flwr-nightly 1.23.0.dev20251007__py3-none-any.whl → 1.23.0.dev20251008__py3-none-any.whl

flwr/cli/auth_plugin/__init__.py

@@ -22,9 +22,13 @@ from .noop_auth_plugin import NoOpCliAuthPlugin
 from .oidc_cli_plugin import OidcCliPlugin
 
 
-def get_cli_auth_plugins() -> dict[str, type[CliAuthPlugin]]:
+def get_cli_plugin_class(authn_type: str) -> type[CliAuthPlugin]:
     """Return all CLI authentication plugins."""
-    return {AuthnType.NOOP: NoOpCliAuthPlugin, AuthnType.OIDC: OidcCliPlugin}
+    if authn_type == AuthnType.NOOP:
+        return NoOpCliAuthPlugin
+    if authn_type == AuthnType.OIDC:
+        return OidcCliPlugin
+    raise ValueError(f"Unsupported authentication type: {authn_type}")
 
 
 __all__ = [
@@ -32,5 +36,5 @@ __all__ = [
     "LoginError",
     "NoOpCliAuthPlugin",
     "OidcCliPlugin",
-    "get_cli_auth_plugins",
+    "get_cli_plugin_class",
 ]

flwr/cli/log.py

@@ -35,7 +35,7 @@ from flwr.common.logger import log as logger
 from flwr.proto.control_pb2 import StreamLogsRequest  # pylint: disable=E0611
 from flwr.proto.control_pb2_grpc import ControlStub
 
-from .utils import flwr_cli_grpc_exc_handler, init_channel, try_obtain_cli_auth_plugin
+from .utils import flwr_cli_grpc_exc_handler, init_channel, load_cli_auth_plugin
 
 
 class AllLogsRetrieved(BaseException):
@@ -186,7 +186,7 @@ def _log_with_control_api(
     run_id: int,
     stream: bool,
 ) -> None:
-    auth_plugin = try_obtain_cli_auth_plugin(app, federation, federation_config)
+    auth_plugin = load_cli_auth_plugin(app, federation, federation_config)
     channel = init_channel(app, federation_config, auth_plugin)
 
     if stream:

flwr/cli/login/login.py

@@ -20,7 +20,7 @@ from typing import Annotated, Optional
 
 import typer
 
-from flwr.cli.auth_plugin import LoginError
+from flwr.cli.auth_plugin import LoginError, NoOpCliAuthPlugin
 from flwr.cli.config_utils import (
     exit_if_no_address,
     get_insecure_flag,
@@ -40,7 +40,7 @@ from ..utils import (
     account_auth_enabled,
     flwr_cli_grpc_exc_handler,
     init_channel,
-    try_obtain_cli_auth_plugin,
+    load_cli_auth_plugin,
 )
 
 
@@ -95,7 +95,7 @@ def login(  # pylint: disable=R0914
         )
         raise typer.Exit(code=1)
 
-    channel = init_channel(app, federation_config, None)
+    channel = init_channel(app, federation_config, NoOpCliAuthPlugin(Path()))
     stub = ControlStub(channel)
 
     login_request = GetLoginDetailsRequest()
@@ -104,16 +104,7 @@ def login(  # pylint: disable=R0914
 
     # Get the auth plugin
     authn_type = login_response.authn_type
-    auth_plugin = try_obtain_cli_auth_plugin(
-        app, federation, federation_config, authn_type
-    )
-    if auth_plugin is None:
-        typer.secho(
-            f'❌ Authentication type "{authn_type}" not found',
-            fg=typer.colors.RED,
-            bold=True,
-        )
-        raise typer.Exit(code=1)
+    auth_plugin = load_cli_auth_plugin(app, federation, federation_config, authn_type)
 
     # Login
     details = AccountAuthLoginDetails(

flwr/cli/ls.py

@@ -44,7 +44,7 @@ from flwr.proto.control_pb2 import (  # pylint: disable=E0611
 )
 from flwr.proto.control_pb2_grpc import ControlStub
 
-from .utils import flwr_cli_grpc_exc_handler, init_channel, try_obtain_cli_auth_plugin
+from .utils import flwr_cli_grpc_exc_handler, init_channel, load_cli_auth_plugin
 
 _RunListType = tuple[int, str, str, str, str, str, str, str, str]
 
@@ -127,7 +127,7 @@ def ls(  # pylint: disable=too-many-locals, too-many-branches, R0913, R0917
                 raise ValueError(
                     "The options '--runs' and '--run-id' are mutually exclusive."
                 )
-            auth_plugin = try_obtain_cli_auth_plugin(app, federation, federation_config)
+            auth_plugin = load_cli_auth_plugin(app, federation, federation_config)
             channel = init_channel(app, federation_config, auth_plugin)
             stub = ControlStub(channel)
 

flwr/cli/pull.py

@@ -34,7 +34,7 @@ from flwr.proto.control_pb2 import (  # pylint: disable=E0611
 )
 from flwr.proto.control_pb2_grpc import ControlStub
 
-from .utils import flwr_cli_grpc_exc_handler, init_channel, try_obtain_cli_auth_plugin
+from .utils import flwr_cli_grpc_exc_handler, init_channel, load_cli_auth_plugin
 
 
 def pull(  # pylint: disable=R0914
@@ -74,7 +74,7 @@ def pull(  # pylint: disable=R0914
     channel = None
     try:
 
