test "X-NLS-Signature" upper/lowercase

ref. https://git.collinwebdesigns.de/nvidia/nls/-/blob/main/src/test/test_config_token.py

.gitlab-ci.yml

@@ -41,10 +41,11 @@ build:apt:
   interruptible: true
   stage: build
   rules:
+    - if: $CI_COMMIT_BRANCH && $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
     - if: $CI_COMMIT_TAG
       variables:
         VERSION: $CI_COMMIT_REF_NAME
-    - if: ($CI_PIPELINE_SOURCE == 'merge_request_event') || ($CI_COMMIT_BRANCH && $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH)
+    - if: $CI_PIPELINE_SOURCE == 'merge_request_event'
       changes:
         - app/**/*
         - .DEBIAN/**/*
@@ -91,7 +92,7 @@ build:pacman:
     - if: $CI_COMMIT_TAG
       variables:
         VERSION: $CI_COMMIT_REF_NAME
-    - if: ($CI_PIPELINE_SOURCE == 'merge_request_event') || ($CI_COMMIT_BRANCH && $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH)
+    - if: $CI_PIPELINE_SOURCE == 'merge_request_event'
       changes:
         - app/**/*
         - .PKGBUILD/**/*
@@ -120,12 +121,13 @@ build:pacman:
     paths:
       - "*.pkg.tar.zst"
 
-test:python:
+test:
-  image: $IMAGE
+  image: python:3.12-slim-bookworm
   stage: test
   interruptible: true
   rules:
     - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
+    - if: $CI_COMMIT_TAG
     - if: $CI_PIPELINE_SOURCE == "merge_request_event"
     - if: $CI_COMMIT_BRANCH && $CI_COMMIT_BRANCH != $CI_DEFAULT_BRANCH
       changes:
@@ -135,20 +137,17 @@ test:python:
     DATABASE: sqlite:///../app/db.sqlite
   parallel:
     matrix:
-      - IMAGE:
+      - REQUIREMENTS:
-          # https://devguide.python.org/versions/#supported-versions
+          - 'requirements.txt'
-#          - python:3.14-rc-alpine  # EOL 2030-10 =>  uvicorn does not support 3.14 yet
+#          - '.DEBIAN/requirements-bookworm-12.txt'
-          - python:3.13-alpine  # EOL 2029-10
+#          - '.DEBIAN/requirements-ubuntu-24.04.txt'
-          - python:3.12-alpine  # EOL 2028-10
+#          - '.DEBIAN/requirements-ubuntu-24.10.txt'
-          - python:3.11-alpine  # EOL 2027-10
-#          - python:3.10-alpine  # EOL 2026-10 => ImportError: cannot import name 'UTC' from 'datetime'
-#          - python:3.9-alpine  # EOL 2025-10 => ImportError: cannot import name 'UTC' from 'datetime'
   before_script:
-    - apk --no-cache add openssl
+    - apt-get update && apt-get install -y python3-dev python3-pip python3-venv gcc
     - python3 -m venv venv
     - source venv/bin/activate
     - pip install --upgrade pip
-    - pip install -r requirements.txt
+    - pip install -r $REQUIREMENTS
     - pip install pytest pytest-cov pytest-custom_exit_code httpx
     - mkdir -p app/cert
     - openssl genrsa -out app/cert/instance.private.pem 2048
@@ -158,10 +157,10 @@ test:python:
     - python -m pytest main.py --junitxml=report.xml
   artifacts:
     reports:
+      dotenv: version.env
       junit: ['**/report.xml']
 
-test:apt:
+.test:apt:
-  image: $IMAGE
   stage: test
   rules:
     - if: $CI_COMMIT_BRANCH && $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
@@ -169,15 +168,7 @@ test:apt:
       changes:
         - app/**/*
         - .DEBIAN/**/*
-    - if: $CI_PIPELINE_SOURCE == 'merge_request_event'
+        - .gitlab-ci.yml
-  parallel:
-    matrix:
-      - IMAGE:
-          - debian:trixie-slim # EOL: t.b.a.
-          - debian:bookworm-slim # EOL: June 06, 2026
-          - debian:bookworm-slim # EOL: June 06, 2026
-          - ubuntu:24.04 # EOL: April 2036
-          - ubuntu:24.10
   needs:
     - job: build:apt
       artifacts: true
@@ -209,6 +200,16 @@ test:apt:
     - apt-get purge -qq -y fastapi-dls
     - apt-get autoremove -qq -y && apt-get clean -qq
 
+test:apt:
+  extends: .test:apt
+  image: $IMAGE
+  parallel:
+    matrix:
+      - IMAGE:
+          - debian:bookworm-slim # EOL: June 06, 2026
+          - ubuntu:24.04 # EOL: April 2036
+          - ubuntu:24.10
+
 test:pacman:archlinux:
   image: archlinux:base
   rules:
@@ -292,12 +293,15 @@ gemnasium-python-dependency_scanning:
     - if: $CI_PIPELINE_SOURCE == "merge_request_event"
     - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
 
+.deploy:
+  rules:
+    - if: $CI_COMMIT_TAG
+
 deploy:docker:
+  extends: .deploy
   image: docker:dind
   stage: deploy
   tags: [ docker ]
-  rules:
-    - if: $CI_COMMIT_TAG
   before_script:
     - echo "Building docker image for commit $CI_COMMIT_SHA with version $CI_COMMIT_REF_NAME"
     - docker buildx inspect
@@ -316,10 +320,9 @@ deploy:docker:
 
 deploy:apt:
   # doc: https://git.collinwebdesigns.de/help/user/packages/debian_repository/index.md#install-a-package
+  extends: .deploy
   image: debian:bookworm-slim
   stage: deploy
-  rules:
-    - if: $CI_COMMIT_TAG
   needs:
     - job: build:apt
       artifacts: true
@@ -356,10 +359,9 @@ deploy:apt:
     - 'curl --header "JOB-TOKEN: $CI_JOB_TOKEN" --upload-file ${EXPORT_NAME} "${CI_API_V4_URL}/projects/${CI_PROJECT_ID}/packages/generic/${PACKAGE_NAME}/${PACKAGE_VERSION}/${EXPORT_NAME}"'
 
 deploy:pacman:
+  extends: .deploy
   image: archlinux:base-devel
   stage: deploy
-  rules:
-    - if: $CI_COMMIT_TAG
   needs:
     - job: build:pacman
       artifacts: true
@@ -380,7 +382,7 @@ deploy:pacman:
 release:
   image: registry.gitlab.com/gitlab-org/release-cli:latest
   stage: .post
-  needs: [ deploy:docker, deploy:apt, deploy:pacman ]
+  needs: [ test ]
   rules:
     - if: $CI_COMMIT_TAG
   script:

