fixed debian dependencies

fixed pacman dependencies
finished migration
2026-04-09 18:05:49 +03:00 · 2025-05-15 10:18:09 +02:00 · 2025-05-15 10:16:01 +02:00 · 2025-05-15 10:14:10 +02:00 · 2025-05-15 10:11:45 +02:00 · 2025-05-15 09:24:35 +02:00
14 changed files with 78 additions and 54 deletions
--- a/.DEBIAN/control
+++ b/.DEBIAN/control
@@ -2,7 +2,7 @@ Package: fastapi-dls
 Version: 0.0
 Architecture: all
 Maintainer: Oscar Krause oscar.krause@collinwebdesigns.de
-Depends: python3, python3-fastapi, python3-uvicorn, python3-dotenv, python3-dateutil, python3-josepy, python3-sqlalchemy, python3-cryptography, python3-markdown, uvicorn, openssl
+Depends: python3, python3-fastapi, python3-uvicorn, python3-dotenv, python3-dateutil, python3-jwt, python3-sqlalchemy, python3-cryptography, python3-markdown, uvicorn, openssl
 Recommends: curl
 Installed-Size: 10240
 Homepage: https://git.collinwebdesigns.de/oscar.krause/fastapi-dls
--- a/.DEBIAN/env.default
+++ b/.DEBIAN/env.default
@@ -1,6 +1,9 @@
 # Toggle debug mode
 #DEBUG=false

+# Cert Path
+CERT_PATH="/etc/fastapi-dls/cert"
+
 # Where the client can find the DLS server
 DLS_URL=127.0.0.1
 DLS_PORT=443
--- a/.DEBIAN/postinst
+++ b/.DEBIAN/postinst
@@ -3,6 +3,8 @@
 WORKING_DIR=/usr/share/fastapi-dls
 CONFIG_DIR=/etc/fastapi-dls

+source $CONFIG_DIR/env
+
 while true; do
  [ -f $CONFIG_DIR/webserver.key ] && default_answer="N" || default_answer="Y"
  [ $default_answer == "Y" ] && V="Y/n" || V="y/N"
@@ -25,27 +27,32 @@ if [ -f $CONFIG_DIR/webserver.key ]; then

  if [ -x "$(command -v curl)" ]; then
    echo "> Testing API ..."
-    source $CONFIG_DIR/env
    curl --insecure -X GET https://$DLS_URL:$DLS_PORT/-/health
  else
    echo "> Testing API failed, curl not available. Please test manually!"
  fi
 fi

+echo "> Create Certificate-Chain folder ..."
+mkdir -p $CERT_PATH
+
+echo "> Set permissions ..."
 chown -R www-data:www-data $CONFIG_DIR
 chown -R www-data:www-data $WORKING_DIR

+echo "> Done."
+
 cat <<EOF

 # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
 #                                                                             #
 #    fastapi-dls is now installed.                                            #
 #                                                                             #
-#    Service should be up and running.                                        #
-#      Webservice is listen to https://localhost                              #
-#                                                                             #
-#    Configuration is stored in /etc/fastapi-dls/env.                         #
+#    Service should be up and running (if you choose to auto-generate         #
+#     self-signed webserver certificate).                                     #
 #                                                                             #
+#    - Webservice is listen to https://localhost                              #                                                                       #
+#    - Configuration is stored in /etc/fastapi-dls/env                        #
 #                                                                             #
 # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #

