flwr 1.21.0__py3-none-any.whl → 1.23.0__py3-none-any.whl

flwr/superlink/auth_plugin/auth_plugin.py

@@ -0,0 +1,91 @@
+# Copyright 2025 Flower Labs GmbH. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ==============================================================================
+"""Abstract classes for Flower account auth plugins."""
+
+
+from abc import ABC, abstractmethod
+from collections.abc import Sequence
+from pathlib import Path
+from typing import Optional, Union
+
+from flwr.common.typing import (
+    AccountAuthCredentials,
+    AccountAuthLoginDetails,
+    AccountInfo,
+)
+
+
+class ControlAuthnPlugin(ABC):
+    """Abstract Flower Authentication Plugin class for ControlServicer.
+
+    Parameters
+    ----------
+    account_auth_config_path : Path
+        Path to the YAML file containing the authentication configuration.
+    verify_tls_cert : bool
+        Boolean indicating whether to verify the TLS certificate
+        when making requests to the server.
+    """
+
+    @abstractmethod
+    def __init__(
+        self,
+        account_auth_config_path: Path,
+        verify_tls_cert: bool,
+    ):
+        """Abstract constructor."""
+
+    @abstractmethod
+    def get_login_details(self) -> Optional[AccountAuthLoginDetails]:
+        """Get the login details."""
+
+    @abstractmethod
+    def validate_tokens_in_metadata(
+        self, metadata: Sequence[tuple[str, Union[str, bytes]]]
+    ) -> tuple[bool, Optional[AccountInfo]]:
+        """Validate authentication tokens in the provided metadata."""
+
+    @abstractmethod
+    def get_auth_tokens(self, device_code: str) -> Optional[AccountAuthCredentials]:
+        """Get authentication tokens."""
+
+    @abstractmethod
+    def refresh_tokens(
+        self, metadata: Sequence[tuple[str, Union[str, bytes]]]
+    ) -> tuple[
+        Optional[Sequence[tuple[str, Union[str, bytes]]]], Optional[AccountInfo]
+    ]:
+        """Refresh authentication tokens in the provided metadata."""
+
+
+class ControlAuthzPlugin(ABC):  # pylint: disable=too-few-public-methods
+    """Abstract Flower Authorization Plugin class for ControlServicer.
+
+    Parameters
+    ----------
+    account_auth_config_path : Path
+        Path to the YAML file containing the authorization configuration.
+    verify_tls_cert : bool
+        Boolean indicating whether to verify the TLS certificate
+        when making requests to the server.
+    """
+
+    @abstractmethod
+    def __init__(self, account_auth_config_path: Path, verify_tls_cert: bool):
+        """Abstract constructor."""
+
+    @abstractmethod
+    def authorize(self, account_info: AccountInfo) -> bool:
+        """Verify account authorization request."""

flwr/superlink/auth_plugin/noop_auth_plugin.py

@@ -0,0 +1,87 @@
+# Copyright 2025 Flower Labs GmbH. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ==============================================================================
+"""Concrete NoOp implementation for Servicer-side account authentication and
+authorization plugins."""
+
+
+from collections.abc import Sequence
+from pathlib import Path
+from typing import Optional, Union
+
+from flwr.common.constant import NOOP_ACCOUNT_NAME, NOOP_FLWR_AID, AuthnType
+from flwr.common.typing import (
+    AccountAuthCredentials,
+    AccountAuthLoginDetails,
+    AccountInfo,
+)
+
+from .auth_plugin import ControlAuthnPlugin, ControlAuthzPlugin
+
+NOOP_ACCOUNT_INFO = AccountInfo(
+    flwr_aid=NOOP_FLWR_AID,
+    account_name=NOOP_ACCOUNT_NAME,
+)
+
+
+class NoOpControlAuthnPlugin(ControlAuthnPlugin):
+    """No-operation implementation of ControlAuthnPlugin."""
+
+    def __init__(
+        self,
+        account_auth_config_path: Path,
+        verify_tls_cert: bool,
+    ):
+        pass
+
+    def get_login_details(self) -> Optional[AccountAuthLoginDetails]:
+        """Get the login details."""
+        # This allows the `flwr login` command to load the NoOp plugin accordingly,
+        # which then raises a LoginError when attempting to login.
+        return AccountAuthLoginDetails(
+            authn_type=AuthnType.NOOP,  # No operation authn type
+            device_code="",
+            verification_uri_complete="",
+            expires_in=0,
+            interval=0,
+        )
+
+    def validate_tokens_in_metadata(
+        self, metadata: Sequence[tuple[str, Union[str, bytes]]]
+    ) -> tuple[bool, Optional[AccountInfo]]:
+        """Return valid for no-op plugin."""
+        return True, NOOP_ACCOUNT_INFO
+
+    def get_auth_tokens(self, device_code: str) -> Optional[AccountAuthCredentials]:
+        """Get authentication tokens."""
+        raise RuntimeError("NoOp plugin does not support getting auth tokens.")
+
+    def refresh_tokens(
+        self, metadata: Sequence[tuple[str, Union[str, bytes]]]
+    ) -> tuple[
+        Optional[Sequence[tuple[str, Union[str, bytes]]]], Optional[AccountInfo]
+    ]:
+        """Refresh authentication tokens in the provided metadata."""
+        return metadata, NOOP_ACCOUNT_INFO
+
+
+class NoOpControlAuthzPlugin(ControlAuthzPlugin):
+    """No-operation implementation of ControlAuthzPlugin."""
+
+    def __init__(self, account_auth_config_path: Path, verify_tls_cert: bool):
+        pass
+
+    def authorize(self, account_info: AccountInfo) -> bool:
+        """Return True for no-op plugin."""
+        return True

