diff --git a/crates/catalog/rest/public-api.txt b/crates/catalog/rest/public-api.txt index 776b11c40a..3196863549 100644 --- a/crates/catalog/rest/public-api.txt +++ b/crates/catalog/rest/public-api.txt @@ -175,6 +175,25 @@ impl serde_core::ser::Serialize for iceberg_catalog_rest::NamespaceResponse pub fn iceberg_catalog_rest::NamespaceResponse::serialize<__S>(&self, __serializer: __S) -> core::result::Result<<__S as serde_core::ser::Serializer>::Ok, <__S as serde_core::ser::Serializer>::Error> where __S: serde_core::ser::Serializer impl<'de> serde_core::de::Deserialize<'de> for iceberg_catalog_rest::NamespaceResponse pub fn iceberg_catalog_rest::NamespaceResponse::deserialize<__D>(__deserializer: __D) -> core::result::Result::Error> where __D: serde_core::de::Deserializer<'de> +pub struct iceberg_catalog_rest::NoopAuthManager +impl core::fmt::Debug for iceberg_catalog_rest::NoopAuthManager +pub fn iceberg_catalog_rest::NoopAuthManager::fmt(&self, f: &mut core::fmt::Formatter<'_>) -> core::fmt::Result +impl iceberg_catalog_rest::AuthManager for iceberg_catalog_rest::NoopAuthManager +pub fn iceberg_catalog_rest::NoopAuthManager::catalog_session<'life0, 'life1, 'async_trait>(&'life0 self, _props: &'life1 std::collections::hash::map::HashMap) -> core::pin::Pin>> + core::marker::Send + 'async_trait)>> where Self: 'async_trait, 'life0: 'async_trait, 'life1: 'async_trait +pub fn iceberg_catalog_rest::NoopAuthManager::init_session<'life0, 'async_trait>(&'life0 self) -> core::pin::Pin>> + core::marker::Send + 'async_trait)>> where Self: 'async_trait, 'life0: 'async_trait +pub struct iceberg_catalog_rest::OAuth2Manager +impl iceberg_catalog_rest::OAuth2Manager +pub fn iceberg_catalog_rest::OAuth2Manager::new(token_endpoint: impl core::convert::Into) -> Self +pub fn iceberg_catalog_rest::OAuth2Manager::with_client(self, client: reqwest::async_impl::client::Client) -> Self +pub fn iceberg_catalog_rest::OAuth2Manager::with_credential(self, client_id: core::option::Option, client_secret: alloc::string::String) -> Self +pub fn iceberg_catalog_rest::OAuth2Manager::with_extra_headers(self, headers: http::header::map::HeaderMap) -> Self +pub fn iceberg_catalog_rest::OAuth2Manager::with_extra_oauth_params(self, params: std::collections::hash::map::HashMap) -> Self +pub fn iceberg_catalog_rest::OAuth2Manager::with_token(self, token: impl core::convert::Into) -> Self +impl core::fmt::Debug for iceberg_catalog_rest::OAuth2Manager +pub fn iceberg_catalog_rest::OAuth2Manager::fmt(&self, f: &mut core::fmt::Formatter<'_>) -> core::fmt::Result +impl iceberg_catalog_rest::AuthManager for iceberg_catalog_rest::OAuth2Manager +pub fn iceberg_catalog_rest::OAuth2Manager::catalog_session<'life0, 'life1, 'async_trait>(&'life0 self, props: &'life1 std::collections::hash::map::HashMap) -> core::pin::Pin>> + core::marker::Send + 'async_trait)>> where Self: 'async_trait, 'life0: 'async_trait, 'life1: 'async_trait +pub fn iceberg_catalog_rest::OAuth2Manager::init_session<'life0, 'async_trait>(&'life0 self) -> core::pin::Pin>> + core::marker::Send + 'async_trait)>> where Self: 'async_trait, 'life0: 'async_trait pub struct iceberg_catalog_rest::RegisterTableRequest pub iceberg_catalog_rest::RegisterTableRequest::metadata_location: alloc::string::String pub iceberg_catalog_rest::RegisterTableRequest::name: alloc::string::String @@ -230,6 +249,7 @@ pub fn iceberg_catalog_rest::RestCatalog::update_namespace<'life0, 'life1, 'asyn pub fn iceberg_catalog_rest::RestCatalog::update_table<'life0, 'async_trait>(&'life0 self, commit: iceberg::catalog::TableCommit) -> core::pin::Pin> + core::marker::Send + 'async_trait)>> where Self: 'async_trait, 'life0: 'async_trait pub struct iceberg_catalog_rest::RestCatalogBuilder impl iceberg_catalog_rest::RestCatalogBuilder +pub fn iceberg_catalog_rest::RestCatalogBuilder::with_auth_manager(self, auth_manager: alloc::sync::Arc) -> Self pub fn iceberg_catalog_rest::RestCatalogBuilder::with_client(self, client: reqwest::async_impl::client::Client) -> Self impl core::default::Default for iceberg_catalog_rest::RestCatalogBuilder pub fn iceberg_catalog_rest::RestCatalogBuilder::default() -> Self @@ -287,6 +307,22 @@ impl serde_core::ser::Serialize for iceberg_catalog_rest::UpdateNamespacePropert pub fn iceberg_catalog_rest::UpdateNamespacePropertiesResponse::serialize<__S>(&self, __serializer: __S) -> core::result::Result<<__S as serde_core::ser::Serializer>::Ok, <__S as serde_core::ser::Serializer>::Error> where __S: serde_core::ser::Serializer impl<'de> serde_core::de::Deserialize<'de> for iceberg_catalog_rest::UpdateNamespacePropertiesResponse pub fn iceberg_catalog_rest::UpdateNamespacePropertiesResponse::deserialize<__D>(__deserializer: __D) -> core::result::Result::Error> where __D: serde_core::de::Deserializer<'de> +pub const iceberg_catalog_rest::AUTH_TYPE_NONE: &str +pub const iceberg_catalog_rest::AUTH_TYPE_OAUTH2: &str +pub const iceberg_catalog_rest::REST_CATALOG_PROP_AUTH_TYPE: &str pub const iceberg_catalog_rest::REST_CATALOG_PROP_DISABLE_HEADER_REDACTION: &str pub const iceberg_catalog_rest::REST_CATALOG_PROP_URI: &str pub const iceberg_catalog_rest::REST_CATALOG_PROP_WAREHOUSE: &str +pub trait iceberg_catalog_rest::AuthManager: core::fmt::Debug + core::marker::Send + core::marker::Sync +pub fn iceberg_catalog_rest::AuthManager::catalog_session<'life0, 'life1, 'async_trait>(&'life0 self, props: &'life1 std::collections::hash::map::HashMap) -> core::pin::Pin>> + core::marker::Send + 'async_trait)>> where Self: 'async_trait, 'life0: 'async_trait, 'life1: 'async_trait +pub fn iceberg_catalog_rest::AuthManager::init_session<'life0, 'async_trait>(&'life0 self) -> core::pin::Pin>> + core::marker::Send + 'async_trait)>> where Self: 'async_trait, 'life0: 'async_trait +impl iceberg_catalog_rest::AuthManager for iceberg_catalog_rest::NoopAuthManager +pub fn iceberg_catalog_rest::NoopAuthManager::catalog_session<'life0, 'life1, 'async_trait>(&'life0 self, _props: &'life1 std::collections::hash::map::HashMap) -> core::pin::Pin>> + core::marker::Send + 'async_trait)>> where Self: 'async_trait, 'life0: 'async_trait, 'life1: 'async_trait +pub fn iceberg_catalog_rest::NoopAuthManager::init_session<'life0, 'async_trait>(&'life0 self) -> core::pin::Pin>> + core::marker::Send + 'async_trait)>> where Self: 'async_trait, 'life0: 'async_trait +impl iceberg_catalog_rest::AuthManager for iceberg_catalog_rest::OAuth2Manager +pub fn iceberg_catalog_rest::OAuth2Manager::catalog_session<'life0, 'life1, 'async_trait>(&'life0 self, props: &'life1 std::collections::hash::map::HashMap) -> core::pin::Pin>> + core::marker::Send + 'async_trait)>> where Self: 'async_trait, 'life0: 'async_trait, 'life1: 'async_trait +pub fn iceberg_catalog_rest::OAuth2Manager::init_session<'life0, 'async_trait>(&'life0 self) -> core::pin::Pin>> + core::marker::Send + 'async_trait)>> where Self: 'async_trait, 'life0: 'async_trait +pub trait iceberg_catalog_rest::AuthSession: core::fmt::Debug + core::marker::Send + core::marker::Sync +pub fn iceberg_catalog_rest::AuthSession::authenticate<'life0, 'life1, 'async_trait>(&'life0 self, request: &'life1 mut reqwest::async_impl::request::Request) -> core::pin::Pin> + core::marker::Send + 'async_trait)>> where Self: 'async_trait, 'life0: 'async_trait, 'life1: 'async_trait +pub