README.md

@@ -795,13 +795,13 @@ Thanks to vGPU community and all who uses this project and report bugs.
 
 Special thanks to:
 
-- `samicrusader` who created build file for **ArchLinux**
+- @samicrusader who created build file for **ArchLinux**
-- `cyrus` who wrote the section for **openSUSE**
+- @cyrus who wrote the section for **openSUSE**
-- `midi` who wrote the section for **unRAID**
+- @midi who wrote the section for **unRAID**
-- `polloloco` who wrote the *[NVIDIA vGPU Guide](https://gitlab.com/polloloco/vgpu-proxmox)*
+- @polloloco who wrote the *[NVIDIA vGPU Guide](https://gitlab.com/polloloco/vgpu-proxmox)*
-- `DualCoder` who creates the `vgpu_unlock` functionality [vgpu_unlock](https://github.com/DualCoder/vgpu_unlock)
+- @DualCoder who creates the `vgpu_unlock` functionality [vgpu_unlock](https://github.com/DualCoder/vgpu_unlock)
-- `Krutav Shah` who wrote the [vGPU_Unlock Wiki](https://docs.google.com/document/d/1pzrWJ9h-zANCtyqRgS7Vzla0Y8Ea2-5z2HEi4X75d2Q/)
+- Krutav Shah who wrote the [vGPU_Unlock Wiki](https://docs.google.com/document/d/1pzrWJ9h-zANCtyqRgS7Vzla0Y8Ea2-5z2HEi4X75d2Q/)
-- `Wim van 't Hoog` for the [Proxmox All-In-One Installer Script](https://wvthoog.nl/proxmox-vgpu-v3/)
+- Wim van 't Hoog for the [Proxmox All-In-One Installer Script](https://wvthoog.nl/proxmox-vgpu-v3/)
-- `mrzenc` who wrote [fastapi-dls-nixos](https://github.com/mrzenc/fastapi-dls-nixos)
+- @mrzenc who wrote [fastapi-dls-nixos](https://github.com/mrzenc/fastapi-dls-nixos)
 
 And thanks to all people who contributed to all these libraries!

app/main.py

@@ -6,7 +6,8 @@ from datetime import datetime, timedelta, UTC
 from hashlib import sha256
 from json import loads as json_loads
 from os import getenv as env
-from os.path import join, dirname
+from os.path import join, dirname, isfile
+from random import randbytes
 from uuid import uuid4
 
 from dateutil.relativedelta import relativedelta
@@ -21,7 +22,7 @@ from starlette.middleware.cors import CORSMiddleware
 from starlette.responses import StreamingResponse, JSONResponse as JSONr, HTMLResponse as HTMLr, Response, RedirectResponse
 
 from orm import Origin, Lease, init as db_init, migrate
-from util import PrivateKey, PublicKey, load_file
+from util import PrivateKey, PublicKey, load_file, Cert
 
 # Load variables
 load_dotenv('../version.env')
@@ -50,6 +51,7 @@ LEASE_RENEWAL_PERIOD = float(env('LEASE_RENEWAL_PERIOD', 0.15))
 LEASE_RENEWAL_DELTA = timedelta(days=int(env('LEASE_EXPIRE_DAYS', 90)), hours=int(env('LEASE_EXPIRE_HOURS', 0)))
 CLIENT_TOKEN_EXPIRE_DELTA = relativedelta(years=12)
 CORS_ORIGINS = str(env('CORS_ORIGINS', '')).split(',') if (env('CORS_ORIGINS')) else [f'https://{DLS_URL}']
+DT_FORMAT = '%Y-%m-%dT%H:%M:%S.%fZ'
 
 jwt_encode_key = jwk.construct(INSTANCE_KEY_RSA.pem(), algorithm=ALGORITHMS.RS256)
 jwt_decode_key = jwk.construct(INSTANCE_KEY_PUB.pem(), algorithm=ALGORITHMS.RS256)
@@ -248,6 +250,7 @@ async def _client_token():
         "iat": timegm(cur_time.timetuple()),
         "nbf": timegm(cur_time.timetuple()),
         "exp": timegm(exp_time.timetuple()),
+        "protocol_version": "2.0",
         "update_mode": "ABSOLUTE",
         "scope_ref_list": [ALLOTMENT_REF],
         "fulfillment_class_ref_list": [],
@@ -298,14 +301,19 @@ async def auth_v1_origin(request: Request):
 
     Origin.create_or_update(db, data)
 
