITE_KEY_XID, INSTANCE_REF, origins, leases)
+    return JSONr(status_code=202, content=None)
+
+
+@app.put('/-/ha/replicate', summary='* HA replicate')
+async def _ha_replicate_by_ha(request: Request):
+    j, cur_time = json_loads((await request.body()).decode('utf-8')), datetime.utcnow()
+
+    if HA_REPLICATE is None:
+        logger.warning(f'HA replicate endpoint triggerd, but no value for "HA_REPLICATE" is set!')
+        return JSONr(status_code=503, content={'status': 503, 'detail': 'no value for "HA_REPLICATE" set'})
+
+    version = j.get('VERSION')
+    if version != VERSION:
+        logger.error(f'Version missmatch on HA replication task!')
+        return JSONr(status_code=503, content={'status': 503, 'detail': 'Missmatch for "VERSION"'})
+
+    site_key_xid = j.get('SITE_KEY_XID')
+    if site_key_xid != SITE_KEY_XID:
+        logger.error(f'Site-Key missmatch on HA replication task!')
+        return JSONr(status_code=503, content={'status': 503, 'detail': 'Missmatch for "SITE_KEY_XID"'})
+
+    instance_ref = j.get('INSTANCE_REF')
+    if instance_ref != INSTANCE_REF:
+        logger.error(f'Version missmatch on HA replication task!')
+        return JSONr(status_code=503, content={'status': 503, 'detail': 'Missmatch for "INSTANCE_REF"'})
+
+    sync_timestamp, max_seconds_behind = datetime.fromisoformat(j.get('sync_timestamp')), 30
+    if sync_timestamp <= cur_time - timedelta(seconds=max_seconds_behind):
+        logger.error(f'Request time more than {max_seconds_behind}s behind!')
+        return JSONr(status_code=503, content={'status': 503, 'detail': 'Request time behind'})
+
+    origins, leases = j.get('origins'), j.get('leases')
+    for origin in origins:
+        origin_ref = origin.get('origin_ref')
+        logging.info(f'> [    ha    ]: origin {origin_ref}')
+        data = Origin.deserialize(origin)
+        Origin.create_or_update(db, data)
+
+    for lease in leases:
+        lease_ref = lease.get('lease_ref')
+        x = Lease.find_by_lease_ref(db, lease_ref)
+        if x is not None and x.lease_updated > sync_timestamp:
+            continue
+        logging.info(f'> [    ha    ]: lease {lease_ref}')
+        data = Lease.deserialize(lease)
+        Lease.create_or_update(db, data)
+
+    return JSONr(status_code=202, content=None)
 
 
 # venv/lib/python3.9/site-packages/nls_services_auth/test/test_origins_controller.py
-# {"candidate_origin_ref":"00112233-4455-6677-8899-aabbccddeeff","environment":{"fingerprint":{"mac_address_list":["ff:ff:ff:ff:ff:ff"]},"hostname":"my-hostname","ip_address_list":["192.168.178.123","fe80::","fe80::1%enp6s18"],"guest_driver_version":"510.85.02","os_platform":"Debian GNU/Linux 11 (bullseye) 11","os_version":"11 (bullseye)"},"registration_pending":false,"update_pending":false}
 @app.post('/auth/v1/origin', description='find or create an origin')
 async def auth_v1_origin(request: Request):
-    j, cur_time = json.loads((await request.body()).decode('utf-8')), datetime.utcnow()
+    j, cur_time = json_loads((await request.body()).decode('utf-8')), datetime.utcnow()
 
-    origin_ref = j['candidate_origin_ref']
+    origin_ref = j.get('candidate_origin_ref')
     logging.info(f'> [  origin  ]: {origin_ref}: {j}')
 
     data = Origin(
         origin_ref=origin_ref,
-        hostname=j['environment']['hostname'],
-        guest_driver_version=j['environment']['guest_driver_version'],
-        os_platform=j['environment']['os_platform'], os_version=j['environment']['os_version'],
+        hostname=j.get('environment').get('hostname'),
+        guest_driver_version=j.get('environment').get('guest_driver_version'),
+        os_platform=j.get('environment').get('os_platform'), os_version=j.get('environment').get('os_version'),
     )
 
     Origin.create_or_update(db, data)
 
     response = {
         "origin_ref": origin_ref,
-        "environment": j['environment'],
+        "environment": j.get('environment'),
         "svc_port_set_list": None,
         "node_url_list": None,
         "node_query_order": None,
@@ -243,44 +348,42 @@ async def auth_v1_origin(request: Request):
         "sync_timestamp": cur_time.isoformat()
     }
 
-    return JSONResponse(response)
+    return JSONr(response)
 
 
 # venv/lib/python3.9/site-packages/nls_services_auth/test/test_origins_controller.py
-# { "environment" : { "guest_driver_version" : "guest_driver_version", "hostname" : "myhost", "ip_address_list" : [ "192.168.1.129" ], "os_version" : "os_version", "os_platform" : "os_platform", "fingerprint" : { "mac_address_list" : [ "e4:b9:7a:e5:7b:ff" ] }, "host_driver_version" : "host_driver_version" }, "origin_ref" : "00112233-4455-6677-8899-aabbccddeeff" }
 @app.post('/auth/v1/origin/update', description='update an origin evidence')
 async def auth_v1_origin_update(request: Request):
-    j, cur_time = json.loads((await request.body()).decode('utf-8')), datetime.utcnow()
+    j, cur_time = json_loads((await request.body()).decode('utf-8')), datetime.utcnow()
 
