From 61c9e472377a1995b94e35fc73c4687cef7d080d Mon Sep 17 00:00:00 2001 From: Oscar Krause Date: Sun, 9 Mar 2025 21:28:07 +0100 Subject: [PATCH 01/69] added endpoint '/leasing/v1/config-token' --- app/main.py | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/app/main.py b/app/main.py index f11ba5c..fd1a0ce 100644 --- a/app/main.py +++ b/app/main.py @@ -412,6 +412,16 @@ async def auth_v1_token(request: Request): return JSONr(response) +# NLS 3.4.0 - venv/lib/python3.12/site-packages/nls_services_lease/test/test_lease_single_controller.py +@app.post('/leasing/v1/config-token', description='request to get config token for lease operations') +async def leasing_v1_config_token(request: Request): + response = { + "service_instance_ref": INSTANCE_REF, + } + + return JSONr(response) + + # venv/lib/python3.9/site-packages/nls_services_lease/test/test_lease_multi_controller.py @app.post('/leasing/v1/lessor', description='request multiple leases (borrow) for current origin') async def leasing_v1_lessor(request: Request): From d71b66d1928c15051ca3d1563cdb91985a378d5f Mon Sep 17 00:00:00 2001 From: Oscar Krause Date: Sun, 9 Mar 2025 22:02:51 +0100 Subject: [PATCH 02/69] added debugging --- app/main.py | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/app/main.py b/app/main.py index fd1a0ce..22a6275 100644 --- a/app/main.py +++ b/app/main.py @@ -415,10 +415,17 @@ async def auth_v1_token(request: Request): # NLS 3.4.0 - venv/lib/python3.12/site-packages/nls_services_lease/test/test_lease_single_controller.py @app.post('/leasing/v1/config-token', description='request to get config token for lease operations') async def leasing_v1_config_token(request: Request): + j, cur_time = json_loads((await request.body()).decode('utf-8')), datetime.now(UTC) + + logging.debug('CALLED /leasing/v1/config-token') + logging.debug(j) + response = { "service_instance_ref": INSTANCE_REF, } + logging.debug(response) + return JSONr(response) From e438de62816871e1244f99e388731fb5abde1ac6 Mon Sep 17 00:00:00 2001 From: Oscar Krause Date: Sun, 9 Mar 2025 22:10:26 +0100 Subject: [PATCH 03/69] added logging --- test/main.py | 2 ++ 1 file changed, 2 insertions(+) diff --git a/test/main.py b/test/main.py index 653548f..cf1f5db 100644 --- a/test/main.py +++ b/test/main.py @@ -166,6 +166,8 @@ def test_auth_v1_token(): assert payload.get('origin_ref') == ORIGIN_REF +# todo: /leasing/v1/config-token + def test_leasing_v1_lessor(): payload = { 'fulfillment_context': { From 88fbd0861032c67470a6cb01452cfaeea34bef80 Mon Sep 17 00:00:00 2001 From: Oscar Krause Date: Mon, 10 Mar 2025 23:19:16 +0100 Subject: [PATCH 04/69] implemented initial endpoint for /leasing/v1/config-token --- app/main.py | 55 +++++++++++++++++++++++++++++++++++++++++++++++++---- 1 file changed, 51 insertions(+), 4 deletions(-) diff --git a/app/main.py b/app/main.py index 22a6275..c2c9f52 100644 --- a/app/main.py +++ b/app/main.py @@ -417,16 +417,63 @@ async def auth_v1_token(request: Request): async def leasing_v1_config_token(request: Request): j, cur_time = json_loads((await request.body()).decode('utf-8')), datetime.now(UTC) - logging.debug('CALLED /leasing/v1/config-token') - logging.debug(j) + logger.debug(f'CALLED /leasing/v1/config-token') + logger.debug(f'Headers: {request.headers}') + logger.debug(f'Request: {j}') + + cur_time = datetime.now(UTC) + exp_time = cur_time + CLIENT_TOKEN_EXPIRE_DELTA + + payload = { + "iss": "NLS Service Instance", + "aud": "NLS Licensed Client", + "iat": timegm(cur_time.timetuple()), + "nbf": timegm(cur_time.timetuple()), + "exp": timegm(exp_time.timetuple()), + "protocol_version": "2.0", + "d_name": "DLS", + "service_instance_ref": j.get('service_instance_ref'), + "service_instance_public_key_configuration": { + "service_instance_public_key_me": { + "mod": hex(INSTANCE_KEY_PUB.public_key().n)[2:], + "exp": int(INSTANCE_KEY_PUB.public_key().e), + }, + "service_instance_public_key_pem": INSTANCE_KEY_PUB.export_key().decode('utf-8'), + "key_retention_mode": "LATEST_ONLY" + }, + } + + config_token = jws.sign(payload, key=jwt_encode_key, headers=None, algorithm=ALGORITHMS.RS256) + + root_crt = load_file(join(dirname(__file__), 'cert\\root-ca.crt.pem')).decode('utf-8').replace('\n', '\r\n')[:-2] + intermediate_crt = load_file(join(dirname(__file__), 'cert\\intermediate.crt.pem')).decode('utf-8').replace('\n', '\r\n')[:-2] + public_crt = load_file(join(dirname(__file__), 'cert\\webserver.crt.pem')).decode('utf-8').replace('\n', '\r\n')[:-2] + #public_key = load_key(join(dirname(__file__), 'cert\\webserver.pub.pem')) response = { - "service_instance_ref": INSTANCE_REF, + "certificateConfiguration": { + #"caChain": [public_crt], + "caChain": [intermediate_crt], + #"caChain": ["-----BEGIN CERTIFICATE-----\r\nMIIF3TCCA8WgAwIBAgIUCpVszfecRrnPa3EGwPKuyWESBmMwDQYJKoZIhvcNAQELBQAwcjELMAkG\r\nA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExDzANBgNVBAoTBk52aWRpYTEnMCUGA1UECxMe\r\nTnZpZGlhIExpY2Vuc2luZyBTZXJ2aWNlIChOTFMpMRQwEgYDVQQDEwtOTFMgUm9vdCBDQTAeFw0y\r\nNDA5MjYwNzM4MTlaFw0zNDA5MjQwNzM4NDlaMHoxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxp\r\nZm9ybmlhMQ8wDQYDVQQKEwZOdmlkaWExJzAlBgNVBAsTHk52aWRpYSBMaWNlbnNpbmcgU2Vydmlj\r\nZSAoTkxTKTEcMBoGA1UEAxMTTkxTIEludGVybWVkaWF0ZSBDQTCCAiIwDQYJKoZIhvcNAQEBBQAD\r\nggIPADCCAgoCggIBAOIb5ZcYWR78WkJipEW4cOB2d3WkXhjzA9Omj0SBnA6fJad+zObguInmkgyB\r\nUC/0xMnHeEH1WQpZ0yZE1rdH0ziwPy07hmCgjMSC8iXSfV4QXoHzsQy80HSbD3dr0A5Fk9UrWdJu\r\nIlLnwqTfUjxMSqiVYbGI2JLVLDIPjnrCKgZ//vVTFWiMDQaGInDz5Qo3azHIt1Sw3u47/b88TzmK\r\ni3TMbjtAR3djlhQfJBY6nUdP8wWy2Fntx9fO7U723sp6cnGtHnbXGpon/QqxlPjT4RXXm1QmFQ/d\r\nyUmvmjoiJsCQ3v2KFJNei2bkUS29ZKPr4TGokojOilESQAQTLo+5s0cN7ZtPWvwZ4uets84GCRP5\r\ndC+aKoNQ7cg06A1tA3SxEL9r6D2LaTiheuWKFNiIJZzfmmbTPExsKt4Nzmv72wfG2i2+sY6l4f5x\r\nEFiKybn2EY1Hjpt0J3vL/goOOt/ejRtS5qKco3pu6zZBBWqB1qesA813AGgqbscht4y4m414rPmQ\r\naHA2PTe0JRDcradK75chFUOvLeIYD1Hy0XTxNxlhRA/5mFd2GkWZmtsW3D1iAV73VHAEvWDS0hXB\r\ng60B0y4d3fyYxI+pOTaZzsh0PAC2jUqDOhQ7dKELeYUKWsEDDMq9mg2bxqSNoQnQbITIsbu7IELu\r\nvmxIWT1omRptd5LrAgMBAAGjYzBhMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MB0G\r\nA1UdDgQWBBRKNST8UPeZYQgLZLEKMBGklaADHjAfBgNVHSMEGDAWgBRiEXE0RonjkPN+XBjnSQbo\r\nA8X3ajANBgkqhkiG9w0BAQsFAAOCAgEAEq5FaQWhTWt1hNfoz/BeDQ68O9PEGGveCPouElE8s/uG\r\nPHYSJpmg7dq5Qoxb5dpdq1mJX2rTgixJu/iC3uRUsirdH6wsVjjqz4YsoAz5VqjlkriFJpXlfOpp\r\nw18ex5C5p4x3TrlPCowMgf9h6VBR1iCq3VikVVguqSPP/zf9G3Qhitvqs0+m7KJnbwFA/bDLMET8\r\nTJS/r4XKQYisXfu95XrG2TTCaOwytqx+uepqwB74tFMznfdjzKyztqGwniKLrcZ3kOuM4cyo5ZT4\r\nOORCV6FWmbRq2OtttI4o85zsVNkY1JF8hvyvjygRiX5dQROza5EStkXvGO6532atFU43KNJvLanZ\r\nZTaxIJvZGWeKvrH+HTCANp11cgq5qcRRltQHb7KWweYNM4nyCjyBQm5vTm7g1uVI7llVm2Txx5dT\r\n5OtenaohmJIr6POeq8Y2Z+DJ8s3UpZoZCc3Vj5PQyNZiAx2ErN6XgrsmljG3w6+k2ooLpT9Sr1Ql\r\nKc8okN5SJGUOLuFI+h8jX1hHqpQejjNKy3UkTzjosYNq6Kk0h2Tl1i8iO+wY4Wb3GbL6GtP1rcjI\r\np/d9mxPNJONlp4a0koaMEpHTODT/xyVjU7FkUyKE9Uj1O/1lBEANYsFrQGfmuHAZTGf9J+cvkrz3\r\n56OFWPHcA7gxkpU8wftrVMLFeDvLIGc=\r\n-----END CERTIFICATE-----"], + "publicCert": public_crt, + #"publicCert": "-----BEGIN CERTIFICATE-----\r\nMIIE2zCCAsOgAwIBAgIUCX7sjz8B3HSAxRSPHAdNP/NCByEwDQYJKoZIhvcNAQELBQAwejELMAkG\r\nA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExDzANBgNVBAoTBk52aWRpYTEnMCUGA1UECxMe\r\nTnZpZGlhIExpY2Vuc2luZyBTZXJ2aWNlIChOTFMpMRwwGgYDVQQDExNOTFMgSW50ZXJtZWRpYXRl\r\nIENBMB4XDTI1MDMxMDA3NDA1NloXDTI4MDMwOTA3NDEyNlowLzEtMCsGA1UEAxMkYTE3ZTA3OWUt\r\nNmE3My00ZWJmLThkM2ItOGM4OTYxMWI5YTI3MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC\r\nAQEAuNfIEDxAbgpeeac1dDacwHBMEWNyr6bdWLcRRWrbXA1TUcsNpvmRN6ZgznDSG3JsGxaO5hhr\r\nI1UHwzTKwu/sAusYPPc354zW7i9aPS0izGoFKHDD2QgRQ/ECHzgoQirHWW6GecXlwoTDWBGtObWb\r\nVcPVcuxMMFIZ4Rt9Ru6S1qwdual7rdWG+Z7fWmBGMy9Xpn/+hmL1hRmqJRec7LVP7ejCQ5OtQp72\r\nKq8pm61WddEpw1Z148gXiflUlakjHbWmvAh5QTahkY2PBy7/1J+7Y6Ukj3aq7z/rrg4NaCJUvL7Q\r\nEr6qafujOLXsEMFFJxN5WIPm23Lvj8NQLJZO4zUtXwIDAQABo4GjMIGgMA4GA1UdDwEB/wQEAwID\r\nqDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwHQYDVR0OBBYEFPfOsX87tbYT3irva9Tl\r\nWtLhYGccMB8GA1UdIwQYMBaAFEo1JPxQ95lhCAtksQowEaSVoAMeMC8GA1UdEQQoMCaCJGExN2Uw\r\nNzllLTZhNzMtNGViZi04ZDNiLThjODk2MTFiOWEyNzANBgkqhkiG9w0BAQsFAAOCAgEAa0Z0E0NW\r\n0KgpAgLLJ+6nGXfMVfG8sauXz9AQmobvuRsOvQi2DpTbfjrP4uT7q33Qw1vyQl2jlxoI0G1Ul1TO\r\nBVM/XYhs/Qp8TXSFFngCNQspAmDPCjSqnoeH3h6yW1EEfQY3R1hKac/krzuJs+Y4G2y1WLNmQiqF\r\now9FG2+APimLtPBDHCydn0tkAKRbDa9i5izty0qtAr+tlrSV6AOnn0fagJ5JjrVkGgAaO1GXwpWB\r\nEAteRDfsCIIMtPujZU0BAIYuXvxaX5zYiCN3KadBzheDh5IVZcTyOkHIRDvFl10exhMjcDjvAAfV\r\nHUUBliGAaIFBrgXz0y3CVcRNP7xp3PW1F/HZVBcQgi+cnqQfIF6us8+u8xLG51VtFHAUxP3NzSgU\r\nI54sIJmmNP30o8RRevD3wclk26A9PB+9MFBm6KFZb4Ue55cFqeI85ICKPoCfsBzP4CYNoNX3fscA\r\nhrJgXxbAVB9NC6rpEmpniyo7FGEPyQV41nuwqf8Y7SwAzPspGo0orynjrbJyr+N/l5oA0OblsqLw\r\nb963k2ssDS/YIQ79KaP1TWXl1e9WI46mgyPWha3Zm9P5FS1MedORwANafh+4PVo3JfaruUvSqQK/\r\nEwIjAdhNNrs2xMgQkGffl8cQF3TDbXAAstRQySKvt1cj3lTbhD+vNiidbQaZSxLGzPI=\r\n-----END CERTIFICATE-----", + "publicKey": { + "exp": int(INSTANCE_KEY_PUB.public_key().e), + "mod": [hex(INSTANCE_KEY_PUB.public_key().n)[2:]], + }, + #"publicKey": { + # "exp": 65537, + # "mod": [ + # "b8d7c8103c406e0a5e79a73574369cc0704c116372afa6dd58b711456adb5c0d5351cb0da6f99137a660ce70d21b726c1b168ee6186b235507c334cac2efec02eb183cf737e78cd6ee2f5a3d2d22cc6a052870c3d9081143f1021f3828422ac7596e8679c5e5c284c35811ad39b59b55c3d572ec4c305219e11b7d46ee92d6ac1db9a97badd586f99edf5a6046332f57a67ffe8662f58519aa25179cecb54fede8c24393ad429ef62aaf299bad5675d129c35675e3c81789f95495a9231db5a6bc08794136a1918d8f072effd49fbb63a5248f76aaef3febae0e0d682254bcbed012beaa69fba338b5ec10c1452713795883e6db72ef8fc3502c964ee3352d5f" + # ], + #}, + }, + "configToken": config_token, } logging.debug(response) - return JSONr(response) + return JSONr(response, status_code=200) # venv/lib/python3.9/site-packages/nls_services_lease/test/test_lease_multi_controller.py From 7ce79ec95b94cad2f2da4a6382c17540b41d577b Mon Sep 17 00:00:00 2001 From: Oscar Krause Date: Thu, 10 Apr 2025 08:48:45 +0200 Subject: [PATCH 05/69] added test and code for /leasing/v1/config-token ref. https://git.collinwebdesigns.de/nvidia/nls/-/blob/main/src/test/test_config_token.py --- app/main.py | 178 +++++++++++++++++++++++++++++++++++++++++++++------ test/main.py | 31 ++++++++- 2 files changed, 185 insertions(+), 24 deletions(-) diff --git a/app/main.py b/app/main.py index c2c9f52..b3d5247 100644 --- a/app/main.py +++ b/app/main.py @@ -421,6 +421,149 @@ async def leasing_v1_config_token(request: Request): logger.debug(f'Headers: {request.headers}') logger.debug(f'Request: {j}') + # todo: THIS IS A DEMO ONLY - THIS ENDPOINT GENERATES A NEW ROOT-CA EVERY TIME IT IS CALLED !!! + + ### + # + # https://git.collinwebdesigns.de/nvidia/nls/-/blob/main/src/test/test_config_token.py + # + ### + + from cryptography import x509 + from cryptography.hazmat._oid import NameOID + from cryptography.hazmat.primitives import serialization, hashes + from cryptography.hazmat.primitives.asymmetric.rsa import generate_private_key + from cryptography.hazmat.primitives.serialization import Encoding + + """ Create Root Key and Certificate """ + + # create root keypair + my_root_private_key = generate_private_key(public_exponent=65537, key_size=4096) + my_root_public_key = my_root_private_key.public_key() + + # create root-certificate subject + my_root_subject = x509.Name([ + x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'), + x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'California'), + x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'Nvidia'), + x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME, u'Nvidia Licensing Service (NLS)'), + x509.NameAttribute(NameOID.COMMON_NAME, u'NLS Root CA'), + ]) + + # create self-signed root-certificate + my_root_certificate = ( + x509.CertificateBuilder() + .subject_name(my_root_subject) + .issuer_name(my_root_subject) + .public_key(my_root_public_key) + .serial_number(x509.random_serial_number()) + .not_valid_before(datetime.now(tz=UTC) - timedelta(days=1)) + .not_valid_after(datetime.now(tz=UTC) + timedelta(days=365 * 10)) + .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True) + .add_extension(x509.SubjectKeyIdentifier.from_public_key(my_root_public_key), critical=False) + .sign(my_root_private_key, hashes.SHA256())) + + """ Create CA (Intermediate) Key and Certificate """ + + # create ca keypair + my_ca_private_key = generate_private_key(public_exponent=65537, key_size=4096) + my_ca_public_key = my_ca_private_key.public_key() + + # create ca-certificate subject + my_ca_subject = x509.Name([ + x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'), + x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'California'), + x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'Nvidia'), + x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME, u'Nvidia Licensing Service (NLS)'), + x509.NameAttribute(NameOID.COMMON_NAME, u'NLS Intermediate CA'), + ]) + + # create self-signed ca-certificate + my_ca_certificate = ( + x509.CertificateBuilder() + .subject_name(my_ca_subject) + .issuer_name(my_root_subject) + .public_key(my_ca_public_key) + .serial_number(x509.random_serial_number()) + .not_valid_before(datetime.now(tz=UTC) - timedelta(days=1)) + .not_valid_after(datetime.now(tz=UTC) + timedelta(days=365 * 10)) + .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True) + .add_extension(x509.KeyUsage(digital_signature=False, key_encipherment=False, key_cert_sign=True, + key_agreement=False, content_commitment=False, data_encipherment=False, + crl_sign=True, encipher_only=False, decipher_only=False), critical=True) + .add_extension(x509.SubjectKeyIdentifier.from_public_key(my_ca_public_key), critical=False) + # .add_extension(x509.AuthorityKeyIdentifier.from_issuer_public_key(my_root_public_key), critical=False) + .add_extension(x509.AuthorityKeyIdentifier.from_issuer_subject_key_identifier( + my_root_certificate.extensions.get_extension_for_class(x509.SubjectKeyIdentifier).value + ), critical=False) + .sign(my_root_private_key, hashes.SHA256())) + + # with open('caChain_my.pem', 'wb') as f: + # f.write(my_ca_certificate.public_bytes(encoding=Encoding.PEM)) + + """ Create Service-Instance Key and Certificate """ + + # create si keypair + my_si_private_key = generate_private_key(public_exponent=65537, key_size=2048) + my_si_public_key = my_si_private_key.public_key() + + my_si_private_key_as_pem = my_si_private_key.private_bytes( + encoding=serialization.Encoding.PEM, + format=serialization.PrivateFormat.TraditionalOpenSSL, + encryption_algorithm=serialization.NoEncryption(), + ) + my_si_public_key_as_pem = my_si_public_key.public_bytes( + encoding=serialization.Encoding.PEM, + format=serialization.PublicFormat.SubjectPublicKeyInfo, + ) + + # with open('instance.private.pem', 'wb') as f: + # f.write(my_si_private_key_as_pem) + + # with open('instance.public.pem', 'wb') as f: + # f.write(my_si_public_key_as_pem) + + # create si-certificate subject + my_si_subject = x509.Name([ + #x509.NameAttribute(NameOID.COMMON_NAME, INSTANCE_REF), + x509.NameAttribute(NameOID.COMMON_NAME, j.get('service_instance_ref')), + ]) + + # create self-signed si-certificate + my_si_certificate = ( + x509.CertificateBuilder() + .subject_name(my_si_subject) + .issuer_name(my_ca_subject) + .public_key(my_si_public_key) + .serial_number(x509.random_serial_number()) + .not_valid_before(datetime.now(tz=UTC) - timedelta(days=1)) + .not_valid_after(datetime.now(tz=UTC) + timedelta(days=365 * 10)) + .add_extension(x509.KeyUsage(digital_signature=True, key_encipherment=True, key_cert_sign=False, + key_agreement=True, content_commitment=False, data_encipherment=False, + crl_sign=False, encipher_only=False, decipher_only=False), critical=True) + .add_extension(x509.ExtendedKeyUsage([ + x509.oid.ExtendedKeyUsageOID.SERVER_AUTH, + x509.oid.ExtendedKeyUsageOID.CLIENT_AUTH] + ), critical=False) + .add_extension(x509.SubjectKeyIdentifier.from_public_key(my_si_public_key), critical=False) + # .add_extension(x509.AuthorityKeyIdentifier.from_issuer_public_key(my_ca_public_key), critical=False) + .add_extension(x509.AuthorityKeyIdentifier.from_issuer_subject_key_identifier( + my_ca_certificate.extensions.get_extension_for_class(x509.SubjectKeyIdentifier).value + ), critical=False) + .add_extension(x509.SubjectAlternativeName([ + #x509.DNSName(INSTANCE_REF) + x509.DNSName(j.get('service_instance_ref')) + ]), critical=False) + .sign(my_ca_private_key, hashes.SHA256())) + + my_si_public_key_exp = my_si_certificate.public_key().public_numbers().e + my_si_public_key_mod = f'{my_si_certificate.public_key().public_numbers().n:x}' # hex value without "0x" prefix + + # with open('cert_my.pem', 'wb') as f: + # f.write(my_si_certificate.public_bytes(encoding=Encoding.PEM)) + + """ build out payload """ + cur_time = datetime.now(UTC) exp_time = cur_time + CLIENT_TOKEN_EXPIRE_DELTA @@ -435,38 +578,31 @@ async def leasing_v1_config_token(request: Request): "service_instance_ref": j.get('service_instance_ref'), "service_instance_public_key_configuration": { "service_instance_public_key_me": { - "mod": hex(INSTANCE_KEY_PUB.public_key().n)[2:], - "exp": int(INSTANCE_KEY_PUB.public_key().e), + "mod": hex(my_si_public_key.public_numbers().n)[2:], + "exp": int(my_si_public_key.public_numbers().e), }, - "service_instance_public_key_pem": INSTANCE_KEY_PUB.export_key().decode('utf-8'), + # 64 chars per line (pem default) + "service_instance_public_key_pem": my_si_public_key_as_pem.decode('utf-8').strip(), "key_retention_mode": "LATEST_ONLY" }, } - config_token = jws.sign(payload, key=jwt_encode_key, headers=None, algorithm=ALGORITHMS.RS256) + my_jwt_encode_key = jwk.construct(my_si_private_key_as_pem.decode('utf-8'), algorithm=ALGORITHMS.RS256) + config_token = jws.sign(payload, key=my_jwt_encode_key, headers=None, algorithm=ALGORITHMS.RS256) - root_crt = load_file(join(dirname(__file__), 'cert\\root-ca.crt.pem')).decode('utf-8').replace('\n', '\r\n')[:-2] - intermediate_crt = load_file(join(dirname(__file__), 'cert\\intermediate.crt.pem')).decode('utf-8').replace('\n', '\r\n')[:-2] - public_crt = load_file(join(dirname(__file__), 'cert\\webserver.crt.pem')).decode('utf-8').replace('\n', '\r\n')[:-2] - #public_key = load_key(join(dirname(__file__), 'cert\\webserver.pub.pem')) + response_ca_chain = my_ca_certificate.public_bytes(encoding=Encoding.PEM).decode('utf-8') + response_si_certificate = my_si_certificate.public_bytes(encoding=Encoding.PEM).decode('utf-8') response = { "certificateConfiguration": { - #"caChain": [public_crt], - "caChain": [intermediate_crt], - #"caChain": ["-----BEGIN CERTIFICATE-----\r\nMIIF3TCCA8WgAwIBAgIUCpVszfecRrnPa3EGwPKuyWESBmMwDQYJKoZIhvcNAQELBQAwcjELMAkG\r\nA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExDzANBgNVBAoTBk52aWRpYTEnMCUGA1UECxMe\r\nTnZpZGlhIExpY2Vuc2luZyBTZXJ2aWNlIChOTFMpMRQwEgYDVQQDEwtOTFMgUm9vdCBDQTAeFw0y\r\nNDA5MjYwNzM4MTlaFw0zNDA5MjQwNzM4NDlaMHoxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxp\r\nZm9ybmlhMQ8wDQYDVQQKEwZOdmlkaWExJzAlBgNVBAsTHk52aWRpYSBMaWNlbnNpbmcgU2Vydmlj\r\nZSAoTkxTKTEcMBoGA1UEAxMTTkxTIEludGVybWVkaWF0ZSBDQTCCAiIwDQYJKoZIhvcNAQEBBQAD\r\nggIPADCCAgoCggIBAOIb5ZcYWR78WkJipEW4cOB2d3WkXhjzA9Omj0SBnA6fJad+zObguInmkgyB\r\nUC/0xMnHeEH1WQpZ0yZE1rdH0ziwPy07hmCgjMSC8iXSfV4QXoHzsQy80HSbD3dr0A5Fk9UrWdJu\r\nIlLnwqTfUjxMSqiVYbGI2JLVLDIPjnrCKgZ//vVTFWiMDQaGInDz5Qo3azHIt1Sw3u47/b88TzmK\r\ni3TMbjtAR3djlhQfJBY6nUdP8wWy2Fntx9fO7U723sp6cnGtHnbXGpon/QqxlPjT4RXXm1QmFQ/d\r\nyUmvmjoiJsCQ3v2KFJNei2bkUS29ZKPr4TGokojOilESQAQTLo+5s0cN7ZtPWvwZ4uets84GCRP5\r\ndC+aKoNQ7cg06A1tA3SxEL9r6D2LaTiheuWKFNiIJZzfmmbTPExsKt4Nzmv72wfG2i2+sY6l4f5x\r\nEFiKybn2EY1Hjpt0J3vL/goOOt/ejRtS5qKco3pu6zZBBWqB1qesA813AGgqbscht4y4m414rPmQ\r\naHA2PTe0JRDcradK75chFUOvLeIYD1Hy0XTxNxlhRA/5mFd2GkWZmtsW3D1iAV73VHAEvWDS0hXB\r\ng60B0y4d3fyYxI+pOTaZzsh0PAC2jUqDOhQ7dKELeYUKWsEDDMq9mg2bxqSNoQnQbITIsbu7IELu\r\nvmxIWT1omRptd5LrAgMBAAGjYzBhMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MB0G\r\nA1UdDgQWBBRKNST8UPeZYQgLZLEKMBGklaADHjAfBgNVHSMEGDAWgBRiEXE0RonjkPN+XBjnSQbo\r\nA8X3ajANBgkqhkiG9w0BAQsFAAOCAgEAEq5FaQWhTWt1hNfoz/BeDQ68O9PEGGveCPouElE8s/uG\r\nPHYSJpmg7dq5Qoxb5dpdq1mJX2rTgixJu/iC3uRUsirdH6wsVjjqz4YsoAz5VqjlkriFJpXlfOpp\r\nw18ex5C5p4x3TrlPCowMgf9h6VBR1iCq3VikVVguqSPP/zf9G3Qhitvqs0+m7KJnbwFA/bDLMET8\r\nTJS/r4XKQYisXfu95XrG2TTCaOwytqx+uepqwB74tFMznfdjzKyztqGwniKLrcZ3kOuM4cyo5ZT4\r\nOORCV6FWmbRq2OtttI4o85zsVNkY1JF8hvyvjygRiX5dQROza5EStkXvGO6532atFU43KNJvLanZ\r\nZTaxIJvZGWeKvrH+HTCANp11cgq5qcRRltQHb7KWweYNM4nyCjyBQm5vTm7g1uVI7llVm2Txx5dT\r\n5OtenaohmJIr6POeq8Y2Z+DJ8s3UpZoZCc3Vj5PQyNZiAx2ErN6XgrsmljG3w6+k2ooLpT9Sr1Ql\r\nKc8okN5SJGUOLuFI+h8jX1hHqpQejjNKy3UkTzjosYNq6Kk0h2Tl1i8iO+wY4Wb3GbL6GtP1rcjI\r\np/d9mxPNJONlp4a0koaMEpHTODT/xyVjU7FkUyKE9Uj1O/1lBEANYsFrQGfmuHAZTGf9J+cvkrz3\r\n56OFWPHcA7gxkpU8wftrVMLFeDvLIGc=\r\n-----END CERTIFICATE-----"], - "publicCert": public_crt, - #"publicCert": "-----BEGIN CERTIFICATE-----\r\nMIIE2zCCAsOgAwIBAgIUCX7sjz8B3HSAxRSPHAdNP/NCByEwDQYJKoZIhvcNAQELBQAwejELMAkG\r\nA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExDzANBgNVBAoTBk52aWRpYTEnMCUGA1UECxMe\r\nTnZpZGlhIExpY2Vuc2luZyBTZXJ2aWNlIChOTFMpMRwwGgYDVQQDExNOTFMgSW50ZXJtZWRpYXRl\r\nIENBMB4XDTI1MDMxMDA3NDA1NloXDTI4MDMwOTA3NDEyNlowLzEtMCsGA1UEAxMkYTE3ZTA3OWUt\r\nNmE3My00ZWJmLThkM2ItOGM4OTYxMWI5YTI3MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC\r\nAQEAuNfIEDxAbgpeeac1dDacwHBMEWNyr6bdWLcRRWrbXA1TUcsNpvmRN6ZgznDSG3JsGxaO5hhr\r\nI1UHwzTKwu/sAusYPPc354zW7i9aPS0izGoFKHDD2QgRQ/ECHzgoQirHWW6GecXlwoTDWBGtObWb\r\nVcPVcuxMMFIZ4Rt9Ru6S1qwdual7rdWG+Z7fWmBGMy9Xpn/+hmL1hRmqJRec7LVP7ejCQ5OtQp72\r\nKq8pm61WddEpw1Z148gXiflUlakjHbWmvAh5QTahkY2PBy7/1J+7Y6Ukj3aq7z/rrg4NaCJUvL7Q\r\nEr6qafujOLXsEMFFJxN5WIPm23Lvj8NQLJZO4zUtXwIDAQABo4GjMIGgMA4GA1UdDwEB/wQEAwID\r\nqDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwHQYDVR0OBBYEFPfOsX87tbYT3irva9Tl\r\nWtLhYGccMB8GA1UdIwQYMBaAFEo1JPxQ95lhCAtksQowEaSVoAMeMC8GA1UdEQQoMCaCJGExN2Uw\r\nNzllLTZhNzMtNGViZi04ZDNiLThjODk2MTFiOWEyNzANBgkqhkiG9w0BAQsFAAOCAgEAa0Z0E0NW\r\n0KgpAgLLJ+6nGXfMVfG8sauXz9AQmobvuRsOvQi2DpTbfjrP4uT7q33Qw1vyQl2jlxoI0G1Ul1TO\r\nBVM/XYhs/Qp8TXSFFngCNQspAmDPCjSqnoeH3h6yW1EEfQY3R1hKac/krzuJs+Y4G2y1WLNmQiqF\r\now9FG2+APimLtPBDHCydn0tkAKRbDa9i5izty0qtAr+tlrSV6AOnn0fagJ5JjrVkGgAaO1GXwpWB\r\nEAteRDfsCIIMtPujZU0BAIYuXvxaX5zYiCN3KadBzheDh5IVZcTyOkHIRDvFl10exhMjcDjvAAfV\r\nHUUBliGAaIFBrgXz0y3CVcRNP7xp3PW1F/HZVBcQgi+cnqQfIF6us8+u8xLG51VtFHAUxP3NzSgU\r\nI54sIJmmNP30o8RRevD3wclk26A9PB+9MFBm6KFZb4Ue55cFqeI85ICKPoCfsBzP4CYNoNX3fscA\r\nhrJgXxbAVB9NC6rpEmpniyo7FGEPyQV41nuwqf8Y7SwAzPspGo0orynjrbJyr+N/l5oA0OblsqLw\r\nb963k2ssDS/YIQ79KaP1TWXl1e9WI46mgyPWha3Zm9P5FS1MedORwANafh+4PVo3JfaruUvSqQK/\r\nEwIjAdhNNrs2xMgQkGffl8cQF3TDbXAAstRQySKvt1cj3lTbhD+vNiidbQaZSxLGzPI=\r\n-----END CERTIFICATE-----", + # 76 chars per line + "caChain": [response_ca_chain], + # 76 chars per line + "publicCert": response_si_certificate, "publicKey": { - "exp": int(INSTANCE_KEY_PUB.public_key().e), - "mod": [hex(INSTANCE_KEY_PUB.public_key().n)[2:]], + "exp": int(my_si_certificate.public_key().public_numbers().e), + "mod": [hex(my_si_certificate.public_key().public_numbers().n)[2:]], }, - #"publicKey": { - # "exp": 65537, - # "mod": [ - # "b8d7c8103c406e0a5e79a73574369cc0704c116372afa6dd58b711456adb5c0d5351cb0da6f99137a660ce70d21b726c1b168ee6186b235507c334cac2efec02eb183cf737e78cd6ee2f5a3d2d22cc6a052870c3d9081143f1021f3828422ac7596e8679c5e5c284c35811ad39b59b55c3d572ec4c305219e11b7d46ee92d6ac1db9a97badd586f99edf5a6046332f57a67ffe8662f58519aa25179cecb54fede8c24393ad429ef62aaf299bad5675d129c35675e3c81789f95495a9231db5a6bc08794136a1918d8f072effd49fbb63a5248f76aaef3febae0e0d682254bcbed012beaa69fba338b5ec10c1452713795883e6db72ef8fc3502c964ee3352d5f" - # ], - #}, }, "configToken": config_token, } diff --git a/test/main.py b/test/main.py index cf1f5db..014a86f 100644 --- a/test/main.py +++ b/test/main.py @@ -1,3 +1,4 @@ +import json import sys from base64 import b64encode as b64enc from calendar import timegm @@ -7,7 +8,7 @@ from os.path import dirname, join from uuid import uuid4, UUID from dateutil.relativedelta import relativedelta -from jose import jwt, jwk +from jose import jwt, jwk, jws from jose.constants import ALGORITHMS from starlette.testclient import TestClient @@ -20,6 +21,7 @@ from util import PrivateKey, PublicKey client = TestClient(main.app) +INSTANCE_REF = '10000000-0000-0000-0000-000000000001' ORIGIN_REF, ALLOTMENT_REF, SECRET = str(uuid4()), '20000000-0000-0000-0000-000000000001', 'HelloWorld' # INSTANCE_KEY_RSA = generate_key() @@ -69,6 +71,31 @@ def test_client_token(): assert response.status_code == 200 +def test_config_token(): # todo: /leasing/v1/config-token + # https://git.collinwebdesigns.de/nvidia/nls/-/blob/main/src/test/test_config_token.py + + response = client.post('/leasing/v1/config-token', json={"service_instance_ref": INSTANCE_REF}) + assert response.status_code == 200 + + nv_response_certificate_configuration = response.json().get('certificateConfiguration') + nv_response_public_cert = nv_response_certificate_configuration.get('publicCert').encode('utf-8') + nv_jwt_decode_key = jwk.construct(nv_response_public_cert, algorithm=ALGORITHMS.RS256) + + nv_response_config_token = response.json().get('configToken') + + payload = jws.verify(nv_response_config_token, key=nv_jwt_decode_key, algorithms=ALGORITHMS.RS256) + payload = json.loads(payload) + assert payload.get('iss') == 'NLS Service Instance' + assert payload.get('aud') == 'NLS Licensed Client' + assert payload.get('service_instance_ref') == INSTANCE_REF + + nv_si_public_key_configuration = payload.get('service_instance_public_key_configuration') + nv_si_public_key_me = nv_si_public_key_configuration.get('service_instance_public_key_me') + # assert nv_si_public_key_me.get('mod') == 1 #nv_si_public_key_mod + assert len(nv_si_public_key_me.get('mod')) == 512 + assert nv_si_public_key_me.get('exp') == 65537 # nv_si_public_key_exp + + def test_origins(): pass @@ -166,8 +193,6 @@ def test_auth_v1_token(): assert payload.get('origin_ref') == ORIGIN_REF -# todo: /leasing/v1/config-token - def test_leasing_v1_lessor(): payload = { 'fulfillment_context': { From c15cdee6103c5dcd439f439d1a1dcda0e0aef210 Mon Sep 17 00:00:00 2001 From: Oscar Krause Date: Thu, 10 Apr 2025 21:38:25 +0200 Subject: [PATCH 06/69] created "init_config_token_demo" --- app/main.py | 288 ++++++++++++++++++++++++++++++---------------------- app/util.py | 24 +++++ 2 files changed, 190 insertions(+), 122 deletions(-) diff --git a/app/main.py b/app/main.py index b3d5247..17bff68 100644 --- a/app/main.py +++ b/app/main.py @@ -6,7 +6,7 @@ from datetime import datetime, timedelta, UTC from hashlib import sha256 from json import loads as json_loads from os import getenv as env -from os.path import join, dirname +from os.path import join, dirname, isfile from uuid import uuid4 from dateutil.relativedelta import relativedelta @@ -18,10 +18,11 @@ from jose.constants import ALGORITHMS from sqlalchemy import create_engine from sqlalchemy.orm import sessionmaker from starlette.middleware.cors import CORSMiddleware -from starlette.responses import StreamingResponse, JSONResponse as JSONr, HTMLResponse as HTMLr, Response, RedirectResponse +from starlette.responses import StreamingResponse, JSONResponse as JSONr, HTMLResponse as HTMLr, Response, \ + RedirectResponse from orm import Origin, Lease, init as db_init, migrate -from util import PrivateKey, PublicKey, load_file +from util import PrivateKey, PublicKey, load_file, Cert # Load variables load_dotenv('../version.env') @@ -421,7 +422,7 @@ async def leasing_v1_config_token(request: Request): logger.debug(f'Headers: {request.headers}') logger.debug(f'Request: {j}') - # todo: THIS IS A DEMO ONLY - THIS ENDPOINT GENERATES A NEW ROOT-CA EVERY TIME IT IS CALLED !!! + # todo: THIS IS A DEMO ONLY ### # @@ -429,138 +430,181 @@ async def leasing_v1_config_token(request: Request): # ### - from cryptography import x509 - from cryptography.hazmat._oid import NameOID - from cryptography.hazmat.primitives import serialization, hashes - from cryptography.hazmat.primitives.asymmetric.rsa import generate_private_key - from cryptography.hazmat.primitives.serialization import Encoding + root_private_key_filename = join(dirname(__file__), 'cert/my_demo_root_private_key.pem') + root_certificate_filename = join(dirname(__file__), 'cert/my_demo_root_certificate.pem') + ca_private_key_filename = join(dirname(__file__), 'cert/my_demo_ca_private_key.pem') + ca_certificate_filename = join(dirname(__file__), 'cert/my_demo_ca_certificate.pem') + si_private_key_filename = join(dirname(__file__), 'cert/my_demo_si_private_key.pem') + si_certificate_filename = join(dirname(__file__), 'cert/my_demo_si_certificate.pem') - """ Create Root Key and Certificate """ + def init_config_token_demo(): + from cryptography import x509 + from cryptography.hazmat._oid import NameOID + from cryptography.hazmat.primitives import serialization, hashes + from cryptography.hazmat.primitives.asymmetric.rsa import generate_private_key + from cryptography.hazmat.primitives.serialization import Encoding - # create root keypair - my_root_private_key = generate_private_key(public_exponent=65537, key_size=4096) - my_root_public_key = my_root_private_key.public_key() + """ Create Root Key and Certificate """ - # create root-certificate subject - my_root_subject = x509.Name([ - x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'), - x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'California'), - x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'Nvidia'), - x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME, u'Nvidia Licensing Service (NLS)'), - x509.NameAttribute(NameOID.COMMON_NAME, u'NLS Root CA'), - ]) + # create root keypair + my_root_private_key = generate_private_key(public_exponent=65537, key_size=4096) + my_root_public_key = my_root_private_key.public_key() - # create self-signed root-certificate - my_root_certificate = ( - x509.CertificateBuilder() - .subject_name(my_root_subject) - .issuer_name(my_root_subject) - .public_key(my_root_public_key) - .serial_number(x509.random_serial_number()) - .not_valid_before(datetime.now(tz=UTC) - timedelta(days=1)) - .not_valid_after(datetime.now(tz=UTC) + timedelta(days=365 * 10)) - .