TLS must be enabled by default... (#20)

* TLS must be enabled by default (also in development)

blossomtune_gradio/config.py

@@ -42,10 +42,13 @@ PROJECT_PATH = os.path.realpath(
 # BlossomTune cert - To be distributed to the participants (supernodes).
 BLOSSOMTUNE_TLS_CERT_PATH = os.getenv(
     "BLOSSOMTUNE_TLS_CERT_PATH",
-    "/data/certs/server.crt"
+    "/data/certs"
     if os.path.isdir("/data/certs")
-    else os.path.join(PROJECT_PATH, "./data/certs/server.crt"),
+    else os.path.join(PROJECT_PATH, "./data/certs"),
 )
+BLOSSOMTUNE_TLS_CA_CERTFILE = os.path.join(BLOSSOMTUNE_TLS_CERT_PATH, "ca.crt")
+BLOSSOMTUNE_TLS_CERTFILE = os.path.join(BLOSSOMTUNE_TLS_CERT_PATH, "server.pem")
+BLOSSOMTUNE_TLS_KEYFILE = os.path.join(BLOSSOMTUNE_TLS_CERT_PATH, "server.key")
 
 # Flower Apps
 FLOWER_APPS = os.getenv("FLOWER_APPS", ["flower_apps.quickstart_huggingface"])

blossomtune_gradio/federation.py

@@ -103,7 +103,7 @@ def check_participant_status(pid_to_check: str, email: str, activation_code: str
                 num_partitions=num_partitions,
             )
             # The user is fully approved. Return success and the cert path.
-            return (True, connection_string, cfg.BLOSSOMTUNE_TLS_CERT_PATH)
+            return (True, connection_string, cfg.BLOSSOMTUNE_TLS_CA_CERTFILE)
         elif request.status == "pending":
             return (False, settings.get_text("status_pending_md"), None)
         else:  # Denied

blossomtune_gradio/processing.py

@@ -46,8 +46,15 @@ def start_superlink():
     if process_store["superlink"] and process_store["superlink"].poll() is None:
         return False, "Superlink process is already running."
 
-    # The command needs to be adapted for TLS if it's not insecure
-    command = [shutil.which("flower-superlink"), "--insecure"]  # Placeholder
+    command = [
+        shutil.which("flower-superlink"),
+        "--ssl-ca-certfile",
+        cfg.BLOSSOMTUNE_TLS_CA_CERTFILE,
+        "--ssl-certfile",
+        cfg.BLOSSOMTUNE_TLS_CERTFILE,
+        "--ssl-keyfile",
+        cfg.BLOSSOMTUNE_TLS_KEYFILE,
+    ]  # Placeholder
     threading.Thread(
         target=run_process, args=(command, "superlink"), daemon=True
     ).start()
@@ -97,7 +104,7 @@ def start_runner(
         runner_app_path,
         "local-deployment",
         "--federation-config",
-        f'address="{cfg.SUPERLINK_HOST}:{cfg.SUPERLINK_CONTROL_API_PORT}" root-certificates="{cfg.BLOSSOMTUNE_TLS_CERT_PATH}"',
+        f'address="{cfg.SUPERLINK_HOST}:{cfg.SUPERLINK_CONTROL_API_PORT}" root-certificates="{cfg.BLOSSOMTUNE_TLS_CA_CERTFILE}"',
         "--stream",
     ]
     threading.Thread(target=run_process, args=(command, "runner"), daemon=True).start()

flower_apps/quickstart_huggingface/pyproject.toml

@@ -60,4 +60,4 @@ options.backend.client-resources.num-gpus = 0.0 # at most 4 ClientApp will run i
 [tool.flwr.federations.local-deployment]
 address = "0.0.0.0:9093"
 insecure = true
-root-certificate = ""
+root-certificates = ""

tests/test_processing.py

@@ -30,7 +30,8 @@ def test_start_superlink_success(mock_which, mock_thread):
     mock_thread.assert_called_once()
     call_args = mock_thread.call_args
     assert call_args.kwargs["target"] == processing.run_process
-    assert call_args.kwargs["args"][0] == ["/fake/path/flower-superlink", "--insecure"]
+    assert call_args.kwargs["args"][0][0] == "/fake/path/flower-superlink"
+    assert call_args.kwargs["args"][0][1] == "--ssl-ca-certfile"
 
 
 def test_start_superlink_already_running(mocker):