nvflare.lighter.utils module

class Identity(name: str, org: str | None = None, role: str | None = None)

Bases: object

add_component_to_resources(resources_file: str, component: dict)

Add a component to the resources file, merging with existing components.

Parameters:

• resources_file – The name of the resource file

• component – The component to add

build_subject_alt_names(server_default_host=None, server_additional_hosts=None, fallback_subject_name=None)

cert_to_dict(cert)

generate_cert(subject: Identity, issuer: Identity, signing_pri_key, subject_pub_key, valid_days=360, ca=False, server_default_host=None, server_additional_hosts=None, not_valid_before=None, not_valid_after=None, extra_extensions=None)

generate_keys()

generate_password(passlen=16)

load_crt(path)

load_crt_bytes(data: bytes)

load_private_key(data: str)

load_private_key_file(file_path)

load_yaml(file)

load_yaml_include(root, yaml_data)

make_dirs(dirs)

serialize_cert(cert)

serialize_pri_key(pri_key, passphrase=None)

sh_replace(src, mapping_dict)

sign_all(content_folder, signing_pri_key)

sign_content(content, signing_pri_key, return_str=True)

sign_folders(folder, signing_pri_key, crt_path=None, max_depth=9999, signature_file='.__nvfl_sig.json')

update_participant_server_name(project_config, old_server_name, new_server_name)

update_project_server_name(project_file: str, old_server_name, server_name)

update_project_server_name_config(project_config: dict, old_server_name, server_name) → dict

update_server_default_host(project_config, default_host)

Update the default_host property of the Server in the project config. If a client does not explicitly specify “connect_to”, it will use the default_host to connect to server. This is mainly used for POC, where the default_host is set to localhost.

Parameters:

• project_config – the project config dict

• default_host – value of the default host

Returns: the updated project_config

update_storage_locations(local_dir: str, workspace: str, default_resource_name: str = 'resources.json.default', job_storage_name: str = 'jobs-storage', snapshot_storage_name: str = 'snapshot-storage')

Creates resources.json with snapshot-storage and jobs-storage set as folders directly under the workspace for the provided local_dir.

verify_cert(cert_to_be_verified, root_ca_public_key)

verify_content(content, signature, public_key)

verify_folder_signature(src_folder, root_ca_path, single_signer=False, signature_file='.__nvfl_sig.json')

Verify folder signatures and preserve the legacy boolean return contract.

verify_folder_signature_and_get_signers(src_folder, root_ca_path, single_signer=False, signature_file='.__nvfl_sig.json')

Verify the signature of each file in one folder recursively.

This function iterates over all files in one folder verifying its signature stored in the signature_file of that folder. The signature is generated either by the NVFLARE_SUBMITTER_CRT_FILE or root_ca_path.

When single_signer is True, signature is generated by root_ca_path, which exists in one place. When single_signer is False, every folder contains NVFLARE_SUBMITTER_CRT_FILE, whose subject generates the signatures. In this case, the certificate chain is also built and verified from NVFLARE_SUBMITTER_CRT_FILE to root CA.

Parameters:

• src_folder (str) – The folder to be verified.

• root_ca_path (str) – the path to root CA file.

• single_signer (bool) – True means all signatures are from root CA. False means from NVFLARE_SUBMITTER_CRT_FILE of each folder. Defaults to False.

• signature_file (str) – The file name to store signature. Defaults to NVFLARE_SIG_FILE.

Returns:

A tuple of (verified, signers). verified is True if all files have valid signatures. verified is False if any file fails signature check. signers contains unique (name, org, role) tuples from verified certificates.

write(file_full_path, content, mode, exe=False)

x509_name(cn_name, org_name=None, role=None)