--- a/.DEBIAN/requirements-bookworm-12.txt
+++ b/.DEBIAN/requirements-bookworm-12.txt
@@ -1,7 +1,7 @@
 # https://packages.debian.org/hu/
 fastapi==0.92.0
 uvicorn[standard]==0.17.6
-python-jose[cryptography]==3.3.0
+pyjwt==2.10.1
 cryptography==38.0.4
 python-dateutil==2.8.2
 sqlalchemy==1.4.46
--- a/.DEBIAN/requirements-ubuntu-24.04.txt
+++ b/.DEBIAN/requirements-ubuntu-24.04.txt
@@ -1,7 +1,7 @@
 # https://packages.ubuntu.com
 fastapi==0.101.0
 uvicorn[standard]==0.27.1
-python-jose[cryptography]==3.3.0
+pyjwt==2.10.1
 cryptography==41.0.7
 python-dateutil==2.8.2
 sqlalchemy==1.4.50
--- a/.DEBIAN/requirements-ubuntu-24.10.txt
+++ b/.DEBIAN/requirements-ubuntu-24.10.txt
@@ -1,7 +1,7 @@
 # https://packages.ubuntu.com
 fastapi==0.110.3
 uvicorn[standard]==0.30.3
-python-jose[cryptography]==3.3.0
+pyjwt==2.10.1
 cryptography==42.0.5
 python-dateutil==2.9.0
 sqlalchemy==2.0.32
--- a/.PKGBUILD/PKGBUILD
+++ b/.PKGBUILD/PKGBUILD
@@ -8,7 +8,7 @@ pkgdesc='NVIDIA DLS server implementation with FastAPI'
 arch=('any')
 url='https://git.collinwebdesigns.de/oscar.krause/fastapi-dls'
 license=('MIT')
-depends=('python' 'python-jose' 'python-starlette' 'python-httpx' 'python-fastapi' 'python-dotenv' 'python-dateutil' 'python-sqlalchemy' 'python-cryptography' 'uvicorn' 'python-markdown' 'openssl')
+depends=('python' 'python-pyjwt' 'python-starlette' 'python-httpx' 'python-fastapi' 'python-dotenv' 'python-dateutil' 'python-sqlalchemy' 'python-cryptography' 'uvicorn' 'python-markdown' 'openssl')
 provider=("$pkgname")
 install="$pkgname.install"
 backup=('etc/default/fastapi-dls')
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -162,7 +162,6 @@ test:apt:
  image: $IMAGE
  stage: test
  rules:
-    - if: $CI_COMMIT_BRANCH && $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
    - if: ($CI_PIPELINE_SOURCE == 'merge_request_event') || ($CI_COMMIT_BRANCH && $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH)
      changes:
        - app/**/*
@@ -173,11 +172,12 @@ test:apt:
  parallel:
    matrix:
      - IMAGE:
-          - debian:trixie-slim # EOL: t.b.a.
-          - debian:bookworm-slim # EOL: June 06, 2026
+          - debian:trixie-slim # EOL: t.b.a.; "python3-jose" not available, but "python3-josepy" or "python3-jwt"
          - debian:bookworm-slim # EOL: June 06, 2026
+          - debian:bullseye-slim # EOL: June 06, 2026
          - ubuntu:24.04 # EOL: April 2036
-          - ubuntu:24.10
+          - ubuntu:24.10 # EOL: t.b.a.; "python3-jose" not available, but "python3-josepy" or "python3-jwt"
+          - ubuntu:25.04 # EOL: t.b.a.; "python3-jose" not available, but "python3-josepy" or "python3-jwt"
  needs:
    - job: build:apt
      artifacts: true
@@ -212,8 +212,7 @@ test:apt:
 test:pacman:archlinux:
  image: archlinux:base
  rules:
-    - if: $CI_COMMIT_BRANCH && $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
-    - if: $CI_PIPELINE_SOURCE == 'merge_request_event'
+    - if: ($CI_PIPELINE_SOURCE == 'merge_request_event') || ($CI_COMMIT_BRANCH && $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH)
      changes:
        - app/**/*
        - .PKGBUILD/**/*
@@ -393,4 +392,4 @@ release:
        - name: 'Package Registry'
          url: 'https://git.collinwebdesigns.de/oscar.krause/fastapi-dls/-/packages'
        - name: 'Container Registry'
-          url: 'https://git.collinwebdesigns.de/oscar.krause/fastapi-dls/container_registry/40'
+          url: 'https://git.collinwebdesigns.de/oscar.krause/fastapi-dls/container_registry/70'
--- a/README.md
+++ b/README.md
@@ -334,11 +334,9 @@ Successful tested with (**LTS Version**):
 - *Ubuntu 23.04 (Lunar Lobster)* (EOL: January 2024)
 - *Ubuntu 23.10 (Mantic Minotaur)* (EOL: July 2024)
 - **Ubuntu 24.04 (Noble Numbat)** (EOL: Apr 2029)
- *Ubuntu 24.10 (Oracular Oriole)* (EOL: Jul 2025)