fn iceberg_catalog_rest::AuthSession::invalidate<'life0, 'async_trait>(&'life0 self) -> core::pin::Pin> + core::marker::Send + 'async_trait)>> where Self: 'async_trait, 'life0: 'async_trait +pub fn iceberg_catalog_rest::AuthSession::refresh<'life0, 'async_trait>(&'life0 self) -> core::pin::Pin> + core::marker::Send + 'async_trait)>> where Self: 'async_trait, 'life0: 'async_trait diff --git a/crates/catalog/rest/src/auth/mod.rs b/crates/catalog/rest/src/auth/mod.rs new file mode 100644 index 0000000000..db0de1f1f3 --- /dev/null +++ b/crates/catalog/rest/src/auth/mod.rs @@ -0,0 +1,111 @@ +// Licensed to the Apache Software Foundation (ASF) under one +// or more contributor license agreements. See the NOTICE file +// distributed with this work for additional information +// regarding copyright ownership. The ASF licenses this file +// to you under the Apache License, Version 2.0 (the +// "License"); you may not use this file except in compliance +// with the License. You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +//! Pluggable authentication for the REST catalog, mirroring Iceberg Java's +//! `AuthManager`/`AuthSession` API. + +mod oauth2; + +use std::collections::HashMap; +use std::fmt::Debug; +use std::sync::Arc; + +use async_trait::async_trait; +use iceberg::Result; +pub use oauth2::OAuth2Manager; +use reqwest::Request; + +/// `rest.auth.type` value disabling authentication. +pub const AUTH_TYPE_NONE: &str = "none"; +/// `rest.auth.type` value selecting OAuth2 token authentication. +pub const AUTH_TYPE_OAUTH2: &str = "oauth2"; + +/// Creates the [`AuthSession`]s used to authenticate REST catalog requests. +/// +/// A manager is created once per catalog, either from the `rest.auth.type` +/// property or injected through `RestCatalogBuilder::with_auth_manager`, and +/// lives for the lifetime of the catalog. +#[async_trait] +pub trait AuthManager: Debug + Send + Sync { + /// Session used for the initial `/v1/config` handshake, built from the + /// user-supplied configuration. + async fn init_session(&self) -> Result>; + + /// Session used for all subsequent catalog requests, given the properties + /// merged from the user configuration and the server's config response. + /// + /// Implementations may carry state (e.g. a cached token) over from the + /// init session. + async fn catalog_session( + &self, + props: &HashMap, + ) -> Result>; +} + +/// Authenticates outgoing REST catalog requests. +#[async_trait] +pub trait AuthSession: Debug + Send + Sync { + /// Applies authentication to the request (adds headers, signs, ...). + async fn authenticate(&self, request: &mut Request) -> Result<()>; + + /// Drops any cached credentials so the next request re-authenticates. + async fn invalidate(&self) -> Result<()> { + Ok(()) + } + + /// Proactively refreshes cached credentials (e.g. re-exchanges an OAuth2 + /// client credential for a new token), leaving them intact on failure. + async fn refresh(&self) -> Result<()> { + Ok(()) + } + + /// The bearer token this session would attach, if any. Test-only: lets + /// tests observe the cached token without issuing a request. + #[cfg(test)] + async fn bearer_token(&self) -> Option { + None + } +} + +/// [`AuthManager`] that performs no authentication. +#[derive(Debug)] +pub struct NoopAuthManager; + +/// [`AuthSession`] that performs no authentication. +#[derive(Debug)] +struct NoopSession; + +#[async_trait] +impl AuthManager for NoopAuthManager { + async fn init_session(&self) -> Result> { + Ok(Arc::new(NoopSession)) + } + + async fn catalog_session( + &self, + _props: &HashMap, + ) -> Result> { + Ok(Arc::new(NoopSession)) + } +} + +#[async_trait] +impl AuthSession for NoopSession { + async fn authenticate(&self, _request: &mut Request) -> Result<()> { + Ok(()) + } +} diff --git a/crates/catalog/rest/src/auth/oauth2.rs b/crates/catalog/rest/src/auth/oauth2.rs new file mode 100644 index 0000000000..95340484f3 --- /dev/null +++ b/crates/catalog/rest/src/auth/oauth2.rs @@ -0,0 +1,358 @@ +// Licensed to the Apache Software Foundation (ASF) under one +// or more contributor license agreements. See the NOTICE file +// distributed with this work for additional information +// regarding copyright ownership. The ASF licenses this file +// to you under the Apache License, Version 2.0 (the +// "License"); you may not use this file except in compliance +// with the License. You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +use std::collections::HashMap; +use std::fmt::{Debug, Formatter}; +use std::sync::Arc; + +use async_trait::async_trait; +use http::StatusCode; +use iceberg::{Error, ErrorKind, Result}; +use reqwest::header::HeaderMap; +use reqwest::{Client, Method, Request}; +use tokio::sync::Mutex; + +use super::{AuthManager, AuthSession}; +use crate::catalog::{ + REST_CATALOG_PROP_URI, RestCatalogConfig, credential_from_props, default_token_endpoint, + explicit_headers_from_props, +}; +use crate::types::{ErrorResponse, TokenResponse}; + +/// Per-phase OAuth2 parameters (init vs. post-handshake catalog phase). +#[derive(Clone)] +struct OAuth2Params { + extra_headers: HeaderMap, + token_endpoint: String, + credential: Option<(Option, String)>, + extra_oauth_params: HashMap, +} + +/// [`AuthManager`] implementing the OAuth2 client-credentials flow used by +/// Iceberg REST catalogs. +/// +/// A configured `token` is used directly; otherwise `credential` is exchanged +/// for a token at the token endpoint and cached. The cached token is shared +/// across sessions so it survives the config handshake. +pub struct OAuth2Manager { + client: Client, + token: Arc>>, + init_params: OAuth2Params, + /// True when the token endpoint was derived from the catalog URI (not + /// explicitly configured): it is then recomputed from the merged URI in + /// [`Self::catalog_session`], since `/v1/config` may override the URI. + endpoint_is_default: bool, +} + +impl OAuth2Manager { + /// Creates a manager exchanging credentials at `token_endpoint`, with no + /// token or credential configured. Combine with the `with_*` methods: + /// + /// ```rust,ignore + /// let manager = OAuth2Manager::new("https://auth.example.com/v1/oauth/tokens") + /// .with_credential(Some("client-id".into()), "client-secret".into()); + /// ``` + pub fn new(token_endpoint: impl Into) -> Self { + Self { + client: Client::default(), + token: Arc::new(Mutex::new(None)), + init_params: OAuth2Params { + extra_headers: HeaderMap::new(), + token_endpoint: token_endpoint.into(), + credential: None, + // Same default as the configuration path (and the + // pre-AuthManager client): the Iceberg catalog scope. + extra_oauth_params: HashMap::from([("scope".to_string(), "catalog".to_string())]), + }, + endpoint_is_default: false, + } + } + + /// Sets a bearer token used directly (takes precedence over `credential`). + pub fn with_token(mut self, token: impl Into) -> Self { + self.token = Arc::new(Mutex::new(Some(token.into()))); + self + } + + /// Sets the client credential exchanged for a token at the token endpoint. + pub fn with_credential(mut self, client_id: Option, client_secret: String) -> Self { + self.init_params.credential = Some((client_id, client_secret)); + self + } + + /// Sets the HTTP client used for token requests. + pub fn with_client(mut self, client: Client) -> Self { + self.client = client; + self + } + + /// Sets extra headers sent with token requests. + pub fn with_extra_headers(mut self, headers: HeaderMap) -> Self { + self.init_params.extra_headers = headers; + self + } + + /// Adds extra OAuth2 form parameters (e.g. `scope`, `audience`), merged + /// onto the defaults: provide a `scope` entry to replace the default + /// `catalog` scope. + pub fn with_extra_oauth_params(mut self, params: HashMap) -> Self { + self.init_params.extra_oauth_params.extend(params); + self + } + + pub(crate) fn from_config(cfg: &RestCatalogConfig) -> Result { + Ok(Self { + client: cfg.client(), + token: Arc::new(Mutex::new(cfg.token())), + init_params: OAuth2Params { + extra_headers: cfg.extra_headers()?, + token_endpoint: cfg.get_token_endpoint(), + credential: cfg.credential(), + extra_oauth_params: cfg.extra_oauth_params(), + }, + endpoint_is_default: cfg.explicit_oauth2_server_uri().is_none(), + }) + } +} + +impl Debug for OAuth2Manager { + fn fmt(&self, f: &mut Formatter<'_>) -> std::fmt::Result { + f.debug_struct("OAuth2Manager") + .field("token_endpoint", &self.init_params.token_endpoint) + .finish_non_exhaustive() + } +} + +#[async_trait] +impl AuthManager for OAuth2Manager { + async fn init_session(&self) -> Result> { + Ok(Arc::new(OAuth2Session { + client: self.client.clone(), + token: self.token.clone(), + params: self.init_params.clone(), + })) + } + + async fn catalog_session( + &self, + props: &HashMap, + ) -> Result> { + // The server config may carry a new token (or restate the user's). + if let Some(token) = props.get("token") { + *self.token.lock().await = Some(token.clone()); + } + + // Explicit property overrides are merged ONTO the manager's configured + // options: an injected manager keeps its token endpoint, extra headers + // and OAuth params unless a property explicitly overrides them. + let mut extra_headers = self.init_params.extra_headers.clone(); + extra_headers.extend(explicit_headers_from_props(props)?); + + let mut extra_oauth_params = self.init_params.extra_oauth_params.clone(); + for key in ["scope", "audience", "resource"] { + if let Some(value) = props.get(key) { + extra_oauth_params.insert(key.to_string(), value.to_string()); + } + } + + let token_endpoint = match props.get("oauth2-server-uri") { + Some(uri) if !uri.is_empty() => uri.clone(), + // The built-in manager's default endpoint follows the merged + // catalog URI (a `/v1/config` override may have changed it); + // injected managers keep their explicitly configured endpoint. + _ if self.endpoint_is_default => props + .get(REST_CATALOG_PROP_URI) + .map(|uri| default_token_endpoint(uri)) + .unwrap_or_else(|| self.init_params.token_endpoint.clone()), + _ => self.init_params.token_endpoint.clone(), + }; + + Ok(Arc::new(OAuth2Session { + client: self.client.clone(), + token: self.token.clone(), + params: OAuth2Params { + extra_headers, + token_endpoint, + credential: credential_from_props(props) + .or_else(|| self.init_params.credential.clone()), + extra_oauth_params, + }, + })) + } +} + +/// [`AuthSession`] adding a `Authorization: Bearer ` header. +struct OAuth2Session { + client: Client, + /// Cached bearer token, shared with the owning [`OAuth2Manager`]. + token: Arc>>, + params: OAuth2Params, +} + +impl Debug for OAuth2Session { + fn fmt(&self, f: &mut Formatter<'_>) -> std::fmt::Result { + f.debug_struct("OAuth2Session") + .field("token_endpoint", &self.params.token_endpoint) + .finish_non_exhaustive() + } +} + +impl OAuth2Session { + async fn exchange_credential_for_token(&self) -> Result { + // Credential must exist here. + let (client_id, client_secret) = self.params.credential.as_ref().ok_or_else(|| { + Error::new( + ErrorKind::DataInvalid, + "Credential must be provided for authentication", + ) + })?; + + let mut params = HashMap::with_capacity(4); + params.insert("grant_type", "client_credentials"); + if let Some(client_id) = client_id { + params.insert("client_id", client_id); + } + params.insert("client_secret", client_secret); + params.extend( + self.params + .extra_oauth_params + .iter() + .map(|(k, v)| (k.as_str(), v.as_str())), + ); + + let mut auth_req = self + .client + .request(Method::POST, &self.params.token_endpoint) + .headers(self.params.extra_headers.clone()) + .form(¶ms) + .build()?; + // extra headers add content-type application/json header it's necessary to override it with proper type + // note that form call doesn't add content-type header if already present + auth_req.headers_mut().insert( + http::header::CONTENT_TYPE, + http::HeaderValue::from_static("application/x-www-form-urlencoded"), + ); + let auth_url = auth_req.url().clone(); + let auth_resp = self.client.execute(auth_req).await?; + + let auth_res: TokenResponse = if auth_resp.status() == StatusCode::OK { + let text = auth_resp + .bytes() + .await + .map_err(|err| err.with_url(auth_url.clone()))?; + Ok(serde_json::from_slice(&text).map_err(|e| { + Error::new( + ErrorKind::Unexpected, + "Failed to parse response from rest catalog server!", + ) + .with_context("operation", "auth") + .with_context("url", auth_url.to_string()) + .with_context("json", String::from_utf8_lossy(&text)) + .with_source(e) + })?) + } else { + let code = auth_resp.status(); + let text = auth_resp + .bytes() + .await + .map_err(|err| err.with_url(auth_url.clone()))?; + let e: ErrorResponse = serde_json::from_slice(&text).map_err(|e| { + Error::new(ErrorKind::Unexpected, "Received unexpected response") + .with_context("code", code.to_string()) + .with_context("operation", "auth") + .with_context("url", auth_url.to_string()) + .with_context("json", String::from_utf8_lossy(&text)) + .with_source(e) + })?; + Err(Error::from(e)) + }?; + Ok(auth_res.access_token) + } +} + +#[async_trait] +impl AuthSession for OAuth2Session { + /// Adds a bearer token to the authorization header. + /// + /// Three modes: + /// + /// 1. **No authentication** - Skip when both `credential` and `token` are missing. + /// 2. **Token authentication** - Use the provided `token` directly. + /// 3. **OAuth authentication** - Exchange `credential` for a token, cache it, then use it. + /// + /// When both `credential` and `token` are present, `token` takes precedence. + /// + /// # TODO: Support automatic token refreshing. + async fn authenticate(&self, req: &mut Request) -> Result<()> { + // Clone the token from lock without holding the lock for entire function. + let token = self.token.lock().await.clone(); + + if self.params.credential.is_none() && token.is_none() { + return Ok(()); + } + + // Either use the provided token or exchange credential for token, cache and use that + let token = match token { + Some(token) => token, + None => { + let token = self.exchange_credential_for_token().await?; + // Update token so that we use it for next request instead of + // exchanging credential for token from the server again + *self.token.lock().await = Some(token.clone()); + token + } + }; + + // Insert token in request. + req.headers_mut().insert( + http::header::AUTHORIZATION, + format!