flwr 1.23.0__py3-none-any.whl → 1.24.0__py3-none-any.whl

flwr/superlink/federation/noop_federation_manager.py

@@ -0,0 +1,71 @@
+# Copyright 2025 Flower Labs GmbH. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ==============================================================================
+"""NoOp implementation of FederationManager."""
+
+
+from flwr.common.constant import NOOP_FLWR_AID
+from flwr.common.typing import Federation
+from flwr.supercore.constant import NOOP_FEDERATION
+
+from .federation_manager import FederationManager
+
+
+class NoOpFederationManager(FederationManager):
+    """No-Op FederationManager implementation."""
+
+    def exists(self, federation: str) -> bool:
+        """Check if a federation exists."""
+        return federation == NOOP_FEDERATION
+
+    def has_member(self, flwr_aid: str, federation: str) -> bool:
+        """Check if the given account is a member of the federation."""
+        if not self.exists(federation):
+            raise ValueError(f"Federation '{federation}' does not exist.")
+        return flwr_aid == NOOP_FLWR_AID
+
+    def filter_nodes(self, node_ids: set[int], federation: str) -> set[int]:
+        """Given a list of node IDs, return sublist with nodes in federation."""
+        if not self.exists(federation):
+            raise ValueError(f"Federation '{federation}' does not exist.")
+        return node_ids
+
+    def has_node(self, node_id: int, federation: str) -> bool:
+        """Given a node ID, check if it is in the federation."""
+        if not self.exists(federation):
+            raise ValueError(f"Federation '{federation}' does not exist.")
+        return True
+
+    def get_federations(self, flwr_aid: str) -> list[str]:
+        """Get federations of which the account is a member."""
+        if flwr_aid != NOOP_FLWR_AID:
+            return []
+        return [NOOP_FEDERATION]
+
+    def get_details(self, federation: str) -> Federation:
+        """Get details of the federation."""
+        if federation != NOOP_FEDERATION:
+            raise ValueError(f"Federation '{federation}' does not exist.")
+
+        run_ids = self.linkstate.get_run_ids(flwr_aid=NOOP_FLWR_AID)
+        nodes = list(self.linkstate.get_node_info(owner_aids=[NOOP_FLWR_AID]))
+        runs = [
+            run for run_id in run_ids if (run := self.linkstate.get_run(run_id=run_id))
+        ]
+        return Federation(
+            name=NOOP_FEDERATION,
+            member_aids=[NOOP_FLWR_AID],
+            nodes=nodes,
+            runs=runs,
+        )

flwr/superlink/servicer/control/control_account_auth_interceptor.py

@@ -16,7 +16,8 @@
 
 
 import contextvars
-from typing import Any, Callable, Union
+from collections.abc import Callable
+from typing import Any
 
 import grpc
 
@@ -33,23 +34,31 @@ from flwr.proto.control_pb2 import (  # pylint: disable=E0611
 )
 from flwr.superlink.auth_plugin import ControlAuthnPlugin, ControlAuthzPlugin
 
-Request = Union[
-    StartRunRequest,
-    StreamLogsRequest,
-    GetLoginDetailsRequest,
-    GetAuthTokensRequest,
-]
+Request = (
+    StartRunRequest | StreamLogsRequest | GetLoginDetailsRequest | GetAuthTokensRequest
+)
 
-Response = Union[
-    StartRunResponse, StreamLogsResponse, GetLoginDetailsResponse, GetAuthTokensResponse
-]
+Response = (
+    StartRunResponse
+    | StreamLogsResponse
+    | GetLoginDetailsResponse
+    | GetAuthTokensResponse
+)
 
 
-shared_account_info: contextvars.ContextVar[AccountInfo] = contextvars.ContextVar(
-    "account_info", default=AccountInfo(flwr_aid=None, account_name=None)
+shared_account_info: contextvars.ContextVar[AccountInfo | None] = (
+    contextvars.ContextVar("account_info", default=None)
 )
 
 
+def get_current_account_info() -> AccountInfo:
+    """Get the current account info from context, or return a default if not set."""
+    account_info = shared_account_info.get()
+    if account_info is None:
+        return AccountInfo(flwr_aid=None, account_name=None)
+    return account_info
+
+
 class ControlAccountAuthInterceptor(grpc.ServerInterceptor):  # type: ignore
     """Control API interceptor for account authentication."""
 
