x-nls-signature

test "x-nls-signature"
fixed missing code
2026-04-10 00:25:49 +03:00 · 2025-04-14 11:17:54 +02:00 · 2025-04-14 11:17:54 +02:00 · 2025-04-14 11:17:54 +02:00 · 2025-04-14 11:17:54 +02:00 · 2025-04-14 11:17:54 +02:00
8 changed files with 462 additions and 119 deletions
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -44,7 +44,7 @@ build:apt:
    - if: $CI_COMMIT_TAG
      variables:
        VERSION: $CI_COMMIT_REF_NAME
-    - if: ($CI_PIPELINE_SOURCE == 'merge_request_event') || ($CI_COMMIT_BRANCH && $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH)
+    - if: $CI_PIPELINE_SOURCE == 'merge_request_event'
      changes:
        - app/**/*
        - .DEBIAN/**/*
@@ -91,7 +91,7 @@ build:pacman:
    - if: $CI_COMMIT_TAG
      variables:
        VERSION: $CI_COMMIT_REF_NAME
-    - if: ($CI_PIPELINE_SOURCE == 'merge_request_event') || ($CI_COMMIT_BRANCH && $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH)
+    - if: $CI_PIPELINE_SOURCE == 'merge_request_event'
      changes:
        - app/**/*
        - .PKGBUILD/**/*
@@ -120,12 +120,13 @@ build:pacman:
    paths:
      - "*.pkg.tar.zst"
-test:python:
+test:
-  image: $IMAGE
+  image: python:3.12-slim-bookworm
  stage: test
  interruptible: true
  rules:
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
    - if: $CI_COMMIT_TAG
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
    - if: $CI_COMMIT_BRANCH && $CI_COMMIT_BRANCH != $CI_DEFAULT_BRANCH
      changes:
@@ -135,20 +136,17 @@ test:python:
    DATABASE: sqlite:///../app/db.sqlite
  parallel:
    matrix:
-      - IMAGE:
+      - REQUIREMENTS:
-          # https://devguide.python.org/versions/#supported-versions
+          - 'requirements.txt'
-#          - python:3.14-rc-alpine  # EOL 2030-10 =>  uvicorn does not support 3.14 yet
+#          - '.DEBIAN/requirements-bookworm-12.txt'
-          - python:3.13-alpine  # EOL 2029-10
+#          - '.DEBIAN/requirements-ubuntu-24.04.txt'
-          - python:3.12-alpine  # EOL 2028-10
+#          - '.DEBIAN/requirements-ubuntu-24.10.txt'
          - python:3.11-alpine  # EOL 2027-10
 #          - python:3.10-alpine  # EOL 2026-10 => ImportError: cannot import name 'UTC' from 'datetime'
 #          - python:3.9-alpine  # EOL 2025-10 => ImportError: cannot import name 'UTC' from 'datetime'
  before_script:
-    - apk --no-cache add openssl
+    - apt-get update && apt-get install -y python3-dev python3-pip python3-venv gcc
    - python3 -m venv venv
    - source venv/bin/activate
    - pip install --upgrade pip
-    - pip install -r requirements.txt
+    - pip install -r $REQUIREMENTS
    - pip install pytest pytest-cov pytest-custom_exit_code httpx
    - mkdir -p app/cert
    - openssl genrsa -out app/cert/instance.private.pem 2048
@@ -158,26 +156,17 @@ test:python:
    - python -m pytest main.py --junitxml=report.xml
  artifacts:
    reports:
      dotenv: version.env
      junit: ['**/report.xml']
-test:apt:
+.test:apt:
  image: $IMAGE
  stage: test
  rules:
-    - if: $CI_COMMIT_BRANCH && $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
+    - if: $CI_COMMIT_BRANCH && $CI_COMMIT_BRANCH != $CI_DEFAULT_BRANCH
    - if: $CI_PIPELINE_SOURCE == 'merge_request_event'
      changes:
        - app/**/*
        - .DEBIAN/**/*
    - if: $CI_PIPELINE_SOURCE == 'merge_request_event'
  parallel:
    matrix:
      - IMAGE:
          - debian:trixie-slim # EOL: t.b.a.
          - debian:bookworm-slim # EOL: June 06, 2026
          - debian:bookworm-slim # EOL: June 06, 2026
          - ubuntu:24.04 # EOL: April 2036
          - ubuntu:24.10
  needs:
    - job: build:apt
      artifacts: true
@@ -209,15 +198,24 @@ test:apt:
    - apt-get purge -qq -y fastapi-dls
    - apt-get autoremove -qq -y && apt-get clean -qq
 test:apt:
  extends: .test:apt
  image: $IMAGE
  parallel:
    matrix:
      - IMAGE:
          - debian:bookworm-slim # EOL: June 06, 2026
          - ubuntu:24.04 # EOL: April 2036
          - ubuntu:24.10
 test:pacman:archlinux:
  image: archlinux:base
  rules:
-    - if: $CI_COMMIT_BRANCH && $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
+    - if: $CI_COMMIT_BRANCH && $CI_COMMIT_BRANCH != $CI_DEFAULT_BRANCH
    - if: $CI_PIPELINE_SOURCE == 'merge_request_event'
      changes:
        - app/**/*
        - .PKGBUILD/**/*
-        - .gitlab-ci.yml
+    - if: $CI_PIPELINE_SOURCE == 'merge_request_event'
  needs:
    - job: build:pacman
      artifacts: true
@@ -292,12 +290,15 @@ gemnasium-python-dependency_scanning:
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
 .deploy:
  rules:
    - if: $CI_COMMIT_TAG
 deploy:docker:
  extends: .deploy
  image: docker:dind
  stage: deploy
  tags: [ docker ]
  rules:
    - if: $CI_COMMIT_TAG
  before_script:
    - echo "Building docker image for commit $CI_COMMIT_SHA with version $CI_COMMIT_REF_NAME"
    - docker buildx inspect
@@ -316,10 +317,9 @@ deploy:docker:
 deploy:apt:
  # doc: https://git.collinwebdesigns.de/help/user/packages/debian_repository/index.md#install-a-package
  extends: .deploy
  image: debian:bookworm-slim
  stage: deploy
  rules:
    - if: $CI_COMMIT_TAG
  needs:
    - job: build:apt
      artifacts: true
@@ -356,10 +356,9 @@ deploy:apt:
    - 'curl --header "JOB-TOKEN: $CI_JOB_TOKEN" --upload-file ${EXPORT_NAME} "${CI_API_V4_URL}/projects/${CI_PROJECT_ID}/packages/generic/${PACKAGE_NAME}/${PACKAGE_VERSION}/${EXPORT_NAME}"'
 deploy:pacman:
  extends: .deploy
  image: archlinux:base-devel
  stage: deploy
  rules:
    - if: $CI_COMMIT_TAG
  needs:
    - job: build:pacman
      artifacts: true
@@ -380,7 +379,7 @@ deploy:pacman:
 release:
  image: registry.gitlab.com/gitlab-org/release-cli:latest
  stage: .post
-  needs: [ deploy:docker, deploy:apt, deploy:pacman ]
+  needs: [ test ]
  rules:
    - if: $CI_COMMIT_TAG
  script:
--- a/README.md
+++ b/README.md
@@ -795,13 +795,13 @@ Thanks to vGPU community and all who uses this project and report bugs.
