flwr 1.22.0__py3-none-any.whl → 1.23.0__py3-none-any.whl

flwr/server/app.py

@@ -16,30 +16,26 @@
 
 
 import argparse
-import csv
 import importlib.util
 import os
 import subprocess
 import sys
 import threading
 from collections.abc import Sequence
-from logging import DEBUG, INFO, WARN
+from logging import INFO, WARN
 from pathlib import Path
 from time import sleep
-from typing import Any, Callable, Optional, TypeVar
+from typing import Callable, Optional, TypeVar, cast
 
 import grpc
 import yaml
-from cryptography.hazmat.primitives.asymmetric import ec
-from cryptography.hazmat.primitives.serialization import load_ssh_public_key
 
 from flwr.common import GRPC_MAX_MESSAGE_LENGTH, EventType, event
 from flwr.common.address import parse_address
 from flwr.common.args import try_obtain_server_certificates
-from flwr.common.auth_plugin import ControlAuthPlugin, ControlAuthzPlugin
 from flwr.common.config import get_flwr_dir
 from flwr.common.constant import (
-    AUTH_TYPE_YAML_KEY,
+    AUTHN_TYPE_YAML_KEY,
     AUTHZ_TYPE_YAML_KEY,
     CLIENT_OCTET,
     CONTROL_API_DEFAULT_SERVER_ADDRESS,
@@ -53,6 +49,8 @@ from flwr.common.constant import (
     TRANSPORT_TYPE_GRPC_ADAPTER,
     TRANSPORT_TYPE_GRPC_RERE,
     TRANSPORT_TYPE_REST,
+    AuthnType,
+    AuthzType,
     EventLogWriterType,
     ExecPluginType,
 )
@@ -60,37 +58,43 @@ from flwr.common.event_log_plugin import EventLogWriterPlugin
 from flwr.common.exit import ExitCode, flwr_exit, register_signal_handlers
 from flwr.common.grpc import generic_create_grpc_server
 from flwr.common.logger import log
-from flwr.common.secure_aggregation.crypto.symmetric_encryption import (
-    public_key_to_bytes,
-)
+from flwr.common.version import package_version
 from flwr.proto.fleet_pb2_grpc import (  # pylint: disable=E0611
     add_FleetServicer_to_server,
 )
 from flwr.proto.grpcadapter_pb2_grpc import add_GrpcAdapterServicer_to_server
 from flwr.server.fleet_event_log_interceptor import FleetEventLogInterceptor
+from flwr.supercore.constant import FLWR_IN_MEMORY_DB_NAME
 from flwr.supercore.ffs import FfsFactory
 from flwr.supercore.grpc_health import add_args_health, run_health_server_grpc_no_tls
 from flwr.supercore.object_store import ObjectStoreFactory
 from flwr.superlink.artifact_provider import ArtifactProvider
+from flwr.superlink.auth_plugin import (
+    ControlAuthnPlugin,
+    ControlAuthzPlugin,
+    NoOpControlAuthnPlugin,
+    NoOpControlAuthzPlugin,
+)
 from flwr.superlink.servicer.control import run_control_api_grpc
 
 from .superlink.fleet.grpc_adapter.grpc_adapter_servicer import GrpcAdapterServicer
 from .superlink.fleet.grpc_rere.fleet_servicer import FleetServicer
-from .superlink.fleet.grpc_rere.server_interceptor import AuthenticateServerInterceptor
+from .superlink.fleet.grpc_rere.node_auth_server_interceptor import (
+    NodeAuthServerInterceptor,
+)
 from .superlink.linkstate import LinkStateFactory
 from .superlink.serverappio.serverappio_grpc import run_serverappio_api_grpc
 from .superlink.simulation.simulationio_grpc import run_simulationio_api_grpc
 