-    origin_ref = j['origin_ref']
+    origin_ref = j.get('origin_ref')
     logging.info(f'> [  update  ]: {origin_ref}: {j}')
 
     data = Origin(
         origin_ref=origin_ref,
-        hostname=j['environment']['hostname'],
-        guest_driver_version=j['environment']['guest_driver_version'],
-        os_platform=j['environment']['os_platform'], os_version=j['environment']['os_version'],
+        hostname=j.get('environment').get('hostname'),
+        guest_driver_version=j.get('environment').get('guest_driver_version'),
+        os_platform=j.get('environment').get('os_platform'), os_version=j.get('environment').get('os_version'),
     )
 
     Origin.create_or_update(db, data)
 
     response = {
-        "environment": j['environment'],
+        "environment": j.get('environment'),
         "prompts": None,
         "sync_timestamp": cur_time.isoformat()
     }
 
-    return JSONResponse(response)
+    return JSONr(response)
 
 
 # venv/lib/python3.9/site-packages/nls_services_auth/test/test_auth_controller.py
 # venv/lib/python3.9/site-packages/nls_core_auth/auth.py - CodeResponse
-# {"code_challenge":"...","origin_ref":"00112233-4455-6677-8899-aabbccddeeff"}
 @app.post('/auth/v1/code', description='get an authorization code')
 async def auth_v1_code(request: Request):
-    j, cur_time = json.loads((await request.body()).decode('utf-8')), datetime.utcnow()
+    j, cur_time = json_loads((await request.body()).decode('utf-8')), datetime.utcnow()
 
-    origin_ref = j['origin_ref']
+    origin_ref = j.get('origin_ref')
     logging.info(f'> [   code   ]: {origin_ref}: {j}')
 
     delta = relativedelta(minutes=15)
@@ -289,8 +392,8 @@ async def auth_v1_code(request: Request):
     payload = {
         'iat': timegm(cur_time.timetuple()),
         'exp': timegm(expires.timetuple()),
-        'challenge': j['code_challenge'],
-        'origin_ref': j['origin_ref'],
+        'challenge': j.get('code_challenge'),
+        'origin_ref': j.get('origin_ref'),
         'key_ref': SITE_KEY_XID,
         'kid': SITE_KEY_XID
     }
@@ -303,23 +406,27 @@ async def auth_v1_code(request: Request):
         "prompts": None
     }
 
-    return JSONResponse(response)
+    return JSONr(response)
 
 
 # venv/lib/python3.9/site-packages/nls_services_auth/test/test_auth_controller.py
 # venv/lib/python3.9/site-packages/nls_core_auth/auth.py - TokenResponse
-# {"auth_code":"...","code_verifier":"..."}
 @app.post('/auth/v1/token', description='exchange auth code and verifier for token')
 async def auth_v1_token(request: Request):
-    j, cur_time = json.loads((await request.body()).decode('utf-8')), datetime.utcnow()
-    payload = jwt.decode(token=j['auth_code'], key=jwt_decode_key)
+    j, cur_time = json_loads((await request.body()).decode('utf-8')), datetime.utcnow()
 
-    origin_ref = payload['origin_ref']
+    try:
+        payload = jwt.decode(token=j.get('auth_code'), key=jwt_decode_key)
+    except JWTError as e:
+        return JSONr(status_code=400, content={'status': 400, 'title': 'invalid token', 'detail': str(e)})
+
+    origin_ref = payload.get('origin_ref')
     logging.info(f'> [   auth   ]: {origin_ref}: {j}')
 
     # validate the code challenge
-    if payload['challenge'] != b64enc(sha256(j['code_verifier'].encode('utf-8')).digest()).rstrip(b'=').decode('utf-8'):
-        raise HTTPException(status_code=401, detail='expected challenge did not match verifier')
+    challenge = b64enc(sha256(j.get('code_verifier').encode('utf-8')).digest()).rstrip(b'=').decode('utf-8')
+    if payload.get('challenge') != challenge:
+        return JSONr(status_code=401, content={'status': 401, 'detail': 'expected challenge did not match verifier'})
 
     access_expires_on = cur_time + TOKEN_EXPIRE_DELTA
 
@@ -342,36 +449,44 @@ async def auth_v1_token(request: Request):
         "sync_timestamp": cur_time.isoformat(),
     }
 
-    return JSONResponse(response)
+    return JSONr(response)
 