+    environment = {
+        'raw_env': j.get('environment')
+    }
+    environment.update(j.get('environment'))
+
     response = {
         "origin_ref": origin_ref,
-        "environment": j.get('environment'),
+        "environment": environment,
         "svc_port_set_list": None,
         "node_url_list": None,
         "node_query_order": None,
         "prompts": None,
-        "sync_timestamp": cur_time.isoformat()
+        "sync_timestamp": cur_time.strftime(DT_FORMAT)
     }
 
     return JSONr(response)
@@ -331,7 +339,7 @@ async def auth_v1_origin_update(request: Request):
     response = {
         "environment": j.get('environment'),
         "prompts": None,
-        "sync_timestamp": cur_time.isoformat()
+        "sync_timestamp": cur_time.strftime(DT_FORMAT)
     }
 
     return JSONr(response)
@@ -362,8 +370,8 @@ async def auth_v1_code(request: Request):
 
     response = {
         "auth_code": auth_code,
-        "sync_timestamp": cur_time.isoformat(),
+        "prompts": None,
-        "prompts": None
+        "sync_timestamp": cur_time.strftime(DT_FORMAT),
     }
 
     return JSONr(response)
@@ -396,27 +404,274 @@ async def auth_v1_token(request: Request):
         'iss': 'https://cls.nvidia.org',
         'aud': 'https://cls.nvidia.org',
         'exp': timegm(access_expires_on.timetuple()),
-        'origin_ref': origin_ref,
         'key_ref': SITE_KEY_XID,
         'kid': SITE_KEY_XID,
+        'origin_ref': origin_ref,
     }
 
     auth_token = jwt.encode(new_payload, key=jwt_encode_key, headers={'kid': payload.get('kid')}, algorithm=ALGORITHMS.RS256)
 
     response = {
-        "expires": access_expires_on.isoformat(),
         "auth_token": auth_token,
-        "sync_timestamp": cur_time.isoformat(),
+        "expires": access_expires_on.strftime(DT_FORMAT),
+        "prompts": None,
+        "sync_timestamp": cur_time.strftime(DT_FORMAT),
     }
 
     return JSONr(response)
 