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True) - .add_extension(x509.SubjectKeyIdentifier.from_public_key(my_root_public_key), critical=False) - .sign(my_root_private_key, hashes.SHA256())) + # create root-certificate subject + my_root_subject = x509.Name([ + x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'), + x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'California'), + x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'Nvidia'), + x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME, u'Nvidia Licensing Service (NLS)'), + x509.NameAttribute(NameOID.COMMON_NAME, u'NLS Root CA'), + ]) - """ Create CA (Intermediate) Key and Certificate """ + # create self-signed root-certificate + my_root_certificate = ( + x509.CertificateBuilder() + .subject_name(my_root_subject) + .issuer_name(my_root_subject) + .public_key(my_root_public_key) + .serial_number(x509.random_serial_number()) + .not_valid_before(datetime.now(tz=UTC) - timedelta(days=1)) + .not_valid_after(datetime.now(tz=UTC) + timedelta(days=365 * 10)) + .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True) + .add_extension(x509.SubjectKeyIdentifier.from_public_key(my_root_public_key), critical=False) + .sign(my_root_private_key, hashes.SHA256())) - # create ca keypair - my_ca_private_key = generate_private_key(public_exponent=65537, key_size=4096) - my_ca_public_key = my_ca_private_key.public_key() + my_root_private_key_as_pem = my_root_private_key.private_bytes( + encoding=serialization.Encoding.PEM, + format=serialization.PrivateFormat.TraditionalOpenSSL, + encryption_algorithm=serialization.NoEncryption(), + ) - # create ca-certificate subject - my_ca_subject = x509.Name([ - x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'), - x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'California'), - x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'Nvidia'), - x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME, u'Nvidia Licensing Service (NLS)'), - x509.NameAttribute(NameOID.COMMON_NAME, u'NLS Intermediate CA'), - ]) + with open(root_private_key_filename, 'wb') as f: + f.write(my_root_private_key_as_pem) - # create self-signed ca-certificate - my_ca_certificate = ( - x509.CertificateBuilder() - .subject_name(my_ca_subject) - .issuer_name(my_root_subject) - .public_key(my_ca_public_key) - .serial_number(x509.random_serial_number()) - .not_valid_before(datetime.now(tz=UTC) - timedelta(days=1)) - .not_valid_after(datetime.now(tz=UTC) + timedelta(days=365 * 10)) - .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True) - .add_extension(x509.KeyUsage(digital_signature=False, key_encipherment=False, key_cert_sign=True, - key_agreement=False, content_commitment=False, data_encipherment=False, - crl_sign=True, encipher_only=False, decipher_only=False), critical=True) - .add_extension(x509.SubjectKeyIdentifier.from_public_key(my_ca_public_key), critical=False) - # .add_extension(x509.AuthorityKeyIdentifier.from_issuer_public_key(my_root_public_key), critical=False) - .add_extension(x509.AuthorityKeyIdentifier.from_issuer_subject_key_identifier( - my_root_certificate.extensions.get_extension_for_class(x509.SubjectKeyIdentifier).value - ), critical=False) - .sign(my_root_private_key, hashes.SHA256())) + with open(root_certificate_filename, 'wb') as f: + f.write(my_root_certificate.public_bytes(encoding=Encoding.PEM)) - # with open('caChain_my.pem', 'wb') as f: - # f.write(my_ca_certificate.public_bytes(encoding=Encoding.PEM)) + """ Create CA (Intermediate) Key and Certificate """ - """ Create Service-Instance Key and Certificate """ + # create ca keypair + my_ca_private_key = generate_private_key(public_exponent=65537, key_size=4096) + my_ca_public_key = my_ca_private_key.public_key() - # create si keypair - my_si_private_key = generate_private_key(public_exponent=65537, key_size=2048) - my_si_public_key = my_si_private_key.public_key() + # create ca-certificate subject + my_ca_subject = x509.Name([ + x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'), + x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'California'), + x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'Nvidia'), + x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME, u'Nvidia Licensing Service (NLS)'), + x509.NameAttribute(NameOID.COMMON_NAME, u'NLS Intermediate CA'), + ]) - my_si_private_key_as_pem = my_si_private_key.private_bytes( - encoding=serialization.Encoding.PEM, - format=serialization.PrivateFormat.TraditionalOpenSSL, - encryption_algorithm=serialization.NoEncryption(), - ) - my_si_public_key_as_pem = my_si_public_key.public_bytes( - encoding=serialization.Encoding.PEM, - format=serialization.PublicFormat.SubjectPublicKeyInfo, - ) + # create self-signed ca-certificate + my_ca_certificate = ( + x509.CertificateBuilder() + .subject_name(my_ca_subject) + .issuer_name(my_root_subject) + .public_key(my_ca_public_key) + .serial_number(x509.random_serial_number()) + .not_valid_before(datetime.now(tz=UTC) - timedelta(days=1)) + .not_valid_after(datetime.now(tz=UTC) + timedelta(days=365 * 10)) + .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True) + .add_extension(x509.KeyUsage(digital_signature=False, key_encipherment=False, key_cert_sign=True, + key_agreement=False, content_commitment=False, data_encipherment=False, + crl_sign=True, encipher_only=False, decipher_only=False), critical=True) + .add_extension(x509.SubjectKeyIdentifier.from_public_key(my_ca_public_key), critical=False) + # .add_extension(x509.AuthorityKeyIdentifier.from_issuer_public_key(my_root_public_key), critical=False) + .add_extension(x509.AuthorityKeyIdentifier.from_issuer_subject_key_identifier( + my_root_certificate.extensions.get_extension_for_class(x509.SubjectKeyIdentifier).value + ), critical=False) + .sign(my_root_private_key, hashes.SHA256())) - # with open('instance.private.pem', 'wb') as f: - # f.write(my_si_private_key_as_pem) + my_ca_private_key_as_pem = my_ca_private_key.private_bytes( + encoding=serialization.Encoding.PEM, + format=serialization.PrivateFormat.TraditionalOpenSSL, + encryption_algorithm=serialization.NoEncryption(), + ) - # with open('instance.public.pem', 'wb') as f: - # f.write(my_si_public_key_as_pem) + with open(ca_private_key_filename, 'wb') as f: + f.write(my_ca_private_key_as_pem) - # create si-certificate subject - my_si_subject = x509.Name([ - #x509.NameAttribute(NameOID.COMMON_NAME, INSTANCE_REF), - x509.NameAttribute(NameOID.COMMON_NAME, j.get('service_instance_ref')), - ]) + with open(ca_certificate_filename, 'wb') as f: + f.write(my_ca_certificate.public_bytes(encoding=Encoding.PEM)) - # create self-signed si-certificate - my_si_certificate = ( - x509.CertificateBuilder() - .subject_name(my_si_subject) - .issuer_name(my_ca_subject) - .public_key(my_si_public_key) - .serial_number(x509.random_serial_number()) - .not_valid_before(datetime.now(tz=UTC) - timedelta(days=1)) - .not_valid_after(datetime.now(tz=UTC) + timedelta(days=365 * 10)) - .add_extension(x509.KeyUsage(digital_signature=True, key_encipherment=True, key_cert_sign=False, - key_agreement=True, content_commitment=False, data_encipherment=False, - crl_sign=False, encipher_only=False, decipher_only=False), critical=True) - .add_extension(x509.ExtendedKeyUsage([ - x509.oid.ExtendedKeyUsageOID.SERVER_AUTH, - x509.oid.ExtendedKeyUsageOID.CLIENT_AUTH] - ), critical=False) - .add_extension(x509.SubjectKeyIdentifier.from_public_key(my_si_public_key), critical=False) - # .add_extension(x509.AuthorityKeyIdentifier.from_issuer_public_key(my_ca_public_key), critical=False) - .add_extension(x509.AuthorityKeyIdentifier.from_issuer_subject_key_identifier( - my_ca_certificate.extensions.get_extension_for_class(x509.SubjectKeyIdentifier).value - ), critical=False) - .add_extension(x509.SubjectAlternativeName([ - #x509.DNSName(INSTANCE_REF) - x509.DNSName(j.get('service_instance_ref')) - ]), critical=False) - .sign(my_ca_private_key, hashes.SHA256())) + """ Create Service-Instance Key and Certificate """ - my_si_public_key_exp = my_si_certificate.public_key().public_numbers().e - my_si_public_key_mod = f'{my_si_certificate.public_key().public_numbers().n:x}' # hex value without "0x" prefix + # create si keypair + my_si_private_key = generate_private_key(public_exponent=65537, key_size=2048) + my_si_public_key = my_si_private_key.public_key() - # with open('cert_my.pem', 'wb') as f: - # f.write(my_si_certificate.public_bytes(encoding=Encoding.PEM)) + my_si_private_key_as_pem = my_si_private_key.private_bytes( + encoding=serialization.Encoding.PEM, + format=serialization.PrivateFormat.TraditionalOpenSSL, + encryption_algorithm=serialization.NoEncryption(), + ) + my_si_public_key_as_pem = my_si_public_key.public_bytes( + encoding=serialization.Encoding.PEM, + format=serialization.PublicFormat.SubjectPublicKeyInfo, + ) + + with open(si_private_key_filename, 'wb') as f: + f.write(my_si_private_key_as_pem) + + # with open('instance.public.pem', 'wb') as f: + # f.write(my_si_public_key_as_pem) + + # create si-certificate subject + my_si_subject = x509.Name([ + # x509.NameAttribute(NameOID.COMMON_NAME, INSTANCE_REF), + x509.NameAttribute(NameOID.COMMON_NAME, j.get('service_instance_ref')), + ]) + + # create self-signed si-certificate + my_si_certificate = ( + x509.CertificateBuilder() + .subject_name(my_si_subject) + .issuer_name(my_ca_subject) + .public_key(my_si_public_key) + .serial_number(x509.random_serial_number()) + .not_valid_before(datetime.now(tz=UTC) - timedelta(days=1)) + .not_valid_after(datetime.now(tz=UTC) + timedelta(days=365 * 10)) + .add_extension(x509.KeyUsage(digital_signature=True, key_encipherment=True, key_cert_sign=False, + key_agreement=True, content_commitment=False, data_encipherment=False, + crl_sign=False, encipher_only=False, decipher_only=False), critical=True) + .add_extension(x509.ExtendedKeyUsage([ + x509.oid.ExtendedKeyUsageOID.SERVER_AUTH, + x509.oid.ExtendedKeyUsageOID.CLIENT_AUTH] + ), critical=False) + .add_extension(x509.SubjectKeyIdentifier.from_public_key(my_si_public_key), critical=False) + # .add_extension(x509.AuthorityKeyIdentifier.from_issuer_public_key(my_ca_public_key), critical=False) + .add_extension(x509.AuthorityKeyIdentifier.from_issuer_subject_key_identifier( + my_ca_certificate.extensions.get_extension_for_class(x509.SubjectKeyIdentifier).value + ), critical=False) + .add_extension(x509.SubjectAlternativeName([ + # x509.DNSName(INSTANCE_REF) + x509.DNSName(j.get('service_instance_ref')) + ]), critical=False) + .sign(my_ca_private_key, hashes.SHA256())) + + my_si_public_key_exp = my_si_certificate.public_key().public_numbers().e + my_si_public_key_mod = f'{my_si_certificate.public_key().public_numbers().n:x}' # hex value without "0x" prefix + + with open(si_certificate_filename, 'wb') as f: + f.write(my_si_certificate.public_bytes(encoding=Encoding.PEM)) + + if not (isfile(root_private_key_filename) + and isfile(ca_private_key_filename) + and isfile(ca_certificate_filename) + and isfile(si_private_key_filename) + and isfile(si_certificate_filename)): + init_config_token_demo() + + my_ca_certificate = Cert.from_file(ca_certificate_filename) + my_si_certificate = Cert.from_file(si_certificate_filename) + my_si_private_key = PrivateKey.from_file(si_private_key_filename) + my_si_private_key_as_pem = my_si_private_key.pem() + my_si_public_key = my_si_private_key.public_key().raw() + my_si_public_key_as_pem = my_si_private_key.public_key().pem() """ build out payload """ @@ -590,8 +634,8 @@ async def leasing_v1_config_token(request: Request): my_jwt_encode_key = jwk.construct(my_si_private_key_as_pem.decode('utf-8'), algorithm=ALGORITHMS.RS256) config_token = jws.sign(payload, key=my_jwt_encode_key, headers=None, algorithm=ALGORITHMS.RS256) - response_ca_chain = my_ca_certificate.public_bytes(encoding=Encoding.PEM).decode('utf-8') - response_si_certificate = my_si_certificate.public_bytes(encoding=Encoding.PEM).decode('utf-8') + response_ca_chain = my_ca_certificate.pem().decode('utf-8') + response_si_certificate = my_si_certificate.pem().decode('utf-8') response = { "certificateConfiguration": { @@ -600,8 +644,8 @@ async def leasing_v1_config_token(request: Request): # 76 chars per line "publicCert": response_si_certificate, "publicKey": { - "exp": int(my_si_certificate.public_key().public_numbers().e), - "mod": [hex(my_si_certificate.public_key().public_numbers().n)[2:]], + "exp": int(my_si_certificate.raw().public_key().public_numbers().e), + "mod": [hex(my_si_certificate.raw().public_key().public_numbers().n)[2:]], }, }, "configToken": config_token, diff --git a/app/util.py b/app/util.py index 1aae17b..14f20f2 100644 --- a/app/util.py +++ b/app/util.py @@ -3,6 +3,7 @@ import logging from cryptography.hazmat.primitives import serialization from cryptography.hazmat.primitives.asymmetric.rsa import RSAPrivateKey, RSAPublicKey, generate_private_key from cryptography.hazmat.primitives.serialization import load_pem_private_key, load_pem_public_key +from cryptography.x509 import load_pem_x509_certificate, Certificate logging.basicConfig() @@ -76,6 +77,29 @@ class PublicKey: format=serialization.PublicFormat.SubjectPublicKeyInfo ) + +class Cert: + + def __init__(self, data: bytes): + self.__cert = load_pem_x509_certificate(data) + + @staticmethod + def from_file(filename: str) -> "Cert": + log = logging.getLogger(__name__) + log.debug(f'Importing Certificate from "{filename}"') + + with open(filename, 'rb') as f: + data = f.read() + + return Cert(data=data.strip()) + + def raw(self) -> Certificate: + return self.__cert + + def pem(self) -> bytes: + return self.__cert.public_bytes(encoding=serialization.Encoding.PEM) + + def load_file(filename: str) -> bytes: log = logging.getLogger(f'{__name__}') log.debug(f'Loading contents of file "{filename}') From 0982106b4f39d488986f8175e6e95b943308f890 Mon Sep 17 00:00:00 2001 From: Oscar Krause Date: Fri, 11 Apr 2025 18:51:17 +0200 Subject: [PATCH 07/69] updated new responses for 18.x drivers --- app/main.py | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/app/main.py b/app/main.py index 17bff68..ea32547 100644 --- a/app/main.py +++ b/app/main.py @@ -299,9 +299,14 @@ async def auth_v1_origin(request: Request): Origin.create_or_update(db, data) + environment = { + 'raw_env': j.get('environment') + } + environment.update(j.get('environment')) + response = { "origin_ref": origin_ref, - "environment": j.get('environment'), + "environment": environment, "svc_port_set_list": None, "node_url_list": None, "node_query_order": None, @@ -408,6 +413,7 @@ async def auth_v1_token(request: Request): "expires": access_expires_on.isoformat(), "auth_token": auth_token, "sync_timestamp": cur_time.isoformat(), + "prompts": None } return JSONr(response) @@ -679,6 +685,7 @@ async def leasing_v1_lessor(request: Request): expires = cur_time + LEASE_EXPIRE_DELTA lease_result_list.append({ "ordinal": 0, + "error": 0, # https://docs.nvidia.com/license-system/latest/nvidia-license-system-user-guide/index.html "lease": { "ref": lease_ref, @@ -687,6 +694,9 @@ async def leasing_v1_lessor(request: Request): "recommended_lease_renewal": LEASE_RENEWAL_PERIOD, "offline_lease": "true", "license_type": "CONCURRENT_COUNTED_SINGLE" + "license_type": "CONCURRENT_COUNTED_SINGLE", + "lease_intent_id": None, + "metadata": None, } }) @@ -694,6 +704,7 @@ async def leasing_v1_lessor(request: Request): Lease.create_or_update(db, data) response = { + "client_challenge": None, "lease_result_list": lease_result_list, "result_code": "SUCCESS", "sync_timestamp": cur_time.isoformat(), From 1908b44bedb9f1e72b93c32eabb36feca9090b36 Mon Sep 17 00:00:00 2001 From: Oscar Krause Date: Fri, 11 Apr 2025 18:51:33 +0200 Subject: [PATCH 08/69] added debugging --- app/main.py | 2 ++ 1 file changed, 2 insertions(+) diff --git a/app/main.py b/app/main.py index ea32547..a53f514 100644 --- a/app/main.py +++ b/app/main.py @@ -667,6 +667,8 @@ async def leasing_v1_config_token(request: Request): async def leasing_v1_lessor(request: Request): j, token, cur_time = json_loads((await request.body()).decode('utf-8')), __get_token(request), datetime.now(UTC) + logger.debug(j) + try: token = __get_token(request) except JWTError: From 30ef56f956a2df1566b927f5e17500d443441e8d Mon Sep 17 00:00:00 2001 From: Oscar Krause Date: Fri, 11 Apr 2025 19:08:41 +0200 Subject: [PATCH 09/69] fixes --- app/main.py | 1 - 1 file changed, 1 deletion(-) diff --git a/app/main.py b/app/main.py index a53f514..3820c3a 100644 --- a/app/main.py +++ b/app/main.py @@ -695,7 +695,6 @@ async def leasing_v1_lessor(request: Request): "expires": expires.isoformat(), "recommended_lease_renewal": LEASE_RENEWAL_PERIOD, "offline_lease": "true", - "license_type": "CONCURRENT_COUNTED_SINGLE" "license_type": "CONCURRENT_COUNTED_SINGLE", "lease_intent_id": None, "metadata": None, From c7e8414934cdf7692826d31153b3fdb6fb1bae88 Mon Sep 17 00:00:00 2001 From: Oscar Krause Date: Fri, 11 Apr 2025 19:36:25 +0200 Subject: [PATCH 10/69] added missing lessor attributes --- app/main.py | 3 +++ 1 file changed, 3 insertions(+) diff --git a/app/main.py b/app/main.py index 3820c3a..4fe2c82 100644 --- a/app/main.py +++ b/app/main.py @@ -679,6 +679,7 @@ async def leasing_v1_lessor(request: Request): logger.info(f'> [ create ]: {origin_ref}: create leases for scope_ref_list {scope_ref_list}') lease_result_list = [] + # todo: for lease_proposal in lease_proposal_list for scope_ref in scope_ref_list: # if scope_ref not in [ALLOTMENT_REF]: # return JSONr(status_code=500, detail=f'no service instances found for scopes: ["{scope_ref}"]') @@ -698,6 +699,8 @@ async def leasing_v1_lessor(request: Request): "license_type": "CONCURRENT_COUNTED_SINGLE", "lease_intent_id": None, "metadata": None, + "feature_name": "GRID-Virtual-WS", # todo + "product_name": "NVIDIA RTX Virtual Workstation", # todo } }) From 5eb0c55f3f7ff5e0b200e231296008f7cc388fbe Mon Sep 17 00:00:00 2001 From: Oscar Krause Date: Fri, 11 Apr 2025 20:14:17 +0200 Subject: [PATCH 11/69] fixed datetime format --- app/main.py | 31 ++++++++++++++++--------------- 1 file changed, 16 insertions(+), 15 deletions(-) diff --git a/app/main.py b/app/main.py index 4fe2c82..6fa1c9a 100644 --- a/app/main.py +++ b/app/main.py @@ -51,6 +51,7 @@ LEASE_RENEWAL_PERIOD = float(env('LEASE_RENEWAL_PERIOD', 0.15)) LEASE_RENEWAL_DELTA = timedelta(days=int(env('LEASE_EXPIRE_DAYS', 90)), hours=int(env('LEASE_EXPIRE_HOURS', 0))) CLIENT_TOKEN_EXPIRE_DELTA = relativedelta(years=12) CORS_ORIGINS = str(env('CORS_ORIGINS', '')).split(',') if (env('CORS_ORIGINS')) else [f'https://{DLS_URL}'] +DT_FORMAT = '%Y-%m-%dT%H:%M:%S.%fZ' jwt_encode_key = jwk.construct(INSTANCE_KEY_RSA.pem(), algorithm=ALGORITHMS.RS256) jwt_decode_key = jwk.construct(INSTANCE_KEY_PUB.pem(), algorithm=ALGORITHMS.RS256) @@ -311,7 +312,7 @@ async def auth_v1_origin(request: Request): "node_url_list": None, "node_query_order": None, "prompts": None, - "sync_timestamp": cur_time.isoformat() + "sync_timestamp": cur_time.strftime(DT_FORMAT) } return JSONr(response) @@ -337,7 +338,7 @@ async def auth_v1_origin_update(request: Request): response = { "environment": j.get('environment'), "prompts": None, - "sync_timestamp": cur_time.isoformat() + "sync_timestamp": cur_time.strftime(DT_FORMAT) } return JSONr(response) @@ -368,7 +369,7 @@ async def auth_v1_code(request: Request): response = { "auth_code": auth_code, - "sync_timestamp": cur_time.isoformat(), + "sync_timestamp": cur_time.strftime(DT_FORMAT), "prompts": None } @@ -410,9 +411,9 @@ async def auth_v1_token(request: Request): auth_token = jwt.encode(new_payload, key=jwt_encode_key, headers={'kid': payload.get('kid')}, algorithm=ALGORITHMS.RS256) response = { - "expires": access_expires_on.isoformat(), + "expires": access_expires_on.strftime(DT_FORMAT), "auth_token": auth_token, - "sync_timestamp": cur_time.isoformat(), + "sync_timestamp": cur_time.strftime(DT_FORMAT), "prompts": None } @@ -692,8 +693,8 @@ async def leasing_v1_lessor(request: Request): # https://docs.nvidia.com/license-system/latest/nvidia-license-system-user-guide/index.html "lease": { "ref": lease_ref, - "created": cur_time.isoformat(), - "expires": expires.isoformat(), + "created": cur_time.strftime(DT_FORMAT), + "expires": expires.strftime(DT_FORMAT), "recommended_lease_renewal": LEASE_RENEWAL_PERIOD, "offline_lease": "true", "license_type": "CONCURRENT_COUNTED_SINGLE", @@ -710,8 +711,8 @@ async def leasing_v1_lessor(request: Request): response = { "client_challenge": None, "lease_result_list": lease_result_list, - "result_code": "SUCCESS", - "sync_timestamp": cur_time.isoformat(), + "result_code": None, + "sync_timestamp": cur_time.strftime(DT_FORMAT), "prompts": None } @@ -731,7 +732,7 @@ async def leasing_v1_lessor_lease(request: Request): response = { "active_lease_list": active_lease_list, - "sync_timestamp": cur_time.isoformat(), + "sync_timestamp": cur_time.strftime(DT_FORMAT), "prompts": None } @@ -754,11 +755,11 @@ async def leasing_v1_lease_renew(request: Request, lease_ref: str): expires = cur_time + LEASE_EXPIRE_DELTA response = { "lease_ref": lease_ref, - "expires": expires.isoformat(), + "expires": expires.strftime(DT_FORMAT), "recommended_lease_renewal": LEASE_RENEWAL_PERIOD, "offline_lease": True, "prompts": None, - "sync_timestamp": cur_time.isoformat(), + "sync_timestamp": cur_time.strftime(DT_FORMAT), } Lease.renew(db, entity, expires, cur_time) @@ -786,7 +787,7 @@ async def leasing_v1_lease_delete(request: Request, lease_ref: str): response = { "lease_ref": lease_ref, "prompts": None, - "sync_timestamp": cur_time.isoformat(), + "sync_timestamp": cur_time.strftime(DT_FORMAT), } return JSONr(response) @@ -806,7 +807,7 @@ async def leasing_v1_lessor_lease_remove(request: Request): response = { "released_lease_list": released_lease_list, "release_failure_list": None, - "sync_timestamp": cur_time.isoformat(), + "sync_timestamp": cur_time.strftime(DT_FORMAT), "prompts": None } @@ -828,7 +829,7 @@ async def leasing_v1_lessor_shutdown(request: Request): response = { "released_lease_list": released_lease_list, "release_failure_list": None, - "sync_timestamp": cur_time.isoformat(), + "sync_timestamp": cur_time.strftime(DT_FORMAT), "prompts": None } From 2ffee4aee172c5023b1d0d8488881c84bd1e1017 Mon Sep 17 00:00:00 2001 From: Oscar Krause Date: Fri, 11 Apr 2025 20:35:10 +0200 Subject: [PATCH 12/69] also debug response --- app/main.py | 2 ++ 1 file changed, 2 insertions(+) diff --git a/app/main.py b/app/main.py index 6fa1c9a..ffb4513 100644 --- a/app/main.py +++ b/app/main.py @@ -716,6 +716,8 @@ async def leasing_v1_lessor(request: Request): "prompts": None } + logger.debug(response) + return JSONr(response) From 601d733addb0c093d47d2e7c60b59f196e6a47af Mon Sep 17 00:00:00 2001 From: Oscar Krause Date: Fri, 11 Apr 2025 20:38:58 +0200 Subject: [PATCH 13/69] fixes --- app/main.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/app/main.py b/app/main.py index ffb4513..2f9fc95 100644 --- a/app/main.py +++ b/app/main.py @@ -688,8 +688,8 @@ async def leasing_v1_lessor(request: Request): lease_ref = str(uuid4()) expires = cur_time + LEASE_EXPIRE_DELTA lease_result_list.append({ - "ordinal": 0, - "error": 0, + "ordinal": None, + "error": None, # https://docs.nvidia.com/license-system/latest/nvidia-license-system-user-guide/index.html "lease": { "ref": lease_ref, From 743c702921c434f02c7ef0c136507cf7ad4355d9 Mon Sep 17 00:00:00 2001 From: Oscar Krause Date: Fri, 11 Apr 2025 21:01:36 +0200 Subject: [PATCH 14/69] added new "protocol_version" to client-token --- app/main.py | 1 + 1 file changed, 1 insertion(+) diff --git a/app/main.py b/app/main.py index 2f9fc95..7e08bf3 100644 --- a/app/main.py +++ b/app/main.py @@ -250,6 +250,7 @@ async def _client_token(): "iat": timegm(cur_time.timetuple()), "nbf": timegm(cur_time.timetuple()), "exp": timegm(exp_time.timetuple()), + "protocol_version": "2.0", "update_mode": "ABSOLUTE", "scope_ref_list": [ALLOTMENT_REF], "fulfillment_class_ref_list": [], From beebf9e81255f253793e1e01787fcfe1f28dffb8 Mon Sep 17 00:00:00 2001 From: Oscar Krause Date: Fri, 11 Apr 2025 21:22:44 +0200 Subject: [PATCH 15/69] code styling --- app/main.py | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/app/main.py b/app/main.py index 7e08bf3..297e940 100644 --- a/app/main.py +++ b/app/main.py @@ -18,8 +18,7 @@ from jose.constants import ALGORITHMS from sqlalchemy import create_engine from sqlalchemy.orm import sessionmaker from starlette.middleware.cors import CORSMiddleware -from starlette.responses import StreamingResponse, JSONResponse as JSONr, HTMLResponse as HTMLr, Response, \ - RedirectResponse +from starlette.responses import StreamingResponse, JSONResponse as JSONr, HTMLResponse as HTMLr, Response, RedirectResponse from orm import Origin, Lease, init as db_init, migrate from util import PrivateKey, PublicKey, load_file, Cert From 672ddb16c7c6fae29830cb2fb79d33066487e711 Mon Sep 17 00:00:00 2001 From: Oscar Krause Date: Fri, 11 Apr 2025 21:22:56 +0200 Subject: [PATCH 16/69] added debug headers --- app/main.py | 1 + 1 file changed, 1 insertion(+) diff --git a/app/main.py b/app/main.py index 297e940..c672b09 100644 --- a/app/main.py +++ b/app/main.py @@ -669,6 +669,7 @@ async def leasing_v1_lessor(request: Request): j, token, cur_time = json_loads((await request.body()).decode('utf-8')), __get_token(request), datetime.now(UTC) logger.debug(j) + logger.debug(request.headers) try: token = __get_token(request) From 60f7e40ca4c0c01b7fd3339e12578e6f4b0cfc1c Mon Sep 17 00:00:00 2001 From: Oscar Krause Date: Fri, 11 Apr 2025 21:23:15 +0200 Subject: [PATCH 17/69] added EMPTY (!!!) X-NLS-Signature response header --- app/main.