From 470084fe087ddd1c44825433466b17cfb1be7307 Mon Sep 17 00:00:00 2001 From: Oscar Krause Date: Sun, 9 Mar 2025 21:28:07 +0100 Subject: [PATCH 01/20] added endpoint '/leasing/v1/config-token' --- app/main.py | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/app/main.py b/app/main.py index f11ba5c..fd1a0ce 100644 --- a/app/main.py +++ b/app/main.py @@ -412,6 +412,16 @@ async def auth_v1_token(request: Request): return JSONr(response) +# NLS 3.4.0 - venv/lib/python3.12/site-packages/nls_services_lease/test/test_lease_single_controller.py +@app.post('/leasing/v1/config-token', description='request to get config token for lease operations') +async def leasing_v1_config_token(request: Request): + response = { + "service_instance_ref": INSTANCE_REF, + } + + return JSONr(response) + + # venv/lib/python3.9/site-packages/nls_services_lease/test/test_lease_multi_controller.py @app.post('/leasing/v1/lessor', description='request multiple leases (borrow) for current origin') async def leasing_v1_lessor(request: Request): From 025b718b7292fd8b06d82e825514eb77cbeea9e5 Mon Sep 17 00:00:00 2001 From: Oscar Krause Date: Sun, 9 Mar 2025 22:02:51 +0100 Subject: [PATCH 02/20] added debugging --- app/main.py | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/app/main.py b/app/main.py index fd1a0ce..22a6275 100644 --- a/app/main.py +++ b/app/main.py @@ -415,10 +415,17 @@ async def auth_v1_token(request: Request): # NLS 3.4.0 - venv/lib/python3.12/site-packages/nls_services_lease/test/test_lease_single_controller.py @app.post('/leasing/v1/config-token', description='request to get config token for lease operations') async def leasing_v1_config_token(request: Request): + j, cur_time = json_loads((await request.body()).decode('utf-8')), datetime.now(UTC) + + logging.debug('CALLED /leasing/v1/config-token') + logging.debug(j) + response = { "service_instance_ref": INSTANCE_REF, } + logging.debug(response) + return JSONr(response) From e927421fa6423132efbb8f86c82e91d0a6940b8c Mon Sep 17 00:00:00 2001 From: Oscar Krause Date: Sun, 9 Mar 2025 22:10:26 +0100 Subject: [PATCH 03/20] added logging --- test/main.py | 2 ++ 1 file changed, 2 insertions(+) diff --git a/test/main.py b/test/main.py index 653548f..cf1f5db 100644 --- a/test/main.py +++ b/test/main.py @@ -166,6 +166,8 @@ def test_auth_v1_token(): assert payload.get('origin_ref') == ORIGIN_REF +# todo: /leasing/v1/config-token + def test_leasing_v1_lessor(): payload = { 'fulfillment_context': { From 35df4e4d8470afe4bbb4655a8a93601b3982a4aa Mon Sep 17 00:00:00 2001 From: Oscar Krause Date: Mon, 10 Mar 2025 23:19:16 +0100 Subject: [PATCH 04/20] implemented initial endpoint for /leasing/v1/config-token --- app/main.py | 55 +++++++++++++++++++++++++++++++++++++++++++++++++---- 1 file changed, 51 insertions(+), 4 deletions(-) diff --git a/app/main.py b/app/main.py index 22a6275..c2c9f52 100644 --- a/app/main.py +++ b/app/main.py @@ -417,16 +417,63 @@ async def auth_v1_token(request: Request): async def leasing_v1_config_token(request: Request): j, cur_time = json_loads((await request.body()).decode('utf-8')), datetime.now(UTC) - logging.debug('CALLED /leasing/v1/config-token') - logging.debug(j) + logger.debug(f'CALLED /leasing/v1/config-token') + logger.debug(f'Headers: {request.headers}') + logger.debug(f'Request: {j}') + + cur_time = datetime.now(UTC) + exp_time = cur_time + CLIENT_TOKEN_EXPIRE_DELTA + + payload = { + "iss": "NLS Service Instance", + "aud": "NLS Licensed Client", + "iat": timegm(cur_time.timetuple()), + "nbf": timegm(cur_time.timetuple()), + "exp": timegm(exp_time.timetuple()), + "protocol_version": "2.0", + "d_name": "DLS", + "service_instance_ref": j.get('service_instance_ref'), + "service_instance_public_key_configuration": { + "service_instance_public_key_me": { + "mod": hex(INSTANCE_KEY_PUB.public_key().n)[2:], + "exp": int(INSTANCE_KEY_PUB.public_key().e), + }, + "service_instance_public_key_pem": INSTANCE_KEY_PUB.export_key().decode('utf-8'), + "key_retention_mode": "LATEST_ONLY" + }, + } + + config_token = jws.sign(payload, key=jwt_encode_key, headers=None, algorithm=ALGORITHMS.RS256) + + root_crt = load_file(join(dirname(__file__), 'cert\\root-ca.crt.pem')).decode('utf-8').replace('\n', '\r\n')[:-2] + intermediate_crt = load_file(join(dirname(__file__), 'cert\\intermediate.crt.pem')).decode('utf-8').replace('\n', '\r\n')[:-2] + public_crt = load_file(join(dirname(__file__), 'cert\\webserver.crt.pem')).decode('utf-8').replace('\n', '\r\n')[:-2] + #public_key = load_key(join(dirname(__file__), 'cert\\webserver.pub.pem')) response = { - "service_instance_ref": INSTANCE_REF, + "certificateConfiguration": { + #"caChain": [public_crt], + "caChain": [intermediate_crt], + #"caChain": ["-----BEGIN CERTIFICATE-----\r\nMIIF3TCCA8WgAwIBAgIUCpVszfecRrnPa3EGwPKuyWESBmMwDQYJKoZIhvcNAQELBQAwcjELMAkG\r\nA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExDzANBgNVBAoTBk52aWRpYTEnMCUGA1UECxMe\r\nTnZpZGlhIExpY2Vuc2luZyBTZXJ2aWNlIChOTFMpMRQwEgYDVQQDEwtOTFMgUm9vdCBDQTAeFw0y\r\nNDA5MjYwNzM4MTlaFw0zNDA5MjQwNzM4NDlaMHoxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxp\r\nZm9ybmlhMQ8wDQYDVQQKEwZOdmlkaWExJzAlBgNVBAsTHk52aWRpYSBMaWNlbnNpbmcgU2Vydmlj\r\nZSAoTkxTKTEcMBoGA1UEAxMTTkxTIEludGVybWVkaWF0ZSBDQTCCAiIwDQYJKoZIhvcNAQEBBQAD\r\nggIPADCCAgoCggIBAOIb5ZcYWR78WkJipEW4cOB2d3WkXhjzA9Omj0SBnA6fJad+zObguInmkgyB\r\nUC/0xMnHeEH1WQpZ0yZE1rdH0ziwPy07hmCgjMSC8iXSfV4QXoHzsQy80HSbD3dr0A5Fk9UrWdJu\r\nIlLnwqTfUjxMSqiVYbGI2JLVLDIPjnrCKgZ//vVTFWiMDQaGInDz5Qo3azHIt1Sw3u47/b88TzmK\r\ni3TMbjtAR3djlhQfJBY6nUdP8wWy2Fntx9fO7U723sp6cnGtHnbXGpon/QqxlPjT4RXXm1QmFQ/d\r\nyUmvmjoiJsCQ3v2KFJNei2bkUS29ZKPr4TGokojOilESQAQTLo+5s0cN7ZtPWvwZ4uets84GCRP5\r\ndC+aKoNQ7cg06A1tA3SxEL9r6D2LaTiheuWKFNiIJZzfmmbTPExsKt4Nzmv72wfG2i2+sY6l4f5x\r\nEFiKybn2EY1Hjpt0J3vL/goOOt/ejRtS5qKco3pu6zZBBWqB1qesA813AGgqbscht4y4m414rPmQ\r\naHA2PTe0JRDcradK75chFUOvLeIYD1Hy0XTxNxlhRA/5mFd2GkWZmtsW3D1iAV73VHAEvWDS0hXB\r\ng60B0y4d3fyYxI+pOTaZzsh0PAC2jUqDOhQ7dKELeYUKWsEDDMq9mg2bxqSNoQnQbITIsbu7IELu\r\nvmxIWT1omRptd5LrAgMBAAGjYzBhMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MB0G\r\nA1UdDgQWBBRKNST8UPeZYQgLZLEKMBGklaADHjAfBgNVHSMEGDAWgBRiEXE0RonjkPN+XBjnSQbo\r\nA8X3ajANBgkqhkiG9w0BAQsFAAOCAgEAEq5FaQWhTWt1hNfoz/BeDQ68O9PEGGveCPouElE8s/uG\r\nPHYSJpmg7dq5Qoxb5dpdq1mJX2rTgixJu/iC3uRUsirdH6wsVjjqz4YsoAz5VqjlkriFJpXlfOpp\r\nw18ex5C5p4x3TrlPCowMgf9h6VBR1iCq3VikVVguqSPP/zf9G3Qhitvqs0+m7KJnbwFA/bDLMET8\r\nTJS/r4XKQYisXfu95XrG2TTCaOwytqx+uepqwB74tFMznfdjzKyztqGwniKLrcZ3kOuM4cyo5ZT4\r\nOORCV6FWmbRq2OtttI4o85zsVNkY1JF8hvyvjygRiX5dQROza5EStkXvGO6532atFU43KNJvLanZ\r\nZTaxIJvZGWeKvrH+HTCANp11cgq5qcRRltQHb7KWweYNM4nyCjyBQm5vTm7g1uVI7llVm2Txx5dT\r\n5OtenaohmJIr6POeq8Y2Z+DJ8s3UpZoZCc3Vj5PQyNZiAx2ErN6XgrsmljG3w6+k2ooLpT9Sr1Ql\r\nKc8okN5SJGUOLuFI+h8jX1hHqpQejjNKy3UkTzjosYNq6Kk0h2Tl1i8iO+wY4Wb3GbL6GtP1rcjI\r\np/d9mxPNJONlp4a0koaMEpHTODT/xyVjU7FkUyKE9Uj1O/1lBEANYsFrQGfmuHAZTGf9J+cvkrz3\r\n56OFWPHcA7gxkpU8wftrVMLFeDvLIGc=\r\n-----END CERTIFICATE-----"], + "publicCert": public_crt, + #"publicCert": "-----BEGIN