Auth Manager API part 4: RESTClient, HTTPClient

aws/src/main/java/org/apache/iceberg/aws/s3/VendedCredentialsProvider.java

@@ -26,7 +26,9 @@
 import org.apache.iceberg.relocated.com.google.common.base.Preconditions;
 import org.apache.iceberg.rest.ErrorHandlers;
 import org.apache.iceberg.rest.HTTPClient;
+import org.apache.iceberg.rest.HTTPHeaders;
 import org.apache.iceberg.rest.RESTClient;
+import org.apache.iceberg.rest.auth.DefaultAuthSession;
 import org.apache.iceberg.rest.auth.OAuth2Properties;
 import org.apache.iceberg.rest.auth.OAuth2Util;
 import org.apache.iceberg.rest.credentials.Credential;
@@ -74,7 +76,14 @@ private RESTClient httpClient() {
     if (null == client) {
       synchronized (this) {
         if (null == client) {
-          client = HTTPClient.builder(properties).uri(properties.get(URI)).build();
+          DefaultAuthSession authSession =
+              DefaultAuthSession.of(
+                  HTTPHeaders.of(OAuth2Util.authHeaders(properties.get(OAuth2Properties.TOKEN))));
+          client =
+              HTTPClient.builder(properties)
+                  .uri(properties.get(URI))
+                  .withAuthSession(authSession)
+                  .build();
         }
       }
     }
@@ -88,7 +97,7 @@ private LoadCredentialsResponse fetchCredentials() {
             properties.get(URI),
             null,
             LoadCredentialsResponse.class,
-            OAuth2Util.authHeaders(properties.get(OAuth2Properties.TOKEN)),
+            Map.of(),
             ErrorHandlers.defaultErrorHandler());
   }
 

aws/src/main/java/org/apache/iceberg/aws/s3/signer/S3V4RestSignerClient.java

@@ -206,21 +206,26 @@ private AuthSession authSession() {
       return authSessionCache()
           .get(
               token,
-              id ->
-                  AuthSession.fromAccessToken(
-                      httpClient(),
-                      tokenRefreshExecutor(),
-                      token,
-                      expiresAtMillis(properties()),
-                      new AuthSession(
-                          ImmutableMap.of(),
-                          AuthConfig.builder()
-                              .token(token)
-                              .credential(credential())
-                              .scope(SCOPE)
-                              .oauth2ServerUri(oauth2ServerUri())
-                              .optionalOAuthParams(optionalOAuthParams())
-                              .build())));
+              id -> {
+                // this client will be reused for token refreshes; it must contain an empty auth
+                // session in order to avoid interfering with refreshed tokens
+                RESTClient refreshClient =
+                    httpClient().withAuthSession(org.apache.iceberg.rest.auth.AuthSession.EMPTY);
+                return AuthSession.fromAccessToken(
+                    refreshClient,
+                    tokenRefreshExecutor(),
+                    token,
+                    expiresAtMillis(properties()),
+                    new AuthSession(
+                        ImmutableMap.of(),
+                        AuthConfig.builder()
+                            .token(token)
+                            .credential(credential())
+                            .scope(SCOPE)
+                            .oauth2ServerUri(oauth2ServerUri())
+                            .optionalOAuthParams(optionalOAuthParams())
+                            .build()));
+              });
     }
 
     if (credentialProvided()) {
@@ -238,16 +243,20 @@ private AuthSession authSession() {
                             .optionalOAuthParams(optionalOAuthParams())
                             .build());
                 long startTimeMillis = System.currentTimeMillis();
+                // this client will be reused for token refreshes; it must contain an empty auth
+                // session in order to avoid interfering with refreshed tokens
+                RESTClient refreshClient =
+                    httpClient().withAuthSession(org.apache.iceberg.rest.auth.AuthSession.EMPTY);
                 OAuthTokenResponse authResponse =
                     OAuth2Util.fetchToken(
-                        httpClient(),
+                        refreshClient,
                         session.headers(),
                         credential(),
                         SCOPE,
                         oauth2ServerUri(),
                         optionalOAuthParams());
                 return AuthSession.fromTokenResponse(
-                    httpClient(), tokenRefreshExecutor(), authResponse, startTimeMillis, session);
+                    refreshClient, tokenRefreshExecutor(), authResponse, startTimeMillis, session);
               });
     }
 
