flwr-nightly 1.14.0.dev20241209__py3-none-any.whl → 1.14.0.dev20241211__py3-none-any.whl

flwr/cli/utils.py

@@ -15,12 +15,32 @@
 """Flower command line interface utils."""
 
 import hashlib
+import json
 import re
+from logging import DEBUG
 from pathlib import Path
-from typing import Callable, Optional, cast
+from typing import Any, Callable, Optional, cast
 
+import grpc
 import typer
 
+from flwr.cli.cli_user_auth_interceptor import CliUserAuthInterceptor
+from flwr.common.address import parse_address
+from flwr.common.auth_plugin import CliAuthPlugin
+from flwr.common.constant import AUTH_TYPE, CREDENTIALS_DIR, FLWR_DIR
+from flwr.common.grpc import GRPC_MAX_MESSAGE_LENGTH, create_channel
+from flwr.common.logger import log
+
+from .config_utils import validate_certificate_in_federation_config
+
+try:
+    from flwr.ee import get_cli_auth_plugins
+except ImportError:
+
+    def get_cli_auth_plugins() -> dict[str, type[CliAuthPlugin]]:
+        """Return all CLI authentication plugins."""
+        raise NotImplementedError("No authentication plugins are currently supported.")
+
 
 def prompt_text(
     text: str,
@@ -136,3 +156,90 @@ def get_sha256_hash(file_path: Path) -> str:
                 break
             sha256.update(data)
     return sha256.hexdigest()
+
+
+def get_user_auth_config_path(
+    root_dir: Path, federation: str, server_address: str
+) -> Path:
+    """Return the path to the user auth config file."""
+    # Parse the server address
+    parsed_addr = parse_address(server_address)
+    if parsed_addr is None:
+        raise ValueError(f"Invalid server address: {server_address}")
+    host, port, is_v6 = parsed_addr
+    formatted_addr = f"[{host}]_{port}" if is_v6 else f"{host}_{port}"
+
+    # Locate the credentials directory
+    credentials_dir = root_dir.absolute() / FLWR_DIR / CREDENTIALS_DIR
+    credentials_dir.mkdir(parents=True, exist_ok=True)
+    return credentials_dir / f"{federation}_{formatted_addr}.json"
+
+
+def try_obtain_cli_auth_plugin(
+    root_dir: Path,
+    federation: str,
+    federation_config: dict[str, Any],
+    auth_type: Optional[str] = None,
+) -> Optional[CliAuthPlugin]:
+    """Load the CLI-side user auth plugin for the given auth type."""
+    config_path = get_user_auth_config_path(
+        root_dir, federation, federation_config["address"]
+    )
+
+    # Load the config file if it exists
+    config: dict[str, Any] = {}
+    if config_path.exists():
+        with config_path.open("r", encoding="utf-8") as file:
+            config = json.load(file)
+    # This is the case when the user auth is not enabled
+    elif auth_type is None:
+        return None
+
+    # Get the auth type from the config if not provided
+    if auth_type is None:
+        if AUTH_TYPE not in config:
+            return None
+        auth_type = config[AUTH_TYPE]
+
+    # Retrieve auth plugin class and instantiate it
+    try:
+        all_plugins: dict[str, type[CliAuthPlugin]] = get_cli_auth_plugins()
+        auth_plugin_class = all_plugins[auth_type]
+        return auth_plugin_class(config_path)
+    except KeyError:
+        typer.echo(f"❌ Unknown user authentication type: {auth_type}")
+        raise typer.Exit(code=1) from None
+    except ImportError:
+        typer.echo("❌ No authentication plugins are currently supported.")
+        raise typer.Exit(code=1) from None
+
+
+def init_channel(
+    app: Path, federation_config: dict[str, Any], auth_plugin: Optional[CliAuthPlugin]
+) -> grpc.Channel:
+    """Initialize gRPC channel to the Exec API."""
+
+    def on_channel_state_change(channel_connectivity: str) -> None:
+        """Log channel connectivity."""
+        log(DEBUG, channel_connectivity)
+
+    insecure, root_certificates_bytes = validate_certificate_in_federation_config(
+        app, federation_config
+    )
+
+    # Initialize the CLI-side user auth interceptor
+    interceptors: list[grpc.UnaryUnaryClientInterceptor] = []
+    if auth_plugin is not None:
+        auth_plugin.load_tokens()
+        interceptors = CliUserAuthInterceptor(auth_plugin)
+
+    # Create the gRPC channel
+    channel = create_channel(
+        server_address=federation_config["address"],
+        insecure=insecure,
+        root_certificates=root_certificates_bytes,
+        max_message_length=GRPC_MAX_MESSAGE_LENGTH,
+        interceptors=interceptors or None,
+    )
+    channel.subscribe(on_channel_state_change)
+    return channel