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/app/main.py b/app/main.py index c672b09..5f606f9 100644 --- a/app/main.py +++ b/app/main.py @@ -719,7 +719,7 @@ async def leasing_v1_lessor(request: Request): logger.debug(response) - return JSONr(response) + return JSONr(response, headers={'X-NLS-Signature': '?'}) # venv/lib/python3.9/site-packages/nls_services_lease/test/test_lease_multi_controller.py From d8cddd4b296fe56a109f2e49d2cb67a751c3d4f7 Mon Sep 17 00:00:00 2001 From: Oscar Krause Date: Fri, 11 Apr 2025 22:22:22 +0200 Subject: [PATCH 18/69] set "offline_lease" to false --- app/main.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/app/main.py b/app/main.py index 5f606f9..60f56a2 100644 --- a/app/main.py +++ b/app/main.py @@ -697,7 +697,7 @@ async def leasing_v1_lessor(request: Request): "created": cur_time.strftime(DT_FORMAT), "expires": expires.strftime(DT_FORMAT), "recommended_lease_renewal": LEASE_RENEWAL_PERIOD, - "offline_lease": "true", + "offline_lease": "false", # todo "license_type": "CONCURRENT_COUNTED_SINGLE", "lease_intent_id": None, "metadata": None, From 685e1ce0bb5d0c7c3df6c7636333cad591c5ac3d Mon Sep 17 00:00:00 2001 From: Oscar Krause Date: Mon, 14 Apr 2025 07:34:07 +0200 Subject: [PATCH 19/69] implemented client_challenge on lease apis --- app/main.py | 6 ++++-- test/main.py | 10 +++++++++- 2 files changed, 13 insertions(+), 3 deletions(-) diff --git a/app/main.py b/app/main.py index 60f56a2..6c6935a 100644 --- a/app/main.py +++ b/app/main.py @@ -710,7 +710,7 @@ async def leasing_v1_lessor(request: Request): Lease.create_or_update(db, data) response = { - "client_challenge": None, + "client_challenge": j.get('client_challenge'), "lease_result_list": lease_result_list, "result_code": None, "sync_timestamp": cur_time.strftime(DT_FORMAT), @@ -746,7 +746,7 @@ async def leasing_v1_lessor_lease(request: Request): # venv/lib/python3.9/site-packages/nls_core_lease/lease_single.py @app.put('/leasing/v1/lease/{lease_ref}', description='renew a lease') async def leasing_v1_lease_renew(request: Request, lease_ref: str): - token, cur_time = __get_token(request), datetime.now(UTC) + j, token, cur_time = json_loads((await request.body()).decode('utf-8')), __get_token(request), datetime.now(UTC) origin_ref = token.get('origin_ref') logger.info(f'> [ renew ]: {origin_ref}: renew {lease_ref}') @@ -757,6 +757,7 @@ async def leasing_v1_lease_renew(request: Request, lease_ref: str): expires = cur_time + LEASE_EXPIRE_DELTA response = { + "client_challenge": j.get('client_challenge'), "lease_ref": lease_ref, "expires": expires.strftime(DT_FORMAT), "recommended_lease_renewal": LEASE_RENEWAL_PERIOD, @@ -788,6 +789,7 @@ async def leasing_v1_lease_delete(request: Request, lease_ref: str): return JSONr(status_code=404, content={'status': 404, 'detail': 'lease not found'}) response = { + "client_challenge": None, "lease_ref": lease_ref, "prompts": None, "sync_timestamp": cur_time.strftime(DT_FORMAT), diff --git a/test/main.py b/test/main.py index 014a86f..681d538 100644 --- a/test/main.py +++ b/test/main.py @@ -195,6 +195,7 @@ def test_auth_v1_token(): def test_leasing_v1_lessor(): payload = { + 'client_challenge': 'my_unique_string', 'fulfillment_context': { 'fulfillment_class_ref_list': [] }, @@ -209,6 +210,9 @@ def test_leasing_v1_lessor(): response = client.post('/leasing/v1/lessor', json=payload, headers={'authorization': __bearer_token(ORIGIN_REF)}) assert response.status_code == 200 + client_challenge = response.json().get('client_challenge') + assert client_challenge == payload.get('client_challenge') + lease_result_list = response.json().get('lease_result_list') assert len(lease_result_list) == 1 assert len(lease_result_list[0]['lease']['ref']) == 36 @@ -232,9 +236,13 @@ def test_leasing_v1_lease_renew(): ### - response = client.put(f'/leasing/v1/lease/{active_lease_ref}', headers={'authorization': __bearer_token(ORIGIN_REF)}) + payload = {'client_challenge': 'my_unique_string'} + response = client.put(f'/leasing/v1/lease/{active_lease_ref}', json=payload, headers={'authorization': __bearer_token(ORIGIN_REF)}) assert response.status_code == 200 + client_challenge = response.json().get('client_challenge') + assert client_challenge == payload.get('client_challenge') + lease_ref = response.json().get('lease_ref') assert len(lease_ref) == 36 assert lease_ref == active_lease_ref From d7c29f834c4d8fde61bcee403c8173886bb98bd4 Mon Sep 17 00:00:00 2001 From: Oscar Krause Date: Mon, 14 Apr 2025 10:09:27 +0200 Subject: [PATCH 20/69] test with "X-NLS-Signature" --- app/main.py | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/app/main.py b/app/main.py index 6c6935a..cb8b007 100644 --- a/app/main.py +++ b/app/main.py @@ -719,7 +719,12 @@ async def leasing_v1_lessor(request: Request): logger.debug(response) - return JSONr(response, headers={'X-NLS-Signature': '?'}) + si_certificate_filename = join(dirname(__file__), 'cert/my_demo_si_certificate.pem') + my_si_certificate = Cert.from_file(si_certificate_filename) + signature = my_si_certificate.signature().hex() + signature = f'b\'{signature}\'' + + return JSONr(response, headers={'X-NLS-Signature': signature}) # venv/lib/python3.9/site-packages/nls_services_lease/test/test_lease_multi_controller.py From e69e93bcb4bfd8800429a77c1be938f34521ba4f Mon Sep 17 00:00:00 2001 From: Oscar Krause Date: Mon, 14 Apr 2025 10:20:22 +0200 Subject: [PATCH 21/69] fixed missing code --- app/util.py | 3 +++ 1 file changed, 3 insertions(+) diff --git a/app/util.py b/app/util.py index 14f20f2..9287336 100644 --- a/app/util.py +++ b/app/util.py @@ -99,6 +99,9 @@ class Cert: def pem(self) -> bytes: return self.__cert.public_bytes(encoding=serialization.Encoding.PEM) + def signature(self) -> bytes: + return self.__cert.signature + def load_file(filename: str) -> bytes: log = logging.getLogger(f'{__name__}') From 3871dfe6a61c27d05a2080ae5d33a547aaf44218 Mon Sep 17 00:00:00 2001 From: Oscar Krause Date: Mon, 14 Apr 2025 10:48:43 +0200 Subject: [PATCH 22/69] test "x-nls-signature" --- app/main.py | 7 +++---- test/main.py | 2 ++ 2 files changed, 5 insertions(+), 4 deletions(-) diff --git a/app/main.py b/app/main.py index cb8b007..3c7d47e 100644 --- a/app/main.py +++ b/app/main.py @@ -7,6 +7,7 @@ from hashlib import sha256 from json import loads as json_loads from os import getenv as env from os.path import join, dirname, isfile +from random import randbytes from uuid import uuid4 from dateutil.relativedelta import relativedelta @@ -719,12 +720,10 @@ async def leasing_v1_lessor(request: Request): logger.debug(response) - si_certificate_filename = join(dirname(__file__), 'cert/my_demo_si_certificate.pem') - my_si_certificate = Cert.from_file(si_certificate_filename) - signature = my_si_certificate.signature().hex() + signature = randbytes(256).hex() signature = f'b\'{signature}\'' - return JSONr(response, headers={'X-NLS-Signature': signature}) + return JSONr(response, headers={'access-control-expose-headers': 'x-nls-signature', 'x-nls-signature': signature}) # venv/lib/python3.9/site-packages/nls_services_lease/test/test_lease_multi_controller.py diff --git a/test/main.py b/test/main.py index 681d538..269f0fd 100644 --- a/test/main.py +++ b/test/main.py @@ -212,6 +212,8 @@ def test_leasing_v1_lessor(): client_challenge = response.json().get('client_challenge') assert client_challenge == payload.get('client_challenge') + signature = eval(response.headers.get('x-nls-signature')) + assert len(signature) == 512 lease_result_list = response.json().get('lease_result_list') assert len(lease_result_list) == 1 From 54d38953bff52bb7ef118899f12b888280d9f1e5 Mon Sep 17 00:00:00 2001 From: Oscar Krause Date: Mon, 14 Apr 2025 11:05:17 +0200 Subject: [PATCH 23/69] x-nls-signature --- app/main.py | 9 ++++----- test/main.py | 2 ++ 2 files changed, 6 insertions(+), 5 deletions(-) diff --git a/app/main.py b/app/main.py index 3c7d47e..933b43c 100644 --- a/app/main.py +++ b/app/main.py @@ -720,10 +720,8 @@ async def leasing_v1_lessor(request: Request): logger.debug(response) - signature = randbytes(256).hex() - signature = f'b\'{signature}\'' - - return JSONr(response, headers={'access-control-expose-headers': 'x-nls-signature', 'x-nls-signature': signature}) + signature = f'b\'{randbytes(256).hex()}\'' + return JSONr(response, headers={'access-control-expose-headers': 'X-NLS-Signature', 'x-nls-signature': signature}) # venv/lib/python3.9/site-packages/nls_services_lease/test/test_lease_multi_controller.py @@ -772,7 +770,8 @@ async def leasing_v1_lease_renew(request: Request, lease_ref: str): Lease.renew(db, entity, expires, cur_time) - return JSONr(response) + signature = f'b\'{randbytes(256).hex()}\'' + return JSONr(response, headers={'access-control-expose-headers': 'X-NLS-Signature', 'x-nls-signature': signature}) # venv/lib/python3.9/site-packages/nls_services_lease/test/test_lease_single_controller.py diff --git a/test/main.py b/test/main.py index 269f0fd..cbba5aa 100644 --- a/test/main.py +++ b/test/main.py @@ -244,6 +244,8 @@ def test_leasing_v1_lease_renew(): client_challenge = response.json().get('client_challenge') assert client_challenge == payload.get('client_challenge') + signature = eval(response.headers.get('x-nls-signature')) + assert len(signature) == 512 lease_ref = response.json().get('lease_ref') assert len(lease_ref) == 36 From 94a7772c7b92be3d99487ca0ac2b4340a00a2332 Mon Sep 17 00:00:00 2001 From: Oscar Krause Date: Mon, 14 Apr 2025 12:13:18 +0200 Subject: [PATCH 24/69] updated attributes to match nvidia-nls response order --- app/main.py | 37 ++++++++++++++++++++----------------- 1 file changed, 20 insertions(+), 17 deletions(-) diff --git a/app/main.py b/app/main.py index 933b43c..220aeea 100644 --- a/app/main.py +++ b/app/main.py @@ -370,8 +370,8 @@ async def auth_v1_code(request: Request): response = { "auth_code": auth_code, + "prompts": None, "sync_timestamp": cur_time.strftime(DT_FORMAT), - "prompts": None } return JSONr(response) @@ -404,18 +404,18 @@ async def auth_v1_token(request: Request): 'iss': 'https://cls.nvidia.org', 'aud': 'https://cls.nvidia.org', 'exp': timegm(access_expires_on.timetuple()), - 'origin_ref': origin_ref, 'key_ref': SITE_KEY_XID, 'kid': SITE_KEY_XID, + 'origin_ref': origin_ref, } auth_token = jwt.encode(new_payload, key=jwt_encode_key, headers={'kid': payload.get('kid')}, algorithm=ALGORITHMS.RS256) response = { - "expires": access_expires_on.strftime(DT_FORMAT), "auth_token": auth_token, + "expires": access_expires_on.strftime(DT_FORMAT), + "prompts": None, "sync_timestamp": cur_time.strftime(DT_FORMAT), - "prompts": None } return JSONr(response) @@ -694,17 +694,18 @@ async def leasing_v1_lessor(request: Request): "error": None, # https://docs.nvidia.com/license-system/latest/nvidia-license-system-user-guide/index.html "lease": { - "ref": lease_ref, "created": cur_time.strftime(DT_FORMAT), "expires": expires.strftime(DT_FORMAT), - "recommended_lease_renewal": LEASE_RENEWAL_PERIOD, - "offline_lease": "false", # todo - "license_type": "CONCURRENT_COUNTED_SINGLE", - "lease_intent_id": None, - "metadata": None, "feature_name": "GRID-Virtual-WS", # todo + "lease_intent_id": None, + "license_type": "CONCURRENT_COUNTED_SINGLE", + "metadata": None, + "offline_lease": False, # todo "product_name": "NVIDIA RTX Virtual Workstation", # todo - } + "recommended_lease_renewal": LEASE_RENEWAL_PERIOD, + "ref": lease_ref, + }, + "ordinal": None, }) data = Lease(origin_ref=origin_ref, lease_ref=lease_ref, lease_created=cur_time, lease_expires=expires) @@ -713,9 +714,9 @@ async def leasing_v1_lessor(request: Request): response = { "client_challenge": j.get('client_challenge'), "lease_result_list": lease_result_list, + "prompts": None, "result_code": None, "sync_timestamp": cur_time.strftime(DT_FORMAT), - "prompts": None } logger.debug(response) @@ -737,8 +738,8 @@ async def leasing_v1_lessor_lease(request: Request): response = { "active_lease_list": active_lease_list, + "prompts": None, "sync_timestamp": cur_time.strftime(DT_FORMAT), - "prompts": None } return JSONr(response) @@ -760,11 +761,13 @@ async def leasing_v1_lease_renew(request: Request, lease_ref: str): expires = cur_time + LEASE_EXPIRE_DELTA response = { "client_challenge": j.get('client_challenge'), - "lease_ref": lease_ref, "expires": expires.strftime(DT_FORMAT), - "recommended_lease_renewal": LEASE_RENEWAL_PERIOD, + "feature_expired": False, + "lease_ref": lease_ref, + "metadata": None, "offline_lease": True, "prompts": None, + "recommended_lease_renewal": LEASE_RENEWAL_PERIOD, "sync_timestamp": cur_time.strftime(DT_FORMAT), } @@ -815,8 +818,8 @@ async def leasing_v1_lessor_lease_remove(request: Request): response = { "released_lease_list": released_lease_list, "release_failure_list": None, + "prompts": None, "sync_timestamp": cur_time.strftime(DT_FORMAT), - "prompts": None } return JSONr(response) @@ -837,8 +840,8 @@ async def leasing_v1_lessor_shutdown(request: Request): response = { "released_lease_list": released_lease_list, "release_failure_list": None, + "prompts": None, "sync_timestamp": cur_time.strftime(DT_FORMAT), - "prompts": None } return JSONr(response) From fbb73c73ab6c969c29c77e716e0bda9c6c90b531 Mon Sep 17 00:00:00 2001 From: Oscar Krause Date: Mon, 14 Apr 2025 13:03:47 +0200 Subject: [PATCH 25/69] changed "feature_name" --- app/main.py | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/app/main.py b/app/main.py index 220aeea..0dbee24 100644 --- a/app/main.py +++ b/app/main.py @@ -690,13 +690,12 @@ async def leasing_v1_lessor(request: Request): lease_ref = str(uuid4()) expires = cur_time + LEASE_EXPIRE_DELTA lease_result_list.append({ - "ordinal": None, "error": None, # https://docs.nvidia.com/license-system/latest/nvidia-license-system-user-guide/index.html "lease": { "created": cur_time.strftime(DT_FORMAT), "expires": expires.strftime(DT_FORMAT), - "feature_name": "GRID-Virtual-WS", # todo + "feature_name": "Quadro-Virtual-DWS", # todo "lease_intent_id": None, "license_type": "CONCURRENT_COUNTED_SINGLE", "metadata": None, From 70cac5bbf3a4d6f18ccfdd25ba079d2211550c23 Mon Sep 17 00:00:00 2001 From: Oscar Krause Date: Mon, 14 Apr 2025 13:26:58 +0200 Subject: [PATCH 26/69] test "X-NLS-Signature" upper/lowercase --- app/main.py | 6 +++--- test/main.py | 4 ++-- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/app/main.py b/app/main.py index 0dbee24..36a2641 100644 --- a/app/main.py +++ b/app/main.py @@ -695,7 +695,7 @@ async def leasing_v1_lessor(request: Request): "lease": { "created": cur_time.strftime(DT_FORMAT), "expires": expires.strftime(DT_FORMAT), - "feature_name": "Quadro-Virtual-DWS", # todo + "feature_name": "GRID-Virtual-WS", # todo "lease_intent_id": None, "license_type": "CONCURRENT_COUNTED_SINGLE", "metadata": None, @@ -721,7 +721,7 @@ async def leasing_v1_lessor(request: Request): logger.debug(response) signature = f'b\'{randbytes(256).hex()}\'' - return JSONr(response, headers={'access-control-expose-headers': 'X-NLS-Signature', 'x-nls-signature': signature}) + return JSONr(response, headers={'access-control-expose-headers': 'X-NLS-Signature', 'X-NLS-Signature': signature}) # venv/lib/python3.9/site-packages/nls_services_lease/test/test_lease_multi_controller.py @@ -773,7 +773,7 @@ async def leasing_v1_lease_renew(request: Request, lease_ref: str): Lease.renew(db, entity, expires, cur_time) signature = f'b\'{randbytes(256).hex()}\'' - return JSONr(response, headers={'access-control-expose-headers': 'X-NLS-Signature', 'x-nls-signature': signature}) + return JSONr(response, headers={'access-control-expose-headers': 'X-NLS-Signature', 'X-NLS-Signature': signature}) # venv/lib/python3.9/site-packages/nls_services_lease/test/test_lease_single_controller.py diff --git a/test/main.py b/test/main.py index cbba5aa..d3ef989 100644 --- a/test/main.py +++ b/test/main.py @@ -212,7 +212,7 @@ def test_leasing_v1_lessor(): client_challenge = response.json().get('client_challenge') assert client_challenge == payload.get('client_challenge') - signature = eval(response.headers.get('x-nls-signature')) + signature = eval(response.headers.get('X-NLS-Signature')) assert len(signature) == 512 lease_result_list = response.json().get('lease_result_list') @@ -244,7 +244,7 @@ def test_leasing_v1_lease_renew(): client_challenge = response.json().get('client_challenge') assert client_challenge == payload.get('client_challenge') - signature = eval(response.headers.get('x-nls-signature')) + signature = eval(response.headers.get('X-NLS-Signature')) assert len(signature) == 512 lease_ref = response.json().get('lease_ref') From f9fccd55027823377d984b70f129854e9e8524da Mon Sep 17 00:00:00 2001 From: Oscar Krause Date: Mon, 14 Apr 2025 20:05:10 +0200 Subject: [PATCH 27/69] implemented product_mapping support --- app/main.py | 20 +- app/static/product_mapping.json | 643 ++++++++++++++++++++++++++++++++ app/util.py | 31 ++ test/main.py | 7 +- 4 files changed, 693 insertions(+), 8 deletions(-) create mode 100644 app/static/product_mapping.json diff --git a/app/main.py b/app/main.py index 36a2641..a30d205 100644 --- a/app/main.py +++ b/app/main.py @@ -22,7 +22,7 @@ from starlette.middleware.cors import CORSMiddleware from starlette.responses import StreamingResponse, JSONResponse as JSONr, HTMLResponse as HTMLr, Response, RedirectResponse from orm import Origin, Lease, init as db_init, migrate -from util import PrivateKey, PublicKey, load_file, Cert +from util import PrivateKey, PublicKey, load_file, Cert, ProductMapping # Load variables load_dotenv('../version.env') @@ -52,6 +52,8 @@ LEASE_RENEWAL_DELTA = timedelta(days=int(env('LEASE_EXPIRE_DAYS', 90)), hours=in CLIENT_TOKEN_EXPIRE_DELTA = relativedelta(years=12) CORS_ORIGINS = str(env('CORS_ORIGINS', '')).split(',') if (env('CORS_ORIGINS')) else [f'https://{DLS_URL}'] DT_FORMAT = '%Y-%m-%dT%H:%M:%S.%fZ' +PRODUCT_MAPPING = ProductMapping(filename=join(dirname(__file__), 'static/product_mapping.json')) + jwt_encode_key = jwk.construct(INSTANCE_KEY_RSA.pem(), algorithm=ALGORITHMS.RS256) jwt_decode_key = jwk.construct(INSTANCE_KEY_PUB.pem(), algorithm=ALGORITHMS.RS256) @@ -679,28 +681,34 @@ async def leasing_v1_lessor(request: Request): origin_ref = token.get('origin_ref') scope_ref_list = j.get('scope_ref_list') + lease_proposal_list = j.get('lease_proposal_list') logger.info(f'> [ create ]: {origin_ref}: create leases for scope_ref_list {scope_ref_list}') - lease_result_list = [] - # todo: for lease_proposal in lease_proposal_list for scope_ref in scope_ref_list: # if scope_ref not in [ALLOTMENT_REF]: # return JSONr(status_code=500, detail=f'no service instances found for scopes: ["{scope_ref}"]') + pass + lease_result_list = [] + for lease_proposal in lease_proposal_list: lease_ref = str(uuid4()) expires = cur_time + LEASE_EXPIRE_DELTA + + product_name = lease_proposal.get('product').get('name') + feature_name = PRODUCT_MAPPING.get_feature_name(product_name=product_name) + lease_result_list.append({ "error": None, # https://docs.nvidia.com/license-system/latest/nvidia-license-system-user-guide/index.html "lease": { "created": cur_time.strftime(DT_FORMAT), - "expires": expires.strftime(DT_FORMAT), - "feature_name": "GRID-Virtual-WS", # todo + "expires": expires.strftime(DT_FORMAT), # todo: lease_proposal.get('duration') => "P0Y0M0DT12H0M0S + "feature_name": feature_name, "lease_intent_id": None, "license_type": "CONCURRENT_COUNTED_SINGLE", "metadata": None, "offline_lease": False, # todo - "product_name": "NVIDIA RTX Virtual Workstation", # todo + "product_name": product_name, "recommended_lease_renewal": LEASE_RENEWAL_PERIOD, "ref": lease_ref, }, diff --git a/app/static/product_mapping.json b/app/static/product_mapping.json new file mode 100644 index 0000000..1235e31 --- /dev/null +++ b/app/static/product_mapping.json @@ -0,0 +1,643 @@ +{ + "product": [ + { + "xid": "c0ce7114-d8a5-40d4-b8b0-df204f4ff631", + "product_family_xid": "bda4d909-2cdb-11ec-9838-061a22468b59", + "identifier": "NVIDIA-vComputeServer-9.0", + "name": "NVIDIA-vComputeServer-9.0", + "description": null + }, + { + "xid": "2a99638e-493f-424b-bc3a-629935307490", + "product_family_xid": "bda4d909-2cdb-11ec-9838-061a22468b59", + "identifier": "vGaming_Flexera_License-0.1", + "name": "vGaming_Flexera_License-0.1", + "description": null + }, + { + "xid": "a013d60c-3cd6-4e61-ae51-018b5e342178", + "product_family_xid": "bda4d909-2cdb-11ec-9838-061a22468b59", + "identifier": "GRID-Virtual-Apps-3.0", + "name": "GRID-Virtual-Apps-3.0", + "description": null + }, + { + "xid": "bb99c6a3-81ce-4439-aef5-9648e75dd878", + "product_family_xid": "bda4d909-2cdb-11ec-9838-061a22468b59", + "identifier": "GRID-vGaming-NLS-Metered-8.0", + "name": "GRID-vGaming-NLS-Metered-8.0", + "description": null + }, + { + "xid": "c653e131-695c-4477-b77c-42ade3dcb02c", + "product_family_xid": "bda4d909-2cdb-11ec-9838-061a22468b59", + "identifier": "GRID-Virtual-WS-Ext-2.0", + "name": "GRID-Virtual-WS-Ext-2.0", + "description": null + }, + { + "xid": "6fc224ef-e0b5-467b-9bbb-d31c9eb7c6fc", + "product_family_xid": "bda4d909-2cdb-11ec-9838-061a22468b59", + "identifier": "GRID-vGaming-8.0", + "name": "GRID-vGaming-8.0", + "description": null + }, + { + "xid": "3c88888d-ebf3-4df7-9e86-c97d5b29b997", + "product_family_xid": "bda4d909-2cdb-11ec-9838-061a22468b59", + "identifier": "GRID-Virtual-PC-2.0", + "name": "GRID-Virtual-PC-2.0", + "description": null + }, + { + "xid": "66744b41-1fff-49be-a5a6-4cbd71b1117e", + "product_family_xid": "bda4d909-2cdb-11ec-9838-061a22468b59", + "identifier": "NVAIE_Licensing-1.0", + "name": "NVAIE_Licensing-1.0", + "description": null + }, + { + "xid": "1d4e9ebc-a78c-41f4-a11a-de38a467b2ba", + "product_family_xid": "bda4d909-2cdb-11ec-9838-061a22468b59", + "identifier": "NVIDIA-vComputeServer NLS Metered-9.0", + "name": "NVIDIA-vComputeServer NLS Metered-9.0", + "description": null + }, + { + "xid": "2152f8aa-d17b-46f5-8f5f-6f8c0760ce9c", + "product_family_xid": "bda4d909-2cdb-11ec-9838-061a22468b59", + "identifier": "vGaming_FB_License-0.1", + "name": "vGaming_FB_License-0.1", + "description": null + }, + { + "xid": "54cbe0e8-7b35-4068-b058-e11f5b367c66", + "product_family_xid": "bda4d909-2cdb-11ec-9838-061a22468b59", + "identifier": "Quadro-Virtual-DWS-5.0", + "name": "Quadro-Virtual-DWS-5.0", + "description": null + }, + { + "xid": "07a1d2b5-c147-48bc-bf44-9390339ca388", + "product_family_xid": "bda4d909-2cdb-11ec-9838-061a22468b59", + "identifier": "GRID-Virtual-WS-2.0", + "name": "GRID-Virtual-WS-2.0", + "description": null + }, + { + "xid": "82d7a5f0-0c26-11ef-b3b6-371045c70906", + "product_family_xid": "bda4d909-2cdb-11ec-9838-061a22468b59", + "identifier": "vGaming_Flexera_License-0.1", + "name": "vGaming_Flexera_License-0.1", + "description": null + }, + { + "xid": "bdfbde00-2cdb-11ec-9838-061a22468b59", + "product_family_xid": "bda4d909-2cdb-11ec-9838-061a22468b59", + "identifier": "NVIDIA Virtual Applications", + "name": "NVIDIA Virtual Applications", + "description": null + }, + { + "xid": "bdfbe16d-2cdb-11ec-9838-061a22468b59", + "product_family_xid": "bda4d909-2cdb-11ec-9838-061a22468b59", + "identifier": "NVIDIA Virtual PC", + "name": "NVIDIA Virtual PC", + "description": null + }, + { + "xid": "bdfbe308-2cdb-11ec-9838-061a22468b59", + "product_family_xid": "bda4d909-2cdb-11ec-9838-061a22468b59", + "identifier": "NVIDIA RTX Virtual Workstation", + "name": "NVIDIA RTX Virtual Workstation", + "description": null + }, + { + "xid": "bdfbe405-2cdb-11ec-9838-061a22468b59", + "product_family_xid": "bda4d909-2cdb-11ec-9838-061a22468b59", + "identifier": "NVIDIA vGaming", + "name": "NVIDIA vGaming", + "description": null + }, + { + "xid": "bdfbe509-2cdb-11ec-9838-061a22468b59", + "product_family_xid": "bda4d909-2cdb-11ec-9838-061a22468b59", + "identifier": "GRID Virtual Applications", + "name": "GRID Virtual Applications", + "description": null + }, + { + "xid": "bdfbe5c6-2cdb-11ec-9838-061a22468b59", + "product_family_xid": "bda4d909-2cdb-11ec-9838-061a22468b59", + "identifier": "GRID Virtual PC", + "name": "GRID Virtual PC", + "description": null + }, + { + "xid": "bdfbe6e8-2cdb-11ec-9838-061a22468b59", + "product_family_xid": "bda4d909-2cdb-11ec-9838-061a22468b59", + "identifier": "Quadro Virtual Data Center Workstation", + "name": "Quadro Virtual Data Center Workstation", + "description": null + }, + { + "xid": "bdfbe7c8-2cdb-11ec-9838-061a22468b59", + "product_family_xid": "bda4d909-2cdb-11ec-9838-061a22468b59", + "identifier": "GRID vGaming", + "name": "GRID vGaming", + "description": null + }, + { + "xid": "bdfbe884-2cdb-11ec-9838-061a22468b59", + "product_family_xid": "bda4d909-2cdb-11ec-9838-061a22468b59", + "identifier": "NVIDIA Virtual Compute Server", + "name": "NVIDIA Virtual Compute Server", + "description": null + }, + { + "xid": "f09b5c33-5c07-11ed-9fa6-061a22468b59", + "product_family_xid": "bda4d909-2cdb-11ec-9838-061a22468b59", + "identifier": "NVIDIA OVE Licensing", + "name": "NVIDIA Omniverse Nucleus", + "description": null + } + ], + "product_fulfillment": [ + { + "xid": "cf0a5330-b583-4d9f-84bb-cfc8ce0917bb", + "product_xid": "07a1d2b5-c147-48bc-bf44-9390339ca388", + "qualifier_specification": null, + "evaluation_order_index": 0 + }, + { + "xid": "90d0f05f-9431-4a15-86e7-740a4f08d457", + "product_xid": "1d4e9ebc-a78c-41f4-a11a-de38a467b2ba", + "qualifier_specification": null, + "evaluation_order_index": 0 + }, + { + "xid": "327385dd-4ba8-4b3c-bc56-30bcf58ae9a3", + "product_xid": "2152f8aa-d17b-46f5-8f5f-6f8c0760ce9c", + "qualifier_specification": null, + "evaluation_order_index": 0 + }, + { + "xid": "6733f2cc-0736-47ee-bcc8-20c4c624ce37", + "product_xid": "2a99638e-493f-424b-bc3a-629935307490", + "qualifier_specification": null, + "evaluation_order_index": 0 + }, + { + "xid": "f35396a9-24f8-44b6-aa6a-493b335f4d56", + "product_xid": "3c88888d-ebf3-4df7-9e86-c97d5b29b997", + "qualifier_specification": null, + "evaluation_order_index": 