Merge branch 'dev' into 'main'

Dev

See merge request oscar.krause/fastapi-dls!41

.DEBIAN/control

@@ -2,7 +2,7 @@ Package: fastapi-dls
 Version: 0.0
 Architecture: all
 Maintainer: Oscar Krause oscar.krause@collinwebdesigns.de
-Depends: python3, python3-fastapi, python3-uvicorn, python3-dotenv, python3-dateutil, python3-jose, python3-sqlalchemy, python3-pycryptodome, python3-markdown, uvicorn, openssl
+Depends: python3, python3-fastapi, python3-uvicorn, python3-dotenv, python3-dateutil, python3-josepy, python3-sqlalchemy, python3-pycryptodome, python3-markdown, uvicorn, openssl
 Recommends: curl
 Installed-Size: 10240
 Homepage: https://git.collinwebdesigns.de/oscar.krause/fastapi-dls

.DEBIAN/requirements-ubuntu-23.04.txt

@@ -1,10 +0,0 @@
-# https://packages.ubuntu.com
-fastapi==0.91.0
-uvicorn[standard]==0.15.0
-python-jose[pycryptodome]==3.3.0
-pycryptodome==3.11.0
-python-dateutil==2.8.2
-sqlalchemy==1.4.46
-markdown==3.4.3
-python-dotenv==0.21.0
-jinja2==3.1.2

.DEBIAN/requirements-ubuntu-23.10.txt

@@ -1,10 +0,0 @@
-# https://packages.ubuntu.com
-fastapi==0.101.0
-uvicorn[standard]==0.23.2
-python-jose[pycryptodome]==3.3.0
-pycryptodome==3.11.0
-python-dateutil==2.8.2
-sqlalchemy==1.4.47
-markdown==3.4.4
-python-dotenv==1.0.0
-jinja2==3.1.2

.DEBIAN/requirements-ubuntu-24.10.txt

@@ -0,0 +1,10 @@
+# https://packages.ubuntu.com
+fastapi==0.110.3
+uvicorn[standard]==0.30.3
+python-jose[pycryptodome]==3.3.0
+pycryptodome==3.20.0
+python-dateutil==2.9.0
+sqlalchemy==2.0.32
+markdown==3.6
+python-dotenv==1.0.1
+jinja2==3.1.3

.gitlab-ci.yml

@@ -20,6 +20,7 @@ build:docker:
       changes:
         - app/**/*
         - Dockerfile
+        - requirements.txt
     - if: $CI_PIPELINE_SOURCE == 'merge_request_event'
   tags: [ docker ]
   before_script:
@@ -126,7 +127,7 @@ build:pacman:
       - "*.pkg.tar.zst"
 
 test:
-  image: $IMAGE
+  image: python:3.12-slim-bookworm
   stage: test
   interruptible: true
   rules:
@@ -141,14 +142,16 @@ test:
     DATABASE: sqlite:///../app/db.sqlite
   parallel:
     matrix:
-      - IMAGE: [ 'python:3.11-slim-bookworm', 'python:3.12-slim-bullseye' ]
+      - REQUIREMENTS:
-        REQUIREMENTS:
+          - 'requirements.txt'
-          - requirements.txt
+#          - '.DEBIAN/requirements-bookworm-12.txt'
-          - .DEBIAN/requirements-bookworm-12.txt
+#          - '.DEBIAN/requirements-ubuntu-24.04.txt'
-          - .DEBIAN/requirements-ubuntu-23.10.txt
+#          - '.DEBIAN/requirements-ubuntu-24.10.txt'
-          - .DEBIAN/requirements-ubuntu-24.04.txt
   before_script:
-    - apt-get update && apt-get install -y python3-dev gcc
+    - apt-get update && apt-get install -y python3-dev python3-pip python3-venv gcc
+    - python3 -m venv venv
+    - source venv/bin/activate
+    - pip install --upgrade pip
     - pip install -r $REQUIREMENTS
     - pip install pytest httpx
     - mkdir -p app/cert
@@ -162,7 +165,7 @@ test:
       dotenv: version.env
       junit: ['**/report.xml']
 