("Bearer {token}").parse().map_err(|e| { + Error::new( + ErrorKind::DataInvalid, + "Invalid token received from catalog server!", + ) + .with_source(e) + })?, + ); + + Ok(()) + } + + /// Invalidate the current token without generating a new one. On the next + /// request, the session will attempt to generate a new token. + async fn invalidate(&self) -> Result<()> { + *self.token.lock().await = None; + Ok(()) + } + + /// Invalidate the current token and set a new one. Generates a new token + /// before invalidating the current one, meaning the old token will be used + /// until this function acquires the lock and overwrites the token. + /// + /// If credential is invalid, or the request fails, this method will return + /// an error and leave the current token unchanged. + async fn refresh(&self) -> Result<()> { + let new_token = self.exchange_credential_for_token().await?; + *self.token.lock().await = Some(new_token); + Ok(()) + } + + #[cfg(test)] + async fn bearer_token(&self) -> Option { + self.token.lock().await.clone() + } +} diff --git a/crates/catalog/rest/src/catalog.rs b/crates/catalog/rest/src/catalog.rs index da05fc7e3b..e10a5c1552 100644 --- a/crates/catalog/rest/src/catalog.rs +++ b/crates/catalog/rest/src/catalog.rs @@ -20,7 +20,7 @@ use std::collections::HashMap; use std::future::Future; use std::str::FromStr; -use std::sync::Arc; +use std::sync::{Arc, OnceLock}; use async_trait::async_trait; use iceberg::encryption::kms::{KeyManagementClient, KmsClientFactory}; @@ -38,6 +38,7 @@ use reqwest::{Client, Method, StatusCode, Url}; use tokio::sync::OnceCell; use typed_builder::TypedBuilder; +use crate::auth::{AUTH_TYPE_NONE, AUTH_TYPE_OAUTH2, AuthManager, NoopAuthManager, OAuth2Manager}; use crate::client::{ HttpClient, deserialize_catalog_response, deserialize_unexpected_catalog_error, }; @@ -53,6 +54,8 @@ pub const REST_CATALOG_PROP_URI: &str = "uri"; pub const REST_CATALOG_PROP_WAREHOUSE: &str = "warehouse"; /// Disable header redaction in error logs (defaults to false for security) pub const REST_CATALOG_PROP_DISABLE_HEADER_REDACTION: &str = "disable-header-redaction"; +/// Authentication scheme: `none` or `oauth2` (default). +pub const REST_CATALOG_PROP_AUTH_TYPE: &str = "rest.auth.type"; const ICEBERG_REST_SPEC_VERSION: &str = "0.14.1"; const CARGO_PKG_VERSION: &str = env!("CARGO_PKG_VERSION"); @@ -76,6 +79,8 @@ impl Default for RestCatalogBuilder { warehouse: None, props: HashMap::new(), client: None, + default_client: Arc::new(OnceLock::new()), + auth_manager: None, }, storage_factory: None, kms_client_factory: None, @@ -160,6 +165,12 @@ impl RestCatalogBuilder { self.config.client = Some(client); self } + + /// Injects a custom auth manager, overriding the `rest.auth.type` configuration. + pub fn with_auth_manager(mut self, auth_manager: Arc) -> Self { + self.config.auth_manager = Some(auth_manager); + self + } } /// Rest catalog configuration. @@ -178,6 +189,15 @@ pub(crate) struct RestCatalogConfig { #[builder(default)] client: Option, + + /// Lazily-created default HTTP client, shared through clones of this + /// config so OAuth and catalog traffic reuse one connection pool + /// (matching the single-client behavior before the AuthManager refactor). + #[builder(default)] + default_client: Arc>, + + #[builder(default)] + auth_manager: Option>, } impl RestCatalogConfig { @@ -194,11 +214,13 @@ impl RestCatalogConfig { } pub(crate) fn get_token_endpoint(&self) -> String { - if let Some(oauth2_uri) = self.props.get("oauth2-server-uri") { - oauth2_uri.to_string() - } else { - [&self.uri, PATH_V1, "oauth", "tokens"].join("/") - } + self.explicit_oauth2_server_uri() + .unwrap_or_else(|| default_token_endpoint(&self.uri)) + } + + /// The `oauth2-server-uri` property, only when explicitly configured. + pub(crate) fn explicit_oauth2_server_uri(&self) -> Option { + self.props.get("oauth2-server-uri").cloned() } fn namespaces_endpoint(&self) -> String { @@ -230,9 +252,13 @@ impl RestCatalogConfig { ]) } - /// Get the client from the config. - pub(crate) fn client(&self) -> Option { - self.client.clone() + /// The HTTP client: the configured one, or a lazily-created default that + /// is shared across every user of this config (and its clones), so token + /// and catalog requests keep sharing one connection pool. + pub(crate) fn client(&self) -> Client { + self.client + .clone() + .unwrap_or_else(|| self.default_client.get_or_init(Client::default).clone()) } /// Get the token from the config. @@ -244,89 +270,32 @@ impl RestCatalogConfig { /// Get the credentials from the config. The client can use these credentials to fetch a new /// token. - /// - /// ## Output - /// - /// - `None`: No credential is set. - /// - `Some(None, client_secret)`: No client_id is set, use client_secret directly. - /// - `Some(Some(client_id), client_secret)`: Both client_id and client_secret are set. pub(crate) fn credential(&self) -> Option<(Option, String)> { - let cred = self.props.get("credential")?; - - match cred.split_once(':') { - Some((client_id, client_secret)) => { - Some((Some(client_id.to_string()), client_secret.to_string())) - } - None => Some((None, cred.to_string())), - } + credential_from_props(&self.props) } - /// Get the extra headers from config, which includes: - /// - /// - `content-type` - /// - `x-client-version` - /// - `user-agent` - /// - All headers specified by `header.xxx` in props. + /// Get the extra headers from config, see [`extra_headers_from_props`]. pub(crate) fn extra_headers(&self) -> Result { - let mut headers = HeaderMap::from_iter([ - ( - header::CONTENT_TYPE, - HeaderValue::from_static("application/json"), - ), - ( - HeaderName::from_static("x-client-version"), - HeaderValue::from_static(ICEBERG_REST_SPEC_VERSION), - ), - ( - header::USER_AGENT, - HeaderValue::from_str(&format!("iceberg-rs/{CARGO_PKG_VERSION}")).unwrap(), - ), - ]); - - for (key, value) in self - .props - .iter() - .filter_map(|(k, v)| k.strip_prefix("header.").map(|k| (k, v))) - { - headers.insert( - HeaderName::from_str(key).map_err(|e| { - Error::new( - ErrorKind::DataInvalid, - format!("Invalid header name: {key}"), - ) - .with_source(e) - })?, - HeaderValue::from_str(value).map_err(|e| { - Error::new( - ErrorKind::DataInvalid, - format!("Invalid header value: {value}"), - ) - .with_source(e) - })?, - ); - } - - Ok(headers) + extra_headers_from_props(&self.props) } /// Get the optional OAuth headers from the config. pub(crate) fn extra_oauth_params(&self) -> HashMap { - let mut params = HashMap::new(); - - if let Some(scope) = self.props.get("scope") { - params.insert("scope".to_string(), scope.to_string()); - } else { - params.insert("scope".to_string(), "catalog".to_string()); - } - - let optional_params = ["audience", "resource"]; - for param_name in optional_params { - if let Some(value) = self.props.get(param_name) { - params.insert(param_name.to_string(), value.to_string()); - } - } + oauth_params_from_props(&self.props) + } - params + /// The properties handed to [`AuthManager::catalog_session`], with the + /// resolved token endpoint made explicit. + pub(crate) fn auth_props(&self) -> HashMap { + // `oauth2-server-uri` stays absent unless explicitly configured, so an + // injected manager keeps its own token endpoint instead of having a + // synthesized `/v1/oauth/tokens` forced onto it (posting a + // client secret to the wrong host). The resolved catalog `uri` (which + // a `/v1/config` override may have changed) IS passed, so the built-in + // manager can recompute its default endpoint from it. + let mut props = self.props.clone(); + props.insert(REST_CATALOG_PROP_URI.to_string(), self.uri.clone()); + props } /// Check if header redaction is disabled in error logs. @@ -340,6 +309,32 @@ impl RestCatalogConfig { .unwrap_or(false) } + /// The configured auth scheme: explicit `rest.auth.type` or the default + /// `oauth2` (which behaves as no auth when neither `token` nor + /// `credential` is set). + fn auth_type(&self) -> String { + self.props + .get(REST_CATALOG_PROP_AUTH_TYPE) + .cloned() + .unwrap_or_else(|| AUTH_TYPE_OAUTH2.to_string()) + } + + /// Resolves the auth manager: a `with_auth_manager` override wins, + /// otherwise one is built from the `rest.auth.type` configuration. + pub(crate) fn resolve_auth_manager(&self) -> Result> { + if let Some(auth_manager) = &self.auth_manager { + return Ok(auth_manager.clone()); + } + match self.auth_type().as_str() { + AUTH_TYPE_NONE => Ok(Arc::new(NoopAuthManager)), + AUTH_TYPE_OAUTH2 => Ok(Arc::new(OAuth2Manager::from_config(self)?)), + other => Err(Error::new( + ErrorKind::DataInvalid, + format!