Merge branch 'dev' into 'main'

v0.6

See merge request oscar.krause/fastapi-dls!9

.gitlab-ci.yml

@@ -6,7 +6,7 @@ build:
   interruptible: true
   stage: build
   rules:
-    - if: $CI_COMMIT_BRANCH
+    - if: $CI_COMMIT_BRANCH != $CI_DEFAULT_BRANCH
   tags: [ docker ]
   before_script:
     - echo "COMMIT=${CI_COMMIT_SHA}" >> version.env  # COMMIT=`git rev-parse HEAD`
@@ -29,6 +29,13 @@ deploy:
     - source version.env
     - echo "Building docker image for commit ${COMMIT} with version ${VERSION}"
   script:
+    - echo "GitLab-Registry"
+    - docker login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY
+    - docker build . --tag ${CI_REGISTRY}/${CI_PROJECT_PATH}/${CI_BUILD_REF_NAME}:${VERSION}
+    - docker build . --tag ${CI_REGISTRY}/${CI_PROJECT_PATH}/${CI_BUILD_REF_NAME}:latest
+    - docker push ${CI_REGISTRY}/${CI_PROJECT_PATH}/${CI_BUILD_REF_NAME}:${VERSION}
+    - docker push ${CI_REGISTRY}/${CI_PROJECT_PATH}/${CI_BUILD_REF_NAME}:latest
+    - echo "Docker-Hub"
     - docker login -u $PUBLIC_REGISTRY_USER -p $PUBLIC_REGISTRY_TOKEN
     - docker build . --tag $PUBLIC_REGISTRY_USER/${CI_PROJECT_NAME}:${VERSION}
     - docker build . --tag $PUBLIC_REGISTRY_USER/${CI_PROJECT_NAME}:latest

README.md

@@ -2,6 +2,9 @@
 
 Minimal Delegated License Service (DLS).
 
+This service can be used without internet connection.
+Only the clients need a connection to this service on configured port.
+
 ## Endpoints
 
 ### `GET /`
@@ -32,7 +35,14 @@ Generate client token, (see [installation](#installation)).
 
 There are some more internal api endpoints for handling authentication and lease process.
 
-# Setup (Docker)
+# Setup
+
+## Docker
+
+Docker-Images are available here:
+
+- [Docker-Hub](https://hub.docker.com/repository/docker/collinwebdesigns/fastapi-dls): `collinwebdesigns/fastapi-dls:latest`
+- GitLab-Registry: `registry.git.collinwebdesigns.de/oscar.krause/fastapi-dls/main:latest`
 