-.test:linux:
+.test:apt:
   stage: test
   rules:
     - if: $CI_COMMIT_BRANCH && $CI_COMMIT_BRANCH != $CI_DEFAULT_BRANCH
@@ -201,15 +204,17 @@ test:
     - apt-get purge -qq -y fastapi-dls
     - apt-get autoremove -qq -y && apt-get clean -qq
 
-test:debian:
+test:apt:
-  extends: .test:linux
+  extends: .test:apt
-  image: debian:bookworm-slim
+  image: $IMAGE
+  parallel:
+    matrix:
+      - IMAGE:
+          - debian:bookworm-slim # EOL: June 06, 2026
+          - ubuntu:24.04 # EOL: April 2036
+          - ubuntu:24.10
 
-test:ubuntu:
+test:pacman:archlinux:
-  extends: .test:linux
-  image: ubuntu:24.04
-
-test:archlinux:
   image: archlinux:base
   rules:
     - if: $CI_COMMIT_BRANCH && $CI_COMMIT_BRANCH != $CI_DEFAULT_BRANCH
@@ -250,7 +255,7 @@ semgrep-sast:
 
 test_coverage:
 #  extends: test
-  image: python:3.11-slim-bookworm
+  image: python:3.12-slim-bookworm
   allow_failure: true
   stage: test
   rules:

Dockerfile

@@ -10,7 +10,7 @@ RUN apk update \
  && apk add --no-cache --virtual build-deps gcc g++ python3-dev musl-dev pkgconfig \
  && apk add --no-cache curl postgresql postgresql-dev mariadb-dev sqlite-dev \
  && pip install --no-cache-dir --upgrade uvicorn \
- && pip install --no-cache-dir psycopg2==2.9.9 mysqlclient==2.2.4 pysqlite3==0.5.2 \
+ && pip install --no-cache-dir psycopg2==2.9.10 mysqlclient==2.2.6 pysqlite3==0.5.4 \
  && pip install --no-cache-dir -r /tmp/requirements.txt \
  && apk del build-deps
 

README.md

@@ -2,7 +2,7 @@
 
 Minimal Delegated License Service (DLS).
 
-Compatibility tested with official NLS 2.0.1, 2.1.0, 3.1.0, 3.3.1. For Driver compatibility
+Compatibility tested with official NLS 2.0.1, 2.1.0, 3.1.0, 3.3.1, 3.4.0. For Driver compatibility
 see [compatibility matrix](#vgpu-software-compatibility-matrix).
 
 This service can be used without internet connection.
@@ -330,11 +330,12 @@ Packages are available here:
 
 Successful tested with:
 
-- Debian 12 (Bookworm) (EOL: tba.)
+- **Debian 12 (Bookworm)** (EOL: June 06, 2026)
-- Ubuntu 22.10 (Kinetic Kudu) (EOL: July 20, 2023)
+- *Ubuntu 22.10 (Kinetic Kudu)* (EOL: July 20, 2023)
-- Ubuntu 23.04 (Lunar Lobster) (EOL: January 2024)
+- *Ubuntu 23.04 (Lunar Lobster)* (EOL: January 2024)
-- Ubuntu 23.10 (Mantic Minotaur) (EOL: July 2024)
+- *Ubuntu 23.10 (Mantic Minotaur)* (EOL: July 2024)
-- Ubuntu 24.04 (Noble Numbat) (EOL: April 2036)
+- **Ubuntu 24.04 (Noble Numbat)** (EOL: April 2036)
+- *Ubuntu 24.10 (Oracular Oriole)* (EOL: tba.)
 
 Not working with:
 
@@ -392,6 +393,10 @@ Now you have to edit `/etc/default/fastapi-dls` as needed.
 
 Continue [here](#unraid-guest) for docker guest setup.
 
+## NixOS
+
+Tanks to [@mrzenc](https://github.com/mrzenc) for [fastapi-dls-nixos](https://github.com/mrzenc/fastapi-dls-nixos).
+
 ## Let's Encrypt Certificate (optional)
 
 If you're using installation via docker, you can use `traefik`. Please refer to their documentation.
@@ -410,21 +415,21 @@ After first success you have to replace `--issue` with `--renew`.
 