 Special thanks to:
- `samicrusader` who created build file for **ArchLinux**
+- @samicrusader who created build file for **ArchLinux**
- `cyrus` who wrote the section for **openSUSE**
+- @cyrus who wrote the section for **openSUSE**
- `midi` who wrote the section for **unRAID**
+- @midi who wrote the section for **unRAID**
- `polloloco` who wrote the *[NVIDIA vGPU Guide](https://gitlab.com/polloloco/vgpu-proxmox)*
+- @polloloco who wrote the *[NVIDIA vGPU Guide](https://gitlab.com/polloloco/vgpu-proxmox)*
- `DualCoder` who creates the `vgpu_unlock` functionality [vgpu_unlock](https://github.com/DualCoder/vgpu_unlock)
+- @DualCoder who creates the `vgpu_unlock` functionality [vgpu_unlock](https://github.com/DualCoder/vgpu_unlock)
- `Krutav Shah` who wrote the [vGPU_Unlock Wiki](https://docs.google.com/document/d/1pzrWJ9h-zANCtyqRgS7Vzla0Y8Ea2-5z2HEi4X75d2Q/)
+- Krutav Shah who wrote the [vGPU_Unlock Wiki](https://docs.google.com/document/d/1pzrWJ9h-zANCtyqRgS7Vzla0Y8Ea2-5z2HEi4X75d2Q/)
- `Wim van 't Hoog` for the [Proxmox All-In-One Installer Script](https://wvthoog.nl/proxmox-vgpu-v3/)
+- Wim van 't Hoog for the [Proxmox All-In-One Installer Script](https://wvthoog.nl/proxmox-vgpu-v3/)
- `mrzenc` who wrote [fastapi-dls-nixos](https://github.com/mrzenc/fastapi-dls-nixos)
+- @mrzenc who wrote [fastapi-dls-nixos](https://github.com/mrzenc/fastapi-dls-nixos)
 And thanks to all people who contributed to all these libraries!
--- a/app/main.py
+++ b/app/main.py
@@ -6,7 +6,8 @@ from datetime import datetime, timedelta, UTC
 from hashlib import sha256
 from json import loads as json_loads
 from os import getenv as env
-from os.path import join, dirname
+from os.path import join, dirname, isfile
 from random import randbytes
 from uuid import uuid4
 from dateutil.relativedelta import relativedelta
@@ -21,7 +22,7 @@ from starlette.middleware.cors import CORSMiddleware
 from starlette.responses import StreamingResponse, JSONResponse as JSONr, HTMLResponse as HTMLr, Response, RedirectResponse
 from orm import Origin, Lease, init as db_init, migrate
-from util import PrivateKey, PublicKey, load_file
+from util import PrivateKey, PublicKey, load_file, Cert
 # Load variables
 load_dotenv('../version.env')
@@ -50,6 +51,7 @@ LEASE_RENEWAL_PERIOD = float(env('LEASE_RENEWAL_PERIOD', 0.15))
 LEASE_RENEWAL_DELTA = timedelta(days=int(env('LEASE_EXPIRE_DAYS', 90)), hours=int(env('LEASE_EXPIRE_HOURS', 0)))
 CLIENT_TOKEN_EXPIRE_DELTA = relativedelta(years=12)
 CORS_ORIGINS = str(env('CORS_ORIGINS', '')).split(',') if (env('CORS_ORIGINS')) else [f'https://{DLS_URL}']
 DT_FORMAT = '%Y-%m-%dT%H:%M:%S.%fZ'
 jwt_encode_key = jwk.construct(INSTANCE_KEY_RSA.pem(), algorithm=ALGORITHMS.RS256)
 jwt_decode_key = jwk.construct(INSTANCE_KEY_PUB.pem(), algorithm=ALGORITHMS.RS256)
@@ -248,6 +250,7 @@ async def _client_token():
        "iat": timegm(cur_time.timetuple()),
        "nbf": timegm(cur_time.timetuple()),
        "exp": timegm(exp_time.timetuple()),
        "protocol_version": "2.0",
        "update_mode": "ABSOLUTE",
        "scope_ref_list": [ALLOTMENT_REF],
        "fulfillment_class_ref_list": [],
@@ -298,14 +301,19 @@ async def auth_v1_origin(request: Request):
    Origin.create_or_update(db, data)
    environment = {
        'raw_env': j.get('environment')
    }
    environment.update(j.get('environment'))
    response = {
        "origin_ref": origin_ref,
-        "environment": j.get('environment'),
+        "environment": environment,
        "svc_port_set_list": None,
        "node_url_list": None,
        "node_query_order": None,
        "prompts": None,
-        "sync_timestamp": cur_time.isoformat()
+        "sync_timestamp": cur_time.strftime(DT_FORMAT)
    }
    return JSONr(response)
@@ -331,7 +339,7 @@ async def auth_v1_origin_update(request: Request):
    response = {
        "environment": j.get('environment'),
        "prompts": None,
-        "sync_timestamp": cur_time.isoformat()
+        "sync_timestamp": cur_time.strftime(DT_FORMAT)
    }
    return JSONr(response)
@@ -362,7 +370,7 @@ async def auth_v1_code(request: Request):
    response = {
        "auth_code": auth_code,
-        "sync_timestamp": cur_time.isoformat(),
+        "sync_timestamp": cur_time.strftime(DT_FORMAT),
        "prompts": None
    }
@@ -404,19 +412,266 @@ async def auth_v1_token(request: Request):
    auth_token = jwt.encode(new_payload, key=jwt_encode_key, headers={'kid': payload.get('kid')}, algorithm=ALGORITHMS.RS256)
    response = {
-        "expires": access_expires_on.isoformat(),
+        "expires": access_expires_on.strftime(DT_FORMAT),
        "auth_token": auth_token,
-        "sync_timestamp": cur_time.isoformat(),
+        "sync_timestamp": cur_time.strftime(DT_FORMAT),
        "prompts": None
    }
    return JSONr(response)
 # NLS 3.4.0 - venv/lib/python3.12/site-packages/nls_services_lease/test/test_lease_single_controller.py
@app.post('/leasing/v1/config-token', description='request to get config token for lease operations')
 async def leasing_v1_config_token(request: Request):
    j, cur_time = json_loads((await request.body()).decode('utf-8')), datetime.now(UTC)
    logger.debug(f'CALLED /leasing/v1/config-token')
    logger.debug(f'Headers: {request.headers}')
    logger.debug(f'Request: {j}')
    # todo: THIS IS A DEMO ONLY
    ###
    #