("unknown '{REST_CATALOG_PROP_AUTH_TYPE}': {other}"), + )), + } + } + /// Merge the `RestCatalogConfig` with the a [`CatalogConfig`] (fetched from the REST server). pub(crate) fn merge_with_config(mut self, mut config: CatalogConfig) -> Self { if let Some(uri) = config.overrides.remove("uri") { @@ -348,6 +343,13 @@ impl RestCatalogConfig { let mut props = config.defaults; props.extend(self.props); + // The client-side warehouse was moved off the props by the builder; + // restore it between defaults and overrides so managers receive the + // resolved value via `auth_props` with the standard precedence + // (server default < client < server override). + if let Some(warehouse) = &self.warehouse { + props.insert(REST_CATALOG_PROP_WAREHOUSE.to_string(), warehouse.clone()); + } props.extend(config.overrides); self.props = props; @@ -355,6 +357,106 @@ impl RestCatalogConfig { } } +/// Parses the `credential` property. +/// +/// ## Output +/// +/// - `None`: No credential is set. +/// - `Some(None, client_secret)`: No client_id is set, use client_secret directly. +/// - `Some(Some(client_id), client_secret)`: Both client_id and client_secret are set. +pub(crate) fn credential_from_props( + props: &HashMap, +) -> Option<(Option, String)> { + let cred = props.get("credential")?; + + match cred.split_once(':') { + Some((client_id, client_secret)) => { + Some((Some(client_id.to_string()), client_secret.to_string())) + } + None => Some((None, cred.to_string())), + } +} + +/// The extra headers added to each request, which include: +/// +/// - `content-type` +/// - `x-client-version` +/// - `user-agent` +/// - All headers specified by `header.xxx` in props. +pub(crate) fn extra_headers_from_props(props: &HashMap) -> Result { + let mut headers = HeaderMap::from_iter([ + ( + header::CONTENT_TYPE, + HeaderValue::from_static("application/json"), + ), + ( + HeaderName::from_static("x-client-version"), + HeaderValue::from_static(ICEBERG_REST_SPEC_VERSION), + ), + ( + header::USER_AGENT, + HeaderValue::from_str(&format!("iceberg-rs/{CARGO_PKG_VERSION}")).unwrap(), + ), + ]); + + headers.extend(explicit_headers_from_props(props)?); + + Ok(headers) +} + +/// The default OAuth2 token endpoint for a catalog `uri`. +pub(crate) fn default_token_endpoint(uri: &str) -> String { + [uri, PATH_V1, "oauth", "tokens"].join("/") +} + +/// Only the headers explicitly configured via `header.xxx` props (no defaults). +pub(crate) fn explicit_headers_from_props(props: &HashMap) -> Result { + let mut headers = HeaderMap::new(); + for (key, value) in props + .iter() + .filter_map(|(k, v)| k.strip_prefix("header.").map(|k| (k, v))) + { + headers.insert( + HeaderName::from_str(key).map_err(|e| { + Error::new( + ErrorKind::DataInvalid, + format!("Invalid header name: {key}"), + ) + .with_source(e) + })?, + HeaderValue::from_str(value).map_err(|e| { + Error::new( + ErrorKind::DataInvalid, + format!("Invalid header value: {value}"), + ) + .with_source(e) + })?, + ); + } + + Ok(headers) +} + +/// The optional OAuth parameters added to each authentication request. +pub(crate) fn oauth_params_from_props(props: &HashMap) -> HashMap { + let mut params = HashMap::new(); + + if let Some(scope) = props.get("scope") { + params.insert("scope".to_string(), scope.to_string()); + } else { + params.insert("scope".to_string(), "catalog".to_string()); + } + + let optional_params = ["audience", "resource"]; + for param_name in optional_params { + if let Some(value) = props.get(param_name) { + params.insert(param_name.to_string(), value.to_string()); + } + } + + params +} + #[derive(Debug)] struct RestContext { client: HttpClient, @@ -429,10 +531,10 @@ impl RestCatalog { async fn context(&self) -> Result<&RestContext> { self.ctx .get_or_try_init(|| async { - let client = HttpClient::new(&self.user_config)?; + let client = HttpClient::new(&self.user_config).await?; let catalog_config = RestCatalog::load_config(&client, &self.user_config).await?; let config = self.user_config.clone().merge_with_config(catalog_config); - let client = client.update_with(&config)?; + let client = client.update_with(&config).await?; Ok(RestContext { config, client }) }) @@ -510,7 +612,7 @@ impl RestCatalog { /// Invalidate the current token without generating a new one. On the next request, the client /// will attempt to generate a new token. pub async fn invalidate_token(&self) -> Result<()> { - self.context().await?.client.invalidate_token().await + self.context().await?.client.session().invalidate().await } /// Invalidate the current token and set a new one. Generates a new token before invalidating @@ -520,7 +622,7 @@ impl RestCatalog { /// If credential is invalid, or the request fails, this method will return an error and leave /// the current token unchanged. pub async fn regenerate_token(&self) -> Result<()> { - self.context().await?.client.regenerate_token().await + self.context().await?.client.session().refresh().await } } @@ -1312,9 +1414,18 @@ mod tests { let oauth_mock = create_oauth_mock_with_path(&mut server, "/v1/oauth/tokens", "ey000000000001", 200) .await; + // The next request re-exchanges the credential and sends the new token. + let ns_mock = server + .mock("GET", "/v1/namespaces") + .match_header("authorization", "Bearer ey000000000001") + .with_body(r#"{"namespaces": []}"#) + .create_async() + .await; catalog.invalidate_token().await.unwrap(); - let token = catalog.context().await.unwrap().client.token().await; + catalog.list_namespaces(None).await.unwrap(); oauth_mock.assert_async().await; + ns_mock.assert_async().await; + let token = catalog.context().await.unwrap().client.token().await; assert_eq!(token, Some("ey000000000001".to_string())); } @@ -1346,8 +1457,10 @@ mod tests { create_oauth_mock_with_path(&mut server, "/v1/oauth/tokens", "ey000000000001", 500) .await; catalog.invalidate_token().await.unwrap(); - let token = catalog.context().await.unwrap().client.token().await; + // The failed re-exchange surfaces as an error and no token is cached. + assert!(catalog.list_namespaces(None).await.is_err()); oauth_mock.assert_async().await; + let token = catalog.context().await.unwrap().client.token().await; assert_eq!