0 + }, + { + "xid": "6c7981d3-7192-4bfd-b7ec-ea2ad0b466dc", + "product_xid": "54cbe0e8-7b35-4068-b058-e11f5b367c66", + "qualifier_specification": null, + "evaluation_order_index": 0 + }, + { + "xid": "9bd09610-6190-4684-9be6-3d9503833e80", + "product_xid": "66744b41-1fff-49be-a5a6-4cbd71b1117e", + "qualifier_specification": null, + "evaluation_order_index": 0 + }, + { + "xid": "a4282e5b-ea08-4e0a-b724-7f4059ba99de", + "product_xid": "6fc224ef-e0b5-467b-9bbb-d31c9eb7c6fc", + "qualifier_specification": null, + "evaluation_order_index": 0 + }, + { + "xid": "5cf793fc-1fb3-45c0-a711-d3112c775cbe", + "product_xid": "a013d60c-3cd6-4e61-ae51-018b5e342178", + "qualifier_specification": null, + "evaluation_order_index": 0 + }, + { + "xid": "eb2d39a4-6370-4464-8a6a-ec3f42c69cb5", + "product_xid": "bb99c6a3-81ce-4439-aef5-9648e75dd878", + "qualifier_specification": null, + "evaluation_order_index": 0 + }, + { + "xid": "e9df1c70-7fac-4c84-b54c-66e922b9791a", + "product_xid": "c0ce7114-d8a5-40d4-b8b0-df204f4ff631", + "qualifier_specification": null, + "evaluation_order_index": 0 + }, + { + "xid": "6a4d5bcd-7b81-4e22-a289-ce3673e5cabf", + "product_xid": "c653e131-695c-4477-b77c-42ade3dcb02c", + "qualifier_specification": null, + "evaluation_order_index": 0 + }, + { + "xid": "9e162d3c-0c26-11ef-b3b6-371045c70906", + "product_xid": "82d7a5f0-0c26-11ef-b3b6-371045c70906", + "qualifier_specification": null, + "evaluation_order_index": 0 + }, + { + "xid": "be2769b9-2cdb-11ec-9838-061a22468b59", + "product_xid": "bdfbde00-2cdb-11ec-9838-061a22468b59", + "qualifier_specification": null, + "evaluation_order_index": 0 + }, + { + "xid": "be276d7b-2cdb-11ec-9838-061a22468b59", + "product_xid": "bdfbe16d-2cdb-11ec-9838-061a22468b59", + "qualifier_specification": null, + "evaluation_order_index": 0 + }, + { + "xid": "be276efe-2cdb-11ec-9838-061a22468b59", + "product_xid": "bdfbe308-2cdb-11ec-9838-061a22468b59", + "qualifier_specification": null, + "evaluation_order_index": 0 + }, + { + "xid": "be276ff0-2cdb-11ec-9838-061a22468b59", + "product_xid": "bdfbe405-2cdb-11ec-9838-061a22468b59", + "qualifier_specification": null, + "evaluation_order_index": 0 + }, + { + "xid": "be2770af-2cdb-11ec-9838-061a22468b59", + "product_xid": "bdfbe509-2cdb-11ec-9838-061a22468b59", + "qualifier_specification": null, + "evaluation_order_index": 0 + }, + { + "xid": "be277164-2cdb-11ec-9838-061a22468b59", + "product_xid": "bdfbe5c6-2cdb-11ec-9838-061a22468b59", + "qualifier_specification": null, + "evaluation_order_index": 0 + }, + { + "xid": "be277214-2cdb-11ec-9838-061a22468b59", + "product_xid": "bdfbe6e8-2cdb-11ec-9838-061a22468b59", + "qualifier_specification": null, + "evaluation_order_index": 0 + }, + { + "xid": "be2772c8-2cdb-11ec-9838-061a22468b59", + "product_xid": "bdfbe7c8-2cdb-11ec-9838-061a22468b59", + "qualifier_specification": null, + "evaluation_order_index": 0 + }, + { + "xid": "be277379-2cdb-11ec-9838-061a22468b59", + "product_xid": "bdfbe884-2cdb-11ec-9838-061a22468b59", + "qualifier_specification": null, + "evaluation_order_index": 0 + }, + { + "xid": "c4284597-5c09-11ed-9fa6-061a22468b59", + "product_xid": "f09b5c33-5c07-11ed-9fa6-061a22468b59", + "qualifier_specification": null, + "evaluation_order_index": 0 + } + ], + "product_fulfillment_feature": [ + { + "xid": "9ca32d2b-736e-4e4f-8f5a-895a755b4c41", + "product_fulfillment_xid": "5cf793fc-1fb3-45c0-a711-d3112c775cbe", + "feature_identifier": "GRID-Virtual-Apps", + "feature_version": "3.0", + "license_type_identifier": "CONCURRENT_COUNTED_SINGLE", + "evaluation_order_index": 0 + }, + { + "xid": "d8b25329-f47f-43dc-a278-f2d38f9e939b", + "product_fulfillment_xid": "f35396a9-24f8-44b6-aa6a-493b335f4d56", + "feature_identifier": "GRID-Virtual-PC", + "feature_version": "2.0", + "license_type_identifier": "CONCURRENT_COUNTED_SINGLE", + "evaluation_order_index": 0 + }, + { + "xid": "e7102df8-d88a-4bd0-aa79-9a53d8b77888", + "product_fulfillment_xid": "cf0a5330-b583-4d9f-84bb-cfc8ce0917bb", + "feature_identifier": "GRID-Virtual-WS", + "feature_version": "2.0", + "license_type_identifier": "CONCURRENT_COUNTED_SINGLE", + "evaluation_order_index": 0 + }, + { + "xid": "30761db3-0afe-454d-b284-efba6d9b13a3", + "product_fulfillment_xid": "6a4d5bcd-7b81-4e22-a289-ce3673e5cabf", + "feature_identifier": "GRID-Virtual-WS-Ext", + "feature_version": "2.0", + "license_type_identifier": "CONCURRENT_COUNTED_SINGLE", + "evaluation_order_index": 0 + }, + { + "xid": "10fd7701-83ae-4caf-a27f-75880fab23f6", + "product_fulfillment_xid": "a4282e5b-ea08-4e0a-b724-7f4059ba99de", + "feature_identifier": "GRID-vGaming", + "feature_version": "8.0", + "license_type_identifier": "CONCURRENT_COUNTED_SINGLE", + "evaluation_order_index": 0 + }, + { + "xid": "cbd61276-fb1e-42e1-b844-43e94465da8f", + "product_fulfillment_xid": "9bd09610-6190-4684-9be6-3d9503833e80", + "feature_identifier": "NVAIE_Licensing", + "feature_version": "1.0", + "license_type_identifier": "CONCURRENT_COUNTED_SINGLE", + "evaluation_order_index": 0 + }, + { + "xid": "6b1c74b5-1511-46ee-9f12-8bc6d5636fef", + "product_fulfillment_xid": "90d0f05f-9431-4a15-86e7-740a4f08d457", + "feature_identifier": "NVIDIA-vComputeServer NLS Metered", + "feature_version": "9.0", + "license_type_identifier": "CONCURRENT_COUNTED_SINGLE", + "evaluation_order_index": 0 + }, + { + "xid": "db53af09-7295-48b7-b927-24b23690c959", + "product_fulfillment_xid": "e9df1c70-7fac-4c84-b54c-66e922b9791a", + "feature_identifier": "NVIDIA-vComputeServer", + "feature_version": "9.0", + "license_type_identifier": "CONCURRENT_COUNTED_SINGLE", + "evaluation_order_index": 0 + }, + { + "xid": "1f62be61-a887-4e54-a34e-61cfa7b2db30", + "product_fulfillment_xid": "6c7981d3-7192-4bfd-b7ec-ea2ad0b466dc", + "feature_identifier": "Quadro-Virtual-DWS", + "feature_version": "5.0", + "license_type_identifier": "CONCURRENT_COUNTED_SINGLE", + "evaluation_order_index": 0 + }, + { + "xid": "8a4b5e98-f1ca-4c18-b0d4-8f4f9f0462e2", + "product_fulfillment_xid": "327385dd-4ba8-4b3c-bc56-30bcf58ae9a3", + "feature_identifier": "vGaming_FB_License", + "feature_version": "0.1", + "license_type_identifier": "CONCURRENT_COUNTED_SINGLE", + "evaluation_order_index": 0 + }, + { + "xid": "be531e98-2cdb-11ec-9838-061a22468b59", + "product_fulfillment_xid": "be2769b9-2cdb-11ec-9838-061a22468b59", + "feature_identifier": "GRID-Virtual-Apps", + "feature_version": "3.0", + "license_type_identifier": "CONCURRENT_COUNTED_SINGLE", + "evaluation_order_index": 0 + }, + { + "xid": "be53219e-2cdb-11ec-9838-061a22468b59", + "product_fulfillment_xid": "be276d7b-2cdb-11ec-9838-061a22468b59", + "feature_identifier": "GRID-Virtual-PC", + "feature_version": "2.0", + "license_type_identifier": "CONCURRENT_COUNTED_SINGLE", + "evaluation_order_index": 0 + }, + { + "xid": "be5322f0-2cdb-11ec-9838-061a22468b59", + "product_fulfillment_xid": "be276d7b-2cdb-11ec-9838-061a22468b59", + "feature_identifier": "Quadro-Virtual-DWS", + "feature_version": "5.0", + "license_type_identifier": "CONCURRENT_COUNTED_SINGLE", + "evaluation_order_index": 1 + }, + { + "xid": "be5323d8-2cdb-11ec-9838-061a22468b59", + "product_fulfillment_xid": "be276d7b-2cdb-11ec-9838-061a22468b59", + "feature_identifier": "GRID-Virtual-WS", + "feature_version": "2.0", + "license_type_identifier": "CONCURRENT_COUNTED_SINGLE", + "evaluation_order_index": 2 + }, + { + "xid": "be5324a6-2cdb-11ec-9838-061a22468b59", + "product_fulfillment_xid": "be276d7b-2cdb-11ec-9838-061a22468b59", + "feature_identifier": "GRID-Virtual-WS-Ext", + "feature_version": "2.0", + "license_type_identifier": "CONCURRENT_COUNTED_SINGLE", + "evaluation_order_index": 3 + }, + { + "xid": "be532568-2cdb-11ec-9838-061a22468b59", + "product_fulfillment_xid": "be276efe-2cdb-11ec-9838-061a22468b59", + "feature_identifier": "Quadro-Virtual-DWS", + "feature_version": "5.0", + "license_type_identifier": "CONCURRENT_COUNTED_SINGLE", + "evaluation_order_index": 0 + }, + { + "xid": "be532630-2cdb-11ec-9838-061a22468b59", + "product_fulfillment_xid": "be276efe-2cdb-11ec-9838-061a22468b59", + "feature_identifier": "GRID-Virtual-WS", + "feature_version": "2.0", + "license_type_identifier": "CONCURRENT_COUNTED_SINGLE", + "evaluation_order_index": 1 + }, + { + "xid": "be5326e7-2cdb-11ec-9838-061a22468b59", + "product_fulfillment_xid": "be276efe-2cdb-11ec-9838-061a22468b59", + "feature_identifier": "GRID-Virtual-WS-Ext", + "feature_version": "2.0", + "license_type_identifier": "CONCURRENT_COUNTED_SINGLE", + "evaluation_order_index": 2 + }, + { + "xid": "be5327a7-2cdb-11ec-9838-061a22468b59", + "product_fulfillment_xid": "be276ff0-2cdb-11ec-9838-061a22468b59", + "feature_identifier": "GRID-vGaming", + "feature_version": "8.0", + "license_type_identifier": "CONCURRENT_COUNTED_SINGLE", + "evaluation_order_index": 0 + }, + { + "xid": "be532923-2cdb-11ec-9838-061a22468b59", + "product_fulfillment_xid": "be2770af-2cdb-11ec-9838-061a22468b59", + "feature_identifier": "GRID-Virtual-Apps", + "feature_version": "3.0", + "license_type_identifier": "CONCURRENT_COUNTED_SINGLE", + "evaluation_order_index": 0 + }, + { + "xid": "be5329e0-2cdb-11ec-9838-061a22468b59", + "product_fulfillment_xid": "be277164-2cdb-11ec-9838-061a22468b59", + "feature_identifier": "GRID-Virtual-PC", + "feature_version": "2.0", + "license_type_identifier": "CONCURRENT_COUNTED_SINGLE", + "evaluation_order_index": 0 + }, + { + "xid": "be532aa0-2cdb-11ec-9838-061a22468b59", + "product_fulfillment_xid": "be277164-2cdb-11ec-9838-061a22468b59", + "feature_identifier": "Quadro-Virtual-DWS", + "feature_version": "5.0", + "license_type_identifier": "CONCURRENT_COUNTED_SINGLE", + "evaluation_order_index": 1 + }, + { + "xid": "be532b5c-2cdb-11ec-9838-061a22468b59", + "product_fulfillment_xid": "be277164-2cdb-11ec-9838-061a22468b59", + "feature_identifier": "GRID-Virtual-WS", + "feature_version": "2.0", + "license_type_identifier": "CONCURRENT_COUNTED_SINGLE", + "evaluation_order_index": 2 + }, + { + "xid": "be532c19-2cdb-11ec-9838-061a22468b59", + "product_fulfillment_xid": "be277164-2cdb-11ec-9838-061a22468b59", + "feature_identifier": "GRID-Virtual-WS-Ext", + "feature_version": "2.0", + "license_type_identifier": "CONCURRENT_COUNTED_SINGLE", + "evaluation_order_index": 3 + }, + { + "xid": "be532ccb-2cdb-11ec-9838-061a22468b59", + "product_fulfillment_xid": "be277214-2cdb-11ec-9838-061a22468b59", + "feature_identifier": "Quadro-Virtual-DWS", + "feature_version": "5.0", + "license_type_identifier": "CONCURRENT_COUNTED_SINGLE", + "evaluation_order_index": 0 + }, + { + "xid": "be532d92-2cdb-11ec-9838-061a22468b59", + "product_fulfillment_xid": "be277214-2cdb-11ec-9838-061a22468b59", + "feature_identifier": "GRID-Virtual-WS", + "feature_version": "2.0", + "license_type_identifier": "CONCURRENT_COUNTED_SINGLE", + "evaluation_order_index": 1 + }, + { + "xid": "be532e45-2cdb-11ec-9838-061a22468b59", + "product_fulfillment_xid": "be277214-2cdb-11ec-9838-061a22468b59", + "feature_identifier": "GRID-Virtual-WS-Ext", + "feature_version": "2.0", + "license_type_identifier": "CONCURRENT_COUNTED_SINGLE", + "evaluation_order_index": 2 + }, + { + "xid": "be532efa-2cdb-11ec-9838-061a22468b59", + "product_fulfillment_xid": "be2772c8-2cdb-11ec-9838-061a22468b59", + "feature_identifier": "GRID-vGaming", + "feature_version": "8.0", + "license_type_identifier": "CONCURRENT_COUNTED_SINGLE", + "evaluation_order_index": 0 + }, + { + "xid": "be53306d-2cdb-11ec-9838-061a22468b59", + "product_fulfillment_xid": "be277379-2cdb-11ec-9838-061a22468b59", + "feature_identifier": "NVIDIA-vComputeServer", + "feature_version": "9.0", + "license_type_identifier": "CONCURRENT_COUNTED_SINGLE", + "evaluation_order_index": 0 + }, + { + "xid": "be533228-2cdb-11ec-9838-061a22468b59", + "product_fulfillment_xid": "be277379-2cdb-11ec-9838-061a22468b59", + "feature_identifier": "NVIDIA-vComputeServer NLS Metered", + "feature_version": "9.0", + "license_type_identifier": "CONCURRENT_UNCOUNTED_SINGLE", + "evaluation_order_index": 2 + }, + { + "xid": "be5332f6-2cdb-11ec-9838-061a22468b59", + "product_fulfillment_xid": "be277379-2cdb-11ec-9838-061a22468b59", + "feature_identifier": "NVAIE_Licensing", + "feature_version": "1.0", + "license_type_identifier": "CONCURRENT_COUNTED_SINGLE", + "evaluation_order_index": 3 + }, + { + "xid": "15ff4f16-57a8-4593-93ec-58352a256f12", + "product_fulfillment_xid": "eb2d39a4-6370-4464-8a6a-ec3f42c69cb5", + "feature_identifier": "GRID-vGaming-NLS-Metered", + "feature_version": "8.0", + "license_type_identifier": "CONCURRENT_COUNTED_SINGLE", + "evaluation_order_index": 3 + }, + { + "xid": "0c1552ca-3ef8-11ed-9fa6-061a22468b59", + "product_fulfillment_xid": "be276ff0-2cdb-11ec-9838-061a22468b59", + "feature_identifier": "vGaming_Flexera_License", + "feature_version": "0.1", + "license_type_identifier": "CONCURRENT_COUNTED_SINGLE", + "evaluation_order_index": 1 + }, + { + "xid": "31c3be8c-5c0a-11ed-9fa6-061a22468b59", + "product_fulfillment_xid": "c4284597-5c09-11ed-9fa6-061a22468b59", + "feature_identifier": "OVE_Licensing", + "feature_version": "1.0", + "license_type_identifier": "CONCURRENT_COUNTED_SINGLE", + "evaluation_order_index": 0 + }, + { + "xid": "6caeb4cf-360f-11ee-b67d-02f279bf2bff", + "product_fulfillment_xid": "be277379-2cdb-11ec-9838-061a22468b59", + "feature_identifier": "NVAIE_Licensing", + "feature_version": "2.0", + "license_type_identifier": "CONCURRENT_COUNTED_SINGLE", + "evaluation_order_index": 4 + }, + { + "xid": "7fb1d01d-3f0e-11ed-9fa6-061a22468b59", + "product_fulfillment_xid": "be276ff0-2cdb-11ec-9838-061a22468b59", + "feature_identifier": "vGaming_FB_License", + "feature_version": "0.1", + "license_type_identifier": "CONCURRENT_COUNTED_SINGLE", + "evaluation_order_index": 2 + }, + { + "xid": "8eabcb08-3f0e-11ed-9fa6-061a22468b59", + "product_fulfillment_xid": "be2772c8-2cdb-11ec-9838-061a22468b59", + "feature_identifier": "vGaming_FB_License", + "feature_version": "0.1", + "license_type_identifier": "CONCURRENT_COUNTED_SINGLE", + "evaluation_order_index": 2 + }, + { + "xid": "a1dfe741-3e49-11ed-9fa6-061a22468b59", + "product_fulfillment_xid": "be2772c8-2cdb-11ec-9838-061a22468b59", + "feature_identifier": "vGaming_Flexera_License", + "feature_version": "0.1", + "license_type_identifier": "CONCURRENT_COUNTED_SINGLE", + "evaluation_order_index": 1 + }, + { + "xid": "be53286a-2cdb-11ec-9838-061a22468b59", + "product_fulfillment_xid": "be276ff0-2cdb-11ec-9838-061a22468b59", + "feature_identifier": "GRID-vGaming-NLS-Metered", + "feature_version": "8.0", + "license_type_identifier": "CONCURRENT_UNCOUNTED_SINGLE", + "evaluation_order_index": 3 + }, + { + "xid": "be532fb2-2cdb-11ec-9838-061a22468b59", + "product_fulfillment_xid": "be2772c8-2cdb-11ec-9838-061a22468b59", + "feature_identifier": "GRID-vGaming-NLS-Metered", + "feature_version": "8.0", + "license_type_identifier": "CONCURRENT_UNCOUNTED_SINGLE", + "evaluation_order_index": 3 + }, + { + "xid": "be533144-2cdb-11ec-9838-061a22468b59", + "product_fulfillment_xid": "be277379-2cdb-11ec-9838-061a22468b59", + "feature_identifier": "Quadro-Virtual-DWS", + "feature_version": "0.0", + "license_type_identifier": "CONCURRENT_COUNTED_SINGLE", + "evaluation_order_index": 1 + }, + { + "xid": "bf105e18-0c26-11ef-b3b6-371045c70906", + "product_fulfillment_xid": "9e162d3c-0c26-11ef-b3b6-371045c70906", + "feature_identifier": "vGaming_Flexera_License", + "feature_version": "0.1", + "license_type_identifier": "CONCURRENT_COUNTED_SINGLE", + "evaluation_order_index": 0 + } + ] +} diff --git a/app/util.py b/app/util.py index 9287336..a8288de 100644 --- a/app/util.py +++ b/app/util.py @@ -153,3 +153,34 @@ class NV: 'is_latest': is_latest, } return None + + +class ProductMapping: + + def __init__(self, filename: str): + with open(filename, 'r') as file: + self.data = json_loads(file.read()) + + + def get_feature_name(self, product_name: str) -> (str, str): + product = self.__get_product(product_name) + product_fulfillment = self.__get_product_fulfillment(product.get('xid')) + feature = self.__get_product_fulfillment_feature(product_fulfillment.get('xid')) + + return feature.get('feature_identifier') + + + def __get_product(self, product_name: str): + product_list = self.data.get('product') + return next(filter(lambda _: _.get('identifier') == product_name, product_list)) + + + def __get_product_fulfillment(self, product_xid: str): + product_fulfillment_list = self.data.get('product_fulfillment') + return next(filter(lambda _: _.get('product_xid') == product_xid, product_fulfillment_list)) + + def __get_product_fulfillment_feature(self, product_fulfillment_xid: str): + feature_list = self.data.get('product_fulfillment_feature') + features = list(filter(lambda _: _.get('product_fulfillment_xid') == product_fulfillment_xid, feature_list)) + features.sort(key=lambda _: _.get('evaluation_order_index')) + return features[0] diff --git a/test/main.py b/test/main.py index d3ef989..f9c44d6 100644 --- a/test/main.py +++ b/test/main.py @@ -201,7 +201,7 @@ def test_leasing_v1_lessor(): }, 'lease_proposal_list': [{ 'license_type_qualifiers': {'count': 1}, - 'product': {'name': 'NVIDIA RTX Virtual Workstation'} + 'product': {'name': 'NVIDIA Virtual Applications'} }], 'proposal_evaluation_mode': 'ALL_OF', 'scope_ref_list': [ALLOTMENT_REF] @@ -219,6 +219,9 @@ def test_leasing_v1_lessor(): assert len(lease_result_list) == 1 assert len(lease_result_list[0]['lease']['ref']) == 36 assert str(UUID(lease_result_list[0]['lease']['ref'])) == lease_result_list[0]['lease']['ref'] + assert lease_result_list[0]['lease']['product_name'] == 'NVIDIA Virtual Applications' + assert lease_result_list[0]['lease']['feature_name'] == 'GRID-Virtual-Apps' + def test_leasing_v1_lessor_lease(): @@ -275,7 +278,7 @@ def test_leasing_v1_lessor_lease_remove(): }, 'lease_proposal_list': [{ 'license_type_qualifiers': {'count': 1}, - 'product': {'name': 'NVIDIA RTX Virtual Workstation'} + 'product': {'name': 'NVIDIA Virtual Applications'} }], 'proposal_evaluation_mode': 'ALL_OF', 'scope_ref_list': [ALLOTMENT_REF] From 7b2d61b3293c1c2f2583d6b16312af92575777ca Mon Sep 17 00:00:00 2001 From: Oscar Krause Date: Mon, 14 Apr 2025 20:05:43 +0200 Subject: [PATCH 28/69] fixed signature --- app/main.py | 9 +++++---- app/util.py | 7 ++++++- 2 files changed, 11 insertions(+), 5 deletions(-) diff --git a/app/main.py b/app/main.py index a30d205..29e5c95 100644 --- a/app/main.py +++ b/app/main.py @@ -4,10 +4,9 @@ from calendar import timegm from contextlib import asynccontextmanager from datetime import datetime, timedelta, UTC from hashlib import sha256 -from json import loads as json_loads +from json import loads as json_loads, dumps as json_dumps from os import getenv as env from os.path import join, dirname, isfile -from random import randbytes from uuid import uuid4 from dateutil.relativedelta import relativedelta @@ -728,7 +727,8 @@ async def leasing_v1_lessor(request: Request): logger.debug(response) - signature = f'b\'{randbytes(256).hex()}\'' + signature = INSTANCE_KEY_RSA.generate_signature(json_dumps(response).encode('utf-8')) + signature = f'b\'{signature.hex()}\'' return JSONr(response, headers={'access-control-expose-headers': 'X-NLS-Signature', 'X-NLS-Signature': signature}) @@ -780,7 +780,8 @@ async def leasing_v1_lease_renew(request: Request, lease_ref: str): Lease.renew(db, entity, expires, cur_time) - signature = f'b\'{randbytes(256).hex()}\'' + signature = INSTANCE_KEY_RSA.generate_signature(json_dumps(response).encode('utf-8')) + signature = f'b\'{signature.hex()}\'' return JSONr(response, headers={'access-control-expose-headers': 'X-NLS-Signature', 'X-NLS-Signature': signature}) diff --git a/app/util.py b/app/util.py index a8288de..c5b0187 100644 --- a/app/util.py +++ b/app/util.py @@ -1,7 +1,9 @@ import logging - +from json import loads as json_loads from cryptography.hazmat.primitives import serialization +from cryptography.hazmat.primitives.asymmetric.padding import PKCS1v15 from cryptography.hazmat.primitives.asymmetric.rsa import RSAPrivateKey, RSAPublicKey, generate_private_key +from cryptography.hazmat.primitives.hashes import SHA256 from cryptography.hazmat.primitives.serialization import load_pem_private_key, load_pem_public_key from cryptography.x509 import load_pem_x509_certificate, Certificate @@ -40,6 +42,9 @@ class PrivateKey: ) return PublicKey(data=data) + def generate_signature(self, data: bytes) -> bytes: + return self.__key.sign(data, PKCS1v15(), SHA256()) + @staticmethod def generate(public_exponent: int = 65537, key_size: int = 2048) -> "PrivateKey": log = logging.getLogger(__name__) From 79f1015a8667e3accb75b17c741c1001af78a50c Mon Sep 17 00:00:00 2001 From: Oscar Krause Date: Mon, 14 Apr 2025 21:37:26 +0200 Subject: [PATCH 29/69] code styling --- app/main.py | 14 +++++--------- 1 file changed, 5 insertions(+), 9 deletions(-) diff --git a/app/main.py b/app/main.py index 29e5c95..f32301e 100644 --- a/app/main.py +++ b/app/main.py @@ -13,12 +13,12 @@ from dateutil.relativedelta import relativedelta from dotenv import load_dotenv from fastapi import FastAPI from fastapi.requests import Request +from fastapi.responses import StreamingResponse, JSONResponse as JSONr, HTMLResponse as HTMLr, Response, RedirectResponse from jose import jws, jwk, jwt, JWTError from jose.constants import ALGORITHMS from sqlalchemy import create_engine from sqlalchemy.orm import sessionmaker from starlette.middleware.cors import CORSMiddleware -from starlette.responses import StreamingResponse, JSONResponse as JSONr, HTMLResponse as HTMLr, Response, RedirectResponse from orm import Origin, Lease, init as db_init, migrate from util import PrivateKey, PublicKey, load_file, Cert, ProductMapping @@ -670,9 +670,6 @@ async def leasing_v1_config_token(request: Request): async def leasing_v1_lessor(request: Request): j, token, cur_time = json_loads((await request.body()).decode('utf-8')), __get_token(request), datetime.now(UTC) - logger.debug(j) - logger.debug(request.headers) - try: token = __get_token(request) except JWTError: @@ -698,7 +695,6 @@ async def leasing_v1_lessor(request: Request): lease_result_list.append({ "error": None, - # https://docs.nvidia.com/license-system/latest/nvidia-license-system-user-guide/index.html "lease": { "created": cur_time.strftime(DT_FORMAT), "expires": expires.strftime(DT_FORMAT), # todo: lease_proposal.get('duration') => "P0Y0M0DT12H0M0S @@ -727,8 +723,8 @@ async def leasing_v1_lessor(request: Request): logger.debug(response) - signature = INSTANCE_KEY_RSA.generate_signature(json_dumps(response).encode('utf-8')) - signature = f'b\'{signature.hex()}\'' + signature = INSTANCE_KEY_RSA.generate_signature(json_dumps(response, ensure_ascii=False, allow_nan=False, indent=None, separators=(",", ":")).encode('utf-8')) + signature = f'{signature.hex().encode()}' return JSONr(response, headers={'access-control-expose-headers': 'X-NLS-Signature', 'X-NLS-Signature': signature}) @@ -780,8 +776,8 @@ async def leasing_v1_lease_renew(request: Request, lease_ref: str): Lease.renew(db, entity, expires, cur_time) - signature = INSTANCE_KEY_RSA.generate_signature(json_dumps(response).encode('utf-8')) - signature = f'b\'{signature.hex()}\'' + signature = INSTANCE_KEY_RSA.generate_signature(json_dumps(response, ensure_ascii=False, allow_nan=False, indent=None, separators=(",", ":")).encode('utf-8')) + signature = f'{signature.hex().encode()}' return JSONr(response, headers={'access-control-expose-headers': 'X-NLS-Signature', 'X-NLS-Signature': signature}) From 445a3039558495e70ec4f8110e6868c86e816419 Mon Sep 17 00:00:00 2001 From: Oscar Krause Date: Mon, 14 Apr 2025 21:38:01 +0200 Subject: [PATCH 30/69] added signature tests --- app/util.py | 5 ++++- test/main.py | 23 +++++++++++++++++++++++ 2 files changed, 27 insertions(+), 1 deletion(-) diff --git a/app/util.py b/app/util.py index c5b0187..953b928 100644 --- a/app/util.py +++ b/app/util.py @@ -43,7 +43,7 @@ class PrivateKey: return PublicKey(data=data) def generate_signature(self, data: bytes) -> bytes: - return self.__key.sign(data, PKCS1v15(), SHA256()) + return self.__key.sign(data, padding=PKCS1v15(), algorithm=SHA256()) @staticmethod def generate(public_exponent: int = 65537, key_size: int = 2048) -> "PrivateKey": @@ -82,6 +82,9 @@ class PublicKey: format=serialization.PublicFormat.SubjectPublicKeyInfo ) + def verify_signature(self, signature: bytes, data: bytes) -> bytes: + return self.__key.verify(signature, data, padding=PKCS1v15(), algorithm=SHA256()) + class Cert: diff --git a/test/main.py b/test/main.py index f9c44d6..664b754 100644 --- a/test/main.py +++ b/test/main.py @@ -40,6 +40,23 @@ def __bearer_token(origin_ref: str) -> str: return token +def test_signing(): + signature_set_header = INSTANCE_KEY_RSA.generate_signature(b'Hello') + + # test plain + INSTANCE_KEY_PUB.verify_signature(signature_set_header, b'Hello') + + # test "X-NLS-Signature: b'....' + x_nls_signature_header_value = f'{signature_set_header.hex().encode()}' + assert f'{x_nls_signature_header_value}'.startswith('b\'') + assert f'{x_nls_signature_header_value}'.endswith('\'') + + # test eval + signature_get_header = eval(x_nls_signature_header_value) + signature_get_header = bytes.fromhex(signature_get_header.decode('ascii')) + INSTANCE_KEY_PUB.verify_signature(signature_get_header, b'Hello') + + def test_index(): response = client.get('/') assert response.status_code == 200 @@ -214,6 +231,9 @@ def test_leasing_v1_lessor(): assert client_challenge == payload.get('client_challenge') signature = eval(response.headers.get('X-NLS-Signature')) assert len(signature) == 512 + signature = bytes.fromhex(signature.decode('ascii')) + assert len(signature) == 256 + INSTANCE_KEY_PUB.verify_signature(signature, response.content) lease_result_list = response.json().get('lease_result_list') assert len(lease_result_list) == 1 @@ -249,6 +269,9 @@ def test_leasing_v1_lease_renew(): assert client_challenge == payload.get('client_challenge') signature = eval(response.headers.get('X-NLS-Signature')) assert len(signature) == 512 + signature = bytes.fromhex(signature.decode('ascii')) + assert len(signature) == 256 + INSTANCE_KEY_PUB.verify_signature(signature, response.content) lease_ref = response.json().get('lease_ref') assert len(lease_ref) == 36 From 33a561793ee59aed9298d57e1d2756c692a64e64 Mon Sep 17 00:00:00 2001 From: Oscar Krause Date: Tue, 15 Apr 2025 07:35:41 +0200 Subject: [PATCH 31/69] test case sensitive headers --- app/main.py | 28 +++++++++++++++++++++------- 1 file changed, 21 insertions(+), 7 deletions(-) diff --git a/app/main.py b/app/main.py index f32301e..40c684b 100644 --- a/app/main.py +++ b/app/main.py @@ -721,11 +721,17 @@ async def leasing_v1_lessor(request: Request): "sync_timestamp": cur_time.strftime(DT_FORMAT), } - logger.debug(response) + content = json_dumps(response).encode('utf-8') + signature = INSTANCE_KEY_RSA.generate_signature(content) - signature = INSTANCE_KEY_RSA.generate_signature(json_dumps(response, ensure_ascii=False, allow_nan=False, indent=None, separators=(",", ":")).encode('utf-8')) - signature = f'{signature.hex().encode()}' - return JSONr(response, headers={'access-control-expose-headers': 'X-NLS-Signature', 'X-NLS-Signature': signature}) + headers = { + 'Content-Type': 'application/json', + 'access-control-expose-headers': 'X-NLS-Signature', + 'X-NLS-Signature': f'{signature.hex().encode()}' + } + x = Response(content=content, media_type='text/plain') + x.raw_headers = [(k.encode("latin-1"), v.encode("latin-1")) for k, v in headers.items()] + return x # venv/lib/python3.9/site-packages/nls_services_lease/test/test_lease_multi_controller.py @@ -776,9 +782,17 @@ async def leasing_v1_lease_renew(request: Request, lease_ref: str): Lease.renew(db, entity, expires, cur_time) - signature = INSTANCE_KEY_RSA.generate_signature(json_dumps(response, ensure_ascii=False, allow_nan=False, indent=None, separators=(",", ":")).encode('utf-8')) - signature = f'{signature.hex().encode()}' - return JSONr(response, headers={'access-control-expose-headers': 'X-NLS-Signature', 'X-NLS-Signature': signature}) + content = json_dumps(response).encode('utf-8') + signature = INSTANCE_KEY_RSA.generate_signature(content) + + headers = { + 'Content-Type': 'application/json', + 'access-control-expose-headers': 'X-NLS-Signature', + 'X-NLS-Signature': f'{signature.hex().encode()}' + } + x = Response(content=content, media_type='text/plain') + x.raw_headers = [(k.encode("latin-1"), v.encode("latin-1")) for k, v in headers.items()] + return x # venv/lib/python3.9/site-packages/nls_services_lease/test/test_lease_single_controller.py From b9e78dbeeb66f701189e03214f2487bd824ecf7f Mon Sep 17 00:00:00 2001 From: Oscar Krause Date: Tue, 15 Apr 2025 07:58:55 +0200 Subject: [PATCH 32/69] response fixes --- app/main.py | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/app/main.py b/app/main.py index 40c684b..8652b62 100644 --- a/app/main.py +++ b/app/main.py @@ -721,7 +721,8 @@ async def leasing_v1_lessor(request: Request): "sync_timestamp": cur_time.strftime(DT_FORMAT), } - content = json_dumps(response).encode('utf-8') + content = json_dumps(response, separators=(',', ':')) + content = f'{content}\n'.encode('utf-8') signature = INSTANCE_KEY_RSA.generate_signature(content) headers = { @@ -770,11 +771,11 @@ async def leasing_v1_lease_renew(request: Request, lease_ref: str): expires = cur_time + LEASE_EXPIRE_DELTA response = { "client_challenge": j.get('client_challenge'), - "expires": expires.strftime(DT_FORMAT), + "expires": expires.strftime('%Y-%m-%dT%H:%M:%S.