 
+# NLS 3.4.0 - venv/lib/python3.12/site-packages/nls_services_lease/test/test_lease_single_controller.py
+@app.post('/leasing/v1/config-token', description='request to get config token for lease operations')
+async def leasing_v1_config_token(request: Request):
+    j, cur_time = json_loads((await request.body()).decode('utf-8')), datetime.now(UTC)
+
+    logger.debug(f'CALLED /leasing/v1/config-token')
+    logger.debug(f'Headers: {request.headers}')
+    logger.debug(f'Request: {j}')
+
+    # todo: THIS IS A DEMO ONLY
+
+    ###
+    #
+    # https://git.collinwebdesigns.de/nvidia/nls/-/blob/main/src/test/test_config_token.py
+    #
+    ###
+
+    root_private_key_filename = join(dirname(__file__), 'cert/my_demo_root_private_key.pem')
+    root_certificate_filename = join(dirname(__file__), 'cert/my_demo_root_certificate.pem')
+    ca_private_key_filename = join(dirname(__file__), 'cert/my_demo_ca_private_key.pem')
+    ca_certificate_filename = join(dirname(__file__), 'cert/my_demo_ca_certificate.pem')
+    si_private_key_filename = join(dirname(__file__), 'cert/my_demo_si_private_key.pem')
+    si_certificate_filename = join(dirname(__file__), 'cert/my_demo_si_certificate.pem')
+
+    def init_config_token_demo():
+        from cryptography import x509
+        from cryptography.hazmat._oid import NameOID
+        from cryptography.hazmat.primitives import serialization, hashes
+        from cryptography.hazmat.primitives.asymmetric.rsa import generate_private_key
+        from cryptography.hazmat.primitives.serialization import Encoding
+
+        """ Create Root Key and Certificate """
+
+        # create root keypair
+        my_root_private_key = generate_private_key(public_exponent=65537, key_size=4096)
+        my_root_public_key = my_root_private_key.public_key()
+
+        # create root-certificate subject
+        my_root_subject = x509.Name([
+            x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
+            x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'California'),
+            x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'Nvidia'),
+            x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME, u'Nvidia Licensing Service (NLS)'),
+            x509.NameAttribute(NameOID.COMMON_NAME, u'NLS Root CA'),
+        ])
+
+        # create self-signed root-certificate
+        my_root_certificate = (
+            x509.CertificateBuilder()
+            .subject_name(my_root_subject)
+            .issuer_name(my_root_subject)
+            .public_key(my_root_public_key)
+            .serial_number(x509.random_serial_number())
+            .not_valid_before(datetime.now(tz=UTC) - timedelta(days=1))
+            .not_valid_after(datetime.now(tz=UTC) + timedelta(days=365 * 10))
+            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
+            .add_extension(x509.SubjectKeyIdentifier.from_public_key(my_root_public_key), critical=False)
+            .sign(my_root_private_key, hashes.SHA256()))
+
+        my_root_private_key_as_pem = my_root_private_key.private_bytes(
+            encoding=serialization.Encoding.PEM,
+            format=serialization.PrivateFormat.TraditionalOpenSSL,
+            encryption_algorithm=serialization.NoEncryption(),
+        )
+
+        with open(root_private_key_filename, 'wb') as f:
+            f.write(my_root_private_key_as_pem)
+
+        with open(root_certificate_filename, 'wb') as f:
+            f.write(my_root_certificate.public_bytes(encoding=Encoding.PEM))
+
+        """ Create CA (Intermediate) Key and Certificate """
+
+        # create ca keypair
+        my_ca_private_key = generate_private_key(public_exponent=65537, key_size=4096)
+        my_ca_public_key = my_ca_private_key.public_key()
+
+        # create ca-certificate subject
+        my_ca_subject = x509.Name([
+            x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
+            x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'California'),
+            x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'Nvidia'),
+            x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME, u'Nvidia Licensing Service (NLS)'),
+            x509.NameAttribute(NameOID.COMMON_NAME, u'NLS Intermediate CA'),
+        ])
+
+        # create self-signed ca-certificate
+        my_ca_certificate = (
+            x509.CertificateBuilder()
+            .subject_name(my_ca_subject)
+            .issuer_name(my_root_subject)
+            .public_key(my_ca_public_key)
+            .serial_number(x509.random_serial_number())
+            .not_valid_before(datetime.now(tz=UTC) - timedelta(days=1))
+            .not_valid_after(datetime.now(tz=UTC) + timedelta(days=365 * 10))
+            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
+            .add_extension(x509.KeyUsage(digital_signature=False, key_encipherment=False, key_cert_sign=True,
+                                         key_agreement=False, content_commitment=False, data_encipherment=False,
+                                         crl_sign=True, encipher_only=False, decipher_only=False), critical=True)
+            .add_extension(x509.SubjectKeyIdentifier.from_public_key(my_ca_public_key), critical=False)
+            # .add_extension(x509.AuthorityKeyIdentifier.from_issuer_public_key(my_root_public_key), critical=False)
+            .add_extension(x509.AuthorityKeyIdentifier.from_issuer_subject_key_identifier(
+                my_root_certificate.extensions.get_extension_for_class(x509.SubjectKeyIdentifier).value
+            ), critical=False)
+            .sign(my_root_private_key, hashes.SHA256()))
+
+        my_ca_private_key_as_pem = my_ca_private_key.private_bytes(
+            encoding=serialization.Encoding.PEM,
+            format=serialization.PrivateFormat.TraditionalOpenSSL,
+            encryption_algorithm=serialization.NoEncryption(),
+        )
+
+        with open(ca_private_key_filename, 'wb') as f:
+            f.write(my_ca_private_key_as_pem)
+
+        with open(ca_certificate_filename, 'wb') as f:
+            f.write(my_ca_certificate.public_bytes(encoding=Encoding.PEM))
+
+        """ Create Service-Instance Key and Certificate """
+
+        # create si keypair
+        my_si_private_key = generate_private_key(public_exponent=65537, key_size=2048)
+        my_si_public_key = my_si_private_key.public_key()
+
+        my_si_private_key_as_pem = my_si_private_key.private_bytes(
+            encoding=serialization.Encoding.PEM,
+            format=serialization.PrivateFormat.TraditionalOpenSSL,
+            encryption_algorithm=serialization.NoEncryption(),
+        )
+        my_si_public_key_as_pem = my_si_public_key.public_bytes(
+            encoding=serialization.Encoding.PEM,
+            format=serialization.PublicFormat.SubjectPublicKeyInfo,
+        )
+
+        with open(si_private_key_filename, 'wb') as f:
+            f.write(my_si_private_key_as_pem)
+
+        # with open('instance.public.pem', 'wb') as f:
+        #   f.write(my_si_public_key_as_pem)
+
+        # create si-certificate subject
+        my_si_subject = x509.Name([
+            # x509.NameAttribute(NameOID.COMMON_NAME, INSTANCE_REF),
+            x509.NameAttribute(NameOID.COMMON_NAME, j.get('service_instance_ref')),
+        ])
+
+        # create self-signed si-certificate
+        my_si_certificate = (
+            x509.CertificateBuilder()
+            .subject_name(my_si_subject)
+            .issuer_name(my_ca_subject)
+            .public_key(my_si_public_key)
+            .serial_number(x509.random_serial_number())
+            .not_valid_before(datetime.now(tz=UTC) - timedelta(days=1))
+            .not_valid_after(datetime.now(tz=UTC) + timedelta(days=365 * 10))
+            .add_extension(x509.KeyUsage(digital_signature=True, key_encipherment=True, key_cert_sign=False,
+                                         key_agreement=True, content_commitment=False, data_encipherment=False,
+                                         crl_sign=False, encipher_only=False, decipher_only=False), critical=True)
+            .add_extension(x509.ExtendedKeyUsage([
+                x509.oid.ExtendedKeyUsageOID.SERVER_AUTH,
+                x509.oid.ExtendedKeyUsageOID.CLIENT_AUTH]
+            ), critical=False)
+            .add_extension(x509.SubjectKeyIdentifier.from_public_key(my_si_public_key), critical=False)
+            # .add_extension(x509.AuthorityKeyIdentifier.from_issuer_public_key(my_ca_public_key), critical=False)
+            .add_extension(x509.AuthorityKeyIdentifier.from_issuer_subject_key_identifier(
+                my_ca_certificate.extensions.get_extension_for_class(x509.SubjectKeyIdentifier).value
+            ), critical=False)
+            .add_extension(x509.SubjectAlternativeName([
+                # x509.DNSName(INSTANCE_REF)
+                x509.DNSName(j.get('service_instance_ref'))
+            ]), critical=False)
+            .sign(my_ca_private_key, hashes.SHA256()))
+
+        my_si_public_key_exp = my_si_certificate.public_key().public_numbers().e
+        my_si_public_key_mod = f'{my_si_certificate.public_key().public_numbers().n:x}'  # hex value without "0x" prefix
+
+        with open(si_certificate_filename, 'wb') as f:
+            f.write(my_si_certificate.public_bytes(encoding=Encoding.PEM))
+
+    if not (isfile(root_private_key_filename)
+            and isfile(ca_private_key_filename)
+            and isfile(ca_certificate_filename)
+            and isfile(si_private_key_filename)
+            and isfile(si_certificate_filename)):
+        init_config_token_demo()
+
+    my_ca_certificate = Cert.from_file(ca_certificate_filename)
+    my_si_certificate = Cert.from_file(si_certificate_filename)
+    my_si_private_key = PrivateKey.from_file(si_private_key_filename)
+    my_si_private_key_as_pem = my_si_private_key.pem()
+    my_si_public_key = my_si_private_key.public_key().raw()
+    my_si_public_key_as_pem = my_si_private_key.public_key().pem()
+
+    """ build out payload """
+
+    cur_time = datetime.now(UTC)
+    exp_time = cur_time + CLIENT_TOKEN_EXPIRE_DELTA
+
+    payload = {
+        "iss": "NLS Service Instance",
+        "aud": "NLS Licensed Client",
+        "iat": timegm(cur_time.timetuple()),
+        "nbf": timegm(cur_time.timetuple()),
+        "exp": timegm(exp_time.timetuple()),
+        "protocol_version": "2.0",
+        "d_name": "DLS",
+        "service_instance_ref": j.get('service_instance_ref'),
+        "service_instance_public_key_configuration": {
+            "service_instance_public_key_me": {
+                "mod": hex(my_si_public_key.public_numbers().n)[2:],
+                "exp": int(my_si_public_key.public_numbers().e),
+            },
+            # 64 chars per line (pem default)
+            "service_instance_public_key_pem": my_si_public_key_as_pem.decode('utf-8').strip(),
+            "key_retention_mode": "LATEST_ONLY"
+        },
+    }
+
+    my_jwt_encode_key = jwk.construct(my_si_private_key_as_pem.decode('utf-8'), algorithm=ALGORITHMS.RS256)
+    config_token = jws.sign(payload, key=my_jwt_encode_key, headers=None, algorithm=ALGORITHMS.RS256)
+
+    response_ca_chain = my_ca_certificate.pem().decode('utf-8')
+    response_si_certificate = my_si_certificate.pem().decode('utf-8')
+
+    response = {
+        "certificateConfiguration": {
+            # 76 chars per line
+            "caChain": [response_ca_chain],
+            # 76 chars per line
+            "publicCert": response_si_certificate,
+            "publicKey": {
+                "exp": int(my_si_certificate.raw().public_key().public_numbers().e),
+                "mod": [hex(my_si_certificate.raw().public_key().public_numbers().n)[2:]],
+            },
+        },
+        "configToken": config_token,
+    }
+
+    logging.debug(response)
+
+    return JSONr(response, status_code=200)
+
+
 # venv/lib/python3.9/site-packages/nls_services_lease/test/test_lease_multi_controller.py
 @app.post('/leasing/v1/lessor', description='request multiple leases (borrow) for current origin')
 async def leasing_v1_lessor(request: Request):
     j, token, cur_time = json_loads((await request.body()).decode('utf-8')), __get_token(request), datetime.now(UTC)
 