flwr/common/auth_plugin/__init__.py

@@ -0,0 +1,24 @@
+# Copyright 2024 Flower Labs GmbH. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ==============================================================================
+"""Auth plugin components."""
+
+
+from .auth_plugin import CliAuthPlugin as CliAuthPlugin
+from .auth_plugin import ExecAuthPlugin as ExecAuthPlugin
+
+__all__ = [
+    "CliAuthPlugin",
+    "ExecAuthPlugin",
+]

flwr/common/auth_plugin/auth_plugin.py

@@ -0,0 +1,111 @@
+# Copyright 2024 Flower Labs GmbH. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ==============================================================================
+"""Abstract classes for Flower User Auth Plugin."""
+
+
+from abc import ABC, abstractmethod
+from collections.abc import Sequence
+from pathlib import Path
+from typing import Any, Optional, Union
+
+from flwr.proto.exec_pb2_grpc import ExecStub
+
+
+class ExecAuthPlugin(ABC):
+    """Abstract Flower Auth Plugin class for ExecServicer.
+
+    Parameters
+    ----------
+    config : dict[str, Any]
+        The authentication configuration loaded from a YAML file.
+    """
+
+    @abstractmethod
+    def __init__(self, config: dict[str, Any]):
+        """Abstract constructor."""
+
+    @abstractmethod
+    def get_login_details(self) -> dict[str, str]:
+        """Get the login details."""
+
+    @abstractmethod
+    def validate_tokens_in_metadata(
+        self, metadata: Sequence[tuple[str, Union[str, bytes]]]
+    ) -> bool:
+        """Validate authentication tokens in the provided metadata."""
+
+    @abstractmethod
+    def get_auth_tokens(self, auth_details: dict[str, str]) -> dict[str, str]:
+        """Get authentication tokens."""
+
+    @abstractmethod
+    def refresh_tokens(
+        self, metadata: Sequence[tuple[str, Union[str, bytes]]]
+    ) -> Optional[Sequence[tuple[str, Union[str, bytes]]]]:
+        """Refresh authentication tokens in the provided metadata."""
+
+
+class CliAuthPlugin(ABC):
+    """Abstract Flower Auth Plugin class for CLI.
+
+    Parameters
+    ----------
+    user_auth_config_path : Path
+        The path to the user's authentication configuration file.
+    """
+
+    @staticmethod
+    @abstractmethod
+    def login(
+        login_details: dict[str, str],
+        exec_stub: ExecStub,
+    ) -> dict[str, Any]:
+        """Authenticate the user with the SuperLink.
+
+        Parameters
+        ----------
+        login_details : dict[str, str]
+            A dictionary containing the user's login details.
+        exec_stub : ExecStub
+            An instance of `ExecStub` used for communication with the SuperLink.
+
+        Returns
+        -------
+        user_auth_config : dict[str, Any]
+            A dictionary containing the user's authentication configuration
+            in JSON format.
+        """
+
+    @abstractmethod
+    def __init__(self, user_auth_config_path: Path):
+        """Abstract constructor."""
+
+    @abstractmethod
+    def store_tokens(self, user_auth_config: dict[str, Any]) -> None:
+        """Store authentication tokens from the provided user_auth_config.
+
+        The configuration, including tokens, will be saved as a JSON file
+        at `user_auth_config_path`.
+        """
+
+    @abstractmethod
+    def load_tokens(self) -> None:
+        """Load authentication tokens from the user_auth_config_path."""
+
+    @abstractmethod
+    def write_tokens_to_metadata(
+        self, metadata: Sequence[tuple[str, Union[str, bytes]]]
+    ) -> Sequence[tuple[str, Union[str, bytes]]]:
+        """Write authentication tokens to the provided metadata."""

