.DEBIAN/env.default

@@ -1,27 +0,0 @@
-# Toggle debug mode
-#DEBUG=false
-
-# Where the client can find the DLS server
-DLS_URL=127.0.0.1
-DLS_PORT=443
-
-# CORS configuration
-## comma separated list without spaces
-#CORS_ORIGINS="https://$DLS_URL:$DLS_PORT"
-
-# Lease expiration in days
-LEASE_EXPIRE_DAYS=90
-LEASE_RENEWAL_PERIOD=0.2
-
-# Database location
-## https://docs.sqlalchemy.org/en/14/core/engines.html
-DATABASE=sqlite:////etc/fastapi-dls/db.sqlite
-
-# UUIDs for identifying the instance
-#SITE_KEY_XID="00000000-0000-0000-0000-000000000000"
-#INSTANCE_REF="10000000-0000-0000-0000-000000000001"
-#ALLOTMENT_REF="20000000-0000-0000-0000-000000000001"
-
-# Site-wide signing keys
-INSTANCE_KEY_RSA=/etc/fastapi-dls/instance.private.pem
-INSTANCE_KEY_PUB=/etc/fastapi-dls/instance.public.pem

.DEBIAN/fastapi-dls.service

@@ -1,25 +0,0 @@
-[Unit]
-Description=Service for fastapi-dls
-Documentation=https://git.collinwebdesigns.de/oscar.krause/fastapi-dls
-After=network.target
-
-[Service]
-User=www-data
-Group=www-data
-AmbientCapabilities=CAP_NET_BIND_SERVICE
-WorkingDirectory=/usr/share/fastapi-dls/app
-EnvironmentFile=/etc/fastapi-dls/env
-ExecStart=uvicorn main:app \
-  --env-file /etc/fastapi-dls/env \
-  --host $DLS_URL --port $DLS_PORT \
-  --app-dir /usr/share/fastapi-dls/app \
-  --ssl-keyfile /etc/fastapi-dls/webserver.key \
-  --ssl-certfile /etc/fastapi-dls/webserver.crt \
-  --proxy-headers
-Restart=always
-KillSignal=SIGQUIT
-Type=simple
-NotifyAccess=all
-
-[Install]
-WantedBy=multi-user.target

.DEBIAN/postinst

@@ -3,26 +3,89 @@
 WORKING_DIR=/usr/share/fastapi-dls
 CONFIG_DIR=/etc/fastapi-dls
 
-if [[ ! -f $CONFIG_DIR/instance.private.pem ]]; then
+echo "> Create config directory ..."
+mkdir -p $CONFIG_DIR
+
+# normally we would define services in `conffiles` and as separate file, but we like to keep thinks simple.
+echo "> Install service ..."
+cat <<EOF >/etc/systemd/system/fastapi-dls.service
+[Unit]
+Description=Service for fastapi-dls
+Documentation=https://git.collinwebdesigns.de/oscar.krause/fastapi-dls
+After=network.target
+
+[Service]
+User=www-data
+Group=www-data
+AmbientCapabilities=CAP_NET_BIND_SERVICE
+WorkingDirectory=$WORKING_DIR/app
+EnvironmentFile=$CONFIG_DIR/env
+ExecStart=uvicorn main:app \\
+  --env-file /etc/fastapi-dls/env \\
+  --host \$DLS_URL --port \$DLS_PORT \\
+  --app-dir $WORKING_DIR/app \\
+  --ssl-keyfile /etc/fastapi-dls/webserver.key \\
+  --ssl-certfile /etc/fastapi-dls/webserver.crt \\
+  --proxy-headers
+Restart=always
+KillSignal=SIGQUIT
+Type=simple
+NotifyAccess=all
+
+[Install]
+WantedBy=multi-user.target
+
+EOF
+
+systemctl daemon-reload
+
+# normally we would define configfiles in `conffiles` and as separate file, but we like to keep thinks simple.
+if [[ ! -f $CONFIG_DIR/env ]]; then
+  echo "> Writing initial config ..."
+  touch $CONFIG_DIR/env
+  cat <<EOF >$CONFIG_DIR/env
+# Toggle debug mode
+#DEBUG=false
+
+# Where the client can find the DLS server
+DLS_URL=127.0.0.1
+DLS_PORT=443
+
+# CORS configuration
+## comma separated list without spaces
+#CORS_ORIGINS="https://$DLS_URL:$DLS_PORT"
+
+# Lease expiration in days
+LEASE_EXPIRE_DAYS=90
+
+# Database location
+## https://docs.sqlalchemy.org/en/14/core/engines.html
+DATABASE=sqlite:///$CONFIG_DIR/db.sqlite
+
+# UUIDs for identifying the instance
+#SITE_KEY_XID="00000000-0000-0000-0000-000000000000"
+#INSTANCE_REF="00000000-0000-0000-0000-000000000000"
+
+# Site-wide signing keys
+INSTANCE_KEY_RSA=$CONFIG_DIR/instance.private.pem
+INSTANCE_KEY_PUB=$CONFIG_DIR/instance.public.pem
+
+EOF
+fi
+
 echo "> Create dls-instance keypair ..."
 openssl genrsa -out $CONFIG_DIR/instance.private.pem 2048
 openssl rsa -in $CONFIG_DIR/instance.private.pem -outform PEM -pubout -out $CONFIG_DIR/instance.public.pem
-else
-  echo "> Create dls-instance keypair skipped! (exists)"
-fi
 
