Merge branch 'dev' into 'main'

v0.5 See merge request oscar.krause/fastapi-dls!7
2022-12-21 11:10:18 +01:00
parent 5e6c014b2b 6afb121533
commit 8a7f5d9cbe
7 changed files with 118 additions and 37 deletions
@@ -8,6 +8,8 @@ build:
  rules:
    - if: $CI_COMMIT_BRANCH
  tags: [ docker ]
+  before_script:
+    - echo "COMMIT=${CI_COMMIT_SHA}" >> version.env  # COMMIT=`git rev-parse HEAD`
  script:
    - docker login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY
    - docker build . --tag ${CI_REGISTRY}/${CI_PROJECT_PATH}/${CI_BUILD_REF_NAME}:${CI_BUILD_REF}
@@ -22,9 +24,13 @@ deploy:
  stage: deploy
  rules:
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
+  before_script:
+    - echo "COMMIT=${CI_COMMIT_SHA}" >> version.env
+    - source version.env
+    - Building docker image for commit "${COMMIT}" with version "${VERSION}"
  script:
    - docker login -u $PUBLIC_REGISTRY_USER -p $PUBLIC_REGISTRY_TOKEN
-    - docker build . --tag $PUBLIC_REGISTRY_USER/${CI_PROJECT_NAME}:${CI_BUILD_REF}
+    - docker build . --tag $PUBLIC_REGISTRY_USER/${CI_PROJECT_NAME}:${VERSION}
    - docker build . --tag $PUBLIC_REGISTRY_USER/${CI_PROJECT_NAME}:latest
-    - docker push $PUBLIC_REGISTRY_USER/${CI_PROJECT_NAME}:${CI_BUILD_REF}
+    - docker push $PUBLIC_REGISTRY_USER/${CI_PROJECT_NAME}:${VERSION}
    - docker push $PUBLIC_REGISTRY_USER/${CI_PROJECT_NAME}:latest
@@ -11,6 +11,8 @@ RUN apk update \
 && apk del build-deps

 COPY app /app
+COPY version.env /version.env
+COPY README.md /README.md

 HEALTHCHECK --start-period=30s --interval=10s --timeout=5s --retries=3 CMD curl --insecure --fail https://localhost/status || exit 1
 CMD ["uvicorn", "main:app", "--host", "0.0.0.0", "--port", "443", "--app-dir", "/app", "--proxy-headers", "--ssl-keyfile", "/app/cert/webserver.key", "--ssl-certfile", "/app/cert/webserver.crt"]
@@ -6,11 +6,15 @@ Minimal Delegated License Service (DLS).

 ### `GET /`

-Just a simple *hello world* endpoint.
+HTML rendered README.md.

 ### `GET /status`

-Status endpoint, used for *healthcheck*.
+Status endpoint, used for *healthcheck*. Shows also current version and commit hash.
+
+### `GET /docs`
+
+OpenAPI specifications rendered from `GET /openapi.json`.

 ### `GET /-/origins`

@@ -20,6 +24,14 @@ List registered origins.

 List current leases.

+### `GET /client-token`
+
+Generate client token, (see [installation](#installation)).
+
+### Others
+
+There are some more internal api endpoints for handling authentication and lease process.
+
 # Setup (Docker)

