Add HTTPS to REST API

.gitignore

@@ -50,6 +50,7 @@ share/python-wheels/
 .installed.cfg
 *.egg
 MANIFEST
+.srl
 
 # PyInstaller
 #  Usually these files are written by a python script from a template

src/py/flwr/client/app.py

@@ -88,10 +88,10 @@ def start_client(
     server_address: str,
     client: Client,
     grpc_max_message_length: int = GRPC_MAX_MESSAGE_LENGTH,
-    root_certificates: Optional[bytes] = None,
+    root_certificates: Optional[Union[bytes, str]] = None,
     rest: bool = False,
 ) -> None:
-    """Start a Flower Client which connects to a gRPC server.
+    """Start a Flower client node which connects to a Flower server.
 
     Parameters
     ----------
@@ -109,25 +109,25 @@ class `flwr.client.Client`.
         value. Note that the Flower server needs to be started with the
         same value (see `flwr.server.start_server`), otherwise it will not
         know about the increased limit and block larger messages.
-    root_certificates : bytes (default: None)
-        The PEM-encoded root certificates as a byte string. If provided, a secure
-        connection using the certificates will be established to a
-        SSL-enabled Flower server.
+    root_certificates : Optional[Union[bytes, str]] (default: None)
+        The PEM-encoded root certificates as a byte string or a path string.
+        If provided, a secure connection using the certificates will be
+        established to an SSL-enabled Flower server.
     rest : bool (default: False)
         Defines whether or not the client is interacting with the server using the
         experimental REST API. This feature is experimental, it might change
         considerably in future versions of Flower.
 
     Examples
     --------
-    Starting a client with insecure server connection:
+    Starting a gRPC client with an insecure server connection:
 
     >>> start_client(
     >>>     server_address=localhost:8080,
     >>>     client=FlowerClient(),
     >>> )
 
-    Starting a SSL-enabled client:
+    Starting an SSL-enabled gRPC client:
 
     >>> from pathlib import Path
     >>> start_client(
@@ -155,6 +155,11 @@ class `flwr.client.Client`.
                 "To use the REST API you must install the "
                 "extra dependencies by running `pip install flwr['rest']`."
             ) from missing_dep
+        if server_address[:4] != "http":
+            sys.exit(
+                "When using the REST API, please provide `https://` or "
+                "`http://` before the server address (e.g. `http://127.0.0.1:8080`)"
+            )
         connection = http_request_response
     else:
         connection = grpc_connection
@@ -218,9 +223,9 @@ def start_numpy_client(
         same value (see `flwr.server.start_server`), otherwise it will not
         know about the increased limit and block larger messages.
     root_certificates : bytes (default: None)
-        The PEM-encoded root certificates a byte string. If provided, a secure
-        connection using the certificates will be established to a
-        SSL-enabled Flower server.
+        The PEM-encoded root certificates as a byte string or a path string.
+        If provided, a secure connection using the certificates will be
+        established to an SSL-enabled Flower server.
     rest : bool (default: False)
         Defines whether or not the client is interacting with the server using the
         experimental REST API. This feature is experimental, it might be change

src/py/flwr/client/grpc_client/connection.py

@@ -17,8 +17,9 @@
 
 from contextlib import contextmanager
 from logging import DEBUG
+from pathlib import Path
 from queue import Queue
-from typing import Callable, Iterator, Optional, Tuple
+from typing import Callable, Iterator, Optional, Tuple, Union
 
 from flwr.common import GRPC_MAX_MESSAGE_LENGTH
 from flwr.common.grpc import create_channel
@@ -42,7 +43,7 @@ def on_channel_state_change(channel_connectivity: str) -> None:
 def grpc_connection(
     server_address: str,
     max_message_length: int = GRPC_MAX_MESSAGE_LENGTH,
-    root_certificates: Optional[bytes] = None,
+    root_certificates: Optional[Union[bytes, str]] = None,
 ) -> Iterator[Tuple[Callable[[], ServerMessage], Callable[[ClientMessage], None]]]:
     """Establish a gRPC connection to a gRPC server.
 