-        auth_plugin = try_obtain_cli_auth_plugin(app, federation, federation_config)
+        auth_plugin = load_cli_auth_plugin(app, federation, federation_config)
         channel = init_channel(app, federation_config, auth_plugin)
         stub = ControlStub(channel)
         with flwr_cli_grpc_exc_handler():

flwr/cli/run/run.py

@@ -45,7 +45,7 @@ from flwr.proto.control_pb2 import StartRunRequest  # pylint: disable=E0611
 from flwr.proto.control_pb2_grpc import ControlStub
 
 from ..log import start_stream
-from ..utils import flwr_cli_grpc_exc_handler, init_channel, try_obtain_cli_auth_plugin
+from ..utils import flwr_cli_grpc_exc_handler, init_channel, load_cli_auth_plugin
 
 CONN_REFRESH_PERIOD = 60  # Connection refresh period for log streaming (seconds)
 
@@ -148,7 +148,7 @@ def _run_with_control_api(
 ) -> None:
     channel = None
     try:
-        auth_plugin = try_obtain_cli_auth_plugin(app, federation, federation_config)
+        auth_plugin = load_cli_auth_plugin(app, federation, federation_config)
         channel = init_channel(app, federation_config, auth_plugin)
         stub = ControlStub(channel)
 

flwr/cli/stop.py

@@ -38,7 +38,7 @@ from flwr.proto.control_pb2 import (  # pylint: disable=E0611
 )
 from flwr.proto.control_pb2_grpc import ControlStub
 
-from .utils import flwr_cli_grpc_exc_handler, init_channel, try_obtain_cli_auth_plugin
+from .utils import flwr_cli_grpc_exc_handler, init_channel, load_cli_auth_plugin
 
 
 def stop(  # pylint: disable=R0914
@@ -89,7 +89,7 @@ def stop(  # pylint: disable=R0914
         exit_if_no_address(federation_config, "stop")
         channel = None
         try:
-            auth_plugin = try_obtain_cli_auth_plugin(app, federation, federation_config)
+            auth_plugin = load_cli_auth_plugin(app, federation, federation_config)
             channel = init_channel(app, federation_config, auth_plugin)
             stub = ControlStub(channel)  # pylint: disable=unused-variable # noqa: F841
 

flwr/cli/supernode/ls.py

@@ -42,7 +42,7 @@ from flwr.proto.control_pb2 import (  # pylint: disable=E0611
 from flwr.proto.control_pb2_grpc import ControlStub
 from flwr.proto.node_pb2 import NodeInfo  # pylint: disable=E0611
 
-from ..utils import flwr_cli_grpc_exc_handler, init_channel, try_obtain_cli_auth_plugin
+from ..utils import flwr_cli_grpc_exc_handler, init_channel, load_cli_auth_plugin
 
 _NodeListType = tuple[int, str, str, str, str, str, str, str]
 
@@ -94,7 +94,7 @@ def ls(  # pylint: disable=R0914
         exit_if_no_address(federation_config, f"supernode {command_name}")
         channel = None
         try:
-            auth_plugin = try_obtain_cli_auth_plugin(app, federation, federation_config)
+            auth_plugin = load_cli_auth_plugin(app, federation, federation_config)
             channel = init_channel(app, federation_config, auth_plugin)
             stub = ControlStub(channel)
             typer.echo("📄 Listing all nodes...")

flwr/cli/utils.py

@@ -34,6 +34,7 @@ from flwr.common.constant import (
     NO_ARTIFACT_PROVIDER_MESSAGE,
     PULL_UNFINISHED_RUN_MESSAGE,
     RUN_ID_NOT_FOUND_MESSAGE,
+    AuthnType,
 )
 from flwr.common.grpc import (
     GRPC_MAX_MESSAGE_LENGTH,
@@ -41,7 +42,7 @@ from flwr.common.grpc import (
     on_channel_state_change,
 )
 
-from .auth_plugin import CliAuthPlugin, get_cli_auth_plugins
+from .auth_plugin import CliAuthPlugin, get_cli_plugin_class
 from .cli_account_auth_interceptor import CliAccountAuthInterceptor
 from .config_utils import validate_certificate_in_federation_config
 
@@ -230,71 +231,54 @@ def account_auth_enabled(federation_config: dict[str, Any]) -> bool:
     return enabled
 
 
-def try_obtain_cli_auth_plugin(
+def retrieve_authn_type(config_path: Path) -> str:
+    """Retrieve the auth type from the config file or return NOOP if not found."""
+    try:
+        with config_path.open("r", encoding="utf-8") as file:
+            json_file = json.load(file)
+        authn_type: str = json_file[AUTHN_TYPE_JSON_KEY]
+        return authn_type
+    except (FileNotFoundError, KeyError):
+        return AuthnType.NOOP
+
+
+def load_cli_auth_plugin(
     root_dir: Path,
     federation: str,
     federation_config: dict[str, Any],
     authn_type: Optional[str] = None,
-) -> Optional[CliAuthPlugin]:
+) -> CliAuthPlugin:
     """Load the CLI-side account auth plugin for the given authn type."""
-    # Check if account auth is enabled
-    if not account_auth_enabled(federation_config):
-        return None
-
+    # Find the path to the account auth config file
     config_path = get_account_auth_config_path(root_dir, federation)
 
