added "16.3" support

> gcc -Wsign-compare -DNDEBUG -g -fwrapv -O3 -Wall -fPIC -I/tmp/pip-install-sazb8fvo/httptools_694f06fa2e354ed9ba9f5c167df7fce4/vendor/llhttp/include -I/tmp/pip-install-sazb8fvo/httptools_694f06fa2e354ed9ba9f5c167df7fce4/vendor/llhttp/src -I/usr/local/include/python3.11 -c httptools/parser/parser.c -o build/temp.linux-x86_64-cpython-311/httptools/parser/parser.o -O2
      httptools/parser/parser.c:212:12: fatal error: longintrepr.h: No such file or directory

.DEBIAN/requirements-bookworm-12.txt

@@ -0,0 +1,11 @@
+# https://packages.debian.org/hu/
+fastapi==0.92.0
+uvicorn[standard]==0.17.6
+python-jose[pycryptodome]==3.3.0
+pycryptodome==3.11.0
+python-dateutil==2.8.2
+sqlalchemy==1.4.46
+markdown==3.4.1
+python-dotenv==0.21.0
+jinja2==3.1.2
+httpx==0.23.3

.DEBIAN/requirements-ubuntu-23.04.txt

@@ -0,0 +1,10 @@
+# https://packages.ubuntu.com
+fastapi==0.91.0
+uvicorn[standard]==0.15.0
+python-jose[pycryptodome]==3.3.0
+pycryptodome==3.11.0
+python-dateutil==2.8.2
+sqlalchemy==1.4.46
+markdown==3.4.3
+python-dotenv==0.21.0
+jinja2==3.1.2

.DEBIAN/requirements-ubuntu-23.10.txt

@@ -0,0 +1,10 @@
+# https://packages.ubuntu.com
+fastapi==0.101.0
+uvicorn[standard]==0.23.2
+python-jose[pycryptodome]==3.3.0
+pycryptodome==3.11.0
+python-dateutil==2.8.2
+sqlalchemy==1.4.47
+markdown==3.4.4
+python-dotenv==1.0.0
+jinja2==3.1.2

.PKGBUILD/PKGBUILD

@@ -12,7 +12,7 @@ depends=('python' 'python-jose' 'python-starlette' 'python-httpx' 'python-fastap
 provider=("$pkgname")
 install="$pkgname.install"
 backup=('etc/default/fastapi-dls')
-source=('git+file:///builds/oscar.krause/fastapi-dls' # https://gitea.publichub.eu/oscar.krause/fastapi-dls.git
+source=("git+file://${CI_PROJECT_DIR}"
         "$pkgname.default"
         "$pkgname.service"
         "$pkgname.tmpfiles")

.codeclimate.yml

@@ -1,7 +1,9 @@
+version: "2"
 plugins:
   bandit:
     enabled: true
   sonar-python:
     enabled: true
-  pylint:
-    enabled: true
+    config:
+      tests_patterns:
+        - test/**

.gitlab-ci.yml

@@ -8,6 +8,9 @@ include:
 cache:
   key: one-key-to-rule-them-all
 
+variables:
+  DOCKER_BUILDX_PLATFORM: "linux/amd64,linux/arm64"
+
 build:docker:
   image: docker:dind
   interruptible: true
@@ -25,7 +28,7 @@ build:docker:
   script:
     - docker login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY
     - IMAGE=$CI_REGISTRY/$CI_PROJECT_PATH/$CI_COMMIT_REF_NAME:$CI_COMMIT_SHA
-    - docker buildx build --progress=plain --platform linux/amd64,linux/arm64 --build-arg VERSION=$CI_COMMIT_REF_NAME --build-arg COMMIT=$CI_COMMIT_SHA --tag $IMAGE --push .
+    - docker buildx build --progress=plain --platform $DOCKER_BUILDX_PLATFORM --build-arg VERSION=$CI_COMMIT_REF_NAME --build-arg COMMIT=$CI_COMMIT_SHA --tag $IMAGE --push .
     - docker buildx imagetools inspect $IMAGE
     - echo "CS_IMAGE=$IMAGE" > container_scanning.env
   artifacts:
@@ -123,16 +126,28 @@ build:pacman:
       - "*.pkg.tar.zst"
 
 test:
-  image: python:3.11-slim-bullseye
+  image: python:3.11-slim-bookworm
   stage: test
+  interruptible: true
   rules:
-    - if: $CI_COMMIT_BRANCH
+    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
     - if: $CI_COMMIT_TAG
     - if: $CI_PIPELINE_SOURCE == "merge_request_event"
+    - if: $CI_COMMIT_BRANCH && $CI_COMMIT_BRANCH != $CI_DEFAULT_BRANCH
+      changes:
+        - app/**/*
+        - test/**/*
   variables:
     DATABASE: sqlite:///../app/db.sqlite
+  parallel:
+    matrix:
+      - REQUIREMENTS:
+          - requirements.txt
+          - .DEBIAN/requirements-bookworm-12.txt
+          - .DEBIAN/requirements-ubuntu-23.10.txt
   before_script:
-    - pip install -r requirements.txt
+    - apt-get update && apt-get install -y python3-dev gcc
+    - pip install -r $REQUIREMENTS
     - pip install pytest httpx
     - mkdir -p app/cert
     - openssl genrsa -out app/cert/instance.private.pem 2048
@@ -190,7 +205,7 @@ test:debian:
 
 test:ubuntu:
   extends: .test:linux
-  image: ubuntu:22.10
+  image: ubuntu:23.10
 
 test:archlinux:
   image: archlinux:base
@@ -208,10 +223,13 @@ test:archlinux:
     - pacman -U --noconfirm *.pkg.tar.zst
 
 code_quality:
+  variables:
+    SOURCE_CODE: app
   rules:
     - if: $CODE_QUALITY_DISABLED
       when: never
     - if: $CI_PIPELINE_SOURCE == "merge_request_event"
+    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
 
 secret_detection:
   rules:
@@ -226,12 +244,25 @@ semgrep-sast:
     - if: $SAST_DISABLED
       when: never
     - if: $CI_PIPELINE_SOURCE == "merge_request_event"
+    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
 
 test_coverage:
-  extends: test
+#  extends: test
+  image: python:3.11-slim-bookworm
   allow_failure: true
+  stage: test
   rules:
     - if: $CI_PIPELINE_SOURCE == "merge_request_event"
+  variables:
+    DATABASE: sqlite:///../app/db.sqlite
+  before_script:
+    - apt-get update && apt-get install -y python3-dev gcc
+    - pip install -r requirements.txt
+    - pip install pytest httpx
+    - mkdir -p app/cert
+    - openssl genrsa -out app/cert/instance.private.pem 2048
+    - openssl rsa -in app/cert/instance.private.pem -outform PEM -pubout -out app/cert/instance.public.pem
+    - cd test
   script:
     - pip install pytest pytest-cov
     - coverage run -m pytest main.py
@@ -256,6 +287,7 @@ gemnasium-python-dependency_scanning:
     - if: $DEPENDENCY_SCANNING_DISABLED
       when: never
     - if: $CI_PIPELINE_SOURCE == "merge_request_event"
+    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
 
 .deploy:
   rules:
@@ -263,24 +295,24 @@ gemnasium-python-dependency_scanning:
 