 
-# {'fulfillment_context': {'fulfillment_class_ref_list': []}, 'lease_proposal_list': [{'license_type_qualifiers': {'count': 1}, 'product': {'name': 'NVIDIA RTX Virtual Workstation'}}], 'proposal_evaluation_mode': 'ALL_OF', 'scope_ref_list': ['00112233-4455-6677-8899-aabbccddeeff']}
+# venv/lib/python3.9/site-packages/nls_services_lease/test/test_lease_multi_controller.py
 @app.post('/leasing/v1/lessor', description='request multiple leases (borrow) for current origin')
 async def leasing_v1_lessor(request: Request):
-    j, token, cur_time = json.loads((await request.body()).decode('utf-8')), __get_token(request), datetime.utcnow()
+    j, token, cur_time = json_loads((await request.body()).decode('utf-8')), __get_token(request), datetime.utcnow()
+
+    try:
+        token = __get_token(request)
+    except JWTError:
+        return JSONr(status_code=401, content={'status': 401, 'detail': 'token is not valid'})
 
     origin_ref = token.get('origin_ref')
-    scope_ref_list = j['scope_ref_list']
+    scope_ref_list = j.get('scope_ref_list')
     logging.info(f'> [  create  ]: {origin_ref}: create leases for scope_ref_list {scope_ref_list}')
 
     lease_result_list = []
     for scope_ref in scope_ref_list:
+        # if scope_ref not in [ALLOTMENT_REF]:
+        #     return JSONr(status_code=500, detail=f'no service instances found for scopes: ["{scope_ref}"]')
+
+        lease_ref = str(uuid4())
         expires = cur_time + LEASE_EXPIRE_DELTA
         lease_result_list.append({
             "ordinal": 0,
             # https://docs.nvidia.com/license-system/latest/nvidia-license-system-user-guide/index.html
             "lease": {
-                "ref": scope_ref,
+                "ref": lease_ref,
                 "created": cur_time.isoformat(),
                 "expires": expires.isoformat(),
-                # The percentage of the lease period that must elapse before a licensed client can renew a license
-                "recommended_lease_renewal": 0.15,
+                "recommended_lease_renewal": LEASE_RENEWAL_PERIOD,
                 "offline_lease": "true",
                 "license_type": "CONCURRENT_COUNTED_SINGLE"
             }
         })
 
-        data = Lease(origin_ref=origin_ref, lease_ref=scope_ref, lease_created=cur_time, lease_expires=expires)
+        data = Lease(origin_ref=origin_ref, lease_ref=lease_ref, lease_created=cur_time, lease_expires=expires)
         Lease.create_or_update(db, data)
 
     response = {
@@ -381,7 +496,7 @@ async def leasing_v1_lessor(request: Request):
         "prompts": None
     }
 
-    return JSONResponse(response)
+    return JSONr(response)
 
 
 # venv/lib/python3.9/site-packages/nls_services_lease/test/test_lease_multi_controller.py
@@ -401,9 +516,10 @@ async def leasing_v1_lessor_lease(request: Request):
         "prompts": None
     }
 
-    return JSONResponse(response)
+    return JSONr(response)
 
 
+# venv/lib/python3.9/site-packages/nls_services_lease/test/test_lease_single_controller.py
 # venv/lib/python3.9/site-packages/nls_core_lease/lease_single.py
 @app.put('/leasing/v1/lease/{lease_ref}', description='renew a lease')
 async def leasing_v1_lease_renew(request: Request, lease_ref: str):
@@ -414,13 +530,13 @@ async def leasing_v1_lease_renew(request: Request, lease_ref: str):
 
     entity = Lease.find_by_origin_ref_and_lease_ref(db, origin_ref, lease_ref)
     if entity is None:
-        raise HTTPException(status_code=404, detail='requested lease not available')
+        return JSONr(status_code=404, content={'status': 404, 'detail': 'requested lease not available'})
 
     expires = cur_time + LEASE_EXPIRE_DELTA
     response = {
         "lease_ref": lease_ref,
         "expires": expires.isoformat(),
-        "recommended_lease_renewal": 0.16,
+        "recommended_lease_renewal": LEASE_RENEWAL_PERIOD,
         "offline_lease": True,
         "prompts": None,
         "sync_timestamp": cur_time.isoformat(),
@@ -428,9 +544,10 @@ async def leasing_v1_lease_renew(request: Request, lease_ref: str):
 
     Lease.renew(db, entity, expires, cur_time)
 
-    return JSONResponse(response)
+    return JSONr(response)
 
 
+# venv/lib/python3.9/site-packages/nls_services_lease/test/test_lease_single_controller.py
 @app.delete('/leasing/v1/lease/{lease_ref}', description='release (return) a lease')
 async def leasing_v1_lease_delete(request: Request, lease_ref: str):
     token, cur_time = __get_token(request), datetime.utcnow()
@@ -440,12 +557,12 @@ async def leasing_v1_lease_delete(request: Request, lease_ref: str):
 
     entity = Lease.find_by_lease_ref(db, lease_ref)
     if entity.origin_ref != origin_ref:
-        raise HTTPException(status_code=403, detail='access or operation forbidden')
+        return JSONr(status_code=403, content={'status': 403, 'detail': 'access or operation forbidden'})
     if entity is None:
-        raise HTTPException(status_code=404, detail='requested lease not available')
+        return JSONr(status_code=404, content={'status': 404, 'detail': 'requested lease not available'})
 
     if Lease.delete(db, lease_ref) == 0:
-        raise HTTPException(status_code=404, detail='lease not found')
+        return JSONr(status_code=404, content={'status': 404, 'detail': 'lease not found'})
 
     response = {
         "lease_ref": lease_ref,
@@ -453,9 +570,10 @@ async def leasing_v1_lease_delete(request: Request, lease_ref: str):
         "sync_timestamp": cur_time.isoformat(),
     }
 