-    # Get the authn type from the config if not provided
-    # authn_type will be None for all CLI commands except login
+    # Determine the auth type if not provided
+    # Only `flwr login` command can provide `authn_type` explicitly, as it can query the
+    # SuperLink for the auth type.
     if authn_type is None:
-        try:
-            with config_path.open("r", encoding="utf-8") as file:
-                json_file = json.load(file)
-            authn_type = json_file[AUTHN_TYPE_JSON_KEY]
-        except (FileNotFoundError, KeyError):
-            typer.secho(
-                "❌ Missing or invalid credentials for account authentication. "
-                "Please run `flwr login` to authenticate.",
-                fg=typer.colors.RED,
-                bold=True,
-            )
-            raise typer.Exit(code=1) from None
+        authn_type = AuthnType.NOOP
+        if account_auth_enabled(federation_config):
+            authn_type = retrieve_authn_type(config_path)
 
     # Retrieve auth plugin class and instantiate it
     try:
-        all_plugins: dict[str, type[CliAuthPlugin]] = get_cli_auth_plugins()
-        auth_plugin_class = all_plugins[authn_type]
+        auth_plugin_class = get_cli_plugin_class(authn_type)
         return auth_plugin_class(config_path)
-    except KeyError:
+    except ValueError:
         typer.echo(f"❌ Unknown account authentication type: {authn_type}")
         raise typer.Exit(code=1) from None
-    except ImportError:
-        typer.echo("❌ No authentication plugins are currently supported.")
-        raise typer.Exit(code=1) from None
 
 
 def init_channel(
-    app: Path, federation_config: dict[str, Any], auth_plugin: Optional[CliAuthPlugin]
+    app: Path, federation_config: dict[str, Any], auth_plugin: CliAuthPlugin
 ) -> grpc.Channel:
     """Initialize gRPC channel to the Control API."""
     insecure, root_certificates_bytes = validate_certificate_in_federation_config(
         app, federation_config
     )
 
-    # Initialize the CLI-side account auth interceptor
-    interceptors: list[grpc.UnaryUnaryClientInterceptor] = []
-    if auth_plugin is not None:
-        # Check if TLS is enabled. If not, raise an error
-        if insecure:
-            typer.secho(
-                "❌ Account authentication requires TLS to be enabled. "
-                "Remove `insecure = true` from the federation configuration.",
-                fg=typer.colors.RED,
-                bold=True,
-            )
-            raise typer.Exit(code=1)
-
-        auth_plugin.load_tokens()
-        interceptors.append(CliAccountAuthInterceptor(auth_plugin))
+    # Load tokens
+    auth_plugin.load_tokens()
 
     # Create the gRPC channel
     channel = create_channel(
@@ -302,7 +286,7 @@ def init_channel(
         insecure=insecure,
         root_certificates=root_certificates_bytes,
         max_message_length=GRPC_MAX_MESSAGE_LENGTH,
-        interceptors=interceptors or None,
+        interceptors=[CliAccountAuthInterceptor(auth_plugin)],
     )
     channel.subscribe(on_channel_state_change)
     return channel

flwr/client/grpc_rere_client/connection.py

@@ -55,10 +55,10 @@ from flwr.proto.heartbeat_pb2 import (  # pylint: disable=E0611
 from flwr.proto.message_pb2 import ObjectTree  # pylint: disable=E0611
 from flwr.proto.node_pb2 import Node  # pylint: disable=E0611
 from flwr.proto.run_pb2 import GetRunRequest, GetRunResponse  # pylint: disable=E0611
-from flwr.supercore.primitives.asymmetric import generate_key_pairs
+from flwr.supercore.primitives.asymmetric import generate_key_pairs, public_key_to_bytes
 
-from .client_interceptor import AuthenticateClientInterceptor
 from .grpc_adapter import GrpcAdapter
+from .node_auth_client_interceptor import NodeAuthClientInterceptor
 
 
 @contextmanager
@@ -138,8 +138,9 @@ def grpc_request_response(  # pylint: disable=R0913,R0914,R0915,R0917
 
     # Always configure auth interceptor, with either user-provided or generated keys
     interceptors: Sequence[grpc.UnaryUnaryClientInterceptor] = [
-        AuthenticateClientInterceptor(*authentication_keys),
+        NodeAuthClientInterceptor(*authentication_keys),
     ]
+    node_pk = public_key_to_bytes(authentication_keys[1])
     channel = create_channel(
         server_address=server_address,
         insecure=insecure,
@@ -199,7 +200,8 @@ def grpc_request_response(  # pylint: disable=R0913,R0914,R0915,R0917
         """Set create_node."""
         # Call FleetAPI
         create_node_request = CreateNodeRequest(
-            heartbeat_interval=HEARTBEAT_DEFAULT_INTERVAL
+            public_key=node_pk,
+            heartbeat_interval=HEARTBEAT_DEFAULT_INTERVAL,
         )
         create_node_response = stub.CreateNode(request=create_node_request)
 

flwr/client/grpc_rere_client/{client_interceptor.py → node_auth_client_interceptor.py}

@@ -26,8 +26,8 @@ from flwr.common.constant import PUBLIC_KEY_HEADER, SIGNATURE_HEADER, TIMESTAMP_
 from flwr.supercore.primitives.asymmetric import public_key_to_bytes, sign_message
 
 
-class AuthenticateClientInterceptor(grpc.UnaryUnaryClientInterceptor):  # type: ignore
-    """Client interceptor for client authentication."""
+class NodeAuthClientInterceptor(grpc.UnaryUnaryClientInterceptor):  # type: ignore
+    """Client interceptor for node authentication."""
 
     def __init__(
         self,

flwr/client/rest_client/connection.py

@@ -15,6 +15,7 @@
 """Contextmanager for a REST request-response channel to the Flower server."""
 
