merge fixes

# Conflicts:
#	app/orm.py

.DEBIAN/control

@@ -2,7 +2,7 @@ Package: fastapi-dls
 Version: 0.0
 Architecture: all
 Maintainer: Oscar Krause oscar.krause@collinwebdesigns.de
-Depends: python3, python3-fastapi, python3-uvicorn, python3-dotenv, python3-dateutil, python3-jose, python3-sqlalchemy, python3-cryptography, python3-markdown, uvicorn, openssl
+Depends: python3, python3-fastapi, python3-uvicorn, python3-dotenv, python3-dateutil, python3-josepy, python3-sqlalchemy, python3-cryptography, python3-markdown, uvicorn, openssl
 Recommends: curl
 Installed-Size: 10240
 Homepage: https://git.collinwebdesigns.de/oscar.krause/fastapi-dls

.DEBIAN/env.default

@@ -1,9 +1,6 @@
 # Toggle debug mode
 #DEBUG=false
 
-# Cert Path
-CERT_PATH="/etc/fastapi-dls/cert"
-
 # Where the client can find the DLS server
 DLS_URL=127.0.0.1
 DLS_PORT=443
@@ -24,3 +21,7 @@ DATABASE=sqlite:////etc/fastapi-dls/db.sqlite
 #SITE_KEY_XID="00000000-0000-0000-0000-000000000000"
 #INSTANCE_REF="10000000-0000-0000-0000-000000000001"
 #ALLOTMENT_REF="20000000-0000-0000-0000-000000000001"
+
+# Site-wide signing keys
+INSTANCE_KEY_RSA=/etc/fastapi-dls/instance.private.pem
+INSTANCE_KEY_PUB=/etc/fastapi-dls/instance.public.pem

.DEBIAN/postinst

@@ -3,7 +3,13 @@
 WORKING_DIR=/usr/share/fastapi-dls
 CONFIG_DIR=/etc/fastapi-dls
 
-source $CONFIG_DIR/env
+if [ ! -f $CONFIG_DIR/instance.private.pem ]; then
+  echo "> Create dls-instance keypair ..."
+  openssl genrsa -out $CONFIG_DIR/instance.private.pem 2048
+  openssl rsa -in $CONFIG_DIR/instance.private.pem -outform PEM -pubout -out $CONFIG_DIR/instance.public.pem
+else
+  echo "> Create dls-instance keypair skipped! (exists)"
+fi
 
 while true; do
   [ -f $CONFIG_DIR/webserver.key ] && default_answer="N" || default_answer="Y"
@@ -27,32 +33,27 @@ if [ -f $CONFIG_DIR/webserver.key ]; then
 
   if [ -x "$(command -v curl)" ]; then
     echo "> Testing API ..."
+    source $CONFIG_DIR/env
     curl --insecure -X GET https://$DLS_URL:$DLS_PORT/-/health
   else
     echo "> Testing API failed, curl not available. Please test manually!"
   fi
 fi
 
-echo "> Create Certificate-Chain folder ..."
-mkdir -p $CERT_PATH
-
-echo "> Set permissions ..."
 chown -R www-data:www-data $CONFIG_DIR
 chown -R www-data:www-data $WORKING_DIR
 
-echo "> Done."
-
 cat <<EOF
 
 # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
 #                                                                             #
 #    fastapi-dls is now installed.                                            #
 #                                                                             #
-#    Service should be up and running (if you choose to auto-generate         #
+#    Service should be up and running.                                        #
-#     self-signed webserver certificate).                                     #
+#      Webservice is listen to https://localhost                              #
+#                                                                             #
+#    Configuration is stored in /etc/fastapi-dls/env.                         #
 #                                                                             #
-#    - Webservice is listen to https://localhost                              #                                                                       #
-#    - Configuration is stored in /etc/fastapi-dls/env                        #
 #                                                                             #
 # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
 

.PKGBUILD/PKGBUILD

@@ -17,7 +17,7 @@ source=("git+file://${CI_PROJECT_DIR}"
         "$pkgname.service"
         "$pkgname.tmpfiles")
 sha256sums=('SKIP'
-            'a4776a0ae4671751065bf3e98aa707030b8b5ffe42dde942c51050dab5028c54'
+            'fbd015449a30c0ae82733289a56eb98151dcfab66c91b37fe8e202e39f7a5edb'
             '2719338541104c537453a65261c012dda58e1dbee99154cf4f33b526ee6ca22e'
             '3dc60140c08122a8ec0e7fa7f0937eb8c1288058890ba09478420fc30ce9e30c')
 
@@ -30,6 +30,8 @@ pkgver() {
 check() {
     cd "$srcdir/$pkgname/test"
     mkdir "$srcdir/$pkgname/app/cert"
+    openssl genrsa -out "$srcdir/$pkgname/app/cert/instance.private.pem" 2048
+    openssl rsa -in "$srcdir/$pkgname/app/cert/instance.private.pem" -outform PEM -pubout -out "$srcdir/$pkgname/app/cert/instance.public.pem"
     python "$srcdir/$pkgname/test/main.py"
     rm -rf "$srcdir/$pkgname/app/cert"
 }

.PKGBUILD/fastapi-dls.default

@@ -19,6 +19,10 @@ DATABASE="sqlite:////var/lib/fastapi-dls/db.sqlite"
 SITE_KEY_XID="<<sitekey>>"
 INSTANCE_REF="<<instanceref>>"
 
+# Site-wide signing keys
+INSTANCE_KEY_RSA="/var/lib/fastapi-dls/instance.private.pem"
+INSTANCE_KEY_PUB="/var/lib/fastapi-dls/instance.public.pem"
+
 # TLS certificate
 INSTANCE_SSL_CERT="/var/lib/fastapi-dls/cert/webserver.crt"
 INSTANCE_SSL_KEY="/var/lib/fastapi-dls/cert/webserver.key"

.PKGBUILD/fastapi-dls.install

@@ -7,4 +7,8 @@ post_install() {
     echo
     echo 'A valid HTTPS certificate needs to be installed to /var/lib/fastapi-dls/cert/webserver.{crt,key}'
     echo 'A self-signed certificate can be generated with: openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout /var/lib/fastapi-dls/cert/webserver.key -out /var/lib/fastapi-dls/cert/webserver.crt'
+    echo
+    echo 'The signing keys for your instance need to be generated as well. Generate them with these commands:'
+    echo 'openssl genrsa -out /var/lib/fastapi-dls/instance.private.pem 2048'
+    echo 'openssl rsa -in /var/lib/fastapi-dls/instance.private.pem -outform PEM -pubout -out /var/lib/fastapi-dls/instance.public.pem'
 }

.UNRAID/FastAPI-DLS.xml

@@ -18,6 +18,9 @@ Make sure you create these certificates before starting the container for the fi
 WORKING_DIR=/mnt/user/appdata/fastapi-dls/cert
 mkdir -p $WORKING_DIR
 cd $WORKING_DIR
+# create instance private and public key for singing JWT's
+openssl genrsa -out $WORKING_DIR/instance.private.pem 2048 
+openssl rsa -in $WORKING_DIR/instance.private.pem -outform PEM -pubout -out $WORKING_DIR/instance.public.pem
 # create ssl certificate for integrated webserver (uvicorn) - because clients rely on ssl
 openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout  $WORKING_DIR/webserver.key -out $WORKING_DIR/webserver.crt
 ```


.gitlab-ci.yml

@@ -151,6 +151,8 @@ test:python:
     - pip install -r requirements.txt
     - pip install pytest pytest-cov pytest-custom_exit_code httpx
     - mkdir -p app/cert
+    - openssl genrsa -out app/cert/instance.private.pem 2048
+    - openssl rsa -in app/cert/instance.private.pem -outform PEM -pubout -out app/cert/instance.public.pem
     - cd test
   script:
     - python -m pytest main.py --junitxml=report.xml
@@ -162,22 +164,20 @@ test:apt:
   image: $IMAGE
   stage: test
   rules:
-    - if: ($CI_PIPELINE_SOURCE == 'merge_request_event') || ($CI_COMMIT_BRANCH && $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH)
+    - if: $CI_COMMIT_BRANCH && $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
+    - if: $CI_PIPELINE_SOURCE == 'merge_request_event'
       changes:
         - app/**/*
         - .DEBIAN/**/*
-        - .gitlab-ci.yml
+    - if: $CI_PIPELINE_SOURCE == 'merge_request_event'
-      variables:
-        VERSION: "0.0.1"
   parallel:
     matrix:
       - IMAGE:
-          # - debian:trixie-slim # EOL: t.b.a.; "python3-jose" not available, but "python3-josepy"
+          - debian:trixie-slim # EOL: t.b.a.
           - debian:bookworm-slim # EOL: June 06, 2026
           - debian:bookworm-slim # EOL: June 06, 2026
           - ubuntu:24.04 # EOL: April 2036
-          # - ubuntu:24.10 # EOL: t.b.a.; "python3-jose" not available, but "python3-josepy"
+          - ubuntu:24.10
-          # - ubuntu:25.04 # EOL: t.b.a.; "python3-jose" not available, but "python3-josepy"
   needs:
     - job: build:apt
       artifacts: true
@@ -212,7 +212,8 @@ test:apt:
 test:pacman:archlinux:
   image: archlinux:base
   rules:
-    - if: ($CI_PIPELINE_SOURCE == 'merge_request_event') || ($CI_COMMIT_BRANCH && $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH)
+    - if: $CI_COMMIT_BRANCH && $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
+    - if: $CI_PIPELINE_SOURCE == 'merge_request_event'
       changes:
         - app/**/*
         - .PKGBUILD/**/*
@@ -262,6 +263,8 @@ test_coverage:
     - pip install -r requirements.txt
     - pip install pytest pytest-cov pytest-custom_exit_code httpx
     - mkdir -p app/cert
+    - openssl genrsa -out app/cert/instance.private.pem 2048
+    - openssl rsa -in app/cert/instance.private.pem -outform PEM -pubout -out app/cert/instance.public.pem
     - cd test
   script:
     - coverage run -m pytest main.py --junitxml=report.xml --suppress-no-test-exit-code
@@ -377,7 +380,7 @@ deploy:pacman:
 release:
   image: registry.gitlab.com/gitlab-org/release-cli:latest
   stage: .post
-  needs: [ deploy:docker, deploy:apt, deploy:pacman ]
+  needs: [ build:docker, build:apt, build:pacman ]
   rules:
     - if: $CI_COMMIT_TAG
   script:
@@ -392,4 +395,4 @@ release:
         - name: 'Package Registry'
           url: 'https://git.collinwebdesigns.de/oscar.krause/fastapi-dls/-/packages'
         - name: 'Container Registry'
-          url: 'https://git.collinwebdesigns.de/oscar.krause/fastapi-dls/container_registry/70'
+          url: 'https://git.collinwebdesigns.de/oscar.krause/fastapi-dls/container_registry/40'

README.md

@@ -2,15 +2,12 @@
 
 Minimal Delegated License Service (DLS).
 
-> [!warning] Branch support
-> FastAPI-DLS Version 1.x supports up to **`17.x`** releases. \
-> FastAPI-DLS Version 2.x is backwards compatible to `17.x` and supports **`18.x`** releases in combination
-> with [gridd-unlock-patcher](https://git.collinwebdesigns.de/vgpu/gridd-unlock-patcher).
-> Other combinations of FastAPI-DLS and Driver-Branches may work but are not tested.
-
 > [!note] Compatibility
-> Compatibility tested with official NLS 2.0.1, 2.1.0, 3.1.0, 3.3.1, 3.4.0. **For Driver compatibility
+> Compatibility tested with official NLS 2.0.1, 2.1.0, 3.1.0, 3.3.1, 3.4.0. For Driver compatibility
-> see [compatibility matrix](#vgpu-software-compatibility-matrix)**.
+> see [compatibility matrix](#vgpu-software-compatibility-matrix).
+
+> [!warning] 18.x Drivers are not yet supported!
+> Drivers are only supported until **17.x releases**.
 
 This service can be used without internet connection.
 Only the clients need a connection to this service on configured port.
@@ -18,6 +15,7 @@ Only the clients need a connection to this service on configured port.
 **Official Links**
 
 * https://git.collinwebdesigns.de/oscar.krause/fastapi-dls (Private Git)
+* https://gitea.publichub.eu/oscar.krause/fastapi-dls (Public Git)
 * https://hub.docker.com/r/collinwebdesigns/fastapi-dls (Docker-Hub `collinwebdesigns/fastapi-dls:latest`)
 
 *All other repositories are forks! (which  is no bad - just for information and bug reports)*
@@ -68,6 +66,9 @@ The images include database drivers for `postgres`, `mariadb` and `sqlite`.
 WORKING_DIR=/opt/docker/fastapi-dls/cert
 mkdir -p $WORKING_DIR
 cd $WORKING_DIR
+# create instance private and public key for singing JWT's
+openssl genrsa -out $WORKING_DIR/instance.private.pem 2048 
+openssl rsa -in $WORKING_DIR/instance.private.pem -outform PEM -pubout -out $WORKING_DIR/instance.public.pem
 # create ssl certificate for integrated webserver (uvicorn) - because clients rely on ssl
 openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout  $WORKING_DIR/webserver.key -out $WORKING_DIR/webserver.crt
 ```
@@ -152,6 +153,9 @@ chown -R www-data:www-data $WORKING_DIR
 WORKING_DIR=/opt/fastapi-dls/app/cert
 mkdir -p $WORKING_DIR
 cd $WORKING_DIR
+# create instance private and public key for singing JWT's
+openssl genrsa -out $WORKING_DIR/instance.private.pem 2048 
+openssl rsa -in $WORKING_DIR/instance.private.pem -outform PEM -pubout -out $WORKING_DIR/instance.public.pem
 # create ssl certificate for integrated webserver (uvicorn) - because clients rely on ssl
 openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout  $WORKING_DIR/webserver.key -out $WORKING_DIR/webserver.crt
 chown -R www-data:www-data $WORKING_DIR
@@ -251,6 +255,9 @@ CERT_DIR=${BASE_DIR}/app/cert
 SERVICE_USER=dls
 mkdir ${CERT_DIR}
 cd ${CERT_DIR}
+# create instance private and public key for singing JWT's
+openssl genrsa -out ${CERT_DIR}/instance.private.pem 2048 
+openssl rsa -in ${CERT_DIR}/instance.private.pem -outform PEM -pubout -out ${CERT_DIR}/instance.public.pem
 # create ssl certificate for integrated webserver (uvicorn) - because clients rely on ssl
 openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout  ${CERT_DIR}/webserver.key -out ${CERT_DIR}/webserver.crt
 chown -R ${SERVICE_USER} ${CERT_DIR}
@@ -333,13 +340,12 @@ Successful tested with (**LTS Version**):
 - *Ubuntu 23.04 (Lunar Lobster)* (EOL: January 2024)
 - *Ubuntu 23.10 (Mantic Minotaur)* (EOL: July 2024)
 - **Ubuntu 24.04 (Noble Numbat)** (EOL: Apr 2029)
+- *Ubuntu 24.10 (Oracular Oriole)* (EOL: Jul 2025)
 
 Not working with:
 
 - Debian 11 (Bullseye) and lower (missing `python-jose` dependency)
-- Debian 13 (Trixie) (missing `python-jose` dependency)
 - Ubuntu 22.04 (Jammy Jellyfish) (not supported as for 15.01.2023 due to [fastapi - uvicorn version missmatch](https://bugs.launchpad.net/ubuntu/+source/fastapi/+bug/1970557))
-- Ubuntu 24.10 (Oracular Oriole) (missing `python-jose` dependency)
 
 **Run this on your server instance**
 
@@ -415,148 +421,13 @@ acme.sh --issue -d example.com \
 
 After first success you have to replace `--issue` with `--renew`.
 