flwr/superlink/servicer/control/{control_user_auth_interceptor.py → control_account_auth_interceptor.py}

@@ -20,7 +20,6 @@ from typing import Any, Callable, Union
 
 import grpc
 
-from flwr.common.auth_plugin import ControlAuthPlugin, ControlAuthzPlugin
 from flwr.common.typing import AccountInfo
 from flwr.proto.control_pb2 import (  # pylint: disable=E0611
     GetAuthTokensRequest,
@@ -32,6 +31,7 @@ from flwr.proto.control_pb2 import (  # pylint: disable=E0611
     StreamLogsRequest,
     StreamLogsResponse,
 )
+from flwr.superlink.auth_plugin import ControlAuthnPlugin, ControlAuthzPlugin
 
 Request = Union[
     StartRunRequest,
@@ -50,15 +50,15 @@ shared_account_info: contextvars.ContextVar[AccountInfo] = contextvars.ContextVa
 )
 
 
-class ControlUserAuthInterceptor(grpc.ServerInterceptor):  # type: ignore
-    """Control API interceptor for user authentication."""
+class ControlAccountAuthInterceptor(grpc.ServerInterceptor):  # type: ignore
+    """Control API interceptor for account authentication."""
 
     def __init__(
         self,
-        auth_plugin: ControlAuthPlugin,
+        authn_plugin: ControlAuthnPlugin,
         authz_plugin: ControlAuthzPlugin,
     ):
-        self.auth_plugin = auth_plugin
+        self.authn_plugin = authn_plugin
         self.authz_plugin = authz_plugin
 
     def intercept_service(
@@ -96,45 +96,45 @@ class ControlUserAuthInterceptor(grpc.ServerInterceptor):  # type: ignore
             if isinstance(request, (GetLoginDetailsRequest, GetAuthTokensRequest)):
                 return call(request, context)  # type: ignore
 
-            # For other requests, check if the user is authenticated
-            valid_tokens, account_info = self.auth_plugin.validate_tokens_in_metadata(
+            # For other requests, check if the account is authenticated
+            valid_tokens, account_info = self.authn_plugin.validate_tokens_in_metadata(
                 metadata
             )
             if valid_tokens:
                 if account_info is None:
                     context.abort(
                         grpc.StatusCode.UNAUTHENTICATED,
-                        "Tokens validated, but user info not found",
+                        "Tokens validated, but account info not found",
                     )
                     raise grpc.RpcError()
-                # Store user info in contextvars for authenticated users
+                # Store account info in contextvars for authenticated accounts
                 shared_account_info.set(account_info)
-                # Check if the user is authorized
-                if not self.authz_plugin.verify_user_authorization(account_info):
+                # Check if the account is authorized
+                if not self.authz_plugin.authorize(account_info):
                     context.abort(
                         grpc.StatusCode.PERMISSION_DENIED,
-                        "❗️ User not authorized. "
+                        "❗️ Account not authorized. "
                         "Please contact the SuperLink administrator.",
                     )
                     raise grpc.RpcError()
                 return call(request, context)  # type: ignore
 
