Merge branch 'dev' into 'main'

v0.3 See merge request oscar.krause/fastapi-dls!5
2022-12-20 18:35:41 +01:00 · 2022-12-20 18:35:41 +01:00 · 1173964643
commit 1173964643
parent a4c2ec6895 003570e0af
4 changed files with 151 additions and 69 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1,4 +1,5 @@
 .DS_Store
 venv/
 .idea/
 app/*.sqlite*
 app/cert/*.*
--- a/2
+++ b/2
@ -12,5 +12,5 @@ RUN apk update \
 COPY app /app
-HEALTHCHECK --start-period=30s --interval=10s --timeout=5s --retries=3 CMD curl --fail http://localhost/status || exit 1
+HEALTHCHECK --start-period=30s --interval=10s --timeout=5s --retries=3 CMD curl --insecure --fail https://localhost/status || exit 1
 CMD ["uvicorn", "main:app", "--host", "0.0.0.0", "--port", "443", "--app-dir", "/app", "--proxy-headers", "--ssl-keyfile", "/app/cert/webserver.key", "--ssl-certfile", "/app/cert/webserver.crt"]
--- a/README.md
+++ b/README.md
@ -2,6 +2,24 @@
 Minimal Delegated License Service (DLS).
 ## Endpoints
 ### `GET /`
 Just a simple *hello world* endpoint.
 ### `GET /status`
 Status endpoint, used for *healthcheck*.
 ### `GET /-/origins`
 List registered origins.
 ### `GET /-/leases`
 List current leases.
 # Setup (Docker)
 **Run this on the Docker-Host**
@ -18,11 +36,12 @@ docker run -e DLS_URL=`hostname -i` -e DLS_PORT=443 -p 443:443 -v $WORKING_DIR:/
 # Configuration
-| Variable            | Default     | Usage                                                                     |
+| Variable            | Default               | Usage                                                                                 |
-|---------------------|-------------|---------------------------------------------------------------------------|
+|---------------------|-----------------------|---------------------------------------------------------------------------------------|
-| `DLS_URL`           | `localhost` | Used in client-token to tell guest driver where dls instance is reachable |
+| `DLS_URL`           | `localhost`           | Used in client-token to tell guest driver where dls instance is reachable             |
-| `DLS_PORT`          | `443`       | Used in client-token to tell guest driver where dls instance is reachable |
+| `DLS_PORT`          | `443`                 | Used in client-token to tell guest driver where dls instance is reachable             |
-| `LEASE_EXPIRE_DAYS` | `90`        | Lease time in days                                                        |
+| `LEASE_EXPIRE_DAYS` | `90`                  | Lease time in days                                                                    |
 | `DATABASE`          | `sqlite:///db.sqlite` | See [official dataset docs](https://dataset.readthedocs.io/en/latest/quickstart.html) |
 # Installation
@ -59,28 +78,60 @@ Currently, there are no known issues.
 ## Windows
-On Windows there is currently a problem returning the license. As you can see the license is installed successfully
+On Windows on some machines there are running two or more instances of `NVIDIA Display Container LS`. This causes a
-after
+problem on licensing flow. As you can see in the logs below, there are two lines with `NLS initialized`, each prefixed
-a few minutes. About the time of the first *lease period* the driver gets a *Mismatch between client and server with
+with `<1>` and `<2>`. So it is possible, that *daemon 1* fetches a valid license through dls-service, and *daemon 2*
-respect to licenses held*.
+only
 gets a valid local license.
 <details>
  <summary>Log</summary>
 **Display-Container-LS**
 ```
-Tue Dec 20 05:55:52 2022:<2>:NLS initialized
+Tue Dec 20 17:25:11 2022:<1>:NLS initialized
-Tue Dec 20 05:55:57 2022:<2>:Mismatch between client and server with respect to licenses held. Returning the licenses
+Tue Dec 20 17:25:12 2022:<2>:NLS initialized
-Tue Dec 20 05:55:58 2022:<2>:License returned successfully. (Info: 192.168.178.33)
+Tue Dec 20 17:25:16 2022:<1>:Valid GRID license not found. GPU features and performance will be restricted. To enable full functionality please configure licensing details.