 deploy:docker:
   extends: .deploy
+  image: docker:dind
   stage: deploy
+  tags: [ docker ]
   before_script:
     - echo "Building docker image for commit $CI_COMMIT_SHA with version $CI_COMMIT_REF_NAME"
+    - docker buildx inspect
+    - docker buildx create --use
   script:
     - echo "========== GitLab-Registry =========="
     - docker login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY
-    - IMAGE=$CI_REGISTRY/$CI_PROJECT_PATH/$CI_COMMIT_REF_NAME
-    - docker build . --build-arg VERSION=$CI_COMMIT_REF_NAME --build-arg COMMIT=$CI_COMMIT_SHA --tag $IMAGE:$CI_COMMIT_REF_NAME
-    - docker build . --build-arg VERSION=$CI_COMMIT_REF_NAME --build-arg COMMIT=$CI_COMMIT_SHA --tag $IMAGE:latest
-    - docker push $IMAGE:$CI_COMMIT_REF_NAME
-    - docker push $IMAGE:latest
+    - IMAGE=$CI_REGISTRY/$CI_PROJECT_PATH
+    - docker buildx build --progress=plain --platform $DOCKER_BUILDX_PLATFORM --build-arg VERSION=$CI_COMMIT_REF_NAME --build-arg COMMIT=$CI_COMMIT_SHA --tag $IMAGE:$CI_COMMIT_REF_NAME --push .
+    - docker buildx build --progress=plain --platform $DOCKER_BUILDX_PLATFORM --build-arg VERSION=$CI_COMMIT_REF_NAME --build-arg COMMIT=$CI_COMMIT_SHA --tag $IMAGE:latest --push .
     - echo "========== Docker-Hub =========="
     - docker login -u $PUBLIC_REGISTRY_USER -p $PUBLIC_REGISTRY_TOKEN
     - IMAGE=$PUBLIC_REGISTRY_USER/$CI_PROJECT_NAME
-    - docker build . --build-arg VERSION=$CI_COMMIT_REF_NAME --build-arg COMMIT=$CI_COMMIT_SHA --tag $IMAGE:$CI_COMMIT_REF_NAME
-    - docker build . --build-arg VERSION=$CI_COMMIT_REF_NAME --build-arg COMMIT=$CI_COMMIT_SHA --tag $IMAGE:latest
-    - docker push $IMAGE:$CI_COMMIT_REF_NAME
-    - docker push $IMAGE:latest
+    - docker buildx build --progress=plain --platform $DOCKER_BUILDX_PLATFORM --build-arg VERSION=$CI_COMMIT_REF_NAME --build-arg COMMIT=$CI_COMMIT_SHA --tag $IMAGE:$CI_COMMIT_REF_NAME --push .
+    - docker buildx build --progress=plain --platform $DOCKER_BUILDX_PLATFORM --build-arg VERSION=$CI_COMMIT_REF_NAME --build-arg COMMIT=$CI_COMMIT_SHA --tag $IMAGE:latest --push .
 
 deploy:apt:
   # doc: https://git.collinwebdesigns.de/help/user/packages/debian_repository/index.md#install-a-package
@@ -331,7 +363,6 @@ deploy:pacman:
       artifacts: true
   script:
     - source .PKGBUILD/PKGBUILD
-    - source version.env
     # fastapi-dls-1.0-1-any.pkg.tar.zst
     - BUILD_NAME=${pkgname}-${CI_COMMIT_REF_NAME}-${pkgrel}-any.pkg.tar.zst
     - PACKAGE_NAME=${pkgname}

Dockerfile

@@ -7,10 +7,10 @@ RUN echo -e "VERSION=$VERSION\nCOMMIT=$COMMIT" > /version.env
 COPY requirements.txt /tmp/requirements.txt
 
 RUN apk update \
- && apk add --no-cache --virtual build-deps gcc g++ python3-dev musl-dev \
- && apk add --no-cache curl postgresql postgresql-dev mariadb-connector-c-dev sqlite-dev \
+ && apk add --no-cache --virtual build-deps gcc g++ python3-dev musl-dev pkgconfig \
+ && apk add --no-cache curl postgresql postgresql-dev mariadb-dev sqlite-dev \
  && pip install --no-cache-dir --upgrade uvicorn \
- && pip install --no-cache-dir psycopg2==2.9.5 mysqlclient==2.1.1 pysqlite3==0.5.0 \
+ && pip install --no-cache-dir psycopg2==2.9.6 mysqlclient==2.2.0 pysqlite3==0.5.1 \
  && pip install --no-cache-dir -r /tmp/requirements.txt \
  && apk del build-deps
 

README.md

@@ -2,7 +2,7 @@
 
 Minimal Delegated License Service (DLS).
 
-Compatibility tested with official DLS 2.0.1.
+Compatibility tested with official NLS 2.0.1, 2.1.0, 3.1.0. For Driver compatibility see [here](#setup-client).
 
 This service can be used without internet connection.
 Only the clients need a connection to this service on configured port.
@@ -25,8 +25,9 @@ Only the clients need a connection to this service on configured port.
 
 - 256mb ram
 - 4gb hdd
+- *maybe IPv6 must be disabled*
 
-Tested with Ubuntu 22.10 (from Proxmox templates), actually its consuming 100mb ram and 750mb hdd.
+Tested with Ubuntu 22.10 (EOL!) (from Proxmox templates), actually its consuming 100mb ram and 750mb hdd.
 
 **Prepare your system**
 
@@ -34,12 +35,12 @@ Tested with Ubuntu 22.10 (from Proxmox templates), actually its consuming 100mb
 
 ## Docker
 
-Docker-Images are available here:
+Docker-Images are available here for Intel (x86), AMD (amd64) and ARM (arm64):
 
 - [Docker-Hub](https://hub.docker.com/repository/docker/collinwebdesigns/fastapi-dls): `collinwebdesigns/fastapi-dls:latest`
-- [GitLab-Registry](https://git.collinwebdesigns.de/oscar.krause/fastapi-dls/container_registry): `registry.git.collinwebdesigns.de/oscar.krause/fastapi-dls/main:latest`
+- [GitLab-Registry](https://git.collinwebdesigns.de/oscar.krause/fastapi-dls/container_registry): `registry.git.collinwebdesigns.de/oscar.krause/fastapi-dls:latest`
 
-The images include database drivers for `postgres`, `mysql`, `mariadb` and `sqlite`.
+The images include database drivers for `postgres`, `mariadb` and `sqlite`.
 
 **Run this on the Docker-Host**
 
@@ -65,7 +66,9 @@ docker run -e DLS_URL=`hostname -i` -e DLS_PORT=443 -p 443:443 -v $WORKING_DIR:/
 
 **Docker-Compose / Deploy stack**
 
-Goto [`docker-compose.yml`](docker-compose.yml) for more advanced example (with reverse proxy usage).
+See [`examples`](examples) directory for more advanced examples (with reverse proxy usage).
+
+> Adjust *REQUIRED* variables as needed
 
 ```yaml
 version: '3.9'
@@ -99,9 +102,10 @@ volumes:
   dls-db:
 ```
 
-## Debian/Ubuntu (manual method using `git clone` and python virtual environment)
+## Debian/Ubuntu/macOS (manual method using `git clone` and python virtual environment)
 
-Tested on `Debian 11 (bullseye)`, Ubuntu may also work.
+Tested on `Debian 11 (bullseye)`, `Debian 12 (bookworm)` and `macOS Ventura (13.6)`, Ubuntu may also work.
+**Please note that setup on macOS differs from Debian based systems.**
 
 **Make sure you are logged in as root.**
 
@@ -152,6 +156,8 @@ su - www-data -c "/opt/fastapi-dls/venv/bin/uvicorn main:app --app-dir=/opt/fast
 
 **Create config file**
 
+> Adjust `DLS_URL` as needed (accessing from LAN won't work with 127.0.0.1)
+
 ```shell
 mkdir /etc/fastapi-dls
 cat <<EOF >/etc/fastapi-dls/env
@@ -254,10 +260,11 @@ su - ${SERVICE_USER} -c "${BASE_DIR}/venv/bin/uvicorn main:app --app-dir=${BASE_
 
 **Create config file**
 
+> Adjust `DLS_URL` as needed (accessing from LAN won't work with 127.0.0.1)
+
 ```shell
 BASE_DIR=/opt/fastapi-dls
 cat <<EOF >/etc/fastapi-dls/env
-# Adjust DSL_URL as needed (accessing from LAN won't work with 127.0.0.1)
 DLS_URL=127.0.0.1
 DLS_PORT=443
 LEASE_EXPIRE_DAYS=90
@@ -311,7 +318,9 @@ Packages are available here:
 Successful tested with:
 
 - Debian 12 (Bookworm)
-- Ubuntu 22.10 (Kinetic Kudu)
+- Ubuntu 22.10 (Kinetic Kudu) (EOL: July 20, 2023)
+- Ubuntu 23.04 (Lunar Lobster) (EOL: January 2024)
+- Ubuntu 23.10 (Mantic Minotaur) (EOL: July 2024)
 
 Not working with:
 
@@ -332,6 +341,7 @@ apt-get install -f --fix-missing
 ```
 
 Start with `systemctl start fastapi-dls.service` and enable autostart with `systemctl enable fastapi-dls.service`.
+Now you have to edit `/etc/fastapi-dls/env` as needed.
 
 ## ArchLinux (using `pacman`)
 
@@ -353,6 +363,7 @@ pacman -U --noconfirm fastapi-dls.pkg.tar.zst
 ```
 
 Start with `systemctl start fastapi-dls.service` and enable autostart with `systemctl enable fastapi-dls.service`.
+Now you have to edit `/etc/default/fastapi-dls` as needed.
 