 Not working with:

- Debian 11 (Bullseye) and lower (missing `python-jose` dependency)
 - Ubuntu 22.04 (Jammy Jellyfish) (not supported as for 15.01.2023 due to [fastapi - uvicorn version missmatch](https://bugs.launchpad.net/ubuntu/+source/fastapi/+bug/1970557))

 **Run this on your server instance**
--- a/ROADMAP.md
+++ b/ROADMAP.md
@@ -2,6 +2,17 @@

 I am planning to implement the following features in the future.

+## Patching Endpoint
+
+A (optional) Path-Variable to `gridd-unlock-patcher` which enables an additional endpoint.
+Here you can upload your `nvidia-gridd` binary or `nvxdapix.dll` which then will be patched and responded.
+
+## All-In-One Installer Script Endpoint
+
+A new all-in-one installer endpoint
+(here a script is returned for linux or windows which then could be called like
+curl https://<fastapi-dls>/-/install/deb | sh which then
+download and place a client-token in the right directory, patch your girdd / dll and restart nvidia-gridd service)

 ## HA - High Availability

--- a/app/main.py
+++ b/app/main.py
@@ -15,8 +15,7 @@ from dotenv import load_dotenv
 from fastapi import FastAPI
 from fastapi.requests import Request
 from fastapi.responses import Response, RedirectResponse, StreamingResponse
-from jose import jws, jwk, jwt, JWTError
-from jose.constants import ALGORITHMS
+import jwt
 from sqlalchemy import create_engine
 from sqlalchemy.orm import sessionmaker
 from starlette.middleware.cors import CORSMiddleware
@@ -63,8 +62,8 @@ my_si_certificate = Cert.from_file(ca_setup.si_certificate_filename)
 my_si_private_key = PrivateKey.from_file(ca_setup.si_private_key_filename)
 my_si_public_key = my_si_private_key.public_key()

-jwt_encode_key = jwk.construct(my_si_private_key.pem(), algorithm=ALGORITHMS.RS256)
-jwt_decode_key = jwk.construct(my_si_private_key.public_key().pem(), algorithm=ALGORITHMS.RS256)
+jwt_encode_key = my_si_private_key.pem()  # todo: replace directly in code
+jwt_decode_key = my_si_private_key.public_key().pem()  # todo: replace directly in code

 # Logging
 LOG_LEVEL = logging.DEBUG if DEBUG else logging.INFO
@@ -114,7 +113,9 @@ app.add_middleware(
 def __get_token(request: Request) -> dict:
    authorization_header = request.headers.get('authorization')
    token = authorization_header.split(' ')[1]
-    return jwt.decode(token=token, key=jwt_decode_key, algorithms=ALGORITHMS.RS256, options={'verify_aud': False})
+
+    # return jwt.decode(token=token, key=jwt_decode_key, algorithms=ALGORITHMS.RS256, options={'verify_aud': False})
+    return jwt.decode(jwt=token, key=jwt_decode_key, algorithms=['RS256'], options={'verify_aud': False})


 # Endpoints
@@ -295,9 +296,11 @@ async def _client_token():
        },
    }

-    content = jws.sign(payload, key=jwt_encode_key, headers=None, algorithm=ALGORITHMS.RS256)
+    # content = jws.sign(payload, key=jwt_encode_key, headers=None, algorithm=ALGORITHMS.RS256)
+    content = jwt.encode(payload=payload, key=jwt_encode_key, headers=None, algorithm='RS256')

-    response = StreamingResponse(iter([content]), media_type="text/plain")
+    # response = StreamingResponse(iter([content]), media_type="text/plain")
+    response = StreamingResponse(iter(content), media_type="text/plain")
    filename = f'client_configuration_token_{datetime.now().strftime("%d-%m-%y-%H-%M-%S")}.tok'
    response.headers["Content-Disposition"] = f'attachment; filename={filename}'