+    logger.debug(j)
+    logger.debug(request.headers)
+
     try:
         token = __get_token(request)
     except JWTError:
@@ -427,6 +682,7 @@ async def leasing_v1_lessor(request: Request):
     logger.info(f'> [  create  ]: {origin_ref}: create leases for scope_ref_list {scope_ref_list}')
 
     lease_result_list = []
+    # todo: for lease_proposal in lease_proposal_list
     for scope_ref in scope_ref_list:
         # if scope_ref not in [ALLOTMENT_REF]:
         #     return JSONr(status_code=500, detail=f'no service instances found for scopes: ["{scope_ref}"]')
@@ -434,29 +690,38 @@ async def leasing_v1_lessor(request: Request):
         lease_ref = str(uuid4())
         expires = cur_time + LEASE_EXPIRE_DELTA
         lease_result_list.append({
-            "ordinal": 0,
+            "error": None,
             # https://docs.nvidia.com/license-system/latest/nvidia-license-system-user-guide/index.html
             "lease": {
-                "ref": lease_ref,
+                "created": cur_time.strftime(DT_FORMAT),
-                "created": cur_time.isoformat(),
+                "expires": expires.strftime(DT_FORMAT),
-                "expires": expires.isoformat(),
+                "feature_name": "GRID-Virtual-WS",  # todo
+                "lease_intent_id": None,
+                "license_type": "CONCURRENT_COUNTED_SINGLE",
+                "metadata": None,
+                "offline_lease": False,  # todo
+                "product_name": "NVIDIA RTX Virtual Workstation",  # todo
                 "recommended_lease_renewal": LEASE_RENEWAL_PERIOD,
-                "offline_lease": "true",
+                "ref": lease_ref,
-                "license_type": "CONCURRENT_COUNTED_SINGLE"
+            },
-            }
+            "ordinal": None,
         })
 
         data = Lease(origin_ref=origin_ref, lease_ref=lease_ref, lease_created=cur_time, lease_expires=expires)
         Lease.create_or_update(db, data)
 
     response = {
+        "client_challenge": j.get('client_challenge'),
         "lease_result_list": lease_result_list,
-        "result_code": "SUCCESS",
+        "prompts": None,
-        "sync_timestamp": cur_time.isoformat(),
+        "result_code": None,
-        "prompts": None
+        "sync_timestamp": cur_time.strftime(DT_FORMAT),
     }
 
-    return JSONr(response)
+    logger.debug(response)
+
+    signature = f'b\'{randbytes(256).hex()}\''
+    return JSONr(response, headers={'access-control-expose-headers': 'X-NLS-Signature', 'X-NLS-Signature': signature})
 
 
 # venv/lib/python3.9/site-packages/nls_services_lease/test/test_lease_multi_controller.py
@@ -472,8 +737,8 @@ async def leasing_v1_lessor_lease(request: Request):
 
     response = {
         "active_lease_list": active_lease_list,
-        "sync_timestamp": cur_time.isoformat(),
+        "prompts": None,
-        "prompts": None
+        "sync_timestamp": cur_time.strftime(DT_FORMAT),
     }
 
     return JSONr(response)
@@ -483,7 +748,7 @@ async def leasing_v1_lessor_lease(request: Request):
 # venv/lib/python3.9/site-packages/nls_core_lease/lease_single.py
 @app.put('/leasing/v1/lease/{lease_ref}', description='renew a lease')
 async def leasing_v1_lease_renew(request: Request, lease_ref: str):
-    token, cur_time = __get_token(request), datetime.now(UTC)
+    j, token, cur_time = json_loads((await request.body()).decode('utf-8')), __get_token(request), datetime.now(UTC)
 
     origin_ref = token.get('origin_ref')
     logger.info(f'> [  renew   ]: {origin_ref}: renew {lease_ref}')
@@ -494,17 +759,21 @@ async def leasing_v1_lease_renew(request: Request, lease_ref: str):
 
     expires = cur_time + LEASE_EXPIRE_DELTA
     response = {
+        "client_challenge": j.get('client_challenge'),
+        "expires": expires.strftime(DT_FORMAT),
+        "feature_expired": False,
         "lease_ref": lease_ref,
-        "expires": expires.isoformat(),
+        "metadata": None,
-        "recommended_lease_renewal": LEASE_RENEWAL_PERIOD,
         "offline_lease": True,
         "prompts": None,
-        "sync_timestamp": cur_time.isoformat(),
+        "recommended_lease_renewal": LEASE_RENEWAL_PERIOD,
+        "sync_timestamp": cur_time.strftime(DT_FORMAT),
     }
 