-Tue Dec 20 05:56:20 2022:<2>:Mismatch between client and server with respect to licenses held. Returning the licenses
+Tue Dec 20 17:25:17 2022:<1>:License acquired successfully. (Info: 192.168.178.110, NVIDIA RTX Virtual Workstation; Expiry: 2022-12-21 16:25:16 GMT)
-Tue Dec 20 05:56:21 2022:<2>:License returned successfully. (Info: 192.168.178.33)
+Tue Dec 20 17:25:17 2022:<2>:Valid GRID license not found. GPU features and performance will be restricted. To enable full functionality please configure licensing details.
-Tue Dec 20 05:56:46 2022:<2>:Mismatch between client and server with respect to licenses held. Returning the licenses
+Tue Dec 20 17:25:38 2022:<2>:License acquired successfully from local trusted store. (Info: 192.168.178.110, NVIDIA RTX Virtual Workstation; Expiry: 2022-12-21 16:25:16 GMT)
-Tue Dec 20 05:56:47 2022:<2>:License returned successfully. (Info: 192.168.178.33)
+```
-Tue Dec 20 05:56:54 2022:<1>:License renewed successfully. (Info: 192.168.178.33, NVIDIA RTX Virtual Workstation; Expiry: 2022-12-20 5:11:54 GMT)
+
-Tue Dec 20 05:57:17 2022:<2>:Mismatch between client and server with respect to licenses held. Returning the licenses
+**fastapi-dls**
-Tue Dec 20 05:57:18 2022:<2>:License returned successfully. (Info: 192.168.178.33)
+
-Tue Dec 20 05:59:20 2022:<1>:License renewed successfully. (Info: 192.168.178.33, NVIDIA RTX Virtual Workstation; Expiry: 2022-12-20 5:14:20 GMT)
+``` 
-Tue Dec 20 06:01:45 2022:<1>:License renewed successfully. (Info: 192.168.178.33, NVIDIA RTX Virtual Workstation; Expiry: 2022-12-20 5:16:45 GMT)
+> [  origin  ]: 41720000-FA43-4000-9472-0000E8660000: {'candidate_origin_ref': '41720000-FA43-4000-9472-0000E8660000', 'environment': {'fingerprint': {'mac_address_list': ['5E:F0:79:E6:DE:E1']}, 'hostname': 'PC-Windows', 'ip_address_list': ['2003:a:142e:c800::1cc', 'fdfe:7fcd:e30f:40f5:ad5c:e67b:49a6:cfb3', 'fdfe:7fcd:e30f:40f5:6409:db1c:442b:f90b', 'fe80::a32e:f736:8988:fe45', '192.168.178.110'], 'guest_driver_version': '527.41', 'os_platform': 'Windows 10 Pro', 'os_version': '10.0.19045', 'host_driver_version': '525.60.12', 'gpu_id_list': ['1E3010DE-133210DE'], 'client_platform_id': '00000000-0000-0000-0000-000000000113', 'hv_platform': 'Unknown', 'cpu_sockets': 1, 'physical_cores': 8}, 'registration_pending': False, 'update_pending': False}