CERTIFICATE-----\r\nMIIE2zCCAsOgAwIBAgIUCX7sjz8B3HSAxRSPHAdNP/NCByEwDQYJKoZIhvcNAQELBQAwejELMAkG\r\nA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExDzANBgNVBAoTBk52aWRpYTEnMCUGA1UECxMe\r\nTnZpZGlhIExpY2Vuc2luZyBTZXJ2aWNlIChOTFMpMRwwGgYDVQQDExNOTFMgSW50ZXJtZWRpYXRl\r\nIENBMB4XDTI1MDMxMDA3NDA1NloXDTI4MDMwOTA3NDEyNlowLzEtMCsGA1UEAxMkYTE3ZTA3OWUt\r\nNmE3My00ZWJmLThkM2ItOGM4OTYxMWI5YTI3MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC\r\nAQEAuNfIEDxAbgpeeac1dDacwHBMEWNyr6bdWLcRRWrbXA1TUcsNpvmRN6ZgznDSG3JsGxaO5hhr\r\nI1UHwzTKwu/sAusYPPc354zW7i9aPS0izGoFKHDD2QgRQ/ECHzgoQirHWW6GecXlwoTDWBGtObWb\r\nVcPVcuxMMFIZ4Rt9Ru6S1qwdual7rdWG+Z7fWmBGMy9Xpn/+hmL1hRmqJRec7LVP7ejCQ5OtQp72\r\nKq8pm61WddEpw1Z148gXiflUlakjHbWmvAh5QTahkY2PBy7/1J+7Y6Ukj3aq7z/rrg4NaCJUvL7Q\r\nEr6qafujOLXsEMFFJxN5WIPm23Lvj8NQLJZO4zUtXwIDAQABo4GjMIGgMA4GA1UdDwEB/wQEAwID\r\nqDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwHQYDVR0OBBYEFPfOsX87tbYT3irva9Tl\r\nWtLhYGccMB8GA1UdIwQYMBaAFEo1JPxQ95lhCAtksQowEaSVoAMeMC8GA1UdEQQoMCaCJGExN2Uw\r\nNzllLTZhNzMtNGViZi04ZDNiLThjODk2MTFiOWEyNzANBgkqhkiG9w0BAQsFAAOCAgEAa0Z0E0NW\r\n0KgpAgLLJ+6nGXfMVfG8sauXz9AQmobvuRsOvQi2DpTbfjrP4uT7q33Qw1vyQl2jlxoI0G1Ul1TO\r\nBVM/XYhs/Qp8TXSFFngCNQspAmDPCjSqnoeH3h6yW1EEfQY3R1hKac/krzuJs+Y4G2y1WLNmQiqF\r\now9FG2+APimLtPBDHCydn0tkAKRbDa9i5izty0qtAr+tlrSV6AOnn0fagJ5JjrVkGgAaO1GXwpWB\r\nEAteRDfsCIIMtPujZU0BAIYuXvxaX5zYiCN3KadBzheDh5IVZcTyOkHIRDvFl10exhMjcDjvAAfV\r\nHUUBliGAaIFBrgXz0y3CVcRNP7xp3PW1F/HZVBcQgi+cnqQfIF6us8+u8xLG51VtFHAUxP3NzSgU\r\nI54sIJmmNP30o8RRevD3wclk26A9PB+9MFBm6KFZb4Ue55cFqeI85ICKPoCfsBzP4CYNoNX3fscA\r\nhrJgXxbAVB9NC6rpEmpniyo7FGEPyQV41nuwqf8Y7SwAzPspGo0orynjrbJyr+N/l5oA0OblsqLw\r\nb963k2ssDS/YIQ79KaP1TWXl1e9WI46mgyPWha3Zm9P5FS1MedORwANafh+4PVo3JfaruUvSqQK/\r\nEwIjAdhNNrs2xMgQkGffl8cQF3TDbXAAstRQySKvt1cj3lTbhD+vNiidbQaZSxLGzPI=\r\n-----END CERTIFICATE-----", + "publicKey": { + "exp": int(INSTANCE_KEY_PUB.public_key().e), + "mod": [hex(INSTANCE_KEY_PUB.public_key().n)[2:]], + }, + #"publicKey": { + # "exp": 65537, + # "mod": [ + # "b8d7c8103c406e0a5e79a73574369cc0704c116372afa6dd58b711456adb5c0d5351cb0da6f99137a660ce70d21b726c1b168ee6186b235507c334cac2efec02eb183cf737e78cd6ee2f5a3d2d22cc6a052870c3d9081143f1021f3828422ac7596e8679c5e5c284c35811ad39b59b55c3d572ec4c305219e11b7d46ee92d6ac1db9a97badd586f99edf5a6046332f57a67ffe8662f58519aa25179cecb54fede8c24393ad429ef62aaf299bad5675d129c35675e3c81789f95495a9231db5a6bc08794136a1918d8f072effd49fbb63a5248f76aaef3febae0e0d682254bcbed012beaa69fba338b5ec10c1452713795883e6db72ef8fc3502c964ee3352d5f" + # ], + #}, + }, + "configToken": config_token, } logging.debug(response) - return JSONr(response) + return JSONr(response, status_code=200) # venv/lib/python3.9/site-packages/nls_services_lease/test/test_lease_multi_controller.py From f6c618a7ef2dd7af6fef9c68aa210fe856ab1ada Mon Sep 17 00:00:00 2001 From: Oscar Krause Date: Thu, 10 Apr 2025 07:54:39 +0200 Subject: [PATCH 05/20] added NixOS Pull-Request note --- README.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/README.md b/README.md index f928f84..cd92a0e 100644 --- a/README.md +++ b/README.md @@ -402,6 +402,9 @@ Continue [here](#unraid-guest) for docker guest setup. Tanks to [@mrzenc](https://github.com/mrzenc) for [fastapi-dls-nixos](https://github.com/mrzenc/fastapi-dls-nixos). +> [!WARNING] +> There is a [pull request](https://github.com/NixOS/nixpkgs/pull/358647) which adds fastapi-dls into nixpkgs. + ## Let's Encrypt Certificate (optional) If you're using installation via docker, you can use `traefik`. Please refer to their documentation. From 603ef5135c5eee4230453250882d8c15fbbbdf81 Mon Sep 17 00:00:00 2001 From: Oscar Krause Date: Thu, 10 Apr 2025 08:48:45 +0200 Subject: [PATCH 06/20] added test and code for /leasing/v1/config-token ref. https://git.collinwebdesigns.de/nvidia/nls/-/blob/main/src/test/test_config_token.py --- app/main.py | 178 +++++++++++++++++++++++++++++++++++++++++++++------ test/main.py | 31 ++++++++- 2 files changed, 185 insertions(+), 24 deletions(-) diff --git a/app/main.py b/app/main.py index c2c9f52..b3d5247 100644 --- a/app/main.py +++ b/app/main.py @@ -421,6 +421,149 @@ async def leasing_v1_config_token(request: Request): logger.debug(f'Headers: {request.headers}') logger.debug(f'Request: {j}') + # todo: THIS IS A DEMO ONLY - THIS ENDPOINT GENERATES A NEW ROOT-CA EVERY TIME IT IS CALLED !!! + + ### + # + # https://git.collinwebdesigns.de/nvidia/nls/-/blob/main/src/test/test_config_token.py + # + ### + + from cryptography import x509 + from cryptography.hazmat._oid import NameOID + from cryptography.hazmat.primitives import serialization, hashes + from cryptography.hazmat.primitives.asymmetric.rsa import generate_private_key + from cryptography.hazmat.primitives.serialization import Encoding + + """ Create Root Key and Certificate """ + + # create root keypair + my_root_private_key = generate_private_key(public_exponent=65537, key_size=4096) + my_root_public_key = my_root_private_key.public_key() + + # create root-certificate subject + my_root_subject = x509.Name([ + x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'), + x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'California'), + x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'Nvidia'), + x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME, u'Nvidia Licensing Service (NLS)'), + x509.NameAttribute(NameOID.COMMON_NAME, u'NLS Root CA'), + ]) + + # create self-signed root-certificate + my_root_certificate = ( + x509.CertificateBuilder() + .subject_name(my_root_subject) + .issuer_name(my_root_subject) + .public_key(my_root_public_key) + .serial_number(x509.random_serial_number()) + .not_valid_before(datetime.now(tz=UTC) - timedelta(days=1)) + .not_valid_after(datetime.now(tz=UTC) + timedelta(days=365 * 10)) + .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True) + .add_extension(x509.SubjectKeyIdentifier.from_public_key(my_root_public_key), critical=False) + .sign(my_root_private_key, hashes.SHA256())) + + """ Create CA (Intermediate) Key and Certificate """ + + # create ca keypair + my_ca_private_key = generate_private_key(public_exponent=65537, key_size=4096) + my_ca_public_key = my_ca_private_key.public_key() + + # create ca-certificate subject + my_ca_subject = x509.Name([ + x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'), + x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'California'), + x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'Nvidia'), + x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME, u'Nvidia Licensing Service (NLS)'), + x509.NameAttribute(NameOID.COMMON_NAME, u'NLS Intermediate CA'), + ]) + + # create self-signed ca-certificate + my_ca_certificate = ( + x509.CertificateBuilder() + .subject_name(my_ca_subject) + .issuer_name(my_root_subject) + .public_key(my_ca_public_key) + .serial_number(x509.random_serial_number()) + .not_valid_before(datetime.now(tz=UTC) - timedelta(days=1)) + .not_valid_after(datetime.now(tz=UTC) + timedelta(days=365 * 10)) + .