-DATABASE = ":flwr-in-memory-state:"
 BASE_DIR = get_flwr_dir() / "superlink" / "ffs"
-P = TypeVar("P", ControlAuthPlugin, ControlAuthzPlugin)
+P = TypeVar("P", ControlAuthnPlugin, ControlAuthzPlugin)
 
 
 try:
     from flwr.ee import (
         add_ee_args_superlink,
-        get_control_auth_plugins,
-        get_control_authz_plugins,
+        get_control_authn_ee_plugins,
+        get_control_authz_ee_plugins,
         get_control_event_log_writer_plugins,
         get_ee_artifact_provider,
         get_fleet_event_log_writer_plugins,
@@ -101,14 +105,6 @@ except ImportError:
     def add_ee_args_superlink(parser: argparse.ArgumentParser) -> None:
         """Add EE-specific arguments to the parser."""
 
-    def get_control_auth_plugins() -> dict[str, type[ControlAuthPlugin]]:
-        """Return all Control API authentication plugins."""
-        raise NotImplementedError("No authentication plugins are currently supported.")
-
-    def get_control_authz_plugins() -> dict[str, type[ControlAuthzPlugin]]:
-        """Return all Control API authorization plugins."""
-        raise NotImplementedError("No authorization plugins are currently supported.")
-
     def get_control_event_log_writer_plugins() -> dict[str, type[EventLogWriterPlugin]]:
         """Return all Control API event log writer plugins."""
         raise NotImplementedError(
@@ -125,6 +121,26 @@ except ImportError:
             "No event log writer plugins are currently supported."
         )
 
+    def get_control_authn_ee_plugins() -> dict[str, type[ControlAuthnPlugin]]:
+        """Return all Control API authentication plugins for EE."""
+        return {}
+
+    def get_control_authz_ee_plugins() -> dict[str, type[ControlAuthzPlugin]]:
+        """Return all Control API authorization plugins for EE."""
+        return {}
+
+
+def get_control_authn_plugins() -> dict[str, type[ControlAuthnPlugin]]:
+    """Return all Control API authentication plugins."""
+    ee_dict: dict[str, type[ControlAuthnPlugin]] = get_control_authn_ee_plugins()
+    return ee_dict | {AuthnType.NOOP: NoOpControlAuthnPlugin}
+
+
+def get_control_authz_plugins() -> dict[str, type[ControlAuthzPlugin]]:
+    """Return all Control API authorization plugins."""
+    ee_dict: dict[str, type[ControlAuthzPlugin]] = get_control_authz_ee_plugins()
+    return ee_dict | {AuthzType.NOOP: NoOpControlAuthzPlugin}
+
 
 # pylint: disable=too-many-branches, too-many-locals, too-many-statements
 def run_superlink() -> None:
@@ -189,18 +205,24 @@ def run_superlink() -> None:
     # Obtain certificates
     certificates = try_obtain_server_certificates(args)
 
-    # Disable the user auth TLS check if args.disable_oidc_tls_cert_verification is
+    # Disable the account auth TLS check if args.disable_oidc_tls_cert_verification is
     # provided
     verify_tls_cert = not getattr(args, "disable_oidc_tls_cert_verification", None)
 
-    auth_plugin: Optional[ControlAuthPlugin] = None
+    authn_plugin: Optional[ControlAuthnPlugin] = None
     authz_plugin: Optional[ControlAuthzPlugin] = None
     event_log_plugin: Optional[EventLogWriterPlugin] = None
-    # Load the auth plugin if the args.user_auth_config is provided
+    # Load the auth plugin if the args.account_auth_config is provided
     if cfg_path := getattr(args, "user_auth_config", None):
-        auth_plugin, authz_plugin = _try_obtain_control_auth_plugins(
-            Path(cfg_path), verify_tls_cert
+        log(
+            WARN,
+            "The `--user-auth-config` flag is deprecated and will be removed in a "
+            "future release. Please use `--account-auth-config` instead.",
         )
+        args.account_auth_config = cfg_path
+    cfg_path = getattr(args, "account_auth_config", None)
+    authn_plugin, authz_plugin = _load_control_auth_plugins(cfg_path, verify_tls_cert)
+    if cfg_path is not None:
         # Enable event logging if the args.enable_event_log is True
         if args.enable_event_log:
             event_log_plugin = _try_obtain_control_event_log_writer_plugin()
@@ -211,6 +233,54 @@ def run_superlink() -> None:
         log(WARN, "The `--artifact-provider-config` flag is highly experimental.")
         artifact_provider = get_ee_artifact_provider(cfg_path)
 
