ssl-provisioning 1.0.0__py3-none-any.whl

ssl_provisioning-1.0.0.dist-info/METADATA

@@ -0,0 +1,172 @@
+Metadata-Version: 2.4
+Name: ssl-provisioning
+Version: 1.0.0
+Summary: SSL certificate provisioning tool: a FastAPI server distributes fullchain/privkey to one-shot CLI clients over an authenticated, end-to-end encrypted channel.
+License: MIT
+Requires-Python: >=3.10
+Requires-Dist: cryptography>=42.0
+Requires-Dist: fastapi>=0.110
+Requires-Dist: prompt-toolkit>=3.0
+Requires-Dist: uvicorn>=0.27
+Description-Content-Type: text/markdown
+
+# sslpv
+
+`sslpv` is an SSL certificate provisioning tool. A long-running FastAPI server holds
+the paths to a `fullchain`/`privkey` pair and a set of API keys. A one-shot CLI client
+authenticates with an API key and pulls the current certificate and private key over an
+authenticated, end-to-end encrypted channel, writing them atomically to local paths.
+
+---
+
+## Installation
+
+The distribution is published on PyPI as `ssl-provisioning`; the installed command
+and import package are both named `sslpv`.
+
+**From PyPI:**
+
+```sh
+pip install ssl-provisioning
+# or, one-shot without a permanent install:
+uvx --from ssl-provisioning sslpv --help
+```
+
+**From a local checkout:**
+
+```sh
+uv pip install .   # or: pip install .
+```
+
+---
+
+## Server
+
+### Starting the server
+
+```sh
+sslpv server --config /path/to/config.json
+```
+
+The server blocks until interrupted (Ctrl-C).
+
+### config.json reference
+
+```json
+{
+  "fullchain": "/etc/letsencrypt/live/example.com/fullchain.pem",
+  "privkey": "/etc/letsencrypt/live/example.com/privkey.pem",
+  "apikeys": ["replace-with-a-long-random-secret", "another-client-key"],
+  "host": "0.0.0.0",
+  "port": 1243,
+  "server_certfile": null,
+  "server_keyfile": null,
+  "trusted_proxies": []
+}
+```
+
+| Field | Type | Required | Description |
+|---|---|---|---|
+| `fullchain` | string | yes | Path to the PEM fullchain certificate to distribute to clients. |
+| `privkey` | string | yes | Path to the PEM private key to distribute to clients. |
+| `apikeys` | list of strings | yes | One or more API keys that clients may authenticate with. |
+| `host` | string | no | Bind address. Defaults to `"0.0.0.0"`. |
+| `port` | int | no | TCP port to listen on. Defaults to `1243`. |
+| `server_certfile` | string or null | no | TLS certificate for the server itself. Falls back to `fullchain` when null. |
+| `server_keyfile` | string or null | no | TLS private key for the server itself. Falls back to `privkey` when null. |
+| `trusted_proxies` | list of strings | no | IP addresses of trusted reverse proxies whose `X-Forwarded-For` header is used to determine the real client IP for rate limiting. |
+
+### File permissions
+
+The server hard-errors on startup if the config file is readable by group or other.
+Restrict permissions before starting:
+
+```sh
+chmod 600 /path/to/config.json
+chmod 600 /path/to/privkey.pem
+```
+
+---
+
+## Client
+
+```sh
+sslpv client \
+  --server https://example.com:1243 \
+  --key /path/to/apikey.txt \
+  --cert /path/to/fullchain.pem \
+  --privkey /path/to/privkey.pem
+```
+
+### Client flags
+
+| Flag | Required | Description |
+|---|---|---|
+| `--server URL` | yes | Server base URL. Must use `https`. |
+| `--key PATH` | yes | File containing the API key. |
+| `--cert PATH` | yes | Destination path for the retrieved PEM certificate. |
+| `--privkey PATH` | yes | Destination path for the retrieved PEM private key. |
+| `--insecure` | no | Disable TLS certificate verification. Dangerous; see note below. |
+| `--ca-cert PATH` | no | Path to a custom PEM CA bundle for TLS verification. |
+| `--pin-sha256 HEX` | no | Expected SHA-256 hex fingerprint of the server leaf certificate. |
+| `--timeout SECONDS` | no | Per-request timeout in seconds. Default: `30.0`. |
+
+### TLS for self-signed or IP-addressed servers
+
+For servers with self-signed certificates or no matching DNS name, use `--ca-cert` or
+`--pin-sha256` instead of `--insecure`:
+
+```sh
+# Trust a custom CA bundle
+sslpv client --server https://192.0.2.1:1243 --ca-cert /path/to/ca.pem ...
+
+# Pin by SHA-256 fingerprint (colons optional, case-insensitive)
+sslpv client --server https://192.0.2.1:1243 --pin-sha256 ab:cd:ef:... ...
+```
+
+`--insecure` disables all chain and hostname verification and leaves the connection
+vulnerable to MITM attacks. The end-to-end encryption described below still protects
+the payload content, but the identity of the server is not verified.
+
+---
+
+## How it works
+
+### Stateless signed challenge-response authentication
+
+1. The client fetches a signed one-time nonce from `/challenge`.
+2. The client computes an HMAC proof that binds the API key, HTTP method, endpoint path,
+   nonce, issue timestamp, and an ephemeral X25519 public key. The raw API key is never
+   sent over the wire.
+3. The server verifies the proof, checks the nonce has not been spent, and marks the
+   nonce as spent immediately (one-time use).
+
+### End-to-end AES-256-GCM payload encryption
+
+Each response payload (certificate or private key) is encrypted with AES-256-GCM. The
+symmetric key is derived from an X25519 ECDH exchange between a server-side ephemeral
+key and the client's ephemeral key, with the API key mixed in as additional key
+material. Even if the TLS layer is broken or bypassed (e.g. by an on-path attacker
+under `--insecure`), the payload cannot be decrypted or forged without knowledge of the
+API key.
+
+### TLS transport
+
+The server uses uvicorn with `ssl.PROTOCOL_TLS_SERVER` (TLS 1.2 or higher) and a
+modern cipher suite (`ECDHE+AESGCM:ECDHE+CHACHA20`). Use `--ca-cert` or `--pin-sha256`
+on the client when the server certificate is not trusted by the system CA store.
+
+---
+
+## Security model and limitations
+
+- **Availability / DoS**: Protection against on-path denial-of-service is out of scope.
+  Rate limiting is implemented per-IP but an on-path attacker can still disrupt
+  availability.
+- **Single-process requirement**: The server must run with `workers=1` (the default).
+  Nonce deduplication and the rate limiter use in-memory state; multiple workers would
+  allow nonce replay across process boundaries.
+- **API key confidentiality**: Keep API key files restricted to `0600`. A key with group
+  or other read permission will trigger a warning from the client.
+- **Config file confidentiality**: The server rejects a config file with group or other
+  read bits set. Always `chmod 600` the config.