 
+import secrets
 from collections.abc import Iterator
 from contextlib import contextmanager
 from logging import ERROR, WARN
@@ -292,7 +293,12 @@ def http_request_response(  # pylint: disable=R0913,R0914,R0915,R0917
 
     def create_node() -> Optional[int]:
         """Set create_node."""
-        req = CreateNodeRequest(heartbeat_interval=HEARTBEAT_DEFAULT_INTERVAL)
+        req = CreateNodeRequest(
+            # REST does not support node authentication;
+            # random bytes are used instead
+            public_key=secrets.token_bytes(32),
+            heartbeat_interval=HEARTBEAT_DEFAULT_INTERVAL,
+        )
 
         # Send the request
         res = _request(req, CreateNodeResponse, PATH_CREATE_NODE)

flwr/common/constant.py

@@ -256,6 +256,16 @@ class AuthnType:
         raise TypeError(f"{cls.__name__} cannot be instantiated.")
 
 
+class AuthzType:
+    """Account authorization types."""
+
+    NOOP = "noop"
+
+    def __new__(cls) -> AuthzType:
+        """Prevent instantiation."""
+        raise TypeError(f"{cls.__name__} cannot be instantiated.")
+
+
 class EventLogWriterType:
     """Event log writer types."""
 

flwr/proto/fleet_pb2.py

@@ -19,7 +19,7 @@ from flwr.proto import fab_pb2 as flwr_dot_proto_dot_fab__pb2
 from flwr.proto import message_pb2 as flwr_dot_proto_dot_message__pb2
 