 **Run this on the Docker-Host**
@@ -28,20 +40,57 @@ List current leases.
 WORKING_DIR=/opt/docker/fastapi-dls/cert
 mkdir -p $WORKING_DIR
 cd $WORKING_DIR
+# create instance private and public key for singing JWT's
 openssl genrsa -out $WORKING_DIR/instance.private.pem 2048 
 openssl rsa -in $WORKING_DIR/instance.private.pem -outform PEM -pubout -out $WORKING_DIR/instance.public.pem
+# create ssl certificate for integrated webserver (uvicorn) - because clients rely on ssl
 openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout  $WORKING_DIR/webserver.key -out $WORKING_DIR/webserver.crt
-docker run -e DLS_URL=`hostname -i` -e DLS_PORT=443 -p 443:443 -v $WORKING_DIR:/app/cert collinwebdesigns/fastapi-dls:latest
+```
+
+**Start container**
+
+```shell
+docker volume create dls-db
+docker run -e DLS_URL=`hostname -i` -e DLS_PORT=443 -p 443:443 -v $WORKING_DIR:/app/cert -v dls-db:/app/database collinwebdesigns/fastapi-dls:latest
+```
+
+**Docker-Compose / Deploy stack**
+
+```yaml
+version: '3.9'
+
+x-dls-variables: &dls-variables
+  DLS_URL: localhost # REQUIRED
+  DLS_PORT: 443
+  LEASE_EXPIRE_DAYS: 90
+  DATABASE: sqlite:////app/database/db.sqlite
+
+services:
+  dls:
+    image: collinwebdesigns/fastapi-dls:latest
+    restart: always
+    environment:
+      <<: *dls-variables
+    ports:
+      - "443:443"
+    volumes:
+      - /opt/docker/fastapi-dls/cert:/app/cert
+      - dls-db:/app/database
+
+volumes:
+  dls-db:
 ```

 # Configuration

 | Variable            | Default               | Usage                                                                                 |
 |---------------------|-----------------------|---------------------------------------------------------------------------------------|
+| `DEBUG`             | `false`               | Toggles `fastapi` debug mode                                                          |
 | `DLS_URL`           | `localhost`           | Used in client-token to tell guest driver where dls instance is reachable             |
 | `DLS_PORT`          | `443`                 | Used in client-token to tell guest driver where dls instance is reachable             |
 | `LEASE_EXPIRE_DAYS` | `90`                  | Lease time in days                                                                    |
 | `DATABASE`          | `sqlite:///db.sqlite` | See [official dataset docs](https://dataset.readthedocs.io/en/latest/quickstart.html) |
+| `CORS_ORIGINS`      | `https://{DLS_URL}`   | Sets `Access-Control-Allow-Origin` header (comma separated string)                    |

 # Installation

@@ -1,9 +0,0 @@
-# FastAPI-DLS Server
-
-
-## ToDo
-
- Create Client Token (`.tok`-file)
- Docker Image
- Create Certificates if not exist
- Keep track of clients and Leases
@@ -1,8 +1,11 @@
+import logging
 from base64 import b64encode as b64enc
 from hashlib import sha256
 from uuid import uuid4
 from os.path import join, dirname
 from os import getenv
+
+from dotenv import load_dotenv
 from fastapi import FastAPI, HTTPException
 from fastapi.requests import Request
 from fastapi.encoders import jsonable_encoder
@@ -12,11 +15,17 @@ from dateutil.relativedelta import relativedelta
 from calendar import timegm
 from jose import jws, jwk, jwt
 from jose.constants import ALGORITHMS
-from starlette.responses import StreamingResponse, JSONResponse
+from starlette.middleware.cors import CORSMiddleware
+from starlette.responses import StreamingResponse, JSONResponse, HTMLResponse
 import dataset
 from Crypto.PublicKey import RSA