ssl_provisioning-1.0.0.dist-info/RECORD

@@ -0,0 +1,19 @@
+sslpv/__init__.py,sha256=ypRf1GUxSlkDMpH-HzLU26s2XSgVo1qiy-RkpfrdK9c,84
+sslpv/dependencies.py,sha256=vESbqjM0YVagRVBV2DM1P7oOMZjtwS7ELmU29wICPE0,5809
+sslpv/main.py,sha256=GN5osK5akagFcTGsCcBs1yXFR3m-zY6pKFWoyGd9etc,4949
+sslpv/response.py,sha256=5EDwgnPty54lDbINm8e-_63mSUEDdAlzneZxdifzXbM,1109
+sslpv/models/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
+sslpv/models/config.py,sha256=sW_XBad0yXI0jHh5HmXywLIKLoHN2lKLBLH03pexJSg,2320
+sslpv/routers/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
+sslpv/routers/certs.py,sha256=brrzuDTFsfrZ3m175-Qv26t0i1Yyy6HO78W4BuHalT8,10053
+sslpv/services/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
+sslpv/services/client.py,sha256=B4E7fUhbM23a67o3Rva5ZzHBcFmMQByhmIC6DuUpEBs,18385
+sslpv/services/config.py,sha256=ofenFk5viml8Dtk63QOE9NEFYPCf8b5AJCdpKwpK9yM,3998
+sslpv/services/server.py,sha256=kUPmERQhxK0d1HK3Ue--quX-HSNPRi1SoyXwYyc7SaU,7486
+sslpv/utils/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
+sslpv/utils/crypto.py,sha256=G14KMCdFoyM5nFDVpM4Ln0KhPxzx5qcViVBh2863_UQ,9337
+sslpv/utils/logging.py,sha256=7LDinL6YtIo6eKiGO-PVk-HLicEJ38oc3n1C5DZDlJQ,3486
+ssl_provisioning-1.0.0.dist-info/METADATA,sha256=7wPLjxDobOTt6-YaMMkoIjrdBPBCUBj8N1_EgJAfR6w,6262
+ssl_provisioning-1.0.0.dist-info/WHEEL,sha256=mffPy8wBnZQn2VnJUU5jE99KsxaSfiyMHV9Yt0aLVxs,87
+ssl_provisioning-1.0.0.dist-info/entry_points.txt,sha256=3Zfy1xTI7P5pr9wRhZHaPVfSVCHPcF22KRCT0-Cubyg,42
+ssl_provisioning-1.0.0.dist-info/RECORD,,

