feat: add restcatalog authentication api

Author: shuxu.li

src/iceberg/catalog/rest/CMakeLists.txt

@@ -27,12 +27,10 @@ set(ICEBERG_REST_SOURCES
     resource_paths.cc
     rest_catalog.cc
     rest_util.cc
-    types.cc)
-
-# Add auth sources with proper path prefix
-foreach(AUTH_SOURCE ${ICEBERG_REST_AUTH_SOURCES})
-  list(APPEND ICEBERG_REST_SOURCES "auth/${AUTH_SOURCE}")
-endforeach()
+    types.cc
+    auth/auth_manager.cc
+    auth/auth_managers.cc
+    auth/auth_session.cc)
 
 set(ICEBERG_REST_STATIC_BUILD_INTERFACE_LIBS)
 set(ICEBERG_REST_SHARED_BUILD_INTERFACE_LIBS)

src/iceberg/catalog/rest/auth/CMakeLists.txt

@@ -15,9 +15,4 @@
 # specific language governing permissions and limitations
 # under the License.
 
-set(ICEBERG_REST_AUTH_SOURCES auth_session.cc auth_manager.cc auth_managers.cc)
-
-# Expose sources to parent scope for inclusion in iceberg_rest library
-set(ICEBERG_REST_AUTH_SOURCES
-    ${ICEBERG_REST_AUTH_SOURCES}
-    PARENT_SCOPE)
+iceberg_install_all_headers(iceberg/catalog/rest/auth)

src/iceberg/catalog/rest/auth/auth_manager.cc

@@ -19,21 +19,23 @@
 
 #include "iceberg/catalog/rest/auth/auth_manager.h"
 
+#include "iceberg/catalog/rest/auth/auth_session.h"
+
 namespace iceberg::rest::auth {
 
-Result<std::shared_ptr<AuthSession>> AuthManager::InitSession(
-    HttpClient* init_client,
+Result<std::unique_ptr<AuthSession>> AuthManager::InitSession(
+    HttpClient& init_client,
     const std::unordered_map<std::string, std::string>& properties) {
   // By default, use the catalog session for initialization
   return CatalogSession(init_client, properties);
 }
 
-Result<std::shared_ptr<AuthSession>> AuthManager::TableSession(
+Result<std::unique_ptr<AuthSession>> AuthManager::TableSession(
     [[maybe_unused]] const TableIdentifier& table,
     [[maybe_unused]] const std::unordered_map<std::string, std::string>& properties,
-    std::shared_ptr<AuthSession> parent) {
-  // By default, return the parent session
-  return parent;
+    [[maybe_unused]] const AuthSession& parent) {
+  // By default, return nullptr to indicate the parent session should be reused.
+  return nullptr;
 }
 
 }  // namespace iceberg::rest::auth

src/iceberg/catalog/rest/auth/auth_manager.h

@@ -23,100 +23,58 @@
 #include <string>
 #include <unordered_map>
 
-#include "iceberg/catalog/rest/auth/auth_session.h"
 #include "iceberg/catalog/rest/iceberg_rest_export.h"
+#include "iceberg/catalog/rest/type_fwd.h"
 #include "iceberg/result.h"
 #include "iceberg/table_identifier.h"
 
 /// \file iceberg/catalog/rest/auth/auth_manager.h
 /// \brief Authentication manager interface for REST catalog.
 
-namespace iceberg::rest {
-class HttpClient;
-}  // namespace iceberg::rest
-
 namespace iceberg::rest::auth {
 
-/// \brief Manager for authentication sessions.
-///
-/// This interface is used to create sessions for the catalog, tables/views,
-/// and any other context that requires authentication.
-///
-/// Managers are typically stateful and may require initialization and cleanup.
-/// The manager is created by the catalog and is closed when the catalog is closed.
-///
-/// This interface is modeled after Java Iceberg's AuthManager interface.
+/// \brief Produces authentication sessions for catalog and table requests.
 class ICEBERG_REST_EXPORT AuthManager {
  public:
   virtual ~AuthManager() = default;
 