-## Nginx Reverse Proxy (experimental)
+# Configuration
-
-- This guide is written for Debian/Ubuntu systems, other may work, but you have to do your setup on your own
-- Uvicorn does no longer serve requests directly
-- NGINX is used as HTTP & HTTPS entrypoint
-- Assumes you already have set up webserver certificate and private-key
-
-**Install Nginx Webserver**
-
-```shell
-apt-get install nginx-light
-```
-
-**Remove default vhost**
-
-```shell
-rm /etc/nginx/sites-enabled/default
-```
-
-**Create fastapi-dls vhost**
-
-<details>
-    <summary>`/etc/nginx/sites-available/fastapi-dls`</summary>
-
-```
-upstream dls-backend {
-        server 127.0.0.1:8000;  # must match dls listen port
-}
-
-server {
-        listen 443 ssl http2 default_server;
-        listen [::]:443 ssl http2 default_server;
-
-        root /var/www/html;
-        index index.html;
-        server_name _;
-
-        ssl_certificate "/etc/fastapi-dls/cert/webserver.crt";
-        ssl_certificate_key "/etc/fastapi-dls/cert/webserver.key";
-        ssl_session_cache shared:SSL:1m;
-        ssl_session_timeout 10m;
-        ssl_protocols TLSv1.3 TLSv1.2;
-        # ssl_ciphers "ECDHE-ECDSA-CHACHA20-POLY1305";
-        # ssl_ciphers PROFILE=SYSTEM;
-        ssl_prefer_server_ciphers on;
-
-        location / {
-                # https://www.uvicorn.org/deployment/
-                proxy_set_header Host $http_host;
-                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-                proxy_set_header X-Forwarded-Proto $scheme;
-                proxy_set_header Upgrade $http_upgrade;
-                proxy_set_header Connection $connection_upgrade;
-                proxy_redirect off;
-                proxy_buffering off;
-
-                proxy_set_header X-Real-IP $remote_addr;
-
-                proxy_pass http://dls-backend$request_uri;
-        }
-
-        location = /-/health {
-                access_log off;
-                add_header 'Content-Type' 'application/json';
-                return 200 '{\"status\":\"up\",\"service\":\"nginx\"}';
-        }
-}
-
-map $http_upgrade $connection_upgrade {
-        default upgrade;
-        '' close;
-}
-
-server {
-        listen 80;
-        listen [::]:80;
-
-        root /var/www/html;
-        index index.html;
-        server_name _;
-
-        location /leasing/v1/lessor/shutdown {
-                proxy_set_header Host $http_host;
-                proxy_set_header X-Real-IP $remote_addr;
-                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-                proxy_set_header X-Forwarded-Proto $scheme;
-                proxy_pass http://dls-backend/leasing/v1/lessor/shutdown;
-        }
-
-        location / {
-                return 301 https://$host$request_uri;
-        }
-}
-```
-</details>
-
-**Enable and test vhost**
-
-```shell
-ln -s /etc/nginx/sites-available/fastapi-dls /etc/nginx/sites-enabled/fastapi-dls
-
-nginx -t
-# nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
-# nginx: configuration file /etc/nginx/nginx.conf test is successful
-```
-
-**Override default fastapi-dls systemd service**
-
-```shell
-mkdir /etc/systemd/system/fastapi-dls.service.d
-```
-
-<details>
-    <summary>`/etc/systemd/system/fastapi-dls.service.d/override.conf`</summary>
-
-```
-[Service]
-ExecStart=
-ExecStart=uvicorn main:app \
-  --env-file /etc/fastapi-dls/env \
-  --host 127.0.0.1 --port 8000 \
-  --app-dir /usr/share/fastapi-dls/app \
-  --proxy-headers
-```
-</details>
-
-**Run**
-
-```shell
-systemctl daemon-reload
-service nginx start
-service fastapi-dls start
-```
-
-# Configuration (Service)
 
 | Variable                 | Default                                | Usage                                                                                                                               |
-|------------------------|----------------------------------------|------------------------------------------------------------------------------------------------------|
+|--------------------------|----------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------|
 | `DEBUG`                  | `false`                                | Toggles `fastapi` debug mode                                                                                                        |
 | `DLS_URL`                | `localhost`                            | Used in client-token to tell guest driver where dls instance is reachable                                                           |
 | `DLS_PORT`               | `443`                                  | Used in client-token to tell guest driver where dls instance is reachable                                                           |
-| `CERT_PATH`            | `None`                                 | Path to a Directory where generated Certificates are stored. Defaults to `/<app-dir>/cert`.          |
 | `TOKEN_EXPIRE_DAYS`      | `1`                                    | Client auth-token validity (used for authenticate client against api, **not `.tok` file!**)                                         |
 | `LEASE_EXPIRE_DAYS`      | `90`                                   | Lease time in days                                                                                                                  |
 | `LEASE_RENEWAL_PERIOD`   | `0.15`                                 | The percentage of the lease period that must elapse before a licensed client can renew a license \*1                                |
@@ -565,6 +436,8 @@ service fastapi-dls start
 | `SITE_KEY_XID`           | `00000000-0000-0000-0000-000000000000` | Site identification uuid                                                                                                            |
 | `INSTANCE_REF`           | `10000000-0000-0000-0000-000000000001` | Instance identification uuid                                                                                                        |
 | `ALLOTMENT_REF`          | `20000000-0000-0000-0000-000000000001` | Allotment identification uuid                                                                                                       |
+| `INSTANCE_KEY_RSA`       | `<app-dir>/cert/instance.private.pem`  | Site-wide private RSA key for singing JWTs \*3                                                                                      |
+| `INSTANCE_KEY_PUB`       | `<app-dir>/cert/instance.public.pem`   | Site-wide public key \*3                                                                                                            |
 
 \*1 For example, if the lease period is one day and the renewal period is 20%, the client attempts to renew its license
 every 4.8 hours. If network connectivity is lost, the loss of connectivity is detected during license renewal and the
@@ -572,6 +445,8 @@ client has 19.2 hours in which to re-establish connectivity before its license e
 
 \*2 Always use `https`, since guest-drivers only support secure connections!
 
+\*3 If you recreate your instance keys you need to **recreate client-token for each guest**!
+
 # Setup (Client)
 
 **The token file has to be copied! It's not enough to C&P file contents, because there can be special characters.**
@@ -670,10 +545,6 @@ Status endpoint, used for *healthcheck*.
 
 Shows current runtime environment variables and their values.
 
-**`GET /-/config/root-certificate`**
-
-Returns the Root-Certificate Certificate which is used. This is required for patching `nvidia-gridd` on 18.x releases.
-
 **`GET /-/readme`**
 
 HTML rendered README.md.
@@ -746,7 +617,7 @@ Please download a new client-token. The guest have to register within an hour af
 
 ### `jose.exceptions.JWTError: Signature verification failed.`
 
-- Did you recreate any certificate or keypair?
+- Did you recreate `instance.public.pem` / `instance.private.pem`?
 
 Then you have to download a **new** client-token on each of your guests.
 
@@ -882,25 +753,33 @@ The error message can safely be ignored (since we have no license limitation :P)
 
 # vGPU Software Compatibility Matrix
 
-<details>
+**18.x Drivers are not supported on FastAPI-DLS Versions < 1.6.0**
-  <summary>Successfully tested with this package versions: Show Table</summary>
 
-| FastAPI-DLS Version | vGPU Suftware | Driver Branch | Linux vGPU Manager | Linux Driver | Windows Driver |  Release Date |      EOL Date |
+<details>
-|---------------------|:-------------:|:-------------:|--------------------|--------------|----------------|--------------:|--------------:|
+  <summary>Show Table</summary>
-| `2.x`               |    `18.3`     |   **R570**    | `570.158.02`       | `570.158.01` | `573.36`       |     June 2025 |    March 2026 |
+
-|                     |    `18.2`     |   **R570**    | `570.148.06`       | `570.148.08` | `573.07`       |      May 2025 |               |
+Successfully tested with this package versions.
-|                     |    `18.1`     |   **R570**    | `570.133.08`       | `570.133.07` | `572.83`       |    April 2025 |               |
+
-|                     |    `18.0`     |   **R570**    | `570.124.03`       | `570.124.06` | `572.60`       |    March 2025 |               |
+| vGPU Suftware | Driver Branch | Linux vGPU Manager | Linux Driver | Windows Driver |  Release Date |      EOL Date |
-| `1.x` & `2.x`       |    `17.6`     |   **R550**    | `550.163.02`       | `550.63.01`  | `553.74`       |    April 2025 |     June 2025 |
+|:-------------:|:-------------:|--------------------|--------------|----------------|--------------:|--------------:|
-|                     |    `17.5`     |               | `550.144.02`       | `550.144.03` | `553.62`       |  January 2025 |               |
+|    `17.5`     |     R550      | `550.144.02`       | `550.144.03` | `553.62`       |  January 2025 |     June 2025 |
-|                     |    `17.4`     |               | `550.127.06`       | `550.127.05` | `553.24`       |  October 2024 |               |
+|    `17.4`     |     R550      | `550.127.06`       | `550.127.05` | `553.24`       |  October 2024 |               |
-|                     |    `17.3`     |               | `550.90.05`        | `550.90.07`  | `552.74`       |     July 2024 |               |
+|    `17.3`     |     R550      | `550.90.05`        | `550.90.07`  | `552.74`       |     July 2024 |               |
-|                     |    `17.2`     |               | `550.90.05`        | `550.90.07`  | `552.55`       |     June 2024 |               |
+|    `17.2`     |     R550      | `550.90.05`        | `550.90.07`  | `552.55`       |     June 2024 |               |
-|                     |    `17.1`     |               | `550.54.16`        | `550.54.15`  | `551.78`       |    March 2024 |               |
+|    `17.1`     |     R550      | `550.54.16`        | `550.54.15`  | `551.78`       |    March 2024 |               |
-|                     |    `17.0`     |   **R550**    | `550.54.10`        | `550.54.14`  | `551.61`       | February 2024 |               |
+|    `17.0`     |     R550      | `550.54.10`        | `550.54.14`  | `551.61`       | February 2024 |               |
-| `1.x`               |    `16.10`    |   **R535**    | `535.247.02`       | `535.247.01` | `539.28`       |    April 2025 |     July 2026 |
+|    `16.9`     |     R535      | `535.230.02`       | `535.216.01` | `539.19`       |  October 2024 |     July 2026 |
-| `1.x`               |    `15.4`     |   **R525**    | `525.147.01`       | `525.147.05` | `529.19`       |     June 2023 | December 2023 |
+|    `16.8`     |     R535      | `535.216.01`       | `535.216.01` | `538.95`       |  October 2024 |               |
-| `1.x`               |    `14.4`     |   **R510**    | `510.108.03`       | `510.108.03` | `514.08`       | December 2022 | February 2023 |
+|    `16.7`     |     R535      | `535.183.04`       | `535.183.06` | `538.78`       |     July 2024 |               |
+|    `16.6`     |     R535      | `535.183.04`       | `535.183.01` | `538.67`       |     June 2024 |               |
+|    `16.5`     |     R535      | `535.161.05`       | `535.161.08` | `538.46`       | February 2024 |               |
+|    `16.4`     |     R535      | `535.161.05`       | `535.161.07` | `538.33`       | February 2024 |               |
+|    `16.3`     |     R535      | `535.154.02`       | `535.154.05` | `538.15`       |  January 2024 |               |
+|    `16.2`     |     R535      | `535.129.03`       | `535.129.03` | `537.70`       |  October 2023 |               |
+|    `16.1`     |     R535      | `535.104.06`       | `535.104.05` | `537.13`       |   August 2023 |               |
+|    `16.0`     |     R535      | `535.54.06`        | `535.54.03`  | `536.22`       |     July 2023 |               |
+|    `15.4`     |     R525      | `525.147.01`       | `525.147.05` | `529.19`       |     June 2023 | December 2023 |
+|    `14.4`     |     R510      | `510.108.03`       | `510.108.03` | `514.08`       | December 2022 | February 2023 |
 
 </details>
 
@@ -924,6 +803,5 @@ Special thanks to:
 - `Krutav Shah` who wrote the [vGPU_Unlock Wiki](https://docs.google.com/document/d/1pzrWJ9h-zANCtyqRgS7Vzla0Y8Ea2-5z2HEi4X75d2Q/)
 - `Wim van 't Hoog` for the [Proxmox All-In-One Installer Script](https://wvthoog.nl/proxmox-vgpu-v3/)
 - `mrzenc` who wrote [fastapi-dls-nixos](https://github.com/mrzenc/fastapi-dls-nixos)
-- `electricsheep49` who wrote [gridd-unlock-patcher](https://git.collinwebdesigns.de/vgpu/gridd-unlock-patcher)
 
 And thanks to all people who contributed to all these libraries!

ROADMAP.md

@@ -2,17 +2,6 @@
 
 I am planning to implement the following features in the future.
 
-## Patching Endpoint
-
-A (optional) Path-Variable to `gridd-unlock-patcher` which enables an additional endpoint.
-Here you can upload your `nvidia-gridd` binary or `nvxdapix.dll` which then will be patched and responded.
-
-## All-In-One Installer Script Endpoint
-
-A new all-in-one installer endpoint
-(here a script is returned for linux or windows which then could be called like
-curl https://<fastapi-dls>/-/install/deb | sh which then
-download and place a client-token in the right directory, patch your girdd / dll and restart nvidia-gridd service)
 
 ## HA - High Availability
 

app/main.py

@@ -1,29 +1,27 @@
 import logging
+import sys
 from base64 import b64encode as b64enc
 from calendar import timegm
 from contextlib import asynccontextmanager
-from datetime import datetime, timedelta, UTC
+from datetime import datetime, UTC
 from hashlib import sha256
-from json import loads as json_loads, dumps as json_dumps
+from json import loads as json_loads
 from os import getenv as env
-from os.path import join, dirname, exists, isdir, isfile
+from os.path import join, dirname
-from textwrap import wrap
 from uuid import uuid4
 
 from dateutil.relativedelta import relativedelta
 from dotenv import load_dotenv
 from fastapi import FastAPI
 from fastapi.requests import Request
-from fastapi.responses import Response, RedirectResponse, StreamingResponse
+from jose import jws, jwt, JWTError
-from jose import jws, jwk, jwt, JWTError
 from jose.constants import ALGORITHMS
 from sqlalchemy import create_engine
 from sqlalchemy.orm import sessionmaker
 from starlette.middleware.cors import CORSMiddleware
-from starlette.staticfiles import StaticFiles
+from starlette.responses import StreamingResponse, JSONResponse as JSONr, HTMLResponse as HTMLr, Response, RedirectResponse
 
-from orm import Origin, Lease, init as db_init, migrate
+from orm import Origin, Lease, init as db_init, migrate, Instance, Site
-from util import CASetup, PrivateKey, Cert, ProductMapping, load_file
 
 # Load variables
 load_dotenv('../version.env')
@@ -41,32 +39,9 @@ db_init(db), migrate(db)
 # Load DLS variables (all prefixed with "INSTANCE_*" is used as "SERVICE_INSTANCE_*" or "SI_*" in official dls service)
 DLS_URL = str(env('DLS_URL', 'localhost'))
 DLS_PORT = int(env('DLS_PORT', '443'))
-CERT_PATH = str(env('CERT_PATH', None))
-SITE_KEY_XID = str(env('SITE_KEY_XID', '00000000-0000-0000-0000-000000000000'))
-INSTANCE_REF = str(env('INSTANCE_REF', '10000000-0000-0000-0000-000000000001'))
-ALLOTMENT_REF = str(env('ALLOTMENT_REF', '20000000-0000-0000-0000-000000000001'))
-TOKEN_EXPIRE_DELTA = relativedelta(days=int(env('TOKEN_EXPIRE_DAYS', 1)), hours=int(env('TOKEN_EXPIRE_HOURS', 0)))
-LEASE_EXPIRE_DELTA = relativedelta(days=int(env('LEASE_EXPIRE_DAYS', 90)), hours=int(env('LEASE_EXPIRE_HOURS', 0)))
-LEASE_RENEWAL_PERIOD = float(env('LEASE_RENEWAL_PERIOD', 0.15))
-LEASE_RENEWAL_DELTA = timedelta(days=int(env('LEASE_EXPIRE_DAYS', 90)), hours=int(env('LEASE_EXPIRE_HOURS', 0)))
-CLIENT_TOKEN_EXPIRE_DELTA = relativedelta(years=12)
 CORS_ORIGINS = str(env('CORS_ORIGINS', '')).split(',') if (env('CORS_ORIGINS')) else [f'https://{DLS_URL}']
-DRIVERS_DIR = env('DRIVERS_DIR', None)
-DT_FORMAT = '%Y-%m-%dT%H:%M:%S.%fZ'
-PRODUCT_MAPPING = ProductMapping(filename=join(dirname(__file__), 'static/product_mapping.json'))
 
-# Create certificate chain and signing keys
+ALLOTMENT_REF = str(env('ALLOTMENT_REF', '20000000-0000-0000-0000-000000000001'))  # todo
-ca_setup = CASetup(service_instance_ref=INSTANCE_REF, cert_path=CERT_PATH)
-my_root_private_key = PrivateKey.from_file(ca_setup.root_private_key_filename)
-my_root_public_key = my_root_private_key.public_key()
-my_root_certificate = Cert.from_file(ca_setup.root_certificate_filename)
-my_ca_certificate = Cert.from_file(ca_setup.ca_certificate_filename)
-my_si_certificate = Cert.from_file(ca_setup.si_certificate_filename)
-my_si_private_key = PrivateKey.from_file(ca_setup.si_private_key_filename)
-my_si_public_key = my_si_private_key.public_key()
-
-jwt_encode_key = jwk.construct(my_si_private_key.pem(), algorithm=ALGORITHMS.RS256)
-jwt_decode_key = jwk.construct(my_si_private_key.public_key().pem(), algorithm=ALGORITHMS.RS256)
 
 # Logging
 LOG_LEVEL = logging.DEBUG if DEBUG else logging.INFO
@@ -74,25 +49,33 @@ logging.basicConfig(format='[{levelname:^7}] [{module:^15}] {message}', style='{
 logger = logging.getLogger(__name__)
 logger.setLevel(LOG_LEVEL)
 logging.getLogger('util').setLevel(LOG_LEVEL)
-logging.getLogger('NV').setLevel(LOG_LEVEL)
+logging.getLogger('DriverMatrix').setLevel(LOG_LEVEL)
 
 
 # FastAPI
 @asynccontextmanager
 async def lifespan(_: FastAPI):
     # on startup
+    default_instance = Instance.get_default_instance(db)
+
+    lease_renewal_period = default_instance.lease_renewal_period
+    lease_renewal_delta = default_instance.get_lease_renewal_delta()
+    client_token_expire_delta = default_instance.get_client_token_expire_delta()
+
     logger.info(f'''
     
     Using timezone: {str(TZ)}. Make sure this is correct and match your clients!
     