-            # If the user is not authenticated, refresh tokens
-            tokens, account_info = self.auth_plugin.refresh_tokens(metadata)
+            # If the account is not authenticated, refresh tokens
+            tokens, account_info = self.authn_plugin.refresh_tokens(metadata)
             if tokens is not None:
                 if account_info is None:
                     context.abort(
                         grpc.StatusCode.UNAUTHENTICATED,
-                        "Tokens refreshed, but user info not found",
+                        "Tokens refreshed, but account info not found",
                     )
                     raise grpc.RpcError()
-                # Store user info in contextvars for authenticated users
+                # Store account info in contextvars for authenticated accounts
                 shared_account_info.set(account_info)
-                # Check if the user is authorized
-                if not self.authz_plugin.verify_user_authorization(account_info):
+                # Check if the account is authorized
+                if not self.authz_plugin.authorize(account_info):
                     context.abort(
                         grpc.StatusCode.PERMISSION_DENIED,
-                        "❗️ User not authorized. "
+                        "❗️ Account not authorized. "
                         "Please contact the SuperLink administrator.",
                     )
                     raise grpc.RpcError()

flwr/superlink/servicer/control/control_event_log_interceptor.py

@@ -24,7 +24,7 @@ from google.protobuf.message import Message as GrpcMessage
 from flwr.common.event_log_plugin.event_log_plugin import EventLogWriterPlugin
 from flwr.common.typing import LogEntry
 
-from .control_user_auth_interceptor import shared_account_info
+from .control_account_auth_interceptor import shared_account_info
 
 
 class ControlEventLogInterceptor(grpc.ServerInterceptor):  # type: ignore

flwr/superlink/servicer/control/control_grpc.py

@@ -21,7 +21,6 @@ from typing import Optional
 import grpc
 
 from flwr.common import GRPC_MAX_MESSAGE_LENGTH
-from flwr.common.auth_plugin import ControlAuthPlugin, ControlAuthzPlugin
 from flwr.common.event_log_plugin import EventLogWriterPlugin
 from flwr.common.exit import ExitCode, flwr_exit
 from flwr.common.grpc import generic_create_grpc_server
@@ -31,11 +30,17 @@ from flwr.server.superlink.linkstate import LinkStateFactory
 from flwr.supercore.ffs import FfsFactory
 from flwr.supercore.license_plugin import LicensePlugin
 from flwr.supercore.object_store import ObjectStoreFactory
+from flwr.superlink.artifact_provider import ArtifactProvider
+from flwr.superlink.auth_plugin import (
+    ControlAuthnPlugin,
+    ControlAuthzPlugin,
+    NoOpControlAuthnPlugin,
+)
 
+from .control_account_auth_interceptor import ControlAccountAuthInterceptor
 from .control_event_log_interceptor import ControlEventLogInterceptor
 from .control_license_interceptor import ControlLicenseInterceptor
 from .control_servicer import ControlServicer
-from .control_user_auth_interceptor import ControlUserAuthInterceptor
 
 try:
     from flwr.ee import get_license_plugin
@@ -53,9 +58,10 @@ def run_control_api_grpc(
     objectstore_factory: ObjectStoreFactory,
     certificates: Optional[tuple[bytes, bytes, bytes]],
     is_simulation: bool,
-    auth_plugin: Optional[ControlAuthPlugin] = None,
-    authz_plugin: Optional[ControlAuthzPlugin] = None,
+    authn_plugin: ControlAuthnPlugin,
+    authz_plugin: ControlAuthzPlugin,
     event_log_plugin: Optional[EventLogWriterPlugin] = None,
+    artifact_provider: Optional[ArtifactProvider] = None,
 ) -> grpc.Server:
     """Run Control API (gRPC, request-response)."""
     license_plugin: Optional[LicensePlugin] = get_license_plugin()
@@ -67,14 +73,13 @@ def run_control_api_grpc(
         ffs_factory=ffs_factory,
         objectstore_factory=objectstore_factory,
         is_simulation=is_simulation,
-        auth_plugin=auth_plugin,
+        authn_plugin=authn_plugin,
+        artifact_provider=artifact_provider,
     )
-    interceptors: list[grpc.ServerInterceptor] = []
+    interceptors = [ControlAccountAuthInterceptor(authn_plugin, authz_plugin)]
     if license_plugin is not None:
         interceptors.append(ControlLicenseInterceptor(license_plugin))
-    if auth_plugin is not None and authz_plugin is not None:
-        interceptors.append(ControlUserAuthInterceptor(auth_plugin, authz_plugin))
-    # Event log interceptor must be added after user auth interceptor
+    # Event log interceptor must be added after account auth interceptor
     if event_log_plugin is not None:
         interceptors.append(ControlEventLogInterceptor(event_log_plugin))
         log(INFO, "Flower event logging enabled")
@@ -87,12 +92,12 @@ def run_control_api_grpc(
         interceptors=interceptors or None,
     )
 
-    if auth_plugin is None:
+    if isinstance(authn_plugin, NoOpControlAuthnPlugin):
         log(INFO, "Flower Deployment Runtime: Starting Control API on %s", address)
     else:
         log(
             INFO,
-            "Flower Deployment Runtime: Starting Control API with user "
+            "Flower Deployment Runtime: Starting Control API with account "
             "authentication on %s",
             address,
         )