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True) + .add_extension(x509.KeyUsage(digital_signature=False, key_encipherment=False, key_cert_sign=True, + key_agreement=False, content_commitment=False, data_encipherment=False, + crl_sign=True, encipher_only=False, decipher_only=False), critical=True) + .add_extension(x509.SubjectKeyIdentifier.from_public_key(my_ca_public_key), critical=False) + # .add_extension(x509.AuthorityKeyIdentifier.from_issuer_public_key(my_root_public_key), critical=False) + .add_extension(x509.AuthorityKeyIdentifier.from_issuer_subject_key_identifier( + my_root_certificate.extensions.get_extension_for_class(x509.SubjectKeyIdentifier).value + ), critical=False) + .sign(my_root_private_key, hashes.SHA256())) + + # with open('caChain_my.pem', 'wb') as f: + # f.write(my_ca_certificate.public_bytes(encoding=Encoding.PEM)) + + """ Create Service-Instance Key and Certificate """ + + # create si keypair + my_si_private_key = generate_private_key(public_exponent=65537, key_size=2048) + my_si_public_key = my_si_private_key.public_key() + + my_si_private_key_as_pem = my_si_private_key.private_bytes( + encoding=serialization.Encoding.PEM, + format=serialization.PrivateFormat.TraditionalOpenSSL, + encryption_algorithm=serialization.NoEncryption(), + ) + my_si_public_key_as_pem = my_si_public_key.public_bytes( + encoding=serialization.Encoding.PEM, + format=serialization.PublicFormat.SubjectPublicKeyInfo, + ) + + # with open('instance.private.pem', 'wb') as f: + # f.write(my_si_private_key_as_pem) + + # with open('instance.public.pem', 'wb') as f: + # f.write(my_si_public_key_as_pem) + + # create si-certificate subject + my_si_subject = x509.Name([ + #x509.NameAttribute(NameOID.COMMON_NAME, INSTANCE_REF), + x509.NameAttribute(NameOID.COMMON_NAME, j.get('service_instance_ref')), + ]) + + # create self-signed si-certificate + my_si_certificate = ( + x509.CertificateBuilder() + .subject_name(my_si_subject) + .issuer_name(my_ca_subject) + .public_key(my_si_public_key) + .serial_number(x509.random_serial_number()) + .not_valid_before(datetime.now(tz=UTC) - timedelta(days=1)) + .not_valid_after(datetime.now(tz=UTC) + timedelta(days=365 * 10)) + .add_extension(x509.KeyUsage(digital_signature=True, key_encipherment=True, key_cert_sign=False, + key_agreement=True, content_commitment=False, data_encipherment=False, + crl_sign=False, encipher_only=False, decipher_only=False), critical=True) + .add_extension(x509.ExtendedKeyUsage([ + x509.oid.ExtendedKeyUsageOID.SERVER_AUTH, + x509.oid.ExtendedKeyUsageOID.CLIENT_AUTH] + ), critical=False) + .add_extension(x509.SubjectKeyIdentifier.from_public_key(my_si_public_key), critical=False) + # .add_extension(x509.AuthorityKeyIdentifier.from_issuer_public_key(my_ca_public_key), critical=False) + .add_extension(x509.AuthorityKeyIdentifier.from_issuer_subject_key_identifier( + my_ca_certificate.extensions.get_extension_for_class(x509.SubjectKeyIdentifier).value + ), critical=False) + .add_extension(x509.SubjectAlternativeName([ + #x509.DNSName(INSTANCE_REF) + x509.DNSName(j.get('service_instance_ref')) + ]), critical=False) + .sign(my_ca_private_key, hashes.SHA256())) + + my_si_public_key_exp = my_si_certificate.public_key().public_numbers().e + my_si_public_key_mod = f'{my_si_certificate.public_key().public_numbers().n:x}' # hex value without "0x" prefix + + # with open('cert_my.pem', 'wb') as f: + # f.write(my_si_certificate.public_bytes(encoding=Encoding.PEM)) + + """ build out payload """ + cur_time = datetime.now(UTC) exp_time = cur_time + CLIENT_TOKEN_EXPIRE_DELTA @@ -435,38 +578,31 @@ async def leasing_v1_config_token(request: Request): "service_instance_ref": j.get('service_instance_ref'), "service_instance_public_key_configuration": { "service_instance_public_key_me": { - "mod": hex(INSTANCE_KEY_PUB.public_key().n)[2:], - "exp": int(INSTANCE_KEY_PUB.public_key().e), + "mod": hex(my_si_public_key.public_numbers().n)[2:], + "exp": int(my_si_public_key.public_numbers().e), }, - "service_instance_public_key_pem": INSTANCE_KEY_PUB.export_key().decode('utf-8'), + # 64 chars per line (pem default) + "service_instance_public_key_pem": my_si_public_key_as_pem.decode('utf-8').strip(), "key_retention_mode": "LATEST_ONLY" }, } - config_token = jws.sign(payload, key=jwt_encode_key, headers=None, algorithm=ALGORITHMS.RS256) + my_jwt_encode_key = jwk.construct(my_si_private_key_as_pem.decode('utf-8'), algorithm=ALGORITHMS.RS256) + config_token = jws.sign(payload, key=my_jwt_encode_key, headers=None, algorithm=ALGORITHMS.RS256) - root_crt = load_file(join(dirname(__file__), 'cert\\root-ca.crt.pem')).decode('utf-8').replace('\n', '\r\n')[:-2] - intermediate_crt = load_file(join(dirname(__file__), 'cert\\intermediate.crt.pem')).decode('utf-8').replace('\n', '\r\n')[:-2] - public_crt = load_file(join(dirname(__file__), 'cert\\webserver.crt.pem')).decode('utf-8').replace('\n', '\r\n')[:-2] - #public_key = load_key(join(dirname(__file__), 'cert\\webserver.pub.pem')) + response_ca_chain = my_ca_certificate.public_bytes(encoding=Encoding.PEM).decode('utf-8') + response_si_certificate = my_si_certificate.public_bytes(encoding=Encoding.PEM).decode('utf-8') response = { "certificateConfiguration": { - #"caChain": [public_crt], - "caChain": [intermediate_crt], - #"caChain": ["-----BEGIN CERTIFICATE-----\r\nMIIF3TCCA8WgAwIBAgIUCpVszfecRrnPa3EGwPKuyWESBmMwDQYJKoZIhvcNAQELBQAwcjELMAkG\r\nA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExDzANBgNVBAoTBk52aWRpYTEnMCUGA1UECxMe\r\nTnZpZGlhIExpY2Vuc2luZyBTZXJ2aWNlIChOTFMpMRQwEgYDVQQDEwtOTFMgUm9vdCBDQTAeFw0y\r\nNDA5MjYwNzM4MTlaFw0zNDA5MjQwNzM4NDlaMHoxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxp\r\nZm9ybmlhMQ8wDQYDVQQKEwZOdmlkaWExJzAlBgNVBAsTHk52aWRpYSBMaWNlbnNpbmcgU2Vydmlj\r\nZSAoTkxTKTEcMBoGA1UEAxMTTkxTIEludGVybWVkaWF0ZSBDQTCCAiIwDQYJKoZIhvcNAQEBBQAD\r\nggIPADCCAgoCggIBAOIb5ZcYWR78WkJipEW4cOB2d3WkXhjzA9Omj0SBnA6fJad+zObguInmkgyB\r\nUC/0xMnHeEH1WQpZ0yZE1rdH0ziwPy07hmCgjMSC8iXSfV4QXoHzsQy80HSbD3dr0A5Fk9UrWdJu\r\nIlLnwqTfUjxMSqiVYbGI2JLVLDIPjnrCKgZ//vVTFWiMDQaGInDz5Qo3azHIt1Sw3u47/b88TzmK\r\ni3TMbjtAR3djlhQfJBY6nUdP8wWy2Fntx9fO7U723sp6cnGtHnbXGpon/QqxlPjT4RXXm1QmFQ/d\r\nyUmvmjoiJsCQ3v2KFJNei2bkUS29ZKPr4TGokojOilESQAQTLo+5s0cN7ZtPWvwZ4uets84GCRP5\r\ndC+aKoNQ7cg06A1tA3SxEL9r6D2LaTiheuWKFNiIJZzfmmbTPExsKt4Nzmv72wfG2i2+sY6l4f5x\r\nEFiKybn2EY1Hjpt0J3vL/goOOt/ejRtS5qKco3pu6zZBBWqB1qesA813AGgqbscht4y4m414rPmQ\r\naHA2PTe0JRDcradK75chFUOvLeIYD1Hy0XTxNxlhRA/5mFd2GkWZmtsW3D1iAV73VHAEvWDS0hXB\r\ng60B0y4d3fyYxI+pOTaZzsh0PAC2jUqDOhQ7dKELeYUKWsEDDMq9mg2bxqSNoQnQbITIsbu7IELu\r\nvmxIWT1omRptd5LrAgMBAAGjYzBhMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MB0G\r\nA1UdDgQWBBRKNST8UPeZYQgLZLEKMBGklaADHjAfBgNVHSMEGDAWgBRiEXE0RonjkPN+XBjnSQbo\r\nA8X3ajANBgkqhkiG9w0BAQsFAAOCAgEAEq5FaQWhTWt1hNfoz/BeDQ68O9PEGGveCPouElE8s/uG\r\nPHYSJpmg7dq5Qoxb5dpdq1mJX2rTgixJu/iC3uRUsirdH6wsVjjqz4YsoAz5VqjlkriFJpXlfOpp\r\nw18ex5C5p4x3TrlPCowMgf9h6VBR1iCq3VikVVguqSPP/zf9G3Qhitvqs0+m7KJnbwFA/bDLMET8\r\nTJS/r4XKQYisXfu95XrG2TTCaOwytqx+uepqwB74tFMznfdjzKyztqGwniKLrcZ3kOuM4cyo5ZT4\r\nOORCV6FWmbRq2OtttI4o85zsVNkY1JF8hvyvjygRiX5dQROza5EStkXvGO6532atFU43KNJvLanZ\r\nZTaxIJvZGWeKvrH+HTCANp11cgq5qcRRltQHb7KWweYNM4nyCjyBQm5vTm7g1uVI7llVm2Txx5dT\r\n5OtenaohmJIr6POeq8Y2Z+DJ8s3UpZoZCc3Vj5PQyNZiAx2ErN6XgrsmljG3w6+k2ooLpT9Sr1Ql\r\nKc8okN5SJGUOLuFI+h8jX1hHqpQejjNKy3UkTzjosYNq6Kk0h2Tl1i8iO+wY4Wb3GbL6GtP1rcjI\r\np/d9mxPNJONlp4a0koaMEpHTODT/xyVjU7FkUyKE9Uj1O/1lBEANYsFrQGfmuHAZTGf9J+cvkrz3\r\n56OFWPHcA7gxkpU8wftrVMLFeDvLIGc=\r\n-----END CERTIFICATE-----"], - "publicCert": public_crt, - #"publicCert": "-----BEGIN