-    return JSONResponse(response)
+    return JSONr(response)
 
 
+# venv/lib/python3.9/site-packages/nls_services_lease/test/test_lease_multi_controller.py
 @app.delete('/leasing/v1/lessor/leases', description='release all leases')
 async def leasing_v1_lessor_lease_remove(request: Request):
     token, cur_time = __get_token(request), datetime.utcnow()
@@ -473,7 +591,57 @@ async def leasing_v1_lessor_lease_remove(request: Request):
         "prompts": None
     }
 
-    return JSONResponse(response)
+    return JSONr(response)
+
+
+@app.post('/leasing/v1/lessor/shutdown', description='shutdown all leases')
+async def leasing_v1_lessor_shutdown(request: Request):
+    j, cur_time = json_loads((await request.body()).decode('utf-8')), datetime.utcnow()
+
+    token = j.get('token')
+    token = jwt.decode(token=token, key=jwt_decode_key, algorithms=ALGORITHMS.RS256, options={'verify_aud': False})
+    origin_ref = token.get('origin_ref')
+
+    released_lease_list = list(map(lambda x: x.lease_ref, Lease.find_by_origin_ref(db, origin_ref)))
+    deletions = Lease.cleanup(db, origin_ref)
+    logging.info(f'> [ shutdown ]: {origin_ref}: removed {deletions} leases')
+
+    response = {
+        "released_lease_list": released_lease_list,
+        "release_failure_list": None,
+        "sync_timestamp": cur_time.isoformat(),
+        "prompts": None
+    }
+
+    return JSONr(response)
+
+
+@app.on_event('startup')
+async def app_on_startup():
+    logger.info(f'''
+    Using timezone: {str(TZ)}. Make sure this is correct and match your clients!
+    
+    Your clients renew their license every {str(Lease.calculate_renewal(LEASE_RENEWAL_PERIOD, LEASE_RENEWAL_DELTA))}.
+    If the renewal fails, the license is {str(LEASE_RENEWAL_DELTA)} valid.
+    
+    Your client-token file (.tok) is valid for {str(CLIENT_TOKEN_EXPIRE_DELTA)}.
+    ''')
+
+    if HA_REPLICATE is not None and HA_ROLE is not None:
+        from hashlib import sha1
+
+        sha1digest = sha1(INSTANCE_KEY_RSA.export_key()).hexdigest()
+        fingerprint_key = ':'.join(sha1digest[i: i + 2] for i in range(0, len(sha1digest), 2))
+        sha1digest = sha1(INSTANCE_KEY_PUB.export_key()).hexdigest()
+        fingerprint_pub = ':'.join(sha1digest[i: i + 2] for i in range(0, len(sha1digest), 2))
+
+        logger.info(f'''
+    HA mode is enabled. Make sure theses fingerprints matches on all your nodes:
+      - INSTANCE_KEY_RSA: "{str(fingerprint_key)}"
+      - INSTANCE_KEY_PUB: "{str(fingerprint_pub)}"
+    
+    This node ({HA_ROLE}) listens to "https://{DLS_URL}:{DLS_PORT}" and replicates to "https://{HA_REPLICATE}".
+        ''')
 
 
 if __name__ == '__main__':

app/orm.py

@@ -1,9 +1,9 @@
-import datetime
+from datetime import datetime, timedelta
+from dateutil.relativedelta import relativedelta
 
-from sqlalchemy import Column, VARCHAR, CHAR, ForeignKey, DATETIME, update, and_, inspect
-from sqlalchemy.ext.declarative import declarative_base
+from sqlalchemy import Column, VARCHAR, CHAR, ForeignKey, DATETIME, update, and_, inspect, text
 from sqlalchemy.engine import Engine
-from sqlalchemy.orm import sessionmaker
+from sqlalchemy.orm import sessionmaker, declarative_base
 
 Base = declarative_base()
 
@@ -13,6 +13,7 @@ class Origin(Base):
 
     origin_ref = Column(CHAR(length=36), primary_key=True, unique=True, index=True)  # uuid4
 
+    # service_instance_xid = Column(CHAR(length=36), nullable=False, index=True)  # uuid4 # not necessary, we only support one service_instance_xid ('INSTANCE_REF')
     hostname = Column(VARCHAR(length=256), nullable=True)
     guest_driver_version = Column(VARCHAR(length=10), nullable=True)
     os_platform = Column(VARCHAR(length=256), nullable=True)
@@ -24,12 +25,23 @@ class Origin(Base):
     def serialize(self) -> dict:
         return {
             'origin_ref': self.origin_ref,
+            # 'service_instance_xid': self.service_instance_xid,
             'hostname': self.hostname,
             'guest_driver_version': self.guest_driver_version,
             'os_platform': self.os_platform,
             'os_version': self.os_version,
         }
 
+    @staticmethod
+    def deserialize(j) -> "Origin":
+        return Origin(
+            origin_ref=j.get('origin_ref'),
+            hostname=j.get('hostname'),
+            guest_driver_version=j.get('guest_driver_version'),
+            os_platform=j.get('os_platform'),
+            os_version=j.get('os_version'),
+        )
+
     @staticmethod
     def create_statement(engine: Engine):
         from sqlalchemy.schema import CreateTable
@@ -39,7 +51,6 @@ class Origin(Base):
     def create_or_update(engine: Engine, origin: "Origin"):
         session = sessionmaker(bind=engine)()
         entity = session.query(Origin).filter(Origin.origin_ref == origin.origin_ref).first()
-        print(entity)
         if entity is None:
             session.add(origin)
         else:
@@ -55,12 +66,12 @@ class Origin(Base):
         session.close()
 