flwr/common/config.py

@@ -27,6 +27,7 @@ from flwr.common.constant import (
     APP_DIR,
     FAB_CONFIG_FILE,
     FAB_HASH_TRUNCATION,
+    FLWR_DIR,
     FLWR_HOME,
 )
 from flwr.common.typing import Run, UserConfig, UserConfigValue
@@ -38,7 +39,7 @@ def get_flwr_dir(provided_path: Optional[str] = None) -> Path:
         return Path(
             os.getenv(
                 FLWR_HOME,
-                Path(f"{os.getenv('XDG_DATA_HOME', os.getenv('HOME'))}") / ".flwr",
+                Path(f"{os.getenv('XDG_DATA_HOME', os.getenv('HOME'))}") / FLWR_DIR,
             )
         )
     return Path(provided_path).absolute()

flwr/common/constant.py

@@ -80,7 +80,8 @@ FAB_ALLOWED_EXTENSIONS = {".py", ".toml", ".md"}
 FAB_CONFIG_FILE = "pyproject.toml"
 FAB_DATE = (2024, 10, 1, 0, 0, 0)
 FAB_HASH_TRUNCATION = 8
-FLWR_HOME = "FLWR_HOME"
+FLWR_DIR = ".flwr"  # The default Flower directory: ~/.flwr/
+FLWR_HOME = "FLWR_HOME"  # If set, override the default Flower directory
 
 # Constants entries in Node config for Simulation
 PARTITION_ID_KEY = "partition-id"
@@ -110,6 +111,10 @@ LOG_UPLOAD_INTERVAL = 0.2  # Minimum interval between two log uploads
 # Retry configurations
 MAX_RETRY_DELAY = 20  # Maximum delay duration between two consecutive retries.
 
+# Constants for user authentication
+CREDENTIALS_DIR = ".credentials"
+AUTH_TYPE = "auth_type"
+
 
 class MessageType:
     """Message type."""

flwr/common/secure_aggregation/secaggplus_utils.py

@@ -93,8 +93,8 @@ def pseudo_rand_gen(
     output = []
     for dimension in dimensions_list:
         if len(dimension) == 0:
-            arr = np.array(gen.randint(0, num_range - 1), dtype=int)
+            arr = np.array(gen.randint(0, num_range - 1), dtype=np.int64)
         else:
-            arr = gen.randint(0, num_range - 1, dimension)
+            arr = gen.randint(0, num_range - 1, dimension, dtype=np.int64)
         output.append(arr)
     return output

flwr/common/telemetry.py

@@ -27,6 +27,7 @@ from enum import Enum, auto
 from pathlib import Path
 from typing import Any, Optional, Union, cast
 
+from flwr.common.constant import FLWR_DIR
 from flwr.common.version import package_name, package_version
 
 FLWR_TELEMETRY_ENABLED = os.getenv("FLWR_TELEMETRY_ENABLED", "1")
@@ -86,7 +87,7 @@ def _get_source_id() -> str:
         # If the home directory can’t be resolved, RuntimeError is raised.
         return source_id
 
-    flwr_dir = home.joinpath(".flwr")
+    flwr_dir = home.joinpath(FLWR_DIR)
     # Create .flwr directory if it does not exist yet.
     try:
         flwr_dir.mkdir(parents=True, exist_ok=True)

flwr/proto/serverappio_pb2.py

@@ -20,7 +20,7 @@ from flwr.proto import run_pb2 as flwr_dot_proto_dot_run__pb2
 from flwr.proto import fab_pb2 as flwr_dot_proto_dot_fab__pb2
 