    # https://git.collinwebdesigns.de/nvidia/nls/-/blob/main/src/test/test_config_token.py
    #
    ###
    root_private_key_filename = join(dirname(__file__), 'cert/my_demo_root_private_key.pem')
    root_certificate_filename = join(dirname(__file__), 'cert/my_demo_root_certificate.pem')
    ca_private_key_filename = join(dirname(__file__), 'cert/my_demo_ca_private_key.pem')
    ca_certificate_filename = join(dirname(__file__), 'cert/my_demo_ca_certificate.pem')
    si_private_key_filename = join(dirname(__file__), 'cert/my_demo_si_private_key.pem')
    si_certificate_filename = join(dirname(__file__), 'cert/my_demo_si_certificate.pem')
    def init_config_token_demo():
        from cryptography import x509
        from cryptography.hazmat._oid import NameOID
        from cryptography.hazmat.primitives import serialization, hashes
        from cryptography.hazmat.primitives.asymmetric.rsa import generate_private_key
        from cryptography.hazmat.primitives.serialization import Encoding
        """ Create Root Key and Certificate """
        # create root keypair
        my_root_private_key = generate_private_key(public_exponent=65537, key_size=4096)
        my_root_public_key = my_root_private_key.public_key()
        # create root-certificate subject
        my_root_subject = x509.Name([
            x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
            x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'California'),
            x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'Nvidia'),
            x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME, u'Nvidia Licensing Service (NLS)'),
            x509.NameAttribute(NameOID.COMMON_NAME, u'NLS Root CA'),
        ])
        # create self-signed root-certificate
        my_root_certificate = (
            x509.CertificateBuilder()
            .subject_name(my_root_subject)
            .issuer_name(my_root_subject)
            .public_key(my_root_public_key)
            .serial_number(x509.random_serial_number())
            .not_valid_before(datetime.now(tz=UTC) - timedelta(days=1))
            .not_valid_after(datetime.now(tz=UTC) + timedelta(days=365 * 10))
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .add_extension(x509.SubjectKeyIdentifier.from_public_key(my_root_public_key), critical=False)
            .sign(my_root_private_key, hashes.SHA256()))
        my_root_private_key_as_pem = my_root_private_key.private_bytes(
            encoding=serialization.Encoding.PEM,
            format=serialization.PrivateFormat.TraditionalOpenSSL,
            encryption_algorithm=serialization.NoEncryption(),
        )
        with open(root_private_key_filename, 'wb') as f:
            f.write(my_root_private_key_as_pem)
        with open(root_certificate_filename, 'wb') as f:
            f.write(my_root_certificate.public_bytes(encoding=Encoding.PEM))
        """ Create CA (Intermediate) Key and Certificate """
        # create ca keypair
        my_ca_private_key = generate_private_key(public_exponent=65537, key_size=4096)
        my_ca_public_key = my_ca_private_key.public_key()
        # create ca-certificate subject
        my_ca_subject = x509.Name([
            x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
            x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'California'),
            x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'Nvidia'),
            x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME, u'Nvidia Licensing Service (NLS)'),
            x509.NameAttribute(NameOID.COMMON_NAME, u'NLS Intermediate CA'),
        ])
        # create self-signed ca-certificate
        my_ca_certificate = (
            x509.CertificateBuilder()
            .subject_name(my_ca_subject)
            .issuer_name(my_root_subject)
            .public_key(my_ca_public_key)
            .serial_number(x509.random_serial_number())
            .not_valid_before(datetime.now(tz=UTC) - timedelta(days=1))
            .not_valid_after(datetime.now(tz=UTC) + timedelta(days=365 * 10))
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .add_extension(x509.KeyUsage(digital_signature=False, key_encipherment=False, key_cert_sign=True,
                                         key_agreement=False, content_commitment=False, data_encipherment=False,
                                         crl_sign=True, encipher_only=False, decipher_only=False), critical=True)
            .add_extension(x509.SubjectKeyIdentifier.from_public_key(my_ca_public_key), critical=False)
            # .add_extension(x509.AuthorityKeyIdentifier.from_issuer_public_key(my_root_public_key), critical=False)
            .add_extension(x509.AuthorityKeyIdentifier.from_issuer_subject_key_identifier(
                my_root_certificate.extensions.get_extension_for_class(x509.SubjectKeyIdentifier).value
            ), critical=False)
            .sign(my_root_private_key, hashes.SHA256()))
        my_ca_private_key_as_pem = my_ca_private_key.private_bytes(
            encoding=serialization.Encoding.PEM,
            format=serialization.PrivateFormat.TraditionalOpenSSL,
            encryption_algorithm=serialization.NoEncryption(),
        )
        with open(ca_private_key_filename, 'wb') as f:
            f.write(my_ca_private_key_as_pem)
        with open(ca_certificate_filename, 'wb') as f:
            f.write(my_ca_certificate.public_bytes(encoding=Encoding.PEM))
        """ Create Service-Instance Key and Certificate """
        # create si keypair
        my_si_private_key = generate_private_key(public_exponent=65537, key_size=2048)
        my_si_public_key = my_si_private_key.public_key()
        my_si_private_key_as_pem = my_si_private_key.private_bytes(
            encoding=serialization.Encoding.PEM,
            format=serialization.PrivateFormat.TraditionalOpenSSL,
            encryption_algorithm=serialization.NoEncryption(),
        )
        my_si_public_key_as_pem = my_si_public_key.public_bytes(
            encoding=serialization.Encoding.PEM,
            format=serialization.PublicFormat.SubjectPublicKeyInfo,
        )
        with open(si_private_key_filename, 'wb') as f:
            f.write(my_si_private_key_as_pem)
        # with open('instance.public.pem', 'wb') as f:
        #   f.write(my_si_public_key_as_pem)
        # create si-certificate subject
        my_si_subject = x509.Name([
            # x509.NameAttribute(NameOID.COMMON_NAME, INSTANCE_REF),
            x509.NameAttribute(NameOID.COMMON_NAME, j.get('service_instance_ref')),
        ])
        # create self-signed si-certificate
        my_si_certificate = (
            x509.CertificateBuilder()
            .subject_name(my_si_subject)
            .issuer_name(my_ca_subject)
            .public_key(my_si_public_key)
            .serial_number(x509.random_serial_number())
            .not_valid_before(datetime.now(tz=UTC) - timedelta(days=1))
            .not_valid_after(datetime.now(tz=UTC) + timedelta(days=365 * 10))
            .add_extension(x509.KeyUsage(digital_signature=True, key_encipherment=True, key_cert_sign=False,
                                         key_agreement=True, content_commitment=False, data_encipherment=False,
                                         crl_sign=False, encipher_only=False, decipher_only=False), critical=True)
            .add_extension(x509.ExtendedKeyUsage([
                x509.oid.ExtendedKeyUsageOID.SERVER_AUTH,
                x509.oid.ExtendedKeyUsageOID.CLIENT_AUTH]
            ), critical=False)
            .add_extension(x509.SubjectKeyIdentifier.from_public_key(my_si_public_key), critical=False)
            # .add_extension(x509.AuthorityKeyIdentifier.from_issuer_public_key(my_ca_public_key), critical=False)
            .add_extension(x509.AuthorityKeyIdentifier.from_issuer_subject_key_identifier(
                my_ca_certificate.extensions.get_extension_for_class(x509.SubjectKeyIdentifier).value
            ), critical=False)
            .add_extension(x509.SubjectAlternativeName([
                # x509.DNSName(INSTANCE_REF)
                x509.DNSName(j.get('service_instance_ref'))
            ]), critical=False)
            .sign(my_ca_private_key, hashes.SHA256()))
        my_si_public_key_exp = my_si_certificate.public_key().public_numbers().e
        my_si_public_key_mod = f'{my_si_certificate.public_key().public_numbers().n:x}'  # hex value without "0x" prefix
        with open(si_certificate_filename, 'wb') as f:
            f.write(my_si_certificate.public_bytes(encoding=Encoding.PEM))
    if not (isfile(root_private_key_filename)
            and isfile(ca_private_key_filename)
            and isfile(ca_certificate_filename)
            and isfile(si_private_key_filename)
            and isfile(si_certificate_filename)):
        init_config_token_demo()
    my_ca_certificate = Cert.from_file(ca_certificate_filename)
    my_si_certificate = Cert.from_file(si_certificate_filename)
    my_si_private_key = PrivateKey.from_file(si_private_key_filename)
    my_si_private_key_as_pem = my_si_private_key.pem()
    my_si_public_key = my_si_private_key.public_key().raw()
    my_si_public_key_as_pem = my_si_private_key.public_key().pem()
    """ build out payload """
    cur_time = datetime.now(UTC)
    exp_time = cur_time + CLIENT_TOKEN_EXPIRE_DELTA
    payload = {
        "iss": "NLS Service Instance",
        "aud": "NLS Licensed Client",
        "iat": timegm(cur_time.timetuple()),
        "nbf": timegm(cur_time.timetuple()),
        "exp": timegm(exp_time.timetuple()),
        "protocol_version": "2.0",
        "d_name": "DLS",
        "service_instance_ref": j.get('service_instance_ref'),
        "service_instance_public_key_configuration": {
            "service_instance_public_key_me": {
                "mod": hex(my_si_public_key.public_numbers().n)[2:],
                "exp": int(my_si_public_key.public_numbers().e),
            },
            # 64 chars per line (pem default)
            "service_instance_public_key_pem": my_si_public_key_as_pem.decode('utf-8').strip(),
            "key_retention_mode": "LATEST_ONLY"
        },
    }
    my_jwt_encode_key = jwk.construct(my_si_private_key_as_pem.decode('utf-8'), algorithm=ALGORITHMS.RS256)
    config_token = jws.sign(payload, key=my_jwt_encode_key, headers=None, algorithm=ALGORITHMS.RS256)
    response_ca_chain = my_ca_certificate.pem().decode('utf-8')
    response_si_certificate = my_si_certificate.pem().decode('utf-8')
    response = {
        "certificateConfiguration": {
            # 76 chars per line
            "caChain": [response_ca_chain],
            # 76 chars per line
            "publicCert": response_si_certificate,
            "publicKey": {