+    # Check for incompatible args with SuperNode authentication
+    enable_supernode_auth: bool = args.enable_supernode_auth
+    if enable_supernode_auth:
+        if args.insecure:
+            url_v = f"https://flower.ai/docs/framework/v{package_version}/en/"
+            page = "how-to-authenticate-supernodes.html"
+            flwr_exit(
+                ExitCode.SUPERLINK_INVALID_ARGS,
+                "The `--enable-supernode-auth` flag requires encrypted TLS "
+                "communications. Please provide TLS certificates using the "
+                "`--ssl-certfile`, `--ssl-keyfile` and `--ssl-ca-certfile` "
+                "arguments to your SuperLink. Please refer to the Flower "
+                f"documentation for more information: {url_v}{page}",
+            )
+        if args.fleet_api_type != TRANSPORT_TYPE_GRPC_RERE:
+            flwr_exit(
+                ExitCode.SUPERLINK_INVALID_ARGS,
+                "The `--enable-supernode-auth` flag is only supported "
+                "with the gRPC-rere Fleet API transport. Please set "
+                f"`--fleet-api-type` to `{TRANSPORT_TYPE_GRPC_RERE}`.",
+            )
+        if args.simulation:
+            log(
+                WARN,
+                "SuperNode authentication is not applicable with the simulation, "
+                "runtime as no SuperNodes can connect to this SuperLink. "
+                "Proceeding...",
+            )
+    # If supernode authentication is disabled, warn users
+    else:
+        log(
+            WARN,
+            "SuperNode authentication is disabled. The SuperLink will accept "
+            "connections from any SuperNode.",
+        )
+
+    if args.auth_list_public_keys:
+        url_v = f"https://flower.ai/docs/framework/v{package_version}/en/"
+        page = "how-to-authenticate-supernodes.html"
+        flwr_exit(
+            ExitCode.SUPERLINK_INVALID_ARGS,
+            "The `--auth-list-public-keys` "
+            "argument is no longer supported. To enable SuperNode authentication,  "
+            "use the `--enable-supernode-auth` flag and use the Flower CLI to register "
+            "SuperNodes by supplying their public keys. Please refer"
+            f" to the Flower documentation for more information: {url_v}{page}",
+        )
+
     # Initialize StateFactory
     state_factory = LinkStateFactory(args.database)
 
@@ -218,7 +288,7 @@ def run_superlink() -> None:
     ffs_factory = FfsFactory(args.storage_dir)
 
     # Initialize ObjectStoreFactory
-    objectstore_factory = ObjectStoreFactory()
+    objectstore_factory = ObjectStoreFactory(args.database)
 
     # Start Control API
     is_simulation = args.simulation
@@ -229,7 +299,7 @@ def run_superlink() -> None:
         objectstore_factory=objectstore_factory,
         certificates=certificates,
         is_simulation=is_simulation,
-        auth_plugin=auth_plugin,
+        authn_plugin=authn_plugin,
         authz_plugin=authz_plugin,
         event_log_plugin=event_log_plugin,
         artifact_provider=artifact_provider,
@@ -306,22 +376,8 @@ def run_superlink() -> None:
             fleet_thread.start()
             bckg_threads.append(fleet_thread)
         elif args.fleet_api_type == TRANSPORT_TYPE_GRPC_RERE:
-            node_public_keys = _try_load_public_keys_node_authentication(args)
-            auto_auth = True
-            if node_public_keys is not None:
-                auto_auth = False
-                state = state_factory.state()
-                state.clear_supernode_auth_keys()
-                state.store_node_public_keys(node_public_keys)
-                log(
-                    INFO,
-                    "Node authentication enabled with %d known public keys",
-                    len(node_public_keys),
-                )
-            else:
-                log(DEBUG, "Automatic node authentication enabled")
 