@@ -386,7 +389,8 @@ async def auth_v1_code(request: Request):
        'kid': SITE_KEY_XID
    }

-    auth_code = jws.sign(payload, key=jwt_encode_key, headers={'kid': payload.get('kid')}, algorithm=ALGORITHMS.RS256)
+    # auth_code = jws.sign(payload, key=jwt_encode_key, headers={'kid': payload.get('kid')}, algorithm=ALGORITHMS.RS256)
+    auth_code = jwt.encode(payload=payload, key=jwt_encode_key, headers={'kid': payload.get('kid')}, algorithm='RS256')

    response = {
        "auth_code": auth_code,
@@ -404,8 +408,9 @@ async def auth_v1_token(request: Request):
    j, cur_time = json_loads((await request.body()).decode('utf-8')), datetime.now(UTC)

    try:
-        payload = jwt.decode(token=j.get('auth_code'), key=jwt_decode_key, algorithms=ALGORITHMS.RS256)
-    except JWTError as e:
+        #payload = jwt.decode(token=j.get('auth_code'), key=jwt_decode_key, algorithms=ALGORITHMS.RS256)
+        payload = jwt.decode(jwt=j.get('auth_code'), key=jwt_decode_key, algorithms=['RS256'])
+    except jwt.PyJWTError as e:
        response = {'status': 400, 'title': 'invalid token', 'detail': str(e)}
        return Response(content=json_dumps(response), media_type='application/json', status_code=400)

@@ -431,7 +436,7 @@ async def auth_v1_token(request: Request):
        'origin_ref': origin_ref,
    }

-    auth_token = jwt.encode(new_payload, key=jwt_encode_key, headers={'kid': payload.get('kid')}, algorithm=ALGORITHMS.RS256)
+    auth_token = jwt.encode(payload=new_payload, key=jwt_encode_key, headers={'kid': payload.get('kid')}, algorithm='RS256')

    response = {
        "auth_token": auth_token,
@@ -470,8 +475,9 @@ async def leasing_v1_config_token(request: Request):
        },
    }

-    my_jwt_encode_key = jwk.construct(my_si_private_key.pem().decode('utf-8'), algorithm=ALGORITHMS.RS256)
-    config_token = jws.sign(payload, key=my_jwt_encode_key, headers=None, algorithm=ALGORITHMS.RS256)
+    # my_jwt_encode_key = jwk.construct(my_si_private_key.pem().decode('utf-8'), algorithm=ALGORITHMS.RS256)
+    # config_token = jws.sign(payload, key=my_jwt_encode_key, headers=None, algorithm=ALGORITHMS.RS256)
+    config_token = jwt.encode(payload=payload, key=jwt_encode_key, headers=None, algorithm='RS256')

    response_ca_chain = my_ca_certificate.pem().decode('utf-8').strip()

@@ -702,7 +708,7 @@ async def leasing_v1_lessor_shutdown(request: Request):
    j, cur_time = json_loads((await request.body()).decode('utf-8')), datetime.now(UTC)

    token = j.get('token')
-    token = jwt.decode(token=token, key=jwt_decode_key, algorithms=ALGORITHMS.RS256, options={'verify_aud': False})
+    token = jwt.decode(jwt=token, key=jwt_decode_key, algorithms='RS256', options={'verify_aud': False})
    origin_ref = token.get('origin_ref')

    released_lease_list = list(map(lambda x: x.lease_ref, Lease.find_by_origin_ref(db, origin_ref)))
--- a/app/util.py
+++ b/app/util.py
@@ -45,11 +45,11 @@ class CASetup:

        self.service_instance_ref = service_instance_ref
        self.root_private_key_filename = join(cert_path_prefix, CASetup.ROOT_PRIVATE_KEY_FILENAME)
-        self.root_certificate_filename = join(dirname(__file__), 'cert', CASetup.ROOT_CERTIFICATE_FILENAME)
-        self.ca_private_key_filename = join(dirname(__file__), 'cert', CASetup.CA_PRIVATE_KEY_FILENAME)
-        self.ca_certificate_filename = join(dirname(__file__), 'cert', CASetup.CA_CERTIFICATE_FILENAME)
-        self.si_private_key_filename = join(dirname(__file__), 'cert', CASetup.SI_PRIVATE_KEY_FILENAME)
-        self.si_certificate_filename = join(dirname(__file__), 'cert', CASetup.SI_CERTIFICATE_FILENAME)
+        self.root_certificate_filename = join(cert_path_prefix, CASetup.ROOT_CERTIFICATE_FILENAME)
+        self.ca_private_key_filename = join(cert_path_prefix, CASetup.CA_PRIVATE_KEY_FILENAME)
+        self.ca_certificate_filename = join(cert_path_prefix, CASetup.CA_CERTIFICATE_FILENAME)
+        self.si_private_key_filename = join(cert_path_prefix, CASetup.SI_PRIVATE_KEY_FILENAME)
+        self.si_certificate_filename = join(cert_path_prefix, CASetup.SI_CERTIFICATE_FILENAME)

        if not (isfile(self.root_private_key_filename)
                and isfile(self.root_certificate_filename)
--- a/requirements.txt
+++ b/requirements.txt
@@ -1,8 +1,8 @@
 fastapi==0.115.12
-uvicorn[standard]==0.34.1
-python-jose[cryptography]==3.4.0
-cryptography==44.0.2
+uvicorn[standard]==0.34.2
+pyjwt==2.10.1
+cryptography==44.0.3
 python-dateutil==2.9.0
-sqlalchemy==2.0.40
+sqlalchemy==2.0.41
 markdown==3.8
 python-dotenv==1.1.0
--- a/test/main.py
+++ b/test/main.py
@@ -4,13 +4,13 @@ from base64 import b64encode as b64enc
 from calendar import timegm
 from datetime import datetime, UTC
 from hashlib import sha256
+from json import loads as json_loads, dumps as json_dumps
 from uuid import uuid4, UUID

 from cryptography.hazmat.primitives.asymmetric.padding import PKCS1v15
 from cryptography.hazmat.primitives.hashes import SHA256
 from dateutil.relativedelta import relativedelta
-from jose import jwt, jwk, jws
-from jose.constants import ALGORITHMS
+import jwt
 from starlette.testclient import TestClient

 # add relative path to use packages as they were in the app/ dir
@@ -38,12 +38,12 @@ my_si_public_key = my_si_private_key.public_key()
 my_si_public_key_as_pem = my_si_private_key.public_key().pem()
 my_si_certificate = Cert.from_file(ca_setup.si_certificate_filename)

-jwt_encode_key = jwk.construct(my_si_private_key_as_pem, algorithm=ALGORITHMS.RS256)
-jwt_decode_key = jwk.construct(my_si_public_key_as_pem, algorithm=ALGORITHMS.RS256)
-
+jwt_encode_key = my_si_private_key.pem()
+jwt_decode_key = my_si_private_key.public_key().pem()

 def __bearer_token(origin_ref: str) -> str:
-    token = jwt.encode({"origin_ref": origin_ref}, key=jwt_encode_key, algorithm=ALGORITHMS.RS256)
+    # token = jwt.encode({"origin_ref": origin_ref}, key=jwt_encode_key, algorithm=ALGORITHMS.RS256)
+    token = jwt.encode(payload={"origin_ref": origin_ref}, key=jwt_encode_key, algorithm='RS256')
    token = f'Bearer {token}'
    return token

@@ -145,12 +145,12 @@ def test_config_token():
    assert nv_si_certificate.public_key().mod() == nv_response_public_key.get('mod')[0]
    assert nv_si_certificate.authority_key_identifier() == nv_ca_chain.subject_key_identifier()

-    nv_jwt_decode_key = jwk.construct(nv_response_public_cert, algorithm=ALGORITHMS.RS256)
+    # nv_jwt_decode_key = jwk.construct(nv_response_public_cert, algorithm=ALGORITHMS.RS256)

    nv_response_config_token = response.json().get('configToken')