                "exp": int(my_si_certificate.raw().public_key().public_numbers().e),
                "mod": [hex(my_si_certificate.raw().public_key().public_numbers().n)[2:]],
            },
        },
        "configToken": config_token,
    }
    logging.debug(response)
    return JSONr(response, status_code=200)
 # venv/lib/python3.9/site-packages/nls_services_lease/test/test_lease_multi_controller.py
@app.post('/leasing/v1/lessor', description='request multiple leases (borrow) for current origin')
 async def leasing_v1_lessor(request: Request):
    j, token, cur_time = json_loads((await request.body()).decode('utf-8')), __get_token(request), datetime.now(UTC)
    logger.debug(j)
    logger.debug(request.headers)
    try:
        token = __get_token(request)
    except JWTError:
@@ -427,6 +682,7 @@ async def leasing_v1_lessor(request: Request):
    logger.info(f'> [  create  ]: {origin_ref}: create leases for scope_ref_list {scope_ref_list}')
    lease_result_list = []
    # todo: for lease_proposal in lease_proposal_list
    for scope_ref in scope_ref_list:
        # if scope_ref not in [ALLOTMENT_REF]:
        #     return JSONr(status_code=500, detail=f'no service instances found for scopes: ["{scope_ref}"]')
@@ -434,15 +690,20 @@ async def leasing_v1_lessor(request: Request):
        lease_ref = str(uuid4())
        expires = cur_time + LEASE_EXPIRE_DELTA
        lease_result_list.append({
-            "ordinal": 0,
+            "ordinal": None,
            "error": None,
            # https://docs.nvidia.com/license-system/latest/nvidia-license-system-user-guide/index.html
            "lease": {
                "ref": lease_ref,
-                "created": cur_time.isoformat(),
+                "created": cur_time.strftime(DT_FORMAT),
-                "expires": expires.isoformat(),
+                "expires": expires.strftime(DT_FORMAT),
                "recommended_lease_renewal": LEASE_RENEWAL_PERIOD,
-                "offline_lease": "true",
+                "offline_lease": "false",  # todo
-                "license_type": "CONCURRENT_COUNTED_SINGLE"
+                "license_type": "CONCURRENT_COUNTED_SINGLE",
                "lease_intent_id": None,
                "metadata": None,
                "feature_name": "GRID-Virtual-WS",  # todo
                "product_name": "NVIDIA RTX Virtual Workstation",  # todo
            }
        })
@@ -450,13 +711,17 @@ async def leasing_v1_lessor(request: Request):
        Lease.create_or_update(db, data)
    response = {
        "client_challenge": j.get('client_challenge'),
        "lease_result_list": lease_result_list,
-        "result_code": "SUCCESS",
+        "result_code": None,
-        "sync_timestamp": cur_time.isoformat(),
+        "sync_timestamp": cur_time.strftime(DT_FORMAT),
        "prompts": None
    }
-    return JSONr(response)
+    logger.debug(response)
    signature = f'b\'{randbytes(256).hex()}\''
    return JSONr(response, headers={'access-control-expose-headers': 'X-NLS-Signature', 'x-nls-signature': signature})
 # venv/lib/python3.9/site-packages/nls_services_lease/test/test_lease_multi_controller.py
@@ -472,7 +737,7 @@ async def leasing_v1_lessor_lease(request: Request):
    response = {
        "active_lease_list": active_lease_list,
-        "sync_timestamp": cur_time.isoformat(),
+        "sync_timestamp": cur_time.strftime(DT_FORMAT),
        "prompts": None
    }
@@ -483,7 +748,7 @@ async def leasing_v1_lessor_lease(request: Request):
 # venv/lib/python3.9/site-packages/nls_core_lease/lease_single.py
@app.put('/leasing/v1/lease/{lease_ref}', description='renew a lease')
 async def leasing_v1_lease_renew(request: Request, lease_ref: str):
-    token, cur_time = __get_token(request), datetime.now(UTC)
+    j, token, cur_time = json_loads((await request.body()).decode('utf-8')), __get_token(request), datetime.now(UTC)
    origin_ref = token.get('origin_ref')
    logger.info(f'> [  renew   ]: {origin_ref}: renew {lease_ref}')
@@ -494,17 +759,19 @@ async def leasing_v1_lease_renew(request: Request, lease_ref: str):
    expires = cur_time + LEASE_EXPIRE_DELTA
    response = {
        "client_challenge": j.get('client_challenge'),
        "lease_ref": lease_ref,
-        "expires": expires.isoformat(),
+        "expires": expires.strftime(DT_FORMAT),
        "recommended_lease_renewal": LEASE_RENEWAL_PERIOD,
        "offline_lease": True,
        "prompts": None,
-        "sync_timestamp": cur_time.isoformat(),
+        "sync_timestamp": cur_time.strftime(DT_FORMAT),
    }
    Lease.renew(db, entity, expires, cur_time)
-    return JSONr(response)
+    signature = f'b\'{randbytes(256).hex()}\''
    return JSONr(response, headers={'access-control-expose-headers': 'X-NLS-Signature', 'x-nls-signature': signature})
 # venv/lib/python3.9/site-packages/nls_services_lease/test/test_lease_single_controller.py
@@ -525,9 +792,10 @@ async def leasing_v1_lease_delete(request: Request, lease_ref: str):
        return JSONr(status_code=404, content={'status': 404, 'detail': 'lease not found'})
    response = {
        "client_challenge": None,
        "lease_ref": lease_ref,
        "prompts": None,
-        "sync_timestamp": cur_time.isoformat(),
+        "sync_timestamp": cur_time.strftime(DT_FORMAT),
    }
    return JSONr(response)
@@ -547,7 +815,7 @@ async def leasing_v1_lessor_lease_remove(request: Request):