-Tue Dec 20 06:04:10 2022:<1>:License renewed successfully. (Info: 192.168.178.33, NVIDIA RTX Virtual Workstation; Expiry: 2022-12-20 5:19:10 GMT)
+> [  origin  ]: 41720000-FA43-4000-9472-0000E8660000: {'candidate_origin_ref': '41720000-FA43-4000-9472-0000E8660000', 'environment': {'fingerprint': {'mac_address_list': ['5E:F0:79:E6:DE:E1']}, 'hostname': 'PC-Windows', 'ip_address_list': ['2003:a:142e:c800::1cc', 'fdfe:7fcd:e30f:40f5:ad5c:e67b:49a6:cfb3', 'fdfe:7fcd:e30f:40f5:6409:db1c:442b:f90b', 'fe80::a32e:f736:8988:fe45', '192.168.178.110'], 'guest_driver_version': '527.41', 'os_platform': 'Windows 10 Pro', 'os_version': '10.0.19045', 'host_driver_version': '525.60.12', 'gpu_id_list': ['1E3010DE-133210DE'], 'client_platform_id': '00000000-0000-0000-0000-000000000113', 'hv_platform': 'Unknown', 'cpu_sockets': 1, 'physical_cores': 8}, 'registration_pending': False, 'update_pending': False}
 > [   code   ]: 41720000-FA43-4000-9472-0000E8660000: {'code_challenge': 'bTwcOn17SD5mtwmFdKDgufnceGXeGYcnFfMHqmjtReo', 'origin_ref': '41720000-FA43-4000-9472-0000E8660000'}
 > [   code   ]: 41720000-FA43-4000-9472-0000E8660000: {'code_challenge': 'FCVDfgKmgr+lyvSpOxr4fZnDZv8VrNtNEAZPUuLAr7A', 'origin_ref': '41720000-FA43-4000-9472-0000E8660000'}
 > [   auth   ]: 41720000-FA43-4000-9472-0000E8660000 (bTwcOn17SD5mtwmFdKDgufnceGXeGYcnFfMHqmjtReo): {'auth_code': 'eyJhbGciOiJSUzI1NiIsImtpZCI6IjAwMDAwMDAwLTAwMDAtMDAwMC0wMDAwLTAwMDAwMDAwMDAwMCIsInR5cCI6IkpXVCJ9.eyJpYXQiOjE2NzE1NTcwMzMsImV4cCI6MTY3MTU1NzkzMywiY2hhbGxlbmdlIjoiYlR3Y09uMTdTRDVtdHdtRmRLRGd1Zm5jZUdYZUdZY25GZk1IcW1qdFJlbyIsIm9yaWdpbl9yZWYiOiJiVHdjT24xN1NENW10d21GZEtEZ3VmbmNlR1hlR1ljbkZmTUhxbWp0UmVvIiwia2V5X3JlZiI6IjAwMDAwMDAwLTAwMDAtMDAwMC0wMDAwLTAwMDAwMDAwMDAwMCIsImtpZCI6IjAwMDAwMDAwLTAwMDAtMDAwMC0wMDAwLTAwMDAwMDAwMDAwMCJ9.m5M4h9HRYWkItHEdYGApJVM7TgBH0qyDXCxPkaG2-Km5SviRMk0_3er5Myjq3rYGlr88JBviA07Pc3cr7fV-tDAXaSGalxLNfFtVRcnzqbtgnkodep1PHRUXYkiQgfaJ36m02zZucu4qMyYfQTpZ_-x67eycFKyN9T9cRJ4PYFe5W_6_zjzz6D0qeLACDhXt4ns980URttKfn2vACE8gPP5-EC-7lSY1g1mAWJKB_X9OlYRFE2mkCxnde6z5I2qmCXE_awimkigjo5LYvDcjCz60QDsOD2Ojgz4Y9xgjPbKnup4c2orKTWLUfT8_o4toKbaSfuLzPtD-41b3E8NqHQ', 'code_verifier': 'NCkAAB0+AACEHAAAIAAAAEoWAACAGAAArGwAAOkkAABfTgAAK0oAADFiAAANXAAAHzwAAKg4AAC/GwAAkxsAAEJHAABiDwAAaC8AAFMYAAAOLAAAFUkAAEheAAALOwAAHmwAAIJtAABpKwAArmsAAGM8AABnVwAA5FkAAP8mAAA'}