     @staticmethod
-    def delete(engine: Engine, origins: ["Origin"] = None) -> int:
+    def delete(engine: Engine, origin_refs: [str] = None) -> int:
         session = sessionmaker(bind=engine)()
-        if origins is None:
+        if origin_refs is None:
             deletions = session.query(Origin).delete()
         else:
-            deletions = session.query(Origin).filter(Origin.origin_ref in origins).delete()
+            deletions = session.query(Origin).filter(Origin.origin_ref in origin_refs).delete()
         session.commit()
         session.close()
         return deletions
@@ -72,6 +83,7 @@ class Lease(Base):
     lease_ref = Column(CHAR(length=36), primary_key=True, nullable=False, index=True)  # uuid4
 
     origin_ref = Column(CHAR(length=36), ForeignKey(Origin.origin_ref, ondelete='CASCADE'), nullable=False, index=True)  # uuid4
+    # scope_ref = Column(CHAR(length=36), nullable=False, index=True)  # uuid4 # not necessary, we only support one scope_ref ('ALLOTMENT_REF')
     lease_created = Column(DATETIME(), nullable=False)
     lease_expires = Column(DATETIME(), nullable=False)
     lease_updated = Column(DATETIME(), nullable=False)
@@ -79,15 +91,30 @@ class Lease(Base):
     def __repr__(self):
         return f'Lease(origin_ref={self.origin_ref}, lease_ref={self.lease_ref}, expires={self.lease_expires})'
 
-    def serialize(self) -> dict:
+    def serialize(self, renewal_period: float, renewal_delta: timedelta) -> dict:
+        lease_renewal = int(Lease.calculate_renewal(renewal_period, renewal_delta).total_seconds())
+        lease_renewal = self.lease_updated + relativedelta(seconds=lease_renewal)
+
         return {
             'lease_ref': self.lease_ref,
             'origin_ref': self.origin_ref,
+            # 'scope_ref': self.scope_ref,
             'lease_created': self.lease_created.isoformat(),
             'lease_expires': self.lease_expires.isoformat(),
             'lease_updated': self.lease_updated.isoformat(),
+            'lease_renewal': lease_renewal.isoformat(),
         }
 
+    @staticmethod
+    def deserialize(j) -> "Lease":
+        return Lease(
+            lease_ref=j.get('lease_ref'),
+            origin_ref=j.get('origin_ref'),
+            lease_created=datetime.fromisoformat(j.get('lease_created')),
+            lease_expires=datetime.fromisoformat(j.get('lease_expires')),
+            lease_updated=datetime.fromisoformat(j.get('lease_updated')),
+        )
+
     @staticmethod
     def create_statement(engine: Engine):
         from sqlalchemy.schema import CreateTable
@@ -130,7 +157,7 @@ class Lease(Base):
         return entity
 
     @staticmethod
-    def renew(engine: Engine, lease: "Lease", lease_expires: datetime.datetime, lease_updated: datetime.datetime):
+    def renew(engine: Engine, lease: "Lease", lease_expires: datetime, lease_updated: datetime):
         session = sessionmaker(bind=engine)()
         x = dict(lease_expires=lease_expires, lease_updated=lease_updated)
         session.execute(update(Lease).where(and_(Lease.origin_ref == lease.origin_ref, Lease.lease_ref == lease.lease_ref)).values(**x))
@@ -153,6 +180,28 @@ class Lease(Base):
         session.close()
         return deletions
 
+    @staticmethod
+    def calculate_renewal(renewal_period: float, delta: timedelta) -> timedelta:
+        """
+        import datetime
+        LEASE_RENEWAL_PERIOD=0.2  # 20%
+        delta = datetime.timedelta(days=1)
+        renew = delta.total_seconds() * LEASE_RENEWAL_PERIOD
+        renew = datetime.timedelta(seconds=renew)
+        expires = delta - renew  # 19.2
+
+        import datetime
+        LEASE_RENEWAL_PERIOD=0.15  # 15%
+        delta = datetime.timedelta(days=90)
+        renew = delta.total_seconds() * LEASE_RENEWAL_PERIOD
+        renew = datetime.timedelta(seconds=renew)
+        expires = delta - renew  # 76 days, 12:00:00 hours
+
+        """
+        renew = delta.total_seconds() * renewal_period
+        renew = timedelta(seconds=renew)
+        return renew
+
 
 def init(engine: Engine):
     tables = [Origin, Lease]
@@ -160,7 +209,7 @@ def init(engine: Engine):
     session = sessionmaker(bind=engine)()
     for table in tables:
         if not db.dialect.has_table(engine.connect(), table.__tablename__):
-            session.execute(str(table.create_statement(engine)))
+            session.execute(text(str(table.create_statement(engine))))
             session.commit()
     session.close()
 
@@ -178,4 +227,14 @@ def migrate(engine: Engine):
             Lease.__table__.drop(bind=engine)
             init(engine)
 