 
-DESCRIPTOR = _descriptor_pool.Default().AddSerializedFile(b'\n\x16\x66lwr/proto/fleet.proto\x12\nflwr.proto\x1a\x1a\x66lwr/proto/heartbeat.proto\x1a\x15\x66lwr/proto/node.proto\x1a\x14\x66lwr/proto/run.proto\x1a\x14\x66lwr/proto/fab.proto\x1a\x18\x66lwr/proto/message.proto\"/\n\x11\x43reateNodeRequest\x12\x1a\n\x12heartbeat_interval\x18\x01 \x01(\x01\"4\n\x12\x43reateNodeResponse\x12\x1e\n\x04node\x18\x01 \x01(\x0b\x32\x10.flwr.proto.Node\"3\n\x11\x44\x65leteNodeRequest\x12\x1e\n\x04node\x18\x01 \x01(\x0b\x32\x10.flwr.proto.Node\"\x14\n\x12\x44\x65leteNodeResponse\"J\n\x13PullMessagesRequest\x12\x1e\n\x04node\x18\x01 \x01(\x0b\x32\x10.flwr.proto.Node\x12\x13\n\x0bmessage_ids\x18\x02 \x03(\t\"\xa2\x01\n\x14PullMessagesResponse\x12(\n\treconnect\x18\x01 \x01(\x0b\x32\x15.flwr.proto.Reconnect\x12*\n\rmessages_list\x18\x02 \x03(\x0b\x32\x13.flwr.proto.Message\x12\x34\n\x14message_object_trees\x18\x03 \x03(\x0b\x32\x16.flwr.proto.ObjectTree\"\x97\x01\n\x13PushMessagesRequest\x12\x1e\n\x04node\x18\x01 \x01(\x0b\x32\x10.flwr.proto.Node\x12*\n\rmessages_list\x18\x02 \x03(\x0b\x32\x13.flwr.proto.Message\x12\x34\n\x14message_object_trees\x18\x03 \x03(\x0b\x32\x16.flwr.proto.ObjectTree\"\xc9\x01\n\x14PushMessagesResponse\x12(\n\treconnect\x18\x01 \x01(\x0b\x32\x15.flwr.proto.Reconnect\x12>\n\x07results\x18\x02 \x03(\x0b\x32-.flwr.proto.PushMessagesResponse.ResultsEntry\x12\x17\n\x0fobjects_to_push\x18\x03 \x03(\t\x1a.\n\x0cResultsEntry\x12\x0b\n\x03key\x18\x01 \x01(\t\x12\r\n\x05value\x18\x02 \x01(\r:\x02\x38\x01\"\x1e\n\tReconnect\x12\x11\n\treconnect\x18\x01 \x01(\x04\x32\xca\x06\n\x05\x46leet\x12M\n\nCreateNode\x12\x1d.flwr.proto.CreateNodeRequest\x1a\x1e.flwr.proto.CreateNodeResponse\"\x00\x12M\n\nDeleteNode\x12\x1d.flwr.proto.DeleteNodeRequest\x1a\x1e.flwr.proto.DeleteNodeResponse\"\x00\x12\x62\n\x11SendNodeHeartbeat\x12$.flwr.proto.SendNodeHeartbeatRequest\x1a%.flwr.proto.SendNodeHeartbeatResponse\"\x00\x12S\n\x0cPullMessages\x12\x1f.flwr.proto.PullMessagesRequest\x1a .flwr.proto.PullMessagesResponse\"\x00\x12S\n\x0cPushMessages\x12\x1f.flwr.proto.PushMessagesRequest\x1a .flwr.proto.PushMessagesResponse\"\x00\x12\x41\n\x06GetRun\x12\x19.flwr.proto.GetRunRequest\x1a\x1a.flwr.proto.GetRunResponse\"\x00\x12\x41\n\x06GetFab\x12\x19.flwr.proto.GetFabRequest\x1a\x1a.flwr.proto.GetFabResponse\"\x00\x12M\n\nPushObject\x12\x1d.flwr.proto.PushObjectRequest\x1a\x1e.flwr.proto.PushObjectResponse\"\x00\x12M\n\nPullObject\x12\x1d.flwr.proto.PullObjectRequest\x1a\x1e.flwr.proto.PullObjectResponse\"\x00\x12q\n\x16\x43onfirmMessageReceived\x12).flwr.proto.ConfirmMessageReceivedRequest\x1a*.flwr.proto.ConfirmMessageReceivedResponse\"\x00\x62\x06proto3')
+DESCRIPTOR = _descriptor_pool.Default().AddSerializedFile(b'\n\x16\x66lwr/proto/fleet.proto\x12\nflwr.proto\x1a\x1a\x66lwr/proto/heartbeat.proto\x1a\x15\x66lwr/proto/node.proto\x1a\x14\x66lwr/proto/run.proto\x1a\x14\x66lwr/proto/fab.proto\x1a\x18\x66lwr/proto/message.proto\"C\n\x11\x43reateNodeRequest\x12\x12\n\npublic_key\x18\x01 \x01(\x0c\x12\x1a\n\x12heartbeat_interval\x18\x02 \x01(\x01\"4\n\x12\x43reateNodeResponse\x12\x1e\n\x04node\x18\x01 \x01(\x0b\x32\x10.flwr.proto.Node\"3\n\x11\x44\x65leteNodeRequest\x12\x1e\n\x04node\x18\x01 \x01(\x0b\x32\x10.flwr.proto.Node\"\x14\n\x12\x44\x65leteNodeResponse\"J\n\x13PullMessagesRequest\x12\x1e\n\x04node\x18\x01 \x01(\x0b\x32\x10.flwr.proto.Node\x12\x13\n\x0bmessage_ids\x18\x02 \x03(\t\"\xa2\x01\n\x14PullMessagesResponse\x12(\n\treconnect\x18\x01 \x01(\x0b\x32\x15.flwr.proto.Reconnect\x12*\n\rmessages_list\x18\x02 \x03(\x0b\x32\x13.flwr.proto.Message\x12\x34\n\x14message_object_trees\x18\x03 \x03(\x0b\x32\x16.flwr.proto.ObjectTree\"\x97\x01\n\x13PushMessagesRequest\x12\x1e\n\x04node\x18\x01 \x01(\x0b\x32\x10.flwr.proto.Node\x12*\n\rmessages_list\x18\x02 \x03(\x0b\x32\x13.flwr.proto.Message\x12\x34\n\x14message_object_trees\x18\x03 \x03(\x0b\x32\x16.flwr.proto.ObjectTree\"\xc9\x01\n\x14PushMessagesResponse\x12(\n\treconnect\x18\x01 \x01(\x0b\x32\x15.flwr.proto.Reconnect\x12>\n\x07results\x18\x02 \x03(\x0b\x32-.flwr.proto.PushMessagesResponse.ResultsEntry\x12\x17\n\x0fobjects_to_push\x18\x03 \x03(\t\x1a.\n\x0cResultsEntry\x12\x0b\n\x03key\x18\x01 \x01(\t\x12\r\n\x05value\x18\x02 \x01(\r:\x02\x38\x01\"\x1e\n\tReconnect\x12\x11\n\treconnect\x18\x01 \x01(\x04\x32\xca\x06\n\x05\x46leet\x12M\n\nCreateNode\x12\x1d.flwr.proto.CreateNodeRequest\x1a\x1e.flwr.proto.CreateNodeResponse\"\x00\x12M\n\nDeleteNode\x12\x1d.flwr.proto.DeleteNodeRequest\x1a\x1e.flwr.proto.DeleteNodeResponse\"\x00\x12\x62\n\x11SendNodeHeartbeat\x12$.flwr.proto.SendNodeHeartbeatRequest\x1a%.flwr.proto.SendNodeHeartbeatResponse\"\x00\x12S\n\x0cPullMessages\x12\x1f.flwr.proto.PullMessagesRequest\x1a .flwr.proto.PullMessagesResponse\"\x00\x12S\n\x0cPushMessages\x12\x1f.flwr.proto.PushMessagesRequest\x1a .flwr.proto.PushMessagesResponse\"\x00\x12\x41\n\x06GetRun\x12\x19.flwr.proto.GetRunRequest\x1a\x1a.flwr.proto.GetRunResponse\"\x00\x12\x41\n\x06GetFab\x12\x19.flwr.proto.GetFabRequest\x1a\x1a.flwr.proto.GetFabResponse\"\x00\x12M\n\nPushObject\x12\x1d.flwr.proto.PushObjectRequest\x1a\x1e.flwr.proto.PushObjectResponse\"\x00\x12M\n\nPullObject\x12\x1d.flwr.proto.PullObjectRequest\x1a\x1e.flwr.proto.PullObjectResponse\"\x00\x12q\n\x16\x43onfirmMessageReceived\x12).flwr.proto.ConfirmMessageReceivedRequest\x1a*.flwr.proto.ConfirmMessageReceivedResponse\"\x00\x62\x06proto3')
 