@@ -93,7 +102,7 @@ class ControlAccountAuthInterceptor(grpc.ServerInterceptor):  # type: ignore
 
             # Intercept GetLoginDetails and GetAuthTokens requests, and return
             # the response without authentication
-            if isinstance(request, (GetLoginDetailsRequest, GetAuthTokensRequest)):
+            if isinstance(request, (GetLoginDetailsRequest | GetAuthTokensRequest)):
                 return call(request, context)  # type: ignore
 
             # For other requests, check if the account is authenticated

flwr/superlink/servicer/control/control_event_log_interceptor.py

@@ -15,8 +15,8 @@
 """Flower Control API event log interceptor."""
 
 
-from collections.abc import Iterator
-from typing import Any, Callable, Union, cast
+from collections.abc import Callable, Iterator
+from typing import Any, cast
 
 import grpc
 from google.protobuf.message import Message as GrpcMessage
@@ -24,7 +24,7 @@ from google.protobuf.message import Message as GrpcMessage
 from flwr.common.event_log_plugin.event_log_plugin import EventLogWriterPlugin
 from flwr.common.typing import LogEntry
 
-from .control_account_auth_interceptor import shared_account_info
+from .control_account_auth_interceptor import get_current_account_info
 
 
 class ControlEventLogInterceptor(grpc.ServerInterceptor):  # type: ignore
@@ -60,13 +60,13 @@ class ControlEventLogInterceptor(grpc.ServerInterceptor):  # type: ignore
         def _generic_method_handler(
             request: GrpcMessage,
             context: grpc.ServicerContext,
-        ) -> Union[GrpcMessage, Iterator[GrpcMessage], BaseException]:
+        ) -> GrpcMessage | Iterator[GrpcMessage] | BaseException:
             log_entry: LogEntry
             # Log before call
             log_entry = self.log_plugin.compose_log_before_event(
                 request=request,
                 context=context,
-                account_info=shared_account_info.get(),
+                account_info=get_current_account_info(),
                 method_name=method_name,
             )
             self.log_plugin.write_log(log_entry)
@@ -85,7 +85,7 @@ class ControlEventLogInterceptor(grpc.ServerInterceptor):  # type: ignore
                     log_entry = self.log_plugin.compose_log_after_event(
                         request=request,
                         context=context,
-                        account_info=shared_account_info.get(),
+                        account_info=get_current_account_info(),
                         method_name=method_name,
                         response=unary_response or error,
                     )
@@ -115,7 +115,7 @@ class ControlEventLogInterceptor(grpc.ServerInterceptor):  # type: ignore
                         log_entry = self.log_plugin.compose_log_after_event(
                             request=request,
                             context=context,
-                            account_info=shared_account_info.get(),
+                            account_info=get_current_account_info(),
                             method_name=method_name,
                             response=stream_response or error,
                         )

flwr/superlink/servicer/control/control_grpc.py

@@ -16,7 +16,6 @@
 
 
 from logging import INFO
-from typing import Optional
 
 import grpc
 
@@ -46,7 +45,7 @@ try:
     from flwr.ee import get_license_plugin
 except ImportError:
 
-    def get_license_plugin() -> Optional[LicensePlugin]:
+    def get_license_plugin() -> LicensePlugin | None:
         """Return the license plugin."""
 
 
@@ -56,15 +55,15 @@ def run_control_api_grpc(
     state_factory: LinkStateFactory,
     ffs_factory: FfsFactory,
     objectstore_factory: ObjectStoreFactory,
-    certificates: Optional[tuple[bytes, bytes, bytes]],
+    certificates: tuple[bytes, bytes, bytes] | None,
     is_simulation: bool,
     authn_plugin: ControlAuthnPlugin,
     authz_plugin: ControlAuthzPlugin,
-    event_log_plugin: Optional[EventLogWriterPlugin] = None,
-    artifact_provider: Optional[ArtifactProvider] = None,
+    event_log_plugin: EventLogWriterPlugin | None = None,
+    artifact_provider: ArtifactProvider | None = None,
 ) -> grpc.Server:
     """Run Control API (gRPC, request-response)."""
-    license_plugin: Optional[LicensePlugin] = get_license_plugin()
+    license_plugin: LicensePlugin | None = get_license_plugin()
     if license_plugin and not license_plugin.check_license():
         flwr_exit(ExitCode.SUPERLINK_LICENSE_INVALID)
 

flwr/superlink/servicer/control/control_license_interceptor.py

@@ -15,8 +15,8 @@
 """Flower Control API license interceptor."""
 