-    Your clients renew their license every {str(Lease.calculate_renewal(LEASE_RENEWAL_PERIOD, LEASE_RENEWAL_DELTA))}.
+    Your clients will renew their license every {str(Lease.calculate_renewal(lease_renewal_period, lease_renewal_delta))}.
-    If the renewal fails, the license is {str(LEASE_RENEWAL_DELTA)} valid.
+    If the renewal fails, the license is valid for {str(lease_renewal_delta)}.
     
-    Your client-token file (.tok) is valid for {str(CLIENT_TOKEN_EXPIRE_DELTA)}.
+    Your client-token file (.tok) is valid for {str(client_token_expire_delta)}.
     ''')
 
     logger.info(f'Debug is {"enabled" if DEBUG else "disabled"}.')
 
+    validate_settings()
+
     yield
 
     # on shutdown
@@ -102,9 +85,6 @@ async def lifespan(_: FastAPI):
 config = dict(openapi_url=None, docs_url=None, redoc_url=None)  # dict(openapi_url='/-/openapi.json', docs_url='/-/docs', redoc_url='/-/redoc')
 app = FastAPI(title='FastAPI-DLS', description='Minimal Delegated License Service (DLS).', version=VERSION, lifespan=lifespan, **config)
 
-if DRIVERS_DIR is not None:
-    app.mount('/-/static-drivers', StaticFiles(directory=str(DRIVERS_DIR), html=False), name='drivers')
-
 app.debug = DEBUG
 app.add_middleware(
     CORSMiddleware,
@@ -116,12 +96,24 @@ app.add_middleware(
 
 
 # Helper
-def __get_token(request: Request) -> dict:
+def __get_token(request: Request, jwt_decode_key: "jose.jwt") -> dict:
     authorization_header = request.headers.get('authorization')
     token = authorization_header.split(' ')[1]
     return jwt.decode(token=token, key=jwt_decode_key, algorithms=ALGORITHMS.RS256, options={'verify_aud': False})
 
 
+def validate_settings():
+    session = sessionmaker(bind=db)()
+
+    lease_expire_delta_min, lease_expire_delta_max = 86_400, 7_776_000
+    for instance in session.query(Instance).all():
+        lease_expire_delta = instance.lease_expire_delta
+        if lease_expire_delta < 86_400 or lease_expire_delta > 7_776_000:
+            logging.warning(f'> [ instance ]: {instance.instance_ref}: "lease_expire_delta" should be between {lease_expire_delta_min} and {lease_expire_delta_max}')
+
+    session.close()
+
+
 # Endpoints
 
 @app.get('/', summary='Index')
@@ -136,41 +128,36 @@ async def _index():
 
 @app.get('/-/health', summary='* Health')
 async def _health():
-    return Response(content=json_dumps({'status': 'up'}), media_type='application/json', status_code=200)
+    return JSONr({'status': 'up'})
 
 
 @app.get('/-/config', summary='* Config', description='returns environment variables.')
 async def _config():
-    response = {
+    default_site, default_instance = Site.get_default_site(db), Instance.get_default_instance(db)
+
+    return JSONr({
         'VERSION': str(VERSION),
         'COMMIT': str(COMMIT),
         'DEBUG': str(DEBUG),
         'DLS_URL': str(DLS_URL),
         'DLS_PORT': str(DLS_PORT),
-        'SITE_KEY_XID': str(SITE_KEY_XID),
+        'SITE_KEY_XID': str(default_site.site_key),
-        'INSTANCE_REF': str(INSTANCE_REF),
+        'INSTANCE_REF': str(default_instance.instance_ref),
         'ALLOTMENT_REF': [str(ALLOTMENT_REF)],
-        'TOKEN_EXPIRE_DELTA': str(TOKEN_EXPIRE_DELTA),
+        'TOKEN_EXPIRE_DELTA': str(default_instance.get_token_expire_delta()),
-        'LEASE_EXPIRE_DELTA': str(LEASE_EXPIRE_DELTA),
+        'LEASE_EXPIRE_DELTA': str(default_instance.get_lease_expire_delta()),
-        'LEASE_RENEWAL_PERIOD': str(LEASE_RENEWAL_PERIOD),
+        'LEASE_RENEWAL_PERIOD': str(default_instance.lease_renewal_period),
         'CORS_ORIGINS': str(CORS_ORIGINS),
         'TZ': str(TZ),
-    }
+    })
-
-    return Response(content=json_dumps(response), media_type='application/json', status_code=200)
-
-
-@app.get('/-/config/root-certificate', summary='* Root Certificate', description='returns Root--Certificate needed for patching nvidia-gridd')
-async def _config():
-    return Response(content=my_root_certificate.pem().decode('utf-8').strip(), media_type='text/plain')
 
 
 @app.get('/-/readme', summary='* Readme')
 async def _readme():
     from markdown import markdown
+    from util import load_file
     content = load_file(join(dirname(__file__), '../README.md')).decode('utf-8')
-    response = markdown(text=content, extensions=['tables', 'fenced_code', 'md_in_html', 'nl2br', 'toc'])
+    return HTMLr(markdown(text=content, extensions=['tables', 'fenced_code', 'md_in_html', 'nl2br', 'toc']))
-    return Response(response, media_type='text/html', status_code=200)
 
 
 @app.get('/-/manage', summary='* Management UI')
@@ -208,26 +195,7 @@ async def _manage(request: Request):
         </body>
     </html>
     '''
-    return Response(response, media_type='text/html', status_code=200)
+    return HTMLr(response)
-
-
-@app.get('/-/drivers/{directory:path}', summary='* List drivers directory')
-async def _drivers(request: Request, directory: str | None):
-    if DRIVERS_DIR is None:
-        return Response(status_code=404, content=f'Variable "DRIVERS_DIR" not set.')
-
-    path = join(DRIVERS_DIR, directory)
-
-    if not exists(path) and not isfile(path):
-        return Response(status_code=404, content=f'Resource "{path}" not found!')
-
-    content = [{
-        "type": "file" if isfile(f'{path}/{_}') else "folder" if isdir(f'{path}/{_}') else "unknown",
-        "name": _,
-        "link": f'/-/static-drivers/{directory}{_}',
-    } for _ in listdir(path)]
-
-    return Response(content=json_dumps({"directory": path, "content": content}), media_type='application/json', status_code=200)
 
 
 @app.get('/-/origins', summary='* Origins')
@@ -237,11 +205,10 @@ async def _origins(request: Request, leases: bool = False):
     for origin in session.query(Origin).all():
         x = origin.serialize()
         if leases:
-            serialize = dict(renewal_period=LEASE_RENEWAL_PERIOD, renewal_delta=LEASE_RENEWAL_DELTA)
+            x['leases'] = list(map(lambda _: _.serialize(), Lease.find_by_origin_ref(db, origin.origin_ref)))
-            x['leases'] = list(map(lambda _: _.serialize(**serialize), Lease.find_by_origin_ref(db, origin.origin_ref)))
         response.append(x)
     session.close()
-    return Response(content=json_dumps(response), media_type='application/json', status_code=200)
+    return JSONr(response)
 
 
 @app.delete('/-/origins', summary='* Origins')
@@ -255,15 +222,14 @@ async def _leases(request: Request, origin: bool = False):
     session = sessionmaker(bind=db)()
     response = []
     for lease in session.query(Lease).all():
-        serialize = dict(renewal_period=LEASE_RENEWAL_PERIOD, renewal_delta=LEASE_RENEWAL_DELTA)
+        x = lease.serialize()
-        x = lease.serialize(**serialize)
         if origin:
             lease_origin = session.query(Origin).filter(Origin.origin_ref == lease.origin_ref).first()
             if lease_origin is not None:
                 x['origin'] = lease_origin.serialize()
         response.append(x)
     session.close()
-    return Response(content=json_dumps(response), media_type='application/json', status_code=200)
+    return JSONr(response)
 
 
 @app.delete('/-/leases/expired', summary='* Leases')
@@ -276,15 +242,20 @@ async def _lease_delete_expired(request: Request):
 async def _lease_delete(request: Request, lease_ref: str):
     if Lease.delete(db, lease_ref) == 1:
         return Response(status_code=201)
-    response = {'status': 404, 'detail': 'lease not found'}
+    return JSONr(status_code=404, content={'status': 404, 'detail': 'lease not found'})
-    return Response(content=json_dumps(response), media_type='application/json', status_code=404)
 
 
 # venv/lib/python3.9/site-packages/nls_core_service_instance/service_instance_token_manager.py
 @app.get('/-/client-token', summary='* Client-Token', description='creates a new messenger token for this service instance')
 async def _client_token():
     cur_time = datetime.now(UTC)
-    exp_time = cur_time + CLIENT_TOKEN_EXPIRE_DELTA
+
+    default_instance = Instance.get_default_instance(db)
+    public_key = default_instance.get_public_key()
+    # todo: implemented request parameter to support different instances
+    jwt_encode_key = default_instance.get_jwt_encode_key()
+
+    exp_time = cur_time + default_instance.get_client_token_expire_delta()
 
     payload = {
         "jti": str(uuid4()),
@@ -293,17 +264,15 @@ async def _client_token():
         "iat": timegm(cur_time.timetuple()),
         "nbf": timegm(cur_time.timetuple()),
         "exp": timegm(exp_time.timetuple()),
-        "protocol_version": "2.0",
         "update_mode": "ABSOLUTE",
         "scope_ref_list": [ALLOTMENT_REF],
         "fulfillment_class_ref_list": [],
         "service_instance_configuration": {
-            "nls_service_instance_ref": INSTANCE_REF,
+            "nls_service_instance_ref": default_instance.instance_ref,
             "svc_port_set_list": [
                 {
                     "idx": 0,
                     "d_name": "DLS",
-                    # todo: {"service": "quick_release", "port": 80} - see "shutdown for windows"
                     "svc_port_map": [{"service": "auth", "port": DLS_PORT}, {"service": "lease", "port": DLS_PORT}]
                 }
             ],
@@ -311,10 +280,10 @@ async def _client_token():
         },
         "service_instance_public_key_configuration": {
             "service_instance_public_key_me": {
-                "mod": my_si_public_key.mod(),
+                "mod": hex(public_key.raw().public_numbers().n)[2:],
-                "exp": my_si_public_key.exp(),
+                "exp": int(public_key.raw().public_numbers().e),
             },
-            "service_instance_public_key_pem": my_si_public_key.pem().decode('utf-8').strip(),
+            "service_instance_public_key_pem": public_key.pem().decode('utf-8'),
             "key_retention_mode": "LATEST_ONLY"
         },
     }
@@ -345,22 +314,17 @@ async def auth_v1_origin(request: Request):
 
     Origin.create_or_update(db, data)
 
-    environment = {
-        'raw_env': j.get('environment')
-    }
-    environment.update(j.get('environment'))
-
     response = {
         "origin_ref": origin_ref,
-        "environment": environment,
+        "environment": j.get('environment'),
         "svc_port_set_list": None,
         "node_url_list": None,
         "node_query_order": None,
         "prompts": None,
-        "sync_timestamp": cur_time.strftime(DT_FORMAT)
+        "sync_timestamp": cur_time.isoformat()
     }
 
-    return Response(content=json_dumps(response, separators=(',', ':')), media_type='application/json', status_code=200)
+    return JSONr(response)
 
 
 # venv/lib/python3.9/site-packages/nls_services_auth/test/test_origins_controller.py
@@ -383,10 +347,10 @@ async def auth_v1_origin_update(request: Request):
     response = {
         "environment": j.get('environment'),
         "prompts": None,
-        "sync_timestamp": cur_time.strftime(DT_FORMAT)
+        "sync_timestamp": cur_time.isoformat()
     }
 
-    return Response(content=json_dumps(response, separators=(',', ':')), media_type='application/json', status_code=200)
+    return JSONr(response)
 
 
 # venv/lib/python3.9/site-packages/nls_services_auth/test/test_auth_controller.py
@@ -401,24 +365,27 @@ async def auth_v1_code(request: Request):
     delta = relativedelta(minutes=15)
     expires = cur_time + delta
 
+    default_site = Site.get_default_site(db)
+    jwt_encode_key = Instance.get_default_instance(db).get_jwt_encode_key()
+
     payload = {
         'iat': timegm(cur_time.timetuple()),
         'exp': timegm(expires.timetuple()),
         'challenge': j.get('code_challenge'),
         'origin_ref': j.get('origin_ref'),
-        'key_ref': SITE_KEY_XID,
+        'key_ref': default_site.site_key,
-        'kid': SITE_KEY_XID
+        'kid': default_site.site_key,
     }
 
     auth_code = jws.sign(payload, key=jwt_encode_key, headers={'kid': payload.get('kid')}, algorithm=ALGORITHMS.RS256)
 
     response = {
         "auth_code": auth_code,
-        "prompts": None,
+        "sync_timestamp": cur_time.isoformat(),
-        "sync_timestamp": cur_time.strftime(DT_FORMAT),
+        "prompts": None
     }
 
-    return Response(content=json_dumps(response, separators=(',', ':')), media_type='application/json', status_code=200)
+    return JSONr(response)
 
 
 # venv/lib/python3.9/site-packages/nls_services_auth/test/test_auth_controller.py
@@ -427,11 +394,13 @@ async def auth_v1_code(request: Request):
 async def auth_v1_token(request: Request):
     j, cur_time = json_loads((await request.body()).decode('utf-8')), datetime.now(UTC)
 
+    default_site, default_instance = Site.get_default_site(db), Instance.get_default_instance(db)
+    jwt_encode_key, jwt_decode_key = default_instance.get_jwt_encode_key(), default_instance.get_jwt_decode_key()
+
     try:
         payload = jwt.decode(token=j.get('auth_code'), key=jwt_decode_key, algorithms=ALGORITHMS.RS256)
     except JWTError as e:
-        response = {'status': 400, 'title': 'invalid token', 'detail': str(e)}
+        return JSONr(status_code=400, content={'status': 400, 'title': 'invalid token', 'detail': str(e)})
-        return Response(content=json_dumps(response), media_type='application/json', status_code=400)
 
     origin_ref = payload.get('origin_ref')
     logger.info(f'> [   auth   ]: {origin_ref}: {j}')
@@ -439,10 +408,9 @@ async def auth_v1_token(request: Request):
     # validate the code challenge
     challenge = b64enc(sha256(j.get('code_verifier').encode('utf-8')).digest()).rstrip(b'=').decode('utf-8')
     if payload.get('challenge') != challenge:
-        response = {'status': 401, 'detail': 'expected challenge did not match verifier'}
+        return JSONr(status_code=401, content={'status': 401, 'detail': 'expected challenge did not match verifier'})
-        return Response(content=json_dumps(response), media_type='application/json', status_code=401)
 
-    access_expires_on = cur_time + TOKEN_EXPIRE_DELTA
+    access_expires_on = cur_time + default_instance.get_token_expire_delta()
 
     new_payload = {
         'iat': timegm(cur_time.timetuple()),
@@ -450,168 +418,84 @@ async def auth_v1_token(request: Request):
         'iss': 'https://cls.nvidia.org',
         'aud': 'https://cls.nvidia.org',
         'exp': timegm(access_expires_on.timetuple()),
-        'key_ref': SITE_KEY_XID,
-        'kid': SITE_KEY_XID,
         'origin_ref': origin_ref,
+        'key_ref': default_site.site_key,
+        'kid': default_site.site_key,
     }
 
     auth_token = jwt.encode(new_payload, key=jwt_encode_key, headers={'kid': payload.get('kid')}, algorithm=ALGORITHMS.RS256)
 
     response = {
+        "expires": access_expires_on.isoformat(),
         "auth_token": auth_token,
-        "expires": access_expires_on.strftime(DT_FORMAT),
+        "sync_timestamp": cur_time.isoformat(),
-        "prompts": None,
-        "sync_timestamp": cur_time.strftime(DT_FORMAT),
     }
 
-    return Response(content=json_dumps(response, separators=(',', ':')), media_type='application/json', status_code=200)
+    return JSONr(response)
-
-
-# NLS 3.4.0 - venv/lib/python3.12/site-packages/nls_services_lease/test/test_lease_single_controller.py
-@app.post('/leasing/v1/config-token', description='request to get config token for lease operations')
-async def leasing_v1_config_token(request: Request):
-    j, cur_time = json_loads((await request.body()).decode('utf-8')), datetime.now(UTC)
-
-    cur_time = datetime.now(UTC)
-    exp_time = cur_time + CLIENT_TOKEN_EXPIRE_DELTA
-
-    payload = {
-        "iss": "NLS Service Instance",
-        "aud": "NLS Licensed Client",
-        "iat": timegm(cur_time.timetuple()),
-        "nbf": timegm(cur_time.timetuple()),
-        "exp": timegm(exp_time.timetuple()),
-        "protocol_version": "2.0",
-        "d_name": "DLS",
-        "service_instance_ref": j.get('service_instance_ref'),
-        "service_instance_public_key_configuration": {
-            "service_instance_public_key_me": {
-                "mod": my_si_public_key.mod(),
-                "exp": my_si_public_key.exp(),
-            },
-            "service_instance_public_key_pem": my_si_public_key.pem().decode('utf-8').strip(),
-            "key_retention_mode": "LATEST_ONLY"
-        },
-    }
-
-    my_jwt_encode_key = jwk.construct(my_si_private_key.pem().decode('utf-8'), algorithm=ALGORITHMS.RS256)
-    config_token = jws.sign(payload, key=my_jwt_encode_key, headers=None, algorithm=ALGORITHMS.RS256)
-
-    response_ca_chain = my_ca_certificate.pem().decode('utf-8').strip()
-
-    # 76 chars per line on original response with "\r\n"
-    """
-    response_ca_chain = my_ca_certificate.pem().decode('utf-8').strip()
-    response_ca_chain = response_ca_chain.replace('-----BEGIN CERTIFICATE-----', '')
-    response_ca_chain = response_ca_chain.replace('-----END CERTIFICATE-----', '')
-    response_ca_chain = response_ca_chain.replace('\n', '')
-    response_ca_chain = wrap(response_ca_chain, 76)
-    response_ca_chain = '\r\n'.join(response_ca_chain)
-    response_ca_chain = f'-----BEGIN CERTIFICATE-----\r\n{response_ca_chain}\r\n-----END CERTIFICATE-----'
-    """
-    response_si_certificate = my_si_certificate.pem().decode('utf-8').strip()
-
-    # 76 chars per line on original response with "\r\n"
-    """
-    response_si_certificate = my_si_certificate.pem().decode('utf-8').strip()
-    response_si_certificate = response_si_certificate.replace('-----BEGIN CERTIFICATE-----', '')
-    response_si_certificate = response_si_certificate.replace('-----END CERTIFICATE-----', '')
-    response_si_certificate = response_si_certificate.replace('\n', '')
-    response_si_certificate = wrap(response_si_certificate, 76)
-    response_si_certificate = '\r\n'.join(response_si_certificate)
-    """
-
-    response = {
-        "certificateConfiguration": {
-            "caChain": [response_ca_chain],
-            "publicCert": response_si_certificate,
-            "publicKey": {
-                "exp": my_si_certificate.public_key().exp(),
-                "mod": [my_si_certificate.public_key().mod()],
-            },
-        },
-        "configToken": config_token,
-    }
-
-    return Response(content=json_dumps(response, separators=(',', ':')), media_type='application/json', status_code=200)
 