 _globals = globals()
 _builder.BuildMessageAndEnumDescriptors(DESCRIPTOR, _globals)
@@ -29,25 +29,25 @@ if _descriptor._USE_C_DESCRIPTORS == False:
   _globals['_PUSHMESSAGESRESPONSE_RESULTSENTRY']._options = None
   _globals['_PUSHMESSAGESRESPONSE_RESULTSENTRY']._serialized_options = b'8\001'
   _globals['_CREATENODEREQUEST']._serialized_start=159
-  _globals['_CREATENODEREQUEST']._serialized_end=206
-  _globals['_CREATENODERESPONSE']._serialized_start=208
-  _globals['_CREATENODERESPONSE']._serialized_end=260
-  _globals['_DELETENODEREQUEST']._serialized_start=262
-  _globals['_DELETENODEREQUEST']._serialized_end=313
-  _globals['_DELETENODERESPONSE']._serialized_start=315
-  _globals['_DELETENODERESPONSE']._serialized_end=335
-  _globals['_PULLMESSAGESREQUEST']._serialized_start=337
-  _globals['_PULLMESSAGESREQUEST']._serialized_end=411
-  _globals['_PULLMESSAGESRESPONSE']._serialized_start=414
-  _globals['_PULLMESSAGESRESPONSE']._serialized_end=576
-  _globals['_PUSHMESSAGESREQUEST']._serialized_start=579
-  _globals['_PUSHMESSAGESREQUEST']._serialized_end=730
-  _globals['_PUSHMESSAGESRESPONSE']._serialized_start=733
-  _globals['_PUSHMESSAGESRESPONSE']._serialized_end=934
-  _globals['_PUSHMESSAGESRESPONSE_RESULTSENTRY']._serialized_start=888
-  _globals['_PUSHMESSAGESRESPONSE_RESULTSENTRY']._serialized_end=934
-  _globals['_RECONNECT']._serialized_start=936
-  _globals['_RECONNECT']._serialized_end=966
-  _globals['_FLEET']._serialized_start=969
-  _globals['_FLEET']._serialized_end=1811
+  _globals['_CREATENODEREQUEST']._serialized_end=226
+  _globals['_CREATENODERESPONSE']._serialized_start=228
+  _globals['_CREATENODERESPONSE']._serialized_end=280
+  _globals['_DELETENODEREQUEST']._serialized_start=282
+  _globals['_DELETENODEREQUEST']._serialized_end=333
+  _globals['_DELETENODERESPONSE']._serialized_start=335
+  _globals['_DELETENODERESPONSE']._serialized_end=355
+  _globals['_PULLMESSAGESREQUEST']._serialized_start=357
+  _globals['_PULLMESSAGESREQUEST']._serialized_end=431
+  _globals['_PULLMESSAGESRESPONSE']._serialized_start=434
+  _globals['_PULLMESSAGESRESPONSE']._serialized_end=596
+  _globals['_PUSHMESSAGESREQUEST']._serialized_start=599
+  _globals['_PUSHMESSAGESREQUEST']._serialized_end=750
+  _globals['_PUSHMESSAGESRESPONSE']._serialized_start=753
+  _globals['_PUSHMESSAGESRESPONSE']._serialized_end=954
+  _globals['_PUSHMESSAGESRESPONSE_RESULTSENTRY']._serialized_start=908
+  _globals['_PUSHMESSAGESRESPONSE_RESULTSENTRY']._serialized_end=954
+  _globals['_RECONNECT']._serialized_start=956
+  _globals['_RECONNECT']._serialized_end=986
+  _globals['_FLEET']._serialized_start=989
+  _globals['_FLEET']._serialized_end=1831
 # @@protoc_insertion_point(module_scope)

flwr/proto/fleet_pb2.pyi

@@ -16,13 +16,16 @@ DESCRIPTOR: google.protobuf.descriptor.FileDescriptor
 class CreateNodeRequest(google.protobuf.message.Message):
     """CreateNode messages"""
     DESCRIPTOR: google.protobuf.descriptor.Descriptor
+    PUBLIC_KEY_FIELD_NUMBER: builtins.int
     HEARTBEAT_INTERVAL_FIELD_NUMBER: builtins.int
+    public_key: builtins.bytes
     heartbeat_interval: builtins.float
     def __init__(self,
         *,
+        public_key: builtins.bytes = ...,
         heartbeat_interval: builtins.float = ...,
         ) -> None: ...
-    def ClearField(self, field_name: typing_extensions.Literal["heartbeat_interval",b"heartbeat_interval"]) -> None: ...
+    def ClearField(self, field_name: typing_extensions.Literal["heartbeat_interval",b"heartbeat_interval","public_key",b"public_key"]) -> None: ...
 global___CreateNodeRequest = CreateNodeRequest
 
 class CreateNodeResponse(google.protobuf.message.Message):

flwr/proto/node_pb2.py

@@ -14,7 +14,7 @@ _sym_db = _symbol_database.Default()
 