 
-DESCRIPTOR = _descriptor_pool.Default().AddSerializedFile(b'\n\x1c\x66lwr/proto/serverappio.proto\x12\nflwr.proto\x1a\x14\x66lwr/proto/log.proto\x1a\x15\x66lwr/proto/node.proto\x1a\x18\x66lwr/proto/message.proto\x1a\x15\x66lwr/proto/task.proto\x1a\x14\x66lwr/proto/run.proto\x1a\x14\x66lwr/proto/fab.proto\"!\n\x0fGetNodesRequest\x12\x0e\n\x06run_id\x18\x01 \x01(\x04\"3\n\x10GetNodesResponse\x12\x1f\n\x05nodes\x18\x01 \x03(\x0b\x32\x10.flwr.proto.Node\"@\n\x12PushTaskInsRequest\x12*\n\rtask_ins_list\x18\x01 \x03(\x0b\x32\x13.flwr.proto.TaskIns\"\'\n\x13PushTaskInsResponse\x12\x10\n\x08task_ids\x18\x02 \x03(\t\"F\n\x12PullTaskResRequest\x12\x1e\n\x04node\x18\x01 \x01(\x0b\x32\x10.flwr.proto.Node\x12\x10\n\x08task_ids\x18\x02 \x03(\t\"A\n\x13PullTaskResResponse\x12*\n\rtask_res_list\x18\x01 \x03(\x0b\x32\x13.flwr.proto.TaskRes\"\x1c\n\x1aPullServerAppInputsRequest\"\x7f\n\x1bPullServerAppInputsResponse\x12$\n\x07\x63ontext\x18\x01 \x01(\x0b\x32\x13.flwr.proto.Context\x12\x1c\n\x03run\x18\x02 \x01(\x0b\x32\x0f.flwr.proto.Run\x12\x1c\n\x03\x66\x61\x62\x18\x03 \x01(\x0b\x32\x0f.flwr.proto.Fab\"S\n\x1bPushServerAppOutputsRequest\x12\x0e\n\x06run_id\x18\x01 \x01(\x04\x12$\n\x07\x63ontext\x18\x02 \x01(\x0b\x32\x13.flwr.proto.Context\"\x1e\n\x1cPushServerAppOutputsResponse2\xca\x06\n\x0bServerAppIo\x12J\n\tCreateRun\x12\x1c.flwr.proto.CreateRunRequest\x1a\x1d.flwr.proto.CreateRunResponse\"\x00\x12G\n\x08GetNodes\x12\x1b.flwr.proto.GetNodesRequest\x1a\x1c.flwr.proto.GetNodesResponse\"\x00\x12P\n\x0bPushTaskIns\x12\x1e.flwr.proto.PushTaskInsRequest\x1a\x1f.flwr.proto.PushTaskInsResponse\"\x00\x12P\n\x0bPullTaskRes\x12\x1e.flwr.proto.PullTaskResRequest\x1a\x1f.flwr.proto.PullTaskResResponse\"\x00\x12\x41\n\x06GetRun\x12\x19.flwr.proto.GetRunRequest\x1a\x1a.flwr.proto.GetRunResponse\"\x00\x12\x41\n\x06GetFab\x12\x19.flwr.proto.GetFabRequest\x1a\x1a.flwr.proto.GetFabResponse\"\x00\x12h\n\x13PullServerAppInputs\x12&.flwr.proto.PullServerAppInputsRequest\x1a\'.flwr.proto.PullServerAppInputsResponse\"\x00\x12k\n\x14PushServerAppOutputs\x12\'.flwr.proto.PushServerAppOutputsRequest\x1a(.flwr.proto.PushServerAppOutputsResponse\"\x00\x12\\\n\x0fUpdateRunStatus\x12\".flwr.proto.UpdateRunStatusRequest\x1a#.flwr.proto.UpdateRunStatusResponse\"\x00\x12G\n\x08PushLogs\x12\x1b.flwr.proto.PushLogsRequest\x1a\x1c.flwr.proto.PushLogsResponse\"\x00\x62\x06proto3')
+DESCRIPTOR = _descriptor_pool.Default().AddSerializedFile(b'\n\x1c\x66lwr/proto/serverappio.proto\x12\nflwr.proto\x1a\x14\x66lwr/proto/log.proto\x1a\x15\x66lwr/proto/node.proto\x1a\x18\x66lwr/proto/message.proto\x1a\x15\x66lwr/proto/task.proto\x1a\x14\x66lwr/proto/run.proto\x1a\x14\x66lwr/proto/fab.proto\"!\n\x0fGetNodesRequest\x12\x0e\n\x06run_id\x18\x01 \x01(\x04\"3\n\x10GetNodesResponse\x12\x1f\n\x05nodes\x18\x01 \x03(\x0b\x32\x10.flwr.proto.Node\"P\n\x12PushTaskInsRequest\x12*\n\rtask_ins_list\x18\x01 \x03(\x0b\x32\x13.flwr.proto.TaskIns\x12\x0e\n\x06run_id\x18\x02 \x01(\x04\"\'\n\x13PushTaskInsResponse\x12\x10\n\x08task_ids\x18\x02 \x03(\t\"V\n\x12PullTaskResRequest\x12\x1e\n\x04node\x18\x01 \x01(\x0b\x32\x10.flwr.proto.Node\x12\x10\n\x08task_ids\x18\x02 \x03(\t\x12\x0e\n\x06run_id\x18\x03 \x01(\x04\"A\n\x13PullTaskResResponse\x12*\n\rtask_res_list\x18\x01 \x03(\x0b\x32\x13.flwr.proto.TaskRes\"\x1c\n\x1aPullServerAppInputsRequest\"\x7f\n\x1bPullServerAppInputsResponse\x12$\n\x07\x63ontext\x18\x01 \x01(\x0b\x32\x13.flwr.proto.Context\x12\x1c\n\x03run\x18\x02 \x01(\x0b\x32\x0f.flwr.proto.Run\x12\x1c\n\x03\x66\x61\x62\x18\x03 \x01(\x0b\x32\x0f.flwr.proto.Fab\"S\n\x1bPushServerAppOutputsRequest\x12\x0e\n\x06run_id\x18\x01 \x01(\x04\x12$\n\x07\x63ontext\x18\x02 \x01(\x0b\x32\x13.flwr.proto.Context\"\x1e\n\x1cPushServerAppOutputsResponse2\x9f\x07\n\x0bServerAppIo\x12J\n\tCreateRun\x12\x1c.flwr.proto.CreateRunRequest\x1a\x1d.flwr.proto.CreateRunResponse\"\x00\x12G\n\x08GetNodes\x12\x1b.flwr.proto.GetNodesRequest\x1a\x1c.flwr.proto.GetNodesResponse\"\x00\x12P\n\x0bPushTaskIns\x12\x1e.flwr.proto.PushTaskInsRequest\x1a\x1f.flwr.proto.PushTaskInsResponse\"\x00\x12P\n\x0bPullTaskRes\x12\x1e.flwr.proto.PullTaskResRequest\x1a\x1f.flwr.proto.PullTaskResResponse\"\x00\x12\x41\n\x06GetRun\x12\x19.flwr.proto.GetRunRequest\x1a\x1a.flwr.proto.GetRunResponse\"\x00\x12\x41\n\x06GetFab\x12\x19.flwr.proto.GetFabRequest\x1a\x1a.flwr.proto.GetFabResponse\"\x00\x12h\n\x13PullServerAppInputs\x12&.flwr.proto.PullServerAppInputsRequest\x1a\'.flwr.proto.PullServerAppInputsResponse\"\x00\x12k\n\x14PushServerAppOutputs\x12\'.flwr.proto.PushServerAppOutputsRequest\x1a(.flwr.proto.PushServerAppOutputsResponse\"\x00\x12\\\n\x0fUpdateRunStatus\x12\".flwr.proto.UpdateRunStatusRequest\x1a#.flwr.proto.UpdateRunStatusResponse\"\x00\x12S\n\x0cGetRunStatus\x12\x1f.flwr.proto.GetRunStatusRequest\x1a .flwr.proto.GetRunStatusResponse\"\x00\x12G\n\x08PushLogs\x12\x1b.flwr.proto.PushLogsRequest\x1a\x1c.flwr.proto.PushLogsResponse\"\x00\x62\x06proto3')
 