 > [   auth   ]: 41720000-FA43-4000-9472-0000E8660000 (FCVDfgKmgr+lyvSpOxr4fZnDZv8VrNtNEAZPUuLAr7A): {'auth_code': 'eyJhbGciOiJSUzI1NiIsImtpZCI6IjAwMDAwMDAwLTAwMDAtMDAwMC0wMDAwLTAwMDAwMDAwMDAwMCIsInR5cCI6IkpXVCJ9.eyJpYXQiOjE2NzE1NTcwMzQsImV4cCI6MTY3MTU1NzkzNCwiY2hhbGxlbmdlIjoiRkNWRGZnS21ncitseXZTcE94cjRmWm5EWnY4VnJOdE5FQVpQVXVMQXI3QSIsIm9yaWdpbl9yZWYiOiJGQ1ZEZmdLbWdyK2x5dlNwT3hyNGZabkRadjhWck50TkVBWlBVdUxBcjdBIiwia2V5X3JlZiI6IjAwMDAwMDAwLTAwMDAtMDAwMC0wMDAwLTAwMDAwMDAwMDAwMCIsImtpZCI6IjAwMDAwMDAwLTAwMDAtMDAwMC0wMDAwLTAwMDAwMDAwMDAwMCJ9.it_UKCHLLd25g19zqryZ6_ePrkHljXJ3uX-hNdu-pcmnYD9ODOVl2u5bRxOrP6S2EUO4WLZIuvLOhbFBUHfZfXFRmmCv4NDJoZx36Qn6zszePK9Bngej40Qf8Wu3JGXMVrwfC6WNW6WFeUT-s9jos5e1glFk_E3ZhOYQjXljWOcfcNvZ-PVJFBi5OzyQqLuL43GQH_PSF66N2gq0OyKgxTvg2q6SzGD3YAxsbjy2mD0YOUv8pW8Dr_9L4hmnNHg2DdM_lCwmy4qIBaDkAQDq8VCw1-4RcXROiLlYwhvHRalsXnmREPXaOUiUrr8rrCX8jgc7Fcd1uhY5jnouWbwEAg', 'code_verifier': 'tFAAAKQSAAAqOQAAhykAANJxAAA9PQAAyFwAALNsAAB/VQAA4GQAAB5fAAA2JgAApWIAAKMeAAB3YwAAggQAAPsEAAAuAgAAblIAABR/AAAfAgAAenoAAKZ3AABUTQAA5CQAANkTAAC8JwAAvUQAAO0yAAA3awAAegIAAD1iAAA'}
 > [  leases  ]: 41720000-FA43-4000-9472-0000E8660000 (bTwcOn17SD5mtwmFdKDgufnceGXeGYcnFfMHqmjtReo): found 0 active leases
 > [  leases  ]: 41720000-FA43-4000-9472-0000E8660000 (FCVDfgKmgr+lyvSpOxr4fZnDZv8VrNtNEAZPUuLAr7A): found 0 active leases
 > [  create  ]: 41720000-FA43-4000-9472-0000E8660000 (bTwcOn17SD5mtwmFdKDgufnceGXeGYcnFfMHqmjtReo): create leases for scope_ref_list ['1e9335d0-049d-48b2-b719-e551c859f9f9']
 ```
 in comparison to linux
 **nvidia-grid.service**
 ```
 Dec 20 17:53:32 ubuntu-grid-server nvidia-gridd[10354]: vGPU Software package (0)
 Dec 20 17:53:32 ubuntu-grid-server nvidia-gridd[10354]: Ignore service provider and node-locked licensing
 Dec 20 17:53:32 ubuntu-grid-server nvidia-gridd[10354]: NLS initialized
 Dec 20 17:53:32 ubuntu-grid-server nvidia-gridd[10354]: Acquiring license. (Info: 192.168.178.110; NVIDIA RTX Virtual Workstation)
 Dec 20 17:53:34 ubuntu-grid-server nvidia-gridd[10354]: License acquired successfully. (Info: 192.168.178.110, NVIDIA RTX Virtual Workstation; Expiry: 2022-12-21 16:53:33 GMT)
 ```
 **fastapi-dls**
 ```