CERTIFICATE-----\r\nMIIE2zCCAsOgAwIBAgIUCX7sjz8B3HSAxRSPHAdNP/NCByEwDQYJKoZIhvcNAQELBQAwejELMAkG\r\nA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExDzANBgNVBAoTBk52aWRpYTEnMCUGA1UECxMe\r\nTnZpZGlhIExpY2Vuc2luZyBTZXJ2aWNlIChOTFMpMRwwGgYDVQQDExNOTFMgSW50ZXJtZWRpYXRl\r\nIENBMB4XDTI1MDMxMDA3NDA1NloXDTI4MDMwOTA3NDEyNlowLzEtMCsGA1UEAxMkYTE3ZTA3OWUt\r\nNmE3My00ZWJmLThkM2ItOGM4OTYxMWI5YTI3MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC\r\nAQEAuNfIEDxAbgpeeac1dDacwHBMEWNyr6bdWLcRRWrbXA1TUcsNpvmRN6ZgznDSG3JsGxaO5hhr\r\nI1UHwzTKwu/sAusYPPc354zW7i9aPS0izGoFKHDD2QgRQ/ECHzgoQirHWW6GecXlwoTDWBGtObWb\r\nVcPVcuxMMFIZ4Rt9Ru6S1qwdual7rdWG+Z7fWmBGMy9Xpn/+hmL1hRmqJRec7LVP7ejCQ5OtQp72\r\nKq8pm61WddEpw1Z148gXiflUlakjHbWmvAh5QTahkY2PBy7/1J+7Y6Ukj3aq7z/rrg4NaCJUvL7Q\r\nEr6qafujOLXsEMFFJxN5WIPm23Lvj8NQLJZO4zUtXwIDAQABo4GjMIGgMA4GA1UdDwEB/wQEAwID\r\nqDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwHQYDVR0OBBYEFPfOsX87tbYT3irva9Tl\r\nWtLhYGccMB8GA1UdIwQYMBaAFEo1JPxQ95lhCAtksQowEaSVoAMeMC8GA1UdEQQoMCaCJGExN2Uw\r\nNzllLTZhNzMtNGViZi04ZDNiLThjODk2MTFiOWEyNzANBgkqhkiG9w0BAQsFAAOCAgEAa0Z0E0NW\r\n0KgpAgLLJ+6nGXfMVfG8sauXz9AQmobvuRsOvQi2DpTbfjrP4uT7q33Qw1vyQl2jlxoI0G1Ul1TO\r\nBVM/XYhs/Qp8TXSFFngCNQspAmDPCjSqnoeH3h6yW1EEfQY3R1hKac/krzuJs+Y4G2y1WLNmQiqF\r\now9FG2+APimLtPBDHCydn0tkAKRbDa9i5izty0qtAr+tlrSV6AOnn0fagJ5JjrVkGgAaO1GXwpWB\r\nEAteRDfsCIIMtPujZU0BAIYuXvxaX5zYiCN3KadBzheDh5IVZcTyOkHIRDvFl10exhMjcDjvAAfV\r\nHUUBliGAaIFBrgXz0y3CVcRNP7xp3PW1F/HZVBcQgi+cnqQfIF6us8+u8xLG51VtFHAUxP3NzSgU\r\nI54sIJmmNP30o8RRevD3wclk26A9PB+9MFBm6KFZb4Ue55cFqeI85ICKPoCfsBzP4CYNoNX3fscA\r\nhrJgXxbAVB9NC6rpEmpniyo7FGEPyQV41nuwqf8Y7SwAzPspGo0orynjrbJyr+N/l5oA0OblsqLw\r\nb963k2ssDS/YIQ79KaP1TWXl1e9WI46mgyPWha3Zm9P5FS1MedORwANafh+4PVo3JfaruUvSqQK/\r\nEwIjAdhNNrs2xMgQkGffl8cQF3TDbXAAstRQySKvt1cj3lTbhD+vNiidbQaZSxLGzPI=\r\n-----END CERTIFICATE-----", + # 76 chars per line + "caChain": [response_ca_chain], + # 76 chars per line + "publicCert": response_si_certificate, "publicKey": { - "exp": int(INSTANCE_KEY_PUB.public_key().e), - "mod": [hex(INSTANCE_KEY_PUB.public_key().n)[2:]], + "exp": int(my_si_certificate.public_key().public_numbers().e), + "mod": [hex(my_si_certificate.public_key().public_numbers().n)[2:]], }, - #"publicKey": { - # "exp": 65537, - # "mod": [ - # "b8d7c8103c406e0a5e79a73574369cc0704c116372afa6dd58b711456adb5c0d5351cb0da6f99137a660ce70d21b726c1b168ee6186b235507c334cac2efec02eb183cf737e78cd6ee2f5a3d2d22cc6a052870c3d9081143f1021f3828422ac7596e8679c5e5c284c35811ad39b59b55c3d572ec4c305219e11b7d46ee92d6ac1db9a97badd586f99edf5a6046332f57a67ffe8662f58519aa25179cecb54fede8c24393ad429ef62aaf299bad5675d129c35675e3c81789f95495a9231db5a6bc08794136a1918d8f072effd49fbb63a5248f76aaef3febae0e0d682254bcbed012beaa69fba338b5ec10c1452713795883e6db72ef8fc3502c964ee3352d5f" - # ], - #}, }, "configToken": config_token, } diff --git a/test/main.py b/test/main.py index cf1f5db..014a86f 100644 --- a/test/main.py +++ b/test/main.py @@ -1,3 +1,4 @@ +import json import sys from base64 import b64encode as b64enc from calendar import timegm @@ -7,7 +8,7 @@ from os.path import dirname, join from uuid import uuid4, UUID from dateutil.relativedelta import relativedelta -from jose import jwt, jwk +from jose import jwt, jwk, jws from jose.constants import ALGORITHMS from starlette.testclient import TestClient @@ -20,6 +21,7 @@ from util import PrivateKey, PublicKey client = TestClient(main.app) +INSTANCE_REF = '10000000-0000-0000-0000-000000000001' ORIGIN_REF, ALLOTMENT_REF, SECRET = str(uuid4()), '20000000-0000-0000-0000-000000000001', 'HelloWorld' # INSTANCE_KEY_RSA = generate_key() @@ -69,6 +71,31 @@ def test_client_token(): assert response.status_code == 200 +def test_config_token(): # todo: /leasing/v1/config-token + # https://git.collinwebdesigns.de/nvidia/nls/-/blob/main/src/test/test_config_token.py + + response = client.post('/leasing/v1/config-token', json={"service_instance_ref": INSTANCE_REF}) + assert response.status_code == 200 + + nv_response_certificate_configuration = response.json().get('certificateConfiguration') + nv_response_public_cert = nv_response_certificate_configuration.get('publicCert').encode('utf-8') + nv_jwt_decode_key = jwk.construct(nv_response_public_cert, algorithm=ALGORITHMS.RS256) + + nv_response_config_token = response.json().get('configToken') + + payload = jws.verify(nv_response_config_token, key=nv_jwt_decode_key, algorithms=ALGORITHMS.RS256) + payload = json.loads(payload) + assert payload.get('iss') == 'NLS Service Instance' + assert payload.get('aud') == 'NLS Licensed Client' + assert payload.get('service_instance_ref') == INSTANCE_REF + + nv_si_public_key_configuration = payload.get('service_instance_public_key_configuration') + nv_si_public_key_me = nv_si_public_key_configuration.get('service_instance_public_key_me') + # assert nv_si_public_key_me.get('mod') == 1 #nv_si_public_key_mod + assert len(nv_si_public_key_me.get('mod')) == 512 + assert nv_si_public_key_me.get('exp') == 65537 # nv_si_public_key_exp + + def test_origins(): pass @@ -166,8 +193,6 @@ def test_auth_v1_token(): assert payload.get('origin_ref') == ORIGIN_REF -# todo: /leasing/v1/config-token - def test_leasing_v1_lessor(): payload = { 'fulfillment_context': { From 0c06397ad6236d6d418b3c58e28e7f4070ce05a0 Mon Sep 17 00:00:00 2001 From: Oscar Krause Date: Thu, 10 Apr 2025 09:00:58 +0200 Subject: [PATCH 07/20] typos --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index cd92a0e..25d3588 100644 --- a/README.md +++ b/README.md @@ -2,7 +2,7 @@ Minimal Delegated License Service (DLS). -> [!note] +> [!note] Compatibility > Compatibility tested with official NLS 2.0.1, 2.1.0, 3.1.0, 3.3.1, 3.4.0. For Driver compatibility > see [compatibility matrix](#vgpu-software-compatibility-matrix). @@ -402,7 +402,7 @@ Continue [here](#unraid-guest) for docker guest setup. Tanks to [@mrzenc](https://github.com/mrzenc) for [fastapi-dls-nixos](https://github.com/mrzenc/fastapi-dls-nixos). -> [!WARNING] +> [!note] Native NixOS-Package > There is a [pull request](https://github.com/NixOS/nixpkgs/pull/358647) which adds fastapi-dls into nixpkgs. ## Let's Encrypt Certificate (optional) From 7c6aea5da7f8b6a728ca483039c0b4076ae0ecfb Mon Sep 17 00:00:00 2001 From: Oscar Krause Date: Thu, 10 Apr 2025 21:38:25 +0200 Subject: [PATCH 08/20] created "init_config_token_demo" --- app/main.py | 288 ++++++++++++++++++++++++++++++---------------------- app/util.py | 24 +++++ 2 files changed, 190 insertions(+), 122 deletions(-) diff --git a/app/main.py b/app/main.py index b3d5247..17bff68 100644 --- a/app/main.py +++ b/app/main.py @@ -6,7 +6,7 @@ from datetime import datetime, timedelta, UTC from hashlib import sha256 from json import loads as json_loads from os import getenv as env -from os.path import join, dirname +from os.path import join, dirname, isfile from uuid import uuid4 from dateutil.relativedelta import relativedelta @@ -18,10 +18,11 @@ from jose.constants import ALGORITHMS from sqlalchemy import create_engine from sqlalchemy.orm import sessionmaker from starlette.middleware.cors import CORSMiddleware -from starlette.responses import StreamingResponse, JSONResponse as JSONr, HTMLResponse as HTMLr, Response, RedirectResponse +from starlette.responses import StreamingResponse, JSONResponse as JSONr, HTMLResponse as HTMLr, Response, \ + RedirectResponse from orm import Origin, Lease, init as db_init, migrate -from util import PrivateKey, PublicKey, load_file +from util import PrivateKey, PublicKey, load_file, Cert # Load variables load_dotenv('../version.env') @@ -421,7 +422,7 @@ async def leasing_v1_config_token(request: Request): logger.debug(f'Headers: {request.headers}') logger.debug(f'Request: {j}') - # todo: THIS IS A DEMO ONLY - THIS