ssl_provisioning-1.0.0.dist-info/WHEEL

@@ -0,0 +1,4 @@
+Wheel-Version: 1.0
+Generator: hatchling 1.30.1
+Root-Is-Purelib: true
+Tag: py3-none-any

ssl_provisioning-1.0.0.dist-info/entry_points.txt

@@ -0,0 +1,2 @@
+[console_scripts]
+sslpv = sslpv.main:main

sslpv/__init__.py

@@ -0,0 +1,3 @@
+"""sslpv: SSL certificate provisioning server and client."""
+
+__version__ = "1.0.0"

sslpv/dependencies.py

@@ -0,0 +1,176 @@
+"""FastAPI dependencies: authentication and rate limiting."""
+
+import base64
+import time
+from typing import Any
+
+from cryptography.hazmat.primitives.asymmetric import x25519
+from fastapi import Depends, HTTPException, Request
+
+from sslpv.utils.crypto import verify_challenge, verify_proof
+
+# Challenge TTL in seconds
+TTL = 60
+
+# Maximum allowed clock skew between client and server
+_CLOCK_SKEW = 5
+
+
+def _parse_auth_header(authorization: str) -> tuple[str, int, str, str]:
+    """Parse a Bearer token of the form ``Bearer v1.<nonce>.<ts>.<sig>.<proof>``.
+
+    Args:
+        authorization(str): Raw Authorization header value.
+
+    Return:
+        parts(tuple): ``(nonce_b64, issue_ts, sig_b64, proof_b64)``.
+
+    Raises:
+        HTTPException: 401 if the header is missing, malformed, or wrong version.
+    """
+    if not authorization or not authorization.startswith("Bearer "):
+        raise HTTPException(401, "unauthorized")
+
+    token = authorization[len("Bearer "):]
+
+    if not token.startswith("v1."):
+        raise HTTPException(401, "unauthorized")
+
+    body = token[len("v1."):]
+    # nonce_b64, issue_ts, sig_b64, proof_b64 — base64 segments never contain '.'
+    parts = body.split(".")
+    if len(parts) != 4:
+        raise HTTPException(401, "unauthorized")
+
+    nonce_b64, ts_str, sig_b64, proof_b64 = parts
+
+    try:
+        issue_ts = int(ts_str)
+    except ValueError:
+        raise HTTPException(401, "unauthorized")
+
+    return nonce_b64, issue_ts, sig_b64, proof_b64
+
+
+def _parse_client_pubkey(header_value: str) -> tuple[bytes, str]:
+    """Decode and validate the X-Client-Pubkey header.
+
+    Args:
+        header_value(str): Base64-encoded 32-byte X25519 public key.
+
+    Return:
+        result(tuple): ``(raw_bytes, b64_string)``.
+
+    Raises:
+        HTTPException: 400 if the header is missing, not valid base64, or not 32 bytes.
+    """
+    try:
+        raw = base64.b64decode(header_value, validate=True)
+    except Exception:
+        raise HTTPException(400, "invalid X-Client-Pubkey header")
+
+    if len(raw) != 32:
+        raise HTTPException(400, "invalid X-Client-Pubkey header")
+
+    try:
+        x25519.X25519PublicKey.from_public_bytes(raw)
+    except Exception:
+        raise HTTPException(400, "invalid X-Client-Pubkey header")
+
+    return raw, header_value
+
+
+def _get_client_ip(request: Request, trusted_proxies: list[str]) -> str:
+    """Determine the real client IP, honouring trusted proxy forwarding.
+
+    Args:
+        request(Request): The incoming FastAPI request.
+        trusted_proxies(list[str]): IP addresses of trusted reverse proxies.
+
+    Return:
+        ip(str): The effective client IP address.
+    """