 > [  origin  ]: B210CF72-FEC7-4440-9499-1156D1ACD13A: {'candidate_origin_ref': 'B210CF72-FEC7-4440-9499-1156D1ACD13A', 'environment': {'fingerprint': {'mac_address_list': ['d6:30:d8:de:46:a7']}, 'hostname': 'ubuntu-grid-server', 'ip_address_list': ['192.168.178.114', 'fdfe:7fcd:e30f:40f5:d430:d8ff:fede:46a7', '2003:a:142e:c800::642', 'fe80::d430:d8ff:fede:46a7%ens18'], 'guest_driver_version': '525.60.13', 'os_platform': 'Ubuntu 20.04', 'os_version': '20.04.5 LTS (Focal Fossa)', 'host_driver_version': '525.60.12', 'gpu_id_list': ['1E3010DE-133210DE'], 'client_platform_id': '00000000-0000-0000-0000-000000000105', 'hv_platform': 'LINUX_KVM', 'cpu_sockets': 1, 'physical_cores': 16}, 'registration_pending': False, 'update_pending': False}
 > [   code   ]: B210CF72-FEC7-4440-9499-1156D1ACD13A: {'code_challenge': 'hYSKI4kpZcWqPatM5Sc9RSCuzMeyz2piTmrRQKnnHro', 'origin_ref': 'B210CF72-FEC7-4440-9499-1156D1ACD13A'}
 > [   auth   ]: B210CF72-FEC7-4440-9499-1156D1ACD13A (hYSKI4kpZcWqPatM5Sc9RSCuzMeyz2piTmrRQKnnHro): {'auth_code': 'eyJhbGciOiJSUzI1NiIsImtpZCI6IjAwMDAwMDAwLTAwMDAtMDAwMC0wMDAwLTAwMDAwMDAwMDAwMCIsInR5cCI6IkpXVCJ9.eyJpYXQiOjE2NzE1NTUyMTIsImV4cCI6MTY3MTU1NjExMiwiY2hhbGxlbmdlIjoiaFlTS0k0a3BaY1dxUGF0TTVTYzlSU0N1ek1leXoycGlUbXJSUUtubkhybyIsIm9yaWdpbl9yZWYiOiJoWVNLSTRrcFpjV3FQYXRNNVNjOVJTQ3V6TWV5ejJwaVRtclJRS25uSHJvIiwia2V5X3JlZiI6IjAwMDAwMDAwLTAwMDAtMDAwMC0wMDAwLTAwMDAwMDAwMDAwMCIsImtpZCI6IjAwMDAwMDAwLTAwMDAtMDAwMC0wMDAwLTAwMDAwMDAwMDAwMCJ9.G5GvGEBNMUga25EeaJeAbDk9yZuLBLyj5e0OzVfIjS70UOvDb-SvLSEhBv9vZ_rxjTtaWGQGK0iK8VnLce8KfqsxZzael6B5WqfwyQiok3WWIaQarrZZXKihWhgF49zYAIZx_0js1iSjoF9-vNSj8zan7j-miOCOssfPzGgfJqvWNnhR6_2YkCQgJssHMjGT1QxaJBZDVOuvY0ND7r6jxlS_Xze1nWtau1mtC6bu2hM8cxbYUtM-XOC8welCZ8ZOCKkutmVix0weV3TVNfR5vuBUz1QS6B9YC8R-eVVBhN2hl4j7kGZLmZ4TpyLViYEUVZsqGBayVIPeN2BhtqTO9g', 'code_verifier': 'IDiWUb62sjsNYuU/YtZ5YJdvvxE70gR9vEPOQo9+lh/DjMt1c6egVQRyXB0FAaASNB4/ME8YQjGQ1xUOS7ZwI4tjHDBbUXFBvt2DVu8jOlkDmZsNeI2IfQx5HRkz1nRIUlpqUC/m01gAQRYAuR6dbUyrkW8bq9B9cOLSbWzjJ0E'}
 > [  leases  ]: B210CF72-FEC7-4440-9499-1156D1ACD13A (hYSKI4kpZcWqPatM5Sc9RSCuzMeyz2piTmrRQKnnHro): found 0 active leases
 > [  create  ]: B210CF72-FEC7-4440-9499-1156D1ACD13A (hYSKI4kpZcWqPatM5Sc9RSCuzMeyz2piTmrRQKnnHro): create leases for scope_ref_list ['f27e8e79-a662-4e35-a728-7ea14341f0cb']
 ```
 </details>
--- a/app/main.py
+++ b/app/main.py
@ -5,6 +5,7 @@ from os.path import join, dirname
 from os import getenv
 from fastapi import FastAPI, HTTPException
 from fastapi.requests import Request
 from fastapi.encoders import jsonable_encoder
 import json
 from datetime import datetime
 from dateutil.relativedelta import relativedelta
@ -29,8 +30,9 @@ def load_key(filename) -> RsaKey:
 # todo: initialize certificate (or should be done by user, and passed through "volumes"?)
-app, db = FastAPI(), dataset.connect('sqlite:///db.sqlite')
+app, db = FastAPI(), dataset.connect(str(getenv('DATABASE', 'sqlite:///db.sqlite')))
 TOKEN_EXPIRE_DELTA = relativedelta(hours=1)  # days=1
 LEASE_EXPIRE_DELTA = relativedelta(days=int(getenv('LEASE_EXPIRE_DAYS', 90)))
 DLS_URL = str(getenv('DLS_URL', 'localhost'))
@ -43,6 +45,12 @@ jwt_encode_key = jwk.construct(INSTANCE_KEY_RSA.export_key().decode('utf-8'), al
 jwt_decode_key = jwk.construct(INSTANCE_KEY_PUB.export_key().decode('utf-8'), algorithm=ALGORITHMS.RS512)
 def get_token(request: Request) -> dict:
    authorization_header = request.headers['authorization']
    token = authorization_header.split(' ')[1]
    return jwt.decode(token=token, key=jwt_decode_key, algorithms='RS256', options={'verify_aud': False})
@app.get('/')
 async def index():
    return JSONResponse({'hello': 'world'})
@ -53,6 +61,18 @@ async def status(request: Request):
    return JSONResponse({'status': 'up'})
@app.get('/-/origins')
 async def _origins(request: Request):
    response = list(map(lambda x: jsonable_encoder(x), db['origin'].all()))
    return JSONResponse(response)
@app.get('/-/leases')
 async def _leases(request: Request):
    response = list(map(lambda x: jsonable_encoder(x), db['lease'].all()))
    return JSONResponse(response)
 # venv/lib/python3.9/site-packages/nls_core_service_instance/service_instance_token_manager.py
@app.get('/client-token')
 async def client_token():
@ -84,10 +104,7 @@ async def client_token():
                {
                    "idx": 0,
                    "d_name": "DLS",
-                    "svc_port_map": [
+                    "svc_port_map": [{"service": "auth", "port": DLS_PORT}, {"service": "lease", "port": DLS_PORT}]
                        {"service": "auth", "port": DLS_PORT},
                        {"service": "lease", "port": DLS_PORT}
                    ]
                }
            ],
            "node_url_list": [{"idx": 0, "url": DLS_URL, "url_qr": DLS_URL, "svc_port_set_idx": 0}]
@ -95,11 +112,12 @@ async def client_token():
        "service_instance_public_key_configuration": service_instance_public_key_configuration,
    }
-    data = jws.sign(payload, key=jwt_encode_key, headers=None, algorithm='RS256')
+    content = jws.sign(payload, key=jwt_encode_key, headers=None, algorithm='RS256')
-    response = StreamingResponse(iter([data]), media_type="text/plain")
+    response = StreamingResponse(iter([content]), media_type="text/plain")
    filename = f'client_configuration_token_{datetime.now().strftime("%d-%m-%y-%H-%M-%S")}'
    response.headers["Content-Disposition"] = f'attachment; filename={filename}'
    return response
@ -109,20 +127,21 @@ async def client_token():
 async def auth_origin(request: Request):
    j = json.loads((await request.body()).decode('utf-8'))
-    candidate_origin_ref = j['candidate_origin_ref']
+    origin_ref = j['candidate_origin_ref']
-    print(f'> [  origin  ]: {candidate_origin_ref}: {j}')
+    print(f'> [  origin  ]: {origin_ref}: {j}')
    data = dict(
-        candidate_origin_ref=candidate_origin_ref,
+        origin_ref=origin_ref,
        hostname=j['environment']['hostname'],
        guest_driver_version=j['environment']['guest_driver_version'],
-        os_platform=j['environment']['os_platform'], os_version=j['environment']['os_version']
+        os_platform=j['environment']['os_platform'], os_version=j['environment']['os_version'],
    )
-    db['origin'].insert_ignore(data, ['candidate_origin_ref'])
+
    db['origin'].upsert(data, ['origin_ref'])
    cur_time = datetime.utcnow()
    response = {
-        "origin_ref": candidate_origin_ref,
+        "origin_ref": origin_ref,
        "environment": j['environment'],
        "svc_port_set_list": None,
        "node_url_list": None,
@ -130,6 +149,7 @@ async def auth_origin(request: Request):
        "prompts": None,
        "sync_timestamp": cur_time.isoformat()
    }
    return JSONResponse(response)
@ -144,7 +164,8 @@ async def auth_code(request: Request):
    print(f'> [   code   ]: {origin_ref}: {j}')
    cur_time = datetime.utcnow()
-    expires = cur_time + relativedelta(days=1)
+    delta = relativedelta(minutes=15)
    expires = cur_time + delta