 
 
-DESCRIPTOR = _descriptor_pool.Default().AddSerializedFile(b'\n\x15\x66lwr/proto/node.proto\x12\nflwr.proto\"\x17\n\x04Node\x12\x0f\n\x07node_id\x18\x01 \x01(\x04\"\xd0\x01\n\x08NodeInfo\x12\x0f\n\x07node_id\x18\x01 \x01(\x04\x12\x11\n\towner_aid\x18\x02 \x01(\t\x12\x0e\n\x06status\x18\x03 \x01(\t\x12\x12\n\ncreated_at\x18\x04 \x01(\t\x12\x19\n\x11last_activated_at\x18\x05 \x01(\t\x12\x1b\n\x13last_deactivated_at\x18\x06 \x01(\t\x12\x12\n\ndeleted_at\x18\x07 \x01(\t\x12\x14\n\x0conline_until\x18\x08 \x01(\x02\x12\x1a\n\x12heartbeat_interval\x18\t \x01(\x02\x62\x06proto3')
+DESCRIPTOR = _descriptor_pool.Default().AddSerializedFile(b'\n\x15\x66lwr/proto/node.proto\x12\nflwr.proto\"\x17\n\x04Node\x12\x0f\n\x07node_id\x18\x01 \x01(\x04\"\xd0\x01\n\x08NodeInfo\x12\x0f\n\x07node_id\x18\x01 \x01(\x04\x12\x11\n\towner_aid\x18\x02 \x01(\t\x12\x0e\n\x06status\x18\x03 \x01(\t\x12\x12\n\ncreated_at\x18\x04 \x01(\t\x12\x19\n\x11last_activated_at\x18\x05 \x01(\t\x12\x1b\n\x13last_deactivated_at\x18\x06 \x01(\t\x12\x12\n\ndeleted_at\x18\x07 \x01(\t\x12\x14\n\x0conline_until\x18\x08 \x01(\x01\x12\x1a\n\x12heartbeat_interval\x18\t \x01(\x01\x62\x06proto3')
 
 _globals = globals()
 _builder.BuildMessageAndEnumDescriptors(DESCRIPTOR, _globals)

flwr/server/app.py

@@ -26,7 +26,7 @@ from collections.abc import Sequence
 from logging import DEBUG, INFO, WARN
 from pathlib import Path
 from time import sleep
-from typing import Any, Callable, Optional, TypeVar
+from typing import Callable, Optional, TypeVar, cast
 
 import grpc
 import yaml
@@ -52,6 +52,8 @@ from flwr.common.constant import (
     TRANSPORT_TYPE_GRPC_ADAPTER,
     TRANSPORT_TYPE_GRPC_RERE,
     TRANSPORT_TYPE_REST,
+    AuthnType,
+    AuthzType,
     EventLogWriterType,
     ExecPluginType,
 )
@@ -69,12 +71,19 @@ from flwr.supercore.grpc_health import add_args_health, run_health_server_grpc_n
 from flwr.supercore.object_store import ObjectStoreFactory
 from flwr.supercore.primitives.asymmetric import public_key_to_bytes
 from flwr.superlink.artifact_provider import ArtifactProvider
-from flwr.superlink.auth_plugin import ControlAuthnPlugin, ControlAuthzPlugin
+from flwr.superlink.auth_plugin import (
+    ControlAuthnPlugin,
+    ControlAuthzPlugin,
+    get_control_authn_plugins,
+    get_control_authz_plugins,
+)
 from flwr.superlink.servicer.control import run_control_api_grpc
 
 from .superlink.fleet.grpc_adapter.grpc_adapter_servicer import GrpcAdapterServicer
 from .superlink.fleet.grpc_rere.fleet_servicer import FleetServicer
-from .superlink.fleet.grpc_rere.server_interceptor import AuthenticateServerInterceptor
+from .superlink.fleet.grpc_rere.node_auth_server_interceptor import (
+    NodeAuthServerInterceptor,
+)
 from .superlink.linkstate import LinkStateFactory
 from .superlink.serverappio.serverappio_grpc import run_serverappio_api_grpc
 from .superlink.simulation.simulationio_grpc import run_simulationio_api_grpc
@@ -87,8 +96,6 @@ P = TypeVar("P", ControlAuthnPlugin, ControlAuthzPlugin)
 try:
     from flwr.ee import (
         add_ee_args_superlink,
-        get_control_authn_plugins,
-        get_control_authz_plugins,
         get_control_event_log_writer_plugins,
         get_ee_artifact_provider,
         get_fleet_event_log_writer_plugins,
@@ -99,14 +106,6 @@ except ImportError:
     def add_ee_args_superlink(parser: argparse.ArgumentParser) -> None:
         """Add EE-specific arguments to the parser."""
 