 
 # venv/lib/python3.9/site-packages/nls_services_lease/test/test_lease_multi_controller.py
 @app.post('/leasing/v1/lessor', description='request multiple leases (borrow) for current origin')
 async def leasing_v1_lessor(request: Request):
-    j, token, cur_time = json_loads((await request.body()).decode('utf-8')), __get_token(request), datetime.now(UTC)
+    j, cur_time = json_loads((await request.body()).decode('utf-8')), datetime.now(UTC)
+
+    default_instance = Instance.get_default_instance(db)
+    jwt_decode_key = default_instance.get_jwt_decode_key()
 
     try:
-        token = __get_token(request)
+        token = __get_token(request, jwt_decode_key)
     except JWTError:
-        response = {'status': 401, 'detail': 'token is not valid'}
+        return JSONr(status_code=401, content={'status': 401, 'detail': 'token is not valid'})
-        return Response(content=json_dumps(response), media_type='application/json', status_code=401)
 
     origin_ref = token.get('origin_ref')
     scope_ref_list = j.get('scope_ref_list')
-    lease_proposal_list = j.get('lease_proposal_list')
     logger.info(f'> [  create  ]: {origin_ref}: create leases for scope_ref_list {scope_ref_list}')
 
+    lease_result_list = []
     for scope_ref in scope_ref_list:
         # if scope_ref not in [ALLOTMENT_REF]:
-        #     response = {'status': 400, 'detail': f'service instances not found for scopes: ["{scope_ref}"]')}
+        #     return JSONr(status_code=500, detail=f'no service instances found for scopes: ["{scope_ref}"]')
-        #     return Response(content=json_dumps(response), media_type='application/json', status_code=400)
-        pass
 
-    lease_result_list = []
-    for lease_proposal in lease_proposal_list:
         lease_ref = str(uuid4())
-        expires = cur_time + LEASE_EXPIRE_DELTA
+        expires = cur_time + default_instance.get_lease_expire_delta()
-
-        product_name = lease_proposal.get('product').get('name')
-        feature_name = PRODUCT_MAPPING.get_feature_name(product_name=product_name)
-
         lease_result_list.append({
-            "error": None,
+            "ordinal": 0,
+            # https://docs.nvidia.com/license-system/latest/nvidia-license-system-user-guide/index.html
             "lease": {
-                "created": cur_time.strftime(DT_FORMAT),
-                "expires": expires.strftime(DT_FORMAT),  # todo: lease_proposal.get('duration') => "P0Y0M0DT12H0M0S
-                "feature_name": feature_name,
-                "lease_intent_id": None,
-                "license_type": "CONCURRENT_COUNTED_SINGLE",
-                "metadata": None,
-                "offline_lease": False,  # todo
-                "product_name": product_name,
-                "recommended_lease_renewal": LEASE_RENEWAL_PERIOD,
                 "ref": lease_ref,
-            },
+                "created": cur_time.isoformat(),
-            "ordinal": None,
+                "expires": expires.isoformat(),
+                "recommended_lease_renewal": default_instance.lease_renewal_period,
+                "offline_lease": "true",
+                "license_type": "CONCURRENT_COUNTED_SINGLE"
+            }
         })
 
-        data = Lease(origin_ref=origin_ref, lease_ref=lease_ref, lease_created=cur_time, lease_expires=expires)
+        data = Lease(instance_ref=default_instance.instance_ref, origin_ref=origin_ref, lease_ref=lease_ref, lease_created=cur_time, lease_expires=expires)
         Lease.create_or_update(db, data)
 
     response = {
-        "client_challenge": j.get('client_challenge'),
         "lease_result_list": lease_result_list,
-        "prompts": None,
+        "result_code": "SUCCESS",
-        "result_code": None,
+        "sync_timestamp": cur_time.isoformat(),
-        "sync_timestamp": cur_time.strftime(DT_FORMAT),
+        "prompts": None
     }
 
-    content = json_dumps(response, separators=(',', ':'))
+    return JSONr(response)
-    content = f'{content}\n'.encode('ascii')
-    signature = my_si_private_key.generate_signature(content)
-
-    headers = {
-        'Content-Type': 'application/json',
-        'access-control-expose-headers': 'X-NLS-Signature',
-        'X-NLS-Signature': f'{signature.hex().encode()}'
-    }
-
-    return Response(content=content, media_type='application/json', headers=headers)
 
 
 # venv/lib/python3.9/site-packages/nls_services_lease/test/test_lease_multi_controller.py
 # venv/lib/python3.9/site-packages/nls_dal_service_instance_dls/schema/service_instance/V1_0_21__product_mapping.sql
 @app.get('/leasing/v1/lessor/leases', description='get active leases for current origin')
 async def leasing_v1_lessor_lease(request: Request):
-    token, cur_time = __get_token(request), datetime.now(UTC)
+    cur_time = datetime.now(UTC)
+
+    jwt_decode_key = Instance.get_default_instance(db).get_jwt_decode_key()
+
+    try:
+        token = __get_token(request, jwt_decode_key)
+    except JWTError:
+        return JSONr(status_code=401, content={'status': 401, 'detail': 'token is not valid'})
 
     origin_ref = token.get('origin_ref')
 
@@ -620,90 +504,93 @@ async def leasing_v1_lessor_lease(request: Request):
 
     response = {
         "active_lease_list": active_lease_list,
-        "prompts": None,
+        "sync_timestamp": cur_time.isoformat(),
-        "sync_timestamp": cur_time.strftime(DT_FORMAT),
+        "prompts": None
     }
 
-    return Response(content=json_dumps(response, separators=(',', ':')), media_type='application/json', status_code=200)
+    return JSONr(response)
 
 
 # venv/lib/python3.9/site-packages/nls_services_lease/test/test_lease_single_controller.py
 # venv/lib/python3.9/site-packages/nls_core_lease/lease_single.py
 @app.put('/leasing/v1/lease/{lease_ref}', description='renew a lease')
 async def leasing_v1_lease_renew(request: Request, lease_ref: str):
-    j, token, cur_time = json_loads((await request.body()).decode('utf-8')), __get_token(request), datetime.now(UTC)
+    cur_time = datetime.now(UTC)
+
+    default_instance = Instance.get_default_instance(db)
+    jwt_decode_key = default_instance.get_jwt_decode_key()
+
+    try:
+        token = __get_token(request, jwt_decode_key)
+    except JWTError:
+        return JSONr(status_code=401, content={'status': 401, 'detail': 'token is not valid'})
 
     origin_ref = token.get('origin_ref')
     logger.info(f'> [  renew   ]: {origin_ref}: renew {lease_ref}')
 
     entity = Lease.find_by_origin_ref_and_lease_ref(db, origin_ref, lease_ref)
     if entity is None:
-        response = {'status': 404, 'detail': 'requested lease not available'}
+        return JSONr(status_code=404, content={'status': 404, 'detail': 'requested lease not available'})
-        return Response(content=json_dumps(response), media_type='application/json', status_code=404)
 
-    expires = cur_time + LEASE_EXPIRE_DELTA
+    expires = cur_time + default_instance.get_lease_expire_delta()
     response = {
-        "client_challenge": j.get('client_challenge'),
-        "expires": expires.strftime('%Y-%m-%dT%H:%M:%S.%f'),  # DT_FORMAT => "trailing 'Z' missing in this response
-        "feature_expired": False,
         "lease_ref": lease_ref,
-        "metadata": None,
+        "expires": expires.isoformat(),
-        "offline_lease": False,  # todo
+        "recommended_lease_renewal": default_instance.lease_renewal_period,
+        "offline_lease": True,
         "prompts": None,
-        "recommended_lease_renewal": LEASE_RENEWAL_PERIOD,
+        "sync_timestamp": cur_time.isoformat(),
-        "sync_timestamp": cur_time.strftime(DT_FORMAT),
     }
 
     Lease.renew(db, entity, expires, cur_time)
 
-    content = json_dumps(response, separators=(',', ':'))
+    return JSONr(response)
-    content = f'{content}\n'.encode('ascii')
-    signature = my_si_private_key.generate_signature(content)
-
-    headers = {
-        'Content-Type': 'application/json',
-        'access-control-expose-headers': 'X-NLS-Signature',
-        'X-NLS-Signature': f'{signature.hex().encode()}'
-    }
-
-    return Response(content=content, media_type='application/json', headers=headers)
-
 
 
 # venv/lib/python3.9/site-packages/nls_services_lease/test/test_lease_single_controller.py
 @app.delete('/leasing/v1/lease/{lease_ref}', description='release (return) a lease')
 async def leasing_v1_lease_delete(request: Request, lease_ref: str):
-    token, cur_time = __get_token(request), datetime.now(UTC)
+    cur_time = datetime.now(UTC)
+
+    jwt_decode_key = Instance.get_default_instance(db).get_jwt_decode_key()
+
+    try:
+        token = __get_token(request, jwt_decode_key)
+    except JWTError:
+        return JSONr(status_code=401, content={'status': 401, 'detail': 'token is not valid'})
 
     origin_ref = token.get('origin_ref')
     logger.info(f'> [  return  ]: {origin_ref}: return {lease_ref}')
 
     entity = Lease.find_by_lease_ref(db, lease_ref)
     if entity.origin_ref != origin_ref:
-        response = {'status': 403, 'detail': 'access or operation forbidden'}
+        return JSONr(status_code=403, content={'status': 403, 'detail': 'access or operation forbidden'})
-        return Response(content=json_dumps(response), media_type='application/json', status_code=403)
     if entity is None:
-        response = {'status': 404, 'detail': 'requested lease not available'}
+        return JSONr(status_code=404, content={'status': 404, 'detail': 'requested lease not available'})
-        return Response(content=json_dumps(response), media_type='application/json', status_code=404)
 
     if Lease.delete(db, lease_ref) == 0:
-        response = {'status': 404, 'detail': 'lease not found'}
+        return JSONr(status_code=404, content={'status': 404, 'detail': 'lease not found'})
-        return Response(content=json_dumps(response), media_type='application/json', status_code=404)
 
     response = {
-        "client_challenge": None,
         "lease_ref": lease_ref,
         "prompts": None,
-        "sync_timestamp": cur_time.strftime(DT_FORMAT),
+        "sync_timestamp": cur_time.isoformat(),
     }
 
-    return Response(content=json_dumps(response, separators=(',', ':')), media_type='application/json', status_code=200)
+    return JSONr(response)
 
 
 # venv/lib/python3.9/site-packages/nls_services_lease/test/test_lease_multi_controller.py
 @app.delete('/leasing/v1/lessor/leases', description='release all leases')
 async def leasing_v1_lessor_lease_remove(request: Request):
-    token, cur_time = __get_token(request), datetime.now(UTC)
+    cur_time = datetime.now(UTC)
+
+    jwt_decode_key = Instance.get_default_instance(db).get_jwt_decode_key()
+
+    try:
+        token = __get_token(request, jwt_decode_key)
+    except JWTError:
+        return JSONr(status_code=401, content={'status': 401, 'detail': 'token is not valid'})
 
     origin_ref = token.get('origin_ref')
 
@@ -714,17 +601,19 @@ async def leasing_v1_lessor_lease_remove(request: Request):
     response = {
         "released_lease_list": released_lease_list,
         "release_failure_list": None,
-        "prompts": None,
+        "sync_timestamp": cur_time.isoformat(),
-        "sync_timestamp": cur_time.strftime(DT_FORMAT),
+        "prompts": None
     }
 
-    return Response(content=json_dumps(response, separators=(',', ':')), media_type='application/json', status_code=200)
+    return JSONr(response)
 
 
 @app.post('/leasing/v1/lessor/shutdown', description='shutdown all leases')
 async def leasing_v1_lessor_shutdown(request: Request):
     j, cur_time = json_loads((await request.body()).decode('utf-8')), datetime.now(UTC)
 
+    jwt_decode_key = Instance.get_default_instance(db).get_jwt_decode_key()
+
     token = j.get('token')
     token = jwt.decode(token=token, key=jwt_decode_key, algorithms=ALGORITHMS.RS256, options={'verify_aud': False})
     origin_ref = token.get('origin_ref')
@@ -736,11 +625,11 @@ async def leasing_v1_lessor_shutdown(request: Request):
     response = {
         "released_lease_list": released_lease_list,
         "release_failure_list": None,
-        "prompts": None,
+        "sync_timestamp": cur_time.isoformat(),
-        "sync_timestamp": cur_time.strftime(DT_FORMAT),
+        "prompts": None
     }
 
-    return Response(content=json_dumps(response, separators=(',', ':')), media_type='application/json', status_code=200)
+    return JSONr(response)
 
 
 if __name__ == '__main__':

app/orm.py

@@ -1,20 +1,143 @@
+import logging
 from datetime import datetime, timedelta, timezone, UTC
+from os import getenv as env
+from os.path import join, dirname, isfile
 
 from dateutil.relativedelta import relativedelta
-from sqlalchemy import Column, VARCHAR, CHAR, ForeignKey, DATETIME, update, and_, inspect, text
+from jose import jwk
+from jose.constants import ALGORITHMS
+from sqlalchemy import Column, VARCHAR, CHAR, ForeignKey, DATETIME, update, and_, inspect, text, BLOB, INT, FLOAT
 from sqlalchemy.engine import Engine
-from sqlalchemy.orm import sessionmaker, declarative_base
+from sqlalchemy.orm import sessionmaker, declarative_base, Session, relationship
+from sqlalchemy.schema import CreateTable
 
-from util import DriverMatrix
+from util import DriverMatrix, PrivateKey, PublicKey, DriverMatrix
+
+logging.basicConfig()
+logger = logging.getLogger(__name__)
+logger.setLevel(logging.INFO)
 
 Base = declarative_base()
 