 while true; do
-  [[ -f $CONFIG_DIR/webserver.key ]] && default_answer="N" || default_answer="Y"
+  read -p "> Do you wish to create self-signed webserver certificate? [Y/n]" yn
-  [[ $default_answer == "Y" ]] && V="Y/n" || V="y/N"
+  yn=${yn:-y} # ${parameter:-word} If parameter is unset or null, the expansion of word is substituted. Otherwise, the value of parameter is substituted.
-  read -p "> Do you wish to create self-signed webserver certificate? [${V}]" yn
-  yn=${yn:-$default_answer} # ${parameter:-word} If parameter is unset or null, the expansion of word is substituted. Otherwise, the value of parameter is substituted.
   case $yn in
   [Yy]*)
-    echo "> Generating keypair ..."
     openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout $CONFIG_DIR/webserver.key -out $CONFIG_DIR/webserver.crt
     break
     ;;
-  [Nn]*) echo "> Generating keypair skipped! (exists)"; break ;;
+  [Nn]*) break ;;
   *) echo "Please answer [y] or [n]." ;;
   esac
 done

.gitlab-ci.yml

@@ -46,10 +46,7 @@ build:apt:
     - cp README.md version.env build/usr/share/fastapi-dls
     # create conf file
     - mkdir -p build/etc/fastapi-dls
-    - cp .DEBIAN/env.default build/etc/fastapi-dls/env
+    - touch build/etc/fastapi-dls/env
-    # create service file
-    - mkdir -p build/etc/systemd/system
-    - cp .DEBIAN/fastapi-dls.service build/etc/systemd/system
     # cd into "build/"
     - cd build/
   script:
@@ -145,7 +142,6 @@ test:
       --proxy-headers &
     - FASTAPI_DLS_PID=$!
     - echo "Started service with pid $FASTAPI_DLS_PID"
-    - cat /etc/fastapi-dls/env
     # testing service
     - if [ "`curl --insecure -s https://127.0.0.1/-/health | jq .status`" != "up" ]; then echo "Success"; else "Error"; fi
     # cleanup

app/main.py

@@ -331,7 +331,7 @@ async def auth_v1_token(request: Request):
     # validate the code challenge
     challenge = b64enc(sha256(j.get('code_verifier').encode('utf-8')).digest()).rstrip(b'=').decode('utf-8')
     if payload.get('challenge') != challenge:
-        return JSONr(status_code=401, content={'status': 401, 'detail': 'expected challenge did not match verifier'})
+        raise JSONr(status_code=401, content={'status': 401, 'detail': 'expected challenge did not match verifier'})
 
     access_expires_on = cur_time + TOKEN_EXPIRE_DELTA
 
@@ -374,7 +374,7 @@ async def leasing_v1_lessor(request: Request):
     lease_result_list = []
     for scope_ref in scope_ref_list:
         # if scope_ref not in [ALLOTMENT_REF]:
-        #     return JSONr(status_code=500, detail=f'no service instances found for scopes: ["{scope_ref}"]')
+        #     raise JSONr(status_code=500, detail=f'no service instances found for scopes: ["{scope_ref}"]')
 
         lease_ref = str(uuid4())
         expires = cur_time + LEASE_EXPIRE_DELTA