 
-from collections.abc import Iterator
-from typing import Any, Callable, Union
+from collections.abc import Callable, Iterator
+from typing import Any
 
 import grpc
 from google.protobuf.message import Message as GrpcMessage
@@ -57,7 +57,7 @@ class ControlLicenseInterceptor(grpc.ServerInterceptor):  # type: ignore
         def _generic_method_handler(
             request: GrpcMessage,
             context: grpc.ServicerContext,
-        ) -> Union[GrpcMessage, Iterator[GrpcMessage]]:
+        ) -> GrpcMessage | Iterator[GrpcMessage]:
             """Handle the method call with license checking."""
             call = method_handler.unary_unary or method_handler.unary_stream
 

flwr/superlink/servicer/control/control_servicer.py

@@ -19,7 +19,7 @@ import hashlib
 import time
 from collections.abc import Generator, Sequence
 from logging import ERROR, INFO
-from typing import Any, Optional, cast
+from typing import Any, cast
 
 import grpc
 
@@ -52,6 +52,8 @@ from flwr.proto.control_pb2 import (  # pylint: disable=E0611
     GetAuthTokensResponse,
     GetLoginDetailsRequest,
     GetLoginDetailsResponse,
+    ListFederationsRequest,
+    ListFederationsResponse,
     ListNodesRequest,
     ListNodesResponse,
     ListRunsRequest,
@@ -60,6 +62,8 @@ from flwr.proto.control_pb2 import (  # pylint: disable=E0611
     PullArtifactsResponse,
     RegisterNodeRequest,
     RegisterNodeResponse,
+    ShowFederationRequest,
+    ShowFederationResponse,
     StartRunRequest,
     StartRunResponse,
     StopRunRequest,
@@ -69,6 +73,7 @@ from flwr.proto.control_pb2 import (  # pylint: disable=E0611
     UnregisterNodeRequest,
     UnregisterNodeResponse,
 )
+from flwr.proto.federation_pb2 import Federation  # pylint: disable=E0611
 from flwr.proto.node_pb2 import NodeInfo  # pylint: disable=E0611
 from flwr.server.superlink.linkstate import LinkState, LinkStateFactory
 from flwr.supercore.ffs import FfsFactory
@@ -77,7 +82,7 @@ from flwr.supercore.primitives.asymmetric import bytes_to_public_key, uses_nist_
 from flwr.superlink.artifact_provider import ArtifactProvider
 from flwr.superlink.auth_plugin import ControlAuthnPlugin
 
-from .control_account_auth_interceptor import shared_account_info
+from .control_account_auth_interceptor import get_current_account_info
 
 
 class ControlServicer(control_pb2_grpc.ControlServicer):
@@ -90,7 +95,7 @@ class ControlServicer(control_pb2_grpc.ControlServicer):
         objectstore_factory: ObjectStoreFactory,
         is_simulation: bool,
         authn_plugin: ControlAuthnPlugin,
-        artifact_provider: Optional[ArtifactProvider] = None,
+        artifact_provider: ArtifactProvider | None = None,
     ) -> None:
         self.linkstate_factory = linkstate_factory
         self.ffs_factory = ffs_factory
@@ -115,8 +120,8 @@ class ControlServicer(control_pb2_grpc.ControlServicer):
             )
             return StartRunResponse()
 
-        flwr_aid = shared_account_info.get().flwr_aid
-        _check_flwr_aid_exists(flwr_aid, context)
+        flwr_aid = get_current_account_info().flwr_aid
+        flwr_aid = _check_flwr_aid_exists(flwr_aid, context)
         override_config = user_config_from_proto(request.override_config)
         federation_options = config_record_from_proto(request.federation_options)
         fab_file = request.fab.content
@@ -128,6 +133,19 @@ class ControlServicer(control_pb2_grpc.ControlServicer):
                     "Federation options doesn't contain key `num-supernodes`."
                 )
 