+    # def upgrade_1_2_to_1_3():
+    #    x = db.dialect.get_columns(engine.connect(), Lease.__tablename__)
+    #    x = next((_ for _ in x if _['name'] == 'scope_ref'), None)
+    #    if x is None:
+    #        Lease.scope_ref.compile()
+    #        column_name = Lease.scope_ref.name
+    #        column_type = Lease.scope_ref.type.compile(engine.dialect)
+    #        engine.execute(f'ALTER TABLE "{Lease.__tablename__}" ADD COLUMN "{column_name}" {column_type}')
+
     upgrade_1_0_to_1_1()
+    # upgrade_1_2_to_1_3()

app/util.py

@@ -26,3 +26,29 @@ def generate_key() -> "RsaKey":
         from Cryptodome.PublicKey.RSA import RsaKey
 
     return RSA.generate(bits=2048)
+
+
+def ha_replicate(logger: "logging.Logger", ha_replicate: str, ha_role: str, version: str, dls_url: str, dls_port: int, site_key_xid: str, instance_ref: str, origins: list, leases: list) -> bool:
+    from datetime import datetime
+    import httpx
+
+    if f'{dls_url}:{dls_port}' == ha_replicate:
+        logger.error(f'Failed to replicate this node ({ha_role}) to "{ha_replicate}": can\'t replicate to itself')
+        return False
+
+    data = {
+        'VERSION': str(version),
+        'HA_REPLICATE': f'{dls_url}:{dls_port}',
+        'SITE_KEY_XID': str(site_key_xid),
+        'INSTANCE_REF': str(instance_ref),
+        'origins': origins,
+        'leases': leases,
+        'sync_timestamp': datetime.utcnow().isoformat(),
+    }
+
+    r = httpx.put(f'https://{ha_replicate}/-/ha/replicate', json=data, verify=False)
+    if r.status_code == 202:
+        logger.info(f'Successfully replicated this node ({ha_role}) to "{ha_replicate}".')
+        return True
+    logger.error(f'Failed to replicate this node ({ha_role}) to "{ha_replicate}": {r.status_code} - {r.content}')
+    return False

doc/Database.md

@@ -0,0 +1,26 @@
+# Database structure
+
+## `request_routing.service_instance`
+
+| xid                                    | org_name                 |
+|----------------------------------------|--------------------------|
+| `10000000-0000-0000-0000-000000000000` | `lic-000000000000000000` |
+
+- `xid` is used as `SERVICE_INSTANCE_XID`
+
+## `request_routing.license_allotment_service_instance`
+
+| xid                                    | service_instance_xid                   | license_allotment_xid                  |
+|----------------------------------------|----------------------------------------|----------------------------------------|
+| `90000000-0000-0000-0000-000000000001` | `10000000-0000-0000-0000-000000000000` | `80000000-0000-0000-0000-000000000001` |
+
+- `xid` is only a primary-key and never used as foreign-key or reference
+- `license_allotment_xid` must be used to fetch `xid`'s from `request_routing.license_allotment_reference`
+
+## `request_routing.license_allotment_reference`
+
+| xid                                    | license_allotment_xid                  |
+|----------------------------------------|----------------------------------------|
+| `20000000-0000-0000-0000-000000000001` | `80000000-0000-0000-0000-000000000001` | 
+
+- `xid` is used as `scope_ref_list` on token request

doc/Reverse Engineering Notes.md

@@ -33,6 +33,9 @@ nvidia-gridd[2986]: License acquired successfully. (Info: license.nvidia.space,
 
 Most variables and configs are stored in `/var/lib/docker/volumes/configurations/_data`.
 
+Files can be modified with `docker cp <container-id>:/venv/... /opt/localfile/...` and back.
+(May you need to fix permissions with `docker exec -u 0 <container-id> chown nonroot:nonroot /venv/...`)
+
 ## Dive / Docker image inspector
 