    response = {
        "released_lease_list": released_lease_list,
        "release_failure_list": None,
-        "sync_timestamp": cur_time.isoformat(),
+        "sync_timestamp": cur_time.strftime(DT_FORMAT),
        "prompts": None
    }
@@ -569,7 +837,7 @@ async def leasing_v1_lessor_shutdown(request: Request):
    response = {
        "released_lease_list": released_lease_list,
        "release_failure_list": None,
-        "sync_timestamp": cur_time.isoformat(),
+        "sync_timestamp": cur_time.strftime(DT_FORMAT),
        "prompts": None
    }
--- a/app/orm.py
+++ b/app/orm.py
@@ -5,7 +5,7 @@ from sqlalchemy import Column, VARCHAR, CHAR, ForeignKey, DATETIME, update, and_
 from sqlalchemy.engine import Engine
 from sqlalchemy.orm import sessionmaker, declarative_base
-from util import DriverMatrix
+from util import NV
 Base = declarative_base()
@@ -25,7 +25,7 @@ class Origin(Base):
        return f'Origin(origin_ref={self.origin_ref}, hostname={self.hostname})'
    def serialize(self) -> dict:
-        _ = DriverMatrix().find(self.guest_driver_version)
+        _ = NV().find(self.guest_driver_version)
        return {
            'origin_ref': self.origin_ref,
--- a/app/util.py
+++ b/app/util.py
@@ -1,21 +1,13 @@
 import logging
 from json import load as json_load
 from cryptography.hazmat.primitives import serialization
 from cryptography.hazmat.primitives.asymmetric.rsa import RSAPrivateKey, RSAPublicKey, generate_private_key
 from cryptography.hazmat.primitives.serialization import load_pem_private_key, load_pem_public_key
 from cryptography.x509 import load_pem_x509_certificate, Certificate
 logging.basicConfig()
 def load_file(filename: str) -> bytes:
    log = logging.getLogger(f'{__name__}')
    log.debug(f'Loading contents of file "{filename}')
    with open(filename, 'rb') as file:
        content = file.read()
    return content
 class PrivateKey:
    def __init__(self, data: bytes):
@@ -86,31 +78,62 @@ class PublicKey:
        )
-class DriverMatrix:
+class Cert:
    def __init__(self, data: bytes):
        self.__cert = load_pem_x509_certificate(data)
    @staticmethod
    def from_file(filename: str) -> "Cert":
        log = logging.getLogger(__name__)
        log.debug(f'Importing Certificate from "{filename}"')
        with open(filename, 'rb') as f:
            data = f.read()
        return Cert(data=data.strip())
    def raw(self) -> Certificate:
        return self.__cert
    def pem(self) -> bytes:
        return self.__cert.public_bytes(encoding=serialization.Encoding.PEM)
    def signature(self) -> bytes:
        return self.__cert.signature
 def load_file(filename: str) -> bytes:
    log = logging.getLogger(f'{__name__}')
    log.debug(f'Loading contents of file "{filename}')
    with open(filename, 'rb') as file:
        content = file.read()
    return content
 class NV:
    __DRIVER_MATRIX_FILENAME = 'static/driver_matrix.json'
    __DRIVER_MATRIX: None | dict = None  # https://docs.nvidia.com/grid/ => "Driver Versions"
    def __init__(self):
        self.log = logging.getLogger(self.__class__.__name__)
-        if DriverMatrix.__DRIVER_MATRIX is None:
+        if NV.__DRIVER_MATRIX is None:
-            self.__load()
+            from json import load as json_load
-
+            try:
-    def __load(self):
+                file = open(NV.__DRIVER_MATRIX_FILENAME)
-        try:
+                NV.__DRIVER_MATRIX = json_load(file)
-            file = open(DriverMatrix.__DRIVER_MATRIX_FILENAME)
+                file.close()
-            DriverMatrix.__DRIVER_MATRIX = json_load(file)
+                self.log.debug(f'Successfully loaded "{NV.__DRIVER_MATRIX_FILENAME}".')
-            file.close()
+            except Exception as e:
-            self.log.debug(f'Successfully loaded "{DriverMatrix.__DRIVER_MATRIX_FILENAME}".')
+                NV.__DRIVER_MATRIX = {}  # init empty dict to not try open file everytime, just when restarting app
-        except Exception as e:
+                # self.log.warning(f'Failed to load "{NV.__DRIVER_MATRIX_FILENAME}": {e}')
            DriverMatrix.__DRIVER_MATRIX = {}  # init empty dict to not try open file everytime, just when restarting app
            # self.log.warning(f'Failed to load "{NV.__DRIVER_MATRIX_FILENAME}": {e}')
    @staticmethod
    def find(version: str) -> dict | None:
-        if DriverMatrix.__DRIVER_MATRIX is None:
+        if NV.__DRIVER_MATRIX is None:
            return None
-        for idx, (key, branch) in enumerate(DriverMatrix.__DRIVER_MATRIX.items()):
+        for idx, (key, branch) in enumerate(NV.__DRIVER_MATRIX.items()):
            for release in branch.get('$releases'):
                linux_driver = release.get('Linux Driver')
                windows_driver = release.get('Windows Driver')
--- a/requirements.txt
+++ b/requirements.txt
@@ -1,8 +1,8 @@
 fastapi==0.115.12
-uvicorn[standard]==0.34.1
+uvicorn[standard]==0.34.0
 python-jose[cryptography]==3.4.0
 cryptography==44.0.2
 python-dateutil==2.9.0
 sqlalchemy==2.0.40
-markdown==3.8
+markdown==3.7
 python-dotenv==1.1.0
--- a/test/create_driver_matrix_json.py
+++ b/test/create_driver_matrix_json.py
@@ -6,7 +6,7 @@ logger.setLevel(logging.INFO)
 URL = 'https://docs.nvidia.com/vgpu/index.html'
-BRANCH_STATUS_KEY = 'vGPU Branch Status'