 
+class Site(Base):
+    __tablename__ = "site"
+
+    INITIAL_SITE_KEY_XID = '10000000-0000-0000-0000-000000000000'
+    INITIAL_SITE_NAME = 'default-site'
+
+    site_key = Column(CHAR(length=36), primary_key=True, unique=True, index=True)  # uuid4, SITE_KEY_XID
+    name = Column(VARCHAR(length=256), nullable=False)
+
+    def __str__(self):
+        return f'SITE_KEY_XID: {self.site_key}'
+
+    @staticmethod
+    def create_statement(engine: Engine):
+        return CreateTable(Site.__table__).compile(engine)
+
+    @staticmethod
+    def get_default_site(engine: Engine) -> "Site":
+        session = sessionmaker(bind=engine)()
+        entity = session.query(Site).filter(Site.site_key == Site.INITIAL_SITE_KEY_XID).first()
+        session.close()
+        return entity
+
+
+class Instance(Base):
+    __tablename__ = "instance"
+
+    DEFAULT_INSTANCE_REF = '10000000-0000-0000-0000-000000000001'
+    DEFAULT_TOKEN_EXPIRE_DELTA = 86_400  # 1 day
+    DEFAULT_LEASE_EXPIRE_DELTA = 7_776_000  # 90 days
+    DEFAULT_LEASE_RENEWAL_PERIOD = 0.15
+    DEFAULT_CLIENT_TOKEN_EXPIRE_DELTA = 378_432_000  # 12 years
+    # 1 day = 86400 (min. in production setup, max 90 days), 1 hour = 3600
+
+    instance_ref = Column(CHAR(length=36), primary_key=True, unique=True, index=True)  # uuid4, INSTANCE_REF
+    site_key = Column(CHAR(length=36), ForeignKey(Site.site_key, ondelete='CASCADE'), nullable=False, index=True)  # uuid4
+    private_key = Column(BLOB(length=2048), nullable=False)
+    public_key = Column(BLOB(length=512), nullable=False)
+    token_expire_delta = Column(INT(), nullable=False, default=DEFAULT_TOKEN_EXPIRE_DELTA, comment='in seconds')
+    lease_expire_delta = Column(INT(), nullable=False, default=DEFAULT_LEASE_EXPIRE_DELTA, comment='in seconds')
+    lease_renewal_period = Column(FLOAT(precision=2), nullable=False, default=DEFAULT_LEASE_RENEWAL_PERIOD)
+    client_token_expire_delta = Column(INT(), nullable=False, default=DEFAULT_CLIENT_TOKEN_EXPIRE_DELTA, comment='in seconds')
+
+    __origin = relationship(Site, foreign_keys=[site_key])
+
+    def __str__(self):
+        return f'INSTANCE_REF: {self.instance_ref} (SITE_KEY_XID: {self.site_key})'
+
+    @staticmethod
+    def create_statement(engine: Engine):
+        return CreateTable(Instance.__table__).compile(engine)
+
+    @staticmethod
+    def create_or_update(engine: Engine, instance: "Instance"):
+        session = sessionmaker(bind=engine)()
+        entity = session.query(Instance).filter(Instance.instance_ref == instance.instance_ref).first()
+        if entity is None:
+            session.add(instance)
+        else:
+            x = dict(
+                site_key=instance.site_key,
+                private_key=instance.private_key,
+                public_key=instance.public_key,
+                token_expire_delta=instance.token_expire_delta,
+                lease_expire_delta=instance.lease_expire_delta,
+                lease_renewal_period=instance.lease_renewal_period,
+                client_token_expire_delta=instance.client_token_expire_delta,
+            )
+            session.execute(update(Instance).where(Instance.instance_ref == instance.instance_ref).values(**x))
+        session.commit()
+        session.flush()
+        session.close()
+
+    # todo: validate on startup that "lease_expire_delta" is between 1 day and 90 days
+
+    @staticmethod
+    def get_default_instance(engine: Engine) -> "Instance":
+        session = sessionmaker(bind=engine)()
+        site = Site.get_default_site(engine)
+        entity = session.query(Instance).filter(Instance.site_key == site.site_key).first()
+        session.close()
+        return entity
+
+    def get_token_expire_delta(self) -> "dateutil.relativedelta.relativedelta":
+        return relativedelta(seconds=self.token_expire_delta)
+
+    def get_lease_expire_delta(self) -> "dateutil.relativedelta.relativedelta":
+        return relativedelta(seconds=self.lease_expire_delta)
+
+    def get_lease_renewal_delta(self) -> "datetime.timedelta":
+        return timedelta(seconds=self.lease_expire_delta)
+
+    def get_client_token_expire_delta(self) -> "dateutil.relativedelta.relativedelta":
+        return relativedelta(seconds=self.client_token_expire_delta)
+
+    def __get_private_key(self) -> "PrivateKey":
+        return PrivateKey(self.private_key)
+
+    def get_public_key(self) -> "PublicKey":
+        return PublicKey(self.public_key)
+
+    def get_jwt_encode_key(self) -> "jose.jkw":
+        return jwk.construct(self.__get_private_key().pem().decode('utf-8'), algorithm=ALGORITHMS.RS256)
+
+    def get_jwt_decode_key(self) -> "jose.jwt":
+        return jwk.construct(self.get_public_key().pem().decode('utf-8'), algorithm=ALGORITHMS.RS256)
+
+    def get_private_key_str(self, encoding: str = 'utf-8') -> str:
+        return self.private_key.decode(encoding)
+
+    def get_public_key_str(self, encoding: str = 'utf-8') -> str:
+        return self.private_key.decode(encoding)
+
+
 class Origin(Base):
     __tablename__ = "origin"
 
     origin_ref = Column(CHAR(length=36), primary_key=True, unique=True, index=True)  # uuid4
-
     # service_instance_xid = Column(CHAR(length=36), nullable=False, index=True)  # uuid4 # not necessary, we only support one service_instance_xid ('INSTANCE_REF')
     hostname = Column(VARCHAR(length=256), nullable=True)
     guest_driver_version = Column(VARCHAR(length=10), nullable=True)
@@ -39,7 +162,6 @@ class Origin(Base):
 
     @staticmethod
     def create_statement(engine: Engine):
-        from sqlalchemy.schema import CreateTable
         return CreateTable(Origin.__table__).compile(engine)
 
     @staticmethod
@@ -85,18 +207,24 @@ class Origin(Base):
 class Lease(Base):
     __tablename__ = "lease"
 
+    instance_ref = Column(CHAR(length=36), ForeignKey(Instance.instance_ref, ondelete='CASCADE'), nullable=False, index=True)  # uuid4
     lease_ref = Column(CHAR(length=36), primary_key=True, nullable=False, index=True)  # uuid4
-
     origin_ref = Column(CHAR(length=36), ForeignKey(Origin.origin_ref, ondelete='CASCADE'), nullable=False, index=True)  # uuid4
     # scope_ref = Column(CHAR(length=36), nullable=False, index=True)  # uuid4 # not necessary, we only support one scope_ref ('ALLOTMENT_REF')
     lease_created = Column(DATETIME(), nullable=False)
     lease_expires = Column(DATETIME(), nullable=False)
     lease_updated = Column(DATETIME(), nullable=False)
 
+    __instance = relationship(Instance, foreign_keys=[instance_ref])
+    __origin = relationship(Origin, foreign_keys=[origin_ref])
+
     def __repr__(self):
         return f'Lease(origin_ref={self.origin_ref}, lease_ref={self.lease_ref}, expires={self.lease_expires})'
 
-    def serialize(self, renewal_period: float, renewal_delta: timedelta) -> dict:
+    def serialize(self) -> dict:
+        renewal_period = self.__instance.lease_renewal_period
+        renewal_delta = self.__instance.get_lease_renewal_delta
+
         lease_renewal = int(Lease.calculate_renewal(renewal_period, renewal_delta).total_seconds())
         lease_renewal = self.lease_updated + relativedelta(seconds=lease_renewal)
 
@@ -112,7 +240,6 @@ class Lease(Base):
 
     @staticmethod
     def create_statement(engine: Engine):
-        from sqlalchemy.schema import CreateTable
         return CreateTable(Lease.__table__).compile(engine)
 
     @staticmethod
@@ -206,38 +333,104 @@ class Lease(Base):
         return renew
 
 
+def init_default_site(session: Session):
+    private_key = PrivateKey.generate()
+    public_key = private_key.public_key()
+
+    site = Site(
+        site_key=Site.INITIAL_SITE_KEY_XID,
+        name=Site.INITIAL_SITE_NAME
+    )
+    session.add(site)
+    session.commit()
+
+    instance = Instance(
+        instance_ref=Instance.DEFAULT_INSTANCE_REF,
+        site_key=site.site_key,
+        private_key=private_key.pem(),
+        public_key=public_key.pem(),
+    )
+    session.add(instance)
+    session.commit()
+
+
 def init(engine: Engine):
-    tables = [Origin, Lease]
+    tables = [Site, Instance, Origin, Lease]
     db = inspect(engine)
     session = sessionmaker(bind=engine)()
     for table in tables:
-        if not db.dialect.has_table(engine.connect(), table.__tablename__):
+        exists = db.dialect.has_table(engine.connect(), table.__tablename__)
+        logger.info(f'> Table "{table.__tablename__:<16}" exists: {exists}')
+        if not exists:
             session.execute(text(str(table.create_statement(engine))))
             session.commit()
+
+    # create default site
+    cnt = session.query(Site).count()
+    if cnt == 0:
+        init_default_site(session)
+
+    session.flush()
     session.close()
 
 
 def migrate(engine: Engine):
     db = inspect(engine)
 
-    def upgrade_1_0_to_1_1():
+    # todo: add update guide to use 1.LATEST to 2.0
-        x = db.dialect.get_columns(engine.connect(), Lease.__tablename__)
+    def upgrade_1_x_to_2_0():
-        x = next(_ for _ in x if _['name'] == 'origin_ref')
+        site = Site.get_default_site(engine)
-        if x['primary_key'] > 0:
+        logger.info(site)
-            print('Found old database schema with "origin_ref" as primary-key in "lease" table. Dropping table!')
+        instance = Instance.get_default_instance(engine)
-            print('  Your leases are recreated on next renewal!')
+        logger.info(instance)
-            print('  If an error message appears on the client, you can ignore it.')
-            Lease.__table__.drop(bind=engine)
-            init(engine)
 
-    # def upgrade_1_2_to_1_3():
+        # SITE_KEY_XID
-    #    x = db.dialect.get_columns(engine.connect(), Lease.__tablename__)
+        if site_key := env('SITE_KEY_XID', None) is not None:
-    #    x = next((_ for _ in x if _['name'] == 'scope_ref'), None)
+            site.site_key = str(site_key)
-    #    if x is None:
-    #        Lease.scope_ref.compile()
-    #        column_name = Lease.scope_ref.name
-    #        column_type = Lease.scope_ref.type.compile(engine.dialect)
-    #        engine.execute(f'ALTER TABLE "{Lease.__tablename__}" ADD COLUMN "{column_name}" {column_type}')
 
-    upgrade_1_0_to_1_1()
+        # INSTANCE_REF
-    # upgrade_1_2_to_1_3()
+        if instance_ref := env('INSTANCE_REF', None) is not None:
+            instance.instance_ref = str(instance_ref)
+
+        # ALLOTMENT_REF
+        if allotment_ref := env('ALLOTMENT_REF', None) is not None:
+            pass  # todo
+
+        # INSTANCE_KEY_RSA, INSTANCE_KEY_PUB
+        default_instance_private_key_path = str(join(dirname(__file__), 'cert/instance.private.pem'))
+        instance_private_key = env('INSTANCE_KEY_RSA', None)
+        if instance_private_key is not None:
+            instance.private_key = PrivateKey(instance_private_key.encode('utf-8'))
+        elif isfile(default_instance_private_key_path):
+            instance.private_key = PrivateKey.from_file(default_instance_private_key_path)
+        default_instance_public_key_path = str(join(dirname(__file__), 'cert/instance.public.pem'))
+        instance_public_key = env('INSTANCE_KEY_PUB', None)
+        if instance_public_key is not None:
+            instance.public_key = PublicKey(instance_public_key.encode('utf-8'))
+        elif isfile(default_instance_public_key_path):
+            instance.public_key = PublicKey.from_file(default_instance_public_key_path)
+
+        # TOKEN_EXPIRE_DELTA
+        token_expire_delta = env('TOKEN_EXPIRE_DAYS', None)
+        if token_expire_delta not in (None, 0):
+            instance.token_expire_delta = token_expire_delta * 86_400
+        token_expire_delta = env('TOKEN_EXPIRE_HOURS', None)
+        if token_expire_delta not in (None, 0):
+            instance.token_expire_delta = token_expire_delta * 3_600
+
+        # LEASE_EXPIRE_DELTA, LEASE_RENEWAL_DELTA
+        lease_expire_delta = env('LEASE_EXPIRE_DAYS', None)
+        if lease_expire_delta not in (None, 0):
+            instance.lease_expire_delta = lease_expire_delta * 86_400
+        lease_expire_delta = env('LEASE_EXPIRE_HOURS', None)
+        if lease_expire_delta not in (None, 0):
+            instance.lease_expire_delta = lease_expire_delta * 3_600
+
+        # LEASE_RENEWAL_PERIOD
+        lease_renewal_period = env('LEASE_RENEWAL_PERIOD', None)
+        if lease_renewal_period is not None:
+            instance.lease_renewal_period = lease_renewal_period
+
+        # todo: update site, instance
+
+    upgrade_1_x_to_2_0()