 ## unRAID
 
@@ -415,16 +426,26 @@ client has 19.2 hours in which to re-establish connectivity before its license e
 
 Successfully tested with this package versions:
 
-| vGPU Suftware | vGPU Manager | Linux Driver | Windows Driver | Release Date  |
-|---------------|--------------|--------------|----------------|---------------|
-| `15.2`        | `525.105.14` | `525.105.17` | `528.89`       | March 2023    |
-| `15.1`        | `525.85.07`  | `525.85.05`  | `528.24`       | January 2023  |
-| `15.0`        | `525.60.12`  | `525.60.13`  | `527.41`       | December 2022 |
-| `14.4`        | `510.108.03` | `510.108.03` | `514.08`       | December 2022 |
-| `14.3`        | `510.108.03` | `510.108.03` | `513.91`       | November 2022 |
+| vGPU Suftware | Linux vGPU Manager | Linux Driver | Windows Driver | Release Date  |
+|---------------|--------------------|--------------|----------------|---------------|
+| `16.3`        | `535.154.02`       | `535.154.05` | `538.15`       | January 2024  |
+| `16.2`        | `535.129.03`       | `535.129.03` | `537.70`       | October 2023  |
+| `16.1`        | `535.104.06`       | `535.104.05` | `537.13`       | August 2023   |
+| `16.0`        | `535.54.06`        | `535.54.03`  | `536.22`       | July 2023     |
+| `15.3`        | `525.125.03`       | `525.125.06` | `529.11`       | June 2023     |
+| `15.2`        | `525.105.14`       | `525.105.17` | `528.89`       | March 2023    |
+| `15.1`        | `525.85.07`        | `525.85.05`  | `528.24`       | January 2023  |
+| `15.0`        | `525.60.12`        | `525.60.13`  | `527.41`       | December 2022 |
+| `14.4`        | `510.108.03`       | `510.108.03` | `514.08`       | December 2022 |
+| `14.3`        | `510.108.03`       | `510.108.03` | `513.91`       | November 2022 |
 
 - https://docs.nvidia.com/grid/index.html
 
+*To get the latest drivers, visit Nvidia or search in Discord-Channel `GPU Unlocking` (Server-ID: `829786927829745685`) on channel `licensing` `biggerthanshit` 
+
+
+https://archive.biggerthanshit.com/NVIDIA/ (nvidia / b1gg3rth4nsh1t)
+
 ## Linux
 
 Download *client-token* and place it into `/etc/nvidia/ClientConfigToken`:
@@ -502,6 +523,9 @@ Done. For more information check [troubleshoot section](#troubleshoot).
 
 # Endpoints
 
+<details>
+  <summary>show</summary>
+
 ### `GET /`
 
 Redirect to `/-/readme`.
@@ -553,11 +577,18 @@ Generate client token, (see [installation](#installation)).
 ### Others
 
 There are many other internal api endpoints for handling authentication and lease process.
+</details>
 
 # Troubleshoot
 
 **Please make sure that fastapi-dls and your guests are on the same timezone!**
 
+Maybe you have to disable IPv6 on the machine you are running FastAPI-DLS.
+
+## Docker
+
+Logs are available with `docker logs <container>`. To get the correct container-id use `docker container ls` or `docker ps`.
+
 ## Linux
 
 Logs are available with `journalctl -u nvidia-gridd -f`.
@@ -615,7 +646,7 @@ only
 gets a valid local license.
 
 <details>
-  <summary>Log</summary>
+  <summary>Log example</summary>
 
 **Display-Container-LS**
 
@@ -681,7 +712,7 @@ The error message can safely be ignored (since we have no license limitation :P)
 <0>:End Logging
 ```
 
-#### log with nginx as reverse proxy (see [docker-compose.yml](docker-compose.yml))
+#### log with nginx as reverse proxy (see [docker-compose-http-and-https.yml](examples/docker-compose-http-and-https.yml))
 
 ```
 <1>:NLS initialized

app/main.py

@@ -9,48 +9,42 @@ from dotenv import load_dotenv
 from fastapi import FastAPI
 from fastapi.requests import Request
 from json import loads as json_loads
-from datetime import datetime, timedelta
+from datetime import datetime
 from dateutil.relativedelta import relativedelta
 from calendar import timegm
-from jose import jws, jwk, jwt, JWTError
+from jose import jws, jwt, JWTError
 from jose.constants import ALGORITHMS
 from starlette.middleware.cors import CORSMiddleware
 from starlette.responses import StreamingResponse, JSONResponse as JSONr, HTMLResponse as HTMLr, Response, RedirectResponse
 from sqlalchemy import create_engine
 from sqlalchemy.orm import sessionmaker
 
-from util import load_key, load_file
-from orm import Origin, Lease, init as db_init, migrate
+from orm import init as db_init, migrate, Site, Instance, Origin, Lease
 
 load_dotenv('../version.env')
 
+# get local timezone
 TZ = datetime.now().astimezone().tzinfo
 
+# fetch version info
 VERSION, COMMIT, DEBUG = env('VERSION', 'unknown'), env('COMMIT', 'unknown'), bool(env('DEBUG', False))
 
-config = dict(openapi_url=None, docs_url=None, redoc_url=None)  # dict(openapi_url='/-/openapi.json', docs_url='/-/docs', redoc_url='/-/redoc')
+# fastapi setup
+config = dict(openapi_url='/-/openapi.json', docs_url=None, redoc_url=None)
 app = FastAPI(title='FastAPI-DLS', description='Minimal Delegated License Service (DLS).', version=VERSION, **config)
+
+# database setup
 db = create_engine(str(env('DATABASE', 'sqlite:///db.sqlite')))
 db_init(db), migrate(db)
 
-# everything prefixed with "INSTANCE_*" is used as "SERVICE_INSTANCE_*" or "SI_*" in official dls service
+# DLS setup (static)
 DLS_URL = str(env('DLS_URL', 'localhost'))
 DLS_PORT = int(env('DLS_PORT', '443'))
-SITE_KEY_XID = str(env('SITE_KEY_XID', '00000000-0000-0000-0000-000000000000'))
-INSTANCE_REF = str(env('INSTANCE_REF', '10000000-0000-0000-0000-000000000001'))
-ALLOTMENT_REF = str(env('ALLOTMENT_REF', '20000000-0000-0000-0000-000000000001'))
-INSTANCE_KEY_RSA = load_key(str(env('INSTANCE_KEY_RSA', join(dirname(__file__), 'cert/instance.private.pem'))))
-INSTANCE_KEY_PUB = load_key(str(env('INSTANCE_KEY_PUB', join(dirname(__file__), 'cert/instance.public.pem'))))
-TOKEN_EXPIRE_DELTA = relativedelta(days=int(env('TOKEN_EXPIRE_DAYS', 1)), hours=int(env('TOKEN_EXPIRE_HOURS', 0)))
-LEASE_EXPIRE_DELTA = relativedelta(days=int(env('LEASE_EXPIRE_DAYS', 90)), hours=int(env('LEASE_EXPIRE_HOURS', 0)))
-LEASE_RENEWAL_PERIOD = float(env('LEASE_RENEWAL_PERIOD', 0.15))
-LEASE_RENEWAL_DELTA = timedelta(days=int(env('LEASE_EXPIRE_DAYS', 90)), hours=int(env('LEASE_EXPIRE_HOURS', 0)))
-CLIENT_TOKEN_EXPIRE_DELTA = relativedelta(years=12)
 CORS_ORIGINS = str(env('CORS_ORIGINS', '')).split(',') if (env('CORS_ORIGINS')) else [f'https://{DLS_URL}']
 
-jwt_encode_key = jwk.construct(INSTANCE_KEY_RSA.export_key().decode('utf-8'), algorithm=ALGORITHMS.RS256)
-jwt_decode_key = jwk.construct(INSTANCE_KEY_PUB.export_key().decode('utf-8'), algorithm=ALGORITHMS.RS256)
+ALLOTMENT_REF = str(env('ALLOTMENT_REF', '20000000-0000-0000-0000-000000000001'))  # todo
 
+# fastapi middleware
 app.debug = DEBUG
 app.add_middleware(
     CORSMiddleware,
@@ -60,12 +54,25 @@ app.add_middleware(
     allow_headers=['*'],
 )
 
+# logging
 logging.basicConfig()
 logger = logging.getLogger(__name__)
 logger.setLevel(logging.DEBUG if DEBUG else logging.INFO)
 
 
-def __get_token(request: Request) -> dict:
+def validate_settings():
+    session = sessionmaker(bind=db)()
+
+    lease_expire_delta_min, lease_expire_delta_max = 86_400, 7_776_000
+    for instance in session.query(Instance).all():
+        lease_expire_delta = instance.lease_expire_delta
+        if lease_expire_delta < 86_400 or lease_expire_delta > 7_776_000:
+            logging.warning(f'> [ instance ]: {instance.instance_ref}: "lease_expire_delta" should be between {lease_expire_delta_min} and {lease_expire_delta_max}')
+
+    session.close()
+
+
+def __get_token(request: Request, jwt_decode_key: "jose.jwt") -> dict:
     authorization_header = request.headers.get('authorization')
     token = authorization_header.split(' ')[1]
     return jwt.decode(token=token, key=jwt_decode_key, algorithms=ALGORITHMS.RS256, options={'verify_aud': False})
@@ -88,18 +95,20 @@ async def _health():
 