 # Configuration
 
-| Variable               | Default                                | Usage                                                                                                |
+| Variable                 | Default                                | Usage                                                                                                                               |
-|------------------------|----------------------------------------|------------------------------------------------------------------------------------------------------|
+|--------------------------|----------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------|
-| `DEBUG`                | `false`                                | Toggles `fastapi` debug mode                                                                         |
+| `DEBUG`                  | `false`                                | Toggles `fastapi` debug mode                                                                                                        |
-| `DLS_URL`              | `localhost`                            | Used in client-token to tell guest driver where dls instance is reachable                            |
+| `DLS_URL`                | `localhost`                            | Used in client-token to tell guest driver where dls instance is reachable                                                           |
-| `DLS_PORT`             | `443`                                  | Used in client-token to tell guest driver where dls instance is reachable                            |
+| `DLS_PORT`               | `443`                                  | Used in client-token to tell guest driver where dls instance is reachable                                                           |
-| `TOKEN_EXPIRE_DAYS`    | `1`                                    | Client auth-token validity (used for authenticate client against api, **not `.tok` file!**)          |
+| `TOKEN_EXPIRE_DAYS`      | `1`                                    | Client auth-token validity (used for authenticate client against api, **not `.tok` file!**)                                         |
-| `LEASE_EXPIRE_DAYS`    | `90`                                   | Lease time in days                                                                                   |
+| `LEASE_EXPIRE_DAYS`      | `90`                                   | Lease time in days                                                                                                                  |
-| `LEASE_RENEWAL_PERIOD` | `0.15`                                 | The percentage of the lease period that must elapse before a licensed client can renew a license \*1 |
+| `LEASE_RENEWAL_PERIOD`   | `0.15`                                 | The percentage of the lease period that must elapse before a licensed client can renew a license \*1                                |
-| `DATABASE`             | `sqlite:///db.sqlite`                  | See [official SQLAlchemy docs](https://docs.sqlalchemy.org/en/14/core/engines.html)                  |
+| `DATABASE`               | `sqlite:///db.sqlite`                  | See [official SQLAlchemy docs](https://docs.sqlalchemy.org/en/14/core/engines.html)                                                 |
-| `CORS_ORIGINS`         | `https://{DLS_URL}`                    | Sets `Access-Control-Allow-Origin` header (comma separated string) \*2                               |
+| `CORS_ORIGINS`           | `https://{DLS_URL}`                    | Sets `Access-Control-Allow-Origin` header (comma separated string) \*2                                                              |
-| `SITE_KEY_XID`         | `00000000-0000-0000-0000-000000000000` | Site identification uuid                                                                             |
+| `SITE_KEY_XID`           | `00000000-0000-0000-0000-000000000000` | Site identification uuid                                                                                                            |
-| `INSTANCE_REF`         | `10000000-0000-0000-0000-000000000001` | Instance identification uuid                                                                         |
+| `INSTANCE_REF`           | `10000000-0000-0000-0000-000000000001` | Instance identification uuid                                                                                                        |
-| `ALLOTMENT_REF`        | `20000000-0000-0000-0000-000000000001` | Allotment identification uuid                                                                        |
+| `ALLOTMENT_REF`          | `20000000-0000-0000-0000-000000000001` | Allotment identification uuid                                                                                                       |
-| `INSTANCE_KEY_RSA`     | `<app-dir>/cert/instance.private.pem`  | Site-wide private RSA key for singing JWTs \*3                                                       |
+| `INSTANCE_KEY_RSA`       | `<app-dir>/cert/instance.private.pem`  | Site-wide private RSA key for singing JWTs \*3                                                                                      |
-| `INSTANCE_KEY_PUB`     | `<app-dir>/cert/instance.public.pem`   | Site-wide public key \*3                                                                             |
+| `INSTANCE_KEY_PUB`       | `<app-dir>/cert/instance.public.pem`   | Site-wide public key \*3                                                                                                            |
 