app/static/product_mapping.json

@@ -1,643 +0,0 @@
-{
-  "product": [
-    {
-      "xid": "c0ce7114-d8a5-40d4-b8b0-df204f4ff631",
-      "product_family_xid": "bda4d909-2cdb-11ec-9838-061a22468b59",
-      "identifier": "NVIDIA-vComputeServer-9.0",
-      "name": "NVIDIA-vComputeServer-9.0",
-      "description": null
-    },
-    {
-      "xid": "2a99638e-493f-424b-bc3a-629935307490",
-      "product_family_xid": "bda4d909-2cdb-11ec-9838-061a22468b59",
-      "identifier": "vGaming_Flexera_License-0.1",
-      "name": "vGaming_Flexera_License-0.1",
-      "description": null
-    },
-    {
-      "xid": "a013d60c-3cd6-4e61-ae51-018b5e342178",
-      "product_family_xid": "bda4d909-2cdb-11ec-9838-061a22468b59",
-      "identifier": "GRID-Virtual-Apps-3.0",
-      "name": "GRID-Virtual-Apps-3.0",
-      "description": null
-    },
-    {
-      "xid": "bb99c6a3-81ce-4439-aef5-9648e75dd878",
-      "product_family_xid": "bda4d909-2cdb-11ec-9838-061a22468b59",
-      "identifier": "GRID-vGaming-NLS-Metered-8.0",
-      "name": "GRID-vGaming-NLS-Metered-8.0",
-      "description": null
-    },
-    {
-      "xid": "c653e131-695c-4477-b77c-42ade3dcb02c",
-      "product_family_xid": "bda4d909-2cdb-11ec-9838-061a22468b59",
-      "identifier": "GRID-Virtual-WS-Ext-2.0",
-      "name": "GRID-Virtual-WS-Ext-2.0",
-      "description": null
-    },
-    {
-      "xid": "6fc224ef-e0b5-467b-9bbb-d31c9eb7c6fc",
-      "product_family_xid": "bda4d909-2cdb-11ec-9838-061a22468b59",
-      "identifier": "GRID-vGaming-8.0",
-      "name": "GRID-vGaming-8.0",
-      "description": null
-    },
-    {
-      "xid": "3c88888d-ebf3-4df7-9e86-c97d5b29b997",
-      "product_family_xid": "bda4d909-2cdb-11ec-9838-061a22468b59",
-      "identifier": "GRID-Virtual-PC-2.0",
-      "name": "GRID-Virtual-PC-2.0",
-      "description": null
-    },
-    {
-      "xid": "66744b41-1fff-49be-a5a6-4cbd71b1117e",
-      "product_family_xid": "bda4d909-2cdb-11ec-9838-061a22468b59",
-      "identifier": "NVAIE_Licensing-1.0",
-      "name": "NVAIE_Licensing-1.0",
-      "description": null
-    },
-    {
-      "xid": "1d4e9ebc-a78c-41f4-a11a-de38a467b2ba",
-      "product_family_xid": "bda4d909-2cdb-11ec-9838-061a22468b59",
-      "identifier": "NVIDIA-vComputeServer NLS Metered-9.0",
-      "name": "NVIDIA-vComputeServer NLS Metered-9.0",
-      "description": null
-    },
-    {
-      "xid": "2152f8aa-d17b-46f5-8f5f-6f8c0760ce9c",
-      "product_family_xid": "bda4d909-2cdb-11ec-9838-061a22468b59",
-      "identifier": "vGaming_FB_License-0.1",
-      "name": "vGaming_FB_License-0.1",
-      "description": null
-    },
-    {
-      "xid": "54cbe0e8-7b35-4068-b058-e11f5b367c66",
-      "product_family_xid": "bda4d909-2cdb-11ec-9838-061a22468b59",
-      "identifier": "Quadro-Virtual-DWS-5.0",
-      "name": "Quadro-Virtual-DWS-5.0",
-      "description": null
-    },
-    {
-      "xid": "07a1d2b5-c147-48bc-bf44-9390339ca388",
-      "product_family_xid": "bda4d909-2cdb-11ec-9838-061a22468b59",
-      "identifier": "GRID-Virtual-WS-2.0",
-      "name": "GRID-Virtual-WS-2.0",
-      "description": null
-    },
-    {
-      "xid": "82d7a5f0-0c26-11ef-b3b6-371045c70906",
-      "product_family_xid": "bda4d909-2cdb-11ec-9838-061a22468b59",
-      "identifier": "vGaming_Flexera_License-0.1",
-      "name": "vGaming_Flexera_License-0.1",
-      "description": null
-    },
-    {
-      "xid": "bdfbde00-2cdb-11ec-9838-061a22468b59",
-      "product_family_xid": "bda4d909-2cdb-11ec-9838-061a22468b59",
-      "identifier": "NVIDIA Virtual Applications",
-      "name": "NVIDIA Virtual Applications",
-      "description": null
-    },
-    {
-      "xid": "bdfbe16d-2cdb-11ec-9838-061a22468b59",
-      "product_family_xid": "bda4d909-2cdb-11ec-9838-061a22468b59",
-      "identifier": "NVIDIA Virtual PC",
-      "name": "NVIDIA Virtual PC",
-      "description": null
-    },
-    {
-      "xid": "bdfbe308-2cdb-11ec-9838-061a22468b59",
-      "product_family_xid": "bda4d909-2cdb-11ec-9838-061a22468b59",
-      "identifier": "NVIDIA RTX Virtual Workstation",
-      "name": "NVIDIA RTX Virtual Workstation",
-      "description": null
-    },
-    {
-      "xid": "bdfbe405-2cdb-11ec-9838-061a22468b59",
-      "product_family_xid": "bda4d909-2cdb-11ec-9838-061a22468b59",
-      "identifier": "NVIDIA vGaming",
-      "name": "NVIDIA vGaming",
-      "description": null
-    },
-    {
-      "xid": "bdfbe509-2cdb-11ec-9838-061a22468b59",
-      "product_family_xid": "bda4d909-2cdb-11ec-9838-061a22468b59",
-      "identifier": "GRID Virtual Applications",
-      "name": "GRID Virtual Applications",
-      "description": null
-    },
-    {
-      "xid": "bdfbe5c6-2cdb-11ec-9838-061a22468b59",
-      "product_family_xid": "bda4d909-2cdb-11ec-9838-061a22468b59",
-      "identifier": "GRID Virtual PC",
-      "name": "GRID Virtual PC",
-      "description": null
-    },
-    {
-      "xid": "bdfbe6e8-2cdb-11ec-9838-061a22468b59",
-      "product_family_xid": "bda4d909-2cdb-11ec-9838-061a22468b59",
-      "identifier": "Quadro Virtual Data Center Workstation",
-      "name": "Quadro Virtual Data Center Workstation",
-      "description": null
-    },
-    {
-      "xid": "bdfbe7c8-2cdb-11ec-9838-061a22468b59",
-      "product_family_xid": "bda4d909-2cdb-11ec-9838-061a22468b59",
-      "identifier": "GRID vGaming",
-      "name": "GRID vGaming",
-      "description": null
-    },
-    {
-      "xid": "bdfbe884-2cdb-11ec-9838-061a22468b59",
-      "product_family_xid": "bda4d909-2cdb-11ec-9838-061a22468b59",
-      "identifier": "NVIDIA Virtual Compute Server",
-      "name": "NVIDIA Virtual Compute Server",
-      "description": null
-    },
-    {
-      "xid": "f09b5c33-5c07-11ed-9fa6-061a22468b59",
-      "product_family_xid": "bda4d909-2cdb-11ec-9838-061a22468b59",
-      "identifier": "NVIDIA OVE Licensing",
-      "name": "NVIDIA Omniverse Nucleus",
-      "description": null
-    }
-  ],
-  "product_fulfillment": [
-    {
-      "xid": "cf0a5330-b583-4d9f-84bb-cfc8ce0917bb",
-      "product_xid": "07a1d2b5-c147-48bc-bf44-9390339ca388",
-      "qualifier_specification": null,
-      "evaluation_order_index": 0
-    },
-    {
-      "xid": "90d0f05f-9431-4a15-86e7-740a4f08d457",
-      "product_xid": "1d4e9ebc-a78c-41f4-a11a-de38a467b2ba",
-      "qualifier_specification": null,
-      "evaluation_order_index": 0
-    },
-    {
-      "xid": "327385dd-4ba8-4b3c-bc56-30bcf58ae9a3",
-      "product_xid": "2152f8aa-d17b-46f5-8f5f-6f8c0760ce9c",
-      "qualifier_specification": null,
-      "evaluation_order_index": 0
-    },
-    {
-      "xid": "6733f2cc-0736-47ee-bcc8-20c4c624ce37",
-      "product_xid": "2a99638e-493f-424b-bc3a-629935307490",
-      "qualifier_specification": null,
-      "evaluation_order_index": 0
-    },
-    {
-      "xid": "f35396a9-24f8-44b6-aa6a-493b335f4d56",
-      "product_xid": "3c88888d-ebf3-4df7-9e86-c97d5b29b997",
-      "qualifier_specification": null,
-      "evaluation_order_index": 0
-    },
-    {
-      "xid": "6c7981d3-7192-4bfd-b7ec-ea2ad0b466dc",
-      "product_xid": "54cbe0e8-7b35-4068-b058-e11f5b367c66",
-      "qualifier_specification": null,
-      "evaluation_order_index": 0
-    },
-    {
-      "xid": "9bd09610-6190-4684-9be6-3d9503833e80",
-      "product_xid": "66744b41-1fff-49be-a5a6-4cbd71b1117e",
-      "qualifier_specification": null,
-      "evaluation_order_index": 0
-    },
-    {
-      "xid": "a4282e5b-ea08-4e0a-b724-7f4059ba99de",
-      "product_xid": "6fc224ef-e0b5-467b-9bbb-d31c9eb7c6fc",
-      "qualifier_specification": null,
-      "evaluation_order_index": 0
-    },
-    {
-      "xid": "5cf793fc-1fb3-45c0-a711-d3112c775cbe",
-      "product_xid": "a013d60c-3cd6-4e61-ae51-018b5e342178",
-      "qualifier_specification": null,
-      "evaluation_order_index": 0
-    },
-    {
-      "xid": "eb2d39a4-6370-4464-8a6a-ec3f42c69cb5",
-      "product_xid": "bb99c6a3-81ce-4439-aef5-9648e75dd878",
-      "qualifier_specification": null,
-      "evaluation_order_index": 0
-    },
-    {
-      "xid": "e9df1c70-7fac-4c84-b54c-66e922b9791a",
-      "product_xid": "c0ce7114-d8a5-40d4-b8b0-df204f4ff631",
-      "qualifier_specification": null,
-      "evaluation_order_index": 0
-    },
-    {
-      "xid": "6a4d5bcd-7b81-4e22-a289-ce3673e5cabf",
-      "product_xid": "c653e131-695c-4477-b77c-42ade3dcb02c",
-      "qualifier_specification": null,
-      "evaluation_order_index": 0
-    },
-    {
-      "xid": "9e162d3c-0c26-11ef-b3b6-371045c70906",
-      "product_xid": "82d7a5f0-0c26-11ef-b3b6-371045c70906",
-      "qualifier_specification": null,
-      "evaluation_order_index": 0
-    },
-    {
-      "xid": "be2769b9-2cdb-11ec-9838-061a22468b59",
-      "product_xid": "bdfbde00-2cdb-11ec-9838-061a22468b59",
-      "qualifier_specification": null,
-      "evaluation_order_index": 0
-    },
-    {
-      "xid": "be276d7b-2cdb-11ec-9838-061a22468b59",
-      "product_xid": "bdfbe16d-2cdb-11ec-9838-061a22468b59",
-      "qualifier_specification": null,
-      "evaluation_order_index": 0
-    },
-    {
-      "xid": "be276efe-2cdb-11ec-9838-061a22468b59",
-      "product_xid": "bdfbe308-2cdb-11ec-9838-061a22468b59",
-      "qualifier_specification": null,
-      "evaluation_order_index": 0
-    },
-    {
-      "xid": "be276ff0-2cdb-11ec-9838-061a22468b59",
-      "product_xid": "bdfbe405-2cdb-11ec-9838-061a22468b59",
-      "qualifier_specification": null,
-      "evaluation_order_index": 0
-    },
-    {
-      "xid": "be2770af-2cdb-11ec-9838-061a22468b59",
-      "product_xid": "bdfbe509-2cdb-11ec-9838-061a22468b59",
-      "qualifier_specification": null,
-      "evaluation_order_index": 0
-    },
-    {
-      "xid": "be277164-2cdb-11ec-9838-061a22468b59",
-      "product_xid": "bdfbe5c6-2cdb-11ec-9838-061a22468b59",
-      "qualifier_specification": null,
-      "evaluation_order_index": 0
-    },
-    {
-      "xid": "be277214-2cdb-11ec-9838-061a22468b59",
-      "product_xid": "bdfbe6e8-2cdb-11ec-9838-061a22468b59",
-      "qualifier_specification": null,
-      "evaluation_order_index": 0
-    },
-    {
-      "xid": "be2772c8-2cdb-11ec-9838-061a22468b59",
-      "product_xid": "bdfbe7c8-2cdb-11ec-9838-061a22468b59",
-      "qualifier_specification": null,
-      "evaluation_order_index": 0
-    },
-    {
-      "xid": "be277379-2cdb-11ec-9838-061a22468b59",
-      "product_xid": "bdfbe884-2cdb-11ec-9838-061a22468b59",
-      "qualifier_specification": null,
-      "evaluation_order_index": 0
-    },
-    {
-      "xid": "c4284597-5c09-11ed-9fa6-061a22468b59",
-      "product_xid": "f09b5c33-5c07-11ed-9fa6-061a22468b59",
-      "qualifier_specification": null,
-      "evaluation_order_index": 0
-    }
-  ],
-  "product_fulfillment_feature": [
-    {
-      "xid": "9ca32d2b-736e-4e4f-8f5a-895a755b4c41",
-      "product_fulfillment_xid": "5cf793fc-1fb3-45c0-a711-d3112c775cbe",
-      "feature_identifier": "GRID-Virtual-Apps",
-      "feature_version": "3.0",
-      "license_type_identifier": "CONCURRENT_COUNTED_SINGLE",
-      "evaluation_order_index": 0
-    },
-    {
-      "xid": "d8b25329-f47f-43dc-a278-f2d38f9e939b",
-      "product_fulfillment_xid": "f35396a9-24f8-44b6-aa6a-493b335f4d56",
-      "feature_identifier": "GRID-Virtual-PC",
-      "feature_version": "2.0",
-      "license_type_identifier": "CONCURRENT_COUNTED_SINGLE",
-      "evaluation_order_index": 0
-    },
-    {
-      "xid": "e7102df8-d88a-4bd0-aa79-9a53d8b77888",
-      "product_fulfillment_xid": "cf0a5330-b583-4d9f-84bb-cfc8ce0917bb",
-      "feature_identifier": "GRID-Virtual-WS",
-      "feature_version": "2.0",
-      "license_type_identifier": "CONCURRENT_COUNTED_SINGLE",
-      "evaluation_order_index": 0
-    },
-    {
-      "xid": "30761db3-0afe-454d-b284-efba6d9b13a3",
-      "product_fulfillment_xid": "6a4d5bcd-7b81-4e22-a289-ce3673e5cabf",
-      "feature_identifier": "GRID-Virtual-WS-Ext",
-      "feature_version": "2.0",
-      "license_type_identifier": "CONCURRENT_COUNTED_SINGLE",
-      "evaluation_order_index": 0
-    },
-    {
-      "xid": "10fd7701-83ae-4caf-a27f-75880fab23f6",
-      "product_fulfillment_xid": "a4282e5b-ea08-4e0a-b724-7f4059ba99de",
-      "feature_identifier": "GRID-vGaming",
-      "feature_version": "8.0",
-      "license_type_identifier": "CONCURRENT_COUNTED_SINGLE",
-      "evaluation_order_index": 0
-    },
-    {
-      "xid": "cbd61276-fb1e-42e1-b844-43e94465da8f",
-      "product_fulfillment_xid": "9bd09610-6190-4684-9be6-3d9503833e80",
-      "feature_identifier": "NVAIE_Licensing",
-      "feature_version": "1.0",
-      "license_type_identifier": "CONCURRENT_COUNTED_SINGLE",
-      "evaluation_order_index": 0
-    },
-    {
-      "xid": "6b1c74b5-1511-46ee-9f12-8bc6d5636fef",
-      "product_fulfillment_xid": "90d0f05f-9431-4a15-86e7-740a4f08d457",
-      "feature_identifier": "NVIDIA-vComputeServer NLS Metered",
-      "feature_version": "9.0",
-      "license_type_identifier": "CONCURRENT_COUNTED_SINGLE",
-      "evaluation_order_index": 0
-    },
-    {
-      "xid": "db53af09-7295-48b7-b927-24b23690c959",
-      "product_fulfillment_xid": "e9df1c70-7fac-4c84-b54c-66e922b9791a",
-      "feature_identifier": "NVIDIA-vComputeServer",
-      "feature_version": "9.0",
-      "license_type_identifier": "CONCURRENT_COUNTED_SINGLE",
-      "evaluation_order_index": 0
-    },
-    {
-      "xid": "1f62be61-a887-4e54-a34e-61cfa7b2db30",
-      "product_fulfillment_xid": "6c7981d3-7192-4bfd-b7ec-ea2ad0b466dc",
-      "feature_identifier": "Quadro-Virtual-DWS",
-      "feature_version": "5.0",
-      "license_type_identifier": "CONCURRENT_COUNTED_SINGLE",
-      "evaluation_order_index": 0
-    },
-    {
-      "xid": "8a4b5e98-f1ca-4c18-b0d4-8f4f9f0462e2",
-      "product_fulfillment_xid": "327385dd-4ba8-4b3c-bc56-30bcf58ae9a3",
-      "feature_identifier": "vGaming_FB_License",
-      "feature_version": "0.1",
-      "license_type_identifier": "CONCURRENT_COUNTED_SINGLE",
-      "evaluation_order_index": 0
-    },
-    {
-      "xid": "be531e98-2cdb-11ec-9838-061a22468b59",
-      "product_fulfillment_xid": "be2769b9-2cdb-11ec-9838-061a22468b59",
-      "feature_identifier": "GRID-Virtual-Apps",
-      "feature_version": "3.0",
-      "license_type_identifier": "CONCURRENT_COUNTED_SINGLE",
-      "evaluation_order_index": 0
-    },
-    {
-      "xid": "be53219e-2cdb-11ec-9838-061a22468b59",
-      "product_fulfillment_xid": "be276d7b-2cdb-11ec-9838-061a22468b59",
-      "feature_identifier": "GRID-Virtual-PC",
-      "feature_version": "2.0",
-      "license_type_identifier": "CONCURRENT_COUNTED_SINGLE",
-      "evaluation_order_index": 0
-    },
-    {
-      "xid": "be5322f0-2cdb-11ec-9838-061a22468b59",
-      "product_fulfillment_xid": "be276d7b-2cdb-11ec-9838-061a22468b59",
-      "feature_identifier": "Quadro-Virtual-DWS",
-      "feature_version": "5.0",
-      "license_type_identifier": "CONCURRENT_COUNTED_SINGLE",
-      "evaluation_order_index": 1
-    },
-    {
-      "xid": "be5323d8-2cdb-11ec-9838-061a22468b59",
-      "product_fulfillment_xid": "be276d7b-2cdb-11ec-9838-061a22468b59",
-      "feature_identifier": "GRID-Virtual-WS",
-      "feature_version": "2.0",
-      "license_type_identifier": "CONCURRENT_COUNTED_SINGLE",
-      "evaluation_order_index": 2
-    },
-    {
-      "xid": "be5324a6-2cdb-11ec-9838-061a22468b59",
-      "product_fulfillment_xid": "be276d7b-2cdb-11ec-9838-061a22468b59",
-      "feature_identifier": "GRID-Virtual-WS-Ext",
-      "feature_version": "2.0",
-      "license_type_identifier": "CONCURRENT_COUNTED_SINGLE",
-      "evaluation_order_index": 3
-    },
-    {
-      "xid": "be532568-2cdb-11ec-9838-061a22468b59",
-      "product_fulfillment_xid": "be276efe-2cdb-11ec-9838-061a22468b59",
-      "feature_identifier": "Quadro-Virtual-DWS",
-      "feature_version": "5.0",
-      "license_type_identifier": "CONCURRENT_COUNTED_SINGLE",
-      "evaluation_order_index": 0
-    },
-    {
-      "xid": "be532630-2cdb-11ec-9838-061a22468b59",
-      "product_fulfillment_xid": "be276efe-2cdb-11ec-9838-061a22468b59",
-      "feature_identifier": "GRID-Virtual-WS",
-      "feature_version": "2.0",
-      "license_type_identifier": "CONCURRENT_COUNTED_SINGLE",
-      "evaluation_order_index": 1
-    },
-    {
-      "xid": "be5326e7-2cdb-11ec-9838-061a22468b59",
-      "product_fulfillment_xid": "be276efe-2cdb-11ec-9838-061a22468b59",
-      "feature_identifier": "GRID-Virtual-WS-Ext",
-      "feature_version": "2.0",
-      "license_type_identifier": "CONCURRENT_COUNTED_SINGLE",
-      "evaluation_order_index": 2
-    },
-    {
-      "xid": "be5327a7-2cdb-11ec-9838-061a22468b59",
-      "product_fulfillment_xid": "be276ff0-2cdb-11ec-9838-061a22468b59",
-      "feature_identifier": "GRID-vGaming",
-      "feature_version": "8.0",
-      "license_type_identifier": "CONCURRENT_COUNTED_SINGLE",
-      "evaluation_order_index": 0
-    },
-    {
-      "xid": "be532923-2cdb-11ec-9838-061a22468b59",
-      "product_fulfillment_xid": "be2770af-2cdb-11ec-9838-061a22468b59",
-      "feature_identifier": "GRID-Virtual-Apps",
-      "feature_version": "3.0",
-      "license_type_identifier": "CONCURRENT_COUNTED_SINGLE",
-      "evaluation_order_index": 0
-    },
-    {
-      "xid": "be5329e0-2cdb-11ec-9838-061a22468b59",
-      "product_fulfillment_xid": "be277164-2cdb-11ec-9838-061a22468b59",
-      "feature_identifier": "GRID-Virtual-PC",
-      "feature_version": "2.0",
-      "license_type_identifier": "CONCURRENT_COUNTED_SINGLE",
-      "evaluation_order_index": 0
-    },
-    {
-      "xid": "be532aa0-2cdb-11ec-9838-061a22468b59",
-      "product_fulfillment_xid": "be277164-2cdb-11ec-9838-061a22468b59",
-      "feature_identifier": "Quadro-Virtual-DWS",
-      "feature_version": "5.0",
-      "license_type_identifier": "CONCURRENT_COUNTED_SINGLE",
-      "evaluation_order_index": 1
-    },
-    {
-      "xid": "be532b5c-2cdb-11ec-9838-061a22468b59",
-      "product_fulfillment_xid": "be277164-2cdb-11ec-9838-061a22468b59",
-      "feature_identifier": "GRID-Virtual-WS",
-      "feature_version": "2.0",
-      "license_type_identifier": "CONCURRENT_COUNTED_SINGLE",
-      "evaluation_order_index": 2
-    },
-    {
-      "xid": "be532c19-2cdb-11ec-9838-061a22468b59",
-      "product_fulfillment_xid": "be277164-2cdb-11ec-9838-061a22468b59",
-      "feature_identifier": "GRID-Virtual-WS-Ext",
-      "feature_version": "2.0",
-      "license_type_identifier": "CONCURRENT_COUNTED_SINGLE",
-      "evaluation_order_index": 3
-    },
-    {
-      "xid": "be532ccb-2cdb-11ec-9838-061a22468b59",
-      "product_fulfillment_xid": "be277214-2cdb-11ec-9838-061a22468b59",
-      "feature_identifier": "Quadro-Virtual-DWS",
-      "feature_version": "5.0",
-      "license_type_identifier": "CONCURRENT_COUNTED_SINGLE",
-      "evaluation_order_index": 0
-    },
-    {
-      "xid": "be532d92-2cdb-11ec-9838-061a22468b59",
-      "product_fulfillment_xid": "be277214-2cdb-11ec-9838-061a22468b59",
-      "feature_identifier": "GRID-Virtual-WS",
-      "feature_version": "2.0",
-      "license_type_identifier": "CONCURRENT_COUNTED_SINGLE",
-      "evaluation_order_index": 1
-    },
-    {
-      "xid": "be532e45-2cdb-11ec-9838-061a22468b59",
-      "product_fulfillment_xid": "be277214-2cdb-11ec-9838-061a22468b59",
-      "feature_identifier": "GRID-Virtual-WS-Ext",
-      "feature_version": "2.0",
-      "license_type_identifier": "CONCURRENT_COUNTED_SINGLE",
-      "evaluation_order_index": 2
-    },
-    {
-      "xid": "be532efa-2cdb-11ec-9838-061a22468b59",
-      "product_fulfillment_xid": "be2772c8-2cdb-11ec-9838-061a22468b59",
-      "feature_identifier": "GRID-vGaming",
-      "feature_version": "8.0",
-      "license_type_identifier": "CONCURRENT_COUNTED_SINGLE",
-      "evaluation_order_index": 0
-    },
-    {
-      "xid": "be53306d-2cdb-11ec-9838-061a22468b59",
-      "product_fulfillment_xid": "be277379-2cdb-11ec-9838-061a22468b59",
-      "feature_identifier": "NVIDIA-vComputeServer",
-      "feature_version": "9.0",
-      "license_type_identifier": "CONCURRENT_COUNTED_SINGLE",
-      "evaluation_order_index": 0
-    },
-    {
-      "xid": "be533228-2cdb-11ec-9838-061a22468b59",
-      "product_fulfillment_xid": "be277379-2cdb-11ec-9838-061a22468b59",
-      "feature_identifier": "NVIDIA-vComputeServer NLS Metered",
-      "feature_version": "9.0",
-      "license_type_identifier": "CONCURRENT_UNCOUNTED_SINGLE",
-      "evaluation_order_index": 2
-    },
-    {
-      "xid": "be5332f6-2cdb-11ec-9838-061a22468b59",
-      "product_fulfillment_xid": "be277379-2cdb-11ec-9838-061a22468b59",
-      "feature_identifier": "NVAIE_Licensing",
-      "feature_version": "1.0",
-      "license_type_identifier": "CONCURRENT_COUNTED_SINGLE",
-      "evaluation_order_index": 3
-    },
-    {
-      "xid": "15ff4f16-57a8-4593-93ec-58352a256f12",
-      "product_fulfillment_xid": "eb2d39a4-6370-4464-8a6a-ec3f42c69cb5",
-      "feature_identifier": "GRID-vGaming-NLS-Metered",
-      "feature_version": "8.0",
-      "license_type_identifier": "CONCURRENT_COUNTED_SINGLE",
-      "evaluation_order_index": 3
-    },
-    {
-      "xid": "0c1552ca-3ef8-11ed-9fa6-061a22468b59",
-      "product_fulfillment_xid": "be276ff0-2cdb-11ec-9838-061a22468b59",
-      "feature_identifier": "vGaming_Flexera_License",
-      "feature_version": "0.1",
-      "license_type_identifier": "CONCURRENT_COUNTED_SINGLE",
-      "evaluation_order_index": 1
-    },
-    {
-      "xid": "31c3be8c-5c0a-11ed-9fa6-061a22468b59",
-      "product_fulfillment_xid": "c4284597-5c09-11ed-9fa6-061a22468b59",
-      "feature_identifier": "OVE_Licensing",
-      "feature_version": "1.0",
-      "license_type_identifier": "CONCURRENT_COUNTED_SINGLE",
-      "evaluation_order_index": 0
-    },
-    {
-      "xid": "6caeb4cf-360f-11ee-b67d-02f279bf2bff",
-      "product_fulfillment_xid": "be277379-2cdb-11ec-9838-061a22468b59",
-      "feature_identifier": "NVAIE_Licensing",
-      "feature_version": "2.0",
-      "license_type_identifier": "CONCURRENT_COUNTED_SINGLE",
-      "evaluation_order_index": 4
-    },
-    {
-      "xid": "7fb1d01d-3f0e-11ed-9fa6-061a22468b59",
-      "product_fulfillment_xid": "be276ff0-2cdb-11ec-9838-061a22468b59",
-      "feature_identifier": "vGaming_FB_License",
-      "feature_version": "0.1",
-      "license_type_identifier": "CONCURRENT_COUNTED_SINGLE",
-      "evaluation_order_index": 2
-    },
-    {
-      "xid": "8eabcb08-3f0e-11ed-9fa6-061a22468b59",
-      "product_fulfillment_xid": "be2772c8-2cdb-11ec-9838-061a22468b59",
-      "feature_identifier": "vGaming_FB_License",
-      "feature_version": "0.1",
-      "license_type_identifier": "CONCURRENT_COUNTED_SINGLE",
-      "evaluation_order_index": 2
-    },
-    {
-      "xid": "a1dfe741-3e49-11ed-9fa6-061a22468b59",
-      "product_fulfillment_xid": "be2772c8-2cdb-11ec-9838-061a22468b59",
-      "feature_identifier": "vGaming_Flexera_License",
-      "feature_version": "0.1",
-      "license_type_identifier": "CONCURRENT_COUNTED_SINGLE",
-      "evaluation_order_index": 1
-    },
-    {
-      "xid": "be53286a-2cdb-11ec-9838-061a22468b59",
-      "product_fulfillment_xid": "be276ff0-2cdb-11ec-9838-061a22468b59",
-      "feature_identifier": "GRID-vGaming-NLS-Metered",
-      "feature_version": "8.0",
-      "license_type_identifier": "CONCURRENT_UNCOUNTED_SINGLE",
-      "evaluation_order_index": 3
-    },
-    {
-      "xid": "be532fb2-2cdb-11ec-9838-061a22468b59",
-      "product_fulfillment_xid": "be2772c8-2cdb-11ec-9838-061a22468b59",
-      "feature_identifier": "GRID-vGaming-NLS-Metered",
-      "feature_version": "8.0",
-      "license_type_identifier": "CONCURRENT_UNCOUNTED_SINGLE",
-      "evaluation_order_index": 3
-    },
-    {
-      "xid": "be533144-2cdb-11ec-9838-061a22468b59",
-      "product_fulfillment_xid": "be277379-2cdb-11ec-9838-061a22468b59",
-      "feature_identifier": "Quadro-Virtual-DWS",
-      "feature_version": "0.0",
-      "license_type_identifier": "CONCURRENT_COUNTED_SINGLE",
-      "evaluation_order_index": 1
-    },
-    {
-      "xid": "bf105e18-0c26-11ef-b3b6-371045c70906",
-      "product_fulfillment_xid": "9e162d3c-0c26-11ef-b3b6-371045c70906",
-      "feature_identifier": "vGaming_Flexera_License",
-      "feature_version": "0.1",
-      "license_type_identifier": "CONCURRENT_COUNTED_SINGLE",
-      "evaluation_order_index": 0
-    }
-  ]
-}