+            # Check (1) federation exists and (2) the flwr_aid is a member
+            federation = request.federation
+
+            if not state.federation_manager.exists(federation):
+                raise ValueError(f"Federation '{federation}' does not exist.")
+
+            if not state.federation_manager.has_member(flwr_aid, federation):
+                raise ValueError(
+                    f"Account with ID '{flwr_aid}' is not a member of the "
+                    f"federation '{federation}'. Please log in with another account "
+                    "or request access to this federation."
+                )
+
             # Create run
             fab = Fab(
                 hashlib.sha256(fab_file).hexdigest(),
@@ -146,6 +164,7 @@ class ControlServicer(control_pb2_grpc.ControlServicer):
                 fab_version,
                 fab_hash,
                 override_config,
+                request.federation,
                 federation_options,
                 flwr_aid,
             )
@@ -174,7 +193,10 @@ class ControlServicer(control_pb2_grpc.ControlServicer):
         # pylint: disable-next=broad-except
         except Exception as e:
             log(ERROR, "Could not start run: %s", str(e))
-            return StartRunResponse()
+            context.abort(
+                grpc.StatusCode.FAILED_PRECONDITION,
+                str(e),
+            )
 
         log(INFO, "Created run %s", str(run_id))
         return StartRunResponse(run_id=run_id)
@@ -195,7 +217,7 @@ class ControlServicer(control_pb2_grpc.ControlServicer):
             context.abort(grpc.StatusCode.NOT_FOUND, RUN_ID_NOT_FOUND_MESSAGE)
 
         # Check if `flwr_aid` matches the run's `flwr_aid`
-        flwr_aid = shared_account_info.get().flwr_aid
+        flwr_aid = get_current_account_info().flwr_aid
         _check_flwr_aid_in_run(flwr_aid=flwr_aid, run=cast(Run, run), context=context)
 
         after_timestamp = request.after_timestamp + 1e-6
@@ -234,7 +256,7 @@ class ControlServicer(control_pb2_grpc.ControlServicer):
         if not request.HasField("run_id"):
             # If no `run_id` is specified and account auth is enabled,
             # return run IDs for the authenticated account
-            flwr_aid = shared_account_info.get().flwr_aid
+            flwr_aid = get_current_account_info().flwr_aid
             _check_flwr_aid_exists(flwr_aid, context)
             run_ids = state.get_run_ids(flwr_aid=flwr_aid)
         # Build a set of run IDs for `flwr ls --run-id <run_id>`
@@ -249,7 +271,7 @@ class ControlServicer(control_pb2_grpc.ControlServicer):
                 raise grpc.RpcError()  # This line is unreachable
 
             # Check if `flwr_aid` matches the run's `flwr_aid`
-            flwr_aid = shared_account_info.get().flwr_aid
+            flwr_aid = get_current_account_info().flwr_aid
             _check_flwr_aid_in_run(flwr_aid=flwr_aid, run=run, context=context)
 
             run_ids = {run_id}
@@ -275,7 +297,7 @@ class ControlServicer(control_pb2_grpc.ControlServicer):
             raise grpc.RpcError()  # This line is unreachable
 
         # Check if `flwr_aid` matches the run's `flwr_aid`
-        flwr_aid = shared_account_info.get().flwr_aid
+        flwr_aid = get_current_account_info().flwr_aid
         _check_flwr_aid_in_run(flwr_aid=flwr_aid, run=run, context=context)
 
         run_status = state.get_run_status({run_id})[run_id]
@@ -285,11 +307,15 @@ class ControlServicer(control_pb2_grpc.ControlServicer):
                 f"Run ID {run_id} is already finished",
             )
 
+        # Update run status to finished:stopped
         update_success = state.update_run_status(
             run_id=run_id,
             new_status=RunStatus(Status.FINISHED, SubStatus.STOPPED, ""),
         )
 
+        # Delete the token associated with the run to stop further operations
+        state.delete_token(run_id)
+
         if update_success:
             message_ids: set[str] = state.get_message_ids_from_run_id(run_id)
 
@@ -385,7 +411,7 @@ class ControlServicer(control_pb2_grpc.ControlServicer):
             )
 
         # Check if `flwr_aid` matches the run's `flwr_aid`
-        flwr_aid = shared_account_info.get().flwr_aid
+        flwr_aid = get_current_account_info().flwr_aid
         _check_flwr_aid_in_run(flwr_aid=flwr_aid, run=run, context=context)
 
         # Call artifact provider
@@ -415,11 +441,14 @@ class ControlServicer(control_pb2_grpc.ControlServicer):
         state = self.linkstate_factory.state()
         node_id = 0
 