    payload = {
        'iat': timegm(cur_time.timetuple()),
@ -157,11 +178,15 @@ async def auth_code(request: Request):
    auth_code = jws.sign(payload, key=jwt_encode_key, headers={'kid': payload.get('kid')}, algorithm='RS256')
    db['auth'].delete(origin_ref=origin_ref, expires={'<=': cur_time - delta})
    db['auth'].insert(dict(origin_ref=origin_ref, code_challenge=j['code_challenge'], expires=expires))
    response = {
        "auth_code": auth_code,
        "sync_timestamp": cur_time.isoformat(),
        "prompts": None
    }
    return JSONResponse(response)
@ -173,15 +198,17 @@ async def auth_token(request: Request):
    j = json.loads((await request.body()).decode('utf-8'))
    payload = jwt.decode(token=j['auth_code'], key=jwt_decode_key)
-    origin_ref = payload['origin_ref']
+    code_challenge = payload['origin_ref']
-    print(f'> [   auth   ]: {origin_ref}: {j}')
+
    origin_ref = db['auth'].find_one(code_challenge=code_challenge)['origin_ref']
    print(f'> [   auth   ]: {origin_ref} ({code_challenge}): {j}')
    # validate the code challenge
    if payload['challenge'] != b64enc(sha256(j['code_verifier'].encode('utf-8')).digest()).rstrip(b'=').decode('utf-8'):
-        raise HTTPException(status_code=403, detail='expected challenge did not match verifier')
+        raise HTTPException(status_code=401, detail='expected challenge did not match verifier')
    cur_time = datetime.utcnow()
-    access_expires_on = cur_time + relativedelta(days=1)
+    access_expires_on = cur_time + TOKEN_EXPIRE_DELTA
    new_payload = {
        'iat': timegm(cur_time.timetuple()),
@ -208,30 +235,35 @@ async def auth_token(request: Request):
 # {'fulfillment_context': {'fulfillment_class_ref_list': []}, 'lease_proposal_list': [{'license_type_qualifiers': {'count': 1}, 'product': {'name': 'NVIDIA RTX Virtual Workstation'}}], 'proposal_evaluation_mode': 'ALL_OF', 'scope_ref_list': ['00112233-4455-6677-8899-aabbccddeeff']}
@app.post('/leasing/v1/lessor')
 async def leasing_lessor(request: Request):
-    j = json.loads((await request.body()).decode('utf-8'))
+    j, token = json.loads((await request.body()).decode('utf-8')), get_token(request)
    token = jwt.decode(request.headers['authorization'].split(' ')[1], key=jwt_decode_key, algorithms='RS256', options={'verify_aud': False})
    code_challenge = token['origin_ref']
    scope_ref_list = j['scope_ref_list']
-    print(f'> [  lessor  ]: {code_challenge}: {j}')
+
-    print(f'> {code_challenge}: create leases for scope_ref_list {scope_ref_list}')
+    origin_ref = db['auth'].find_one(code_challenge=code_challenge)['origin_ref']
    print(f'> [  create  ]: {origin_ref} ({code_challenge}): create leases for scope_ref_list {scope_ref_list}')
    cur_time = datetime.utcnow()
    lease_result_list = []
    for scope_ref in scope_ref_list:
        expires = cur_time + LEASE_EXPIRE_DELTA
        lease_result_list.append({
            "ordinal": 0,
            # https://docs.nvidia.com/license-system/latest/nvidia-license-system-user-guide/index.html
            "lease": {
                "ref": scope_ref,
                "created": cur_time.isoformat(),
-                "expires": (cur_time + LEASE_EXPIRE_DELTA).isoformat(),
+                "expires": expires.isoformat(),
                # The percentage of the lease period that must elapse before a licensed client can renew a license
                "recommended_lease_renewal": 0.15,
                "offline_lease": "true",
                "license_type": "CONCURRENT_COUNTED_SINGLE"
            }
        })
-        data = dict(origin_ref=code_challenge, lease_ref=scope_ref, expires=None, last_update=None)
+
-        db['leases'].insert_ignore(data, ['origin_ref', 'lease_ref'])
+        data = dict(origin_ref=origin_ref, lease_ref=scope_ref, lease_created=cur_time, lease_expires=expires)
        db['lease'].insert_ignore(data, ['origin_ref', 'lease_ref'])  # todo: handle update
    response = {
        "lease_result_list": lease_result_list,
@ -244,24 +276,19 @@ async def leasing_lessor(request: Request):
 # venv/lib/python3.9/site-packages/nls_services_lease/test/test_lease_multi_controller.py
 # venv/lib/python3.9/site-packages/nls_dal_service_instance_dls/schema/service_instance/V1_0_21__product_mapping.sql
@app.get('/leasing/v1/lessor/leases')