     Lease.renew(db, entity, expires, cur_time)
 
-    return JSONr(response)
+    signature = f'b\'{randbytes(256).hex()}\''
+    return JSONr(response, headers={'access-control-expose-headers': 'X-NLS-Signature', 'X-NLS-Signature': signature})
 
 
 # venv/lib/python3.9/site-packages/nls_services_lease/test/test_lease_single_controller.py
@@ -525,9 +794,10 @@ async def leasing_v1_lease_delete(request: Request, lease_ref: str):
         return JSONr(status_code=404, content={'status': 404, 'detail': 'lease not found'})
 
     response = {
+        "client_challenge": None,
         "lease_ref": lease_ref,
         "prompts": None,
-        "sync_timestamp": cur_time.isoformat(),
+        "sync_timestamp": cur_time.strftime(DT_FORMAT),
     }
 
     return JSONr(response)
@@ -547,8 +817,8 @@ async def leasing_v1_lessor_lease_remove(request: Request):
     response = {
         "released_lease_list": released_lease_list,
         "release_failure_list": None,
-        "sync_timestamp": cur_time.isoformat(),
+        "prompts": None,
-        "prompts": None
+        "sync_timestamp": cur_time.strftime(DT_FORMAT),
     }
 
     return JSONr(response)
@@ -569,8 +839,8 @@ async def leasing_v1_lessor_shutdown(request: Request):
     response = {
         "released_lease_list": released_lease_list,
         "release_failure_list": None,
-        "sync_timestamp": cur_time.isoformat(),
+        "prompts": None,
-        "prompts": None
+        "sync_timestamp": cur_time.strftime(DT_FORMAT),
     }
 
     return JSONr(response)

app/orm.py

@@ -5,7 +5,7 @@ from sqlalchemy import Column, VARCHAR, CHAR, ForeignKey, DATETIME, update, and_
 from sqlalchemy.engine import Engine
 from sqlalchemy.orm import sessionmaker, declarative_base
 
-from util import DriverMatrix
+from util import NV
 
 Base = declarative_base()
 
@@ -25,7 +25,7 @@ class Origin(Base):
         return f'Origin(origin_ref={self.origin_ref}, hostname={self.hostname})'
 
     def serialize(self) -> dict:
-        _ = DriverMatrix().find(self.guest_driver_version)
+        _ = NV().find(self.guest_driver_version)
 
         return {
             'origin_ref': self.origin_ref,

app/util.py

@@ -1,21 +1,13 @@
 import logging
-from json import load as json_load
 
 from cryptography.hazmat.primitives import serialization
 from cryptography.hazmat.primitives.asymmetric.rsa import RSAPrivateKey, RSAPublicKey, generate_private_key
 from cryptography.hazmat.primitives.serialization import load_pem_private_key, load_pem_public_key
+from cryptography.x509 import load_pem_x509_certificate, Certificate
 
 logging.basicConfig()
 
 
-def load_file(filename: str) -> bytes:
-    log = logging.getLogger(f'{__name__}')
-    log.debug(f'Loading contents of file "{filename}')
-    with open(filename, 'rb') as file:
-        content = file.read()
-    return content
-
-
 class PrivateKey:
 
     def __init__(self, data: bytes):
@@ -86,31 +78,62 @@ class PublicKey:
         )
 
 
-class DriverMatrix:
+class Cert:
+
+    def __init__(self, data: bytes):
+        self.__cert = load_pem_x509_certificate(data)
+
+    @staticmethod
+    def from_file(filename: str) -> "Cert":
+        log = logging.getLogger(__name__)
+        log.debug(f'Importing Certificate from "{filename}"')
+
+        with open(filename, 'rb') as f:
+            data = f.read()
+
+        return Cert(data=data.strip())
+
+    def raw(self) -> Certificate:
+        return self.__cert
+
+    def pem(self) -> bytes:
+        return self.__cert.public_bytes(encoding=serialization.Encoding.PEM)
+
+    def signature(self) -> bytes:
+        return self.__cert.signature
+
+
+def load_file(filename: str) -> bytes:
+    log = logging.getLogger(f'{__name__}')
+    log.debug(f'Loading contents of file "{filename}')
+    with open(filename, 'rb') as file:
+        content = file.read()
+    return content
+
+
+class NV:
     __DRIVER_MATRIX_FILENAME = 'static/driver_matrix.json'
     __DRIVER_MATRIX: None | dict = None  # https://docs.nvidia.com/grid/ => "Driver Versions"
 
     def __init__(self):
         self.log = logging.getLogger(self.__class__.__name__)
 
-        if DriverMatrix.__DRIVER_MATRIX is None:
+        if NV.__DRIVER_MATRIX is None:
-            self.__load()
+            from json import load as json_load
-
-    def __load(self):
             try:
-            file = open(DriverMatrix.__DRIVER_MATRIX_FILENAME)
+                file = open(NV.__DRIVER_MATRIX_FILENAME)
-            DriverMatrix.__DRIVER_MATRIX = json_load(file)
+                NV.__DRIVER_MATRIX = json_load(file)
                 file.close()
-            self.log.debug(f'Successfully loaded "{DriverMatrix.__DRIVER_MATRIX_FILENAME}".')
+                self.log.debug(f'Successfully loaded "{NV.__DRIVER_MATRIX_FILENAME}".')
             except Exception as e:
-            DriverMatrix.__DRIVER_MATRIX = {}  # init empty dict to not try open file everytime, just when restarting app
+                NV.__DRIVER_MATRIX = {}  # init empty dict to not try open file everytime, just when restarting app
                 # self.log.warning(f'Failed to load "{NV.__DRIVER_MATRIX_FILENAME}": {e}')
 