 from Crypto.PublicKey.RSA import RsaKey

+logger = logging.getLogger()
+load_dotenv('../version.env')
+
+VERSION, COMMIT, DEBUG = getenv('VERSION', 'unknown'), getenv('COMMIT', 'unknown'), bool(getenv('DEBUG', False))
+

 def load_file(filename) -> bytes:
    with open(filename, 'rb') as file:
@@ -30,7 +39,13 @@ def load_key(filename) -> RsaKey:

 # todo: initialize certificate (or should be done by user, and passed through "volumes"?)

-app, db = FastAPI(), dataset.connect(str(getenv('DATABASE', 'sqlite:///db.sqlite')))
+__details = dict(
+    title='FastAPI-DLS',
+    description='Minimal Delegated License Service (DLS).',
+    version=VERSION,
+)
+
+app, db = FastAPI(**__details), dataset.connect(str(getenv('DATABASE', 'sqlite:///db.sqlite')))

 TOKEN_EXPIRE_DELTA = relativedelta(hours=1)  # days=1
 LEASE_EXPIRE_DELTA = relativedelta(days=int(getenv('LEASE_EXPIRE_DAYS', 90)))
@@ -41,24 +56,39 @@ SITE_KEY_XID = getenv('SITE_KEY_XID', '00000000-0000-0000-0000-000000000000')
 INSTANCE_KEY_RSA = load_key(join(dirname(__file__), 'cert/instance.private.pem'))
 INSTANCE_KEY_PUB = load_key(join(dirname(__file__), 'cert/instance.public.pem'))

+CORS_ORIGINS = getenv('CORS_ORIGINS').split(',') if (getenv('CORS_ORIGINS')) else f'https://{DLS_URL}'  # todo: prevent static https
+
 jwt_encode_key = jwk.construct(INSTANCE_KEY_RSA.export_key().decode('utf-8'), algorithm=ALGORITHMS.RS256)
 jwt_decode_key = jwk.construct(INSTANCE_KEY_PUB.export_key().decode('utf-8'), algorithm=ALGORITHMS.RS512)

+app.debug = DEBUG
+app.add_middleware(
+    CORSMiddleware,
+    allow_origins=CORS_ORIGINS,
+    allow_credentials=True,
+    allow_methods=["*"],
+    allow_headers=["*"],
+)
+
+logger.setLevel(logging.DEBUG if DEBUG else logging.INFO)
+

 def get_token(request: Request) -> dict:
    authorization_header = request.headers['authorization']
    token = authorization_header.split(' ')[1]
-    return jwt.decode(token=token, key=jwt_decode_key, algorithms='RS256', options={'verify_aud': False})
+    return jwt.decode(token=token, key=jwt_decode_key, algorithms=ALGORITHMS.RS256, options={'verify_aud': False})


@app.get('/')
 async def index():
-    return JSONResponse({'hello': 'world'})
+    from markdown import markdown
+    content = load_file('../README.md').decode('utf-8')
+    return HTMLResponse(markdown(text=content, extensions=['tables', 'fenced_code', 'md_in_html', 'nl2br', 'toc']))


@app.get('/status')
 async def status(request: Request):
-    return JSONResponse({'status': 'up'})
+    return JSONResponse({'status': 'up', 'version': VERSION, 'commit': COMMIT, 'debug': DEBUG})


@app.get('/-/origins')
@@ -112,7 +142,7 @@ async def client_token():
        "service_instance_public_key_configuration": service_instance_public_key_configuration,
    }

-    content = jws.sign(payload, key=jwt_encode_key, headers=None, algorithm='RS256')
+    content = jws.sign(payload, key=jwt_encode_key, headers=None, algorithm=ALGORITHMS.RS256)

    response = StreamingResponse(iter([content]), media_type="text/plain")
    filename = f'client_configuration_token_{datetime.now().strftime("%d-%m-%y-%H-%M-%S")}'
@@ -124,11 +154,11 @@ async def client_token():
 # venv/lib/python3.9/site-packages/nls_services_auth/test/test_origins_controller.py
 # {"candidate_origin_ref":"00112233-4455-6677-8899-aabbccddeeff","environment":{"fingerprint":{"mac_address_list":["ff:ff:ff:ff:ff:ff"]},"hostname":"my-hostname","ip_address_list":["192.168.178.123","fe80::","fe80::1%enp6s18"],"guest_driver_version":"510.85.02","os_platform":"Debian GNU/Linux 11 (bullseye) 11","os_version":"11 (bullseye)"},"registration_pending":false,"update_pending":false}
@app.post('/auth/v1/origin')