-            interceptors = [AuthenticateServerInterceptor(state_factory, auto_auth)]
+            interceptors = [NodeAuthServerInterceptor(state_factory)]
             if getattr(args, "enable_event_log", None):
                 fleet_log_plugin = _try_obtain_fleet_event_log_writer_plugin()
                 if fleet_log_plugin is not None:
@@ -333,6 +389,7 @@ def run_superlink() -> None:
                 state_factory=state_factory,
                 ffs_factory=ffs_factory,
                 objectstore_factory=objectstore_factory,
+                enable_supernode_auth=enable_supernode_auth,
                 certificates=certificates,
                 interceptors=interceptors,
             )
@@ -400,55 +457,21 @@ def _format_address(address: str) -> tuple[str, str, int]:
     return (f"[{host}]:{port}" if is_v6 else f"{host}:{port}", host, port)
 
 
-def _try_load_public_keys_node_authentication(
-    args: argparse.Namespace,
-) -> Optional[set[bytes]]:
-    """Return a set of node public keys."""
-    if args.auth_superlink_private_key or args.auth_superlink_public_key:
-        log(
-            WARN,
-            "The `--auth-superlink-private-key` and `--auth-superlink-public-key` "
-            "arguments are deprecated and will be removed in a future release. Node "
-            "authentication no longer requires these arguments.",
-        )
-
-    if not args.auth_list_public_keys:
-        return None
-
-    node_keys_file_path = Path(args.auth_list_public_keys)
-    if not node_keys_file_path.exists():
-        sys.exit(
-            "The provided path to the known public keys CSV file does not exist: "
-            f"{node_keys_file_path}. "
-            "Please provide the CSV file path containing known public keys "
-            "to '--auth-list-public-keys'."
-        )
-
-    node_public_keys: set[bytes] = set()
-
-    with open(node_keys_file_path, newline="", encoding="utf-8") as csvfile:
-        reader = csv.reader(csvfile)
-        for row in reader:
-            for element in row:
-                public_key = load_ssh_public_key(element.encode())
-                if isinstance(public_key, ec.EllipticCurvePublicKey):
-                    node_public_keys.add(public_key_to_bytes(public_key))
-                else:
-                    sys.exit(
-                        "Error: Unable to parse the public keys in the CSV "
-                        "file. Please ensure that the CSV file path points to a valid "
-                        "known SSH public keys files and try again."
-                    )
-    return node_public_keys
-
-
-def _try_obtain_control_auth_plugins(
-    config_path: Path, verify_tls_cert: bool
-) -> tuple[ControlAuthPlugin, ControlAuthzPlugin]:
+def _load_control_auth_plugins(
+    config_path: Optional[str], verify_tls_cert: bool
+) -> tuple[ControlAuthnPlugin, ControlAuthzPlugin]:
     """Obtain Control API authentication and authorization plugins."""
+    # Load NoOp plugins if no config path is provided
+    if config_path is None:
+        config_path = ""
+        config = {
+            "authentication": {AUTHN_TYPE_YAML_KEY: AuthnType.NOOP},
+            "authorization": {AUTHZ_TYPE_YAML_KEY: AuthzType.NOOP},
+        }
     # Load YAML file
-    with config_path.open("r", encoding="utf-8") as file:
-        config: dict[str, Any] = yaml.safe_load(file)
+    else:
+        with Path(config_path).open("r", encoding="utf-8") as file:
+            config = yaml.safe_load(file)
 