 @app.get('/-/config', summary='* Config', description='returns environment variables.')
 async def _config():
+    default_site, default_instance = Site.get_default_site(db), Instance.get_default_instance(db)
+
     return JSONr({
         'VERSION': str(VERSION),
         'COMMIT': str(COMMIT),
         'DEBUG': str(DEBUG),
         'DLS_URL': str(DLS_URL),
         'DLS_PORT': str(DLS_PORT),
-        'SITE_KEY_XID': str(SITE_KEY_XID),
-        'INSTANCE_REF': str(INSTANCE_REF),
+        'SITE_KEY_XID': str(default_site.site_key),
+        'INSTANCE_REF': str(default_instance.instance_ref),
         'ALLOTMENT_REF': [str(ALLOTMENT_REF)],
-        'TOKEN_EXPIRE_DELTA': str(TOKEN_EXPIRE_DELTA),
-        'LEASE_EXPIRE_DELTA': str(LEASE_EXPIRE_DELTA),
-        'LEASE_RENEWAL_PERIOD': str(LEASE_RENEWAL_PERIOD),
+        'TOKEN_EXPIRE_DELTA': str(default_instance.get_token_expire_delta()),
+        'LEASE_EXPIRE_DELTA': str(default_instance.get_lease_expire_delta()),
+        'LEASE_RENEWAL_PERIOD': str(default_instance.lease_renewal_period),
         'CORS_ORIGINS': str(CORS_ORIGINS),
         'TZ': str(TZ),
     })
@@ -108,6 +117,8 @@ async def _config():
 @app.get('/-/readme', summary='* Readme')
 async def _readme():
     from markdown import markdown
+    from util import load_file
+
     content = load_file('../README.md').decode('utf-8')
     return HTMLr(markdown(text=content, extensions=['tables', 'fenced_code', 'md_in_html', 'nl2br', 'toc']))
 
@@ -157,8 +168,7 @@ async def _origins(request: Request, leases: bool = False):
     for origin in session.query(Origin).all():
         x = origin.serialize()
         if leases:
-            serialize = dict(renewal_period=LEASE_RENEWAL_PERIOD, renewal_delta=LEASE_RENEWAL_DELTA)
-            x['leases'] = list(map(lambda _: _.serialize(**serialize), Lease.find_by_origin_ref(db, origin.origin_ref)))
+            x['leases'] = list(map(lambda _: _.serialize(), Lease.find_by_origin_ref(db, origin.origin_ref)))
         response.append(x)
     session.close()
     return JSONr(response)
@@ -175,8 +185,7 @@ async def _leases(request: Request, origin: bool = False):
     session = sessionmaker(bind=db)()
     response = []
     for lease in session.query(Lease).all():
-        serialize = dict(renewal_period=LEASE_RENEWAL_PERIOD, renewal_delta=LEASE_RENEWAL_DELTA)
-        x = lease.serialize(**serialize)
+        x = lease.serialize()
         if origin:
             lease_origin = session.query(Origin).filter(Origin.origin_ref == lease.origin_ref).first()
             if lease_origin is not None:
@@ -203,7 +212,13 @@ async def _lease_delete(request: Request, lease_ref: str):
 @app.get('/-/client-token', summary='* Client-Token', description='creates a new messenger token for this service instance')
 async def _client_token():
     cur_time = datetime.utcnow()
-    exp_time = cur_time + CLIENT_TOKEN_EXPIRE_DELTA
+
+    default_instance = Instance.get_default_instance(db)
+    public_key = default_instance.get_public_key()
+    # todo: implemented request parameter to support different instances
+    jwt_encode_key = default_instance.get_jwt_encode_key()
+
+    exp_time = cur_time + default_instance.get_client_token_expire_delta()
 
     payload = {
         "jti": str(uuid4()),
@@ -216,7 +231,7 @@ async def _client_token():
         "scope_ref_list": [ALLOTMENT_REF],
         "fulfillment_class_ref_list": [],
         "service_instance_configuration": {
-            "nls_service_instance_ref": INSTANCE_REF,
+            "nls_service_instance_ref": default_instance.instance_ref,
             "svc_port_set_list": [
                 {
                     "idx": 0,
@@ -228,10 +243,10 @@ async def _client_token():
         },
         "service_instance_public_key_configuration": {
             "service_instance_public_key_me": {
-                "mod": hex(INSTANCE_KEY_PUB.public_key().n)[2:],
-                "exp": int(INSTANCE_KEY_PUB.public_key().e),
+                "mod": hex(public_key.public_key().n)[2:],
+                "exp": int(public_key.public_key().e),
             },
-            "service_instance_public_key_pem": INSTANCE_KEY_PUB.export_key().decode('utf-8'),
+            "service_instance_public_key_pem": public_key.export_key().decode('utf-8'),
             "key_retention_mode": "LATEST_ONLY"
         },
     }
@@ -313,13 +328,16 @@ async def auth_v1_code(request: Request):
     delta = relativedelta(minutes=15)
     expires = cur_time + delta
 
+    default_site = Site.get_default_site(db)
+    jwt_encode_key = Instance.get_default_instance(db).get_jwt_encode_key()
+
     payload = {
         'iat': timegm(cur_time.timetuple()),
         'exp': timegm(expires.timetuple()),
         'challenge': j.get('code_challenge'),
         'origin_ref': j.get('origin_ref'),
-        'key_ref': SITE_KEY_XID,
-        'kid': SITE_KEY_XID
+        'key_ref': default_site.site_key,
+        'kid': default_site.site_key,
     }
 
     auth_code = jws.sign(payload, key=jwt_encode_key, headers={'kid': payload.get('kid')}, algorithm=ALGORITHMS.RS256)
@@ -339,8 +357,11 @@ async def auth_v1_code(request: Request):
 async def auth_v1_token(request: Request):
     j, cur_time = json_loads((await request.body()).decode('utf-8')), datetime.utcnow()
 
+    default_site, default_instance = Site.get_default_site(db), Instance.get_default_instance(db)
+    jwt_encode_key, jwt_decode_key = default_instance.get_jwt_encode_key(), default_instance.get_jwt_decode_key()
+
     try:
-        payload = jwt.decode(token=j.get('auth_code'), key=jwt_decode_key)
+        payload = jwt.decode(token=j.get('auth_code'), key=jwt_decode_key, algorithms=[ALGORITHMS.RS256])
     except JWTError as e:
         return JSONr(status_code=400, content={'status': 400, 'title': 'invalid token', 'detail': str(e)})
 
@@ -352,7 +373,7 @@ async def auth_v1_token(request: Request):
     if payload.get('challenge') != challenge:
         return JSONr(status_code=401, content={'status': 401, 'detail': 'expected challenge did not match verifier'})
 
-    access_expires_on = cur_time + TOKEN_EXPIRE_DELTA
+    access_expires_on = cur_time + default_instance.get_token_expire_delta()
 
     new_payload = {
         'iat': timegm(cur_time.timetuple()),
@@ -361,8 +382,8 @@ async def auth_v1_token(request: Request):
         'aud': 'https://cls.nvidia.org',
         'exp': timegm(access_expires_on.timetuple()),
         'origin_ref': origin_ref,
-        'key_ref': SITE_KEY_XID,
-        'kid': SITE_KEY_XID,
+        'key_ref': default_site.site_key,
+        'kid': default_site.site_key,
     }
 
     auth_token = jwt.encode(new_payload, key=jwt_encode_key, headers={'kid': payload.get('kid')}, algorithm=ALGORITHMS.RS256)
@@ -379,10 +400,13 @@ async def auth_v1_token(request: Request):
 # venv/lib/python3.9/site-packages/nls_services_lease/test/test_lease_multi_controller.py
 @app.post('/leasing/v1/lessor', description='request multiple leases (borrow) for current origin')
 async def leasing_v1_lessor(request: Request):
-    j, token, cur_time = json_loads((await request.body()).decode('utf-8')), __get_token(request), datetime.utcnow()
+    j, cur_time = json_loads((await request.body()).decode('utf-8')), datetime.utcnow()
+
+    default_instance = Instance.get_default_instance(db)
+    jwt_decode_key = default_instance.get_jwt_decode_key()
 
     try:
-        token = __get_token(request)
+        token = __get_token(request, jwt_decode_key)
     except JWTError:
         return JSONr(status_code=401, content={'status': 401, 'detail': 'token is not valid'})
 