-  /// \brief Return a temporary session for contacting the configuration endpoint.
-  ///
-  /// This session is used only during catalog initialization to fetch server
-  /// configuration. The returned session will be closed after the configuration
-  /// endpoint is contacted and should not be cached.
-  ///
-  /// The provided HTTP client is a short-lived client; it should only be used
-  /// to fetch initial credentials if required, and must be discarded after that.
+  /// \brief Create a short-lived session used to contact the configuration endpoint.
   ///
-  /// By default, it returns the catalog session.
-  ///
-  /// \param init_client A short-lived HTTP client for initialization.
-  /// \param properties Configuration properties.
-  /// \return A session for initialization, or an error if session creation fails.
-  virtual Result<std::shared_ptr<AuthSession>> InitSession(
-      HttpClient* init_client,
+  /// \param init_client HTTP client used for initialization requests.
+  /// \param properties Client configuration supplied by the catalog.
+  /// \return Session for initialization or an error if credentials cannot be acquired.
+  virtual Result<std::unique_ptr<AuthSession>> InitSession(
+      HttpClient& init_client,
       const std::unordered_map<std::string, std::string>& properties);
 
-  /// \brief Return a long-lived session for catalog operations.
-  ///
-  /// This session's lifetime is tied to the owning catalog. It serves as the
-  /// parent session for all other sessions (contextual and table-specific).
-  /// It is closed when the owning catalog is closed.
+  /// \brief Create the long-lived catalog session that acts as the parent session.
   ///
-  /// The provided HTTP client is a long-lived, shared client. Implementors may
-  /// store it and reuse it for subsequent requests to the authorization server
-  /// (e.g., for renewing or refreshing credentials). It is not necessary to
-  /// close it when Close() is called.
-  ///
-  /// It is not required to cache the returned session internally, as the catalog
-  /// will keep it alive for the lifetime of the catalog.
-  ///
-  /// \param shared_client A long-lived, shared HTTP client.
-  /// \param properties Configuration properties (merged with server config).
-  /// \return A session for catalog operations, or an error if session creation fails
-  ///         (e.g., missing required credentials, network failure during token fetch).
-  virtual Result<std::shared_ptr<AuthSession>> CatalogSession(
-      HttpClient* shared_client,
+  /// \param shared_client HTTP client owned by the catalog and reused for auth calls.
+  /// \param properties Catalog properties (client config + server defaults).
+  /// \return Session for catalog operations or an error if authentication cannot be set
+  /// up.
+  virtual Result<std::unique_ptr<AuthSession>> CatalogSession(
+      HttpClient& shared_client,
       const std::unordered_map<std::string, std::string>& properties) = 0;
 
-  /// \brief Return a session for a specific table or view.
-  ///
-  /// If the table or view requires a specific AuthSession (e.g., vended credentials),
-  /// this method should return a new AuthSession instance. Otherwise, it should
-  /// return the parent session.
-  ///
-  /// By default, it returns the parent session.
+  /// \brief Create or reuse a session scoped to a single table/view.
   ///
-  /// Implementors should cache table sessions internally, as the catalog will not
-  /// cache them. Also, the owning catalog never closes table sessions; implementations
-  /// should manage their lifecycle and close them when they are no longer needed.
+  /// This method can return a new table-specific session or indicate that the parent
+  /// catalog session should be reused by returning nullptr.
   ///
-  /// \param table The table identifier.
-  /// \param properties Properties returned by the table/view endpoint.
-  /// \param parent The parent session (typically the catalog session).
-  /// \return A session for the table, or an error if session creation fails.
-  virtual Result<std::shared_ptr<AuthSession>> TableSession(
+  /// \param table Target table identifier.
+  /// \param properties Table-specific auth properties returned by the server.
+  /// \param parent Catalog session to read information from.
+  /// \return A new session for the table, nullptr to reuse parent, or an error.
+  virtual Result<std::unique_ptr<AuthSession>> TableSession(
       const TableIdentifier& table,
       const std::unordered_map<std::string, std::string>& properties,
-      std::shared_ptr<AuthSession> parent);
+      const AuthSession& parent);
 
-  /// \brief Close the manager and release any resources.
+  /// \brief Release resources held by the manager.
   ///
-  /// This method is called when the owning catalog is closed. Implementations
-  /// should release any resources held by the manager, such as cached sessions
-  /// or background threads.
-  virtual void Close() {}
+  /// \return Status of the close operation.
+  virtual Status Close() { return {}; }
 };
 