     @staticmethod
     def find(version: str) -> dict | None:
-        if DriverMatrix.__DRIVER_MATRIX is None:
+        if NV.__DRIVER_MATRIX is None:
             return None
-        for idx, (key, branch) in enumerate(DriverMatrix.__DRIVER_MATRIX.items()):
+        for idx, (key, branch) in enumerate(NV.__DRIVER_MATRIX.items()):
             for release in branch.get('$releases'):
                 linux_driver = release.get('Linux Driver')
                 windows_driver = release.get('Windows Driver')

requirements.txt

@@ -1,8 +1,8 @@
 fastapi==0.115.12
-uvicorn[standard]==0.34.1
+uvicorn[standard]==0.34.0
 python-jose[cryptography]==3.4.0
 cryptography==44.0.2
 python-dateutil==2.9.0
 sqlalchemy==2.0.40
-markdown==3.8
+markdown==3.7
 python-dotenv==1.1.0

test/create_driver_matrix_json.py

@@ -6,7 +6,7 @@ logger.setLevel(logging.INFO)
 
 URL = 'https://docs.nvidia.com/vgpu/index.html'
 
-BRANCH_STATUS_KEY = 'vGPU Branch Status'
+BRANCH_STATUS_KEY, SOFTWARE_BRANCH_KEY, = 'vGPU Branch Status', 'vGPU Software Branch'
 VGPU_KEY, GRID_KEY, DRIVER_BRANCH_KEY = 'vGPU Software', 'vGPU Software', 'Driver Branch'
 LINUX_VGPU_MANAGER_KEY, LINUX_DRIVER_KEY = 'Linux vGPU Manager', 'Linux Driver'
 WINDOWS_VGPU_MANAGER_KEY, WINDOWS_DRIVER_KEY = 'Windows vGPU Manager', 'Windows Driver'
@@ -26,15 +26,12 @@ def __driver_versions(html: 'BeautifulSoup'):
 
     # find wrapper for "DriverVersions" and find tables
     data = html.find('div', {'id': 'driver-versions'})
-    items = data.find_all('bsp-accordion', {'class': 'Accordion-items-item'})
+    items = data.findAll('bsp-accordion', {'class': 'Accordion-items-item'})
     for item in items:
         software_branch = item.find('div', {'class': 'Accordion-items-item-title'}).text.strip()
         software_branch = software_branch.replace(' Releases', '')
         matrix_key = software_branch.lower()
 
-        branch_status = item.find('a', href=True, string='Branch status')
-        branch_status = branch_status.next_sibling.replace(':', '').strip()
-
         # driver version info from table-heads (ths) and table-rows (trs)
         table = item.find('table')
         ths, trs = table.find_all('th'), table.find_all('tr')
@@ -45,20 +42,48 @@ def __driver_versions(html: 'BeautifulSoup'):
                 continue
             # create dict with table-heads as key and cell content as value
             x = {headers[i]: __strip(cell.text) for i, cell in enumerate(tds)}
-            x.setdefault(BRANCH_STATUS_KEY, branch_status)
             releases.append(x)
 
         # add to matrix
         MATRIX.update({matrix_key: {JSON_RELEASES_KEY: releases}})
 
 
+def __release_branches(html: 'BeautifulSoup'):
+    # find wrapper for "AllReleaseBranches" and find table
+    data = html.find('div', {'id': 'all-release-branches'})
+    table = data.find('table')
+
+    # branch releases info from table-heads (ths) and table-rows (trs)
+    ths, trs = table.find_all('th'), table.find_all('tr')
+    headers = [header.text.strip() for header in ths]
+    for trs in trs:
+        tds = trs.find_all('td')
+        if len(tds) == 0:  # skip empty
+            continue
+        # create dict with table-heads as key and cell content as value
+        x = {headers[i]: cell.text.strip() for i, cell in enumerate(tds)}
+
+        # get matrix_key
+        software_branch = x.get(SOFTWARE_BRANCH_KEY)
+        matrix_key = software_branch.lower()
+
+        # add to matrix
+        MATRIX.update({matrix_key: MATRIX.get(matrix_key) | x})
+
+
 def __debug():
     # print table head
-    s = f'{VGPU_KEY:^13} | {LINUX_VGPU_MANAGER_KEY:^21} | {LINUX_DRIVER_KEY:^21} | {WINDOWS_VGPU_MANAGER_KEY:^21} | {WINDOWS_DRIVER_KEY:^21} | {RELEASE_DATE_KEY:>21} | {BRANCH_STATUS_KEY:^21}'
+    s = f'{SOFTWARE_BRANCH_KEY:^21} | {BRANCH_STATUS_KEY:^21} | {VGPU_KEY:^13} | {LINUX_VGPU_MANAGER_KEY:^21} | {LINUX_DRIVER_KEY:^21} | {WINDOWS_VGPU_MANAGER_KEY:^21} | {WINDOWS_DRIVER_KEY:^21} | {RELEASE_DATE_KEY:>21} | {EOL_KEY:>21}'
     print(s)
 