+    direct_ip = request.client.host if request.client else "unknown"
+    if direct_ip in trusted_proxies:
+        forwarded = request.headers.get("X-Forwarded-For", "")
+        first = forwarded.split(",")[0].strip()
+        if first:
+            return first
+    return direct_ip
+
+
+async def verify_auth(request: Request) -> dict[str, Any]:
+    """FastAPI dependency that authenticates and rate-limits every protected request.
+
+    Authentication steps (order is security-critical):
+    1. Determine real client IP; apply rate limiting.
+    2. Parse Authorization header (Bearer v1 token) and X-Client-Pubkey header.
+    3. Verify challenge signature.
+    4. Verify token freshness (TTL and clock skew).
+    5. Check nonce has not been spent.
+    6. Verify API-key proof (bound to method, path, nonce, pubkey).
+    7. Mark nonce as spent; return auth context.
+
+    All 401 failures return the same message ("unauthorized") to avoid oracles.
+
+    Args:
+        request(Request): The incoming FastAPI request.
+
+    Return:
+        auth(dict): ``{"apikey": str, "client_pubkey": bytes}``.
+
+    Raises:
+        HTTPException: 401 for auth failures, 429 for rate limiting, 400 for bad headers.
+    """
+    config = request.app.state.config
+    server_secret: bytes = request.app.state.server_secret
+    spent_nonces = request.app.state.spent_nonces
+    rate_limiter = request.app.state.rate_limiter
+
+    # Step a: rate limiting
+    ip = _get_client_ip(request, config.trusted_proxies)
+    if not rate_limiter.allow(ip):
+        raise HTTPException(429, "rate limited")
+
+    # Step b: parse Authorization header
+    authorization = request.headers.get("Authorization", "")
+    nonce_b64, issue_ts, sig_b64, proof_b64 = _parse_auth_header(authorization)
+
+    client_pubkey_header = request.headers.get("X-Client-Pubkey", "")
+    if not client_pubkey_header:
+        raise HTTPException(400, "invalid X-Client-Pubkey header")
+    client_pubkey_raw, client_pubkey_b64 = _parse_client_pubkey(client_pubkey_header)
+
+    # Step c: verify challenge signature
+    if not verify_challenge(server_secret, nonce_b64, issue_ts, sig_b64):
+        raise HTTPException(401, "unauthorized")
+
+    # Step d: check expiry and clock skew
+    now = int(time.time())
+    if now - issue_ts > TTL:
+        raise HTTPException(401, "unauthorized")
+    if issue_ts > now + _CLOCK_SKEW:
+        raise HTTPException(401, "unauthorized")
+
+    # Step e: check spent nonce
+    if spent_nonces.contains(nonce_b64):
+        raise HTTPException(401, "unauthorized")
+
+    # Step f: verify proof (bound to method, path, nonce, pubkey, apikey)
+    matched_apikey = verify_proof(
+        proof_b64,
+        config.apikeys,
+        request.method,
+        request.url.path,
+        nonce_b64,
+        issue_ts,
+        client_pubkey_b64,
+    )
+    if matched_apikey is None:
+        # Do NOT mark the nonce as spent — the attacker has not authenticated
+        raise HTTPException(401, "unauthorized")
+
+    # Step g: mark nonce spent and return auth context
+    spent_nonces.add(nonce_b64, expiry=issue_ts + TTL)
+
+    return {"apikey": matched_apikey, "client_pubkey": client_pubkey_raw}