     def _load_plugin(
         section: str, yaml_key: str, loader: Callable[[], dict[str, type[P]]]
@@ -458,9 +481,7 @@ def _try_obtain_control_auth_plugins(
         try:
             plugins: dict[str, type[P]] = loader()
             plugin_cls: type[P] = plugins[auth_plugin_name]
-            return plugin_cls(
-                user_auth_config_path=config_path, verify_tls_cert=verify_tls_cert
-            )
+            return plugin_cls(Path(cast(str, config_path)), verify_tls_cert)
         except KeyError:
             if auth_plugin_name:
                 sys.exit(
@@ -468,14 +489,22 @@ def _try_obtain_control_auth_plugins(
                     f"Please provide a valid {section} type in the configuration."
                 )
             sys.exit(f"No {section} type is provided in the configuration.")
-        except NotImplementedError:
-            sys.exit(f"No {section} plugins are currently supported.")
+
+    # Warn deprecated auth_type key
+    if authn_type := config["authentication"].pop("auth_type", None):
+        log(
+            WARN,
+            "The `auth_type` key in the authentication configuration is deprecated. "
+            "Use `%s` instead.",
+            AUTHN_TYPE_YAML_KEY,
+        )
+        config["authentication"][AUTHN_TYPE_YAML_KEY] = authn_type
 
     # Load authentication plugin
-    auth_plugin = _load_plugin(
+    authn_plugin = _load_plugin(
         section="authentication",
-        yaml_key=AUTH_TYPE_YAML_KEY,
-        loader=get_control_auth_plugins,
+        yaml_key=AUTHN_TYPE_YAML_KEY,
+        loader=get_control_authn_plugins,
     )
 
     # Load authorization plugin
@@ -485,7 +514,7 @@ def _try_obtain_control_auth_plugins(
         loader=get_control_authz_plugins,
     )
 
-    return auth_plugin, authz_plugin
+    return authn_plugin, authz_plugin
 
 
 def _try_obtain_control_event_log_writer_plugin() -> Optional[EventLogWriterPlugin]:
@@ -521,6 +550,7 @@ def _run_fleet_api_grpc_rere(  # pylint: disable=R0913, R0917
     state_factory: LinkStateFactory,
     ffs_factory: FfsFactory,
     objectstore_factory: ObjectStoreFactory,
+    enable_supernode_auth: bool,
     certificates: Optional[tuple[bytes, bytes, bytes]],
     interceptors: Optional[Sequence[grpc.ServerInterceptor]] = None,
 ) -> grpc.Server:
@@ -530,6 +560,7 @@ def _run_fleet_api_grpc_rere(  # pylint: disable=R0913, R0917
         state_factory=state_factory,
         ffs_factory=ffs_factory,
         objectstore_factory=objectstore_factory,
+        enable_supernode_auth=enable_supernode_auth,
     )
     fleet_add_servicer_to_server_fn = add_FleetServicer_to_server
     fleet_grpc_server = generic_create_grpc_server(
@@ -548,6 +579,7 @@ def _run_fleet_api_grpc_rere(  # pylint: disable=R0913, R0917
     return fleet_grpc_server
 