-    payload = jws.verify(nv_response_config_token, key=nv_jwt_decode_key, algorithms=ALGORITHMS.RS256)
-    payload = json.loads(payload)
+    #payload = jws.verify(nv_response_config_token, key=nv_jwt_decode_key, algorithms=ALGORITHMS.RS256)
+    payload = jwt.decode(jwt=nv_response_config_token, key=nv_si_certificate.public_key().pem(), algorithms=['RS256'], options={'verify_signature': False})
    assert payload.get('iss') == 'NLS Service Instance'
    assert payload.get('aud') == 'NLS Licensed Client'
    assert payload.get('service_instance_ref') == INSTANCE_REF
@@ -230,7 +230,7 @@ def test_auth_v1_code():
    response = client.post('/auth/v1/code', json=payload)
    assert response.status_code == 200

-    payload = jwt.get_unverified_claims(token=response.json().get('auth_code'))
+    payload = jwt.decode(response.json().get('auth_code'), key=my_si_public_key_as_pem, algorithms=['RS256'])
    assert payload.get('origin_ref') == ORIGIN_REF


@@ -247,7 +247,7 @@ def test_auth_v1_token():
        "kid": "00000000-0000-0000-0000-000000000000"
    }
    payload = {
-        "auth_code": jwt.encode(payload, key=jwt_encode_key, headers={'kid': payload.get('kid')}, algorithm=ALGORITHMS.RS256),
+        "auth_code": jwt.encode(payload, key=jwt_encode_key, headers={'kid': payload.get('kid')}, algorithm='RS256'),
        "code_verifier": SECRET,
    }

@@ -255,7 +255,7 @@ def test_auth_v1_token():
    assert response.status_code == 200

    token = response.json().get('auth_token')
-    payload = jwt.decode(token=token, key=jwt_decode_key, algorithms=ALGORITHMS.RS256, options={'verify_aud': False})
+    payload = jwt.decode(token, key=jwt_decode_key, algorithms=['RS256'], options={'verify_signature': False})
    assert payload.get('origin_ref') == ORIGIN_REF
Author	SHA1	Message	Date
Oscar Krause	8f5f6b8341	fixed debian dependencies	2025-05-15 10:18:09 +02:00
Oscar Krause	de63b32825	fixed pacman dependencies	2025-05-15 10:16:01 +02:00
Oscar Krause	5781029893	finished migration	2025-05-15 10:14:10 +02:00
Oscar Krause	ff8dd3f694	fixes	2025-05-15 10:11:45 +02:00
Oscar Krause	c083acb7ff	moved from josepy to pyjwt	2025-05-15 09:24:35 +02:00
Oscar Krause	59bcbd6008	fixed pacman dependency	2025-05-15 08:01:55 +02:00
Oscar Krause	3c239da307	migrate from "python-jose" to "python3-josepy" since it is no longer supported on future releases of debian/ubuntu	2025-05-15 07:59:18 +02:00
Oscar Krause	52a1834817	requirements.txt updated	2025-05-15 07:32:44 +02:00
Oscar Krause	dd0042b850	updated roadmap	2025-05-15 07:32:44 +02:00
Oscar Krause	eded286c89	improved debian installation	2025-05-15 07:32:44 +02:00
Oscar Krause	764e012fb7	fixed cert_path_prefix	2025-05-13 17:53:23 +02:00
Oscar Krause	52e9f2cae9	ci fixes	2025-05-13 09:53:15 +02:00
Oscar Krause	09fe2a605c	requirements.txt updated	2025-05-13 09:51:07 +02:00
Oscar Krause	8ec87a8859	updated compatibility	2025-05-13 09:51:02 +02:00
Oscar Krause	18f577b4f6	ci fixes	2025-05-13 09:48:30 +02:00
Oscar Krause	eab3b21d60	ci fixes	2025-04-30 14:24:54 +02:00
Oscar Krause	2157394dfa	fixed debian dependency	2025-04-30 14:20:09 +02:00
Oscar Krause	b577edcf67	release registry url updated	2025-04-23 22:19:27 +02:00