 }  // namespace iceberg::rest::auth

src/iceberg/catalog/rest/auth/auth_managers.cc

@@ -23,19 +23,12 @@
 #include <cctype>
 
 #include "iceberg/catalog/rest/auth/auth_properties.h"
+#include "iceberg/util/string_util.h"
 
 namespace iceberg::rest::auth {
 
 namespace {
 
-/// \brief Convert a string to lowercase for case-insensitive comparison.
-std::string ToLower(std::string_view str) {
-  std::string result(str);
-  std::ranges::transform(result, result.begin(),
-                         [](unsigned char c) { return std::tolower(c); });
-  return result;
-}
-
 /// \brief Infer the authentication type from properties.
 ///
 /// If no explicit auth type is set, this function tries to infer it from
@@ -48,7 +41,7 @@ std::string InferAuthType(
   // Check for explicit auth type first
   auto it = properties.find(std::string(AuthProperties::kAuthType));
   if (it != properties.end() && !it->second.empty()) {
-    return ToLower(it->second);
+    return StringUtils::ToLower(it->second);
   }
 
   // Infer from OAuth2 properties (credential or token)
@@ -63,19 +56,20 @@ std::string InferAuthType(
   return std::string(AuthProperties::kAuthTypeNone);
 }
 
-}  // namespace
-
-std::unordered_map<std::string, AuthManagerFactory>& AuthManagers::GetRegistry() {
-  static std::unordered_map<std::string, AuthManagerFactory> registry;
+/// \brief Get the global registry of auth manager factories.
+AuthManagerRegistry& GetRegistry() {
+  static AuthManagerRegistry registry;
   return registry;
 }
 
-void AuthManagers::Register(const std::string& auth_type, AuthManagerFactory factory) {
-  GetRegistry()[ToLower(auth_type)] = std::move(factory);
+}  // namespace
+
+void AuthManagers::Register(std::string_view auth_type, AuthManagerFactory factory) {
+  GetRegistry()[StringUtils::ToLower(std::string(auth_type))] = std::move(factory);
 }
 
 Result<std::unique_ptr<AuthManager>> AuthManagers::Load(
-    const std::string& name,
+    std::string_view name,
     const std::unordered_map<std::string, std::string>& properties) {
   std::string auth_type = InferAuthType(properties);
 

src/iceberg/catalog/rest/auth/auth_managers.h

@@ -22,67 +22,49 @@
 #include <functional>
 #include <memory>
 #include <string>
+#include <string_view>
 #include <unordered_map>
 
 #include "iceberg/catalog/rest/auth/auth_manager.h"
 #include "iceberg/catalog/rest/iceberg_rest_export.h"
 #include "iceberg/result.h"
+#include "iceberg/util/string_util.h"
 
 /// \file iceberg/catalog/rest/auth/auth_managers.h
 /// \brief Factory for creating authentication managers.
 
 namespace iceberg::rest::auth {
 
-/// \brief Factory function type for creating AuthManager instances.
+/// \brief Function that builds an AuthManager for a given catalog.
 ///
-/// \param name The name of the manager (used for logging).
-/// \param properties Configuration properties.
-/// \return A unique pointer to the created AuthManager.
+/// \param name Catalog name passed to the manager.
+/// \param properties Consolidated catalog configuration.
+/// \return Newly created manager instance.
 using AuthManagerFactory = std::function<std::unique_ptr<AuthManager>(
-    const std::string& name,
+    std::string_view name,
     const std::unordered_map<std::string, std::string>& properties)>;
 