(token, None); } @@ -1612,6 +1725,392 @@ mod tests { list_ns_mock.assert_async().await; } + #[tokio::test] + async fn test_auth_type_none_disables_auth() { + // An explicit `rest.auth.type=none` wins over a configured token. + let props = HashMap::from([ + (REST_CATALOG_PROP_AUTH_TYPE.to_string(), "none".to_string()), + ("token".to_string(), "some-oauth-token".to_string()), + ]); + let config = RestCatalogConfig::builder() + .uri("http://localhost".to_string()) + .props(props) + .build(); + + let session = config + .resolve_auth_manager() + .unwrap() + .init_session() + .await + .unwrap(); + let mut req = Client::new() + .get("https://rest.example.com/v1/config") + .build() + .unwrap(); + session.authenticate(&mut req).await.unwrap(); + assert!(req.headers().get("authorization").is_none()); + } + + #[tokio::test] + async fn test_header_prop_overrides_token_on_the_wire() { + // Pre-AuthManager behavior, preserved: extra headers are applied after + // authentication, so a user-configured `header.authorization` wins + // over a configured token. + let mut server = Server::new_async().await; + let config_mock = create_config_mock(&mut server).await; + let list_ns_mock = server + .mock("GET", "/v1/namespaces") + .match_header("authorization", "Basic xyz") + .with_body(r#"{"namespaces": []}"#) + .create_async() + .await; + + let props = HashMap::from([ + ("token".to_string(), "some-oauth-token".to_string()), + ("header.authorization".to_string(), "Basic xyz".to_string()), + ]); + let catalog = RestCatalog::new( + RestCatalogConfig::builder() + .uri(server.url()) + .props(props) + .build(), + Some(Arc::new(LocalFsStorageFactory)), + Runtime::current(), + None, + ); + + catalog.list_namespaces(None).await.unwrap(); + config_mock.assert_async().await; + list_ns_mock.assert_async().await; + } + + #[tokio::test] + async fn test_builtin_oauth_endpoint_follows_uri_override() { + // When `/v1/config` overrides `uri` (and no explicit `oauth2-server-uri` + // is set), the built-in manager's default token endpoint must follow + // the merged URI: a refresh after the handshake posts to the new host. + let mut bootstrap = Server::new_async().await; + let mut overridden = Server::new_async().await; + + let config_mock = bootstrap + .mock("GET", "/v1/config") + .with_status(200) + .with_body(format!( + r#"{{"overrides": {{"uri": "{}"}}, "defaults": {{}}}}"#, + overridden.url() + )) + .create_async() + .await; + // Handshake exchange still uses the bootstrap-derived default. + let bootstrap_oauth_mock = + create_oauth_mock_with_path(&mut bootstrap, "/v1/oauth/tokens", "tok-boot", 200).await; + // The refresh must follow the overridden URI. + let overridden_oauth_mock = + create_oauth_mock_with_path(&mut overridden, "/v1/oauth/tokens", "tok-new", 200).await; + + let props = HashMap::from([("credential".to_string(), "client1:secret1".to_string())]); + let catalog = RestCatalog::new( + RestCatalogConfig::builder() + .uri(bootstrap.url()) + .props(props) + .build(), + Some(Arc::new(LocalFsStorageFactory)), + Runtime::current(), + None, + ); + + catalog.context().await.unwrap(); + catalog.regenerate_token().await.unwrap(); + + config_mock.assert_async().await; + bootstrap_oauth_mock.assert_async().await; + overridden_oauth_mock.assert_async().await; + let token = catalog.context().await.unwrap().client.token().await; + assert_eq!(token, Some("tok-new".to_string())); + } + + #[tokio::test] + async fn test_injected_oauth_manager_keeps_endpoint_and_options() { + // An injected OAuth2Manager must keep its own token endpoint, extra + // headers and OAuth params across the config handshake: only explicit + // properties may override them, never synthesized defaults. + let mut server = Server::new_async().await; + let config_mock = create_config_mock(&mut server).await; + + // The catalog-host default endpoint must never see the credential. + let default_endpoint_mock = server + .mock("POST", "/v1/oauth/tokens") + .expect(0) + .create_async() + .await; + // Both exchanges (handshake + regenerate) hit the injected endpoint, + // carrying the injected header and OAuth param. + let custom_endpoint_mock = server + .mock("POST", "/custom/oauth/tokens") + .match_header("x-tenant", "t1") + // The default catalog scope must survive alongside the injected + // audience (with_extra_oauth_params merges onto the defaults). + .match_body(mockito::Matcher::AllOf(vec![ + mockito::Matcher::Regex("scope=catalog".to_string()), + mockito::Matcher::Regex("audience=aud-1".to_string()), + ])) + .with_status(200) + .with_body( + r#"{ + "access_token": "ey000000000000", + "token_type": "Bearer", + "issued_token_type": "urn:ietf:params:oauth:token-type:access_token", + "expires_in": 86400 + }"#, + ) + .expect(2) + .create_async() + .await; + + let manager = OAuth2Manager::new(format!("{}/custom/oauth/tokens", server.url())) + .with_credential(Some("client1".to_string()), "secret1".to_string()) + .with_extra_headers(HeaderMap::from_iter([( + HeaderName::from_static("x-tenant"), + HeaderValue::from_static("t1"), + )])) + .with_extra_oauth_params(HashMap::from([( + "audience".to_string(), + "aud-1".to_string(), + )])); + let catalog = RestCatalog::new( + RestCatalogConfig::builder() + .uri(server.url()) + .auth_manager(Some(Arc::new(manager))) + .build(), + Some(Arc::new(LocalFsStorageFactory)), + Runtime::current(), + None, + ); + + // Handshake performs the first exchange; regenerate the second — both + // must use the injected endpoint/options. + catalog.context().await.unwrap(); + catalog.regenerate_token().await.unwrap(); + + config_mock.assert_async().await; + custom_endpoint_mock.assert_async().await; + default_endpoint_mock.assert_async().await; + } + + #[tokio::test] + async fn test_catalog_session_receives_resolved_warehouse() { + use tokio::sync::Mutex as AsyncMutex; + + use crate::auth::AuthSession; + + // A custom manager must receive the resolved warehouse in the props + // handed to `catalog_session`, with the standard precedence: + // server default < client-side warehouse < server override. + #[derive(Debug)] + struct PlainSession; + #[async_trait] + impl AuthSession for PlainSession { + async fn authenticate(&self, _request: &mut reqwest::Request) -> Result<()> { + Ok(()) + } + } + + #[derive(Debug)] + struct CapturingManager(Arc>>>); + #[async_trait] + impl AuthManager for CapturingManager { + async fn init_session(&self) -> Result> { + Ok(Arc::new(PlainSession)) + } + async fn catalog_session( + &self, + props: &HashMap, + ) -> Result> { + *self.0.lock().await = Some(props.clone()); + Ok(Arc::new(PlainSession)) + } + } + + // Client warehouse wins over a server default. + let mut server = Server::new_async().await; + let config_mock = server + .mock("GET", "/v1/config") + .match_query(mockito::Matcher::UrlEncoded( + "warehouse".to_string(), + "client-wh".to_string(), + )) + .with_status(200) + .with_body(r#"{"defaults": {"warehouse": "default-wh"}, "overrides": {}}"#) + .create_async() + .await; + let captured = Arc::new(AsyncMutex::new(None)); + let catalog = RestCatalog::new( + RestCatalogConfig::builder() + .uri(server.url()) + .warehouse("client-wh".to_string()) + .auth_manager(Some(Arc::new(CapturingManager(captured.clone())))) + .build(), + Some(Arc::new(LocalFsStorageFactory)), + Runtime::current(), + None, + ); + catalog.context().await.unwrap(); + config_mock.assert_async().await; + let props = captured.lock().await.clone().unwrap(); + assert_eq!