 _globals = globals()
 _builder.BuildMessageAndEnumDescriptors(DESCRIPTOR, _globals)
@@ -32,21 +32,21 @@ if _descriptor._USE_C_DESCRIPTORS == False:
   _globals['_GETNODESRESPONSE']._serialized_start=217
   _globals['_GETNODESRESPONSE']._serialized_end=268
   _globals['_PUSHTASKINSREQUEST']._serialized_start=270
-  _globals['_PUSHTASKINSREQUEST']._serialized_end=334
-  _globals['_PUSHTASKINSRESPONSE']._serialized_start=336
-  _globals['_PUSHTASKINSRESPONSE']._serialized_end=375
-  _globals['_PULLTASKRESREQUEST']._serialized_start=377
-  _globals['_PULLTASKRESREQUEST']._serialized_end=447
-  _globals['_PULLTASKRESRESPONSE']._serialized_start=449
-  _globals['_PULLTASKRESRESPONSE']._serialized_end=514
-  _globals['_PULLSERVERAPPINPUTSREQUEST']._serialized_start=516
-  _globals['_PULLSERVERAPPINPUTSREQUEST']._serialized_end=544
-  _globals['_PULLSERVERAPPINPUTSRESPONSE']._serialized_start=546
-  _globals['_PULLSERVERAPPINPUTSRESPONSE']._serialized_end=673
-  _globals['_PUSHSERVERAPPOUTPUTSREQUEST']._serialized_start=675
-  _globals['_PUSHSERVERAPPOUTPUTSREQUEST']._serialized_end=758
-  _globals['_PUSHSERVERAPPOUTPUTSRESPONSE']._serialized_start=760
-  _globals['_PUSHSERVERAPPOUTPUTSRESPONSE']._serialized_end=790
-  _globals['_SERVERAPPIO']._serialized_start=793
-  _globals['_SERVERAPPIO']._serialized_end=1635
+  _globals['_PUSHTASKINSREQUEST']._serialized_end=350
+  _globals['_PUSHTASKINSRESPONSE']._serialized_start=352
+  _globals['_PUSHTASKINSRESPONSE']._serialized_end=391
+  _globals['_PULLTASKRESREQUEST']._serialized_start=393
+  _globals['_PULLTASKRESREQUEST']._serialized_end=479
+  _globals['_PULLTASKRESRESPONSE']._serialized_start=481
+  _globals['_PULLTASKRESRESPONSE']._serialized_end=546
+  _globals['_PULLSERVERAPPINPUTSREQUEST']._serialized_start=548
+  _globals['_PULLSERVERAPPINPUTSREQUEST']._serialized_end=576
+  _globals['_PULLSERVERAPPINPUTSRESPONSE']._serialized_start=578
+  _globals['_PULLSERVERAPPINPUTSRESPONSE']._serialized_end=705
+  _globals['_PUSHSERVERAPPOUTPUTSREQUEST']._serialized_start=707
+  _globals['_PUSHSERVERAPPOUTPUTSREQUEST']._serialized_end=790
+  _globals['_PUSHSERVERAPPOUTPUTSRESPONSE']._serialized_start=792
+  _globals['_PUSHSERVERAPPOUTPUTSRESPONSE']._serialized_end=822
+  _globals['_SERVERAPPIO']._serialized_start=825
+  _globals['_SERVERAPPIO']._serialized_end=1752
 # @@protoc_insertion_point(module_scope)