-/// \brief Factory class for loading authentication managers.
-///
-/// This class provides a registry-based approach to create AuthManager instances
-/// based on the configured authentication type. It supports built-in types
-/// (none, basic, oauth2) and allows registration of custom types.
-///
-/// This class is modeled after Java Iceberg's AuthManagers class.
+/// \brief Registry type for AuthManager factories with heterogeneous lookup support.
+using AuthManagerRegistry =
+    std::unordered_map<std::string, AuthManagerFactory, StringHash, StringEqual>;
+
+/// \brief Registry-backed factory for AuthManager implementations.
 class ICEBERG_REST_EXPORT AuthManagers {
  public:
-  /// \brief Load an authentication manager based on configuration.
-  ///
-  /// This method reads the "rest.auth.type" property to determine which
-  /// AuthManager implementation to create. Supported types include:
-  /// - "none": NoopAuthManager (no authentication)
-  /// - "basic": BasicAuthManager (HTTP Basic authentication)
-  /// - "oauth2": OAuth2AuthManager (OAuth2 authentication)
-  /// - "sigv4": SigV4AuthManager (AWS Signature V4)
+  /// \brief Load a manager by consulting the "rest.auth.type" configuration.
   ///
-  /// If no auth type is specified, the method will infer the type based on
-  /// other properties (e.g., presence of "credential" or "token" implies oauth2).
-  /// If no auth-related properties are found, it defaults to "none".
-  ///
-  /// \param name A name for the manager (used for logging).
-  /// \param properties Configuration properties.
-  /// \return A unique pointer to the created AuthManager, or an error.
+  /// \param name Catalog name passed to the manager.
+  /// \param properties Catalog properties used to determine auth type.
+  /// \return Manager instance or an error if no factory matches.
   static Result<std::unique_ptr<AuthManager>> Load(
-      const std::string& name,
+      std::string_view name,
       const std::unordered_map<std::string, std::string>& properties);
 
-  /// \brief Register a custom authentication manager factory.
-  ///
-  /// This allows users to extend the supported authentication types by
-  /// registering their own AuthManager implementations.
+  /// \brief Register or override the factory for a given auth type.
   ///
-  /// \param auth_type The authentication type name (e.g., "custom").
-  /// \param factory The factory function to create the AuthManager.
-  static void Register(const std::string& auth_type, AuthManagerFactory factory);
-
- private:
-  /// \brief Get the global registry of auth manager factories.
-  static std::unordered_map<std::string, AuthManagerFactory>& GetRegistry();
+  /// \param auth_type Case-insensitive type identifier (e.g., "basic").
+  /// \param factory Factory function that produces the manager.
+  static void Register(std::string_view auth_type, AuthManagerFactory factory);
 };
 
 }  // namespace iceberg::rest::auth

src/iceberg/catalog/rest/auth/auth_properties.h

@@ -33,49 +33,34 @@ namespace iceberg::rest::auth {
 struct AuthProperties {
   /// \brief Property key for specifying the authentication type.
   static constexpr std::string_view kAuthType = "rest.auth.type";
-
   /// \brief Authentication type: no authentication.
   static constexpr std::string_view kAuthTypeNone = "none";
-
   /// \brief Authentication type: HTTP Basic authentication.
   static constexpr std::string_view kAuthTypeBasic = "basic";
-
   /// \brief Authentication type: OAuth2 authentication.
   static constexpr std::string_view kAuthTypeOAuth2 = "oauth2";
-
   /// \brief Authentication type: AWS SigV4 authentication.
   static constexpr std::string_view kAuthTypeSigV4 = "sigv4";
-
   /// \brief Property key for Basic auth username.
   static constexpr std::string_view kBasicUsername = "rest.auth.basic.username";
-
   /// \brief Property key for Basic auth password.
   static constexpr std::string_view kBasicPassword = "rest.auth.basic.password";
-
   /// \brief Property key for OAuth2 token (bearer token).
   static constexpr std::string_view kOAuth2Token = "token";
-
   /// \brief Property key for OAuth2 credential (client_id:client_secret).
   static constexpr std::string_view kOAuth2Credential = "credential";
-
   /// \brief Property key for OAuth2 scope.
   static constexpr std::string_view kOAuth2Scope = "scope";
-
   /// \brief Property key for OAuth2 server URI.
   static constexpr std::string_view kOAuth2ServerUri = "oauth2-server-uri";
-
   /// \brief Property key for enabling token refresh.
   static constexpr std::string_view kOAuth2TokenRefreshEnabled = "token-refresh-enabled";
-
   /// \brief Default OAuth2 scope for catalog operations.
   static constexpr std::string_view kOAuth2DefaultScope = "catalog";
-
   /// \brief Property key for SigV4 region.
   static constexpr std::string_view kSigV4Region = "rest.auth.sigv4.region";
-
   /// \brief Property key for SigV4 service name.
   static constexpr std::string_view kSigV4Service = "rest.auth.sigv4.service";
-
   /// \brief Property key for SigV4 delegate auth type.
   static constexpr std::string_view kSigV4DelegateAuthType =
       "rest.auth.sigv4.delegate-auth-type";