@@ -396,7 +420,7 @@ async def leasing_v1_lessor(request: Request):
         #     return JSONr(status_code=500, detail=f'no service instances found for scopes: ["{scope_ref}"]')
 
         lease_ref = str(uuid4())
-        expires = cur_time + LEASE_EXPIRE_DELTA
+        expires = cur_time + default_instance.get_lease_expire_delta()
         lease_result_list.append({
             "ordinal": 0,
             # https://docs.nvidia.com/license-system/latest/nvidia-license-system-user-guide/index.html
@@ -404,13 +428,13 @@ async def leasing_v1_lessor(request: Request):
                 "ref": lease_ref,
                 "created": cur_time.isoformat(),
                 "expires": expires.isoformat(),
-                "recommended_lease_renewal": LEASE_RENEWAL_PERIOD,
+                "recommended_lease_renewal": default_instance.lease_renewal_period,
                 "offline_lease": "true",
                 "license_type": "CONCURRENT_COUNTED_SINGLE"
             }
         })
 
-        data = Lease(origin_ref=origin_ref, lease_ref=lease_ref, lease_created=cur_time, lease_expires=expires)
+        data = Lease(instance_ref=default_instance.instance_ref, origin_ref=origin_ref, lease_ref=lease_ref, lease_created=cur_time, lease_expires=expires)
         Lease.create_or_update(db, data)
 
     response = {
@@ -427,7 +451,14 @@ async def leasing_v1_lessor(request: Request):
 # venv/lib/python3.9/site-packages/nls_dal_service_instance_dls/schema/service_instance/V1_0_21__product_mapping.sql
 @app.get('/leasing/v1/lessor/leases', description='get active leases for current origin')
 async def leasing_v1_lessor_lease(request: Request):
-    token, cur_time = __get_token(request), datetime.utcnow()
+    cur_time = datetime.utcnow()
+
+    jwt_decode_key = Instance.get_default_instance(db).get_jwt_decode_key()
+
+    try:
+        token = __get_token(request, jwt_decode_key)
+    except JWTError:
+        return JSONr(status_code=401, content={'status': 401, 'detail': 'token is not valid'})
 
     origin_ref = token.get('origin_ref')
 
@@ -447,7 +478,15 @@ async def leasing_v1_lessor_lease(request: Request):
 # venv/lib/python3.9/site-packages/nls_core_lease/lease_single.py
 @app.put('/leasing/v1/lease/{lease_ref}', description='renew a lease')
 async def leasing_v1_lease_renew(request: Request, lease_ref: str):
-    token, cur_time = __get_token(request), datetime.utcnow()
+    cur_time = datetime.utcnow()
+
+    default_instance = Instance.get_default_instance(db)
+    jwt_decode_key = default_instance.get_jwt_decode_key()
+
+    try:
+        token = __get_token(request, jwt_decode_key)
+    except JWTError:
+        return JSONr(status_code=401, content={'status': 401, 'detail': 'token is not valid'})
 
     origin_ref = token.get('origin_ref')
     logging.info(f'> [  renew   ]: {origin_ref}: renew {lease_ref}')
@@ -456,11 +495,11 @@ async def leasing_v1_lease_renew(request: Request, lease_ref: str):
     if entity is None:
         return JSONr(status_code=404, content={'status': 404, 'detail': 'requested lease not available'})
 
-    expires = cur_time + LEASE_EXPIRE_DELTA
+    expires = cur_time + default_instance.get_lease_expire_delta()
     response = {
         "lease_ref": lease_ref,
         "expires": expires.isoformat(),
-        "recommended_lease_renewal": LEASE_RENEWAL_PERIOD,
+        "recommended_lease_renewal": default_instance.lease_renewal_period,
         "offline_lease": True,
         "prompts": None,
         "sync_timestamp": cur_time.isoformat(),
@@ -474,7 +513,14 @@ async def leasing_v1_lease_renew(request: Request, lease_ref: str):
 # venv/lib/python3.9/site-packages/nls_services_lease/test/test_lease_single_controller.py
 @app.delete('/leasing/v1/lease/{lease_ref}', description='release (return) a lease')
 async def leasing_v1_lease_delete(request: Request, lease_ref: str):
-    token, cur_time = __get_token(request), datetime.utcnow()
+    cur_time = datetime.utcnow()
+
+    jwt_decode_key = Instance.get_default_instance(db).get_jwt_decode_key()
+
+    try:
+        token = __get_token(request, jwt_decode_key)
+    except JWTError:
+        return JSONr(status_code=401, content={'status': 401, 'detail': 'token is not valid'})
 
     origin_ref = token.get('origin_ref')
     logging.info(f'> [  return  ]: {origin_ref}: return {lease_ref}')
@@ -500,7 +546,14 @@ async def leasing_v1_lease_delete(request: Request, lease_ref: str):
 # venv/lib/python3.9/site-packages/nls_services_lease/test/test_lease_multi_controller.py
 @app.delete('/leasing/v1/lessor/leases', description='release all leases')
 async def leasing_v1_lessor_lease_remove(request: Request):
-    token, cur_time = __get_token(request), datetime.utcnow()
+    cur_time = datetime.utcnow()
+
+    jwt_decode_key = Instance.get_default_instance(db).get_jwt_decode_key()
+
+    try:
+        token = __get_token(request, jwt_decode_key)
+    except JWTError:
+        return JSONr(status_code=401, content={'status': 401, 'detail': 'token is not valid'})
 
     origin_ref = token.get('origin_ref')
 
@@ -522,6 +575,8 @@ async def leasing_v1_lessor_lease_remove(request: Request):
 async def leasing_v1_lessor_shutdown(request: Request):
     j, cur_time = json_loads((await request.body()).decode('utf-8')), datetime.utcnow()
 
+    jwt_decode_key = Instance.get_default_instance(db).get_jwt_decode_key()
+
     token = j.get('token')
     token = jwt.decode(token=token, key=jwt_decode_key, algorithms=ALGORITHMS.RS256, options={'verify_aud': False})
     origin_ref = token.get('origin_ref')
@@ -542,15 +597,23 @@ async def leasing_v1_lessor_shutdown(request: Request):
 
 @app.on_event('startup')
 async def app_on_startup():
+    default_instance = Instance.get_default_instance(db)
+
+    lease_renewal_period = default_instance.lease_renewal_period
+    lease_renewal_delta = default_instance.get_lease_renewal_delta()
+    client_token_expire_delta = default_instance.get_client_token_expire_delta()
+
     logger.info(f'''
     Using timezone: {str(TZ)}. Make sure this is correct and match your clients!
     
-    Your clients renew their license every {str(Lease.calculate_renewal(LEASE_RENEWAL_PERIOD, LEASE_RENEWAL_DELTA))}.
-    If the renewal fails, the license is {str(LEASE_RENEWAL_DELTA)} valid.
+    Your clients will renew their license every {str(Lease.calculate_renewal(lease_renewal_period, lease_renewal_delta))}.
+    If the renewal fails, the license is valid for {str(lease_renewal_delta)}.
     
-    Your client-token file (.tok) is valid for {str(CLIENT_TOKEN_EXPIRE_DELTA)}.
+    Your client-token file (.tok) is valid for {str(client_token_expire_delta)}.
     ''')
 
+    validate_settings()
+
 
 if __name__ == '__main__':
     import uvicorn

app/orm.py

@@ -1,18 +1,143 @@
+import logging
 from datetime import datetime, timedelta
 from dateutil.relativedelta import relativedelta
-
-from sqlalchemy import Column, VARCHAR, CHAR, ForeignKey, DATETIME, update, and_, inspect, text
+from sqlalchemy import Column, VARCHAR, CHAR, ForeignKey, DATETIME, update, and_, inspect, text, BLOB, INT, FLOAT
 from sqlalchemy.engine import Engine
-from sqlalchemy.orm import sessionmaker, declarative_base
+from sqlalchemy.orm import sessionmaker, declarative_base, Session, relationship
+
+from app.util import parse_key
+
+logging.basicConfig()
+logger = logging.getLogger(__name__)
+logger.setLevel(logging.INFO)
 
 Base = declarative_base()
 