     # iterate over dict & format some variables to not overload table
     for idx, (key, branch) in enumerate(MATRIX.items()):
+        branch_status = branch.get(BRANCH_STATUS_KEY)
+        branch_status = branch_status.replace('Branch ', '')
+        branch_status = branch_status.replace('Long-Term Support', 'LTS')
+        branch_status = branch_status.replace('Production', 'Prod.')
+
+        software_branch = branch.get(SOFTWARE_BRANCH_KEY).replace('NVIDIA ', '')
         for release in branch.get(JSON_RELEASES_KEY):
             version = release.get(VGPU_KEY, release.get(GRID_KEY, ''))
             linux_manager = release.get(LINUX_VGPU_MANAGER_KEY, release.get(ALT_VGPU_MANAGER_KEY, ''))
@@ -67,25 +92,13 @@ def __debug():
             windows_driver = release.get(WINDOWS_DRIVER_KEY)
             release_date = release.get(RELEASE_DATE_KEY)
             is_latest = release.get(VGPU_KEY) == branch.get(LATEST_KEY)
-            branch_status = __parse_branch_status(release.get(BRANCH_STATUS_KEY, ''))
 
             version = f'{version} *' if is_latest else version
-            s = f'{version:<13} | {linux_manager:<21} | {linux_driver:<21} | {windows_manager:<21} | {windows_driver:<21} | {release_date:>21} | {branch_status:^21}'
+            eol = branch.get(EOL_KEY) if is_latest else ''
+            s = f'{software_branch:^21} | {branch_status:^21} | {version:<13} | {linux_manager:<21} | {linux_driver:<21} | {windows_manager:<21} | {windows_driver:<21} | {release_date:>21} | {eol:>21}'
             print(s)
 
 
-def __parse_branch_status(string: str) -> str:
-    string = string.replace('Production Branch', 'Prod. -')
-    string = string.replace('Long-Term Support Branch', 'LTS -')
-
-    string = string.replace('supported until', '')
-
-    string = string.replace('EOL since', 'EOL - ')
-    string = string.replace('EOL from', 'EOL -')
-
-    return string
-
-
 def __dump(filename: str):
     import json
 
@@ -115,6 +128,7 @@ if __name__ == '__main__':
 
     # build matrix
     __driver_versions(soup)
+    __release_branches(soup)
 
     # debug output
     __debug()

test/main.py

@@ -1,3 +1,4 @@
+import json
 import sys
 from base64 import b64encode as b64enc
 from calendar import timegm
@@ -7,7 +8,7 @@ from os.path import dirname, join
 from uuid import uuid4, UUID
 
 from dateutil.relativedelta import relativedelta
-from jose import jwt, jwk
+from jose import jwt, jwk, jws
 from jose.constants import ALGORITHMS
 from starlette.testclient import TestClient
 
@@ -20,6 +21,7 @@ from util import PrivateKey, PublicKey
 
 client = TestClient(main.app)
 
+INSTANCE_REF = '10000000-0000-0000-0000-000000000001'
 ORIGIN_REF, ALLOTMENT_REF, SECRET = str(uuid4()), '20000000-0000-0000-0000-000000000001', 'HelloWorld'
 
 # INSTANCE_KEY_RSA = generate_key()
@@ -69,6 +71,31 @@ def test_client_token():
     assert response.status_code == 200
 
 
+def test_config_token():  # todo: /leasing/v1/config-token
+    # https://git.collinwebdesigns.de/nvidia/nls/-/blob/main/src/test/test_config_token.py
+
+    response = client.post('/leasing/v1/config-token', json={"service_instance_ref": INSTANCE_REF})
+    assert response.status_code == 200
+
+    nv_response_certificate_configuration = response.json().get('certificateConfiguration')
+    nv_response_public_cert = nv_response_certificate_configuration.get('publicCert').encode('utf-8')
+    nv_jwt_decode_key = jwk.construct(nv_response_public_cert, algorithm=ALGORITHMS.RS256)
+
+    nv_response_config_token = response.json().get('configToken')
+
+    payload = jws.verify(nv_response_config_token, key=nv_jwt_decode_key, algorithms=ALGORITHMS.RS256)
+    payload = json.loads(payload)
+    assert payload.get('iss') == 'NLS Service Instance'
+    assert payload.get('aud') == 'NLS Licensed Client'
+    assert payload.get('service_instance_ref') == INSTANCE_REF
+
+    nv_si_public_key_configuration = payload.get('service_instance_public_key_configuration')
+    nv_si_public_key_me = nv_si_public_key_configuration.get('service_instance_public_key_me')
+    # assert nv_si_public_key_me.get('mod') == 1  #nv_si_public_key_mod
+    assert len(nv_si_public_key_me.get('mod')) == 512
+    assert nv_si_public_key_me.get('exp') == 65537  # nv_si_public_key_exp
+
+
 def test_origins():
     pass
 
@@ -168,6 +195,7 @@ def test_auth_v1_token():
 
 def test_leasing_v1_lessor():
     payload = {
+        'client_challenge': 'my_unique_string',
         'fulfillment_context': {
             'fulfillment_class_ref_list': []
         },
@@ -182,6 +210,11 @@ def test_leasing_v1_lessor():
     response = client.post('/leasing/v1/lessor', json=payload, headers={'authorization': __bearer_token(ORIGIN_REF)})
     assert response.status_code == 200
 
+    client_challenge = response.json().get('client_challenge')
+    assert client_challenge == payload.get('client_challenge')
+    signature = eval(response.headers.get('X-NLS-Signature'))
+    assert len(signature) == 512
+
     lease_result_list = response.json().get('lease_result_list')
     assert len(lease_result_list) == 1
     assert len(lease_result_list[0]['lease']['ref']) == 36
@@ -205,9 +238,15 @@ def test_leasing_v1_lease_renew():
 
     ###
 
-    response = client.put(f'/leasing/v1/lease/{active_lease_ref}', headers={'authorization': __bearer_token(ORIGIN_REF)})
+    payload = {'client_challenge': 'my_unique_string'}
+    response = client.put(f'/leasing/v1/lease/{active_lease_ref}', json=payload, headers={'authorization': __bearer_token(ORIGIN_REF)})
     assert response.status_code == 200
 
+    client_challenge = response.json().get('client_challenge')
+    assert client_challenge == payload.get('client_challenge')
+    signature = eval(response.headers.get('X-NLS-Signature'))
+    assert len(signature) == 512
+
     lease_ref = response.json().get('lease_ref')
     assert len(lease_ref) == 36
     assert lease_ref == active_lease_ref