flwr/proto/serverappio_pb2.pyi

@@ -44,13 +44,16 @@ class PushTaskInsRequest(google.protobuf.message.Message):
     """PushTaskIns messages"""
     DESCRIPTOR: google.protobuf.descriptor.Descriptor
     TASK_INS_LIST_FIELD_NUMBER: builtins.int
+    RUN_ID_FIELD_NUMBER: builtins.int
     @property
     def task_ins_list(self) -> google.protobuf.internal.containers.RepeatedCompositeFieldContainer[flwr.proto.task_pb2.TaskIns]: ...
+    run_id: builtins.int
     def __init__(self,
         *,
         task_ins_list: typing.Optional[typing.Iterable[flwr.proto.task_pb2.TaskIns]] = ...,
+        run_id: builtins.int = ...,
         ) -> None: ...
-    def ClearField(self, field_name: typing_extensions.Literal["task_ins_list",b"task_ins_list"]) -> None: ...
+    def ClearField(self, field_name: typing_extensions.Literal["run_id",b"run_id","task_ins_list",b"task_ins_list"]) -> None: ...
 global___PushTaskInsRequest = PushTaskInsRequest
 
 class PushTaskInsResponse(google.protobuf.message.Message):
@@ -70,17 +73,20 @@ class PullTaskResRequest(google.protobuf.message.Message):
     DESCRIPTOR: google.protobuf.descriptor.Descriptor
     NODE_FIELD_NUMBER: builtins.int
     TASK_IDS_FIELD_NUMBER: builtins.int
+    RUN_ID_FIELD_NUMBER: builtins.int
     @property
     def node(self) -> flwr.proto.node_pb2.Node: ...
     @property
     def task_ids(self) -> google.protobuf.internal.containers.RepeatedScalarFieldContainer[typing.Text]: ...
+    run_id: builtins.int
     def __init__(self,
         *,
         node: typing.Optional[flwr.proto.node_pb2.Node] = ...,
         task_ids: typing.Optional[typing.Iterable[typing.Text]] = ...,
+        run_id: builtins.int = ...,
         ) -> None: ...
     def HasField(self, field_name: typing_extensions.Literal["node",b"node"]) -> builtins.bool: ...
-    def ClearField(self, field_name: typing_extensions.Literal["node",b"node","task_ids",b"task_ids"]) -> None: ...
+    def ClearField(self, field_name: typing_extensions.Literal["node",b"node","run_id",b"run_id","task_ids",b"task_ids"]) -> None: ...
 global___PullTaskResRequest = PullTaskResRequest
 
 class PullTaskResResponse(google.protobuf.message.Message):

flwr/proto/serverappio_pb2_grpc.py

@@ -62,6 +62,11 @@ class ServerAppIoStub(object):
                 request_serializer=flwr_dot_proto_dot_run__pb2.UpdateRunStatusRequest.SerializeToString,
                 response_deserializer=flwr_dot_proto_dot_run__pb2.UpdateRunStatusResponse.FromString,
                 )
+        self.GetRunStatus = channel.unary_unary(
+                '/flwr.proto.ServerAppIo/GetRunStatus',
+                request_serializer=flwr_dot_proto_dot_run__pb2.GetRunStatusRequest.SerializeToString,
+                response_deserializer=flwr_dot_proto_dot_run__pb2.GetRunStatusResponse.FromString,
+                )
         self.PushLogs = channel.unary_unary(
                 '/flwr.proto.ServerAppIo/PushLogs',
                 request_serializer=flwr_dot_proto_dot_log__pb2.PushLogsRequest.SerializeToString,
@@ -135,6 +140,13 @@ class ServerAppIoServicer(object):
         context.set_details('Method not implemented!')
         raise NotImplementedError('Method not implemented!')
 