 - `dive dls:appliance`

docker-compose.yml

@@ -0,0 +1,120 @@
+version: '3.9'
+
+x-dls-variables: &dls-variables
+  DLS_URL: localhost  # REQUIRED, change to your ip or hostname
+  DLS_PORT: 443  # must match nginx listen & exposed port
+  LEASE_EXPIRE_DAYS: 90
+  DATABASE: sqlite:////app/database/db.sqlite
+  DEBUG: false
+
+services:
+  dls:
+    image: collinwebdesigns/fastapi-dls:latest
+    restart: always
+    environment:
+      <<: *dls-variables
+    volumes:
+      - /etc/timezone:/etc/timezone:ro
+      - /opt/docker/fastapi-dls/cert:/app/cert  # instance.private.pem, instance.public.pem
+      - db:/app/database
+    entrypoint: ["uvicorn", "main:app", "--host", "0.0.0.0", "--port", "8000", "--app-dir", "/app", "--proxy-headers"]
+    healthcheck:
+      test: ["CMD", "curl", "--fail", "http://localhost:8000/-/health"]
+      interval: 10s
+      timeout: 5s
+      retries: 3
+      start_period: 30s
+  proxy:
+    image: nginx
+    ports:
+      # thees are ports where nginx (!) is listen to
+      - "80:80"  # for "/leasing/v1/lessor/shutdown" used by windows guests, can't be changed!
+      - "443:443"  # first part must match "DLS_PORT"
+    volumes:
+      - /etc/timezone:/etc/timezone:ro
+      - /opt/docker/fastapi-dls/cert:/opt/cert
+    healthcheck:
+      test: ["CMD", "curl", "--insecure", "--fail", "https://localhost/-/health"]
+      interval: 10s
+      timeout: 5s
+      retries: 3
+      start_period: 30s
+    command: |
+      bash -c "bash -s <<\"EOF\"
+      cat > /etc/nginx/nginx.conf <<\"EON\"
+      daemon off;
+      user root;
+      worker_processes auto;
+      
+      events {
+        worker_connections 1024;
+      }
+      
+      http {
+        gzip on;
+        gzip_disable "msie6";
+        include /etc/nginx/mime.types;
+      
+        upstream dls-backend {
+          server dls:8000;  # must match dls listen port
+        }
+      
+        server {
+          listen 443 ssl http2 default_server;
+          listen [::]:443 ssl http2 default_server;
+      
+          root /var/www/html;
+          index index.html;
+          server_name _;
+      
+          ssl_certificate "/opt/cert/webserver.crt";
+          ssl_certificate_key "/opt/cert/webserver.key";
+          ssl_session_cache shared:SSL:1m;
+          ssl_session_timeout  10m;
+          ssl_protocols TLSv1.3 TLSv1.2;
+          # ssl_ciphers "ECDHE-ECDSA-CHACHA20-POLY1305";
+          # ssl_ciphers PROFILE=SYSTEM;
+          ssl_prefer_server_ciphers on;
+      
+          location / {
+            proxy_set_header Host $$http_host;
+            proxy_set_header X-Real-IP $$remote_addr;
+            proxy_set_header X-Forwarded-For $$proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto $$scheme;
+            proxy_pass http://dls-backend$$request_uri;
+          }
+      
+          location = /-/health {
+            access_log off;
+            add_header 'Content-Type' 'application/json';
+            return 200 '{\"status\":\"up\",\"service\":\"nginx\"}';
+          }
+        }
+      
+        server {
+          listen 80;
+          listen [::]:80;
+      
+          root /var/www/html;
+          index index.html;
+          server_name _;
+      
+          location /leasing/v1/lessor/shutdown {
+            proxy_set_header Host $$http_host;
+            proxy_set_header X-Real-IP $$remote_addr;
+            proxy_set_header X-Forwarded-For $$proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto $$scheme;
+            proxy_pass http://dls-backend/leasing/v1/lessor/shutdown;
+          }
+      
+          location / {
+            return 301 https://$$host$$request_uri;
+          }
+        }
+      }
+      EON
+      nginx
+      EOF"
+
+volumes:
+  db:

requirements.txt

@@ -1,8 +1,9 @@
-fastapi==0.88.0
+fastapi==0.92.0
 uvicorn[standard]==0.20.0
 python-jose==3.3.0
-pycryptodome==3.16.0
+pycryptodome==3.17
 python-dateutil==2.8.2
-sqlalchemy==1.4.45
+sqlalchemy==2.0.3
 markdown==3.4.1
-python-dotenv==0.21.0
+python-dotenv==0.21.1
+httpx==0.23.3

test/main.py

@@ -3,7 +3,7 @@ from hashlib import sha256
 from calendar import timegm
 from datetime import datetime
 from os.path import dirname, join
-from uuid import uuid4
+from uuid import uuid4, UUID
 
 from dateutil.relativedelta import relativedelta
 from jose import jwt, jwk
@@ -20,8 +20,7 @@ from app.util import load_key
 
 client = TestClient(main.app)
 
-ORIGIN_REF, LEASE_REF = str(uuid4()), str(uuid4())
-SECRET = "HelloWorld"
+ORIGIN_REF, ALLOTMENT_REF, SECRET = str(uuid4()), '20000000-0000-0000-0000-000000000001', 'HelloWorld'
 
 # INSTANCE_KEY_RSA = generate_key()
 # INSTANCE_KEY_PUB = INSTANCE_KEY_RSA.public_key()
@@ -44,16 +43,15 @@ def test_index():
     assert response.status_code == 200
 
 
-def test_status():
-    response = client.get('/status')
-    assert response.status_code == 200
-    assert response.json()['status'] == 'up'
-
-
 def test_health():
     response = client.get('/-/health')
     assert response.status_code == 200
-    assert response.json()['status'] == 'up'
+    assert response.json().get('status') == 'up'
+
+
+def test_config():
+    response = client.get('/-/config')
+    assert response.status_code == 200
 
 
 def test_readme():
@@ -71,11 +69,6 @@ def test_client_token():
     assert response.status_code == 200
 
 
-def test_client_token_deprecated():
-    response = client.get('/client-token')
-    assert response.status_code == 200
-
-
 def test_origins():
     pass
 
@@ -110,7 +103,7 @@ def test_auth_v1_origin():
 
     response = client.post('/auth/v1/origin', json=payload)
     assert response.status_code == 200
-    assert response.json()['origin_ref'] == ORIGIN_REF
+    assert response.json().get('origin_ref') == ORIGIN_REF
 
 
 def auth_v1_origin_update():
@@ -131,7 +124,7 @@ def auth_v1_origin_update():
 
     response = client.post('/auth/v1/origin/update', json=payload)
     assert response.status_code == 200
-    assert response.json()['origin_ref'] == ORIGIN_REF
+    assert response.json().get('origin_ref') == ORIGIN_REF
 
 
 def test_auth_v1_code():
@@ -143,8 +136,8 @@ def test_auth_v1_code():
     response = client.post('/auth/v1/code', json=payload)
     assert response.status_code == 200
 