-        flwr_aid = shared_account_info.get().flwr_aid
+        flwr_aid = get_current_account_info().flwr_aid
         flwr_aid = _check_flwr_aid_exists(flwr_aid, context)
+        # Account name exists if `flwr_aid` exists
+        account_name = cast(str, get_current_account_info().account_name)
         try:
             node_id = state.create_node(
                 owner_aid=flwr_aid,
+                owner_name=account_name,
                 public_key=request.public_key,
                 heartbeat_interval=HEARTBEAT_DEFAULT_INTERVAL,
             )
@@ -443,7 +472,7 @@ class ControlServicer(control_pb2_grpc.ControlServicer):
         # Init link state
         state = self.linkstate_factory.state()
 
-        flwr_aid = shared_account_info.get().flwr_aid
+        flwr_aid = get_current_account_info().flwr_aid
         flwr_aid = _check_flwr_aid_exists(flwr_aid, context)
         try:
             state.delete_node(owner_aid=flwr_aid, node_id=request.node_id)
@@ -471,13 +500,70 @@ class ControlServicer(control_pb2_grpc.ControlServicer):
         # Init link state
         state = self.linkstate_factory.state()
 
-        flwr_aid = shared_account_info.get().flwr_aid
+        flwr_aid = get_current_account_info().flwr_aid
         flwr_aid = _check_flwr_aid_exists(flwr_aid, context)
         # Retrieve all nodes for the account
         nodes_info = state.get_node_info(owner_aids=[flwr_aid])
 
         return ListNodesResponse(nodes_info=nodes_info, now=now().isoformat())
 
+    def ListFederations(
+        self, request: ListFederationsRequest, context: grpc.ServicerContext
+    ) -> ListFederationsResponse:
+        """List all SuperNodes."""
+        log(INFO, "ControlServicer.ListFederations")
+
+        # Init link state
+        state = self.linkstate_factory.state()
+
+        flwr_aid = get_current_account_info().flwr_aid
+        flwr_aid = _check_flwr_aid_exists(flwr_aid, context)
+
+        # Get federations the account is a member of
+        federations = state.federation_manager.get_federations(flwr_aid=flwr_aid)
+
+        return ListFederationsResponse(
+            federations=[Federation(name=fed) for fed in federations]
+        )
+
+    def ShowFederation(
+        self, request: ShowFederationRequest, context: grpc.ServicerContext
+    ) -> ShowFederationResponse:
+        """Show details of a specific Federation."""
+        log(INFO, "ControlServicer.ShowFederation")
+
+        # Init link state
+        state = self.linkstate_factory.state()
+
+        flwr_aid = get_current_account_info().flwr_aid
+        flwr_aid = _check_flwr_aid_exists(flwr_aid, context)
+
+        # Get federations the account is a member of
+        federations = state.federation_manager.get_federations(flwr_aid=flwr_aid)
+
+        # Ensure flwr_aid is a member of the requested federation
+        federation = request.federation_name
+        if federation not in federations:
+            context.abort(
+                grpc.StatusCode.FAILED_PRECONDITION,
+                f"Federation '{federation}' does not exist or you are "
+                "not a member of it.",
+            )
+
+        # Fetch federation details
+        details = state.federation_manager.get_details(federation)
+
+        # Build Federation proto object
+        federation_proto = Federation(
+            name=federation,
+            member_aids=details.member_aids,
+            nodes=details.nodes,
+            runs=[run_to_proto(run) for run in details.runs],
+        )
+        return ShowFederationResponse(
+            federation=federation_proto, now=now().isoformat()
+        )
+
 
 def _create_list_runs_response(
     run_ids: set[int], state: LinkState, store: ObjectStore
@@ -496,9 +582,7 @@ def _create_list_runs_response(
     )
 
 
-def _check_flwr_aid_exists(
-    flwr_aid: Optional[str], context: grpc.ServicerContext
-) -> str:
+def _check_flwr_aid_exists(flwr_aid: str | None, context: grpc.ServicerContext) -> str:
     """Guard clause to check if `flwr_aid` exists."""
     if flwr_aid is None:
         context.abort(
@@ -510,7 +594,7 @@ def _check_flwr_aid_exists(
 
 
 def _check_flwr_aid_in_run(
-    flwr_aid: Optional[str], run: Run, context: grpc.ServicerContext
+    flwr_aid: str | None, run: Run, context: grpc.ServicerContext
 ) -> None:
     """Guard clause to check if `flwr_aid` matches the run's `flwr_aid`."""
     _check_flwr_aid_exists(flwr_aid, context)

flwr/supernode/cli/flower_supernode.py

@@ -18,11 +18,12 @@
 import argparse
 from logging import DEBUG, INFO, WARN
 from pathlib import Path
-from typing import Optional
 