 
+class Site(Base):
+    __tablename__ = "site"
+
+    INITIAL_SITE_KEY_XID = '00000000-0000-0000-0000-000000000000'
+    INITIAL_SITE_NAME = 'default'
+
+    site_key = Column(CHAR(length=36), primary_key=True, unique=True, index=True)  # uuid4, SITE_KEY_XID
+    name = Column(VARCHAR(length=256), nullable=False)
+
+    def __str__(self):
+        return f'SITE_KEY_XID: {self.site_key}'
+
+    @staticmethod
+    def create_statement(engine: Engine):
+        from sqlalchemy.schema import CreateTable
+        return CreateTable(Site.__table__).compile(engine)
+
+    @staticmethod
+    def get_default_site(engine: Engine) -> "Site":
+        session = sessionmaker(bind=engine)()
+        entity = session.query(Site).filter(Site.site_key == Site.INITIAL_SITE_KEY_XID).first()
+        session.close()
+        return entity
+
+
+class Instance(Base):
+    __tablename__ = "instance"
+
+    DEFAULT_INSTANCE_REF = '10000000-0000-0000-0000-000000000001'
+    DEFAULT_TOKEN_EXPIRE_DELTA = 86_400  # 1 day
+    DEFAULT_LEASE_EXPIRE_DELTA = 7_776_000  # 90 days
+    DEFAULT_LEASE_RENEWAL_PERIOD = 0.15
+    DEFAULT_CLIENT_TOKEN_EXPIRE_DELTA = 378_432_000  # 12 years
+    # 1 day = 86400 (min. in production setup, max 90 days), 1 hour = 3600
+
+    instance_ref = Column(CHAR(length=36), primary_key=True, unique=True, index=True)  # uuid4, INSTANCE_REF
+    site_key = Column(CHAR(length=36), ForeignKey(Site.site_key, ondelete='CASCADE'), nullable=False, index=True)  # uuid4
+    private_key = Column(BLOB(length=2048), nullable=False)
+    public_key = Column(BLOB(length=512), nullable=False)
+    token_expire_delta = Column(INT(), nullable=False, default=DEFAULT_TOKEN_EXPIRE_DELTA, comment='in seconds')
+    lease_expire_delta = Column(INT(), nullable=False, default=DEFAULT_LEASE_EXPIRE_DELTA, comment='in seconds')
+    lease_renewal_period = Column(FLOAT(precision=2), nullable=False, default=DEFAULT_LEASE_RENEWAL_PERIOD)
+    client_token_expire_delta = Column(INT(), nullable=False, default=DEFAULT_CLIENT_TOKEN_EXPIRE_DELTA, comment='in seconds')
+
+    __origin = relationship(Site, foreign_keys=[site_key])
+
+    def __str__(self):
+        return f'INSTANCE_REF: {self.instance_ref} (SITE_KEY_XID: {self.site_key})'
+
+    @staticmethod
+    def create_statement(engine: Engine):
+        from sqlalchemy.schema import CreateTable
+        return CreateTable(Instance.__table__).compile(engine)
+
+    @staticmethod
+    def create_or_update(engine: Engine, instance: "Instance"):
+        session = sessionmaker(bind=engine)()
+        entity = session.query(Instance).filter(Instance.instance_ref == instance.instance_ref).first()
+        if entity is None:
+            session.add(instance)
+        else:
+            x = dict(
+                site_key=instance.site_key,
+                private_key=instance.private_key,
+                public_key=instance.public_key,
+                token_expire_delta=instance.token_expire_delta,
+                lease_expire_delta=instance.lease_expire_delta,
+                lease_renewal_period=instance.lease_renewal_period,
+                client_token_expire_delta=instance.client_token_expire_delta,
+            )
+            session.execute(update(Instance).where(Instance.instance_ref == instance.instance_ref).values(**x))
+        session.commit()
+        session.flush()
+        session.close()
+
+    # todo: validate on startup that "lease_expire_delta" is between 1 day and 90 days
+
+    @staticmethod
+    def get_default_instance(engine: Engine) -> "Instance":
+        session = sessionmaker(bind=engine)()
+        site = Site.get_default_site(engine)
+        entity = session.query(Instance).filter(Instance.site_key == site.site_key).first()
+        session.close()
+        return entity
+
+    def get_token_expire_delta(self) -> "dateutil.relativedelta.relativedelta":
+        return relativedelta(seconds=self.token_expire_delta)
+
+    def get_lease_expire_delta(self) -> "dateutil.relativedelta.relativedelta":
+        return relativedelta(seconds=self.lease_expire_delta)
+
+    def get_lease_renewal_delta(self) -> "datetime.timedelta":
+        return timedelta(seconds=self.lease_expire_delta)
+
+    def get_client_token_expire_delta(self) -> "dateutil.relativedelta.relativedelta":
+        return relativedelta(seconds=self.client_token_expire_delta)
+
+    def __get_private_key(self) -> "RsaKey":
+        return parse_key(self.private_key)
+
+    def get_public_key(self) -> "RsaKey":
+        return parse_key(self.public_key)
+
+    def get_jwt_encode_key(self) -> "jose.jkw":
+        from jose import jwk
+        from jose.constants import ALGORITHMS
+        return jwk.construct(self.__get_private_key().export_key().decode('utf-8'), algorithm=ALGORITHMS.RS256)
+
+    def get_jwt_decode_key(self) -> "jose.jwt":
+        from jose import jwk
+        from jose.constants import ALGORITHMS
+        return jwk.construct(self.get_public_key().export_key().decode('utf-8'), algorithm=ALGORITHMS.RS256)
+
+    def get_private_key_str(self, encoding: str = 'utf-8') -> str:
+        return self.private_key.decode(encoding)
+
+    def get_public_key_str(self, encoding: str = 'utf-8') -> str:
+        return self.private_key.decode(encoding)
+
+
 class Origin(Base):
     __tablename__ = "origin"
 
     origin_ref = Column(CHAR(length=36), primary_key=True, unique=True, index=True)  # uuid4
-
     # service_instance_xid = Column(CHAR(length=36), nullable=False, index=True)  # uuid4 # not necessary, we only support one service_instance_xid ('INSTANCE_REF')
     hostname = Column(VARCHAR(length=256), nullable=True)
     guest_driver_version = Column(VARCHAR(length=10), nullable=True)
@@ -70,18 +195,24 @@ class Origin(Base):
 class Lease(Base):
     __tablename__ = "lease"
 
+    instance_ref = Column(CHAR(length=36), ForeignKey(Instance.instance_ref, ondelete='CASCADE'), nullable=False, index=True)  # uuid4
     lease_ref = Column(CHAR(length=36), primary_key=True, nullable=False, index=True)  # uuid4
-
     origin_ref = Column(CHAR(length=36), ForeignKey(Origin.origin_ref, ondelete='CASCADE'), nullable=False, index=True)  # uuid4
     # scope_ref = Column(CHAR(length=36), nullable=False, index=True)  # uuid4 # not necessary, we only support one scope_ref ('ALLOTMENT_REF')
     lease_created = Column(DATETIME(), nullable=False)
     lease_expires = Column(DATETIME(), nullable=False)
     lease_updated = Column(DATETIME(), nullable=False)
 
+    __instance = relationship(Instance, foreign_keys=[instance_ref])
+    __origin = relationship(Origin, foreign_keys=[origin_ref])
+
     def __repr__(self):
         return f'Lease(origin_ref={self.origin_ref}, lease_ref={self.lease_ref}, expires={self.lease_expires})'
 
-    def serialize(self, renewal_period: float, renewal_delta: timedelta) -> dict:
+    def serialize(self) -> dict:
+        renewal_period = self.__instance.lease_renewal_period
+        renewal_delta = self.__instance.get_lease_renewal_delta
+
         lease_renewal = int(Lease.calculate_renewal(renewal_period, renewal_delta).total_seconds())
         lease_renewal = self.lease_updated + relativedelta(seconds=lease_renewal)
 
@@ -191,38 +322,104 @@ class Lease(Base):
         return renew
 
 
+def init_default_site(session: Session):
+    from uuid import uuid4
+    from app.util import generate_key
+
+    private_key = generate_key()
+    public_key = private_key.public_key()
+
+    site = Site(
+        site_key=Site.INITIAL_SITE_KEY_XID,
+        name=Site.INITIAL_SITE_NAME
+    )
+    session.add(site)
+    session.commit()
+
+    instance = Instance(
+        instance_ref=Instance.DEFAULT_INSTANCE_REF,
+        site_key=site.site_key,
+        private_key=private_key.export_key(),
+        public_key=public_key.export_key(),
+    )
+    session.add(instance)
+    session.commit()
+
+
 def init(engine: Engine):
-    tables = [Origin, Lease]
+    tables = [Site, Instance, Origin, Lease]
     db = inspect(engine)
     session = sessionmaker(bind=engine)()
     for table in tables:
-        if not db.dialect.has_table(engine.connect(), table.__tablename__):
+        exists = db.dialect.has_table(engine.connect(), table.__tablename__)
+        logger.info(f'> Table "{table.__tablename__:<16}" exists: {exists}')
+        if not exists:
             session.execute(text(str(table.create_statement(engine))))
             session.commit()
+
+    # create default site
+    cnt = session.query(Site).count()
+    if cnt == 0:
+        init_default_site(session)
+
+    session.flush()
     session.close()
 
 
 def migrate(engine: Engine):
+    from os import getenv as env
+    from os.path import join, dirname, isfile
+    from util import load_key
+
     db = inspect(engine)
 