app/util.py

@@ -1,17 +1,9 @@
 import logging
-from datetime import datetime, UTC, timedelta
+from json import load as json_load
-from json import loads as json_loads
-from os.path import join, dirname, isfile, isdir
 
-from cryptography import x509
+from cryptography.hazmat.primitives import serialization
-from cryptography.hazmat._oid import NameOID
-from cryptography.hazmat.primitives import serialization, hashes
-from cryptography.hazmat.primitives.asymmetric.padding import PKCS1v15
 from cryptography.hazmat.primitives.asymmetric.rsa import RSAPrivateKey, RSAPublicKey, generate_private_key
-from cryptography.hazmat.primitives.hashes import SHA256
-from cryptography.hazmat.primitives.serialization import Encoding
 from cryptography.hazmat.primitives.serialization import load_pem_private_key, load_pem_public_key
-from cryptography.x509 import load_pem_x509_certificate, Certificate
 
 logging.basicConfig()
 
@@ -24,209 +16,6 @@ def load_file(filename: str) -> bytes:
     return content
 
 
-class CASetup:
-    ###
-    #
-    # https://git.collinwebdesigns.de/nvidia/nls/-/blob/main/src/test/test_config_token.py
-    #
-    ###
-
-    ROOT_PRIVATE_KEY_FILENAME = 'root_private_key.pem'
-    ROOT_CERTIFICATE_FILENAME = 'root_certificate.pem'
-    CA_PRIVATE_KEY_FILENAME = 'ca_private_key.pem'
-    CA_CERTIFICATE_FILENAME = 'ca_certificate.pem'
-    SI_PRIVATE_KEY_FILENAME = 'si_private_key.pem'
-    SI_CERTIFICATE_FILENAME = 'si_certificate.pem'
-
-    def __init__(self, service_instance_ref: str, cert_path: str = None):
-        cert_path_prefix = join(dirname(__file__), 'cert')
-        if cert_path is not None and len(cert_path) > 0 and isdir(cert_path):
-            cert_path_prefix = cert_path
-
-        self.service_instance_ref = service_instance_ref
-        self.root_private_key_filename = join(cert_path_prefix, CASetup.ROOT_PRIVATE_KEY_FILENAME)
-        self.root_certificate_filename = join(cert_path_prefix, CASetup.ROOT_CERTIFICATE_FILENAME)
-        self.ca_private_key_filename = join(cert_path_prefix, CASetup.CA_PRIVATE_KEY_FILENAME)
-        self.ca_certificate_filename = join(cert_path_prefix, CASetup.CA_CERTIFICATE_FILENAME)
-        self.si_private_key_filename = join(cert_path_prefix, CASetup.SI_PRIVATE_KEY_FILENAME)
-        self.si_certificate_filename = join(cert_path_prefix, CASetup.SI_CERTIFICATE_FILENAME)
-
-        if not (isfile(self.root_private_key_filename)
-                and isfile(self.root_certificate_filename)
-                and isfile(self.ca_private_key_filename)
-                and isfile(self.ca_certificate_filename)
-                and isfile(self.si_private_key_filename)
-                and isfile(self.si_certificate_filename)):
-            self.init_config_token_demo()
-
-    def init_config_token_demo(self):
-        """ Create Root Key and Certificate """
-
-        # create root keypair
-        my_root_private_key = generate_private_key(public_exponent=65537, key_size=4096)
-        my_root_public_key = my_root_private_key.public_key()
-
-        # create root-certificate subject
-        my_root_subject = x509.Name([
-            x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
-            x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'California'),
-            x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'Nvidia'),
-            x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME, u'Nvidia Licensing Service (NLS)'),
-            x509.NameAttribute(NameOID.COMMON_NAME, u'NLS Root CA'),
-        ])
-
-        # create self-signed root-certificate
-        my_root_certificate = (
-            x509.CertificateBuilder()
-            .subject_name(my_root_subject)
-            .issuer_name(my_root_subject)
-            .public_key(my_root_public_key)
-            .serial_number(x509.random_serial_number())
-            .not_valid_before(datetime.now(tz=UTC) - timedelta(days=1))
-            .not_valid_after(datetime.now(tz=UTC) + timedelta(days=365 * 10))
-            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
-            .add_extension(x509.KeyUsage(
-                digital_signature=False,
-                key_encipherment=False,
-                key_cert_sign=True,
-                key_agreement=False,
-                content_commitment=False,
-                data_encipherment=False,
-                crl_sign=True,
-                encipher_only=False,
-                decipher_only=False),
-                critical=True
-            )
-            .add_extension(x509.SubjectKeyIdentifier.from_public_key(my_root_public_key), critical=False)
-            .add_extension(x509.AuthorityKeyIdentifier.from_issuer_public_key(my_root_public_key), critical=False)
-            .sign(my_root_private_key, hashes.SHA256()))
-
-        my_root_private_key_as_pem = my_root_private_key.private_bytes(
-            encoding=serialization.Encoding.PEM,
-            format=serialization.PrivateFormat.TraditionalOpenSSL,
-            encryption_algorithm=serialization.NoEncryption(),
-        )
-
-        with open(self.root_private_key_filename, 'wb') as f:
-            f.write(my_root_private_key_as_pem)
-
-        with open(self.root_certificate_filename, 'wb') as f:
-            f.write(my_root_certificate.public_bytes(encoding=Encoding.PEM))
-
-        """ Create CA (Intermediate) Key and Certificate """
-
-        # create ca keypair
-        my_ca_private_key = generate_private_key(public_exponent=65537, key_size=4096)
-        my_ca_public_key = my_ca_private_key.public_key()
-
-        # create ca-certificate subject
-        my_ca_subject = x509.Name([
-            x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
-            x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'California'),
-            x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'Nvidia'),
-            x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME, u'Nvidia Licensing Service (NLS)'),
-            x509.NameAttribute(NameOID.COMMON_NAME, u'NLS Intermediate CA'),
-        ])
-
-        # create self-signed ca-certificate
-        my_ca_certificate = (
-            x509.CertificateBuilder()
-            .subject_name(my_ca_subject)
-            .issuer_name(my_root_subject)
-            .public_key(my_ca_public_key)
-            .serial_number(x509.random_serial_number())
-            .not_valid_before(datetime.now(tz=UTC) - timedelta(days=1))
-            .not_valid_after(datetime.now(tz=UTC) + timedelta(days=365 * 10))
-            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
-            .add_extension(x509.KeyUsage(
-                digital_signature=False,
-                key_encipherment=False,
-                key_cert_sign=True,
-                key_agreement=False,
-                content_commitment=False,
-                data_encipherment=False,
-                crl_sign=True,
-                encipher_only=False,
-                decipher_only=False),
-                critical=True
-            )
-            .add_extension(x509.SubjectKeyIdentifier.from_public_key(my_ca_public_key), critical=False)
-            .add_extension(x509.AuthorityKeyIdentifier.from_issuer_subject_key_identifier(
-                my_root_certificate.extensions.get_extension_for_class(x509.SubjectKeyIdentifier).value
-            ), critical=False)
-            .sign(my_root_private_key, hashes.SHA256()))
-
-        my_ca_private_key_as_pem = my_ca_private_key.private_bytes(
-            encoding=serialization.Encoding.PEM,
-            format=serialization.PrivateFormat.TraditionalOpenSSL,
-            encryption_algorithm=serialization.NoEncryption(),
-        )
-
-        with open(self.ca_private_key_filename, 'wb') as f:
-            f.write(my_ca_private_key_as_pem)
-
-        with open(self.ca_certificate_filename, 'wb') as f:
-            f.write(my_ca_certificate.public_bytes(encoding=Encoding.PEM))
-
-        """ Create Service-Instance Key and Certificate """
-
-        # create si keypair
-        my_si_private_key = generate_private_key(public_exponent=65537, key_size=2048)
-        my_si_public_key = my_si_private_key.public_key()
-
-        my_si_private_key_as_pem = my_si_private_key.private_bytes(
-            encoding=serialization.Encoding.PEM,
-            format=serialization.PrivateFormat.TraditionalOpenSSL,
-            encryption_algorithm=serialization.NoEncryption(),
-        )
-        my_si_public_key_as_pem = my_si_public_key.public_bytes(
-            encoding=serialization.Encoding.PEM,
-            format=serialization.PublicFormat.SubjectPublicKeyInfo,
-        )
-
-        with open(self.si_private_key_filename, 'wb') as f:
-            f.write(my_si_private_key_as_pem)
-
-        # with open(self.si_public_key_filename, 'wb') as f:
-        #    f.write(my_si_public_key_as_pem)
-
-        # create si-certificate subject
-        my_si_subject = x509.Name([
-            # x509.NameAttribute(NameOID.COMMON_NAME, INSTANCE_REF),
-            x509.NameAttribute(NameOID.COMMON_NAME, self.service_instance_ref),
-        ])
-
-        # create self-signed si-certificate
-        my_si_certificate = (
-            x509.CertificateBuilder()
-            .subject_name(my_si_subject)
-            .issuer_name(my_ca_subject)
-            .public_key(my_si_public_key)
-            .serial_number(x509.random_serial_number())
-            .not_valid_before(datetime.now(tz=UTC) - timedelta(days=1))
-            .not_valid_after(datetime.now(tz=UTC) + timedelta(days=365 * 10))
-            .add_extension(x509.KeyUsage(digital_signature=True, key_encipherment=True, key_cert_sign=False,
-                                         key_agreement=True, content_commitment=False, data_encipherment=False,
-                                         crl_sign=False, encipher_only=False, decipher_only=False), critical=True)
-            .add_extension(x509.ExtendedKeyUsage([
-                x509.oid.ExtendedKeyUsageOID.SERVER_AUTH,
-                x509.oid.ExtendedKeyUsageOID.CLIENT_AUTH]
-            ), critical=False)
-            .add_extension(x509.SubjectKeyIdentifier.from_public_key(my_si_public_key), critical=False)
-            # .add_extension(x509.AuthorityKeyIdentifier.from_issuer_public_key(my_ca_public_key), critical=False)
-            .add_extension(x509.AuthorityKeyIdentifier.from_issuer_subject_key_identifier(
-                my_ca_certificate.extensions.get_extension_for_class(x509.SubjectKeyIdentifier).value
-            ), critical=False)
-            .add_extension(x509.SubjectAlternativeName([
-                # x509.DNSName(INSTANCE_REF)
-                x509.DNSName(self.service_instance_ref)
-            ]), critical=False)
-            .sign(my_ca_private_key, hashes.SHA256()))
-
-        with open(self.si_certificate_filename, 'wb') as f:
-            f.write(my_si_certificate.public_bytes(encoding=Encoding.PEM))
-
-
 class PrivateKey:
 
     def __init__(self, data: bytes):
@@ -259,9 +48,6 @@ class PrivateKey:
         )
         return PublicKey(data=data)
 