ENDPOINT GENERATES A NEW ROOT-CA EVERY TIME IT IS CALLED !!! + # todo: THIS IS A DEMO ONLY ### # @@ -429,138 +430,181 @@ async def leasing_v1_config_token(request: Request): # ### - from cryptography import x509 - from cryptography.hazmat._oid import NameOID - from cryptography.hazmat.primitives import serialization, hashes - from cryptography.hazmat.primitives.asymmetric.rsa import generate_private_key - from cryptography.hazmat.primitives.serialization import Encoding + root_private_key_filename = join(dirname(__file__), 'cert/my_demo_root_private_key.pem') + root_certificate_filename = join(dirname(__file__), 'cert/my_demo_root_certificate.pem') + ca_private_key_filename = join(dirname(__file__), 'cert/my_demo_ca_private_key.pem') + ca_certificate_filename = join(dirname(__file__), 'cert/my_demo_ca_certificate.pem') + si_private_key_filename = join(dirname(__file__), 'cert/my_demo_si_private_key.pem') + si_certificate_filename = join(dirname(__file__), 'cert/my_demo_si_certificate.pem') - """ Create Root Key and Certificate """ + def init_config_token_demo(): + from cryptography import x509 + from cryptography.hazmat._oid import NameOID + from cryptography.hazmat.primitives import serialization, hashes + from cryptography.hazmat.primitives.asymmetric.rsa import generate_private_key + from cryptography.hazmat.primitives.serialization import Encoding - # create root keypair - my_root_private_key = generate_private_key(public_exponent=65537, key_size=4096) - my_root_public_key = my_root_private_key.public_key() + """ Create Root Key and Certificate """ - # create root-certificate subject - my_root_subject = x509.Name([ - x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'), - x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'California'), - x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'Nvidia'), - x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME, u'Nvidia Licensing Service (NLS)'), - x509.NameAttribute(NameOID.COMMON_NAME, u'NLS Root CA'), - ]) + # create root keypair + my_root_private_key = generate_private_key(public_exponent=65537, key_size=4096) + my_root_public_key = my_root_private_key.public_key() - # create self-signed root-certificate - my_root_certificate = ( - x509.CertificateBuilder() - .subject_name(my_root_subject) - .issuer_name(my_root_subject) - .public_key(my_root_public_key) - .serial_number(x509.random_serial_number()) - .not_valid_before(datetime.now(tz=UTC) - timedelta(days=1)) - .not_valid_after(datetime.now(tz=UTC) + timedelta(days=365 * 10)) - .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True) - .add_extension(x509.SubjectKeyIdentifier.from_public_key(my_root_public_key), critical=False) - .sign(my_root_private_key, hashes.SHA256())) + # create root-certificate subject + my_root_subject = x509.Name([ + x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'), + x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'California'), + x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'Nvidia'), + x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME, u'Nvidia Licensing Service (NLS)'), + x509.NameAttribute(NameOID.COMMON_NAME, u'NLS Root CA'), + ]) - """ Create CA (Intermediate) Key and Certificate """ + # create self-signed root-certificate + my_root_certificate = ( + x509.CertificateBuilder() + .subject_name(my_root_subject) + .issuer_name(my_root_subject) + .public_key(my_root_public_key) + .serial_number(x509.random_serial_number()) + .not_valid_before(datetime.now(tz=UTC) - timedelta(days=1)) + .not_valid_after(datetime.now(tz=UTC) + timedelta(days=365 * 10)) + .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True) + .add_extension(x509.SubjectKeyIdentifier.from_public_key(my_root_public_key), critical=False) + .sign(my_root_private_key, hashes.SHA256())) - # create ca keypair - my_ca_private_key = generate_private_key(public_exponent=65537, key_size=4096) - my_ca_public_key = my_ca_private_key.public_key() + my_root_private_key_as_pem = my_root_private_key.private_bytes( + encoding=serialization.Encoding.PEM, + format=serialization.PrivateFormat.TraditionalOpenSSL, + encryption_algorithm=serialization.NoEncryption(), + ) - # create ca-certificate subject - my_ca_subject = x509.Name([ - x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'), - x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'California'), - x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'Nvidia'), - x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME, u'Nvidia Licensing Service (NLS)'), - x509.NameAttribute(NameOID.COMMON_NAME, u'NLS Intermediate CA'), - ]) + with open(root_private_key_filename, 'wb') as f: + f.write(my_root_private_key_as_pem) - # create self-signed ca-certificate - my_ca_certificate = ( - x509.CertificateBuilder() - .subject_name(my_ca_subject) - .issuer_name(my_root_subject) - .public_key(my_ca_public_key) - .serial_number(x509.random_serial_number()) - .not_valid_before(datetime.now(tz=UTC) - timedelta(days=1)) - .not_valid_after(datetime.now(tz=UTC) + timedelta(days=365 * 10)) - .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True) - .add_extension(x509.KeyUsage(digital_signature=False, key_encipherment=False, key_cert_sign=True, - key_agreement=False, content_commitment=False, data_encipherment=False, - crl_sign=True, encipher_only=False, decipher_only=False), critical=True) - .add_extension(x509.SubjectKeyIdentifier.from_public_key(my_ca_public_key), critical=False) - # .add_extension(x509.AuthorityKeyIdentifier.from_issuer_public_key(my_root_public_key), critical=False) - .add_extension(x509.AuthorityKeyIdentifier.from_issuer_subject_key_identifier( - my_root_certificate.extensions.get_extension_for_class(x509.SubjectKeyIdentifier).value - ), critical=False) - .sign(my_root_private_key, hashes.SHA256())) + with open(root_certificate_filename, 'wb') as f: + f.write(my_root_certificate.public_bytes(encoding=Encoding.PEM)) - # with open('caChain_my.pem', 'wb') as f: - # f.write(my_ca_certificate.public_bytes(encoding=Encoding.PEM)) + """ Create CA (Intermediate) Key and Certificate """ - """ Create Service-Instance Key and Certificate """ + # create ca keypair + my_ca_private_key = generate_private_key(public_exponent=65537, key_size=4096) + my_ca_public_key = my_ca_private_key.public_key() - # create si keypair - my_si_private_key = generate_private_key(public_exponent=65537, key_size=2048) - my_si_public_key = my_si_private_key.public_key() + # create ca-certificate subject + my_ca_subject = x509.Name([ + x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'), + x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'California'), + x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'Nvidia'), + x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME, u'Nvidia Licensing Service (NLS)'), + x509.NameAttribute(NameOID.COMMON_NAME, u'NLS Intermediate CA'), + ]) - my_si_private_key_as_pem = my_si_private_key.private_bytes( - encoding=serialization.Encoding.PEM, - format=serialization.PrivateFormat.TraditionalOpenSSL, - encryption_algorithm=serialization.NoEncryption(), - ) - my_si_public_key_as_pem = my_si_public_key.public_bytes( - encoding=serialization.Encoding.PEM, - format=serialization.PublicFormat.SubjectPublicKeyInfo, - ) + # create self-signed ca-certificate + my_ca_certificate = ( + x509.CertificateBuilder() + .subject_name(my_ca_subject) + .issuer_name(my_root_subject) + .public_key(my_ca_public_key) + .serial_number(x509.random_serial_number()) + .not_valid_before(datetime.now(tz=UTC) - timedelta(days=1)) + .not_valid_after(datetime.now(tz=UTC) + timedelta(days=365 * 10)) + .