 
+# pylint: disable=R0913, R0917
 def _run_fleet_api_grpc_adapter(
     address: str,
     state_factory: LinkStateFactory,
@@ -561,6 +593,7 @@ def _run_fleet_api_grpc_adapter(
         state_factory=state_factory,
         ffs_factory=ffs_factory,
         objectstore_factory=objectstore_factory,
+        enable_supernode_auth=False,
     )
     fleet_add_servicer_to_server_fn = add_GrpcAdapterServicer_to_server
     fleet_grpc_server = generic_create_grpc_server(
@@ -691,11 +724,9 @@ def _add_args_common(parser: argparse.ArgumentParser) -> None:
     parser.add_argument(
         "--database",
         help="A string representing the path to the database "
-        "file that will be opened. Note that passing ':memory:' "
-        "will open a connection to a database that is in RAM, "
-        "instead of on disk. If nothing is provided, "
+        "file that will be opened. If nothing is provided, "
         "Flower will just create a state in memory.",
-        default=DATABASE,
+        default=FLWR_IN_MEMORY_DB_NAME,
     )
     parser.add_argument(
         "--storage-dir",
@@ -705,18 +736,12 @@ def _add_args_common(parser: argparse.ArgumentParser) -> None:
     parser.add_argument(
         "--auth-list-public-keys",
         type=str,
-        help="A CSV file (as a path str) containing a list of known public "
-        "keys to enable authentication.",
-    )
-    parser.add_argument(
-        "--auth-superlink-private-key",
-        type=str,
         help="This argument is deprecated and will be removed in a future release.",
     )
     parser.add_argument(
-        "--auth-superlink-public-key",
-        type=str,
-        help="This argument is deprecated and will be removed in a future release.",
+        "--enable-supernode-auth",
+        action="store_true",
+        help="Enable supernode authentication.",
     )
 
 

flwr/server/superlink/fleet/grpc_adapter/grpc_adapter_servicer.py

@@ -33,10 +33,12 @@ from flwr.common.version import package_name, package_version
 from flwr.proto import grpcadapter_pb2_grpc  # pylint: disable=E0611
 from flwr.proto.fab_pb2 import GetFabRequest  # pylint: disable=E0611
 from flwr.proto.fleet_pb2 import (  # pylint: disable=E0611
-    CreateNodeRequest,
-    DeleteNodeRequest,
+    ActivateNodeRequest,
+    DeactivateNodeRequest,
     PullMessagesRequest,
     PushMessagesRequest,
+    RegisterNodeFleetRequest,
+    UnregisterNodeFleetRequest,
 )
 from flwr.proto.grpcadapter_pb2 import MessageContainer  # pylint: disable=E0611
 from flwr.proto.heartbeat_pb2 import SendNodeHeartbeatRequest  # pylint: disable=E0611
@@ -77,15 +79,23 @@ def _handle(
 class GrpcAdapterServicer(grpcadapter_pb2_grpc.GrpcAdapterServicer, FleetServicer):
     """Fleet API via GrpcAdapter servicer."""
 
-    def SendReceive(  # pylint: disable=too-many-return-statements
+    def SendReceive(  # pylint: disable=too-many-return-statements, too-many-branches
         self, request: MessageContainer, context: grpc.ServicerContext
     ) -> MessageContainer:
         """."""
         log(DEBUG, "GrpcAdapterServicer.SendReceive")
-        if request.grpc_message_name == CreateNodeRequest.__qualname__:
-            return _handle(request, context, CreateNodeRequest, self.CreateNode)
-        if request.grpc_message_name == DeleteNodeRequest.__qualname__:
-            return _handle(request, context, DeleteNodeRequest, self.DeleteNode)
+        if request.grpc_message_name == RegisterNodeFleetRequest.__qualname__:
+            return _handle(
+                request, context, RegisterNodeFleetRequest, self.RegisterNode
+            )
+        if request.grpc_message_name == ActivateNodeRequest.__qualname__:
+            return _handle(request, context, ActivateNodeRequest, self.ActivateNode)
+        if request.grpc_message_name == DeactivateNodeRequest.__qualname__:
+            return _handle(request, context, DeactivateNodeRequest, self.DeactivateNode)
+        if request.grpc_message_name == UnregisterNodeFleetRequest.__qualname__:
+            return _handle(
+                request, context, UnregisterNodeFleetRequest, self.UnregisterNode
+            )
         if request.grpc_message_name == SendNodeHeartbeatRequest.__qualname__:
             return _handle(
                 request, context, SendNodeHeartbeatRequest, self.SendNodeHeartbeat