sslpv/main.py

@@ -0,0 +1,185 @@
+"""CLI entry point for sslpv.
+
+Provides two subcommands:
+  sslpv server --config /path/to/config.json
+  sslpv client --server URL --key PATH --cert PATH --privkey PATH [options]
+"""
+
+import argparse
+import sys
+from typing import Optional
+
+from sslpv import __version__
+from sslpv.services.client import run_client
+from sslpv.services.server import run_server
+from sslpv.utils.logging import print_message, setup_logging
+
+
+def build_parser() -> argparse.ArgumentParser:
+    """Build and return the top-level argument parser.
+
+    Return:
+        parser(argparse.ArgumentParser): Configured argument parser with
+            server and client subcommands.
+    """
+    parser = argparse.ArgumentParser(
+        prog="sslpv",
+        description="SSL certificate provisioning tool.",
+    )
+    parser.add_argument(
+        "--version",
+        action="store_true",
+        default=False,
+        help="Print version and exit.",
+    )
+
+    subparsers = parser.add_subparsers(dest="subcommand")
+
+    # server subcommand
+    server_parser = subparsers.add_parser(
+        "server",
+        help="Run the sslpv provisioning server.",
+    )
+    server_parser.add_argument(
+        "--config",
+        required=True,
+        metavar="PATH",
+        help="Path to the JSON server config file.",
+    )
+
+    # client subcommand
+    client_parser = subparsers.add_parser(
+        "client",
+        help="Fetch a certificate and private key from a running sslpv server.",
+    )
+    client_parser.add_argument(
+        "--server",
+        required=True,
+        metavar="URL",
+        help="Server base URL (must be https, e.g. https://example.com:1243).",
+    )
+    client_parser.add_argument(
+        "--key",
+        required=True,
+        metavar="PATH",
+        help="Path to a file containing the API key.",
+    )
+    client_parser.add_argument(
+        "--cert",
+        required=True,
+        metavar="PATH",
+        help="Destination path for the retrieved PEM certificate.",
+    )
+    client_parser.add_argument(
+        "--privkey",
+        required=True,
+        metavar="PATH",
+        help="Destination path for the retrieved PEM private key.",
+    )
+    client_parser.add_argument(
+        "--insecure",
+        action="store_true",
+        default=False,
+        help="Disable TLS certificate verification (dangerous; not recommended).",
+    )
+    client_parser.add_argument(
+        "--ca-cert",
+        metavar="PATH",
+        default=None,
+        help="Path to a PEM CA bundle to use for TLS verification.",
+    )
+    client_parser.add_argument(
+        "--pin-sha256",
+        metavar="HEX",
+        default=None,
+        help="Expected SHA-256 hex fingerprint of the server leaf certificate.",
+    )
+    client_parser.add_argument(
+        "--timeout",
+        type=float,
+        default=30.0,
+        metavar="SECONDS",
+        help="Per-request timeout in seconds (default: 30.0).",
+    )
+
+    return parser
+
+
+def _run_server_subcommand(args: argparse.Namespace) -> int:
+    """Handle the 'server' subcommand.
+
+    Args:
+        args(argparse.Namespace): Parsed arguments containing config path.
+
+    Return:
+        exit_code(int): 0 on clean exit, 1 on error.
+    """
+    try:
+        run_server(args.config)
+        return 0
+    except KeyboardInterrupt:
+        print_message("Server stopped.", "fg:ansigreen")
+        return 0
+    except Exception as exc:
+        print_message(f"Error: {exc}", "fg:ansired")
+        return 1
+
+
+def _run_client_subcommand(args: argparse.Namespace) -> int:
+    """Handle the 'client' subcommand.
+
+    Args:
+        args(argparse.Namespace): Parsed arguments for the client.
+
+    Return:
+        exit_code(int): Exit code returned by run_client (0 = success).
+    """
+    return run_client(
+        server=args.server,
+        key_path=args.key,
+        cert_path=args.cert,
+        privkey_path=args.privkey,
+        insecure=args.insecure,
+        ca_cert=args.ca_cert,
+        pin_sha256=args.pin_sha256,
+        timeout=args.timeout,
+    )
+
+
+def main(argv: Optional[list[str]] = None) -> int:
+    """CLI entry point for sslpv.
+
+    Parses arguments, sets up logging, and dispatches to the appropriate
+    subcommand handler. Returns an integer exit code suitable for
+    sys.exit().
+
+    Args:
+        argv(list[str], optional): Argument list; uses sys.argv[1:] when None.
+
+    Return:
+        exit_code(int): 0 on success, 1 on error, 2 when no subcommand given.
+    """
+    setup_logging()
+    parser = build_parser()
+    args = parser.parse_args(argv)
+
+    if args.version:
+        print_message(f"sslpv {__version__}")
+        return 0
+
+    if args.subcommand is None:
+        parser.print_help()
+        return 2
+
+    if args.subcommand == "server":
+        return _run_server_subcommand(args)
+
+    if args.subcommand == "client":
+        return _run_client_subcommand(args)
+
+    # Unreachable, but satisfies exhaustiveness.
+    return 2
+
+
+if __name__ == "__main__":
+    raise SystemExit(main())