+BRANCH_STATUS_KEY, SOFTWARE_BRANCH_KEY, = 'vGPU Branch Status', 'vGPU Software Branch'
 VGPU_KEY, GRID_KEY, DRIVER_BRANCH_KEY = 'vGPU Software', 'vGPU Software', 'Driver Branch'
 LINUX_VGPU_MANAGER_KEY, LINUX_DRIVER_KEY = 'Linux vGPU Manager', 'Linux Driver'
 WINDOWS_VGPU_MANAGER_KEY, WINDOWS_DRIVER_KEY = 'Windows vGPU Manager', 'Windows Driver'
@@ -26,15 +26,12 @@ def __driver_versions(html: 'BeautifulSoup'):
    # find wrapper for "DriverVersions" and find tables
    data = html.find('div', {'id': 'driver-versions'})
-    items = data.find_all('bsp-accordion', {'class': 'Accordion-items-item'})
+    items = data.findAll('bsp-accordion', {'class': 'Accordion-items-item'})
    for item in items:
        software_branch = item.find('div', {'class': 'Accordion-items-item-title'}).text.strip()
        software_branch = software_branch.replace(' Releases', '')
        matrix_key = software_branch.lower()
        branch_status = item.find('a', href=True, string='Branch status')
        branch_status = branch_status.next_sibling.replace(':', '').strip()
        # driver version info from table-heads (ths) and table-rows (trs)
        table = item.find('table')
        ths, trs = table.find_all('th'), table.find_all('tr')
@@ -45,20 +42,48 @@ def __driver_versions(html: 'BeautifulSoup'):
                continue
            # create dict with table-heads as key and cell content as value
            x = {headers[i]: __strip(cell.text) for i, cell in enumerate(tds)}
            x.setdefault(BRANCH_STATUS_KEY, branch_status)
            releases.append(x)
        # add to matrix
        MATRIX.update({matrix_key: {JSON_RELEASES_KEY: releases}})
 def __release_branches(html: 'BeautifulSoup'):
    # find wrapper for "AllReleaseBranches" and find table
    data = html.find('div', {'id': 'all-release-branches'})
    table = data.find('table')
    # branch releases info from table-heads (ths) and table-rows (trs)
    ths, trs = table.find_all('th'), table.find_all('tr')
    headers = [header.text.strip() for header in ths]
    for trs in trs:
        tds = trs.find_all('td')
        if len(tds) == 0:  # skip empty
            continue
        # create dict with table-heads as key and cell content as value
        x = {headers[i]: cell.text.strip() for i, cell in enumerate(tds)}
        # get matrix_key
        software_branch = x.get(SOFTWARE_BRANCH_KEY)
        matrix_key = software_branch.lower()
        # add to matrix
        MATRIX.update({matrix_key: MATRIX.get(matrix_key) | x})
 def __debug():
    # print table head
-    s = f'{VGPU_KEY:^13} | {LINUX_VGPU_MANAGER_KEY:^21} | {LINUX_DRIVER_KEY:^21} | {WINDOWS_VGPU_MANAGER_KEY:^21} | {WINDOWS_DRIVER_KEY:^21} | {RELEASE_DATE_KEY:>21} | {BRANCH_STATUS_KEY:^21}'
+    s = f'{SOFTWARE_BRANCH_KEY:^21} | {BRANCH_STATUS_KEY:^21} | {VGPU_KEY:^13} | {LINUX_VGPU_MANAGER_KEY:^21} | {LINUX_DRIVER_KEY:^21} | {WINDOWS_VGPU_MANAGER_KEY:^21} | {WINDOWS_DRIVER_KEY:^21} | {RELEASE_DATE_KEY:>21} | {EOL_KEY:>21}'
    print(s)
    # iterate over dict & format some variables to not overload table
    for idx, (key, branch) in enumerate(MATRIX.items()):
        branch_status = branch.get(BRANCH_STATUS_KEY)
        branch_status = branch_status.replace('Branch ', '')
        branch_status = branch_status.replace('Long-Term Support', 'LTS')
        branch_status = branch_status.replace('Production', 'Prod.')
        software_branch = branch.get(SOFTWARE_BRANCH_KEY).replace('NVIDIA ', '')
        for release in branch.get(JSON_RELEASES_KEY):
            version = release.get(VGPU_KEY, release.get(GRID_KEY, ''))
            linux_manager = release.get(LINUX_VGPU_MANAGER_KEY, release.get(ALT_VGPU_MANAGER_KEY, ''))
@@ -67,25 +92,13 @@ def __debug():
            windows_driver = release.get(WINDOWS_DRIVER_KEY)
            release_date = release.get(RELEASE_DATE_KEY)
            is_latest = release.get(VGPU_KEY) == branch.get(LATEST_KEY)
            branch_status = __parse_branch_status(release.get(BRANCH_STATUS_KEY, ''))
            version = f'{version} *' if is_latest else version
-            s = f'{version:<13} | {linux_manager:<21} | {linux_driver:<21} | {windows_manager:<21} | {windows_driver:<21} | {release_date:>21} | {branch_status:^21}'
+            eol = branch.get(EOL_KEY) if is_latest else ''
            s = f'{software_branch:^21} | {branch_status:^21} | {version:<13} | {linux_manager:<21} | {linux_driver:<21} | {windows_manager:<21} | {windows_driver:<21} | {release_date:>21} | {eol:>21}'
            print(s)
 def __parse_branch_status(string: str) -> str:
    string = string.replace('Production Branch', 'Prod. -')
    string = string.replace('Long-Term Support Branch', 'LTS -')
    string = string.replace('supported until', '')
    string = string.replace('EOL since', 'EOL - ')
    string = string.replace('EOL from', 'EOL -')
    return string
 def __dump(filename: str):
    import json
@@ -115,6 +128,7 @@ if __name__ == '__main__':
    # build matrix
    __driver_versions(soup)
    __release_branches(soup)
    # debug output
    __debug()
--- a/test/main.py
+++ b/test/main.py
@@ -1,3 +1,4 @@
 import json
 import sys
 from base64 import b64encode as b64enc
 from calendar import timegm
@@ -7,7 +8,7 @@ from os.path import dirname, join
 from uuid import uuid4, UUID
 from dateutil.relativedelta import relativedelta
-from jose import jwt, jwk