@@ -338,11 +347,12 @@ public SdkHttpFullRequest sign(
       Consumer<Map<String, String>> responseHeadersConsumer = responseHeaders::putAll;
       S3SignResponse s3SignResponse =
           httpClient()
+              .withAuthSession(authSession())
               .post(
                   endpoint(),
                   remoteSigningRequest,
                   S3SignResponse.class,
-                  () -> authSession().headers(),
+                  Map.of(),
                   ErrorHandlers.defaultErrorHandler(),
                   responseHeadersConsumer);
 

aws/src/test/java/org/apache/iceberg/aws/TestRESTSigV4Signer.java

@@ -27,6 +27,7 @@
 import org.apache.iceberg.relocated.com.google.common.collect.ImmutableMap;
 import org.apache.iceberg.relocated.com.google.common.collect.Maps;
 import org.apache.iceberg.rest.HTTPClient;
+import org.apache.iceberg.rest.auth.AuthSession;
 import org.apache.iceberg.rest.auth.OAuth2Util;
 import org.apache.iceberg.rest.responses.ConfigResponse;
 import org.apache.iceberg.rest.responses.OAuthTokenResponse;
@@ -64,6 +65,7 @@ public static void beforeClass() {
         HTTPClient.builder(properties)
             .uri("http://localhost:" + mockServer.getLocalPort())
             .withHeader(HttpHeaders.AUTHORIZATION, "Bearer existing_token")
+            .withAuthSession(AuthSession.EMPTY)
             .build();
   }
 

core/src/main/java/org/apache/iceberg/rest/BaseHTTPClient.java

@@ -0,0 +1,126 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.iceberg.rest;
+
+import java.util.Map;
+import java.util.function.Consumer;
+import org.apache.iceberg.rest.HTTPRequest.HTTPMethod;
+import org.apache.iceberg.rest.auth.AuthSession;
+import org.apache.iceberg.rest.responses.ErrorResponse;
+
+/**
+ * A base class for {@link RESTClient} implementations.
+ *
+ * <p>All methods in {@link RESTClient} are implemented in the same way: first, an {@link
+ * HTTPRequest} is {@linkplain #buildRequest(HTTPMethod, String, Map, Map, Object) built from the
+ * method arguments}, then {@linkplain #execute(HTTPRequest, Class, Consumer, Consumer) executed}.
+ *
+ * <p>This allows subclasses to provide a consistent way to execute all requests, regardless of the
+ * method or arguments.
+ */
+public abstract class BaseHTTPClient implements RESTClient {
+
+  @Override
+  public abstract RESTClient withAuthSession(AuthSession session);
+
+  @Override
+  public void head(String path, Map<String, String> headers, Consumer<ErrorResponse> errorHandler) {
+    HTTPRequest request = buildRequest(HTTPMethod.HEAD, path, null, headers, null);
+    execute(request, null, errorHandler, h -> {});
+  }
+
+  @Override
+  public <T extends RESTResponse> T delete(
+      String path,
+      Class<T> responseType,
+      Map<String, String> headers,
+      Consumer<ErrorResponse> errorHandler) {
+    HTTPRequest request = buildRequest(HTTPMethod.DELETE, path, null, headers, null);
+    return execute(request, responseType, errorHandler, h -> {});
+  }
+
+  @Override
+  public <T extends RESTResponse> T delete(
+      String path,
+      Map<String, String> queryParams,
+      Class<T> responseType,
+      Map<String, String> headers,
+      Consumer<ErrorResponse> errorHandler) {
+    HTTPRequest request = buildRequest(HTTPMethod.DELETE, path, queryParams, headers, null);
+    return execute(request, responseType, errorHandler, h -> {});
+  }
+
+  @Override
+  public <T extends RESTResponse> T get(
+      String path,
+      Map<String, String> queryParams,
+      Class<T> responseType,
+      Map<String, String> headers,
+      Consumer<ErrorResponse> errorHandler) {
+    HTTPRequest request = buildRequest(HTTPMethod.GET, path, queryParams, headers, null);
+    return execute(request, responseType, errorHandler, h -> {});
+  }
+
+  @Override
+  public <T extends RESTResponse> T post(
+      String path,
+      RESTRequest body,
+      Class<T> responseType,
+      Map<String, String> headers,
+      Consumer<ErrorResponse> errorHandler) {
+    HTTPRequest request = buildRequest(HTTPMethod.POST, path, null, headers, body);
+    return execute(request, responseType, errorHandler, h -> {});
+  }
+
+  @Override
+  public <T extends RESTResponse> T post(
+      String path,
+      RESTRequest body,
+      Class<T> responseType,
+      Map<String, String> headers,
+      Consumer<ErrorResponse> errorHandler,
+      Consumer<Map<String, String>> responseHeaders) {
+    HTTPRequest request = buildRequest(HTTPMethod.POST, path, null, headers, body);
+    return execute(request, responseType, errorHandler, responseHeaders);
+  }
+
+  @Override
+  public <T extends RESTResponse> T postForm(
+      String path,
+      Map<String, String> formData,
+      Class<T> responseType,
+      Map<String, String> headers,
+      Consumer<ErrorResponse> errorHandler) {
+    HTTPRequest request = buildRequest(HTTPMethod.POST, path, null, headers, formData);
+    return execute(request, responseType, errorHandler, h -> {});
+  }
+
+  protected abstract HTTPRequest buildRequest(
+      HTTPMethod method,
+      String path,
+      Map<String, String> queryParams,
+      Map<String, String> headers,
+      Object body);
+
+  protected abstract <T extends RESTResponse> T execute(
+      HTTPRequest request,
+      Class<T> responseType,
+      Consumer<ErrorResponse> errorHandler,
+      Consumer<Map<String, String>> responseHeaders);
+}