+    def GetRunStatus(self, request, context):
+        """Get the status of a given run
+        """
+        context.set_code(grpc.StatusCode.UNIMPLEMENTED)
+        context.set_details('Method not implemented!')
+        raise NotImplementedError('Method not implemented!')
+
     def PushLogs(self, request, context):
         """Push ServerApp logs
         """
@@ -190,6 +202,11 @@ def add_ServerAppIoServicer_to_server(servicer, server):
                     request_deserializer=flwr_dot_proto_dot_run__pb2.UpdateRunStatusRequest.FromString,
                     response_serializer=flwr_dot_proto_dot_run__pb2.UpdateRunStatusResponse.SerializeToString,
             ),
+            'GetRunStatus': grpc.unary_unary_rpc_method_handler(
+                    servicer.GetRunStatus,
+                    request_deserializer=flwr_dot_proto_dot_run__pb2.GetRunStatusRequest.FromString,
+                    response_serializer=flwr_dot_proto_dot_run__pb2.GetRunStatusResponse.SerializeToString,
+            ),
             'PushLogs': grpc.unary_unary_rpc_method_handler(
                     servicer.PushLogs,
                     request_deserializer=flwr_dot_proto_dot_log__pb2.PushLogsRequest.FromString,
@@ -358,6 +375,23 @@ class ServerAppIo(object):
             options, channel_credentials,
             insecure, call_credentials, compression, wait_for_ready, timeout, metadata)
 
+    @staticmethod
+    def GetRunStatus(request,
+            target,
+            options=(),
+            channel_credentials=None,
+            call_credentials=None,
+            insecure=False,
+            compression=None,
+            wait_for_ready=None,
+            timeout=None,
+            metadata=None):
+        return grpc.experimental.unary_unary(request, target, '/flwr.proto.ServerAppIo/GetRunStatus',
+            flwr_dot_proto_dot_run__pb2.GetRunStatusRequest.SerializeToString,
+            flwr_dot_proto_dot_run__pb2.GetRunStatusResponse.FromString,
+            options, channel_credentials,
+            insecure, call_credentials, compression, wait_for_ready, timeout, metadata)
+
     @staticmethod
     def PushLogs(request,
             target,

flwr/proto/serverappio_pb2_grpc.pyi

@@ -56,6 +56,11 @@ class ServerAppIoStub:
         flwr.proto.run_pb2.UpdateRunStatusResponse]
     """Update the status of a given run"""
 
+    GetRunStatus: grpc.UnaryUnaryMultiCallable[
+        flwr.proto.run_pb2.GetRunStatusRequest,
+        flwr.proto.run_pb2.GetRunStatusResponse]
+    """Get the status of a given run"""
+
     PushLogs: grpc.UnaryUnaryMultiCallable[
         flwr.proto.log_pb2.PushLogsRequest,
         flwr.proto.log_pb2.PushLogsResponse]
@@ -135,6 +140,14 @@ class ServerAppIoServicer(metaclass=abc.ABCMeta):
         """Update the status of a given run"""
         pass
 
+    @abc.abstractmethod
+    def GetRunStatus(self,
+        request: flwr.proto.run_pb2.GetRunStatusRequest,
+        context: grpc.ServicerContext,
+    ) -> flwr.proto.run_pb2.GetRunStatusResponse:
+        """Get the status of a given run"""
+        pass
+
     @abc.abstractmethod
     def PushLogs(self,
         request: flwr.proto.log_pb2.PushLogsRequest,

flwr/server/app.py

@@ -24,9 +24,10 @@ from collections.abc import Sequence
 from logging import DEBUG, INFO, WARN
 from pathlib import Path
 from time import sleep
-from typing import Optional
+from typing import Any, Optional
 
 import grpc
+import yaml
 from cryptography.exceptions import UnsupportedAlgorithm
 from cryptography.hazmat.primitives.asymmetric import ec
 from cryptography.hazmat.primitives.serialization import (
@@ -37,8 +38,10 @@ from cryptography.hazmat.primitives.serialization import (
 from flwr.common import GRPC_MAX_MESSAGE_LENGTH, EventType, event
 from flwr.common.address import parse_address
 from flwr.common.args import try_obtain_server_certificates
+from flwr.common.auth_plugin import ExecAuthPlugin
 from flwr.common.config import get_flwr_dir, parse_config_args
 from flwr.common.constant import (
+    AUTH_TYPE,
     CLIENT_OCTET,
     EXEC_API_DEFAULT_SERVER_ADDRESS,
     FLEET_API_GRPC_BIDI_DEFAULT_ADDRESS,
@@ -88,6 +91,15 @@ DATABASE = ":flwr-in-memory-state:"
 BASE_DIR = get_flwr_dir() / "superlink" / "ffs"
 
