| # Licensed to the Apache Software Foundation (ASF) under one |
| # or more contributor license agreements. See the NOTICE file |
| # distributed with this work for additional information |
| # regarding copyright ownership. The ASF licenses this file |
| # to you under the Apache License, Version 2.0 (the |
| # "License"); you may not use this file except in compliance |
| # with the License. You may obtain a copy of the License at |
| # |
| # http://www.apache.org/licenses/LICENSE-2.0 |
| # |
| # Unless required by applicable law or agreed to in writing, |
| # software distributed under the License is distributed on an |
| # "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY |
| # KIND, either express or implied. See the License for the |
| # specific language governing permissions and limitations |
| # under the License. |
| |
| import base64 |
| import importlib |
| import logging |
| import threading |
| import time |
| from abc import ABC, abstractmethod |
| from functools import cached_property |
| from typing import Any, Dict, List, Optional, Type |
| |
| import requests |
| from requests import HTTPError, PreparedRequest, Session |
| from requests.auth import AuthBase |
| |
| from pyiceberg.catalog.rest.response import TokenResponse, _handle_non_200_response |
| from pyiceberg.exceptions import OAuthError |
| |
| COLON = ":" |
| logger = logging.getLogger(__name__) |
| |
| |
| class AuthManager(ABC): |
| """ |
| Abstract base class for Authentication Managers used to supply authorization headers to HTTP clients (e.g. requests.Session). |
| |
| Subclasses must implement the `auth_header` method to return an Authorization header value. |
| """ |
| |
| @abstractmethod |
| def auth_header(self) -> Optional[str]: |
| """Return the Authorization header value, or None if not applicable.""" |
| |
| |
| class NoopAuthManager(AuthManager): |
| """Auth Manager implementation with no auth.""" |
| |
| def auth_header(self) -> Optional[str]: |
| return None |
| |
| |
| class BasicAuthManager(AuthManager): |
| """AuthManager implementation that supports basic password auth.""" |
| |
| def __init__(self, username: str, password: str): |
| credentials = f"{username}:{password}" |
| self._token = base64.b64encode(credentials.encode()).decode() |
| |
| def auth_header(self) -> str: |
| return f"Basic {self._token}" |
| |
| |
| class LegacyOAuth2AuthManager(AuthManager): |
| """Legacy OAuth2 AuthManager implementation. |
| |
| This class exists for backward compatibility, and will be removed in |
| PyIceberg 1.0.0 in favor of OAuth2AuthManager. |
| """ |
| |
| _session: Session |
| _auth_url: Optional[str] |
| _token: Optional[str] |
| _credential: Optional[str] |
| _optional_oauth_params: Optional[Dict[str, str]] |
| |
| def __init__( |
| self, |
| session: Session, |
| auth_url: Optional[str] = None, |
| credential: Optional[str] = None, |
| initial_token: Optional[str] = None, |
| optional_oauth_params: Optional[Dict[str, str]] = None, |
| ): |
| self._session = session |
| self._auth_url = auth_url |
| self._token = initial_token |
| self._credential = credential |
| self._optional_oauth_params = optional_oauth_params |
| self._refresh_token() |
| |
| def _fetch_access_token(self, credential: str) -> str: |
| if COLON in credential: |
| client_id, client_secret = credential.split(COLON) |
| else: |
| client_id, client_secret = None, credential |
| |
| data = {"grant_type": "client_credentials", "client_id": client_id, "client_secret": client_secret} |
| |
| if self._optional_oauth_params: |
| data.update(self._optional_oauth_params) |
| |
| if self._auth_url is None: |
| raise ValueError("Cannot fetch access token from undefined auth_url") |
| |
| response = self._session.post( |
| url=self._auth_url, data=data, headers={**self._session.headers, "Content-type": "application/x-www-form-urlencoded"} |
| ) |
| try: |
| response.raise_for_status() |
| except HTTPError as exc: |
| _handle_non_200_response(exc, {400: OAuthError, 401: OAuthError}) |
| |
| return TokenResponse.model_validate_json(response.text).access_token |
| |
| def _refresh_token(self) -> None: |
| if self._credential is not None: |
| self._token = self._fetch_access_token(self._credential) |
| |
| def auth_header(self) -> str: |
| return f"Bearer {self._token}" |
| |
| |
| class OAuth2TokenProvider: |
| """Thread-safe OAuth2 token provider with token refresh support.""" |
| |
| client_id: str |
| client_secret: str |
| token_url: str |
| scope: Optional[str] |
| refresh_margin: int |
| expires_in: Optional[int] |
| |
| _token: Optional[str] |
| _expires_at: int |
| _lock: threading.Lock |
| |
| def __init__( |
| self, |
| client_id: str, |
| client_secret: str, |
| token_url: str, |
| scope: Optional[str] = None, |
| refresh_margin: int = 60, |
| expires_in: Optional[int] = None, |
| ): |
| self.client_id = client_id |
| self.client_secret = client_secret |
| self.token_url = token_url |
| self.scope = scope |
| self.refresh_margin = refresh_margin |
| self.expires_in = expires_in |
| |
| self._token = None |
| self._expires_at = 0 |
| self._lock = threading.Lock() |
| |
| @cached_property |
| def _client_secret_header(self) -> str: |
| creds = f"{self.client_id}:{self.client_secret}" |
| creds_bytes = creds.encode("utf-8") |
| b64_creds = base64.b64encode(creds_bytes).decode("utf-8") |
| return f"Basic {b64_creds}" |
| |
| def _refresh_token(self) -> None: |
| data = {"grant_type": "client_credentials"} |