%f'), # DT_FORMAT => "trailing 'Z' missing in this response "feature_expired": False, "lease_ref": lease_ref, "metadata": None, - "offline_lease": True, + "offline_lease": False, # todo "prompts": None, "recommended_lease_renewal": LEASE_RENEWAL_PERIOD, "sync_timestamp": cur_time.strftime(DT_FORMAT), @@ -782,7 +783,8 @@ async def leasing_v1_lease_renew(request: Request, lease_ref: str): Lease.renew(db, entity, expires, cur_time) - content = json_dumps(response).encode('utf-8') + content = json_dumps(response, separators=(',', ':')) + content = f'{content}\n'.encode('utf-8') signature = INSTANCE_KEY_RSA.generate_signature(content) headers = { From e23912c49ab14ac237ceeb39ec555a13b5f8f030 Mon Sep 17 00:00:00 2001 From: Oscar Krause Date: Wed, 16 Apr 2025 07:54:23 +0200 Subject: [PATCH 33/69] code refactorings - removed INSTANCE_KEY_RSA and INSTANCE_KEY_PUB from configuration and implemented CASetup instead --- .DEBIAN/env.default | 4 - .PKGBUILD/fastapi-dls.default | 4 - README.md | 6 +- app/main.py | 231 ++++------------------------------ app/util.py | 197 ++++++++++++++++++++++++++++- test/main.py | 29 ++--- 6 files changed, 236 insertions(+), 235 deletions(-) diff --git a/.DEBIAN/env.default b/.DEBIAN/env.default index 835f29e..0bb6549 100644 --- a/.DEBIAN/env.default +++ b/.DEBIAN/env.default @@ -21,7 +21,3 @@ DATABASE=sqlite:////etc/fastapi-dls/db.sqlite #SITE_KEY_XID="00000000-0000-0000-0000-000000000000" #INSTANCE_REF="10000000-0000-0000-0000-000000000001" #ALLOTMENT_REF="20000000-0000-0000-0000-000000000001" - -# Site-wide signing keys -INSTANCE_KEY_RSA=/etc/fastapi-dls/instance.private.pem -INSTANCE_KEY_PUB=/etc/fastapi-dls/instance.public.pem diff --git a/.PKGBUILD/fastapi-dls.default b/.PKGBUILD/fastapi-dls.default index 0bfb664..97258ae 100644 --- a/.PKGBUILD/fastapi-dls.default +++ b/.PKGBUILD/fastapi-dls.default @@ -19,10 +19,6 @@ DATABASE="sqlite:////var/lib/fastapi-dls/db.sqlite" SITE_KEY_XID="<>" INSTANCE_REF="<>" -# Site-wide signing keys -INSTANCE_KEY_RSA="/var/lib/fastapi-dls/instance.private.pem" -INSTANCE_KEY_PUB="/var/lib/fastapi-dls/instance.public.pem" - # TLS certificate INSTANCE_SSL_CERT="/var/lib/fastapi-dls/cert/webserver.crt" INSTANCE_SSL_KEY="/var/lib/fastapi-dls/cert/webserver.key" diff --git a/README.md b/README.md index 25d3588..9bc0094 100644 --- a/README.md +++ b/README.md @@ -435,9 +435,7 @@ After first success you have to replace `--issue` with `--renew`. | `CORS_ORIGINS` | `https://{DLS_URL}` | Sets `Access-Control-Allow-Origin` header (comma separated string) \*2 | | `SITE_KEY_XID` | `00000000-0000-0000-0000-000000000000` | Site identification uuid | | `INSTANCE_REF` | `10000000-0000-0000-0000-000000000001` | Instance identification uuid | -| `ALLOTMENT_REF` | `20000000-0000-0000-0000-000000000001` | Allotment identification uuid | -| `INSTANCE_KEY_RSA` | `/cert/instance.private.pem` | Site-wide private RSA key for singing JWTs \*3 | -| `INSTANCE_KEY_PUB` | `/cert/instance.public.pem` | Site-wide public key \*3 | +| `ALLOTMENT_REF` | `20000000-0000-0000-0000-000000000001` | Allotment identification uuid | | \*1 For example, if the lease period is one day and the renewal period is 20%, the client attempts to renew its license every 4.8 hours. If network connectivity is lost, the loss of connectivity is detected during license renewal and the @@ -445,8 +443,6 @@ client has 19.2 hours in which to re-establish connectivity before its license e \*2 Always use `https`, since guest-drivers only support secure connections! -\*3 If you recreate your instance keys you need to **recreate client-token for each guest**! - # Setup (Client) **The token file has to be copied! It's not enough to C&P file contents, because there can be special characters.** diff --git a/app/main.py b/app/main.py index 8652b62..0894adb 100644 --- a/app/main.py +++ b/app/main.py @@ -6,7 +6,7 @@ from datetime import datetime, timedelta, UTC from hashlib import sha256 from json import loads as json_loads, dumps as json_dumps from os import getenv as env -from os.path import join, dirname, isfile +from os.path import join, dirname from uuid import uuid4 from dateutil.relativedelta import relativedelta @@ -21,7 +21,7 @@ from sqlalchemy.orm import sessionmaker from starlette.middleware.cors import CORSMiddleware from orm import Origin, Lease, init as db_init, migrate -from util import PrivateKey, PublicKey, load_file, Cert, ProductMapping +from util import CASetup, PrivateKey, PublicKey, load_file, Cert, ProductMapping # Load variables load_dotenv('../version.env') @@ -42,8 +42,6 @@ DLS_PORT = int(env('DLS_PORT', '443')) SITE_KEY_XID = str(env('SITE_KEY_XID', '00000000-0000-0000-0000-000000000000')) INSTANCE_REF = str(env('INSTANCE_REF', '10000000-0000-0000-0000-000000000001')) ALLOTMENT_REF = str(env('ALLOTMENT_REF', '20000000-0000-0000-0000-000000000001')) -INSTANCE_KEY_RSA = PrivateKey.from_file(str(env('INSTANCE_KEY_RSA', join(dirname(__file__), 'cert/instance.private.pem')))) -INSTANCE_KEY_PUB = PublicKey.from_file(str(env('INSTANCE_KEY_PUB', join(dirname(__file__), 'cert/instance.public.pem')))) TOKEN_EXPIRE_DELTA = relativedelta(days=int(env('TOKEN_EXPIRE_DAYS', 1)), hours=int(env('TOKEN_EXPIRE_HOURS', 0))) LEASE_EXPIRE_DELTA = relativedelta(days=int(env('LEASE_EXPIRE_DAYS', 90)), hours=int(env('LEASE_EXPIRE_HOURS', 0))) LEASE_RENEWAL_PERIOD = float(env('LEASE_RENEWAL_PERIOD', 0.15)) @@ -53,9 +51,15 @@ CORS_ORIGINS = str(env('CORS_ORIGINS', '')).split(',') if (env('CORS_ORIGINS')) DT_FORMAT = '%Y-%m-%dT%H:%M:%S.%fZ' PRODUCT_MAPPING = ProductMapping(filename=join(dirname(__file__), 'static/product_mapping.json')) +# Create certificate chain and signing keys +ca_setup = CASetup(service_instance_ref=INSTANCE_REF) +my_ca_certificate = Cert.from_file(ca_setup.ca_certificate_filename) +my_si_certificate = Cert.from_file(ca_setup.si_certificate_filename) +my_si_private_key = PrivateKey.from_file(ca_setup.si_private_key_filename) +my_si_public_key = my_si_private_key.public_key() -jwt_encode_key = jwk.construct(INSTANCE_KEY_RSA.pem(), algorithm=ALGORITHMS.RS256) -jwt_decode_key = jwk.construct(INSTANCE_KEY_PUB.pem(), algorithm=ALGORITHMS.RS256) +jwt_encode_key = jwk.construct(my_si_private_key.pem(), algorithm=ALGORITHMS.RS256) +jwt_decode_key = jwk.construct(my_si_private_key.public_key().pem(), algorithm=ALGORITHMS.RS256) # Logging LOG_LEVEL = logging.DEBUG if DEBUG else logging.INFO @@ -268,10 +272,10 @@ async def _client_token(): }, "service_instance_public_key_configuration": { "service_instance_public_key_me": { - "mod": hex(INSTANCE_KEY_PUB.raw().public_numbers().n)[2:], - "exp": int(INSTANCE_KEY_PUB.raw().public_numbers().e), + "mod": my_si_public_key.mod(), + "exp": my_si_public_key.exp(), }, - "service_instance_public_key_pem": INSTANCE_KEY_PUB.pem().decode('utf-8'), + "service_instance_public_key_pem": my_si_private_key.public_key().pem().decode('utf-8'), "key_retention_mode": "LATEST_ONLY" }, } @@ -431,190 +435,6 @@ async def leasing_v1_config_token(request: Request): logger.debug(f'Headers: {request.headers}') logger.debug(f'Request: {j}') - # todo: THIS IS A DEMO ONLY - - ### - # - # https://git.collinwebdesigns.de/nvidia/nls/-/blob/main/src/test/test_config_token.py - # - ### - - root_private_key_filename = join(dirname(__file__), 'cert/my_demo_root_private_key.pem') - root_certificate_filename = join(dirname(__file__), 'cert/my_demo_root_certificate.pem') - ca_private_key_filename = join(dirname(__file__), 'cert/my_demo_ca_private_key.pem') - ca_certificate_filename = join(dirname(__file__), 'cert/my_demo_ca_certificate.pem') - si_private_key_filename = join(dirname(__file__), 'cert/my_demo_si_private_key.pem') - si_certificate_filename = join(dirname(__file__), 'cert/my_demo_si_certificate.pem') - - def init_config_token_demo(): - from cryptography import x509 - from cryptography.hazmat._oid import NameOID - from cryptography.hazmat.primitives import serialization, hashes - from cryptography.hazmat.primitives.asymmetric.rsa import generate_private_key - from cryptography.hazmat.primitives.serialization import Encoding - - """ Create Root Key and Certificate """ - - # create root keypair - my_root_private_key = generate_private_key(public_exponent=65537, key_size=4096) - my_root_public_key = my_root_private_key.public_key() - - # create root-certificate subject - my_root_subject = x509.Name([ - x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'), - x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'California'), - x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'Nvidia'), - x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME, u'Nvidia Licensing Service (NLS)'), - x509.NameAttribute(NameOID.COMMON_NAME, u'NLS Root CA'), - ]) - - # create self-signed root-certificate - my_root_certificate = ( - x509.CertificateBuilder() - .subject_name(my_root_subject) - .issuer_name(my_root_subject) - .public_key(my_root_public_key) - .serial_number(x509.random_serial_number()) - .not_valid_before(datetime.now(tz=UTC) - timedelta(days=1)) - .not_valid_after(datetime.now(tz=UTC) + timedelta(days=365 * 10)) - .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True) - .add_extension(x509.SubjectKeyIdentifier.from_public_key(my_root_public_key), critical=False) - .sign(my_root_private_key, hashes.SHA256())) - - my_root_private_key_as_pem = my_root_private_key.private_bytes( - encoding=serialization.Encoding.PEM, - format=serialization.PrivateFormat.TraditionalOpenSSL, - encryption_algorithm=serialization.NoEncryption(), - ) - - with open(root_private_key_filename, 'wb') as f: - f.write(my_root_private_key_as_pem) - - with open(root_certificate_filename, 'wb') as f: - f.write(my_root_certificate.public_bytes(encoding=Encoding.PEM)) - - """ Create CA (Intermediate) Key and Certificate """ - - # create ca keypair - my_ca_private_key = generate_private_key(public_exponent=65537, key_size=4096) - my_ca_public_key = my_ca_private_key.public_key() - - # create ca-certificate subject - my_ca_subject = x509.Name([ - x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'), - x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'California'), - x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'Nvidia'), - x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME, u'Nvidia Licensing Service (NLS)'), - x509.NameAttribute(NameOID.COMMON_NAME, u'NLS Intermediate CA'), - ]) - - # create self-signed ca-certificate - my_ca_certificate = ( - x509.CertificateBuilder() - .subject_name(my_ca_subject) - .issuer_name(my_root_subject) - .public_key(my_ca_public_key) - .serial_number(x509.random_serial_number()) - .not_valid_before(datetime.now(tz=UTC) - timedelta(days=1)) - .not_valid_after(datetime.now(tz=UTC) + timedelta(days=365 * 10)) - .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True) - .add_extension(x509.KeyUsage(digital_signature=False, key_encipherment=False, key_cert_sign=True, - key_agreement=False, content_commitment=False, data_encipherment=False, - crl_sign=True, encipher_only=False, decipher_only=False), critical=True) - .add_extension(x509.SubjectKeyIdentifier.from_public_key(my_ca_public_key), critical=False) - # .add_extension(x509.AuthorityKeyIdentifier.from_issuer_public_key(my_root_public_key), critical=False) - .add_extension(x509.AuthorityKeyIdentifier.from_issuer_subject_key_identifier( - my_root_certificate.extensions.get_extension_for_class(x509.SubjectKeyIdentifier).value - ), critical=False) - .sign(my_root_private_key, hashes.SHA256())) - - my_ca_private_key_as_pem = my_ca_private_key.private_bytes( - encoding=serialization.Encoding.PEM, - format=serialization.PrivateFormat.TraditionalOpenSSL, - encryption_algorithm=serialization.NoEncryption(), - ) - - with open(ca_private_key_filename, 'wb') as f: - f.write(my_ca_private_key_as_pem) - - with open(ca_certificate_filename, 'wb') as f: - f.write(my_ca_certificate.public_bytes(encoding=Encoding.PEM)) - - """ Create Service-Instance Key and Certificate """ - - # create si keypair - my_si_private_key = generate_private_key(public_exponent=65537, key_size=2048) - my_si_public_key = my_si_private_key.public_key() - - my_si_private_key_as_pem = my_si_private_key.private_bytes( - encoding=serialization.Encoding.PEM, - format=serialization.PrivateFormat.TraditionalOpenSSL, - encryption_algorithm=serialization.NoEncryption(), - ) - my_si_public_key_as_pem = my_si_public_key.public_bytes( - encoding=serialization.Encoding.PEM, - format=serialization.PublicFormat.SubjectPublicKeyInfo, - ) - - with open(si_private_key_filename, 'wb') as f: - f.write(my_si_private_key_as_pem) - - # with open('instance.public.pem', 'wb') as f: - # f.write(my_si_public_key_as_pem) - - # create si-certificate subject - my_si_subject = x509.Name([ - # x509.NameAttribute(NameOID.COMMON_NAME, INSTANCE_REF), - x509.NameAttribute(NameOID.COMMON_NAME, j.get('service_instance_ref')), - ]) - - # create self-signed si-certificate - my_si_certificate = ( - x509.CertificateBuilder() - .subject_name(my_si_subject) - .issuer_name(my_ca_subject) - .public_key(my_si_public_key) - .serial_number(x509.random_serial_number()) - .not_valid_before(datetime.now(tz=UTC) - timedelta(days=1)) - .not_valid_after(datetime.now(tz=UTC) + timedelta(days=365 * 10)) - .add_extension(x509.KeyUsage(digital_signature=True, key_encipherment=True, key_cert_sign=False, - key_agreement=True, content_commitment=False, data_encipherment=False, - crl_sign=False, encipher_only=False, decipher_only=False), critical=True) - .add_extension(x509.ExtendedKeyUsage([ - x509.oid.ExtendedKeyUsageOID.SERVER_AUTH, - x509.oid.ExtendedKeyUsageOID.CLIENT_AUTH] - ), critical=False) - .add_extension(x509.SubjectKeyIdentifier.from_public_key(my_si_public_key), critical=False) - # .add_extension(x509.AuthorityKeyIdentifier.from_issuer_public_key(my_ca_public_key), critical=False) - .add_extension(x509.AuthorityKeyIdentifier.from_issuer_subject_key_identifier( - my_ca_certificate.extensions.get_extension_for_class(x509.SubjectKeyIdentifier).value - ), critical=False) - .add_extension(x509.SubjectAlternativeName([ - # x509.DNSName(INSTANCE_REF) - x509.DNSName(j.get('service_instance_ref')) - ]), critical=False) - .sign(my_ca_private_key, hashes.SHA256())) - - my_si_public_key_exp = my_si_certificate.public_key().public_numbers().e - my_si_public_key_mod = f'{my_si_certificate.public_key().public_numbers().n:x}' # hex value without "0x" prefix - - with open(si_certificate_filename, 'wb') as f: - f.write(my_si_certificate.public_bytes(encoding=Encoding.PEM)) - - if not (isfile(root_private_key_filename) - and isfile(ca_private_key_filename) - and isfile(ca_certificate_filename) - and isfile(si_private_key_filename) - and isfile(si_certificate_filename)): - init_config_token_demo() - - my_ca_certificate = Cert.from_file(ca_certificate_filename) - my_si_certificate = Cert.from_file(si_certificate_filename) - my_si_private_key = PrivateKey.from_file(si_private_key_filename) - my_si_private_key_as_pem = my_si_private_key.pem() - my_si_public_key = my_si_private_key.public_key().raw() - my_si_public_key_as_pem = my_si_private_key.public_key().pem() - """ build out payload """ cur_time = datetime.now(UTC) @@ -631,16 +451,16 @@ async def leasing_v1_config_token(request: Request): "service_instance_ref": j.get('service_instance_ref'), "service_instance_public_key_configuration": { "service_instance_public_key_me": { - "mod": hex(my_si_public_key.public_numbers().n)[2:], - "exp": int(my_si_public_key.public_numbers().e), + "mod": my_si_public_key.mod(), + "exp": my_si_public_key.exp(), }, # 64 chars per line (pem default) - "service_instance_public_key_pem": my_si_public_key_as_pem.decode('utf-8').strip(), + "service_instance_public_key_pem": my_si_private_key.public_key().pem().decode('utf-8').strip(), "key_retention_mode": "LATEST_ONLY" }, } - my_jwt_encode_key = jwk.construct(my_si_private_key_as_pem.decode('utf-8'), algorithm=ALGORITHMS.RS256) + my_jwt_encode_key = jwk.construct(my_si_private_key.pem().decode('utf-8'), algorithm=ALGORITHMS.RS256) config_token = jws.sign(payload, key=my_jwt_encode_key, headers=None, algorithm=ALGORITHMS.RS256) response_ca_chain = my_ca_certificate.pem().decode('utf-8') @@ -722,17 +542,15 @@ async def leasing_v1_lessor(request: Request): } content = json_dumps(response, separators=(',', ':')) - content = f'{content}\n'.encode('utf-8') - signature = INSTANCE_KEY_RSA.generate_signature(content) + content = f'{content}\n'.encode('ascii') + signature = my_si_private_key.generate_signature(content) headers = { 'Content-Type': 'application/json', 'access-control-expose-headers': 'X-NLS-Signature', 'X-NLS-Signature': f'{signature.hex().encode()}' } - x = Response(content=content, media_type='text/plain') - x.raw_headers = [(k.encode("latin-1"), v.encode("latin-1")) for k, v in headers.items()] - return x + return Response(content=content, media_type='text/plain', headers=headers) # return JSONr(content, headers=headers) # venv/lib/python3.9/site-packages/nls_services_lease/test/test_lease_multi_controller.py @@ -784,17 +602,16 @@ async def leasing_v1_lease_renew(request: Request, lease_ref: str): Lease.renew(db, entity, expires, cur_time) content = json_dumps(response, separators=(',', ':')) - content = f'{content}\n'.encode('utf-8') - signature = INSTANCE_KEY_RSA.generate_signature(content) + content = f'{content}\n'.encode('ascii') + signature = my_si_private_key.generate_signature(content) headers = { 'Content-Type': 'application/json', 'access-control-expose-headers': 'X-NLS-Signature', 'X-NLS-Signature': f'{signature.hex().encode()}' } - x = Response(content=content, media_type='text/plain') - x.raw_headers = [(k.encode("latin-1"), v.encode("latin-1")) for k, v in headers.items()] - return x + return Response(content=content, media_type='text/plain', headers=headers) #return JSONr(content, headers=headers) + # venv/lib/python3.9/site-packages/nls_services_lease/test/test_lease_single_controller.py diff --git a/app/util.py b/app/util.py index 953b928..7b60026 100644 --- a/app/util.py +++ b/app/util.py @@ -1,15 +1,204 @@ import logging +from datetime import datetime, UTC, timedelta from json import loads as json_loads -from cryptography.hazmat.primitives import serialization +from os.path import join, dirname, isfile + +from cryptography import x509 +from cryptography.hazmat._oid import NameOID +from cryptography.hazmat.primitives import serialization, hashes from cryptography.hazmat.primitives.asymmetric.padding import PKCS1v15 from cryptography.hazmat.primitives.asymmetric.rsa import RSAPrivateKey, RSAPublicKey, generate_private_key from cryptography.hazmat.primitives.hashes import SHA256 +from cryptography.hazmat.primitives.serialization import Encoding from cryptography.hazmat.primitives.serialization import load_pem_private_key, load_pem_public_key from cryptography.x509 import load_pem_x509_certificate, Certificate logging.basicConfig() +class CASetup: + ### + # + # https://git.collinwebdesigns.de/nvidia/nls/-/blob/main/src/test/test_config_token.py + # + ### + + def __init__(self, service_instance_ref: str): + self.service_instance_ref = service_instance_ref + self.root_private_key_filename = join(dirname(__file__), 'cert/my_demo_root_private_key.pem') + self.root_certificate_filename = join(dirname(__file__), 'cert/my_demo_root_certificate.pem') + self.ca_private_key_filename = join(dirname(__file__), 'cert/my_demo_ca_private_key.pem') + self.ca_certificate_filename = join(dirname(__file__), 'cert/my_demo_ca_certificate.pem') + self.si_private_key_filename = join(dirname(__file__), 'cert/my_demo_si_private_key.pem') + self.si_public_key_filename = join(dirname(__file__), 'cert/my_demo_si_public_key.pem') + self.si_certificate_filename = join(dirname(__file__), 'cert/my_demo_si_certificate.pem') + + if not (isfile(self.root_private_key_filename) + and isfile(self.ca_private_key_filename) + and isfile(self.ca_certificate_filename) + and isfile(self.si_private_key_filename) + and isfile(self.si_certificate_filename)): + self.init_config_token_demo() + + def init_config_token_demo(self): + """ Create Root Key and Certificate """ + + # create root keypair + my_root_private_key = generate_private_key(public_exponent=65537, key_size=4096) + my_root_public_key = my_root_private_key.public_key() + + # create root-certificate subject + my_root_subject = x509.Name([ + x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'), + x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'California'), + x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'Nvidia'), + x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME, u'Nvidia Licensing Service (NLS)'), + x509.NameAttribute(NameOID.COMMON_NAME, u'NLS Root CA'), + ]) + + # create self-signed root-certificate + my_root_certificate = ( + x509.CertificateBuilder() + .subject_name(my_root_subject) + .issuer_name(my_root_subject) + .public_key(my_root_public_key) + .serial_number(x509.random_serial_number()) + .not_valid_before(datetime.now(tz=UTC) - timedelta(days=1)) + .not_valid_after(datetime.now(tz=UTC) + timedelta(days=365 * 10)) + .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True) + .add_extension(x509.SubjectKeyIdentifier.from_public_key(my_root_public_key), critical=False) + .sign(my_root_private_key, hashes.SHA256())) + + my_root_private_key_as_pem = my_root_private_key.private_bytes( + encoding=serialization.Encoding.PEM, + format=serialization.PrivateFormat.TraditionalOpenSSL, + encryption_algorithm=serialization.NoEncryption(), + ) + + with open(self.root_private_key_filename, 'wb') as f: + f.write(my_root_private_key_as_pem) + + with open(self.root_certificate_filename, 'wb') as f: + f.write(my_root_certificate.public_bytes(encoding=Encoding.PEM)) + + """ Create CA (Intermediate) Key and Certificate """ + + # create ca keypair + my_ca_private_key = generate_private_key(public_exponent=65537, key_size=4096) + my_ca_public_key = my_ca_private_key.public_key() + + # create ca-certificate subject + my_ca_subject = x509.Name([ + x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'), + x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'California'), + x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'Nvidia'), + x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME, u'Nvidia Licensing Service (NLS)'), + x509.NameAttribute(NameOID.COMMON_NAME, u'NLS Intermediate CA'), + ]) + + # create self-signed ca-certificate + my_ca_certificate = ( + x509.CertificateBuilder() + .subject_name(my_ca_subject) + .issuer_name(my_root_subject) + .public_key(my_ca_public_key) + .serial_number(x509.random_serial_number()) + .not_valid_before(datetime.now(tz=UTC) - timedelta(days=1)) + .not_valid_after(datetime.now(tz=UTC) + timedelta(days=365 * 10)) + .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True) + .add_extension(x509.KeyUsage( + digital_signature=False, + key_encipherment=False, + key_cert_sign=True, + key_agreement=False, + content_commitment=False, + data_encipherment=False, + crl_sign=True, + encipher_only=False, + decipher_only=False), + critical=True + ) + .add_extension(x509.SubjectKeyIdentifier.from_public_key(my_ca_public_key), critical=False) + # .add_extension(x509.AuthorityKeyIdentifier.from_issuer_public_key(my_root_public_key), critical=False) + .add_extension(x509.AuthorityKeyIdentifier.from_issuer_subject_key_identifier( + my_root_certificate.extensions.get_extension_for_class(x509.SubjectKeyIdentifier).value + ), critical=False) + .sign(my_root_private_key, hashes.SHA256())) + + my_ca_private_key_as_pem = my_ca_private_key.private_bytes( + encoding=serialization.Encoding.PEM, + format=serialization.PrivateFormat.TraditionalOpenSSL, + encryption_algorithm=serialization.NoEncryption(), + ) + + with open(self.ca_private_key_filename, 'wb') as f: + f.write(my_ca_private_key_as_pem) + + with open(self.ca_certificate_filename, 'wb') as f: + f.write(my_ca_certificate.public_bytes(encoding=Encoding.PEM)) + + """ Create Service-Instance Key and Certificate """ + + # create si keypair + my_si_private_key = generate_private_key(public_exponent=65537, key_size=2048) + my_si_public_key = my_si_private_key.public_key() + + my_si_private_key_as_pem = my_si_private_key.private_bytes( + encoding=serialization.Encoding.PEM, + format=serialization.PrivateFormat.TraditionalOpenSSL, + encryption_algorithm=serialization.NoEncryption(), + ) + my_si_public_key_as_pem = my_si_public_key.public_bytes( + encoding=serialization.Encoding.PEM, + format=serialization.PublicFormat.SubjectPublicKeyInfo, + ) + + with open(self.si_private_key_filename, 'wb') as f: + f.write(my_si_private_key_as_pem) + + with open(self.si_public_key_filename, 'wb') as f: + f.write(my_si_public_key_as_pem) + + # create si-certificate subject + my_si_subject = x509.Name([ + # x509.NameAttribute(NameOID.COMMON_NAME, INSTANCE_REF), + x509.NameAttribute(NameOID.COMMON_NAME, j.get('service_instance_ref')), + ]) + + # create self-signed si-certificate + my_si_certificate = ( + x509.CertificateBuilder() + .subject_name(my_si_subject) + .issuer_name(my_ca_subject) + .public_key(my_si_public_key) + .serial_number(x509.random_serial_number()) + .not_valid_before(datetime.now(tz=UTC) - timedelta(days=1)) + .not_valid_after(datetime.now(tz=UTC) + timedelta(days=365 * 10)) + .add_extension(x509.KeyUsage(digital_signature=True, key_encipherment=True, key_cert_sign=False, + key_agreement=True, content_commitment=False, data_encipherment=False, + crl_sign=False, encipher_only=False, decipher_only=False), critical=True) + .add_extension(x509.ExtendedKeyUsage([ + x509.oid.ExtendedKeyUsageOID.SERVER_AUTH, + x509.oid.ExtendedKeyUsageOID.CLIENT_AUTH] + ), critical=False) + .add_extension(x509.SubjectKeyIdentifier.from_public_key(my_si_public_key), critical=False) + # .add_extension(x509.AuthorityKeyIdentifier.from_issuer_public_key(my_ca_public_key), critical=False) + .add_extension(x509.AuthorityKeyIdentifier.from_issuer_subject_key_identifier( + my_ca_certificate.extensions.get_extension_for_class(x509.SubjectKeyIdentifier).value + ), critical=False) + .add_extension(x509.SubjectAlternativeName([ + # x509.DNSName(INSTANCE_REF) + x509.DNSName(self.service_instance_ref) + ]), critical=False) + .sign(my_ca_private_key, hashes.SHA256())) + + my_si_public_key_exp = my_si_certificate.public_key().public_numbers().e + my_si_public_key_mod = f'{my_si_certificate.public_key().public_numbers().n:x}' # hex value without "0x" prefix + + with open(self.si_certificate_filename, 'wb') as f: + f.write(my_si_certificate.public_bytes(encoding=Encoding.PEM)) + + class PrivateKey: def __init__(self, data: bytes): @@ -82,6 +271,12 @@ class PublicKey: format=serialization.PublicFormat.SubjectPublicKeyInfo ) + def mod(self) -> str: + return hex(self.