 
+try:
+    from flwr.ee import get_exec_auth_plugins
+except ImportError:
+
+    def get_exec_auth_plugins() -> dict[str, type[ExecAuthPlugin]]:
+        """Return all Exec API authentication plugins."""
+        raise NotImplementedError("No authentication plugins are currently supported.")
+
+
 def start_server(  # pylint: disable=too-many-arguments,too-many-locals
     *,
     server_address: str = FLEET_API_GRPC_BIDI_DEFAULT_ADDRESS,
@@ -246,6 +258,12 @@ def run_superlink() -> None:
     # Obtain certificates
     certificates = try_obtain_server_certificates(args, args.fleet_api_type)
 
+    user_auth_config = _try_obtain_user_auth_config(args)
+    auth_plugin: Optional[ExecAuthPlugin] = None
+    # user_auth_config is None only if the args.user_auth_config is not provided
+    if user_auth_config is not None:
+        auth_plugin = _try_obtain_exec_auth_plugin(user_auth_config)
+
     # Initialize StateFactory
     state_factory = LinkStateFactory(args.database)
 
@@ -263,6 +281,7 @@ def run_superlink() -> None:
         config=parse_config_args(
             [args.executor_config] if args.executor_config else args.executor_config
         ),
+        auth_plugin=auth_plugin,
     )
     grpc_servers = [exec_server]
 
@@ -559,6 +578,32 @@ def _try_setup_node_authentication(
         )
 
 
+def _try_obtain_user_auth_config(args: argparse.Namespace) -> Optional[dict[str, Any]]:
+    if args.user_auth_config is not None:
+        with open(args.user_auth_config, encoding="utf-8") as file:
+            config: dict[str, Any] = yaml.safe_load(file)
+            return config
+    return None
+
+
+def _try_obtain_exec_auth_plugin(config: dict[str, Any]) -> Optional[ExecAuthPlugin]:
+    auth_config: dict[str, Any] = config.get("authentication", {})
+    auth_type: str = auth_config.get(AUTH_TYPE, "")
+    try:
+        all_plugins: dict[str, type[ExecAuthPlugin]] = get_exec_auth_plugins()
+        auth_plugin_class = all_plugins[auth_type]
+        return auth_plugin_class(config=auth_config)
+    except KeyError:
+        if auth_type != "":
+            sys.exit(
+                f'Authentication type "{auth_type}" is not supported. '
+                "Please provide a valid authentication type in the configuration."
+            )
+        sys.exit("No authentication type is provided in the configuration.")
+    except NotImplementedError:
+        sys.exit("No authentication plugins are currently supported.")
+
+
 def _run_fleet_api_grpc_rere(
     address: str,
     state_factory: LinkStateFactory,
@@ -746,6 +791,12 @@ def _add_args_common(parser: argparse.ArgumentParser) -> None:
         type=str,
         help="The SuperLink's public key (as a path str) to enable authentication.",
     )
+    parser.add_argument(
+        "--user-auth-config",
+        help="The path to the user authentication configuration YAML file.",
+        type=str,
+        default=None,
+    )
 
 
 def _add_args_serverappio_api(parser: argparse.ArgumentParser) -> None:

flwr/server/driver/grpc_driver.py

@@ -203,7 +203,9 @@ class GrpcDriver(Driver):
             task_ins_list.append(taskins)
         # Call GrpcDriverStub method
         res: PushTaskInsResponse = self._stub.PushTaskIns(
-            PushTaskInsRequest(task_ins_list=task_ins_list)
+            PushTaskInsRequest(
+                task_ins_list=task_ins_list, run_id=cast(Run, self._run).run_id
+            )
         )
         return list(res.task_ids)
 
@@ -215,7 +217,9 @@ class GrpcDriver(Driver):
         """
         # Pull TaskRes
         res: PullTaskResResponse = self._stub.PullTaskRes(
-            PullTaskResRequest(node=self.node, task_ids=message_ids)
+            PullTaskResRequest(
+                node=self.node, task_ids=message_ids, run_id=cast(Run, self._run).run_id
+            )
         )
         # Convert TaskRes to Message
         msgs = [message_from_taskres(taskres) for taskres in res.task_res_list]