-async def auth_origin(request: Request):
+async def auth_v1_origin(request: Request):
    j = json.loads((await request.body()).decode('utf-8'))

    origin_ref = j['candidate_origin_ref']
-    print(f'> [  origin  ]: {origin_ref}: {j}')
+    logging.info(f'> [  origin  ]: {origin_ref}: {j}')

    data = dict(
        origin_ref=origin_ref,
@@ -157,11 +187,11 @@ async def auth_origin(request: Request):
 # venv/lib/python3.9/site-packages/nls_core_auth/auth.py - CodeResponse
 # {"code_challenge":"...","origin_ref":"00112233-4455-6677-8899-aabbccddeeff"}
@app.post('/auth/v1/code')
-async def auth_code(request: Request):
+async def auth_v1_code(request: Request):
    j = json.loads((await request.body()).decode('utf-8'))

    origin_ref = j['origin_ref']
-    print(f'> [   code   ]: {origin_ref}: {j}')
+    logging.info(f'> [   code   ]: {origin_ref}: {j}')

    cur_time = datetime.utcnow()
    delta = relativedelta(minutes=15)
@@ -176,7 +206,7 @@ async def auth_code(request: Request):
        'kid': SITE_KEY_XID
    }

-    auth_code = jws.sign(payload, key=jwt_encode_key, headers={'kid': payload.get('kid')}, algorithm='RS256')
+    auth_code = jws.sign(payload, key=jwt_encode_key, headers={'kid': payload.get('kid')}, algorithm=ALGORITHMS.RS256)

    db['auth'].delete(origin_ref=origin_ref, expires={'<=': cur_time - delta})
    db['auth'].insert(dict(origin_ref=origin_ref, code_challenge=j['code_challenge'], expires=expires))
@@ -194,14 +224,14 @@ async def auth_code(request: Request):
 # venv/lib/python3.9/site-packages/nls_core_auth/auth.py - TokenResponse
 # {"auth_code":"...","code_verifier":"..."}
@app.post('/auth/v1/token')
-async def auth_token(request: Request):
+async def auth_v1_token(request: Request):
    j = json.loads((await request.body()).decode('utf-8'))
    payload = jwt.decode(token=j['auth_code'], key=jwt_decode_key)

    code_challenge = payload['origin_ref']

    origin_ref = db['auth'].find_one(code_challenge=code_challenge)['origin_ref']
-    print(f'> [   auth   ]: {origin_ref} ({code_challenge}): {j}')
+    logging.info(f'> [   auth   ]: {origin_ref} ({code_challenge}): {j}')

    # validate the code challenge
    if payload['challenge'] != b64enc(sha256(j['code_verifier'].encode('utf-8')).digest()).rstrip(b'=').decode('utf-8'):
@@ -221,7 +251,7 @@ async def auth_token(request: Request):
        'kid': SITE_KEY_XID,
    }

-    auth_token = jwt.encode(new_payload, key=jwt_encode_key, headers={'kid': payload.get('kid')}, algorithm='RS256')
+    auth_token = jwt.encode(new_payload, key=jwt_encode_key, headers={'kid': payload.get('kid')}, algorithm=ALGORITHMS.RS256)

    response = {
        "expires": access_expires_on.isoformat(),
@@ -234,7 +264,7 @@ async def auth_token(request: Request):

 # {'fulfillment_context': {'fulfillment_class_ref_list': []}, 'lease_proposal_list': [{'license_type_qualifiers': {'count': 1}, 'product': {'name': 'NVIDIA RTX Virtual Workstation'}}], 'proposal_evaluation_mode': 'ALL_OF', 'scope_ref_list': ['00112233-4455-6677-8899-aabbccddeeff']}
@app.post('/leasing/v1/lessor')
-async def leasing_lessor(request: Request):
+async def leasing_v1_lessor(request: Request):
    j, token = json.loads((await request.body()).decode('utf-8')), get_token(request)

    code_challenge = token['origin_ref']