+import yaml
 from cryptography.exceptions import UnsupportedAlgorithm
-from cryptography.hazmat.primitives.asymmetric import ec
+from cryptography.hazmat.primitives.asymmetric import ec, ed25519
 from cryptography.hazmat.primitives.serialization import load_ssh_private_key
+from cryptography.hazmat.primitives.serialization.ssh import load_ssh_public_key
 
 from flwr.common import EventType, event
 from flwr.common.args import try_obtain_root_certificates
@@ -58,6 +59,9 @@ def flower_supernode() -> None:
             "Ignoring `--flwr-dir`.",
         )
 
+    trusted_entities = _try_obtain_trusted_entities(args.trusted_entities)
+    if trusted_entities:
+        _validate_public_keys_ed25519(trusted_entities)
     root_certificates = try_obtain_root_certificates(args, args.superlink)
     authentication_keys = _try_setup_client_authentication(args)
 
@@ -85,6 +89,7 @@ def flower_supernode() -> None:
         isolation=args.isolation,
         clientappio_api_address=args.clientappio_api_address,
         health_server_address=args.health_server_address,
+        trusted_entities=trusted_entities,
     )
 
 
@@ -124,6 +129,18 @@ def _parse_args_run_supernode() -> argparse.ArgumentParser:
         help="ClientAppIo API (gRPC) server address (IPv4, IPv6, or a domain name). "
         f"By default, it is set to {CLIENTAPPIO_API_DEFAULT_SERVER_ADDRESS}.",
     )
+    parser.add_argument(
+        "--trusted-entities",
+        type=Path,
+        default=None,
+        metavar="YAML_FILE",
+        help=(
+            "Path to a YAML file defining trusted entities. "
+            "The file must map public key IDs to public keys. "
+            "Example: { fpk_UUID1: 'ssh-ed25519 <key1> [comment1]', "
+            "fpk_UUID2: 'ssh-ed25519 <key2> [comment2]' }"
+        ),
+    )
     add_args_health(parser)
 
     return parser
@@ -210,7 +227,7 @@ def _parse_args_common(parser: argparse.ArgumentParser) -> None:
 
 def _try_setup_client_authentication(
     args: argparse.Namespace,
-) -> Optional[tuple[ec.EllipticCurvePrivateKey, ec.EllipticCurvePublicKey]]:
+) -> tuple[ec.EllipticCurvePrivateKey, ec.EllipticCurvePublicKey] | None:
     if not args.auth_supernode_private_key:
         return None
 
@@ -235,3 +252,41 @@ def _try_setup_client_authentication(
             "private key provided by `--auth-supernode-private-key`.",
         )
     return ssh_private_key, ssh_private_key.public_key()
+
+
+def _try_obtain_trusted_entities(
+    trusted_entities_path: Path | None,
+) -> dict[str, str] | None:
+    """Validate and return the trust entities."""
+    if not trusted_entities_path:
+        return None
+    if not trusted_entities_path.is_file():
+        flwr_exit(
+            ExitCode.SUPERNODE_INVALID_TRUSTED_ENTITIES,
+            "Path argument `--trusted-entities` does not point to a file.",
+        )
+    try:
+        with trusted_entities_path.open("r", encoding="utf-8") as f:
+            trusted_entities = yaml.safe_load(f)
+        if not isinstance(trusted_entities, dict):
+            raise ValueError("Invalid trusted entities format.")
+    except (yaml.YAMLError, ValueError) as e:
+        flwr_exit(
+            ExitCode.SUPERNODE_INVALID_TRUSTED_ENTITIES,
+            f"Failed to read YAML file '{trusted_entities_path}': {e}",
+        )
+    return trusted_entities
+
+
+def _validate_public_keys_ed25519(trusted_entities: dict[str, str]) -> None:
+    """Validate public keys for the trust entities are Ed25519."""
+    for public_key_id in trusted_entities.keys():
+        verifier_public_key = load_ssh_public_key(
+            trusted_entities[public_key_id].encode("utf-8")
+        )
+        if not isinstance(verifier_public_key, ed25519.Ed25519PublicKey):
+            flwr_exit(
+                ExitCode.SUPERNODE_INVALID_TRUSTED_ENTITIES,
+                "The provided public key associated with "
+                f"trusted entity {public_key_id} is not Ed25519.",
+            )