( + props.get("warehouse").map(String::as_str), + Some("client-wh") + ); + + // A server override wins over the client warehouse. + let mut server = Server::new_async().await; + let config_mock = server + .mock("GET", "/v1/config") + .match_query(mockito::Matcher::UrlEncoded( + "warehouse".to_string(), + "client-wh".to_string(), + )) + .with_status(200) + .with_body(r#"{"defaults": {}, "overrides": {"warehouse": "override-wh"}}"#) + .create_async() + .await; + let captured = Arc::new(AsyncMutex::new(None)); + let catalog = RestCatalog::new( + RestCatalogConfig::builder() + .uri(server.url()) + .warehouse("client-wh".to_string()) + .auth_manager(Some(Arc::new(CapturingManager(captured.clone())))) + .build(), + Some(Arc::new(LocalFsStorageFactory)), + Runtime::current(), + None, + ); + catalog.context().await.unwrap(); + config_mock.assert_async().await; + let props = captured.lock().await.clone().unwrap(); + assert_eq!( + props.get("warehouse").map(String::as_str), + Some("override-wh") + ); + } + + #[tokio::test] + async fn test_init_session_dropped_before_catalog_session() { + use std::sync::atomic::{AtomicBool, Ordering}; + + use crate::auth::AuthSession; + + // A manager whose init session guards a one-shot resource (released on + // drop) must see it released before `catalog_session` is invoked. + #[derive(Debug)] + struct GuardSession(Arc); + impl Drop for GuardSession { + fn drop(&mut self) { + self.0.store(true, Ordering::SeqCst); + } + } + #[async_trait] + impl AuthSession for GuardSession { + async fn authenticate(&self, _request: &mut reqwest::Request) -> Result<()> { + Ok(()) + } + } + + #[derive(Debug)] + struct PlainSession; + #[async_trait] + impl AuthSession for PlainSession { + async fn authenticate(&self, _request: &mut reqwest::Request) -> Result<()> { + Ok(()) + } + } + + #[derive(Debug)] + struct GuardManager(Arc); + #[async_trait] + impl AuthManager for GuardManager { + async fn init_session(&self) -> Result> { + Ok(Arc::new(GuardSession(self.0.clone()))) + } + async fn catalog_session( + &self, + _props: &HashMap, + ) -> Result> { + if !self.0.load(Ordering::SeqCst) { + return Err(Error::new( + ErrorKind::Unexpected, + "init session must be dropped before catalog_session", + )); + } + Ok(Arc::new(PlainSession)) + } + } + + let mut server = Server::new_async().await; + let config_mock = create_config_mock(&mut server).await; + + let dropped = Arc::new(AtomicBool::new(false)); + let catalog = RestCatalog::new( + RestCatalogConfig::builder() + .uri(server.url()) + .auth_manager(Some(Arc::new(GuardManager(dropped.clone())))) + .build(), + Some(Arc::new(LocalFsStorageFactory)), + Runtime::current(), + None, + ); + + catalog.context().await.unwrap(); + config_mock.assert_async().await; + assert!(dropped.load(Ordering::SeqCst)); + } + + #[test] + fn test_unknown_auth_type_is_rejected() { + let props = HashMap::from([( + REST_CATALOG_PROP_AUTH_TYPE.to_string(), + "kerberos".to_string(), + )]); + let config = RestCatalogConfig::builder() + .uri("http://localhost".to_string()) + .props(props) + .build(); + + let err = config.resolve_auth_manager().unwrap_err(); + assert!(err.message().contains(REST_CATALOG_PROP_AUTH_TYPE)); + } + + #[test] + fn test_with_auth_manager_overrides_config() { + // A custom auth manager takes precedence over `rest.auth.type`. + #[derive(Debug)] + struct StubAuthManager; + #[async_trait] + impl AuthManager for StubAuthManager { + async fn init_session(&self) -> Result> { + unimplemented!() + } + async fn catalog_session( + &self, + _props: &HashMap, + ) -> Result> { + unimplemented!() + } + } + + let config = RestCatalogConfig::builder() + .uri("http://localhost".to_string()) + .props(HashMap::from([( + REST_CATALOG_PROP_AUTH_TYPE.to_string(), + "kerberos".to_string(), + )])) + .auth_manager(Some(Arc::new(StubAuthManager))) + .build(); + + // The unknown auth type is never consulted. + assert!(config.resolve_auth_manager().is_ok()); + } + #[tokio::test] async fn test_list_namespace_with_pagination() { let mut server = Server::new_async().await; diff --git a/crates/catalog/rest/src/client.rs b/crates/catalog/rest/src/client.rs index 07dc0620da..1996827a2f 100644 --- a/crates/catalog/rest/src/client.rs +++ b/crates/catalog/rest/src/client.rs @@ -17,34 +17,27 @@ use std::collections::HashMap; use std::fmt::{Debug, Formatter}; +use std::sync::Arc; -use http::StatusCode; use iceberg::{Error, ErrorKind, Result}; use reqwest::header::HeaderMap; use reqwest::{Client, IntoUrl, Method, Request, RequestBuilder, Response}; use serde::de::DeserializeOwned; -use tokio::sync::Mutex; use crate::RestCatalogConfig; -use crate::types::{ErrorResponse, TokenResponse}; +use crate::auth::{AuthManager, AuthSession}; pub(crate) struct HttpClient { client: Client, - /// The token to be used for authentication. - /// - /// It's possible to fetch the token from the server while needed. - token: Mutex>, - /// The token endpoint to be used for authentication. - token_endpoint: String, - /// The credential to be used for authentication. - credential: Option<(Option, String)>, /// Extra headers to be added to each request. extra_headers: HeaderMap, - /// Extra oauth parameters to be added to each authentication request. - extra_oauth_params: HashMap, /// Whether to disable header redaction in error logs (defaults to false for security). disable_header_redaction: bool, + /// The auth manager living for the lifetime of the catalog. + auth_manager: Arc, + /// The session authenticating requests in the current phase. + session: Arc, } impl Debug for HttpClient { @@ -58,16 +51,15 @@ impl Debug for HttpClient { impl HttpClient { /// Create a new http client. - pub fn new(cfg: &RestCatalogConfig) -> Result { - let extra_headers = cfg.extra_headers()?; + pub async fn new(cfg: &RestCatalogConfig) -> Result { + let auth_manager = cfg.resolve_auth_manager()?; + let session = auth_manager.init_session().await?; Ok(HttpClient { - client: cfg.client().unwrap_or_default(), - token: Mutex::new(cfg.token()), - token_endpoint: cfg.get_token_endpoint(), - credential: cfg.credential(), - extra_headers, - extra_oauth_params: cfg.extra_oauth_params(), + client: cfg.client(), + extra_headers: cfg.extra_headers()?, disable_header_redaction: cfg.disable_header_redaction(), + auth_manager, + session, }) } @@ -75,172 +67,47 @@ impl HttpClient { /// /// If cfg carries new value, we will use cfg instead. /// Otherwise, we will keep the old value. - pub fn update_with(self, cfg: &RestCatalogConfig) -> Result { + /// + /// The auth manager is kept; it derives a new session from the merged + /// properties (carrying over state such as a cached token). + pub async fn update_with(self, cfg: &RestCatalogConfig) -> Result { + let HttpClient { + // The same client comes back from `cfg.client()` below: the config + // clone shares the lazily-created default (or the user's client). + client: _, + extra_headers: current_headers, + disable_header_redaction: _, + auth_manager, + session: init_session, + } = self; + // Release the init-phase session before deriving the catalog session, + // so a manager whose init session guards a one-shot resource (released + // on drop) can build its catalog session