-    payload = jwt.get_unverified_claims(token=response.json()['auth_code'])
-    assert payload['origin_ref'] == ORIGIN_REF
+    payload = jwt.get_unverified_claims(token=response.json().get('auth_code'))
+    assert payload.get('origin_ref') == ORIGIN_REF
 
 
 def test_auth_v1_token():
@@ -168,9 +161,9 @@ def test_auth_v1_token():
     response = client.post('/auth/v1/token', json=payload)
     assert response.status_code == 200
 
-    token = response.json()['auth_token']
+    token = response.json().get('auth_token')
     payload = jwt.decode(token=token, key=jwt_decode_key, algorithms=ALGORITHMS.RS256, options={'verify_aud': False})
-    assert payload['origin_ref'] == ORIGIN_REF
+    assert payload.get('origin_ref') == ORIGIN_REF
 
 
 def test_leasing_v1_lessor():
@@ -183,46 +176,67 @@ def test_leasing_v1_lessor():
             'product': {'name': 'NVIDIA RTX Virtual Workstation'}
         }],
         'proposal_evaluation_mode': 'ALL_OF',
-        'scope_ref_list': [LEASE_REF]
+        'scope_ref_list': [ALLOTMENT_REF]
     }
 
     response = client.post('/leasing/v1/lessor', json=payload, headers={'authorization': __bearer_token(ORIGIN_REF)})
     assert response.status_code == 200
 
-    lease_result_list = response.json()['lease_result_list']
+    lease_result_list = response.json().get('lease_result_list')
     assert len(lease_result_list) == 1
-    assert lease_result_list[0]['lease']['ref'] == LEASE_REF
+    assert len(lease_result_list[0]['lease']['ref']) == 36
+    assert str(UUID(lease_result_list[0]['lease']['ref'])) == lease_result_list[0]['lease']['ref']
+
+    return lease_result_list[0]['lease']['ref']
 
 
 def test_leasing_v1_lessor_lease():
     response = client.get('/leasing/v1/lessor/leases', headers={'authorization': __bearer_token(ORIGIN_REF)})
     assert response.status_code == 200
 
-    active_lease_list = response.json()['active_lease_list']
+    active_lease_list = response.json().get('active_lease_list')
     assert len(active_lease_list) == 1
-    assert active_lease_list[0] == LEASE_REF
+    assert len(active_lease_list[0]) == 36
+    assert str(UUID(active_lease_list[0])) == active_lease_list[0]
 
 
 def test_leasing_v1_lease_renew():
-    response = client.put(f'/leasing/v1/lease/{LEASE_REF}', headers={'authorization': __bearer_token(ORIGIN_REF)})
+    response = client.get('/leasing/v1/lessor/leases', headers={'authorization': __bearer_token(ORIGIN_REF)})
+    active_lease_list = response.json().get('active_lease_list')
+    active_lease_ref = active_lease_list[0]
+
+    ###
+
+    response = client.put(f'/leasing/v1/lease/{active_lease_ref}', headers={'authorization': __bearer_token(ORIGIN_REF)})
     assert response.status_code == 200
 
-    assert response.json()['lease_ref'] == LEASE_REF
+    lease_ref = response.json().get('lease_ref')
+    assert len(lease_ref) == 36
+    assert lease_ref == active_lease_ref
 
 
 def test_leasing_v1_lease_delete():
-    response = client.delete(f'/leasing/v1/lease/{LEASE_REF}', headers={'authorization': __bearer_token(ORIGIN_REF)})
+    response = client.get('/leasing/v1/lessor/leases', headers={'authorization': __bearer_token(ORIGIN_REF)})
+    active_lease_list = response.json().get('active_lease_list')
+    active_lease_ref = active_lease_list[0]
+
+    ###
+
+    response = client.delete(f'/leasing/v1/lease/{active_lease_ref}', headers={'authorization': __bearer_token(ORIGIN_REF)})
     assert response.status_code == 200
 
-    assert response.json()['lease_ref'] == LEASE_REF
+    lease_ref = response.json().get('lease_ref')
+    assert len(lease_ref) == 36
+    assert lease_ref == active_lease_ref
 
 
 def test_leasing_v1_lessor_lease_remove():
-    test_leasing_v1_lessor()
+    lease_ref = test_leasing_v1_lessor()
 
     response = client.delete('/leasing/v1/lessor/leases', headers={'authorization': __bearer_token(ORIGIN_REF)})
     assert response.status_code == 200
 
-    released_lease_list = response.json()['released_lease_list']
+    released_lease_list = response.json().get('released_lease_list')
     assert len(released_lease_list) == 1
-    assert released_lease_list[0] == LEASE_REF
+    assert len(released_lease_list[0]) == 36
+    assert released_lease_list[0] == lease_ref

version.env

@@ -1 +1 @@
-VERSION=1.2
+VERSION=1.3.5