 **Run this on the Docker-Host**
 
@@ -81,6 +91,98 @@ volumes:
   dls-db:
 ```
 
+## Debian
+
+Tested on `Debian 11 (bullseye)`, Ubuntu may also work.
+
+**Install requirements**
+
+```shell
+apt-get update && apt-get install git python3-venv python3-pip
+```
+
+**Install FastAPI-DLS**
+
+```shell
+WORKING_DIR=/opt/fastapi-dls
+mkdir -p $WORKING_DIR
+cd $WORKING_DIR
+git clone https://git.collinwebdesigns.de/oscar.krause/fastapi-dls .
+python3 -m venv venv
+source venv/bin/activate
+pip install -r requirements.txt
+deactivate
+```
+
+**Create keypair and webserver certificate**
+
+```shell
+WORKING_DIR=/opt/fastapi-dls/app/cert
+mkdir $WORKING_DIR
+cd $WORKING_DIR
+# create instance private and public key for singing JWT's
+openssl genrsa -out $WORKING_DIR/instance.private.pem 2048 
+openssl rsa -in $WORKING_DIR/instance.private.pem -outform PEM -pubout -out $WORKING_DIR/instance.public.pem
+# create ssl certificate for integrated webserver (uvicorn) - because clients rely on ssl
+openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout  $WORKING_DIR/webserver.key -out $WORKING_DIR/webserver.crt
+```
+
+**Test Service**
+
+```shell
+cd /opt/fastapi-dls/app
+/opt/fastapi-dls/venv/bin/uvicorn main:app \
+  --host 127.0.0.1 --port 443 \
+  --app-dir /opt/fastapi-dls/app \
+  --ssl-keyfile /opt/fastapi-dls/app/cert/webserver.key \
+  --ssl-certfile /opt/fastapi-dls/app/cert/webserver.crt \
+  --proxy-headers
+```
+
+**Create config file**
+
+```shell
+cat <<EOF > /etc/fastapi-dls.env
+DLS_URL=127.0.0.1
+DLS_PORT=443
+LEASE_EXPIRE_DAYS=90
+DATABASE=sqlite:////opt/fastapi-dls/app/db.sqlite
+EOF 
+```
+
+**Create service**
+
+```shell
+cat <<EOF >/etc/systemd/system/fastapi-dls.service
+[Unit]
+Description=Service for fastapi-dls
+After=network.target
+
+[Service]
+User=www-data
+Group=www-data
+WorkingDirectory=/opt/fastapi-dls/app
+ExecStart=/opt/fastapi-dls/venv/bin/uvicorn \
+  --host $DLS_URL --port $DLS_PORT \
+  --app-dir /opt/fastapi-dls/app \
+  --ssl-keyfile /opt/fastapi-dls/app/cert/webserver.key \
+  --ssl-certfile /opt/fastapi-dls/app/cert/webserver.crt \
+  --proxy-headers
+EnvironmentFile=/etc/fastapi-dls.env
+Restart=always
+KillSignal=SIGQUIT
+Type=notify
+StandardError=syslog
+NotifyAccess=all
+
+[Install]
+WantedBy=multi-user.target
+EOF
+```
+
+Now you have to run `systemctl daemon-reload`. After that you can start service
+with `systemctl start fastapi-dls.service`.
+
 # Configuration
 
 | Variable            | Default               | Usage                                                                                 |

app/main.py

@@ -201,16 +201,13 @@ async def auth_v1_code(request: Request):
         'iat': timegm(cur_time.timetuple()),
         'exp': timegm(expires.timetuple()),
         'challenge': j['code_challenge'],
-        'origin_ref': j['code_challenge'],
+        'origin_ref': j['origin_ref'],
         'key_ref': SITE_KEY_XID,
         'kid': SITE_KEY_XID
     }
 
     auth_code = jws.sign(payload, key=jwt_encode_key, headers={'kid': payload.get('kid')}, algorithm=ALGORITHMS.RS256)
 
-    db['auth'].delete(origin_ref=origin_ref, expires={'<=': cur_time - delta})
-    db['auth'].insert(dict(origin_ref=origin_ref, code_challenge=j['code_challenge'], expires=expires))
-
     response = {
         "auth_code": auth_code,
         "sync_timestamp": cur_time.isoformat(),
@@ -228,10 +225,8 @@ async def auth_v1_token(request: Request):
     j = json.loads((await request.body()).decode('utf-8'))
     payload = jwt.decode(token=j['auth_code'], key=jwt_decode_key)
 
-    code_challenge = payload['origin_ref']
-
-    origin_ref = db['auth'].find_one(code_challenge=code_challenge)['origin_ref']
-    logging.info(f'> [   auth   ]: {origin_ref} ({code_challenge}): {j}')
+    origin_ref = payload['origin_ref']
+    logging.info(f'> [   auth   ]: {origin_ref}: {j}')
 
     # validate the code challenge
     if payload['challenge'] != b64enc(sha256(j['code_verifier'].encode('utf-8')).digest()).rstrip(b'=').decode('utf-8'):
@@ -246,7 +241,7 @@ async def auth_v1_token(request: Request):
         'iss': 'https://cls.nvidia.org',
         'aud': 'https://cls.nvidia.org',
         'exp': timegm(access_expires_on.timetuple()),
-        'origin_ref': payload['origin_ref'],
+        'origin_ref': origin_ref,
         'key_ref': SITE_KEY_XID,
         'kid': SITE_KEY_XID,
     }
@@ -267,12 +262,9 @@ async def auth_v1_token(request: Request):
 async def leasing_v1_lessor(request: Request):
     j, token = json.loads((await request.body()).decode('utf-8')), get_token(request)
 
-    code_challenge = token['origin_ref']
+    origin_ref = token['origin_ref']
     scope_ref_list = j['scope_ref_list']
-
-    origin_ref = db['auth'].find_one(code_challenge=code_challenge)['origin_ref']
-
-    logging.info(f'> [  create  ]: {origin_ref} ({code_challenge}): create leases for scope_ref_list {scope_ref_list}')
+    logging.info(f'> [  create  ]: {origin_ref}: create leases for scope_ref_list {scope_ref_list}')
 
     cur_time = datetime.utcnow()
     lease_result_list = []
@@ -311,11 +303,10 @@ async def leasing_v1_lessor(request: Request):
 async def leasing_v1_lessor_lease(request: Request):
     token = get_token(request)
 
-    code_challenge = token['origin_ref']
+    origin_ref = token['origin_ref']
 
-    origin_ref = db['auth'].find_one(code_challenge=code_challenge)['origin_ref']
     active_lease_list = list(map(lambda x: x['lease_ref'], db['lease'].find(origin_ref=origin_ref)))
-    logging.info(f'> [  leases  ]: {origin_ref} ({code_challenge}): found {len(active_lease_list)} active leases')
+    logging.info(f'> [  leases  ]: {origin_ref}: found {len(active_lease_list)} active leases')
 
     cur_time = datetime.utcnow()
     response = {
@@ -332,10 +323,8 @@ async def leasing_v1_lessor_lease(request: Request):
 async def leasing_v1_lease_renew(request: Request, lease_ref: str):
     token = get_token(request)
 
-    code_challenge = token['origin_ref']
-
-    origin_ref = db['auth'].find_one(code_challenge=code_challenge)['origin_ref']
-    logging.info(f'> [  renew   ]: {origin_ref} ({code_challenge}): renew {lease_ref}')
+    origin_ref = token['origin_ref']
+    logging.info(f'> [  renew   ]: {origin_ref}: renew {lease_ref}')
 
     if db['lease'].count(origin_ref=origin_ref, lease_ref=lease_ref) == 0:
         raise HTTPException(status_code=404, detail='requested lease not available')
@@ -361,12 +350,11 @@ async def leasing_v1_lease_renew(request: Request, lease_ref: str):
 async def leasing_v1_lessor_lease_remove(request: Request):
     token = get_token(request)
 
-    code_challenge = token['origin_ref']
+    origin_ref = token['origin_ref']
 
-    origin_ref = db['auth'].find_one(code_challenge=code_challenge)['origin_ref']
     released_lease_list = list(map(lambda x: x['lease_ref'], db['lease'].find(origin_ref=origin_ref)))
     deletions = db['lease'].delete(origin_ref=origin_ref)
-    logging.info(f'> [  remove  ]: {origin_ref} ({code_challenge}): removed {deletions} leases')
+    logging.info(f'> [  remove  ]: {origin_ref}: removed {deletions} leases')
 
     cur_time = datetime.utcnow()
     response = {

version.env

@@ -1 +1 @@
-VERSION=0.5
+VERSION=0.6