__key.public_numbers().n)[2:] + + def exp(self): + return int(self.__key.public_numbers().e) + def verify_signature(self, signature: bytes, data: bytes) -> bytes: return self.__key.verify(signature, data, padding=PKCS1v15(), algorithm=SHA256()) diff --git a/test/main.py b/test/main.py index 664b754..2547412 100644 --- a/test/main.py +++ b/test/main.py @@ -4,7 +4,6 @@ from base64 import b64encode as b64enc from calendar import timegm from datetime import datetime, UTC from hashlib import sha256 -from os.path import dirname, join from uuid import uuid4, UUID from dateutil.relativedelta import relativedelta @@ -17,21 +16,23 @@ sys.path.append('../') sys.path.append('../app') from app import main -from util import PrivateKey, PublicKey +from util import CASetup, PrivateKey, PublicKey client = TestClient(main.app) +# Instance INSTANCE_REF = '10000000-0000-0000-0000-000000000001' ORIGIN_REF, ALLOTMENT_REF, SECRET = str(uuid4()), '20000000-0000-0000-0000-000000000001', 'HelloWorld' -# INSTANCE_KEY_RSA = generate_key() -# INSTANCE_KEY_PUB = INSTANCE_KEY_RSA.public_key() +# CA & Signing +ca_setup = CASetup(service_instance_ref=INSTANCE_REF) +my_si_private_key = PrivateKey.from_file(ca_setup.si_private_key_filename) +my_si_private_key_as_pem = my_si_private_key.pem() +my_si_public_key = my_si_private_key.public_key() +my_si_public_key_as_pem = my_si_private_key.public_key().pem() -INSTANCE_KEY_RSA = PrivateKey.from_file(str(join(dirname(__file__), '../app/cert/instance.private.pem'))) -INSTANCE_KEY_PUB = PublicKey.from_file(str(join(dirname(__file__), '../app/cert/instance.public.pem'))) - -jwt_encode_key = jwk.construct(INSTANCE_KEY_RSA.pem(), algorithm=ALGORITHMS.RS256) -jwt_decode_key = jwk.construct(INSTANCE_KEY_PUB.pem(), algorithm=ALGORITHMS.RS256) +jwt_encode_key = jwk.construct(my_si_private_key_as_pem, algorithm=ALGORITHMS.RS256) +jwt_decode_key = jwk.construct(my_si_public_key_as_pem, algorithm=ALGORITHMS.RS256) def __bearer_token(origin_ref: str) -> str: @@ -41,10 +42,10 @@ def __bearer_token(origin_ref: str) -> str: def test_signing(): - signature_set_header = INSTANCE_KEY_RSA.generate_signature(b'Hello') + signature_set_header = my_si_private_key.generate_signature(b'Hello') # test plain - INSTANCE_KEY_PUB.verify_signature(signature_set_header, b'Hello') + my_si_public_key.verify_signature(signature_set_header, b'Hello') # test "X-NLS-Signature: b'....' x_nls_signature_header_value = f'{signature_set_header.hex().encode()}' @@ -54,7 +55,7 @@ def test_signing(): # test eval signature_get_header = eval(x_nls_signature_header_value) signature_get_header = bytes.fromhex(signature_get_header.decode('ascii')) - INSTANCE_KEY_PUB.verify_signature(signature_get_header, b'Hello') + my_si_public_key.verify_signature(signature_get_header, b'Hello') def test_index(): @@ -233,7 +234,7 @@ def test_leasing_v1_lessor(): assert len(signature) == 512 signature = bytes.fromhex(signature.decode('ascii')) assert len(signature) == 256 - INSTANCE_KEY_PUB.verify_signature(signature, response.content) + my_si_public_key.verify_signature(signature, response.content) lease_result_list = response.json().get('lease_result_list') assert len(lease_result_list) == 1 @@ -271,7 +272,7 @@ def test_leasing_v1_lease_renew(): assert len(signature) == 512 signature = bytes.fromhex(signature.decode('ascii')) assert len(signature) == 256 - INSTANCE_KEY_PUB.verify_signature(signature, response.content) + my_si_public_key.verify_signature(signature, response.content) lease_ref = response.json().get('lease_ref') assert len(lease_ref) == 36 From 1265be5fbed1b91ebd6a779bdb049a2c81da3d80 Mon Sep 17 00:00:00 2001 From: Oscar Krause Date: Wed, 16 Apr 2025 08:05:58 +0200 Subject: [PATCH 34/69] fixes --- .PKGBUILD/PKGBUILD | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.PKGBUILD/PKGBUILD b/.PKGBUILD/PKGBUILD index 2504aaa..7e56b3a 100644 --- a/.PKGBUILD/PKGBUILD +++ b/.PKGBUILD/PKGBUILD @@ -17,7 +17,7 @@ source=("git+file://${CI_PROJECT_DIR}" "$pkgname.service" "$pkgname.tmpfiles") sha256sums=('SKIP' - 'fbd015449a30c0ae82733289a56eb98151dcfab66c91b37fe8e202e39f7a5edb' + 'a4776a0ae4671751065bf3e98aa707030b8b5ffe42dde942c51050dab5028c54' '2719338541104c537453a65261c012dda58e1dbee99154cf4f33b526ee6ca22e' '3dc60140c08122a8ec0e7fa7f0937eb8c1288058890ba09478420fc30ce9e30c') From da31c5f0a72d805884a166d9e6146e754bab16a6 Mon Sep 17 00:00:00 2001 From: Oscar Krause Date: Wed, 16 Apr 2025 08:10:49 +0200 Subject: [PATCH 35/69] fixes --- app/util.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/app/util.py b/app/util.py index 7b60026..16c1a38 100644 --- a/app/util.py +++ b/app/util.py @@ -162,7 +162,7 @@ class CASetup: # create si-certificate subject my_si_subject = x509.Name([ # x509.NameAttribute(NameOID.COMMON_NAME, INSTANCE_REF), - x509.NameAttribute(NameOID.COMMON_NAME, j.get('service_instance_ref')), + x509.NameAttribute(NameOID.COMMON_NAME, self.service_instance_ref), ]) # create self-signed si-certificate From 31957ec6d7659783b00a942eefd08e71b274feab Mon Sep 17 00:00:00 2001 From: Oscar Krause Date: Wed, 16 Apr 2025 08:37:28 +0200 Subject: [PATCH 36/69] added '/-/config/root-ca' endpoint --- README.md | 4 ++++ app/main.py | 6 ++++++ test/main.py | 9 ++++++++- 3 files changed, 18 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 9bc0094..e0185a1 100644 --- a/README.md +++ b/README.md @@ -541,6 +541,10 @@ Status endpoint, used for *healthcheck*. Shows current runtime environment variables and their values. +**`GET /-/config/root-ca`** + +Returns the Root-CA Certificate which is used. This is required for patching `nvidia-gridd` on 18.x releases. + **`GET /-/readme`** HTML rendered README.md. diff --git a/app/main.py b/app/main.py index 0894adb..60377b9 100644 --- a/app/main.py +++ b/app/main.py @@ -53,6 +53,7 @@ PRODUCT_MAPPING = ProductMapping(filename=join(dirname(__file__), 'static/produc # Create certificate chain and signing keys ca_setup = CASetup(service_instance_ref=INSTANCE_REF) +my_root_certificate = Cert.from_file(ca_setup.root_certificate_filename) my_ca_certificate = Cert.from_file(ca_setup.ca_certificate_filename) my_si_certificate = Cert.from_file(ca_setup.si_certificate_filename) my_si_private_key = PrivateKey.from_file(ca_setup.si_private_key_filename) @@ -148,6 +149,11 @@ async def _config(): }) +@app.get('/-/config/root-ca', summary='* Root CA', description='returns Root-CA needed for patching nvidia-gridd') +async def _config(): + return Response(content=my_root_certificate.pem().decode('utf-8'), media_type='text/plain') + + @app.get('/-/readme', summary='* Readme') async def _readme(): from markdown import markdown diff --git a/test/main.py b/test/main.py index 2547412..fda7354 100644 --- a/test/main.py +++ b/test/main.py @@ -16,7 +16,7 @@ sys.path.append('../') sys.path.append('../app') from app import main -from util import CASetup, PrivateKey, PublicKey +from util import CASetup, PrivateKey, PublicKey, Cert client = TestClient(main.app) @@ -26,6 +26,7 @@ ORIGIN_REF, ALLOTMENT_REF, SECRET = str(uuid4()), '20000000-0000-0000-0000-00000 # CA & Signing ca_setup = CASetup(service_instance_ref=INSTANCE_REF) +my_root_certificate = Cert.from_file(ca_setup.root_certificate_filename) my_si_private_key = PrivateKey.from_file(ca_setup.si_private_key_filename) my_si_private_key_as_pem = my_si_private_key.pem() my_si_public_key = my_si_private_key.public_key() @@ -74,6 +75,12 @@ def test_config(): assert response.status_code == 200 +def test_config_root_ca(): + response = client.get('/-/config/root-ca') + assert response.status_code == 200 + assert response.content.decode('utf-8') == my_root_certificate.pem().decode('utf-8') + + def test_readme(): response = client.get('/-/readme') assert response.status_code == 200 From a767e73ca63294ca4e47afad99e90541a8d2fb59 Mon Sep 17 00:00:00 2001 From: Oscar Krause Date: Wed, 16 Apr 2025 09:03:27 +0200 Subject: [PATCH 37/69] code styling --- app/main.py | 81 +++++++++++++++++++++++++++++------------------------ 1 file changed, 44 insertions(+), 37 deletions(-) diff --git a/app/main.py b/app/main.py index 60377b9..7116422 100644 --- a/app/main.py +++ b/app/main.py @@ -13,7 +13,7 @@ from dateutil.relativedelta import relativedelta from dotenv import load_dotenv from fastapi import FastAPI from fastapi.requests import Request -from fastapi.responses import StreamingResponse, JSONResponse as JSONr, HTMLResponse as HTMLr, Response, RedirectResponse +from fastapi.responses import Response, RedirectResponse, StreamingResponse from jose import jws, jwk, jwt, JWTError from jose.constants import ALGORITHMS from sqlalchemy import create_engine @@ -21,7 +21,7 @@ from sqlalchemy.orm import sessionmaker from starlette.middleware.cors import CORSMiddleware from orm import Origin, Lease, init as db_init, migrate -from util import CASetup, PrivateKey, PublicKey, load_file, Cert, ProductMapping +from util import CASetup, PrivateKey, Cert, ProductMapping, load_file # Load variables load_dotenv('../version.env') @@ -127,12 +127,12 @@ async def _index(): @app.get('/-/health', summary='* Health') async def _health(): - return JSONr({'status': 'up'}) + return Response(content=json_dumps({'status': 'up'}), media_type='application/json', status_code=200) @app.get('/-/config', summary='* Config', description='returns environment variables.') async def _config(): - return JSONr({ + response = { 'VERSION': str(VERSION), 'COMMIT': str(COMMIT), 'DEBUG': str(DEBUG), @@ -146,7 +146,10 @@ async def _config(): 'LEASE_RENEWAL_PERIOD': str(LEASE_RENEWAL_PERIOD), 'CORS_ORIGINS': str(CORS_ORIGINS), 'TZ': str(TZ), - }) + } + + return Response(content=json_dumps(response), media_type='application/json', status_code=200) + @app.get('/-/config/root-ca', summary='* Root CA', description='returns Root-CA needed for patching nvidia-gridd') @@ -158,7 +161,8 @@ async def _config(): async def _readme(): from markdown import markdown content = load_file(join(dirname(__file__), '../README.md')).decode('utf-8') - return HTMLr(markdown(text=content, extensions=['tables', 'fenced_code', 'md_in_html', 'nl2br', 'toc'])) + response = markdown(text=content, extensions=['tables', 'fenced_code', 'md_in_html', 'nl2br', 'toc']) + return Response(response, media_type='text/html', status_code=200) @app.get('/-/manage', summary='* Management UI') @@ -196,7 +200,7 @@ async def _manage(request: Request): ''' - return HTMLr(response) + return Response(response, media_type='text/html', status_code=200) @app.get('/-/origins', summary='* Origins') @@ -210,7 +214,7 @@ async def _origins(request: Request, leases: bool = False): x['leases'] = list(map(lambda _: _.serialize(**serialize), Lease.find_by_origin_ref(db, origin.origin_ref))) response.append(x) session.close() - return JSONr(response) + return Response(content=json_dumps(response), media_type='application/json', status_code=200) @app.delete('/-/origins', summary='* Origins') @@ -232,7 +236,7 @@ async def _leases(request: Request, origin: bool = False): x['origin'] = lease_origin.serialize() response.append(x) session.close() - return JSONr(response) + return Response(content=json_dumps(response), media_type='application/json', status_code=200) @app.delete('/-/leases/expired', summary='* Leases') @@ -245,7 +249,8 @@ async def _lease_delete_expired(request: Request): async def _lease_delete(request: Request, lease_ref: str): if Lease.delete(db, lease_ref) == 1: return Response(status_code=201) - return JSONr(status_code=404, content={'status': 404, 'detail': 'lease not found'}) + response = {'status': 404, 'detail': 'lease not found'} + return Response(content=json_dumps(response), media_type='application/json', status_code=404) # venv/lib/python3.9/site-packages/nls_core_service_instance/service_instance_token_manager.py @@ -327,7 +332,7 @@ async def auth_v1_origin(request: Request): "sync_timestamp": cur_time.strftime(DT_FORMAT) } - return JSONr(response) + return Response(content=json_dumps(response, separators=(',', ':')), media_type='application/json', status_code=200) # venv/lib/python3.9/site-packages/nls_services_auth/test/test_origins_controller.py @@ -353,7 +358,7 @@ async def auth_v1_origin_update(request: Request): "sync_timestamp": cur_time.strftime(DT_FORMAT) } - return JSONr(response) + return Response(content=json_dumps(response, separators=(',', ':')), media_type='application/json', status_code=200) # venv/lib/python3.9/site-packages/nls_services_auth/test/test_auth_controller.py @@ -385,7 +390,7 @@ async def auth_v1_code(request: Request): "sync_timestamp": cur_time.strftime(DT_FORMAT), } - return JSONr(response) + return Response(content=json_dumps(response, separators=(',', ':')), media_type='application/json', status_code=200) # venv/lib/python3.9/site-packages/nls_services_auth/test/test_auth_controller.py @@ -397,7 +402,8 @@ async def auth_v1_token(request: Request): try: payload = jwt.decode(token=j.get('auth_code'), key=jwt_decode_key, algorithms=ALGORITHMS.RS256) except JWTError as e: - return JSONr(status_code=400, content={'status': 400, 'title': 'invalid token', 'detail': str(e)}) + response = {'status': 400, 'title': 'invalid token', 'detail': str(e)} + return Response(content=json_dumps(response), media_type='application/json', status_code=400) origin_ref = payload.get('origin_ref') logger.info(f'> [ auth ]: {origin_ref}: {j}') @@ -405,7 +411,8 @@ async def auth_v1_token(request: Request): # validate the code challenge challenge = b64enc(sha256(j.get('code_verifier').encode('utf-8')).digest()).rstrip(b'=').decode('utf-8') if payload.get('challenge') != challenge: - return JSONr(status_code=401, content={'status': 401, 'detail': 'expected challenge did not match verifier'}) + response = {'status': 401, 'detail': 'expected challenge did not match verifier'} + return Response(content=json_dumps(response), media_type='application/json', status_code=401) access_expires_on = cur_time + TOKEN_EXPIRE_DELTA @@ -429,7 +436,7 @@ async def auth_v1_token(request: Request): "sync_timestamp": cur_time.strftime(DT_FORMAT), } - return JSONr(response) + return Response(content=json_dumps(response, separators=(',', ':')), media_type='application/json', status_code=200) # NLS 3.4.0 - venv/lib/python3.12/site-packages/nls_services_lease/test/test_lease_single_controller.py @@ -437,12 +444,6 @@ async def auth_v1_token(request: Request): async def leasing_v1_config_token(request: Request): j, cur_time = json_loads((await request.body()).decode('utf-8')), datetime.now(UTC) - logger.debug(f'CALLED /leasing/v1/config-token') - logger.debug(f'Headers: {request.headers}') - logger.debug(f'Request: {j}') - - """ build out payload """ - cur_time = datetime.now(UTC) exp_time = cur_time + CLIENT_TOKEN_EXPIRE_DELTA @@ -486,9 +487,7 @@ async def leasing_v1_config_token(request: Request): "configToken": config_token, } - logging.debug(response) - - return JSONr(response, status_code=200) + return Response(content=json_dumps(response, separators=(',', ':')), media_type='application/json', status_code=200) # venv/lib/python3.9/site-packages/nls_services_lease/test/test_lease_multi_controller.py @@ -499,7 +498,8 @@ async def leasing_v1_lessor(request: Request): try: token = __get_token(request) except JWTError: - return JSONr(status_code=401, content={'status': 401, 'detail': 'token is not valid'}) + response = {'status': 401, 'detail': 'token is not valid'} + return Response(content=json_dumps(response), media_type='application/json', status_code=401) origin_ref = token.get('origin_ref') scope_ref_list = j.get('scope_ref_list') @@ -508,7 +508,8 @@ async def leasing_v1_lessor(request: Request): for scope_ref in scope_ref_list: # if scope_ref not in [ALLOTMENT_REF]: - # return JSONr(status_code=500, detail=f'no service instances found for scopes: ["{scope_ref}"]') + # response = {'status': 400, 'detail': f'service instances not found for scopes: ["{scope_ref}"]')} + # return Response(content=json_dumps(response), media_type='application/json', status_code=400) pass lease_result_list = [] @@ -556,7 +557,8 @@ async def leasing_v1_lessor(request: Request): 'access-control-expose-headers': 'X-NLS-Signature', 'X-NLS-Signature': f'{signature.hex().encode()}' } - return Response(content=content, media_type='text/plain', headers=headers) # return JSONr(content, headers=headers) + + return Response(content=content, media_type='application/json', headers=headers) # venv/lib/python3.9/site-packages/nls_services_lease/test/test_lease_multi_controller.py @@ -576,7 +578,7 @@ async def leasing_v1_lessor_lease(request: Request): "sync_timestamp": cur_time.strftime(DT_FORMAT), } - return JSONr(response) + return Response(content=json_dumps(response, separators=(',', ':')), media_type='application/json', status_code=200) # venv/lib/python3.9/site-packages/nls_services_lease/test/test_lease_single_controller.py @@ -590,7 +592,8 @@ async def leasing_v1_lease_renew(request: Request, lease_ref: str): entity = Lease.find_by_origin_ref_and_lease_ref(db, origin_ref, lease_ref) if entity is None: - return JSONr(status_code=404, content={'status': 404, 'detail': 'requested lease not available'}) + response = {'status': 404, 'detail': 'requested lease not available'} + return Response(content=json_dumps(response), media_type='application/json', status_code=404) expires = cur_time + LEASE_EXPIRE_DELTA response = { @@ -616,7 +619,8 @@ async def leasing_v1_lease_renew(request: Request, lease_ref: str): 'access-control-expose-headers': 'X-NLS-Signature', 'X-NLS-Signature': f'{signature.hex().encode()}' } - return Response(content=content, media_type='text/plain', headers=headers) #return JSONr(content, headers=headers) + + return Response(content=content, media_type='application/json', headers=headers) @@ -630,12 +634,15 @@ async def leasing_v1_lease_delete(request: Request, lease_ref: str): entity = Lease.find_by_lease_ref(db, lease_ref) if entity.origin_ref != origin_ref: - return JSONr(status_code=403, content={'status': 403, 'detail': 'access or operation forbidden'}) + response = {'status': 403, 'detail': 'access or operation forbidden'} + return Response(content=json_dumps(response), media_type='application/json', status_code=403) if entity is None: - return JSONr(status_code=404, content={'status': 404, 'detail': 'requested lease not available'}) + response = {'status': 404, 'detail': 'requested lease not available'} + return Response(content=json_dumps(response), media_type='application/json', status_code=404) if Lease.delete(db, lease_ref) == 0: - return JSONr(status_code=404, content={'status': 404, 'detail': 'lease not found'}) + response = {'status': 404, 'detail': 'lease not found'} + return Response(content=json_dumps(response), media_type='application/json', status_code=404) response = { "client_challenge": None, @@ -644,7 +651,7 @@ async def leasing_v1_lease_delete(request: Request, lease_ref: str): "sync_timestamp": cur_time.strftime(DT_FORMAT), } - return JSONr(response) + return Response(content=json_dumps(response, separators=(',', ':')), media_type='application/json', status_code=200) # venv/lib/python3.9/site-packages/nls_services_lease/test/test_lease_multi_controller.py @@ -665,7 +672,7 @@ async def leasing_v1_lessor_lease_remove(request: Request): "sync_timestamp": cur_time.strftime(DT_FORMAT), } - return JSONr(response) + return Response(content=json_dumps(response, separators=(',', ':')), media_type='application/json', status_code=200) @app.post('/leasing/v1/lessor/shutdown', description='shutdown all leases') @@ -687,7 +694,7 @@ async def leasing_v1_lessor_shutdown(request: Request): "sync_timestamp": cur_time.strftime(DT_FORMAT), } - return JSONr(response) + return Response(content=json_dumps(response, separators=(',', ':')), media_type='application/json', status_code=200) if __name__ == '__main__': From 389b36fcb88d481a3f823b28cec409820aa208cc Mon Sep 17 00:00:00 2001 From: Oscar Krause Date: Wed, 16 Apr 2025 09:19:17 +0200 Subject: [PATCH 38/69] removed any 'instance.*.pem' reference --- .DEBIAN/postinst | 8 ------- .PKGBUILD/PKGBUILD | 2 -- .PKGBUILD/fastapi-dls.install | 4 ---- .UNRAID/FastAPI-DLS.xml | 3 --- .gitlab-ci.yml | 4 ---- README.md | 11 +-------- app/util.py | 28 ++++++++++++---------- examples/docker-compose-http-and-https.yml | 2 +- 8 files changed, 18 insertions(+), 44 deletions(-) diff --git a/.DEBIAN/postinst b/.DEBIAN/postinst index 8213736..35c33fb 100644 --- a/.DEBIAN/postinst +++ b/.DEBIAN/postinst @@ -3,14 +3,6 @@ WORKING_DIR=/usr/share/fastapi-dls CONFIG_DIR=/etc/fastapi-dls -if [ ! -f $CONFIG_DIR/instance.private.pem ]; then - echo "> Create dls-instance keypair ..." - openssl genrsa -out $CONFIG_DIR/instance.private.pem 2048 - openssl rsa -in $CONFIG_DIR/instance.private.pem -outform PEM -pubout -out $CONFIG_DIR/instance.public.pem -else - echo "> Create dls-instance keypair skipped! (exists)" -fi - while true; do [ -f $CONFIG_DIR/webserver.key ] && default_answer="N" || default_answer="Y" [ $default_answer == "Y" ] && V="Y/n" || V="y/N" diff --git a/.PKGBUILD/PKGBUILD b/.PKGBUILD/PKGBUILD index 7e56b3a..0d83324 100644 --- a/.PKGBUILD/PKGBUILD +++ b/.PKGBUILD/PKGBUILD @@ -30,8 +30,6 @@ pkgver() { check() { cd "$srcdir/$pkgname/test" mkdir "$srcdir/$pkgname/app/cert" - openssl genrsa -out "$srcdir/$pkgname/app/cert/instance.private.pem" 2048 - openssl rsa -in "$srcdir/$pkgname/app/cert/instance.private.pem" -outform PEM -pubout -out "$srcdir/$pkgname/app/cert/instance.public.pem" python "$srcdir/$pkgname/test/main.py" rm -rf "$srcdir/$pkgname/app/cert" } diff --git a/.PKGBUILD/fastapi-dls.install b/.PKGBUILD/fastapi-dls.install index 17ad880..764b5a7 100644 --- a/.PKGBUILD/fastapi-dls.install +++ b/.PKGBUILD/fastapi-dls.install @@ -7,8 +7,4 @@ post_install() { echo echo 'A valid HTTPS certificate needs to be installed to /var/lib/fastapi-dls/cert/webserver.{crt,key}' echo 'A self-signed certificate can be generated with: openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout /var/lib/fastapi-dls/cert/webserver.key -out /var/lib/fastapi-dls/cert/webserver.crt' - echo - echo 'The signing keys for your instance need to be generated as well. Generate them with these commands:' - echo 'openssl genrsa -out /var/lib/fastapi-dls/instance.private.pem 2048' - echo 'openssl rsa -in /var/lib/fastapi-dls/instance.private.pem -outform PEM -pubout -out /var/lib/fastapi-dls/instance.public.pem' } diff --git a/.UNRAID/FastAPI-DLS.xml b/.UNRAID/FastAPI-DLS.xml index f6bf52b..bac00e8 100644 --- a/.UNRAID/FastAPI-DLS.xml +++ b/.UNRAID/FastAPI-DLS.xml @@ -18,9 +18,6 @@ Make sure you create these certificates before starting the container for the fi WORKING_DIR=/mnt/user/appdata/fastapi-dls/cert mkdir -p $WORKING_DIR cd $WORKING_DIR -# create instance private and public key for singing JWT's -openssl genrsa -out $WORKING_DIR/instance.private.pem 2048 -openssl rsa -in $WORKING_DIR/instance.private.pem -outform PEM -pubout -out $WORKING_DIR/instance.public.pem # create ssl certificate for integrated webserver (uvicorn) - because clients rely on ssl openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout $WORKING_DIR/webserver.key -out $WORKING_DIR/webserver.crt ``` diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index fde7b6e..4901b27 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -151,8 +151,6 @@ test: - pip install -r $REQUIREMENTS - pip install pytest pytest-cov pytest-custom_exit_code httpx - mkdir -p app/cert - - openssl genrsa -out app/cert/instance.private.pem 2048 - - openssl rsa -in app/cert/instance.private.pem -outform PEM -pubout -out app/cert/instance.public.pem - cd test script: - python -m pytest main.py --junitxml=report.xml @@ -265,8 +263,6 @@ test_coverage: - pip install -r requirements.txt - pip install pytest pytest-cov pytest-custom_exit_code httpx - mkdir -p app/cert - - openssl genrsa -out app/cert/instance.private.pem 2048 - - openssl rsa -in app/cert/instance.private.pem -outform PEM -pubout -out app/cert/instance.public.pem - cd test script: - coverage run -m pytest main.py --junitxml=report.xml --suppress-no-test-exit-code diff --git a/README.md b/README.md index e0185a1..4979d7c 100644 --- a/README.md +++ b/README.md @@ -66,9 +66,6 @@ The images include database drivers for `postgres`, `mariadb` and `sqlite`. WORKING_DIR=/opt/docker/fastapi-dls/cert mkdir -p $WORKING_DIR cd $WORKING_DIR -# create instance private and public key for singing JWT's -openssl genrsa -out $WORKING_DIR/instance.private.pem 2048 -openssl rsa -in $WORKING_DIR/instance.private.pem -outform PEM -pubout -out $WORKING_DIR/instance.public.pem # create ssl certificate for integrated webserver (uvicorn) - because clients rely on ssl openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout $WORKING_DIR/webserver.key -out $WORKING_DIR/webserver.crt ``` @@ -153,9 +150,6 @@ chown -R www-data:www-data $WORKING_DIR WORKING_DIR=/opt/fastapi-dls/app/cert mkdir -p $WORKING_DIR cd $WORKING_DIR -# create instance private and public key for singing JWT's -openssl genrsa -out $WORKING_DIR/instance.private.pem 2048 -openssl rsa -in $WORKING_DIR/instance.private.pem -outform PEM -pubout -out $WORKING_DIR/instance.public.pem # create ssl certificate for integrated webserver (uvicorn) - because clients rely on ssl openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout $WORKING_DIR/webserver.key -out $WORKING_DIR/webserver.crt chown -R www-data:www-data $WORKING_DIR @@ -255,9 +249,6 @@ CERT_DIR=${BASE_DIR}/app/cert SERVICE_USER=dls mkdir ${CERT_DIR} cd ${CERT_DIR} -# create instance private and public key for singing JWT's -openssl genrsa -out ${CERT_DIR}/instance.private.pem 2048 -openssl rsa -in ${CERT_DIR}/instance.private.pem -outform PEM -pubout -out ${CERT_DIR}/instance.public.pem # create ssl certificate for integrated webserver (uvicorn) - because clients rely on ssl openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout ${CERT_DIR}/webserver.key -out ${CERT_DIR}/webserver.crt chown -R ${SERVICE_USER} ${CERT_DIR} @@ -617,7 +608,7 @@ Please download a new client-token. The guest have to register within an hour af ### `jose.exceptions.JWTError: Signature verification failed.