@@ -61,9 +62,9 @@ def grpc_connection(
         increased limit and block larger messages.
         (default: 536_870_912, this equals 512MB)
     root_certificates : Optional[bytes] (default: None)
-        The PEM-encoded root certificates as a byte string. If provided, a secure
-        connection using the certificates will be established to a SSL-enabled
-        Flower server.
+        The PEM-encoded root certificates as a byte string or a path string.
+        If provided, a secure connection using the certificates will be
+        established to an SSL-enabled Flower server.
 
     Returns
     -------
@@ -84,6 +85,9 @@ def grpc_connection(
     >>>     # do something here
     >>>     send(client_message)
     """
+    if isinstance(root_certificates, str):
+        root_certificates = Path(root_certificates).read_bytes()
+
     channel = create_channel(
         server_address=server_address,
         root_certificates=root_certificates,

src/py/flwr/client/rest_client/connection.py

@@ -17,7 +17,7 @@
 
 from contextlib import contextmanager
 from logging import ERROR, INFO, WARN
-from typing import Callable, Dict, Iterator, Optional, Tuple
+from typing import Callable, Dict, Iterator, Optional, Tuple, Union
 
 try:
     import requests
@@ -48,7 +48,9 @@
 def http_request_response(
     server_address: str,
     max_message_length: int = GRPC_MAX_MESSAGE_LENGTH,  # pylint: disable=W0613
-    root_certificates: Optional[bytes] = None,  # pylint: disable=unused-argument
+    root_certificates: Optional[
+        Union[bytes, str]
+    ] = None,  # pylint: disable=unused-argument
 ) -> Iterator[
     Tuple[Callable[[], Optional[ServerMessage]], Callable[[ClientMessage], None]]
 ]:
@@ -60,12 +62,15 @@ def http_request_response(
     Parameters
     ----------
     server_address : str
-        The IPv6 address of the server. If the Flower server runs on the same machine
-        on port 8080, then `server_address` would be `"[::]:8080"`.
+        The IPv6 address of the server with `http://` or `https://`.
+        If the Flower server runs on the same machine
+        on port 8080, then `server_address` would be `"http://[::]:8080"`.
     max_message_length : int
         Ignored, only present to preserve API-compatibility.
-    root_certificates : Optional[bytes] (default: None)
-        Ignored, for now.
+    root_certificates : Optional[Union[bytes, str]] (default: None)
+        Path of the root certificate. If provided, a secure
+        connection using the certificates will be established to an SSL-enabled
+        Flower server. Bytes won't work for the REST API.
 
     Returns
     -------
@@ -80,7 +85,21 @@ def http_request_response(
         """,
     )
 
-    base_url = f"http://{server_address}"
+    base_url = server_address
+
+    # NEVER SET VERIFY TO FALSE
+    # Otherwise any server can fake its identity
+    # Please refer to:
+    # https://requests.readthedocs.io/en/latest/user/advanced/#ssl-cert-verification
+    verify: Union[bool, str] = True
+    if isinstance(root_certificates, str):
+        verify = root_certificates
+    elif isinstance(root_certificates, bytes):
+        log(
+            ERROR,
+            "For the REST API, the root certificates "
+            "must be provided as a string path to the client.",
+        )
 
     # Necessary state to link TaskRes to TaskIns
     state: Dict[str, Optional[TaskIns]] = {"current_task_ins": None}
@@ -106,6 +125,7 @@ def receive() -> Optional[ServerMessage]:
                 "Content-Type": "application/protobuf",
             },
             data=pull_task_ins_req_bytes,
+            verify=verify,
         )
 