@@ -242,7 +272,7 @@ async def leasing_lessor(request: Request):

    origin_ref = db['auth'].find_one(code_challenge=code_challenge)['origin_ref']

-    print(f'> [  create  ]: {origin_ref} ({code_challenge}): create leases for scope_ref_list {scope_ref_list}')
+    logging.info(f'> [  create  ]: {origin_ref} ({code_challenge}): create leases for scope_ref_list {scope_ref_list}')

    cur_time = datetime.utcnow()
    lease_result_list = []
@@ -278,14 +308,14 @@ async def leasing_lessor(request: Request):
 # venv/lib/python3.9/site-packages/nls_services_lease/test/test_lease_multi_controller.py
 # venv/lib/python3.9/site-packages/nls_dal_service_instance_dls/schema/service_instance/V1_0_21__product_mapping.sql
@app.get('/leasing/v1/lessor/leases')
-async def leasing_lessor_lease(request: Request):
+async def leasing_v1_lessor_lease(request: Request):
    token = get_token(request)

    code_challenge = token['origin_ref']

    origin_ref = db['auth'].find_one(code_challenge=code_challenge)['origin_ref']
    active_lease_list = list(map(lambda x: x['lease_ref'], db['lease'].find(origin_ref=origin_ref)))
-    print(f'> [  leases  ]: {origin_ref} ({code_challenge}): found {len(active_lease_list)} active leases')
+    logging.info(f'> [  leases  ]: {origin_ref} ({code_challenge}): found {len(active_lease_list)} active leases')

    cur_time = datetime.utcnow()
    response = {
@@ -299,13 +329,13 @@ async def leasing_lessor_lease(request: Request):

 # venv/lib/python3.9/site-packages/nls_core_lease/lease_single.py
@app.put('/leasing/v1/lease/{lease_ref}')
-async def leasing_lease_renew(request: Request, lease_ref: str):
+async def leasing_v1_lease_renew(request: Request, lease_ref: str):
    token = get_token(request)

    code_challenge = token['origin_ref']

    origin_ref = db['auth'].find_one(code_challenge=code_challenge)['origin_ref']
-    print(f'> [  renew   ]: {origin_ref} ({code_challenge}): renew {lease_ref}')
+    logging.info(f'> [  renew   ]: {origin_ref} ({code_challenge}): renew {lease_ref}')

    if db['lease'].count(origin_ref=origin_ref, lease_ref=lease_ref) == 0:
        raise HTTPException(status_code=404, detail='requested lease not available')
@@ -328,7 +358,7 @@ async def leasing_lease_renew(request: Request, lease_ref: str):


@app.delete('/leasing/v1/lessor/leases')
-async def leasing_lessor_lease_remove(request: Request):
+async def leasing_v1_lessor_lease_remove(request: Request):
    token = get_token(request)

    code_challenge = token['origin_ref']
@@ -336,7 +366,7 @@ async def leasing_lessor_lease_remove(request: Request):
    origin_ref = db['auth'].find_one(code_challenge=code_challenge)['origin_ref']
    released_lease_list = list(map(lambda x: x['lease_ref'], db['lease'].find(origin_ref=origin_ref)))
    deletions = db['lease'].delete(origin_ref=origin_ref)
-    print(f'> [  remove  ]: {origin_ref} ({code_challenge}): removed {deletions} leases')
+    logging.info(f'> [  remove  ]: {origin_ref} ({code_challenge}): removed {deletions} leases')

    cur_time = datetime.utcnow()
    response = {
@@ -359,7 +389,7 @@ if __name__ == '__main__':
    #
    ###

-    print(f'> Starting dev-server ...')
+    logging.info(f'> Starting dev-server ...')

    ssl_keyfile = join(dirname(__file__), 'cert/webserver.key')
    ssl_certfile = join(dirname(__file__), 'cert/webserver.crt')
@@ -4,3 +4,5 @@ python-jose==3.3.0
 pycryptodome==3.16.0
 python-dateutil==2.8.2
 dataset==1.5.2
+markdown==3.4.1
+python-dotenv==0.21.0
@@ -0,0 +1 @@
+VERSION=0.5