-    def upgrade_1_0_to_1_1():
-        x = db.dialect.get_columns(engine.connect(), Lease.__tablename__)
-        x = next(_ for _ in x if _['name'] == 'origin_ref')
-        if x['primary_key'] > 0:
-            print('Found old database schema with "origin_ref" as primary-key in "lease" table. Dropping table!')
-            print('  Your leases are recreated on next renewal!')
-            print('  If an error message appears on the client, you can ignore it.')
-            Lease.__table__.drop(bind=engine)
-            init(engine)
+    # todo: add update guide to use 1.LATEST to 2.0
+    def upgrade_1_x_to_2_0():
+        site = Site.get_default_site(engine)
+        logger.info(site)
+        instance = Instance.get_default_instance(engine)
+        logger.info(instance)
 
-    # def upgrade_1_2_to_1_3():
-    #    x = db.dialect.get_columns(engine.connect(), Lease.__tablename__)
-    #    x = next((_ for _ in x if _['name'] == 'scope_ref'), None)
-    #    if x is None:
-    #        Lease.scope_ref.compile()
-    #        column_name = Lease.scope_ref.name
-    #        column_type = Lease.scope_ref.type.compile(engine.dialect)
-    #        engine.execute(f'ALTER TABLE "{Lease.__tablename__}" ADD COLUMN "{column_name}" {column_type}')
+        # SITE_KEY_XID
+        if site_key := env('SITE_KEY_XID', None) is not None:
+            site.site_key = str(site_key)
 
-    upgrade_1_0_to_1_1()
-    # upgrade_1_2_to_1_3()
+        # INSTANCE_REF
+        if instance_ref := env('INSTANCE_REF', None) is not None:
+            instance.instance_ref = str(instance_ref)
+
+        # ALLOTMENT_REF
+        if allotment_ref := env('ALLOTMENT_REF', None) is not None:
+            pass  # todo
+
+        # INSTANCE_KEY_RSA, INSTANCE_KEY_PUB
+        default_instance_private_key_path = str(join(dirname(__file__), 'cert/instance.private.pem'))
+        if instance_private_key := env('INSTANCE_KEY_RSA', None) is not None:
+            instance.private_key = load_key(str(instance_private_key))
+        elif isfile(default_instance_private_key_path):
+            instance.private_key = load_key(default_instance_private_key_path)
+        default_instance_public_key_path = str(join(dirname(__file__), 'cert/instance.public.pem'))
+        if instance_public_key := env('INSTANCE_KEY_PUB', None) is not None:
+            instance.public_key = load_key(str(instance_public_key))
+        elif isfile(default_instance_public_key_path):
+            instance.public_key = load_key(default_instance_public_key_path)
+
+        # TOKEN_EXPIRE_DELTA
+        if token_expire_delta := env('TOKEN_EXPIRE_DAYS', None) not in (None, 0):
+            instance.token_expire_delta = token_expire_delta * 86_400
+        if token_expire_delta := env('TOKEN_EXPIRE_HOURS', None) not in (None, 0):
+            instance.token_expire_delta = token_expire_delta * 3_600
+
+        # LEASE_EXPIRE_DELTA, LEASE_RENEWAL_DELTA
+        if lease_expire_delta := env('LEASE_EXPIRE_DAYS', None) not in (None, 0):
+            instance.lease_expire_delta = lease_expire_delta * 86_400
+        if lease_expire_delta := env('LEASE_EXPIRE_HOURS', None) not in (None, 0):
+            instance.lease_expire_delta = lease_expire_delta * 3_600
+
+        # LEASE_RENEWAL_PERIOD
+        if lease_renewal_period := env('LEASE_RENEWAL_PERIOD', None) is not None:
+            instance.lease_renewal_period = lease_renewal_period
+
+        # todo: update site, instance
+
+    upgrade_1_x_to_2_0()

app/util.py

@@ -16,6 +16,18 @@ def load_key(filename) -> "RsaKey":
     return RSA.import_key(extern_key=load_file(filename), passphrase=None)
 
 
+def parse_key(content: bytes) -> "RsaKey":
+    try:
+        # Crypto | Cryptodome on Debian
+        from Crypto.PublicKey import RSA
+        from Crypto.PublicKey.RSA import RsaKey
+    except ModuleNotFoundError:
+        from Cryptodome.PublicKey import RSA
+        from Cryptodome.PublicKey.RSA import RsaKey
+
+    return RSA.import_key(extern_key=content, passphrase=None)
+
+
 def generate_key() -> "RsaKey":
     try:
         # Crypto | Cryptodome on Debian

docker-compose.yml

@@ -1,9 +1,10 @@
 version: '3.9'
 
 x-dls-variables: &dls-variables
-  DLS_URL: localhost  # REQUIRED, change to your ip or hostname
-  DLS_PORT: 443  # must match nginx listen & exposed port
-  LEASE_EXPIRE_DAYS: 90
+  TZ: Europe/Berlin # REQUIRED, set your timezone correctly on fastapi-dls AND YOUR CLIENTS !!!
+  DLS_URL: localhost # REQUIRED, change to your ip or hostname
+  DLS_PORT: 443
+  LEASE_EXPIRE_DAYS: 90  # 90 days is maximum
   DATABASE: sqlite:////app/database/db.sqlite
   DEBUG: false
 
@@ -13,108 +14,16 @@ services:
     restart: always
     environment:
       <<: *dls-variables
-    volumes:
-      - /etc/timezone:/etc/timezone:ro
-      - /opt/docker/fastapi-dls/cert:/app/cert  # instance.private.pem, instance.public.pem
-      - db:/app/database
-    entrypoint: ["uvicorn", "main:app", "--host", "0.0.0.0", "--port", "8000", "--app-dir", "/app", "--proxy-headers"]
-    healthcheck:
-      test: ["CMD", "curl", "--fail", "http://localhost:8000/-/health"]
-      interval: 10s
-      timeout: 5s
-      retries: 3
-      start_period: 30s
-  proxy:
-    image: nginx
     ports:
-      # thees are ports where nginx (!) is listen to
-      - "80:80"  # for "/leasing/v1/lessor/shutdown" used by windows guests, can't be changed!
-      - "443:443"  # first part must match "DLS_PORT"
+      - "443:443"
     volumes:
-      - /etc/timezone:/etc/timezone:ro
-      - /opt/docker/fastapi-dls/cert:/opt/cert
-    healthcheck:
-      test: ["CMD", "curl", "--insecure", "--fail", "https://localhost/-/health"]
-      interval: 10s
-      timeout: 5s
-      retries: 3
-      start_period: 30s
-    command: |
-      bash -c "bash -s <<\"EOF\"
-      cat > /etc/nginx/nginx.conf <<\"EON\"
-      daemon off;
-      user root;
-      worker_processes auto;
-      
-      events {
-        worker_connections 1024;
-      }
-      
-      http {
-        gzip on;
-        gzip_disable "msie6";
-        include /etc/nginx/mime.types;
-      
-        upstream dls-backend {
-          server dls:8000;  # must match dls listen port
-        }
-      
-        server {
-          listen 443 ssl http2 default_server;
-          listen [::]:443 ssl http2 default_server;
-      
-          root /var/www/html;
-          index index.html;
-          server_name _;
-      
-          ssl_certificate "/opt/cert/webserver.crt";
-          ssl_certificate_key "/opt/cert/webserver.key";
-          ssl_session_cache shared:SSL:1m;
-          ssl_session_timeout  10m;
-          ssl_protocols TLSv1.3 TLSv1.2;
-          # ssl_ciphers "ECDHE-ECDSA-CHACHA20-POLY1305";
-          # ssl_ciphers PROFILE=SYSTEM;
-          ssl_prefer_server_ciphers on;
-      
-          location / {
-            proxy_set_header Host $$http_host;
-            proxy_set_header X-Real-IP $$remote_addr;
-            proxy_set_header X-Forwarded-For $$proxy_add_x_forwarded_for;
-            proxy_set_header X-Forwarded-Proto $$scheme;
-            proxy_pass http://dls-backend$$request_uri;
-          }
-      
-          location = /-/health {
-            access_log off;
-            add_header 'Content-Type' 'application/json';
-            return 200 '{\"status\":\"up\",\"service\":\"nginx\"}';
-          }
-        }
-      
-        server {
-          listen 80;
-          listen [::]:80;
-      
-          root /var/www/html;
-          index index.html;
-          server_name _;
-      
-          location /leasing/v1/lessor/shutdown {
-            proxy_set_header Host $$http_host;
-            proxy_set_header X-Real-IP $$remote_addr;
-            proxy_set_header X-Forwarded-For $$proxy_add_x_forwarded_for;
-            proxy_set_header X-Forwarded-Proto $$scheme;
-            proxy_pass http://dls-backend/leasing/v1/lessor/shutdown;
-          }
-      
-          location / {
-            return 301 https://$$host$$request_uri;
-          }
-        }
-      }
-      EON
-      nginx
-      EOF"
+      - /opt/docker/fastapi-dls/cert:/app/cert
+      - dls-db:/app/database
+    logging: # optional, for those who do not need logs
+      driver: "json-file"
+      options:
+        max-file: 5
+        max-size: 10m
 