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True) + .add_extension(x509.KeyUsage(digital_signature=False, key_encipherment=False, key_cert_sign=True, + key_agreement=False, content_commitment=False, data_encipherment=False, + crl_sign=True, encipher_only=False, decipher_only=False), critical=True) + .add_extension(x509.SubjectKeyIdentifier.from_public_key(my_ca_public_key), critical=False) + # .add_extension(x509.AuthorityKeyIdentifier.from_issuer_public_key(my_root_public_key), critical=False) + .add_extension(x509.AuthorityKeyIdentifier.from_issuer_subject_key_identifier( + my_root_certificate.extensions.get_extension_for_class(x509.SubjectKeyIdentifier).value + ), critical=False) + .sign(my_root_private_key, hashes.SHA256())) - # with open('instance.private.pem', 'wb') as f: - # f.write(my_si_private_key_as_pem) + my_ca_private_key_as_pem = my_ca_private_key.private_bytes( + encoding=serialization.Encoding.PEM, + format=serialization.PrivateFormat.TraditionalOpenSSL, + encryption_algorithm=serialization.NoEncryption(), + ) - # with open('instance.public.pem', 'wb') as f: - # f.write(my_si_public_key_as_pem) + with open(ca_private_key_filename, 'wb') as f: + f.write(my_ca_private_key_as_pem) - # create si-certificate subject - my_si_subject = x509.Name([ - #x509.NameAttribute(NameOID.COMMON_NAME, INSTANCE_REF), - x509.NameAttribute(NameOID.COMMON_NAME, j.get('service_instance_ref')), - ]) + with open(ca_certificate_filename, 'wb') as f: + f.write(my_ca_certificate.public_bytes(encoding=Encoding.PEM)) - # create self-signed si-certificate - my_si_certificate = ( - x509.CertificateBuilder() - .subject_name(my_si_subject) - .issuer_name(my_ca_subject) - .public_key(my_si_public_key) - .serial_number(x509.random_serial_number()) - .not_valid_before(datetime.now(tz=UTC) - timedelta(days=1)) - .not_valid_after(datetime.now(tz=UTC) + timedelta(days=365 * 10)) - .add_extension(x509.KeyUsage(digital_signature=True, key_encipherment=True, key_cert_sign=False, - key_agreement=True, content_commitment=False, data_encipherment=False, - crl_sign=False, encipher_only=False, decipher_only=False), critical=True) - .add_extension(x509.ExtendedKeyUsage([ - x509.oid.ExtendedKeyUsageOID.SERVER_AUTH, - x509.oid.ExtendedKeyUsageOID.CLIENT_AUTH] - ), critical=False) - .add_extension(x509.SubjectKeyIdentifier.from_public_key(my_si_public_key), critical=False) - # .add_extension(x509.AuthorityKeyIdentifier.from_issuer_public_key(my_ca_public_key), critical=False) - .add_extension(x509.AuthorityKeyIdentifier.from_issuer_subject_key_identifier( - my_ca_certificate.extensions.get_extension_for_class(x509.SubjectKeyIdentifier).value - ), critical=False) - .add_extension(x509.SubjectAlternativeName([ - #x509.DNSName(INSTANCE_REF) - x509.DNSName(j.get('service_instance_ref')) - ]), critical=False) - .sign(my_ca_private_key, hashes.SHA256())) + """ Create Service-Instance Key and Certificate """ - my_si_public_key_exp = my_si_certificate.public_key().public_numbers().e - my_si_public_key_mod = f'{my_si_certificate.public_key().public_numbers().n:x}' # hex value without "0x" prefix + # create si keypair + my_si_private_key = generate_private_key(public_exponent=65537, key_size=2048) + my_si_public_key = my_si_private_key.public_key() - # with open('cert_my.pem', 'wb') as f: - # f.write(my_si_certificate.public_bytes(encoding=Encoding.PEM)) + my_si_private_key_as_pem = my_si_private_key.private_bytes( + encoding=serialization.Encoding.PEM, + format=serialization.PrivateFormat.TraditionalOpenSSL, + encryption_algorithm=serialization.NoEncryption(), + ) + my_si_public_key_as_pem = my_si_public_key.public_bytes( + encoding=serialization.Encoding.PEM, + format=serialization.PublicFormat.SubjectPublicKeyInfo, + ) + + with open(si_private_key_filename, 'wb') as f: + f.write(my_si_private_key_as_pem) + + # with open('instance.public.pem', 'wb') as f: + # f.write(my_si_public_key_as_pem) + + # create si-certificate subject + my_si_subject = x509.Name([ + # x509.NameAttribute(NameOID.COMMON_NAME, INSTANCE_REF), + x509.NameAttribute(NameOID.COMMON_NAME, j.get('service_instance_ref')), + ]) + + # create self-signed si-certificate + my_si_certificate = ( + x509.CertificateBuilder() + .subject_name(my_si_subject) + .issuer_name(my_ca_subject) + .public_key(my_si_public_key) + .serial_number(x509.random_serial_number()) + .not_valid_before(datetime.now(tz=UTC) - timedelta(days=1)) + .not_valid_after(datetime.now(tz=UTC) + timedelta(days=365 * 10)) + .add_extension(x509.KeyUsage(digital_signature=True, key_encipherment=True, key_cert_sign=False, + key_agreement=True, content_commitment=False, data_encipherment=False, + crl_sign=False, encipher_only=False, decipher_only=False), critical=True) + .add_extension(x509.ExtendedKeyUsage([ + x509.oid.ExtendedKeyUsageOID.SERVER_AUTH, + x509.oid.ExtendedKeyUsageOID.CLIENT_AUTH] + ), critical=False) + .add_extension(x509.SubjectKeyIdentifier.from_public_key(my_si_public_key), critical=False) + # .add_extension(x509.AuthorityKeyIdentifier.from_issuer_public_key(my_ca_public_key), critical=False) + .add_extension(x509.AuthorityKeyIdentifier.from_issuer_subject_key_identifier( + my_ca_certificate.extensions.get_extension_for_class(x509.SubjectKeyIdentifier).value + ), critical=False) + .add_extension(x509.SubjectAlternativeName([ + # x509.DNSName(INSTANCE_REF) + x509.DNSName(j.get('service_instance_ref')) + ]), critical=False) + .sign(my_ca_private_key, hashes.SHA256())) + + my_si_public_key_exp = my_si_certificate.public_key().public_numbers().e + my_si_public_key_mod = f'{my_si_certificate.public_key().public_numbers().n:x}' # hex value without "0x" prefix + + with open(si_certificate_filename, 'wb') as f: + f.write(my_si_certificate.public_bytes(encoding=Encoding.PEM)) + + if not (isfile(root_private_key_filename) + and isfile(ca_private_key_filename) + and isfile(ca_certificate_filename) + and isfile(si_private_key_filename) + and isfile(si_certificate_filename)): + init_config_token_demo() + + my_ca_certificate = Cert.from_file(ca_certificate_filename) + my_si_certificate = Cert.from_file(si_certificate_filename) + my_si_private_key = PrivateKey.from_file(si_private_key_filename) + my_si_private_key_as_pem = my_si_private_key.pem() + my_si_public_key = my_si_private_key.public_key().raw() + my_si_public_key_as_pem = my_si_private_key.public_key().pem() """ build out payload """ @@ -590,8 +634,8 @@ async def leasing_v1_config_token(request: Request): my_jwt_encode_key = jwk.construct(my_si_private_key_as_pem.decode('utf-8'), algorithm=ALGORITHMS.RS256) config_token = jws.sign(payload, key=my_jwt_encode_key, headers=None, algorithm=ALGORITHMS.RS256) - response_ca_chain = my_ca_certificate.public_bytes(encoding=Encoding.PEM).decode('utf-8') - response_si_certificate = my_si_certificate.public_bytes(encoding=Encoding.PEM).decode('utf-8') + response_ca_chain = my_ca_certificate.pem().decode('utf-8') + response_si_certificate = my_si_certificate.pem().decode('utf-8') response = { "certificateConfiguration": { @@ -600,8 +644,8 @@ async def leasing_v1_config_token(request: Request): # 76 chars per line "publicCert": response_si_certificate, "publicKey": { - "exp": int(my_si_certificate.public_key().public_numbers().e), - "mod": [hex(my_si_certificate.public_key().public_numbers().n)[2:]], + "exp": int(my_si_certificate.raw().public_key().public_numbers().e), + "mod": [hex(my_si_certificate.raw().public_key().public_numbers().n)[2:]], }, }, "configToken": config_token, diff --git a/app/util.py b/app/util.py index 1aae17b..14f20f2 100644 --- a/app/util.py +++ b/app/util.py @@ -3,6 +3,7 @@ import logging from cryptography.hazmat.primitives import serialization from cryptography.hazmat.primitives.asymmetric.rsa import RSAPrivateKey, RSAPublicKey, generate_private_key from cryptography.hazmat.primitives.serialization import load_pem_private_key, load_pem_public_key +from cryptography.x509 import load_pem_x509_certificate, Certificate logging.basicConfig() @@ -76,6 +77,29 @@ class PublicKey: format=serialization.PublicFormat.SubjectPublicKeyInfo ) + +class Cert: + + def __init__(self, data: bytes): + self.__cert = load_pem_x509_certificate(data) + + @staticmethod + def from_file(filename: str) -> "Cert": + log = logging.getLogger(__name__) + log.debug(f'Importing Certificate from "{filename}"') + + with open(filename, 'rb') as f: + data = f.read() + + return Cert(data=data.strip()) + + def raw(self) -> Certificate: + return self.__cert + + def pem(self) -> bytes: + return self.__cert.public_bytes(encoding=serialization.Encoding.PEM) + + def load_file(filename: str) -> bytes: log = logging.getLogger(f'{__name__}') log.debug(f'Loading contents of file "{filename}') From ff4748fef904292ce9ee742f99ce2d9e62ab8d45 Mon Sep 17 00:00:00 2001 From: Oscar Krause Date: Fri, 11 Apr 2025 18:51:17 +0200 Subject: [PATCH 09/20] updated new responses for 18.x drivers --- app/main.py | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/app/main.py b/app/main.py index 17bff68..ea32547 100644 --- a/app/main.py +++ b/app/main.py @@ -299,9 +299,14 @@ async def auth_v1_origin(request: Request): Origin.create_or_update(db, data) + environment = { + 'raw_env': j.get('environment') + } + environment.update(j.get('environment')) + response = { "origin_ref": origin_ref, - "environment": j.get('environment'), + "environment": environment, "svc_port_set_list": None, "node_url_list": None, "node_query_order": None, @@ -408,6 +413,7 @@ async def auth_v1_token(request: Request): "expires": access_expires_on.isoformat(), "auth_token": auth_token, "sync_timestamp": cur_time.isoformat(), + "prompts": None } return JSONr(response) @@ -679,6 +685,7 @@ async def leasing_v1_lessor(request: Request): expires = cur_time + LEASE_EXPIRE_DELTA lease_result_list.append({ "ordinal": 0, + "error": 0, # https://docs.nvidia.com/license-system/latest/nvidia-license-system-user-guide/index.html "lease": { "ref": lease_ref, @@ -687,6 +694,9 @@ async def leasing_v1_lessor(request: Request): "recommended_lease_renewal": LEASE_RENEWAL_PERIOD, "offline_lease": "true", "license_type": "CONCURRENT_COUNTED_SINGLE" + "license_type": "CONCURRENT_COUNTED_SINGLE", + "lease_intent_id": None, + "metadata": None, } }) @@ -694,6 +704,7 @@ async def leasing_v1_lessor(request: Request): Lease.create_or_update(db, data) response = { + "client_challenge": None, "lease_result_list": lease_result_list, "result_code": "SUCCESS", "sync_timestamp": cur_time.isoformat(), From d0e64c3e94a32b4515cfd75d29f657c14ffb9c54 Mon Sep 17 00:00:00 2001 From: Oscar Krause Date: Fri, 11 Apr 2025 18:51:33 +0200 Subject: [PATCH 10/20] added debugging --- app/main.py | 2 ++ 1 file changed, 2 insertions(+) diff --git a/app/main.py b/app/main.py index ea32547..a53f514 100644 --- a/app/main.py +++ b/app/main.py @@ -667,6 +667,8 @@ async def leasing_v1_config_token(request: Request): async def leasing_v1_lessor(request: Request): j, token, cur_time = json_loads((await request.body()).decode('utf-8')), __get_token(request), datetime.now(UTC) + logger.debug(j) + try: token = __get_token(request) except JWTError: From 6a50bdfb894e022c0a3f0b6979f89a20d93f5376 Mon Sep 17 00:00:00 2001 From: Oscar Krause Date: Fri, 11 Apr 2025 19:08:41 +0200 Subject: [PATCH 11/20] fixes --- app/main.py | 1 - 1 file changed, 1 deletion(-) diff --git a/app/main.py b/app/main.py index a53f514..3820c3a 100644 --- a/app/main.py +++ b/app/main.py @@ -695,7 +695,6 @@ async def leasing_v1_lessor(request: Request): "expires": expires.isoformat(), "recommended_lease_renewal": LEASE_RENEWAL_PERIOD, "offline_lease": "true", - "license_type": "CONCURRENT_COUNTED_SINGLE" "license_type": "CONCURRENT_COUNTED_SINGLE", "lease_intent_id": None, "metadata": None, From 3dcfa66d158e336128ff8d1cbcee845959e40d85 Mon Sep 17 00:00:00 2001 From: Oscar Krause Date: Fri, 11 Apr 2025 19:36:25 +0200 Subject: [PATCH 12/20] added missing lessor attributes --- app/main.py | 3 +++ 1 file changed, 3 insertions(+) diff --git a/app/main.py b/app/main.py index 3820c3a..4fe2c82 100644 --- a/app/main.py +++ b/app/main.py @@ -679,6 +679,7 @@ async def leasing_v1_lessor(request: Request): logger.info(f'> [ create ]: {origin_ref}: create leases for scope_ref_list {scope_ref_list}') lease_result_list = [] + # todo: for lease_proposal in lease_proposal_list for scope_ref in scope_ref_list: # if scope_ref not in [ALLOTMENT_REF]: # return JSONr(status_code=500, detail=f'no service instances found for scopes: ["{scope_ref}"]') @@ -698,6 +699,8 @@ async def leasing_v1_lessor(request: Request): "license_type": "CONCURRENT_COUNTED_SINGLE", "lease_intent_id": None, "metadata": None, + "feature_name": "GRID-Virtual-WS", # todo + "product_name": "NVIDIA RTX Virtual Workstation", # todo } }) From 3ed7ae8fdbd62f2d52cea264bc326d928eab4d8b Mon Sep 17 00:00:00 2001 From: Oscar Krause Date: Fri, 11 Apr 2025 20:14:17 +0200 Subject: [PATCH 13/20] fixed datetime format --- app/main.py | 31 ++++++++++++++++--------------- 1 file changed, 16 insertions(+), 15 deletions(-) diff --git a/app/main.py b/app/main.py index 4fe2c82..6fa1c9a 100644 --- a/app/main.py +++ b/app/main.py @@ -51,6 +51,7 @@ LEASE_RENEWAL_PERIOD = float(env('LEASE_RENEWAL_PERIOD', 0.15)) LEASE_RENEWAL_DELTA = timedelta(days=int(env('LEASE_EXPIRE_DAYS', 90)), hours=int(env('LEASE_EXPIRE_HOURS', 0))) CLIENT_TOKEN_EXPIRE_DELTA = relativedelta(years=12) CORS_ORIGINS = str(env('CORS_ORIGINS', '')).split(',') if (env('CORS_ORIGINS')) else [f'https://{DLS_URL}'] +DT_FORMAT = '%Y-%m-%dT%H:%M:%S.