 \*1 For example, if the lease period is one day and the renewal period is 20%, the client attempts to renew its license
 every 4.8 hours. If network connectivity is lost, the loss of connectivity is detected during license renewal and the
@@ -765,5 +770,6 @@ Special thanks to:
 - @DualCoder who creates the `vgpu_unlock` functionality [vgpu_unlock](https://github.com/DualCoder/vgpu_unlock)
 - Krutav Shah who wrote the [vGPU_Unlock Wiki](https://docs.google.com/document/d/1pzrWJ9h-zANCtyqRgS7Vzla0Y8Ea2-5z2HEi4X75d2Q/)
 - Wim van 't Hoog for the [Proxmox All-In-One Installer Script](https://wvthoog.nl/proxmox-vgpu-v3/)
+- @mrzenc who wrote [fastapi-dls-nixos](https://github.com/mrzenc/fastapi-dls-nixos)
 
 And thanks to all people who contributed to all these libraries!

app/main.py

@@ -2,7 +2,7 @@ import logging
 from base64 import b64encode as b64enc
 from calendar import timegm
 from contextlib import asynccontextmanager
-from datetime import datetime, timedelta
+from datetime import datetime, timedelta, UTC
 from hashlib import sha256
 from json import loads as json_loads
 from os import getenv as env
@@ -238,7 +238,7 @@ async def _lease_delete(request: Request, lease_ref: str):
 # venv/lib/python3.9/site-packages/nls_core_service_instance/service_instance_token_manager.py
 @app.get('/-/client-token', summary='* Client-Token', description='creates a new messenger token for this service instance')
 async def _client_token():
-    cur_time = datetime.utcnow()
+    cur_time = datetime.now(UTC)
     exp_time = cur_time + CLIENT_TOKEN_EXPIRE_DELTA
 
     payload = {
@@ -284,7 +284,7 @@ async def _client_token():
 # venv/lib/python3.9/site-packages/nls_services_auth/test/test_origins_controller.py
 @app.post('/auth/v1/origin', description='find or create an origin')
 async def auth_v1_origin(request: Request):
-    j, cur_time = json_loads((await request.body()).decode('utf-8')), datetime.utcnow()
+    j, cur_time = json_loads((await request.body()).decode('utf-8')), datetime.now(UTC)
 
     origin_ref = j.get('candidate_origin_ref')
     logging.info(f'> [  origin  ]: {origin_ref}: {j}')
@@ -314,7 +314,7 @@ async def auth_v1_origin(request: Request):
 # venv/lib/python3.9/site-packages/nls_services_auth/test/test_origins_controller.py
 @app.post('/auth/v1/origin/update', description='update an origin evidence')
 async def auth_v1_origin_update(request: Request):
-    j, cur_time = json_loads((await request.body()).decode('utf-8')), datetime.utcnow()
+    j, cur_time = json_loads((await request.body()).decode('utf-8')), datetime.now(UTC)
 
     origin_ref = j.get('origin_ref')
     logging.info(f'> [  update  ]: {origin_ref}: {j}')
@@ -341,7 +341,7 @@ async def auth_v1_origin_update(request: Request):
 # venv/lib/python3.9/site-packages/nls_core_auth/auth.py - CodeResponse
 @app.post('/auth/v1/code', description='get an authorization code')
 async def auth_v1_code(request: Request):
-    j, cur_time = json_loads((await request.body()).decode('utf-8')), datetime.utcnow()
+    j, cur_time = json_loads((await request.body()).decode('utf-8')), datetime.now(UTC)
 
     origin_ref = j.get('origin_ref')
     logging.info(f'> [   code   ]: {origin_ref}: {j}')
@@ -373,10 +373,10 @@ async def auth_v1_code(request: Request):
 # venv/lib/python3.9/site-packages/nls_core_auth/auth.py - TokenResponse
 @app.post('/auth/v1/token', description='exchange auth code and verifier for token')
 async def auth_v1_token(request: Request):
-    j, cur_time = json_loads((await request.body()).decode('utf-8')), datetime.utcnow()
+    j, cur_time = json_loads((await request.body()).decode('utf-8')), datetime.now(UTC)
 
     try:
-        payload = jwt.decode(token=j.get('auth_code'), key=jwt_decode_key)
+        payload = jwt.decode(token=j.get('auth_code'), key=jwt_decode_key, algorithms=ALGORITHMS.RS256)
     except JWTError as e:
         return JSONr(status_code=400, content={'status': 400, 'title': 'invalid token', 'detail': str(e)})
 