 volumes:
-  db:
+  dls-db:

examples/docker-compose-http-and-https.yml

@@ -0,0 +1,120 @@
+version: '3.9'
+
+x-dls-variables: &dls-variables
+  DLS_URL: localhost  # REQUIRED, change to your ip or hostname
+  DLS_PORT: 443  # must match nginx listen & exposed port
+  LEASE_EXPIRE_DAYS: 90
+  DATABASE: sqlite:////app/database/db.sqlite
+  DEBUG: false
+
+services:
+  dls:
+    image: collinwebdesigns/fastapi-dls:latest
+    restart: always
+    environment:
+      <<: *dls-variables
+    volumes:
+      - /etc/timezone:/etc/timezone:ro
+      - /opt/docker/fastapi-dls/cert:/app/cert  # instance.private.pem, instance.public.pem
+      - db:/app/database
+    entrypoint: ["uvicorn", "main:app", "--host", "0.0.0.0", "--port", "8000", "--app-dir", "/app", "--proxy-headers"]
+    healthcheck:
+      test: ["CMD", "curl", "--fail", "http://localhost:8000/-/health"]
+      interval: 10s
+      timeout: 5s
+      retries: 3
+      start_period: 30s
+  proxy:
+    image: nginx
+    ports:
+      # thees are ports where nginx (!) is listen to
+      - "80:80"  # for "/leasing/v1/lessor/shutdown" used by windows guests, can't be changed!
+      - "443:443"  # first part must match "DLS_PORT"
+    volumes:
+      - /etc/timezone:/etc/timezone:ro
+      - /opt/docker/fastapi-dls/cert:/opt/cert
+    healthcheck:
+      test: ["CMD", "curl", "--insecure", "--fail", "https://localhost/-/health"]
+      interval: 10s
+      timeout: 5s
+      retries: 3
+      start_period: 30s
+    command: |
+      bash -c "bash -s <<\"EOF\"
+      cat > /etc/nginx/nginx.conf <<\"EON\"
+      daemon off;
+      user root;
+      worker_processes auto;
+      
+      events {
+        worker_connections 1024;
+      }
+      
+      http {
+        gzip on;
+        gzip_disable "msie6";
+        include /etc/nginx/mime.types;
+      
+        upstream dls-backend {
+          server dls:8000;  # must match dls listen port
+        }
+      
+        server {
+          listen 443 ssl http2 default_server;
+          listen [::]:443 ssl http2 default_server;
+      
+          root /var/www/html;
+          index index.html;
+          server_name _;
+      
+          ssl_certificate "/opt/cert/webserver.crt";
+          ssl_certificate_key "/opt/cert/webserver.key";
+          ssl_session_cache shared:SSL:1m;
+          ssl_session_timeout  10m;
+          ssl_protocols TLSv1.3 TLSv1.2;
+          # ssl_ciphers "ECDHE-ECDSA-CHACHA20-POLY1305";
+          # ssl_ciphers PROFILE=SYSTEM;
+          ssl_prefer_server_ciphers on;
+      
+          location / {
+            proxy_set_header Host $$http_host;
+            proxy_set_header X-Real-IP $$remote_addr;
+            proxy_set_header X-Forwarded-For $$proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto $$scheme;
+            proxy_pass http://dls-backend$$request_uri;
+          }
+      
+          location = /-/health {
+            access_log off;
+            add_header 'Content-Type' 'application/json';
+            return 200 '{\"status\":\"up\",\"service\":\"nginx\"}';
+          }
+        }
+      
+        server {
+          listen 80;
+          listen [::]:80;
+      
+          root /var/www/html;
+          index index.html;
+          server_name _;
+      
+          location /leasing/v1/lessor/shutdown {
+            proxy_set_header Host $$http_host;
+            proxy_set_header X-Real-IP $$remote_addr;
+            proxy_set_header X-Forwarded-For $$proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto $$scheme;
+            proxy_pass http://dls-backend/leasing/v1/lessor/shutdown;
+          }
+      
+          location / {
+            return 301 https://$$host$$request_uri;
+          }
+        }
+      }
+      EON
+      nginx
+      EOF"
+
+volumes:
+  db:

requirements.txt

@@ -1,8 +1,8 @@
-fastapi==0.97.0
-uvicorn[standard]==0.22.0
+fastapi==0.110.0
+uvicorn[standard]==0.27.1
 python-jose==3.3.0
-pycryptodome==3.18.0
+pycryptodome==3.20.0
 python-dateutil==2.8.2
-sqlalchemy==2.0.16
-markdown==3.4.3
-python-dotenv==1.0.0
+sqlalchemy==2.0.27
+markdown==3.5.2
+python-dotenv==1.0.1

test/main.py

@@ -1,14 +1,15 @@
+from os import getenv as env
 from base64 import b64encode as b64enc
 from hashlib import sha256
 from calendar import timegm
 from datetime import datetime
-from os.path import dirname, join
-from uuid import uuid4, UUID
+from uuid import UUID, uuid4
 
 from dateutil.relativedelta import relativedelta
-from jose import jwt, jwk
+from jose import jwt
 from jose.constants import ALGORITHMS
 from starlette.testclient import TestClient
+from sqlalchemy import create_engine
 import sys
 
 # add relative path to use packages as they were in the app/ dir
@@ -16,20 +17,23 @@ sys.path.append('../')
 sys.path.append('../app')
 
 from app import main
-from app.util import load_key
+from app.orm import init as db_init, migrate, Site, Instance
 
-client = TestClient(main.app)
 
 ORIGIN_REF, ALLOTMENT_REF, SECRET = str(uuid4()), '20000000-0000-0000-0000-000000000001', 'HelloWorld'
 
-# INSTANCE_KEY_RSA = generate_key()
-# INSTANCE_KEY_PUB = INSTANCE_KEY_RSA.public_key()
+# fastapi setup
+client = TestClient(main.app)
 
-INSTANCE_KEY_RSA = load_key(str(join(dirname(__file__), '../app/cert/instance.private.pem')))
-INSTANCE_KEY_PUB = load_key(str(join(dirname(__file__), '../app/cert/instance.public.pem')))
+# database setup
+db = create_engine(str(env('DATABASE', 'sqlite:///db.sqlite')))
+db_init(db), migrate(db)
 
-jwt_encode_key = jwk.construct(INSTANCE_KEY_RSA.export_key().decode('utf-8'), algorithm=ALGORITHMS.RS256)
-jwt_decode_key = jwk.construct(INSTANCE_KEY_PUB.export_key().decode('utf-8'), algorithm=ALGORITHMS.RS256)
+# test vars
+DEFAULT_SITE, DEFAULT_INSTANCE = Site.get_default_site(db), Instance.get_default_instance(db)
+
+SITE_KEY = DEFAULT_SITE.site_key
+jwt_encode_key, jwt_decode_key = DEFAULT_INSTANCE.get_jwt_encode_key(), DEFAULT_INSTANCE.get_jwt_decode_key()
 
 
 def __bearer_token(origin_ref: str) -> str:
@@ -38,6 +42,12 @@ def __bearer_token(origin_ref: str) -> str:
     return token
 
 
+def test_initial_default_site_and_instance():
+    default_site, default_instance = Site.get_default_site(db), Instance.get_default_instance(db)
+    assert default_site.site_key == Site.INITIAL_SITE_KEY_XID
+    assert default_instance.instance_ref == Instance.DEFAULT_INSTANCE_REF
+
+
 def test_index():
     response = client.get('/')
     assert response.status_code == 200
@@ -153,8 +163,7 @@ def test_auth_v1_token():
         "kid": "00000000-0000-0000-0000-000000000000"
     }
     payload = {
-        "auth_code": jwt.encode(payload, key=jwt_encode_key, headers={'kid': payload.get('kid')},
-                                algorithm=ALGORITHMS.RS256),
+        "auth_code": jwt.encode(payload, key=jwt_encode_key, headers={'kid': payload.get('kid')}, algorithm=ALGORITHMS.RS256),
         "code_verifier": SECRET,
     }