sslpv/models/config.py

@@ -0,0 +1,67 @@
+"""Server configuration model."""
+
+from typing import Optional
+
+from pydantic import BaseModel
+
+
+class ServerConfig(BaseModel):
+    """Server configuration loaded from a JSON config file.
+
+    Args:
+        fullchain(str): Path to the PEM fullchain certificate file served to clients.
+        privkey(str): Path to the PEM private key file served to clients.
+        apikeys(list[str]): List of authorized API keys.
+        host(str): Host address to bind. Defaults to "0.0.0.0".
+        port(int): Port to bind. Defaults to 1243.
+        server_certfile(Optional[str]): Path to the TLS certificate for the server
+            itself. Falls back to ``fullchain`` when not set.
+        server_keyfile(Optional[str]): Path to the TLS private key for the server
+            itself. Falls back to ``privkey`` when not set.
+        trusted_proxies(list[str]): IP addresses of trusted reverse proxies whose
+            X-Forwarded-For header is used to determine the real client IP.
+    """
+
+    fullchain: str
+    privkey: str
+    apikeys: list[str]
+    host: str = "0.0.0.0"
+    port: int = 1243
+    server_certfile: Optional[str] = None
+    server_keyfile: Optional[str] = None
+    trusted_proxies: list[str] = []
+
+    model_config = {
+        "json_schema_extra": {
+            "examples": [
+                {
+                    "fullchain": "/etc/ssl/certs/fullchain.pem",
+                    "privkey": "/etc/ssl/private/privkey.pem",
+                    "apikeys": ["changeme-replace-with-a-strong-random-key"],
+                    "host": "0.0.0.0",
+                    "port": 1243,
+                    "server_certfile": None,
+                    "server_keyfile": None,
+                    "trusted_proxies": ["127.0.0.1"],
+                }
+            ]
+        }
+    }
+
+    @property
+    def tls_certfile(self) -> str:
+        """Return the TLS certificate path for the server (server_certfile or fullchain).
+
+        Return:
+            path(str): Effective TLS certificate file path.
+        """
+        return self.server_certfile or self.fullchain
+
+    @property
+    def tls_keyfile(self) -> str:
+        """Return the TLS key path for the server (server_keyfile or privkey).
+
+        Return:
+            path(str): Effective TLS key file path.
+        """
+        return self.server_keyfile or self.privkey

sslpv/response.py

@@ -0,0 +1,41 @@
+"""Standard API response envelope and helper.
+
+Every endpoint returns the unified ``{"status", "message", "data"}`` envelope through
+:func:`make_response`. No endpoint returns a raw value or a bare model.
+"""
+
+from typing import Any, Optional
+
+from fastapi.responses import JSONResponse
+from pydantic import BaseModel
+
+
+class APIResponse(BaseModel):
+    """Standard API response envelope.
+
+    Args:
+        status(int): HTTP status code.
+        message(str): Human-readable message.
+        data(Any): Response payload (dict, list, or None).
+    """
+
+    status: int
+    message: str
+    data: Optional[Any] = None
+
+
+def make_response(status: int, message: str, data: Any = None) -> JSONResponse:
+    """Build a standard JSON response.
+
+    Args:
+        status(int): HTTP status code.
+        message(str): Human-readable message.
+        data(Any, optional): Response payload.
+
+    Return:
+        response(JSONResponse): FastAPI JSONResponse with the unified format.
+    """
+    return JSONResponse(
+        status_code=status,
+        content={"status": status, "message": message, "data": data},
+    )