@@ -415,7 +415,7 @@ async def auth_v1_token(request: Request):
 # venv/lib/python3.9/site-packages/nls_services_lease/test/test_lease_multi_controller.py
 @app.post('/leasing/v1/lessor', description='request multiple leases (borrow) for current origin')
 async def leasing_v1_lessor(request: Request):
-    j, token, cur_time = json_loads((await request.body()).decode('utf-8')), __get_token(request), datetime.utcnow()
+    j, token, cur_time = json_loads((await request.body()).decode('utf-8')), __get_token(request), datetime.now(UTC)
 
     try:
         token = __get_token(request)
@@ -463,7 +463,7 @@ async def leasing_v1_lessor(request: Request):
 # venv/lib/python3.9/site-packages/nls_dal_service_instance_dls/schema/service_instance/V1_0_21__product_mapping.sql
 @app.get('/leasing/v1/lessor/leases', description='get active leases for current origin')
 async def leasing_v1_lessor_lease(request: Request):
-    token, cur_time = __get_token(request), datetime.utcnow()
+    token, cur_time = __get_token(request), datetime.now(UTC)
 
     origin_ref = token.get('origin_ref')
 
@@ -483,7 +483,7 @@ async def leasing_v1_lessor_lease(request: Request):
 # venv/lib/python3.9/site-packages/nls_core_lease/lease_single.py
 @app.put('/leasing/v1/lease/{lease_ref}', description='renew a lease')
 async def leasing_v1_lease_renew(request: Request, lease_ref: str):
-    token, cur_time = __get_token(request), datetime.utcnow()
+    token, cur_time = __get_token(request), datetime.now(UTC)
 
     origin_ref = token.get('origin_ref')
     logging.info(f'> [  renew   ]: {origin_ref}: renew {lease_ref}')
@@ -510,7 +510,7 @@ async def leasing_v1_lease_renew(request: Request, lease_ref: str):
 # venv/lib/python3.9/site-packages/nls_services_lease/test/test_lease_single_controller.py
 @app.delete('/leasing/v1/lease/{lease_ref}', description='release (return) a lease')
 async def leasing_v1_lease_delete(request: Request, lease_ref: str):
-    token, cur_time = __get_token(request), datetime.utcnow()
+    token, cur_time = __get_token(request), datetime.now(UTC)
 
     origin_ref = token.get('origin_ref')
     logging.info(f'> [  return  ]: {origin_ref}: return {lease_ref}')
@@ -536,7 +536,7 @@ async def leasing_v1_lease_delete(request: Request, lease_ref: str):
 # venv/lib/python3.9/site-packages/nls_services_lease/test/test_lease_multi_controller.py
 @app.delete('/leasing/v1/lessor/leases', description='release all leases')
 async def leasing_v1_lessor_lease_remove(request: Request):
-    token, cur_time = __get_token(request), datetime.utcnow()
+    token, cur_time = __get_token(request), datetime.now(UTC)
 
     origin_ref = token.get('origin_ref')
 
@@ -556,7 +556,7 @@ async def leasing_v1_lessor_lease_remove(request: Request):
 
 @app.post('/leasing/v1/lessor/shutdown', description='shutdown all leases')
 async def leasing_v1_lessor_shutdown(request: Request):
-    j, cur_time = json_loads((await request.body()).decode('utf-8')), datetime.utcnow()
+    j, cur_time = json_loads((await request.body()).decode('utf-8')), datetime.now(UTC)
 
     token = j.get('token')
     token = jwt.decode(token=token, key=jwt_decode_key, algorithms=ALGORITHMS.RS256, options={'verify_aud': False})

app/orm.py

@@ -1,4 +1,4 @@
-from datetime import datetime, timedelta
+from datetime import datetime, timedelta, timezone, UTC
 