` -- Did you recreate `instance.public.pem` / `instance.private.pem`? +- Did you recreate any certificate or keypair? Then you have to download a **new** client-token on each of your guests. diff --git a/app/util.py b/app/util.py index 16c1a38..e302787 100644 --- a/app/util.py +++ b/app/util.py @@ -23,17 +23,24 @@ class CASetup: # ### + ROOT_PRIVATE_KEY_FILENAME = 'root_private_key.pem' + ROOT_CERTIFICATE_FILENAME = 'root_certificate.pem' + CA_PRIVATE_KEY_FILENAME = 'ca_private_key.pem' + CA_CERTIFICATE_FILENAME = 'ca_certificate.pem' + SI_PRIVATE_KEY_FILENAME = 'si_private_key.pem' + SI_CERTIFICATE_FILENAME = 'si_certificate.pem' + def __init__(self, service_instance_ref: str): self.service_instance_ref = service_instance_ref - self.root_private_key_filename = join(dirname(__file__), 'cert/my_demo_root_private_key.pem') - self.root_certificate_filename = join(dirname(__file__), 'cert/my_demo_root_certificate.pem') - self.ca_private_key_filename = join(dirname(__file__), 'cert/my_demo_ca_private_key.pem') - self.ca_certificate_filename = join(dirname(__file__), 'cert/my_demo_ca_certificate.pem') - self.si_private_key_filename = join(dirname(__file__), 'cert/my_demo_si_private_key.pem') - self.si_public_key_filename = join(dirname(__file__), 'cert/my_demo_si_public_key.pem') - self.si_certificate_filename = join(dirname(__file__), 'cert/my_demo_si_certificate.pem') + self.root_private_key_filename = join(dirname(__file__), 'cert', CASetup.ROOT_PRIVATE_KEY_FILENAME) + self.root_certificate_filename = join(dirname(__file__), 'cert', CASetup.ROOT_CERTIFICATE_FILENAME) + self.ca_private_key_filename = join(dirname(__file__), 'cert', CASetup.CA_PRIVATE_KEY_FILENAME) + self.ca_certificate_filename = join(dirname(__file__), 'cert', CASetup.CA_CERTIFICATE_FILENAME) + self.si_private_key_filename = join(dirname(__file__), 'cert', CASetup.SI_PRIVATE_KEY_FILENAME) + self.si_certificate_filename = join(dirname(__file__), 'cert', CASetup.SI_CERTIFICATE_FILENAME) if not (isfile(self.root_private_key_filename) + and isfile(self.root_certificate_filename) and isfile(self.ca_private_key_filename) and isfile(self.ca_certificate_filename) and isfile(self.si_private_key_filename) @@ -156,8 +163,8 @@ class CASetup: with open(self.si_private_key_filename, 'wb') as f: f.write(my_si_private_key_as_pem) - with open(self.si_public_key_filename, 'wb') as f: - f.write(my_si_public_key_as_pem) + # with open(self.si_public_key_filename, 'wb') as f: + # f.write(my_si_public_key_as_pem) # create si-certificate subject my_si_subject = x509.Name([ @@ -192,9 +199,6 @@ class CASetup: ]), critical=False) .sign(my_ca_private_key, hashes.SHA256())) - my_si_public_key_exp = my_si_certificate.public_key().public_numbers().e - my_si_public_key_mod = f'{my_si_certificate.public_key().public_numbers().n:x}' # hex value without "0x" prefix - with open(self.si_certificate_filename, 'wb') as f: f.write(my_si_certificate.public_bytes(encoding=Encoding.PEM)) diff --git a/examples/docker-compose-http-and-https.yml b/examples/docker-compose-http-and-https.yml index 3f02cdc..e8695a6 100644 --- a/examples/docker-compose-http-and-https.yml +++ b/examples/docker-compose-http-and-https.yml @@ -15,7 +15,7 @@ services: <<: *dls-variables volumes: - /etc/timezone:/etc/timezone:ro - - /opt/docker/fastapi-dls/cert:/app/cert # instance.private.pem, instance.public.pem + - /opt/docker/fastapi-dls/cert:/app/cert - db:/app/database entrypoint: ["uvicorn", "main:app", "--host", "0.0.0.0", "--port", "8000", "--app-dir", "/app", "--proxy-headers"] healthcheck: From 8f4d2e6086d4534a36f56811c755d5bb5d7b95b5 Mon Sep 17 00:00:00 2001 From: Oscar Krause Date: Wed, 16 Apr 2025 09:26:52 +0200 Subject: [PATCH 39/69] updated versions matrix and infos --- README.md | 51 ++++++++++++++++++++++++++------------------------- 1 file changed, 26 insertions(+), 25 deletions(-) diff --git a/README.md b/README.md index 4979d7c..ffb3cc8 100644 --- a/README.md +++ b/README.md @@ -2,13 +2,15 @@ Minimal Delegated License Service (DLS). +> [!warning] Branch support +> Use FastAPI-DLS == 1.x until **17.x** releases. +> Use FastAPI-DLS == 2.x since **18.x** releases in combination +> with [gridd-unlock-patcher](https://git.collinwebdesigns.de/oscar.krause/gridd-unlock-patcher). + > [!note] Compatibility > Compatibility tested with official NLS 2.0.1, 2.1.0, 3.1.0, 3.3.1, 3.4.0. For Driver compatibility > see [compatibility matrix](#vgpu-software-compatibility-matrix). -> [!warning] 18.x Drivers are not yet supported! -> Drivers are only supported until **17.x releases**. - This service can be used without internet connection. Only the clients need a connection to this service on configured port. @@ -744,33 +746,32 @@ The error message can safely be ignored (since we have no license limitation :P) # vGPU Software Compatibility Matrix -**18.x Drivers are not supported on FastAPI-DLS Versions < 1.6.0** -
Show Table Successfully tested with this package versions. -| vGPU Suftware | Driver Branch | Linux vGPU Manager | Linux Driver | Windows Driver | Release Date | EOL Date | -|:-------------:|:-------------:|--------------------|--------------|----------------|--------------:|--------------:| -| `17.5` | R550 | `550.144.02` | `550.144.03` | `553.62` | January 2025 | June 2025 | -| `17.4` | R550 | `550.127.06` | `550.127.05` | `553.24` | October 2024 | | -| `17.3` | R550 | `550.90.05` | `550.90.07` | `552.74` | July 2024 | | -| `17.2` | R550 | `550.90.05` | `550.90.07` | `552.55` | June 2024 | | -| `17.1` | R550 | `550.54.16` | `550.54.15` | `551.78` | March 2024 | | -| `17.0` | R550 | `550.54.10` | `550.54.14` | `551.61` | February 2024 | | -| `16.9` | R535 | `535.230.02` | `535.216.01` | `539.19` | October 2024 | July 2026 | -| `16.8` | R535 | `535.216.01` | `535.216.01` | `538.95` | October 2024 | | -| `16.7` | R535 | `535.183.04` | `535.183.06` | `538.78` | July 2024 | | -| `16.6` | R535 | `535.183.04` | `535.183.01` | `538.67` | June 2024 | | -| `16.5` | R535 | `535.161.05` | `535.161.08` | `538.46` | February 2024 | | -| `16.4` | R535 | `535.161.05` | `535.161.07` | `538.33` | February 2024 | | -| `16.3` | R535 | `535.154.02` | `535.154.05` | `538.15` | January 2024 | | -| `16.2` | R535 | `535.129.03` | `535.129.03` | `537.70` | October 2023 | | -| `16.1` | R535 | `535.104.06` | `535.104.05` | `537.13` | August 2023 | | -| `16.0` | R535 | `535.54.06` | `535.54.03` | `536.22` | July 2023 | | -| `15.4` | R525 | `525.147.01` | `525.147.05` | `529.19` | June 2023 | December 2023 | -| `14.4` | R510 | `510.108.03` | `510.108.03` | `514.08` | December 2022 | February 2023 | +| FastAPI-DLS Version | vGPU Suftware | Driver Branch | Linux vGPU Manager | Linux Driver | Windows Driver | Release Date | EOL Date | +|---------------------|:-------------:|:-------------:|--------------------|--------------|----------------|--------------:|--------------:| +| `2.x` | `18.0` | R570 | `570.124.03` | `570.124.06` | `572.60` | March 2025 | March 2026 | +| `1.x` | `17.5` | R550 | `550.144.02` | `550.144.03` | `553.62` | January 2025 | June 2025 | +| | `17.4` | R550 | `550.127.06` | `550.127.05` | `553.24` | October 2024 | | +| | `17.3` | R550 | `550.90.05` | `550.90.07` | `552.74` | July 2024 | | +| | `17.2` | R550 | `550.90.05` | `550.90.07` | `552.55` | June 2024 | | +| | `17.1` | R550 | `550.54.16` | `550.54.15` | `551.78` | March 2024 | | +| | `17.0` | R550 | `550.54.10` | `550.54.14` | `551.61` | February 2024 | | +| `1.x` | `16.9` | R535 | `535.230.02` | `535.216.01` | `539.19` | October 2024 | July 2026 | +| | `16.8` | R535 | `535.216.01` | `535.216.01` | `538.95` | October 2024 | | +| | `16.7` | R535 | `535.183.04` | `535.183.06` | `538.78` | July 2024 | | +| | `16.6` | R535 | `535.183.04` | `535.183.01` | `538.67` | June 2024 | | +| | `16.5` | R535 | `535.161.05` | `535.161.08` | `538.46` | February 2024 | | +| | `16.4` | R535 | `535.161.05` | `535.161.07` | `538.33` | February 2024 | | +| | `16.3` | R535 | `535.154.02` | `535.154.05` | `538.15` | January 2024 | | +| | `16.2` | R535 | `535.129.03` | `535.129.03` | `537.70` | October 2023 | | +| | `16.1` | R535 | `535.104.06` | `535.104.05` | `537.13` | August 2023 | | +| | `16.0` | R535 | `535.54.06` | `535.54.03` | `536.22` | July 2023 | | +| `1.x` | `15.4` | R525 | `525.147.01` | `525.147.05` | `529.19` | June 2023 | December 2023 | +| `1.x` | `14.4` | R510 | `510.108.03` | `510.108.03` | `514.08` | December 2022 | February 2023 |
From 133b1e24e2a2863e525f666c422c8c90ae586b8e Mon Sep 17 00:00:00 2001 From: Oscar Krause Date: Wed, 16 Apr 2025 09:29:10 +0200 Subject: [PATCH 40/69] code styling --- README.md | 29 ++++++++++------------------- 1 file changed, 10 insertions(+), 19 deletions(-) diff --git a/README.md b/README.md index ffb3cc8..1c3cfb7 100644 --- a/README.md +++ b/README.md @@ -753,25 +753,16 @@ Successfully tested with this package versions. | FastAPI-DLS Version | vGPU Suftware | Driver Branch | Linux vGPU Manager | Linux Driver | Windows Driver | Release Date | EOL Date | |---------------------|:-------------:|:-------------:|--------------------|--------------|----------------|--------------:|--------------:| -| `2.x` | `18.0` | R570 | `570.124.03` | `570.124.06` | `572.60` | March 2025 | March 2026 | -| `1.x` | `17.5` | R550 | `550.144.02` | `550.144.03` | `553.62` | January 2025 | June 2025 | -| | `17.4` | R550 | `550.127.06` | `550.127.05` | `553.24` | October 2024 | | -| | `17.3` | R550 | `550.90.05` | `550.90.07` | `552.74` | July 2024 | | -| | `17.2` | R550 | `550.90.05` | `550.90.07` | `552.55` | June 2024 | | -| | `17.1` | R550 | `550.54.16` | `550.54.15` | `551.78` | March 2024 | | -| | `17.0` | R550 | `550.54.10` | `550.54.14` | `551.61` | February 2024 | | -| `1.x` | `16.9` | R535 | `535.230.02` | `535.216.01` | `539.19` | October 2024 | July 2026 | -| | `16.8` | R535 | `535.216.01` | `535.216.01` | `538.95` | October 2024 | | -| | `16.7` | R535 | `535.183.04` | `535.183.06` | `538.78` | July 2024 | | -| | `16.6` | R535 | `535.183.04` | `535.183.01` | `538.67` | June 2024 | | -| | `16.5` | R535 | `535.161.05` | `535.161.08` | `538.46` | February 2024 | | -| | `16.4` | R535 | `535.161.05` | `535.161.07` | `538.33` | February 2024 | | -| | `16.3` | R535 | `535.154.02` | `535.154.05` | `538.15` | January 2024 | | -| | `16.2` | R535 | `535.129.03` | `535.129.03` | `537.70` | October 2023 | | -| | `16.1` | R535 | `535.104.06` | `535.104.05` | `537.13` | August 2023 | | -| | `16.0` | R535 | `535.54.06` | `535.54.03` | `536.22` | July 2023 | | -| `1.x` | `15.4` | R525 | `525.147.01` | `525.147.05` | `529.19` | June 2023 | December 2023 | -| `1.x` | `14.4` | R510 | `510.108.03` | `510.108.03` | `514.08` | December 2022 | February 2023 | +| `2.x` | `18.0` | **R570** | `570.124.03` | `570.124.06` | `572.60` | March 2025 | March 2026 | +| `1.x` | `17.5` | | `550.144.02` | `550.144.03` | `553.62` | January 2025 | June 2025 | +| | `17.4` | | `550.127.06` | `550.127.05` | `553.24` | October 2024 | | +| | `17.3` | | `550.90.05` | `550.90.07` | `552.74` | July 2024 | | +| | `17.2` | | `550.90.05` | `550.90.07` | `552.55` | June 2024 | | +| | `17.1` | | `550.54.16` | `550.54.15` | `551.78` | March 2024 | | +| | `17.0` | **R550** | `550.54.10` | `550.54.14` | `551.61` | February 2024 | | +| `1.x` | `16.9` | **R535** | `535.230.02` | `535.216.01` | `539.19` | October 2024 | July 2026 | +| `1.x` | `15.4` | **R525** | `525.147.01` | `525.147.05` | `529.19` | June 2023 | December 2023 | +| `1.x` | `14.4` | **R510** | `510.108.03` | `510.108.03` | `514.08` | December 2022 | February 2023 | From 9712a84a00201730c4aab59d9a2c9df5b911b4e7 Mon Sep 17 00:00:00 2001 From: Oscar Krause Date: Wed, 16 Apr 2025 09:30:04 +0200 Subject: [PATCH 41/69] code styling --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 1c3cfb7..6662e3d 100644 --- a/README.md +++ b/README.md @@ -2,8 +2,8 @@ Minimal Delegated License Service (DLS). -> [!warning] Branch support -> Use FastAPI-DLS == 1.x until **17.x** releases. +> [!warning] Branch support \ +> Use FastAPI-DLS == 1.x until **17.x** releases. \ > Use FastAPI-DLS == 2.x since **18.x** releases in combination > with [gridd-unlock-patcher](https://git.collinwebdesigns.de/oscar.krause/gridd-unlock-patcher). From 383c7f86848ab5167551e845e7b649576d7678ae Mon Sep 17 00:00:00 2001 From: Oscar Krause Date: Wed, 16 Apr 2025 11:59:53 +0200 Subject: [PATCH 42/69] updated compatibility --- README.md | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 6662e3d..c061776 100644 --- a/README.md +++ b/README.md @@ -3,9 +3,10 @@ Minimal Delegated License Service (DLS). > [!warning] Branch support \ -> Use FastAPI-DLS == 1.x until **17.x** releases. \ -> Use FastAPI-DLS == 2.x since **18.x** releases in combination +> FastAPI-DLS Version 1.x supports up to **`17.x`** releases. \ +> FastAPI-DLS Version 2.x is backwards compatible to `17.x` and supports **`18.x`** releases in combination > with [gridd-unlock-patcher](https://git.collinwebdesigns.de/oscar.krause/gridd-unlock-patcher). +> Other combinations of FastAPI-DLS and Driver-Branches may work but are not tested. > [!note] Compatibility > Compatibility tested with official NLS 2.0.1, 2.1.0, 3.1.0, 3.3.1, 3.4.0. For Driver compatibility @@ -754,7 +755,7 @@ Successfully tested with this package versions. | FastAPI-DLS Version | vGPU Suftware | Driver Branch | Linux vGPU Manager | Linux Driver | Windows Driver | Release Date | EOL Date | |---------------------|:-------------:|:-------------:|--------------------|--------------|----------------|--------------:|--------------:| | `2.x` | `18.0` | **R570** | `570.124.03` | `570.124.06` | `572.60` | March 2025 | March 2026 | -| `1.x` | `17.5` | | `550.144.02` | `550.144.03` | `553.62` | January 2025 | June 2025 | +| `1.x` & `2.x` | `17.5` | | `550.144.02` | `550.144.03` | `553.62` | January 2025 | June 2025 | | | `17.4` | | `550.127.06` | `550.127.05` | `553.24` | October 2024 | | | | `17.3` | | `550.90.05` | `550.90.07` | `552.74` | July 2024 | | | | `17.2` | | `550.90.05` | `550.90.07` | `552.55` | June 2024 | | From 4650e18821ab9a0c480f7dd0999262ecb20eb5b0 Mon Sep 17 00:00:00 2001 From: Oscar Krause Date: Wed, 16 Apr 2025 12:00:21 +0200 Subject: [PATCH 43/69] added todo --- app/main.py | 1 + 1 file changed, 1 insertion(+) diff --git a/app/main.py b/app/main.py index 7116422..b9e9595 100644 --- a/app/main.py +++ b/app/main.py @@ -276,6 +276,7 @@ async def _client_token(): { "idx": 0, "d_name": "DLS", + # todo: {"service": "quick_release", "port": 80} - see "shutdown for windows" "svc_port_map": [{"service": "auth", "port": DLS_PORT}, {"service": "lease", "port": DLS_PORT}] } ], From e00e7569eb56aaec595806ec71b03798e25a3aa9 Mon Sep 17 00:00:00 2001 From: Oscar Krause Date: Wed, 16 Apr 2025 12:01:19 +0200 Subject: [PATCH 44/69] removed todo --- test/main.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/main.py b/test/main.py index fda7354..afc15c0 100644 --- a/test/main.py +++ b/test/main.py @@ -96,7 +96,7 @@ def test_client_token(): assert response.status_code == 200 -def test_config_token(): # todo: /leasing/v1/config-token +def test_config_token(): # https://git.collinwebdesigns.de/nvidia/nls/-/blob/main/src/test/test_config_token.py response = client.post('/leasing/v1/config-token', json={"service_instance_ref": INSTANCE_REF}) From ff2fbaf83fba2e304c473906ddf9a5c9dcfad16d Mon Sep 17 00:00:00 2001 From: Oscar Krause Date: Wed, 16 Apr 2025 14:11:04 +0200 Subject: [PATCH 45/69] code styling --- app/util.py | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/app/util.py b/app/util.py index e302787..f01e187 100644 --- a/app/util.py +++ b/app/util.py @@ -236,7 +236,7 @@ class PrivateKey: return PublicKey(data=data) def generate_signature(self, data: bytes) -> bytes: - return self.__key.sign(data, padding=PKCS1v15(), algorithm=SHA256()) + return self.__key.sign(data=data, padding=PKCS1v15(), algorithm=SHA256()) @staticmethod def generate(public_exponent: int = 65537, key_size: int = 2048) -> "PrivateKey": @@ -281,8 +281,8 @@ class PublicKey: def exp(self): return int(self.__key.public_numbers().e) - def verify_signature(self, signature: bytes, data: bytes) -> bytes: - return self.__key.verify(signature, data, padding=PKCS1v15(), algorithm=SHA256()) + def verify_signature(self, signature: bytes, data: bytes) -> None: + self.__key.verify(signature=signature, data=data, padding=PKCS1v15(), algorithm=SHA256()) class Cert: From cd4c3d379a6f8f95db0f07503bd3d9fbfc5dc086 Mon Sep 17 00:00:00 2001 From: Oscar Krause Date: Wed, 16 Apr 2025 15:01:14 +0200 Subject: [PATCH 46/69] code styling --- app/util.py | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/app/util.py b/app/util.py index a9e9b58..66df77e 100644 --- a/app/util.py +++ b/app/util.py @@ -1,5 +1,4 @@ import logging -from json import load as json_load from datetime import datetime, UTC, timedelta from json import loads as json_loads from os.path import join, dirname, isfile @@ -338,9 +337,8 @@ class DriverMatrix: def __load(self): try: - file = open(DriverMatrix.__DRIVER_MATRIX_FILENAME) - DriverMatrix.__DRIVER_MATRIX = json_load(file) - file.close() + with open(DriverMatrix.__DRIVER_MATRIX_FILENAME, 'r') as f: + DriverMatrix.__DRIVER_MATRIX = json_loads(f.read()) self.log.debug(f'Successfully loaded "{DriverMatrix.__DRIVER_MATRIX_FILENAME}".') except Exception as e: DriverMatrix.__DRIVER_MATRIX = {} # init empty dict to not try open file everytime, just when restarting app From f38378bbc811eab22368f526c726f9482f365d9d Mon Sep 17 00:00:00 2001 From: Oscar Krause Date: Wed, 16 Apr 2025 15:05:45 +0200 Subject: [PATCH 47/69] updated credits --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index b55ba3c..d1367bd 100644 --- a/README.md +++ b/README.md @@ -787,5 +787,6 @@ Special thanks to: - `Krutav Shah` who wrote the [vGPU_Unlock Wiki](https://docs.google.com/document/d/1pzrWJ9h-zANCtyqRgS7Vzla0Y8Ea2-5z2HEi4X75d2Q/) - `Wim van 't Hoog` for the [Proxmox All-In-One Installer Script](https://wvthoog.nl/proxmox-vgpu-v3/) - `mrzenc` who wrote [fastapi-dls-nixos](https://github.com/mrzenc/fastapi-dls-nixos) +- `electricsheep49` who wrote [gridd-unlock-patcher](https://git.collinwebdesigns.de/oscar.krause/gridd-unlock-patcher) And thanks to all people who contributed to all these libraries! From 3666e22707cc65e58952e779e611f4fe408b9a31 Mon Sep 17 00:00:00 2001 From: Oscar Krause Date: Mon, 21 Apr 2025 21:57:40 +0200 Subject: [PATCH 48/69] fixes --- app/main.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/app/main.py b/app/main.py index b9e9595..9099c34 100644 --- a/app/main.py +++ b/app/main.py @@ -471,8 +471,8 @@ async def leasing_v1_config_token(request: Request): my_jwt_encode_key = jwk.construct(my_si_private_key.pem().decode('utf-8'), algorithm=ALGORITHMS.RS256) config_token = jws.sign(payload, key=my_jwt_encode_key, headers=None, algorithm=ALGORITHMS.RS256) - response_ca_chain = my_ca_certificate.pem().decode('utf-8') - response_si_certificate = my_si_certificate.pem().decode('utf-8') + response_ca_chain = my_ca_certificate.pem().decode('utf-8').strip().replace('\n', '\r\n') + response_si_certificate = my_si_certificate.pem().decode('utf-8').strip().replace('\n', '\r\n') response = { "certificateConfiguration": { From dc783e65189acee4f25739d459c238efde23badf Mon Sep 17 00:00:00 2001 From: Oscar Krause Date: Tue, 22 Apr 2025 07:32:05 +0200 Subject: [PATCH 49/69] typos --- README.md | 4 ++-- app/main.py | 5 ++--- 2 files changed, 4 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index d1367bd..43a5490 100644 --- a/README.md +++ b/README.md @@ -535,9 +535,9 @@ Status endpoint, used for *healthcheck*. Shows current runtime environment variables and their values. -**`GET /-/config/root-ca`** +**`GET /-/config/root-certificate`** -Returns the Root-CA Certificate which is used. This is required for patching `nvidia-gridd` on 18.x releases. +Returns the Root-Certificate Certificate which is used. This is required for patching `nvidia-gridd` on 18.x releases. **`GET /-/readme`** diff --git a/app/main.py b/app/main.py index 9099c34..b3c167c 100644 --- a/app/main.py +++ b/app/main.py @@ -151,10 +151,9 @@ async def _config(): return Response(content=json_dumps(response), media_type='application/json', status_code=200) - -@app.get('/-/config/root-ca', summary='* Root CA', description='returns Root-CA needed for patching nvidia-gridd') +@app.get('/-/config/root-certificate', summary='* Root Certificate', description='returns Root--Certificate needed for patching nvidia-gridd') async def _config(): - return Response(content=my_root_certificate.pem().decode('utf-8'), media_type='text/plain') + return Response(content=my_root_certificate.pem().decode('ascii'), media_type='text/plain') @app.get('/-/readme', summary='* Readme') From 14f8b5475202c72e50caf8ec2e706f555c595150 Mon Sep 17 00:00:00 2001 From: Oscar Krause Date: Tue, 22 Apr 2025 07:32:30 +0200 Subject: [PATCH 50/69] test with "76 chars per line" --- app/main.py | 18 ++++++++++++++++-- 1 file changed, 16 insertions(+), 2 deletions(-) diff --git a/app/main.py b/app/main.py index b3c167c..8c52810 100644 --- a/app/main.py +++ b/app/main.py @@ -7,6 +7,7 @@ from hashlib import sha256 from json import loads as json_loads, dumps as json_dumps from os import getenv as env from os.path import join, dirname +from textwrap import wrap from uuid import uuid4 from dateutil.relativedelta import relativedelta @@ -470,8 +471,21 @@ async def leasing_v1_config_token(request: Request): my_jwt_encode_key = jwk.construct(my_si_private_key.pem().decode('utf-8'), algorithm=ALGORITHMS.RS256) config_token = jws.sign(payload, key=my_jwt_encode_key, headers=None, algorithm=ALGORITHMS.RS256) - response_ca_chain = my_ca_certificate.pem().decode('utf-8').strip().replace('\n', '\r\n') - response_si_certificate = my_si_certificate.pem().decode('utf-8').strip().replace('\n', '\r\n') + response_ca_chain = my_ca_certificate.pem().decode('utf-8').strip() # .replace('\n', '\r\n') + response_ca_chain = response_ca_chain.replace('-----BEGIN CERTIFICATE-----', '') + response_ca_chain = response_ca_chain.replace('-----END CERTIFICATE-----', '') + response_ca_chain = response_ca_chain.replace('\n', '') + response_ca_chain = wrap(response_ca_chain, 76) + response_ca_chain = '\r\n'.join(response_ca_chain) + response_ca_chain = f'-----BEGIN CERTIFICATE-----\r\n{response_ca_chain}\r\n-----END CERTIFICATE-----' + + response_si_certificate = my_si_certificate.pem().decode('utf-8').strip() # .replace('\n', '\r\n') + response_si_certificate = response_si_certificate.replace('-----BEGIN CERTIFICATE-----', '') + response_si_certificate = response_si_certificate.replace('-----END CERTIFICATE-----', '') + response_si_certificate = response_si_certificate.replace('\n', '') + response_si_certificate = wrap(response_si_certificate, 76) + response_si_certificate = '\r\n'.join(response_si_certificate) + response_si_certificate = f'-----BEGIN CERTIFICATE-----\r\n{response_si_certificate}\r\n-----END CERTIFICATE-----' response = { "certificateConfiguration": { From b0ca5d7ab53692c8179c68c67a77dc0a050ca627 Mon Sep 17 00:00:00 2001 From: Oscar Krause Date: Tue, 22 Apr 2025 08:06:17 +0200 Subject: [PATCH 51/69] fixes --- app/main.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/app/main.py b/app/main.py index 8c52810..b828dce 100644 --- a/app/main.py +++ b/app/main.py @@ -494,8 +494,8 @@ async def leasing_v1_config_token(request: Request): # 76 chars per line "publicCert": response_si_certificate, "publicKey": { - "exp": int(my_si_certificate.raw().public_key().public_numbers().e), - "mod": [hex(my_si_certificate.raw().public_key().public_numbers().n)[2:]], + "exp": my_si_private_key.public_key().mod(), + "mod": [my_si_private_key.public_key().exp()], }, }, "configToken": config_token, From e1ae757a508ba03fdcc0138f1a3c698b78cdca2f Mon Sep 17 00:00:00 2001 From: Oscar Krause Date: Tue, 22 Apr 2025 08:53:30 +0200 Subject: [PATCH 52/69] updated tests --- test/main.py | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/test/main.py b/test/main.py index afc15c0..3edba8d 100644 --- a/test/main.py +++ b/test/main.py @@ -76,7 +76,7 @@ def test_config(): def test_config_root_ca(): - response = client.get('/-/config/root-ca') + response = client.get('/-/config/root-certificate') assert response.status_code == 200 assert response.content.decode('utf-8') == my_root_certificate.pem().decode('utf-8') @@ -116,8 +116,8 @@ def test_config_token(): nv_si_public_key_configuration = payload.get('service_instance_public_key_configuration') nv_si_public_key_me = nv_si_public_key_configuration.get('service_instance_public_key_me') - # assert nv_si_public_key_me.get('mod') == 1 #nv_si_public_key_mod - assert len(nv_si_public_key_me.get('mod')) == 512 + + assert len(nv_si_public_key_me.get('mod')) == 512 # nv_si_public_key_mod assert nv_si_public_key_me.get('exp') == 65537 # nv_si_public_key_exp From 6ed4bdfe6f517051e0e96c5c0c68d804dfd21272 Mon Sep 17 00:00:00 2001 From: Oscar Krause Date: Tue, 22 Apr 2025 09:05:18 +0200 Subject: [PATCH 53/69] fixes --- app/main.py | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/app/main.py b/app/main.py index b828dce..bef65fb 100644 --- a/app/main.py +++ b/app/main.py @@ -287,7 +287,7 @@ async def _client_token(): "mod": my_si_public_key.mod(), "exp": my_si_public_key.exp(), }, - "service_instance_public_key_pem": my_si_private_key.public_key().pem().decode('utf-8'), + "service_instance_public_key_pem": my_si_public_key.pem().decode('utf-8').strip(), "key_retention_mode": "LATEST_ONLY" }, } @@ -462,8 +462,7 @@ async def leasing_v1_config_token(request: Request): "mod": my_si_public_key.mod(), "exp": my_si_public_key.exp(), }, - # 64 chars per line (pem default) - "service_instance_public_key_pem": my_si_private_key.public_key().pem().decode('utf-8').strip(), + "service_instance_public_key_pem": my_si_public_key.pem().decode('utf-8').strip(), "key_retention_mode": "LATEST_ONLY" }, } From cd9c655d65e59e090ffe538fd6c7566291bf41d6 Mon Sep 17 00:00:00 2001 From: Oscar Krause Date: Tue, 22 Apr 2025 09:45:58 +0200 Subject: [PATCH 54/69] fixes --- app/main.