without deadlocking. + drop(init_session); + let extra_headers = (!cfg.extra_headers()?.is_empty()) .then(|| cfg.extra_headers()) .transpose()? - .unwrap_or(self.extra_headers); + .unwrap_or(current_headers); + let session = auth_manager.catalog_session(&cfg.auth_props()).await?; Ok(HttpClient { - client: cfg.client().unwrap_or(self.client), - token: Mutex::new(cfg.token().or_else(|| self.token.into_inner())), - token_endpoint: if !cfg.get_token_endpoint().is_empty() { - cfg.get_token_endpoint() - } else { - self.token_endpoint - }, - credential: cfg.credential().or(self.credential), + client: cfg.client(), extra_headers, - extra_oauth_params: if !cfg.extra_oauth_params().is_empty() { - cfg.extra_oauth_params() - } else { - self.extra_oauth_params - }, disable_header_redaction: cfg.disable_header_redaction(), + auth_manager, + session, }) } - /// This API is testing only to assert the token. - #[cfg(test)] - pub(crate) async fn token(&self) -> Option { - let mut req = self - .request(Method::GET, &self.token_endpoint) - .build() - .unwrap(); - self.authenticate(&mut req).await.ok(); - self.token.lock().await.clone() + /// The session authenticating requests in the current phase. + pub(crate) fn session(&self) -> &Arc { + &self.session } - async fn exchange_credential_for_token(&self) -> Result { - // Credential must exist here. - let (client_id, client_secret) = self.credential.as_ref().ok_or_else(|| { - Error::new( - ErrorKind::DataInvalid, - "Credential must be provided for authentication", - ) - })?; - - let mut params = HashMap::with_capacity(4); - params.insert("grant_type", "client_credentials"); - if let Some(client_id) = client_id { - params.insert("client_id", client_id); - } - params.insert("client_secret", client_secret); - params.extend( - self.extra_oauth_params - .iter() - .map(|(k, v)| (k.as_str(), v.as_str())), - ); - - let mut auth_req = self - .request(Method::POST, &self.token_endpoint) - .form(¶ms) - .build()?; - // extra headers add content-type application/json header it's necessary to override it with proper type - // note that form call doesn't add content-type header if already present - auth_req.headers_mut().insert( - http::header::CONTENT_TYPE, - http::HeaderValue::from_static("application/x-www-form-urlencoded"), - ); - let auth_url = auth_req.url().clone(); - let auth_resp = self.client.execute(auth_req).await?; - - let auth_res: TokenResponse = if auth_resp.status() == StatusCode::OK { - let text = auth_resp - .bytes() - .await - .map_err(|err| err.with_url(auth_url.clone()))?; - Ok(serde_json::from_slice(&text).map_err(|e| { - Error::new( - ErrorKind::Unexpected, - "Failed to parse response from rest catalog server!", - ) - .with_context("operation", "auth") - .with_context("url", auth_url.to_string()) - .with_context("json", String::from_utf8_lossy(&text)) - .with_source(e) - })?) - } else { - let code = auth_resp.status(); - let text = auth_resp - .bytes() - .await - .map_err(|err| err.with_url(auth_url.clone()))?; - let e: ErrorResponse = serde_json::from_slice(&text).map_err(|e| { - Error::new(ErrorKind::Unexpected, "Received unexpected response") - .with_context("code", code.to_string()) - .with_context("operation", "auth") - .with_context("url", auth_url.to_string()) - .with_context("json", String::from_utf8_lossy(&text)) - .with_source(e) - })?; - Err(Error::from(e)) - }?; - Ok(auth_res.access_token) - } - - /// Invalidate the current token without generating a new one. On the next request, the client - /// will attempt to generate a new token. - pub(crate) async fn invalidate_token(&self) -> Result<()> { - *self.token.lock().await = None; - Ok(()) - } - - /// Invalidate the current token and set a new one. Generates a new token before invalidating - /// the current token, meaning the old token will be used until this function acquires the lock - /// and overwrites the token. - /// - /// If credential is invalid, or the request fails, this method will return an error and leave - /// the current token unchanged. - pub(crate) async fn regenerate_token(&self) -> Result<()> { - let new_token = self.exchange_credential_for_token().await?; - *self.token.lock().await = Some(new_token.clone()); - Ok(()) - } - - /// Authenticates the request by adding a bearer token to the authorization header. - /// - /// This method supports three authentication modes: - /// - /// 1. **No authentication** - Skip authentication when both `credential` and `token` are missing. - /// 2. **Token authentication** - Use the provided `token` directly for authentication. - /// 3. **OAuth authentication** - Exchange `credential` for a token, cache it, then use it for authentication. - /// - /// When both `credential` and `token` are present, `token` takes precedence. - /// - /// # TODO: Support automatic token refreshing. - async fn authenticate(&self, req: &mut Request) -> Result<()> { - // Clone the token from lock without holding the lock for entire function. - let token = self.token.lock().await.clone(); - - if self.credential.is_none() && token.is_none() { - return Ok(()); - } - - // Either use the provided token or exchange credential for token, cache and use that - let token = match token { - Some(token) => token, - None => { - let token = self.exchange_credential_for_token().await?; - // Update token so that we use it for next request instead of - // exchanging credential for token from the server again - *self.token.lock().await = Some(token.clone()); - token - } - }; - - // Insert token in request. - req.headers_mut().insert( - http::header::AUTHORIZATION, - format!("Bearer {token}").parse().map_err(|e| { - Error::new( - ErrorKind::DataInvalid, - "Invalid token received from catalog server!", - ) - .with_source(e) - })?, - ); - - Ok(()) + /// This API is testing only to assert the bearer token the session caches. + #[cfg(test)] + pub(crate) async fn token(&self) -> Option { + self.session.bearer_token().await } #[inline] @@ -250,17 +117,15 @@ impl HttpClient { .headers(self.extra_headers.clone()) } - /// Executes the given `Request` and returns a `Response`. - pub async fn execute(&self, mut request: Request) -> Result { - request.headers_mut().extend(self.extra_headers.clone()); - Ok(self.client.execute(request).await?) - } - // Queries the Iceberg REST catalog after authentication with the given `Request` and // returns a `Response`. pub async fn query_catalog(&self, mut request: Request) -> Result { - self.authenticate(&mut request).await?; - self.execute(request).await + // Order preserved from the pre-AuthManager code: authenticate first, + // then apply extra headers, so a user-configured `header.authorization` + // keeps overriding a token, exactly as before. + self.session.authenticate(&mut request).await?; + request.headers_mut().extend(self.extra_headers.clone()); + Ok(self.client.execute(request).await?) } /// Returns whether header redaction is disabled for this client. diff --git a/crates/catalog/rest/src/lib.rs b/crates/catalog/rest/src/lib.rs index 383728401f..663ea65f26 100644 --- a/crates/catalog/rest/src/lib.rs +++ b/crates/catalog/rest/src/lib.rs @@ -51,11 +51,13 @@ #![deny(missing_docs)] +mod auth; mod catalog; mod client; mod endpoint; mod types; +pub use auth::*; pub use catalog::*; pub use endpoint::Endpoint; pub use types::*;