+from jose import jwt, jwk, jws
 from jose.constants import ALGORITHMS
 from starlette.testclient import TestClient
@@ -20,6 +21,7 @@ from util import PrivateKey, PublicKey
 client = TestClient(main.app)
 INSTANCE_REF = '10000000-0000-0000-0000-000000000001'
 ORIGIN_REF, ALLOTMENT_REF, SECRET = str(uuid4()), '20000000-0000-0000-0000-000000000001', 'HelloWorld'
 # INSTANCE_KEY_RSA = generate_key()
@@ -69,6 +71,31 @@ def test_client_token():
    assert response.status_code == 200
 def test_config_token():  # todo: /leasing/v1/config-token
    # https://git.collinwebdesigns.de/nvidia/nls/-/blob/main/src/test/test_config_token.py
    response = client.post('/leasing/v1/config-token', json={"service_instance_ref": INSTANCE_REF})
    assert response.status_code == 200
    nv_response_certificate_configuration = response.json().get('certificateConfiguration')
    nv_response_public_cert = nv_response_certificate_configuration.get('publicCert').encode('utf-8')
    nv_jwt_decode_key = jwk.construct(nv_response_public_cert, algorithm=ALGORITHMS.RS256)
    nv_response_config_token = response.json().get('configToken')
    payload = jws.verify(nv_response_config_token, key=nv_jwt_decode_key, algorithms=ALGORITHMS.RS256)
    payload = json.loads(payload)
    assert payload.get('iss') == 'NLS Service Instance'
    assert payload.get('aud') == 'NLS Licensed Client'
    assert payload.get('service_instance_ref') == INSTANCE_REF
    nv_si_public_key_configuration = payload.get('service_instance_public_key_configuration')
    nv_si_public_key_me = nv_si_public_key_configuration.get('service_instance_public_key_me')
    # assert nv_si_public_key_me.get('mod') == 1  #nv_si_public_key_mod
    assert len(nv_si_public_key_me.get('mod')) == 512
    assert nv_si_public_key_me.get('exp') == 65537  # nv_si_public_key_exp
 def test_origins():
    pass
@@ -168,6 +195,7 @@ def test_auth_v1_token():
 def test_leasing_v1_lessor():
    payload = {
        'client_challenge': 'my_unique_string',
        'fulfillment_context': {
            'fulfillment_class_ref_list': []
        },
@@ -182,6 +210,11 @@ def test_leasing_v1_lessor():
    response = client.post('/leasing/v1/lessor', json=payload, headers={'authorization': __bearer_token(ORIGIN_REF)})
    assert response.status_code == 200
    client_challenge = response.json().get('client_challenge')
    assert client_challenge == payload.get('client_challenge')
    signature = eval(response.headers.get('x-nls-signature'))
    assert len(signature) == 512
    lease_result_list = response.json().get('lease_result_list')
    assert len(lease_result_list) == 1
    assert len(lease_result_list[0]['lease']['ref']) == 36
@@ -205,9 +238,15 @@ def test_leasing_v1_lease_renew():
    ###
-    response = client.put(f'/leasing/v1/lease/{active_lease_ref}', headers={'authorization': __bearer_token(ORIGIN_REF)})
+    payload = {'client_challenge': 'my_unique_string'}
    response = client.put(f'/leasing/v1/lease/{active_lease_ref}', json=payload, headers={'authorization': __bearer_token(ORIGIN_REF)})
    assert response.status_code == 200
    client_challenge = response.json().get('client_challenge')
    assert client_challenge == payload.get('client_challenge')
    signature = eval(response.headers.get('x-nls-signature'))
    assert len(signature) == 512
    lease_ref = response.json().get('lease_ref')
    assert len(lease_ref) == 36
    assert lease_ref == active_lease_ref
Author	SHA1	Message	Date
Oscar Krause	5db399a6a2	x-nls-signature	2025-04-14 11:17:54 +02:00
Oscar Krause	1bac8dda50	test "x-nls-signature"	2025-04-14 11:17:54 +02:00
Oscar Krause	8289db7c19	fixed missing code	2025-04-14 11:17:54 +02:00
Oscar Krause	d462faf184	test with "X-NLS-Signature"	2025-04-14 11:17:54 +02:00
Oscar Krause	ae98e19aa5	implemented client_challenge on lease apis	2025-04-14 11:17:54 +02:00
Oscar Krause	4de214d58d	set "offline_lease" to false	2025-04-14 11:17:54 +02:00
Oscar Krause	95f6d1cabc	added EMPTY (!!!) X-NLS-Signature response header	2025-04-14 11:17:54 +02:00
Oscar Krause	eb9d72f0da	added debug headers	2025-04-14 11:17:54 +02:00
Oscar Krause	029d91bc5a	code styling	2025-04-14 11:17:54 +02:00
Oscar Krause	db2e945567	added new "protocol_version" to client-token	2025-04-14 11:17:54 +02:00
Oscar Krause	feba605834	fixes	2025-04-14 11:17:54 +02:00
Oscar Krause	8cb3523e8b	also debug response	2025-04-14 11:17:54 +02:00
Oscar Krause	232fedeff5	fixed datetime format	2025-04-14 11:17:54 +02:00
Oscar Krause	f5d720a989	added missing lessor attributes	2025-04-14 11:17:54 +02:00
Oscar Krause	4c237bfbd7	fixes	2025-04-14 11:17:54 +02:00
Oscar Krause	3e89e2ec8d	added debugging	2025-04-14 11:17:54 +02:00
Oscar Krause	a45b78f379	updated new responses for 18.x drivers	2025-04-14 11:17:54 +02:00
Oscar Krause	231fa6016b	created "init_config_token_demo"	2025-04-14 11:17:54 +02:00
Oscar Krause	990a952901	added test and code for /leasing/v1/config-token ref. https://git.collinwebdesigns.de/nvidia/nls/-/blob/main/src/test/test_config_token.py	2025-04-14 11:17:54 +02:00
Oscar Krause	8ecf7dc977	implemented initial endpoint for /leasing/v1/config-token	2025-04-14 11:17:54 +02:00
Oscar Krause	aff66e0e25	added logging	2025-04-14 11:17:54 +02:00
Oscar Krause	413d8c4090	added debugging	2025-04-14 11:17:54 +02:00
Oscar Krause	9ad8f54f1b	added endpoint '/leasing/v1/config-token'	2025-04-14 11:17:54 +02:00