 from dateutil.relativedelta import relativedelta
 from sqlalchemy import Column, VARCHAR, CHAR, ForeignKey, DATETIME, update, and_, inspect, text
@@ -66,7 +66,17 @@ class Origin(Base):
         if origin_refs is None:
             deletions = session.query(Origin).delete()
         else:
-            deletions = session.query(Origin).filter(Origin.origin_ref in origin_refs).delete()
+            deletions = session.query(Origin).filter(Origin.origin_ref.in_(origin_refs)).delete()
+        session.commit()
+        session.close()
+        return deletions
+
+    @staticmethod
+    def delete_expired(engine: Engine) -> int:
+        session = sessionmaker(bind=engine)()
+        origins = session.query(Origin).join(Lease, Origin.origin_ref == Lease.origin_ref, isouter=True).filter(Lease.lease_ref.is_(None)).all()
+        origin_refs = [origin.origin_ref for origin in origins]
+        deletions = session.query(Origin).filter(Origin.origin_ref.in_(origin_refs)).delete()
         session.commit()
         session.close()
         return deletions
@@ -94,10 +104,10 @@ class Lease(Base):
             'lease_ref': self.lease_ref,
             'origin_ref': self.origin_ref,
             # 'scope_ref': self.scope_ref,
-            'lease_created': self.lease_created.isoformat(),
+            'lease_created': self.lease_created.replace(tzinfo=timezone.utc).isoformat(),
-            'lease_expires': self.lease_expires.isoformat(),
+            'lease_expires': self.lease_expires.replace(tzinfo=timezone.utc).isoformat(),
-            'lease_updated': self.lease_updated.isoformat(),
+            'lease_updated': self.lease_updated.replace(tzinfo=timezone.utc).isoformat(),
-            'lease_renewal': lease_renewal.isoformat(),
+            'lease_renewal': lease_renewal.replace(tzinfo=timezone.utc).isoformat(),
         }
 
     @staticmethod
@@ -168,7 +178,7 @@ class Lease(Base):
     @staticmethod
     def delete_expired(engine: Engine) -> int:
         session = sessionmaker(bind=engine)()
-        deletions = session.query(Lease).filter(Lease.lease_expires <= datetime.utcnow()).delete()
+        deletions = session.query(Lease).filter(Lease.lease_expires <= datetime.now(UTC)).delete()
         session.commit()
         session.close()
         return deletions

requirements.txt

@@ -1,4 +1,4 @@
-fastapi==0.115.3
+fastapi==0.115.5
 uvicorn[standard]==0.32.0
 python-jose==3.3.0
 pycryptodome==3.21.0

test/main.py

@@ -1,7 +1,8 @@
+import sys
 from base64 import b64encode as b64enc
-from hashlib import sha256
 from calendar import timegm
-from datetime import datetime
+from datetime import datetime, UTC
+from hashlib import sha256
 from os.path import dirname, join
 from uuid import uuid4, UUID
 
@@ -9,7 +10,6 @@ from dateutil.relativedelta import relativedelta
 from jose import jwt, jwk
 from jose.constants import ALGORITHMS
 from starlette.testclient import TestClient
-import sys
 
 # add relative path to use packages as they were in the app/ dir
 sys.path.append('../')
@@ -106,6 +106,7 @@ def test_auth_v1_origin():
     assert response.json().get('origin_ref') == ORIGIN_REF
 
 
+
 def auth_v1_origin_update():
     payload = {
         "registration_pending": False,
@@ -141,7 +142,7 @@ def test_auth_v1_code():
 
 
 def test_auth_v1_token():
-    cur_time = datetime.utcnow()
+    cur_time = datetime.now(UTC)
     access_expires_on = cur_time + relativedelta(hours=1)
 
     payload = {
@@ -153,8 +154,7 @@ def test_auth_v1_token():
         "kid": "00000000-0000-0000-0000-000000000000"
     }
     payload = {
-        "auth_code": jwt.encode(payload, key=jwt_encode_key, headers={'kid': payload.get('kid')},
+        "auth_code": jwt.encode(payload, key=jwt_encode_key, headers={'kid': payload.get('kid')}, algorithm=ALGORITHMS.RS256),
-                                algorithm=ALGORITHMS.RS256),
         "code_verifier": SECRET,
     }