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/app/main.py b/app/main.py index bef65fb..e6f389b 100644 --- a/app/main.py +++ b/app/main.py @@ -493,8 +493,8 @@ async def leasing_v1_config_token(request: Request): # 76 chars per line "publicCert": response_si_certificate, "publicKey": { - "exp": my_si_private_key.public_key().mod(), - "mod": [my_si_private_key.public_key().exp()], + "exp": my_si_public_key.exp(), + "mod": [my_si_public_key.mod()], }, }, "configToken": config_token, From fd1babaca532e5252fb0b53b35aa099bff846b30 Mon Sep 17 00:00:00 2001 From: Oscar Krause Date: Tue, 22 Apr 2025 10:10:32 +0200 Subject: [PATCH 55/69] fixes --- app/main.py | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/app/main.py b/app/main.py index e6f389b..d5799d4 100644 --- a/app/main.py +++ b/app/main.py @@ -54,6 +54,8 @@ PRODUCT_MAPPING = ProductMapping(filename=join(dirname(__file__), 'static/produc # Create certificate chain and signing keys ca_setup = CASetup(service_instance_ref=INSTANCE_REF) +my_root_private_key = PrivateKey.from_file(ca_setup.root_private_key_filename) +my_root_public_key = my_root_private_key.public_key() my_root_certificate = Cert.from_file(ca_setup.root_certificate_filename) my_ca_certificate = Cert.from_file(ca_setup.ca_certificate_filename) my_si_certificate = Cert.from_file(ca_setup.si_certificate_filename) @@ -493,8 +495,8 @@ async def leasing_v1_config_token(request: Request): # 76 chars per line "publicCert": response_si_certificate, "publicKey": { - "exp": my_si_public_key.exp(), - "mod": [my_si_public_key.mod()], + "exp": my_root_public_key.exp(), + "mod": [my_root_public_key.mod()], }, }, "configToken": config_token, From d248496f3439e437d8ca0ec6a5d72af992dcfea4 Mon Sep 17 00:00:00 2001 From: Oscar Krause Date: Tue, 22 Apr 2025 10:45:41 +0200 Subject: [PATCH 56/69] fixes --- app/main.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/app/main.py b/app/main.py index d5799d4..76e0ea6 100644 --- a/app/main.py +++ b/app/main.py @@ -495,8 +495,8 @@ async def leasing_v1_config_token(request: Request): # 76 chars per line "publicCert": response_si_certificate, "publicKey": { - "exp": my_root_public_key.exp(), - "mod": [my_root_public_key.mod()], + "exp": my_si_public_key.exp(), + "mod": [my_si_public_key.mod()], }, }, "configToken": config_token, From 6c1a8d42dc29de2fb1372847bc9792b8fa6c0c8c Mon Sep 17 00:00:00 2001 From: Oscar Krause Date: Tue, 22 Apr 2025 11:04:32 +0200 Subject: [PATCH 57/69] fixes --- app/util.py | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/app/util.py b/app/util.py index 66df77e..23d6125 100644 --- a/app/util.py +++ b/app/util.py @@ -81,7 +81,20 @@ class CASetup: .not_valid_before(datetime.now(tz=UTC) - timedelta(days=1)) .not_valid_after(datetime.now(tz=UTC) + timedelta(days=365 * 10)) .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True) + .add_extension(x509.KeyUsage( + digital_signature=False, + key_encipherment=False, + key_cert_sign=True, + key_agreement=False, + content_commitment=False, + data_encipherment=False, + crl_sign=True, + encipher_only=False, + decipher_only=False), + critical=True + ) .add_extension(x509.SubjectKeyIdentifier.from_public_key(my_root_public_key), critical=False) + .add_extension(x509.AuthorityKeyIdentifier.from_issuer_public_key(my_root_public_key), critical=False) .sign(my_root_private_key, hashes.SHA256())) my_root_private_key_as_pem = my_root_private_key.private_bytes( @@ -134,7 +147,6 @@ class CASetup: critical=True ) .add_extension(x509.SubjectKeyIdentifier.from_public_key(my_ca_public_key), critical=False) - # .add_extension(x509.AuthorityKeyIdentifier.from_issuer_public_key(my_root_public_key), critical=False) .add_extension(x509.AuthorityKeyIdentifier.from_issuer_subject_key_identifier( my_root_certificate.extensions.get_extension_for_class(x509.SubjectKeyIdentifier).value ), critical=False) From 1ccb203b2567e753e834ebbaa427abd8e2ed84fa Mon Sep 17 00:00:00 2001 From: Oscar Krause Date: Tue, 22 Apr 2025 11:05:03 +0200 Subject: [PATCH 58/69] code styling --- app/main.py | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/app/main.py b/app/main.py index 76e0ea6..1fae859 100644 --- a/app/main.py +++ b/app/main.py @@ -490,10 +490,8 @@ async def leasing_v1_config_token(request: Request): response = { "certificateConfiguration": { - # 76 chars per line - "caChain": [response_ca_chain], - # 76 chars per line - "publicCert": response_si_certificate, + "caChain": [response_ca_chain], # 76 chars per line on original response + "publicCert": response_si_certificate, # 76 chars per line on original response "publicKey": { "exp": my_si_public_key.exp(), "mod": [my_si_public_key.mod()], From 161a1430cf56809a0781828e0dd47c408d71adee Mon Sep 17 00:00:00 2001 From: Oscar Krause Date: Tue, 22 Apr 2025 11:06:54 +0200 Subject: [PATCH 59/69] code styling --- app/main.py | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/app/main.py b/app/main.py index 1fae859..1f4bc97 100644 --- a/app/main.py +++ b/app/main.py @@ -472,26 +472,29 @@ async def leasing_v1_config_token(request: Request): my_jwt_encode_key = jwk.construct(my_si_private_key.pem().decode('utf-8'), algorithm=ALGORITHMS.RS256) config_token = jws.sign(payload, key=my_jwt_encode_key, headers=None, algorithm=ALGORITHMS.RS256) - response_ca_chain = my_ca_certificate.pem().decode('utf-8').strip() # .replace('\n', '\r\n') + response_ca_chain = my_ca_certificate.pem().decode('utf-8').strip() # .replace('\n', '\r\n') # 76 chars per line on original response + """ response_ca_chain = response_ca_chain.replace('-----BEGIN CERTIFICATE-----', '') response_ca_chain = response_ca_chain.replace('-----END CERTIFICATE-----', '') response_ca_chain = response_ca_chain.replace('\n', '') response_ca_chain = wrap(response_ca_chain, 76) response_ca_chain = '\r\n'.join(response_ca_chain) response_ca_chain = f'-----BEGIN CERTIFICATE-----\r\n{response_ca_chain}\r\n-----END CERTIFICATE-----' - - response_si_certificate = my_si_certificate.pem().decode('utf-8').strip() # .replace('\n', '\r\n') + """ + response_si_certificate = my_si_certificate.pem().decode('utf-8').strip() # .replace('\n', '\r\n') # 76 chars per line on original response + """ response_si_certificate = response_si_certificate.replace('-----BEGIN CERTIFICATE-----', '') response_si_certificate = response_si_certificate.replace('-----END CERTIFICATE-----', '') response_si_certificate = response_si_certificate.replace('\n', '') response_si_certificate = wrap(response_si_certificate, 76) response_si_certificate = '\r\n'.join(response_si_certificate) response_si_certificate = f'-----BEGIN CERTIFICATE-----\r\n{response_si_certificate}\r\n-----END CERTIFICATE-----' + """ response = { "certificateConfiguration": { - "caChain": [response_ca_chain], # 76 chars per line on original response - "publicCert": response_si_certificate, # 76 chars per line on original response + "caChain": [response_ca_chain], + "publicCert": response_si_certificate, "publicKey": { "exp": my_si_public_key.exp(), "mod": [my_si_public_key.mod()], From e7e007a45f8edbd42c270194ce5932ad3cfa06ee Mon Sep 17 00:00:00 2001 From: Oscar Krause Date: Tue, 22 Apr 2025 11:22:57 +0200 Subject: [PATCH 60/69] fixes --- app/main.py | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/app/main.py b/app/main.py index 1f4bc97..a331775 100644 --- a/app/main.py +++ b/app/main.py @@ -472,8 +472,9 @@ async def leasing_v1_config_token(request: Request): my_jwt_encode_key = jwk.construct(my_si_private_key.pem().decode('utf-8'), algorithm=ALGORITHMS.RS256) config_token = jws.sign(payload, key=my_jwt_encode_key, headers=None, algorithm=ALGORITHMS.RS256) - response_ca_chain = my_ca_certificate.pem().decode('utf-8').strip() # .replace('\n', '\r\n') # 76 chars per line on original response + response_ca_chain = my_ca_certificate.pem().decode('utf-8').strip().replace('\n', '\r\n') # 76 chars per line on original response """ + response_ca_chain = my_ca_certificate.pem().decode('utf-8').strip() response_ca_chain = response_ca_chain.replace('-----BEGIN CERTIFICATE-----', '') response_ca_chain = response_ca_chain.replace('-----END CERTIFICATE-----', '') response_ca_chain = response_ca_chain.replace('\n', '') @@ -481,8 +482,9 @@ async def leasing_v1_config_token(request: Request): response_ca_chain = '\r\n'.join(response_ca_chain) response_ca_chain = f'-----BEGIN CERTIFICATE-----\r\n{response_ca_chain}\r\n-----END CERTIFICATE-----' """ - response_si_certificate = my_si_certificate.pem().decode('utf-8').strip() # .replace('\n', '\r\n') # 76 chars per line on original response + response_si_certificate = my_si_certificate.pem().decode('utf-8').strip().replace('\n', '\r\n') # 76 chars per line on original response """ + response_si_certificate = my_si_certificate.pem().decode('utf-8').strip() response_si_certificate = response_si_certificate.replace('-----BEGIN CERTIFICATE-----', '') response_si_certificate = response_si_certificate.replace('-----END CERTIFICATE-----', '') response_si_certificate = response_si_certificate.replace('\n', '') From 55b7437fe7d2c76586bb2c5ddba2cbda02ed54d7 Mon Sep 17 00:00:00 2001 From: Oscar Krause Date: Tue, 22 Apr 2025 11:29:31 +0200 Subject: [PATCH 61/69] fixes --- app/main.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/app/main.py b/app/main.py index a331775..260f0be 100644 --- a/app/main.py +++ b/app/main.py @@ -498,8 +498,8 @@ async def leasing_v1_config_token(request: Request): "caChain": [response_ca_chain], "publicCert": response_si_certificate, "publicKey": { - "exp": my_si_public_key.exp(), - "mod": [my_si_public_key.mod()], + "exp": my_root_public_key.exp(), + "mod": [my_root_public_key.mod()], }, }, "configToken": config_token, From 16870e9d671944b0105f3a55a0a4e8894a7103b0 Mon Sep 17 00:00:00 2001 From: Oscar Krause Date: Tue, 22 Apr 2025 12:35:34 +0200 Subject: [PATCH 62/69] code styling --- app/main.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/app/main.py b/app/main.py index 260f0be..b08f465 100644 --- a/app/main.py +++ b/app/main.py @@ -156,7 +156,7 @@ async def _config(): @app.get('/-/config/root-certificate', summary='* Root Certificate', description='returns Root--Certificate needed for patching nvidia-gridd') async def _config(): - return Response(content=my_root_certificate.pem().decode('ascii'), media_type='text/plain') + return Response(content=my_root_certificate.pem().decode('ascii').strip(), media_type='text/plain') @app.get('/-/readme', summary='* Readme') From 938a112b8a2c76773675343a263ea1d72c56474f Mon Sep 17 00:00:00 2001 From: Oscar Krause Date: Tue, 22 Apr 2025 14:00:56 +0200 Subject: [PATCH 63/69] fixes --- app/main.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/app/main.py b/app/main.py index b08f465..dcdcba8 100644 --- a/app/main.py +++ b/app/main.py @@ -498,8 +498,8 @@ async def leasing_v1_config_token(request: Request): "caChain": [response_ca_chain], "publicCert": response_si_certificate, "publicKey": { - "exp": my_root_public_key.exp(), - "mod": [my_root_public_key.mod()], + "exp": my_si_certificate.public_key().exp(), + "mod": [my_si_certificate.public_key().mod()], }, }, "configToken": config_token, From 29268b1658fdf9de5799d732f9bf6d245b8d2958 Mon Sep 17 00:00:00 2001 From: Oscar Krause Date: Tue, 22 Apr 2025 14:16:30 +0200 Subject: [PATCH 64/69] code styling and tests --- app/util.py | 18 ++++++++++++------ test/main.py | 29 ++++++++++++++++++++++++++++- 2 files changed, 40 insertions(+), 7 deletions(-) diff --git a/app/util.py b/app/util.py index 23d6125..f112000 100644 --- a/app/util.py +++ b/app/util.py @@ -326,16 +326,22 @@ class Cert: def pem(self) -> bytes: return self.__cert.public_bytes(encoding=serialization.Encoding.PEM) + def public_key(self) -> "PublicKey": + data = self.__cert.public_key().public_bytes( + encoding=serialization.Encoding.PEM, + format=serialization.PublicFormat.SubjectPublicKeyInfo + ) + return PublicKey(data=data) + def signature(self) -> bytes: return self.__cert.signature + def subject_key_identifier(self): + return self.__cert.extensions.get_extension_for_class(x509.SubjectKeyIdentifier).value.key_identifier + + def authority_key_identifier(self): + return self.__cert.extensions.get_extension_for_class(x509.AuthorityKeyIdentifier).value.key_identifier -def load_file(filename: str) -> bytes: - log = logging.getLogger(f'{__name__}') - log.debug(f'Loading contents of file "{filename}') - with open(filename, 'rb') as file: - content = file.read() - return content class DriverMatrix: __DRIVER_MATRIX_FILENAME = 'static/driver_matrix.json' diff --git a/test/main.py b/test/main.py index 3edba8d..a386196 100644 --- a/test/main.py +++ b/test/main.py @@ -26,11 +26,15 @@ ORIGIN_REF, ALLOTMENT_REF, SECRET = str(uuid4()), '20000000-0000-0000-0000-00000 # CA & Signing ca_setup = CASetup(service_instance_ref=INSTANCE_REF) +my_root_private_key = PrivateKey.from_file(ca_setup.root_private_key_filename) my_root_certificate = Cert.from_file(ca_setup.root_certificate_filename) +my_ca_certificate = Cert.from_file(ca_setup.ca_certificate_filename) +my_ca_private_key = PrivateKey.from_file(ca_setup.ca_private_key_filename) my_si_private_key = PrivateKey.from_file(ca_setup.si_private_key_filename) my_si_private_key_as_pem = my_si_private_key.pem() my_si_public_key = my_si_private_key.public_key() my_si_public_key_as_pem = my_si_private_key.public_key().pem() +my_si_certificate = Cert.from_file(ca_setup.si_certificate_filename) jwt_encode_key = jwk.construct(my_si_private_key_as_pem, algorithm=ALGORITHMS.RS256) jwt_decode_key = jwk.construct(my_si_public_key_as_pem, algorithm=ALGORITHMS.RS256) @@ -59,6 +63,19 @@ def test_signing(): my_si_public_key.verify_signature(signature_get_header, b'Hello') +def test_keypair_and_certificates(): + assert my_root_certificate.public_key().mod() == my_root_private_key.public_key().mod() + assert my_ca_certificate.public_key().mod() == my_ca_private_key.public_key().mod() + assert my_si_certificate.public_key().mod() == my_si_public_key.mod() + + assert len(my_root_certificate.public_key().mod()) == 1024 + assert len(my_ca_certificate.public_key().mod()) == 1024 + assert len(my_si_certificate.public_key().mod()) == 512 + + #assert my_si_certificate.public_key().mod() != my_si_public_key.mod() + + + def test_index(): response = client.get('/') assert response.status_code == 200 @@ -78,7 +95,7 @@ def test_config(): def test_config_root_ca(): response = client.get('/-/config/root-certificate') assert response.status_code == 200 - assert response.content.decode('utf-8') == my_root_certificate.pem().decode('utf-8') + assert response.content.decode('utf-8').strip() == my_root_certificate.pem().decode('utf-8').strip() def test_readme(): @@ -103,7 +120,17 @@ def test_config_token(): assert response.status_code == 200 nv_response_certificate_configuration = response.json().get('certificateConfiguration') + + nv_ca_chain = nv_response_certificate_configuration.get('caChain')[0].encode('utf-8') + nv_ca_chain = Cert(nv_ca_chain) + nv_response_public_cert = nv_response_certificate_configuration.get('publicCert').encode('utf-8') + nv_response_public_key = nv_response_certificate_configuration.get('publicKey') + + nv_si_certificate = Cert(nv_response_public_cert) + assert nv_si_certificate.public_key().mod() == nv_response_public_key.get('mod')[0] + assert nv_si_certificate.authority_key_identifier() == nv_ca_chain.subject_key_identifier() + nv_jwt_decode_key = jwk.construct(nv_response_public_cert, algorithm=ALGORITHMS.RS256) nv_response_config_token = response.json().get('configToken') From 6af9cd04c9c35404c056f326c1702f0594e44f11 Mon Sep 17 00:00:00 2001 From: Oscar Krause Date: Tue, 22 Apr 2025 14:38:05 +0200 Subject: [PATCH 65/69] added variable for custom cert path --- README.md | 27 ++++++++++++++------------- app/main.py | 3 ++- app/util.py | 10 +++++++--- 3 files changed, 23 insertions(+), 17 deletions(-) diff --git a/README.md b/README.md index 43a5490..fe20827 100644 --- a/README.md +++ b/README.md @@ -417,19 +417,20 @@ After first success you have to replace `--issue` with `--renew`. # Configuration -| Variable | Default | Usage | -|--------------------------|----------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------| -| `DEBUG` | `false` | Toggles `fastapi` debug mode | -| `DLS_URL` | `localhost` | Used in client-token to tell guest driver where dls instance is reachable | -| `DLS_PORT` | `443` | Used in client-token to tell guest driver where dls instance is reachable | -| `TOKEN_EXPIRE_DAYS` | `1` | Client auth-token validity (used for authenticate client against api, **not `.tok` file!**) | -| `LEASE_EXPIRE_DAYS` | `90` | Lease time in days | -| `LEASE_RENEWAL_PERIOD` | `0.15` | The percentage of the lease period that must elapse before a licensed client can renew a license \*1 | -| `DATABASE` | `sqlite:///db.sqlite` | See [official SQLAlchemy docs](https://docs.sqlalchemy.org/en/14/core/engines.html) | -| `CORS_ORIGINS` | `https://{DLS_URL}` | Sets `Access-Control-Allow-Origin` header (comma separated string) \*2 | -| `SITE_KEY_XID` | `00000000-0000-0000-0000-000000000000` | Site identification uuid | -| `INSTANCE_REF` | `10000000-0000-0000-0000-000000000001` | Instance identification uuid | -| `ALLOTMENT_REF` | `20000000-0000-0000-0000-000000000001` | Allotment identification uuid | | +| Variable | Default | Usage | +|------------------------|----------------------------------------|------------------------------------------------------------------------------------------------------| +| `DEBUG` | `false` | Toggles `fastapi` debug mode | +| `DLS_URL` | `localhost` | Used in client-token to tell guest driver where dls instance is reachable | +| `DLS_PORT` | `443` | Used in client-token to tell guest driver where dls instance is reachable | +| `CERT_PATH` | `None` | Path to a Directory where generated Certificates are stored. Defaults to `//cert`. | +| `TOKEN_EXPIRE_DAYS` | `1` | Client auth-token validity (used for authenticate client against api, **not `.tok` file!**) | +| `LEASE_EXPIRE_DAYS` | `90` | Lease time in days | +| `LEASE_RENEWAL_PERIOD` | `0.15` | The percentage of the lease period that must elapse before a licensed client can renew a license \*1 | +| `DATABASE` | `sqlite:///db.sqlite` | See [official SQLAlchemy docs](https://docs.sqlalchemy.org/en/14/core/engines.html) | +| `CORS_ORIGINS` | `https://{DLS_URL}` | Sets `Access-Control-Allow-Origin` header (comma separated string) \*2 | +| `SITE_KEY_XID` | `00000000-0000-0000-0000-000000000000` | Site identification uuid | +| `INSTANCE_REF` | `10000000-0000-0000-0000-000000000001` | Instance identification uuid | +| `ALLOTMENT_REF` | `20000000-0000-0000-0000-000000000001` | Allotment identification uuid | \*1 For example, if the lease period is one day and the renewal period is 20%, the client attempts to renew its license every 4.8 hours. If network connectivity is lost, the loss of connectivity is detected during license renewal and the diff --git a/app/main.py b/app/main.py index dcdcba8..9278936 100644 --- a/app/main.py +++ b/app/main.py @@ -40,6 +40,7 @@ db_init(db), migrate(db) # Load DLS variables (all prefixed with "INSTANCE_*" is used as "SERVICE_INSTANCE_*" or "SI_*" in official dls service) DLS_URL = str(env('DLS_URL', 'localhost')) DLS_PORT = int(env('DLS_PORT', '443')) +CERT_PATH = str(env('CERT_PATH', None)) SITE_KEY_XID = str(env('SITE_KEY_XID', '00000000-0000-0000-0000-000000000000')) INSTANCE_REF = str(env('INSTANCE_REF', '10000000-0000-0000-0000-000000000001')) ALLOTMENT_REF = str(env('ALLOTMENT_REF', '20000000-0000-0000-0000-000000000001')) @@ -53,7 +54,7 @@ DT_FORMAT = '%Y-%m-%dT%H:%M:%S.%fZ' PRODUCT_MAPPING = ProductMapping(filename=join(dirname(__file__), 'static/product_mapping.json')) # Create certificate chain and signing keys -ca_setup = CASetup(service_instance_ref=INSTANCE_REF) +ca_setup = CASetup(service_instance_ref=INSTANCE_REF, cert_path=CERT_PATH) my_root_private_key = PrivateKey.from_file(ca_setup.root_private_key_filename) my_root_public_key = my_root_private_key.public_key() my_root_certificate = Cert.from_file(ca_setup.root_certificate_filename) diff --git a/app/util.py b/app/util.py index f112000..ac58f74 100644 --- a/app/util.py +++ b/app/util.py @@ -1,7 +1,7 @@ import logging from datetime import datetime, UTC, timedelta from json import loads as json_loads -from os.path import join, dirname, isfile +from os.path import join, dirname, isfile, isdir from cryptography import x509 from cryptography.hazmat._oid import NameOID @@ -38,9 +38,13 @@ class CASetup: SI_PRIVATE_KEY_FILENAME = 'si_private_key.pem' SI_CERTIFICATE_FILENAME = 'si_certificate.pem' - def __init__(self, service_instance_ref: str): + def __init__(self, service_instance_ref: str, cert_path: str = None): + cert_path_prefix = join(dirname(__file__), 'cert') + if cert_path is not None and len(cert_path) > 0 and isdir(cert_path): + cert_path_prefix = cert_path + self.service_instance_ref = service_instance_ref - self.root_private_key_filename = join(dirname(__file__), 'cert', CASetup.ROOT_PRIVATE_KEY_FILENAME) + self.root_private_key_filename = join(cert_path_prefix, CASetup.ROOT_PRIVATE_KEY_FILENAME) self.root_certificate_filename = join(dirname(__file__), 'cert', CASetup.ROOT_CERTIFICATE_FILENAME) self.ca_private_key_filename = join(dirname(__file__), 'cert', CASetup.CA_PRIVATE_KEY_FILENAME) self.ca_certificate_filename = join(dirname(__file__), 'cert', CASetup.CA_CERTIFICATE_FILENAME) From 04914740a4f575d5c8bf996726fc715c54345048 Mon Sep 17 00:00:00 2001 From: Oscar Krause Date: Tue, 22 Apr 2025 14:38:17 +0200 Subject: [PATCH 66/69] improved tests --- test/main.py | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/test/main.py b/test/main.py index a386196..c56296c 100644 --- a/test/main.py +++ b/test/main.py @@ -6,6 +6,8 @@ from datetime import datetime, UTC from hashlib import sha256 from uuid import uuid4, UUID +from cryptography.hazmat.primitives.asymmetric.padding import PKCS1v15 +from cryptography.hazmat.primitives.hashes import SHA256 from dateutil.relativedelta import relativedelta from jose import jwt, jwk, jws from jose.constants import ALGORITHMS @@ -74,6 +76,18 @@ def test_keypair_and_certificates(): #assert my_si_certificate.public_key().mod() != my_si_public_key.mod() + my_root_certificate.public_key().raw().verify( + my_ca_certificate.raw().signature, + my_ca_certificate.raw().tbs_certificate_bytes, + PKCS1v15(), + SHA256(), + ) + my_ca_certificate.public_key().raw().verify( + my_si_certificate.raw().signature, + my_si_certificate.raw().tbs_certificate_bytes, + PKCS1v15(), + SHA256(), + ) def test_index(): From 3961acf231fd0ee95131e713ee43b57210578905 Mon Sep 17 00:00:00 2001 From: Oscar Krause Date: Tue, 22 Apr 2025 15:07:29 +0200 Subject: [PATCH 67/69] fixes --- app/main.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/app/main.py b/app/main.py index 9278936..deea5a2 100644 --- a/app/main.py +++ b/app/main.py @@ -157,7 +157,7 @@ async def _config(): @app.get('/-/config/root-certificate', summary='* Root Certificate', description='returns Root--Certificate needed for patching nvidia-gridd') async def _config(): - return Response(content=my_root_certificate.pem().decode('ascii').strip(), media_type='text/plain') + return Response(content=my_root_certificate.pem().decode('utf-8').strip(), media_type='text/plain') @app.get('/-/readme', summary='* Readme') From 295e3c94821e2728aad4637e080cd034ed406371 Mon Sep 17 00:00:00 2001 From: Oscar Krause Date: Tue, 22 Apr 2025 20:42:11 +0200 Subject: [PATCH 68/69] fixes --- app/main.py | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/app/main.py b/app/main.py index deea5a2..13dd5a9 100644 --- a/app/main.py +++ b/app/main.py @@ -473,7 +473,9 @@ async def leasing_v1_config_token(request: Request): my_jwt_encode_key = jwk.construct(my_si_private_key.pem().decode('utf-8'), algorithm=ALGORITHMS.RS256) config_token = jws.sign(payload, key=my_jwt_encode_key, headers=None, algorithm=ALGORITHMS.RS256) - response_ca_chain = my_ca_certificate.pem().decode('utf-8').strip().replace('\n', '\r\n') # 76 chars per line on original response + response_ca_chain = my_ca_certificate.pem().decode('utf-8').strip() + + # 76 chars per line on original response with "\r\n" """ response_ca_chain = my_ca_certificate.pem().decode('utf-8').strip() response_ca_chain = response_ca_chain.replace('-----BEGIN CERTIFICATE-----', '') @@ -483,7 +485,9 @@ async def leasing_v1_config_token(request: Request): response_ca_chain = '\r\n'.join(response_ca_chain) response_ca_chain = f'-----BEGIN CERTIFICATE-----\r\n{response_ca_chain}\r\n-----END CERTIFICATE-----' """ - response_si_certificate = my_si_certificate.pem().decode('utf-8').strip().replace('\n', '\r\n') # 76 chars per line on original response + response_si_certificate = my_si_certificate.pem().decode('utf-8').strip() + + # 76 chars per line on original response with "\r\n" """ response_si_certificate = my_si_certificate.pem().decode('utf-8').strip() response_si_certificate = response_si_certificate.replace('-----BEGIN CERTIFICATE-----', '') @@ -491,7 +495,6 @@ async def leasing_v1_config_token(request: Request): response_si_certificate = response_si_certificate.replace('\n', '') response_si_certificate = wrap(response_si_certificate, 76) response_si_certificate = '\r\n'.join(response_si_certificate) - response_si_certificate = f'-----BEGIN CERTIFICATE-----\r\n{response_si_certificate}\r\n-----END CERTIFICATE-----' """ response = { From ae03867502176b0837f72b0c3521244b8d1b8262 Mon Sep 17 00:00:00 2001 From: Oscar Krause Date: Wed, 23 Apr 2025 10:35:07 +0200 Subject: [PATCH 69/69] updated compatibility matrix --- README.md | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index fe20827..1f2c765 100644 --- a/README.md +++ b/README.md @@ -755,14 +755,16 @@ Successfully tested with this package versions. | FastAPI-DLS Version | vGPU Suftware | Driver Branch | Linux vGPU Manager | Linux Driver | Windows Driver | Release Date | EOL Date | |---------------------|:-------------:|:-------------:|--------------------|--------------|----------------|--------------:|--------------:| -| `2.x` | `18.0` | **R570** | `570.124.03` | `570.124.06` | `572.60` | March 2025 | March 2026 | -| `1.x` & `2.x` | `17.5` | | `550.144.02` | `550.144.03` | `553.62` | January 2025 | June 2025 | +| `2.x` | `18.1` | **R570** | `570.133.08` | `570.133.07` | `572.83` | April 2025 | March 2026 | +| | `18.0` | **R570** | `570.124.03` | `570.124.06` | `572.60` | March 2025 | March 2026 | +| `1.x` & `2.x` | `17.6` | **R550** | `550.163.02` | `550.63.01` | `553.74` | April 2025 | June 2025 | +| | `17.5` | | `550.144.02` | `550.144.03` | `553.62` | January 2025 | | | | `17.4` | | `550.127.06` | `550.127.05` | `553.24` | October 2024 | | | | `17.3` | | `550.90.05` | `550.90.07` | `552.74` | July 2024 | | | | `17.2` | | `550.90.05` | `550.90.07` | `552.55` | June 2024 | | | | `17.1` | | `550.54.16` | `550.54.15` | `551.78` | March 2024 | | | | `17.0` | **R550** | `550.54.10` | `550.54.14` | `551.61` | February 2024 | | -| `1.x` | `16.9` | **R535** | `535.230.02` | `535.216.01` | `539.19` | October 2024 | July 2026 | +| `1.x` | `16.10` | **R535** | `535.247.02` | `535.247.01` | `539.28` | April 2025 | July 2026 | | `1.x` | `15.4` | **R525** | `525.147.01` | `525.147.05` | `529.19` | June 2023 | December 2023 | | `1.x` | `14.4` | **R510** | `510.108.03` | `510.108.03` | `514.08` | December 2022 | February 2023 |