 async def leasing_lessor_lease(request: Request):
-    token = jwt.decode(request.headers['authorization'].split(' ')[1], key=key, algorithms='RS256', options={'verify_aud': False})
+    token = get_token(request)
    code_challenge = token['origin_ref']
    active_lease_list = list(map(lambda x: x['lease_ref'], db['leases'].find(origin_ref=code_challenge)))
    print(f'> {code_challenge}: found {len(active_lease_list)} active leases')
-    if len(active_lease_list) == 0:
+    origin_ref = db['auth'].find_one(code_challenge=code_challenge)['origin_ref']
-        raise HTTPException(status_code=400, detail="No leases available")
+    active_lease_list = list(map(lambda x: x['lease_ref'], db['lease'].find(origin_ref=origin_ref)))
    print(f'> [  leases  ]: {origin_ref} ({code_challenge}): found {len(active_lease_list)} active leases')
    cur_time = datetime.utcnow()
    # venv/lib/python3.9/site-packages/nls_dal_service_instance_dls/schema/service_instance/V1_0_21__product_mapping.sql
    response = {
        # "active_lease_list": [
        #    # "BE276D7B-2CDB-11EC-9838-061A22468B59"  # (works on Linux) GRID-Virtual-WS 2.0 CONCURRENT_COUNTED_SINGLE // 'NVIDIA Virtual PC','NVIDIA Virtual PC'
        #    "BE276EFE-2CDB-11EC-9838-061A22468B59"  # GRID-Virtual-WS 2.0 CONCURRENT_COUNTED_SINGLE // 'NVIDIA RTX Virtual Workstation','NVIDIA RTX Virtual Workstation
        # ],
        "active_lease_list": active_lease_list,
        "sync_timestamp": cur_time.isoformat(),
        "prompts": None
@ -273,13 +300,15 @@ async def leasing_lessor_lease(request: Request):
 # venv/lib/python3.9/site-packages/nls_core_lease/lease_single.py
@app.put('/leasing/v1/lease/{lease_ref}')
 async def leasing_lease_renew(request: Request, lease_ref: str):
-    token = jwt.decode(request.headers['authorization'].split(' ')[1], key=jwt_decode_key, algorithms='RS256', options={'verify_aud': False})
+    token = get_token(request)
    code_challenge = token['origin_ref']
    print(f'> {code_challenge}: renew {lease_ref}')
-    if db['leases'].count(lease_ref=lease_ref) == 0:
+    origin_ref = db['auth'].find_one(code_challenge=code_challenge)['origin_ref']
-        raise HTTPException(status_code=400, detail="No leases available")
+    print(f'> [  renew   ]: {origin_ref} ({code_challenge}): renew {lease_ref}')
    if db['lease'].count(origin_ref=origin_ref, lease_ref=lease_ref) == 0:
        raise HTTPException(status_code=404, detail='requested lease not available')
    cur_time = datetime.utcnow()
    expires = cur_time + LEASE_EXPIRE_DELTA
@ -287,26 +316,27 @@ async def leasing_lease_renew(request: Request, lease_ref: str):
        "lease_ref": lease_ref,
        "expires": expires.isoformat(),
        "recommended_lease_renewal": 0.16,
        # 0.16 = 10 min, 0.25 = 15 min, 0.33 = 20 min, 0.5 = 30 min (should be lower than "LEASE_EXPIRE_DELTA")
        "offline_lease": True,
        "prompts": None,
        "sync_timestamp": cur_time.isoformat(),
    }
-    data = dict(lease_ref=lease_ref, origin_ref=code_challenge, expires=expires, last_update=cur_time)
+    data = dict(origin_ref=origin_ref, lease_ref=lease_ref, lease_expires=expires, lease_last_update=cur_time)
-    db['leases'].update(data, ['lease_ref'])
+    db['lease'].update(data, ['origin_ref', 'lease_ref'])
    return JSONResponse(response)
@app.delete('/leasing/v1/lessor/leases')
 async def leasing_lessor_lease_remove(request: Request):
-    token = jwt.decode(request.headers['authorization'].split(' ')[1], key=jwt_decode_key, algorithms='RS256', options={'verify_aud': False})
+    token = get_token(request)
    code_challenge = token['origin_ref']
-    released_lease_list = list(map(lambda x: x['lease_ref'], db['leases'].find(origin_ref=code_challenge)))
+
-    deletions = db['leases'].delete(origin_ref=code_challenge)
+    origin_ref = db['auth'].find_one(code_challenge=code_challenge)['origin_ref']
-    print(f'> {code_challenge}: removed {deletions} leases')
+    released_lease_list = list(map(lambda x: x['lease_ref'], db['lease'].find(origin_ref=origin_ref)))
    deletions = db['lease'].delete(origin_ref=origin_ref)
    print(f'> [  remove  ]: {origin_ref} ({code_challenge}): removed {deletions} leases')
    cur_time = datetime.utcnow()
    response = {