| if self.scope: |
| data["scope"] = self.scope |
| |
| response = requests.post(self.token_url, data=data, headers={"Authorization": self._client_secret_header}) |
| response.raise_for_status() |
| result = response.json() |
| |
| self._token = result["access_token"] |
| expires_in = result.get("expires_in", self.expires_in) |
| if expires_in is None: |
| raise ValueError( |
| "The expiration time of the Token must be provided by the Server in the Access Token Response in `expires_in` field, or by the PyIceberg Client." |
| ) |
| self._expires_at = time.monotonic() + expires_in - self.refresh_margin |
| |
| def get_token(self) -> str: |
| with self._lock: |
| if not self._token or time.monotonic() >= self._expires_at: |
| self._refresh_token() |
| if self._token is None: |
| raise ValueError("Authorization token is None after refresh") |
| return self._token |
| |
| |
| class OAuth2AuthManager(AuthManager): |
| """Auth Manager implementation that supports OAuth2 as defined in IETF RFC6749.""" |
| |
| def __init__( |
| self, |
| client_id: str, |
| client_secret: str, |
| token_url: str, |
| scope: Optional[str] = None, |
| refresh_margin: int = 60, |
| expires_in: Optional[int] = None, |
| ): |
| self.token_provider = OAuth2TokenProvider( |
| client_id, |
| client_secret, |
| token_url, |
| scope, |
| refresh_margin, |
| expires_in, |
| ) |
| |
| def auth_header(self) -> str: |
| return f"Bearer {self.token_provider.get_token()}" |
| |
| |
| class GoogleAuthManager(AuthManager): |
| """An auth manager that is responsible for handling Google credentials.""" |
| |
| def __init__(self, credentials_path: Optional[str] = None, scopes: Optional[List[str]] = None): |
| """ |
| Initialize GoogleAuthManager. |
| |
| Args: |
| credentials_path: Optional path to Google credentials JSON file. |
| scopes: Optional list of OAuth2 scopes. |
| """ |
| try: |
| import google.auth |
| import google.auth.transport.requests |
| except ImportError as e: |
| raise ImportError("Google Auth libraries not found. Please install 'google-auth'.") from e |
| |
| if credentials_path: |
| self.credentials, _ = google.auth.load_credentials_from_file(credentials_path, scopes=scopes) |
| else: |
| logger.info("Using Google Default Application Credentials") |
| self.credentials, _ = google.auth.default(scopes=scopes) |
| self._auth_request = google.auth.transport.requests.Request() |
| |
| def auth_header(self) -> str: |
| self.credentials.refresh(self._auth_request) |
| return f"Bearer {self.credentials.token}" |
| |
| |
| class AuthManagerAdapter(AuthBase): |
| """A `requests.auth.AuthBase` adapter that integrates an `AuthManager` into a `requests.Session` to automatically attach the appropriate Authorization header to every request. |
| |
| This adapter is useful when working with `requests.Session.auth` |
| and allows reuse of authentication strategies defined by `AuthManager`. |
| This AuthManagerAdapter is only intended to be used against the REST Catalog |
| Server that expects the Authorization Header. |
| """ |
| |
| def __init__(self, auth_manager: AuthManager): |
| """ |
| Initialize AuthManagerAdapter. |
| |
| Args: |
| auth_manager (AuthManager): An instance of an AuthManager subclass. |
| """ |
| self.auth_manager = auth_manager |
| |
| def __call__(self, request: PreparedRequest) -> PreparedRequest: |
| """ |
| Modify the outgoing request to include the Authorization header. |
| |
| Args: |
| request (requests.PreparedRequest): The HTTP request being prepared. |
| |
| Returns: |
| requests.PreparedRequest: The modified request with Authorization header. |
| """ |
| if auth_header := self.auth_manager.auth_header(): |
| request.headers["Authorization"] = auth_header |
| return request |
| |
| |
| class AuthManagerFactory: |
| _registry: Dict[str, Type["AuthManager"]] = {} |
| |
| @classmethod |
| def register(cls, name: str, auth_manager_class: Type["AuthManager"]) -> None: |
| """ |
| Register a string name to a known AuthManager class. |
| |
| Args: |
| name (str): unique name like 'oauth2' to register the AuthManager with |
| auth_manager_class (Type["AuthManager"]): Implementation of AuthManager |
| |
| Returns: |
| None |
| """ |
| cls._registry[name] = auth_manager_class |
| |
| @classmethod |
| def create(cls, class_or_name: str, config: Dict[str, Any]) -> AuthManager: |
| """ |
| Create an AuthManager by name or fully-qualified class path. |
| |
| Args: |
| class_or_name (str): Either a name like 'oauth2' or a full class path like 'my.module.CustomAuthManager' |
| config (Dict[str, Any]): Configuration passed to the AuthManager constructor |
| |
| Returns: |
| AuthManager: An instantiated AuthManager subclass |
| """ |
| if class_or_name in cls._registry: |
| manager_cls = cls._registry[class_or_name] |
| else: |
| try: |
| module_path, class_name = class_or_name.rsplit(".", 1) |
| module = importlib.import_module(module_path) |
| manager_cls = getattr(module, class_name) |
| except Exception as err: |
| raise ValueError(f"Could not load AuthManager class for '{class_or_name}'") from err |
| |
| return manager_cls(**config) |
| |
| |
| AuthManagerFactory.register("noop", NoopAuthManager) |
| AuthManagerFactory.register("basic", BasicAuthManager) |
| AuthManagerFactory.register("legacyoauth2", LegacyOAuth2AuthManager) |
| AuthManagerFactory.register("oauth2", OAuth2AuthManager) |
| AuthManagerFactory.register("google", GoogleAuthManager) |