-    def generate_signature(self, data: bytes) -> bytes:
-        return self.__key.sign(data=data, padding=PKCS1v15(), algorithm=SHA256())
-
     @staticmethod
     def generate(public_exponent: int = 65537, key_size: int = 2048) -> "PrivateKey":
         log = logging.getLogger(__name__)
@@ -299,53 +85,6 @@ class PublicKey:
             format=serialization.PublicFormat.SubjectPublicKeyInfo
         )
 
-    def mod(self) -> str:
-        return hex(self.__key.public_numbers().n)[2:]
-
-    def exp(self):
-        return int(self.__key.public_numbers().e)
-
-    def verify_signature(self, signature: bytes, data: bytes) -> None:
-        self.__key.verify(signature=signature, data=data, padding=PKCS1v15(), algorithm=SHA256())
-
-
-class Cert:
-
-    def __init__(self, data: bytes):
-        self.__cert = load_pem_x509_certificate(data)
-
-    @staticmethod
-    def from_file(filename: str) -> "Cert":
-        log = logging.getLogger(__name__)
-        log.debug(f'Importing Certificate from "{filename}"')
-
-        with open(filename, 'rb') as f:
-            data = f.read()
-
-        return Cert(data=data.strip())
-
-    def raw(self) -> Certificate:
-        return self.__cert
-
-    def pem(self) -> bytes:
-        return self.__cert.public_bytes(encoding=serialization.Encoding.PEM)
-
-    def public_key(self) -> "PublicKey":
-        data = self.__cert.public_key().public_bytes(
-            encoding=serialization.Encoding.PEM,
-            format=serialization.PublicFormat.SubjectPublicKeyInfo
-        )
-        return PublicKey(data=data)
-
-    def signature(self) -> bytes:
-        return self.__cert.signature
-
-    def subject_key_identifier(self):
-        return self.__cert.extensions.get_extension_for_class(x509.SubjectKeyIdentifier).value.key_identifier
-
-    def authority_key_identifier(self):
-        return self.__cert.extensions.get_extension_for_class(x509.AuthorityKeyIdentifier).value.key_identifier
-
 
 class DriverMatrix:
     __DRIVER_MATRIX_FILENAME = 'static/driver_matrix.json'
@@ -359,12 +98,13 @@ class DriverMatrix:
 
     def __load(self):
         try:
-            with open(DriverMatrix.__DRIVER_MATRIX_FILENAME, 'r') as f:
+            file = open(DriverMatrix.__DRIVER_MATRIX_FILENAME)
-                DriverMatrix.__DRIVER_MATRIX = json_loads(f.read())
+            DriverMatrix.__DRIVER_MATRIX = json_load(file)
+            file.close()
             self.log.debug(f'Successfully loaded "{DriverMatrix.__DRIVER_MATRIX_FILENAME}".')
         except Exception as e:
             DriverMatrix.__DRIVER_MATRIX = {}  # init empty dict to not try open file everytime, just when restarting app
-            # self.log.warning(f'Failed to load "{NV.__DRIVER_MATRIX_FILENAME}": {e}')
+            # self.log.warning(f'Failed to load "{DriverMatrix.__DRIVER_MATRIX_FILENAME}": {e}')
 
     @staticmethod
     def find(version: str) -> dict | None:
@@ -390,34 +130,3 @@ class DriverMatrix:
                         'is_latest': is_latest,
                     }
         return None
-
-
-class ProductMapping:
-
-    def __init__(self, filename: str):
-        with open(filename, 'r') as file:
-            self.data = json_loads(file.read())
-
-
-    def get_feature_name(self, product_name: str) -> (str, str):
-        product = self.__get_product(product_name)
-        product_fulfillment = self.__get_product_fulfillment(product.get('xid'))
-        feature = self.__get_product_fulfillment_feature(product_fulfillment.get('xid'))
-
-        return feature.get('feature_identifier')
-
-
-    def __get_product(self, product_name: str):
-        product_list = self.data.get('product')
-        return next(filter(lambda _: _.get('identifier') == product_name, product_list))
-
-
-    def __get_product_fulfillment(self, product_xid: str):
-        product_fulfillment_list = self.data.get('product_fulfillment')
-        return next(filter(lambda _: _.get('product_xid') == product_xid, product_fulfillment_list))
-
-    def __get_product_fulfillment_feature(self, product_fulfillment_xid: str):
-        feature_list = self.data.get('product_fulfillment_feature')
-        features = list(filter(lambda _: _.get('product_fulfillment_xid') == product_fulfillment_xid, feature_list))
-        features.sort(key=lambda _: _.get('evaluation_order_index'))
-        return features[0]

examples/docker-compose-http-and-https.yml

@@ -15,7 +15,7 @@ services:
       <<: *dls-variables
     volumes:
       - /etc/timezone:/etc/timezone:ro
-      - /opt/docker/fastapi-dls/cert:/app/cert
+      - /opt/docker/fastapi-dls/cert:/app/cert  # instance.private.pem, instance.public.pem
       - db:/app/database
     entrypoint: ["uvicorn", "main:app", "--host", "0.0.0.0", "--port", "8000", "--app-dir", "/app", "--proxy-headers"]
     healthcheck:

requirements.txt

@@ -1,8 +1,8 @@
-fastapi==0.115.14
+fastapi==0.115.12
-uvicorn[standard]==0.35.0
+uvicorn[standard]==0.34.1
-python-jose[cryptography]==3.5.0
+python-jose[cryptography]==3.4.0
-cryptography==45.0.5
+cryptography==44.0.2
 python-dateutil==2.9.0
-sqlalchemy==2.0.41
+sqlalchemy==2.0.40
-markdown==3.8.2
+markdown==3.8
-python-dotenv==1.1.1
+python-dotenv==1.1.0

test/main.py

@@ -1,16 +1,15 @@
-import json
 import sys
 from base64 import b64encode as b64enc
 from calendar import timegm
 from datetime import datetime, UTC
 from hashlib import sha256
+from os import getenv as env
 from uuid import uuid4, UUID
 
-from cryptography.hazmat.primitives.asymmetric.padding import PKCS1v15
-from cryptography.hazmat.primitives.hashes import SHA256
 from dateutil.relativedelta import relativedelta
-from jose import jwt, jwk, jws
+from jose import jwt
 from jose.constants import ALGORITHMS
+from sqlalchemy import create_engine
 from starlette.testclient import TestClient
 
 # add relative path to use packages as they were in the app/ dir
@@ -18,28 +17,23 @@ sys.path.append('../')
 sys.path.append('../app')
 
 from app import main
-from util import CASetup, PrivateKey, PublicKey, Cert
+from orm import init as db_init, migrate, Site, Instance
 
-client = TestClient(main.app)
 
-# Instance
-INSTANCE_REF = '10000000-0000-0000-0000-000000000001'
 ORIGIN_REF, ALLOTMENT_REF, SECRET = str(uuid4()), '20000000-0000-0000-0000-000000000001', 'HelloWorld'
 
-# CA & Signing
+# fastapi setup
-ca_setup = CASetup(service_instance_ref=INSTANCE_REF)
+client = TestClient(main.app)
-my_root_private_key = PrivateKey.from_file(ca_setup.root_private_key_filename)
-my_root_certificate = Cert.from_file(ca_setup.root_certificate_filename)
-my_ca_certificate = Cert.from_file(ca_setup.ca_certificate_filename)
-my_ca_private_key = PrivateKey.from_file(ca_setup.ca_private_key_filename)
-my_si_private_key = PrivateKey.from_file(ca_setup.si_private_key_filename)
-my_si_private_key_as_pem = my_si_private_key.pem()
-my_si_public_key = my_si_private_key.public_key()
-my_si_public_key_as_pem = my_si_private_key.public_key().pem()
-my_si_certificate = Cert.from_file(ca_setup.si_certificate_filename)
 
-jwt_encode_key = jwk.construct(my_si_private_key_as_pem, algorithm=ALGORITHMS.RS256)
+# database setup
-jwt_decode_key = jwk.construct(my_si_public_key_as_pem, algorithm=ALGORITHMS.RS256)
+db = create_engine(str(env('DATABASE', 'sqlite:///db.sqlite')))
+db_init(db), migrate(db)
+
+# test vars
+DEFAULT_SITE, DEFAULT_INSTANCE = Site.get_default_site(db), Instance.get_default_instance(db)
+
+SITE_KEY = DEFAULT_SITE.site_key
+jwt_encode_key, jwt_decode_key = DEFAULT_INSTANCE.get_jwt_encode_key(), DEFAULT_INSTANCE.get_jwt_decode_key()
 
 
 def __bearer_token(origin_ref: str) -> str:
@@ -48,46 +42,10 @@ def __bearer_token(origin_ref: str) -> str:
     return token
 
 
-def test_signing():
+def test_initial_default_site_and_instance():
-    signature_set_header = my_si_private_key.generate_signature(b'Hello')
+    default_site, default_instance = Site.get_default_site(db), Instance.get_default_instance(db)
-
+    assert default_site.site_key == Site.INITIAL_SITE_KEY_XID
-    # test plain
+    assert default_instance.instance_ref == Instance.DEFAULT_INSTANCE_REF
-    my_si_public_key.verify_signature(signature_set_header, b'Hello')
-
-    # test "X-NLS-Signature: b'....'
-    x_nls_signature_header_value = f'{signature_set_header.hex().encode()}'
-    assert f'{x_nls_signature_header_value}'.startswith('b\'')
-    assert f'{x_nls_signature_header_value}'.endswith('\'')
-
-    # test eval
-    signature_get_header = eval(x_nls_signature_header_value)
-    signature_get_header = bytes.fromhex(signature_get_header.decode('ascii'))
-    my_si_public_key.verify_signature(signature_get_header, b'Hello')
-
-
-def test_keypair_and_certificates():
-    assert my_root_certificate.public_key().mod() == my_root_private_key.public_key().mod()
-    assert my_ca_certificate.public_key().mod() == my_ca_private_key.public_key().mod()
-    assert my_si_certificate.public_key().mod() == my_si_public_key.mod()
-
-    assert len(my_root_certificate.public_key().mod()) == 1024
-    assert len(my_ca_certificate.public_key().mod()) == 1024
-    assert len(my_si_certificate.public_key().mod()) == 512
-
-    #assert my_si_certificate.public_key().mod() != my_si_public_key.mod()
-
-    my_root_certificate.public_key().raw().verify(
-        my_ca_certificate.raw().signature,
-        my_ca_certificate.raw().tbs_certificate_bytes,
-        PKCS1v15(),
-        SHA256(),
-    )
-    my_ca_certificate.public_key().raw().verify(
-        my_si_certificate.raw().signature,
-        my_si_certificate.raw().tbs_certificate_bytes,
-        PKCS1v15(),
-        SHA256(),
-    )
 
 
 def test_index():
@@ -106,12 +64,6 @@ def test_config():
     assert response.status_code == 200
 
 
-def test_config_root_ca():
-    response = client.get('/-/config/root-certificate')
-    assert response.status_code == 200
-    assert response.content.decode('utf-8').strip() == my_root_certificate.pem().decode('utf-8').strip()
-
-
 def test_readme():
     response = client.get('/-/readme')
     assert response.status_code == 200
@@ -127,41 +79,6 @@ def test_client_token():
     assert response.status_code == 200
 
 
-def test_config_token():
-    # https://git.collinwebdesigns.de/nvidia/nls/-/blob/main/src/test/test_config_token.py
-
-    response = client.post('/leasing/v1/config-token', json={"service_instance_ref": INSTANCE_REF})
-    assert response.status_code == 200
-
-    nv_response_certificate_configuration = response.json().get('certificateConfiguration')
-
-    nv_ca_chain = nv_response_certificate_configuration.get('caChain')[0].encode('utf-8')
-    nv_ca_chain = Cert(nv_ca_chain)
-
-    nv_response_public_cert = nv_response_certificate_configuration.get('publicCert').encode('utf-8')
-    nv_response_public_key = nv_response_certificate_configuration.get('publicKey')
-
-    nv_si_certificate = Cert(nv_response_public_cert)
-    assert nv_si_certificate.public_key().mod() == nv_response_public_key.get('mod')[0]
-    assert nv_si_certificate.authority_key_identifier() == nv_ca_chain.subject_key_identifier()
-
-    nv_jwt_decode_key = jwk.construct(nv_response_public_cert, algorithm=ALGORITHMS.RS256)
-
-    nv_response_config_token = response.json().get('configToken')
-
-    payload = jws.verify(nv_response_config_token, key=nv_jwt_decode_key, algorithms=ALGORITHMS.RS256)
-    payload = json.loads(payload)
-    assert payload.get('iss') == 'NLS Service Instance'
-    assert payload.get('aud') == 'NLS Licensed Client'
-    assert payload.get('service_instance_ref') == INSTANCE_REF
-
-    nv_si_public_key_configuration = payload.get('service_instance_public_key_configuration')
-    nv_si_public_key_me = nv_si_public_key_configuration.get('service_instance_public_key_me')
-
-    assert len(nv_si_public_key_me.get('mod')) == 512 # nv_si_public_key_mod
-    assert nv_si_public_key_me.get('exp') == 65537  # nv_si_public_key_exp
-
-
 def test_origins():
     pass
 
@@ -261,13 +178,12 @@ def test_auth_v1_token():
 
 def test_leasing_v1_lessor():
     payload = {
-        'client_challenge': 'my_unique_string',
         'fulfillment_context': {
             'fulfillment_class_ref_list': []
         },
         'lease_proposal_list': [{
             'license_type_qualifiers': {'count': 1},
-            'product': {'name': 'NVIDIA Virtual Applications'}
+            'product': {'name': 'NVIDIA RTX Virtual Workstation'}
         }],
         'proposal_evaluation_mode': 'ALL_OF',
         'scope_ref_list': [ALLOTMENT_REF]
@@ -276,21 +192,10 @@ def test_leasing_v1_lessor():
     response = client.post('/leasing/v1/lessor', json=payload, headers={'authorization': __bearer_token(ORIGIN_REF)})
     assert response.status_code == 200
 
-    client_challenge = response.json().get('client_challenge')
-    assert client_challenge == payload.get('client_challenge')
-    signature = eval(response.headers.get('X-NLS-Signature'))
-    assert len(signature) == 512
-    signature = bytes.fromhex(signature.decode('ascii'))
-    assert len(signature) == 256
-    my_si_public_key.verify_signature(signature, response.content)
-
     lease_result_list = response.json().get('lease_result_list')
     assert len(lease_result_list) == 1
     assert len(lease_result_list[0]['lease']['ref']) == 36
     assert str(UUID(lease_result_list[0]['lease']['ref'])) == lease_result_list[0]['lease']['ref']
-    assert lease_result_list[0]['lease']['product_name'] == 'NVIDIA Virtual Applications'
-    assert lease_result_list[0]['lease']['feature_name'] == 'GRID-Virtual-Apps'
-
 
 
 def test_leasing_v1_lessor_lease():
@@ -310,18 +215,9 @@ def test_leasing_v1_lease_renew():
 
     ###
 
-    payload = {'client_challenge': 'my_unique_string'}
+    response = client.put(f'/leasing/v1/lease/{active_lease_ref}', headers={'authorization': __bearer_token(ORIGIN_REF)})
-    response = client.put(f'/leasing/v1/lease/{active_lease_ref}', json=payload, headers={'authorization': __bearer_token(ORIGIN_REF)})
     assert response.status_code == 200
 
-    client_challenge = response.json().get('client_challenge')
-    assert client_challenge == payload.get('client_challenge')
-    signature = eval(response.headers.get('X-NLS-Signature'))
-    assert len(signature) == 512
-    signature = bytes.fromhex(signature.decode('ascii'))
-    assert len(signature) == 256
-    my_si_public_key.verify_signature(signature, response.content)
-
     lease_ref = response.json().get('lease_ref')
     assert len(lease_ref) == 36
     assert lease_ref == active_lease_ref
@@ -350,7 +246,7 @@ def test_leasing_v1_lessor_lease_remove():
         },
         'lease_proposal_list': [{
             'license_type_qualifiers': {'count': 1},
-            'product': {'name': 'NVIDIA Virtual Applications'}
+            'product': {'name': 'NVIDIA RTX Virtual Workstation'}
         }],
         'proposal_evaluation_mode': 'ALL_OF',
         'scope_ref_list': [ALLOTMENT_REF]