-    def get_control_authn_plugins() -> dict[str, type[ControlAuthnPlugin]]:
-        """Return all Control API authentication plugins."""
-        raise NotImplementedError("No authentication plugins are currently supported.")
-
-    def get_control_authz_plugins() -> dict[str, type[ControlAuthzPlugin]]:
-        """Return all Control API authorization plugins."""
-        raise NotImplementedError("No authorization plugins are currently supported.")
-
     def get_control_event_log_writer_plugins() -> dict[str, type[EventLogWriterPlugin]]:
         """Return all Control API event log writer plugins."""
         raise NotImplementedError(
@@ -202,10 +201,9 @@ def run_superlink() -> None:
             "future release. Please use `--account-auth-config` instead.",
         )
         args.account_auth_config = cfg_path
-    if cfg_path := getattr(args, "account_auth_config", None):
-        authn_plugin, authz_plugin = _try_obtain_control_auth_plugins(
-            Path(cfg_path), verify_tls_cert
-        )
+    cfg_path = getattr(args, "account_auth_config", None)
+    authn_plugin, authz_plugin = _load_control_auth_plugins(cfg_path, verify_tls_cert)
+    if cfg_path is not None:
         # Enable event logging if the args.enable_event_log is True
         if args.enable_event_log:
             event_log_plugin = _try_obtain_control_event_log_writer_plugin()
@@ -326,7 +324,7 @@ def run_superlink() -> None:
             else:
                 log(DEBUG, "Automatic node authentication enabled")
 
-            interceptors = [AuthenticateServerInterceptor(state_factory, auto_auth)]
+            interceptors = [NodeAuthServerInterceptor(state_factory, auto_auth)]
             if getattr(args, "enable_event_log", None):
                 fleet_log_plugin = _try_obtain_fleet_event_log_writer_plugin()
                 if fleet_log_plugin is not None:
@@ -447,13 +445,21 @@ def _try_load_public_keys_node_authentication(
     return node_public_keys
 
 
-def _try_obtain_control_auth_plugins(
-    config_path: Path, verify_tls_cert: bool
+def _load_control_auth_plugins(
+    config_path: Optional[str], verify_tls_cert: bool
 ) -> tuple[ControlAuthnPlugin, ControlAuthzPlugin]:
     """Obtain Control API authentication and authorization plugins."""
+    # Load NoOp plugins if no config path is provided
+    if config_path is None:
+        config_path = ""
+        config = {
+            "authentication": {AUTHN_TYPE_YAML_KEY: AuthnType.NOOP},
+            "authorization": {AUTHZ_TYPE_YAML_KEY: AuthzType.NOOP},
+        }
     # Load YAML file
-    with config_path.open("r", encoding="utf-8") as file:
-        config: dict[str, Any] = yaml.safe_load(file)
+    else:
+        with Path(config_path).open("r", encoding="utf-8") as file:
+            config = yaml.safe_load(file)
 
     def _load_plugin(
         section: str, yaml_key: str, loader: Callable[[], dict[str, type[P]]]
@@ -463,9 +469,7 @@ def _try_obtain_control_auth_plugins(
         try:
             plugins: dict[str, type[P]] = loader()
             plugin_cls: type[P] = plugins[auth_plugin_name]
-            return plugin_cls(
-                account_auth_config_path=config_path, verify_tls_cert=verify_tls_cert
-            )
+            return plugin_cls(Path(cast(str, config_path)), verify_tls_cert)
         except KeyError:
             if auth_plugin_name:
                 sys.exit(
@@ -473,18 +477,15 @@ def _try_obtain_control_auth_plugins(
                     f"Please provide a valid {section} type in the configuration."
                 )
             sys.exit(f"No {section} type is provided in the configuration.")
-        except NotImplementedError:
-            sys.exit(f"No {section} plugins are currently supported.")
 
-    # Warn deprecated authn_type key
-    if "authn_type" in config["authentication"]:
+    # Warn deprecated auth_type key
+    if authn_type := config["authentication"].pop("auth_type", None):
         log(
             WARN,
-            "The `authn_type` key in the authentication configuration is deprecated. "
+            "The `auth_type` key in the authentication configuration is deprecated. "
             "Use `%s` instead.",
             AUTHN_TYPE_YAML_KEY,
         )
-        authn_type = config["authentication"].pop("authn_type")
         config["authentication"][AUTHN_TYPE_YAML_KEY] = authn_type
 
     # Load authentication plugin

flwr/server/superlink/fleet/grpc_rere/fleet_servicer.py

@@ -78,10 +78,14 @@ class FleetServicer(fleet_pb2_grpc.FleetServicer):
             request.heartbeat_interval,
         )
         log(DEBUG, "[Fleet.CreateNode] Request: %s", MessageToDict(request))
-        response = message_handler.create_node(
-            request=request,
-            state=self.state_factory.state(),
-        )
+        try:
+            response = message_handler.create_node(
+                request=request,
+                state=self.state_factory.state(),
+            )
+        except ValueError as e:
+            # Public key already in use
+            context.abort(grpc.StatusCode.FAILED_PRECONDITION, str(e))
         log(INFO, "[Fleet.CreateNode] Created node_id=%s", response.node.node_id)
         log(DEBUG, "[Fleet.CreateNode] Response: %s", MessageToDict(response))
         return response