         # Check status code and headers
@@ -177,6 +197,7 @@ def send(client_message_proto: ClientMessage) -> None:
                 "Content-Type": "application/protobuf",
             },
             data=push_task_res_request_bytes,
+            verify=verify,
         )
 
         state["current_task_ins"] = None

src/py/flwr/server/app.py

@@ -19,7 +19,8 @@
 import sys
 import threading
 from dataclasses import dataclass
-from logging import INFO, WARN
+from logging import ERROR, INFO, WARN
+from os.path import isfile
 from signal import SIGINT, SIGTERM, signal
 from types import FrameType
 from typing import List, Optional, Tuple
@@ -348,7 +349,12 @@ def run_server() -> None:
         host, port, _ = parsed_address
         fleet_thread = threading.Thread(
             target=_run_fleet_api_rest,
-            args=(host, port, state_factory),
+            args=(
+                args.rest_fleet_api_address,
+                args.ssl_keyfile,
+                args.ssl_certfile,
+                state_factory,
+            ),
         )
         fleet_thread.start()
         bckg_threads.append(fleet_thread)
@@ -485,8 +491,9 @@ def _run_fleet_api_grpc_bidi(
 
 # pylint: disable=import-outside-toplevel
 def _run_fleet_api_rest(
-    host: str,
-    port: int,
+    address: str,
+    ssl_keyfile: Optional[str],
+    ssl_certfile: Optional[str],
     state_factory: StateFactory,
 ) -> None:
     """Run Driver API (REST-based)."""
@@ -505,6 +512,17 @@ def _run_fleet_api_rest(
     # See: https://www.starlette.io/applications/#accessing-the-app-instance
     fast_api_app.state.STATE_FACTORY = state_factory
 
+    host, port_str = address.split(":")
+    port = int(port_str)
+
+    validation_exceptions = _validate_ssl_files(
+        ssl_certfile=ssl_certfile, ssl_keyfile=ssl_keyfile
+    )
+    if any(validation_exceptions):
+        # Starting with 3.11 we can use ExceptionGroup but for now
+        # this seems to be the reasonable approach.
+        raise ValueError(validation_exceptions)
+
     uvicorn.run(
         # "flwr.server.rest_server.rest_api:app",
         app=fast_api_app,
@@ -513,9 +531,37 @@ def _run_fleet_api_rest(
         reload=False,
         access_log=True,
         workers=1,
+        ssl_keyfile=ssl_keyfile,
+        ssl_certfile=ssl_certfile,
     )
 
 
+def _validate_ssl_files(
+    ssl_keyfile: Optional[str], ssl_certfile: Optional[str]
+) -> List[ValueError]:
+    validation_exceptions = []
+
+    if ssl_keyfile is not None and not isfile(ssl_keyfile):
+        msg = "Path argument `--ssl-keyfile` does not point to a file."
+        log(ERROR, msg)
+        validation_exceptions.append(ValueError(msg))
+
+    if ssl_certfile is not None and not isfile(ssl_certfile):
+        msg = "Path argument `--ssl-certfile` does not point to a file."
+        log(ERROR, msg)
+        validation_exceptions.append(ValueError(msg))
+
+    if not bool(ssl_keyfile) == bool(ssl_certfile):
+        msg = (
+            "When setting one of `--ssl-keyfile` and "
+            + "`--ssl-certfile`, both have to be used."
+        )
+        log(ERROR, msg)
+        validation_exceptions.append(ValueError(msg))
+
+    return validation_exceptions
+
+
 def _parse_args_driver() -> argparse.ArgumentParser:
     """Parse command line arguments for Driver API."""
     parser = argparse.ArgumentParser(
@@ -603,3 +649,13 @@ def _add_args_fleet_api(parser: argparse.ArgumentParser) -> None:
         help=f"Fleet API REST server address. Default:'{ADDRESS_FLEET_API_REST}'",
         default=ADDRESS_FLEET_API_REST,
     )
+    rest_group.add_argument(
+        "--ssl-certfile",
+        help="Fleet API REST SSL certificate file (as a path str). Default:None",
+        default=None,
+    )
+    rest_group.add_argument(
+        "--ssl-keyfile",
+        help="Fleet API REST SSL private key file (as a path str). Default:None",
+        default=None,
+    )