%fZ' jwt_encode_key = jwk.construct(INSTANCE_KEY_RSA.pem(), algorithm=ALGORITHMS.RS256) jwt_decode_key = jwk.construct(INSTANCE_KEY_PUB.pem(), algorithm=ALGORITHMS.RS256) @@ -311,7 +312,7 @@ async def auth_v1_origin(request: Request): "node_url_list": None, "node_query_order": None, "prompts": None, - "sync_timestamp": cur_time.isoformat() + "sync_timestamp": cur_time.strftime(DT_FORMAT) } return JSONr(response) @@ -337,7 +338,7 @@ async def auth_v1_origin_update(request: Request): response = { "environment": j.get('environment'), "prompts": None, - "sync_timestamp": cur_time.isoformat() + "sync_timestamp": cur_time.strftime(DT_FORMAT) } return JSONr(response) @@ -368,7 +369,7 @@ async def auth_v1_code(request: Request): response = { "auth_code": auth_code, - "sync_timestamp": cur_time.isoformat(), + "sync_timestamp": cur_time.strftime(DT_FORMAT), "prompts": None } @@ -410,9 +411,9 @@ async def auth_v1_token(request: Request): auth_token = jwt.encode(new_payload, key=jwt_encode_key, headers={'kid': payload.get('kid')}, algorithm=ALGORITHMS.RS256) response = { - "expires": access_expires_on.isoformat(), + "expires": access_expires_on.strftime(DT_FORMAT), "auth_token": auth_token, - "sync_timestamp": cur_time.isoformat(), + "sync_timestamp": cur_time.strftime(DT_FORMAT), "prompts": None } @@ -692,8 +693,8 @@ async def leasing_v1_lessor(request: Request): # https://docs.nvidia.com/license-system/latest/nvidia-license-system-user-guide/index.html "lease": { "ref": lease_ref, - "created": cur_time.isoformat(), - "expires": expires.isoformat(), + "created": cur_time.strftime(DT_FORMAT), + "expires": expires.strftime(DT_FORMAT), "recommended_lease_renewal": LEASE_RENEWAL_PERIOD, "offline_lease": "true", "license_type": "CONCURRENT_COUNTED_SINGLE", @@ -710,8 +711,8 @@ async def leasing_v1_lessor(request: Request): response = { "client_challenge": None, "lease_result_list": lease_result_list, - "result_code": "SUCCESS", - "sync_timestamp": cur_time.isoformat(), + "result_code": None, + "sync_timestamp": cur_time.strftime(DT_FORMAT), "prompts": None } @@ -731,7 +732,7 @@ async def leasing_v1_lessor_lease(request: Request): response = { "active_lease_list": active_lease_list, - "sync_timestamp": cur_time.isoformat(), + "sync_timestamp": cur_time.strftime(DT_FORMAT), "prompts": None } @@ -754,11 +755,11 @@ async def leasing_v1_lease_renew(request: Request, lease_ref: str): expires = cur_time + LEASE_EXPIRE_DELTA response = { "lease_ref": lease_ref, - "expires": expires.isoformat(), + "expires": expires.strftime(DT_FORMAT), "recommended_lease_renewal": LEASE_RENEWAL_PERIOD, "offline_lease": True, "prompts": None, - "sync_timestamp": cur_time.isoformat(), + "sync_timestamp": cur_time.strftime(DT_FORMAT), } Lease.renew(db, entity, expires, cur_time) @@ -786,7 +787,7 @@ async def leasing_v1_lease_delete(request: Request, lease_ref: str): response = { "lease_ref": lease_ref, "prompts": None, - "sync_timestamp": cur_time.isoformat(), + "sync_timestamp": cur_time.strftime(DT_FORMAT), } return JSONr(response) @@ -806,7 +807,7 @@ async def leasing_v1_lessor_lease_remove(request: Request): response = { "released_lease_list": released_lease_list, "release_failure_list": None, - "sync_timestamp": cur_time.isoformat(), + "sync_timestamp": cur_time.strftime(DT_FORMAT), "prompts": None } @@ -828,7 +829,7 @@ async def leasing_v1_lessor_shutdown(request: Request): response = { "released_lease_list": released_lease_list, "release_failure_list": None, - "sync_timestamp": cur_time.isoformat(), + "sync_timestamp": cur_time.strftime(DT_FORMAT), "prompts": None } From 7a3c8e20516cf64bca2a990e87d05a31863dd373 Mon Sep 17 00:00:00 2001 From: Oscar Krause Date: Fri, 11 Apr 2025 20:35:10 +0200 Subject: [PATCH 14/20] also debug response --- app/main.py | 2 ++ 1 file changed, 2 insertions(+) diff --git a/app/main.py b/app/main.py index 6fa1c9a..ffb4513 100644 --- a/app/main.py +++ b/app/main.py @@ -716,6 +716,8 @@ async def leasing_v1_lessor(request: Request): "prompts": None } + logger.debug(response) + return JSONr(response) From d46690fd0e9ec00a5e8eddda851c089d118bc503 Mon Sep 17 00:00:00 2001 From: Oscar Krause Date: Fri, 11 Apr 2025 20:38:58 +0200 Subject: [PATCH 15/20] fixes --- app/main.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/app/main.py b/app/main.py index ffb4513..2f9fc95 100644 --- a/app/main.py +++ b/app/main.py @@ -688,8 +688,8 @@ async def leasing_v1_lessor(request: Request): lease_ref = str(uuid4()) expires = cur_time + LEASE_EXPIRE_DELTA lease_result_list.append({ - "ordinal": 0, - "error": 0, + "ordinal": None, + "error": None, # https://docs.nvidia.com/license-system/latest/nvidia-license-system-user-guide/index.html "lease": { "ref": lease_ref, From 39bf74fba9dda908b3935ee71e20ab9fd0c68ce4 Mon Sep 17 00:00:00 2001 From: Oscar Krause Date: Fri, 11 Apr 2025 21:01:36 +0200 Subject: [PATCH 16/20] added new "protocol_version" to client-token --- app/main.py | 1 + 1 file changed, 1 insertion(+) diff --git a/app/main.py b/app/main.py index 2f9fc95..7e08bf3 100644 --- a/app/main.py +++ b/app/main.py @@ -250,6 +250,7 @@ async def _client_token(): "iat": timegm(cur_time.timetuple()), "nbf": timegm(cur_time.timetuple()), "exp": timegm(exp_time.timetuple()), + "protocol_version": "2.0", "update_mode": "ABSOLUTE", "scope_ref_list": [ALLOTMENT_REF], "fulfillment_class_ref_list": [], From bd02e3d4b89c8998175772c2c6b26d3a4cf00ece Mon Sep 17 00:00:00 2001 From: Oscar Krause Date: Fri, 11 Apr 2025 21:22:44 +0200 Subject: [PATCH 17/20] code styling --- app/main.py | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/app/main.py b/app/main.py index 7e08bf3..297e940 100644 --- a/app/main.py +++ b/app/main.py @@ -18,8 +18,7 @@ from jose.constants import ALGORITHMS from sqlalchemy import create_engine from sqlalchemy.orm import sessionmaker from starlette.middleware.cors import CORSMiddleware -from starlette.responses import StreamingResponse, JSONResponse as JSONr, HTMLResponse as HTMLr, Response, \ - RedirectResponse +from starlette.responses import StreamingResponse, JSONResponse as JSONr, HTMLResponse as HTMLr, Response, RedirectResponse from orm import Origin, Lease, init as db_init, migrate from util import PrivateKey, PublicKey, load_file, Cert From b6639f9bfb3cbdcbe7b413c103efe6ab985b1102 Mon Sep 17 00:00:00 2001 From: Oscar Krause Date: Fri, 11 Apr 2025 21:22:56 +0200 Subject: [PATCH 18/20] added debug headers --- app/main.py | 1 + 1 file changed, 1 insertion(+) diff --git a/app/main.py b/app/main.py index 297e940..c672b09 100644 --- a/app/main.py +++ b/app/main.py @@ -669,6 +669,7 @@ async def leasing_v1_lessor(request: Request): j, token, cur_time = json_loads((await request.body()).decode('utf-8')), __get_token(request), datetime.now(UTC) logger.debug(j) + logger.debug(request.headers) try: token = __get_token(request) From f20232d425943a475445bd989aec0029e5b580ab Mon Sep 17 00:00:00 2001 From: Oscar Krause Date: Fri, 11 Apr 2025 21:23:15 +0200 Subject: [PATCH 19/20] added EMPTY (!!!) X-NLS-Signature response header --- app/main.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/app/main.py b/app/main.py index c672b09..5f606f9 100644 --- a/app/main.py +++ b/app/main.py @@ -719,7 +719,7 @@ async def leasing_v1_lessor(request: Request): logger.debug(response) - return JSONr(response) + return JSONr(response, headers={'X-NLS-Signature': '?'}) # venv/lib/python3.9/site-packages/nls_services_lease/test/test_lease_multi_controller.py From a7553716de01b4a2d66c9dc37c9ac92dd9edd4f0 Mon Sep 17 00:00:00 2001 From: Oscar Krause Date: Fri, 11 Apr 2025 22:22:22 +0200 Subject: [PATCH 20/20] set "offline_lease" to false --- app/main.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/app/main.py b/app/main.py index 5f606f9..60f56a2 100644 --- a/app/main.py +++ b/app/main.py @@ -697,7 +697,7 @@ async def leasing_v1_lessor(request: Request): "created": cur_time.strftime(DT_FORMAT), "expires": expires.strftime(DT_FORMAT), "recommended_lease_renewal": LEASE_RENEWAL_PERIOD, - "offline_lease": "true", + "offline_lease": "false", # todo "license_type": "CONCURRENT_COUNTED_SINGLE", "lease_intent_id": None, "metadata": None,