o szBasicAuthManager.__init__rcC d|jS)NBasic r#rrrrrB zBasicAuthManager.auth_headerN)rrrrrr%rrrrrr;src @seZdZUdZeed<edBed<edBed<edBed<eeefdBed<    dded edBd edBd edBd eeefdBf d dZd edefddZ dddZ defddZ dS)LegacyOAuth2AuthManagerzLegacy OAuth2 AuthManager implementation. This class exists for backward compatibility, and will be removed in PyIceberg 1.0.0 in favor of OAuth2AuthManager. _sessionN _auth_urlr# _credential_optional_oauth_paramssessionauth_url credential initial_tokenoptional_oauth_paramscCs*||_||_||_||_||_|dSr)r+r,r#r-r._refresh_token)rr/r0r1r2r3rrrr%Ss  z LegacyOAuth2AuthManager.__init__rc Cst|vr|jtdd\}}nd|}}d||d}|jr"||j|jdur+td|jj|j|i|jjddid}z| Wnt y]}zt |t t d WYd}~nd}~wwt |jjS) N)maxsplitclient_credentials) grant_type client_id client_secretz1Cannot fetch access token from undefined auth_urlz Content-typez!application/x-www-form-urlencoded)urldataheaders)ii)COLONsplitr.updater, ValueErrorr+postr=raise_for_statusrr r r model_validate_jsontext access_token)rr1r9r:r<responseexcrrr_fetch_access_tokenbs$     z+LegacyOAuth2AuthManager._fetch_access_tokencCs |jdur||j|_dSdSr)r-rIr#rrrrr4zs z&LegacyOAuth2AuthManager._refresh_tokencCr&NBearer r(rrrrr~r)z#LegacyOAuth2AuthManager.auth_header)NNNNrN) rrrrr__annotations__rdictr%rIr4rrrrrr*Fs2      r*c@seZdZUdZeed<eed<eed<edBed<eed<edBed<edBed <eed <ejed <  ddededededBdededBf d dZ e defddZ dddZ defddZ dS)OAuth2TokenProviderz=Thread-safe OAuth2 token provider with token refresh support.r9r: token_urlNscoperefresh_margin expires_inr# _expires_at_lock<cCs>||_||_||_||_||_||_d|_d|_t |_ dS)Nr) r9r:rPrQrRrSr#rT threadingLockrUrr9r:rPrQrRrSrrrr%s zOAuth2TokenProvider.__init__rcCs6|jd|j}|d}t|d}d|S)Nr zutf-8r')r9r:r!rr r")rcreds creds_bytes b64_credsrrr_client_secret_headers  z)OAuth2TokenProvider._client_secret_headercCsddi}|jr |j|d<tj|j|d|jid}||}|d|_|d|j }|dur4t dt ||j |_dS) Nr8r7rQ Authorization)r<r=rFrSzThe expiration time of the Token must be provided by the Server in the Access Token Response in `expires_in` field, or by the PyIceberg Client.)rQrequestsrBrPr]rCjsonr#getrSrAtime monotonicrRrT)rr<rGresultrSrrrr4s  z"OAuth2TokenProvider._refresh_tokencCs^|j"|jrt|jkr||jdurtd|jWdS1s(wYdS)Nz)Authorization token is None after refresh)rUr#rbrcrTr4rArrrr get_tokens $zOAuth2TokenProvider.get_tokenNrVNrL)rrrrrrMintrWrXr%rr]r4rerrrrrOs>       rOc@sPeZdZdZ   ddededededBded edBf d d Zd efd dZdS)OAuth2AuthManagerzLAuth Manager implementation that supports OAuth2 as defined in IETF RFC6749.NrVr9r:rPrQrRrScCst|||||||_dSr)rOtoken_providerrYrrrr%s  zOAuth2AuthManager.__init__rcCsd|jSrJ)rirerrrrrszOAuth2AuthManager.auth_headerrf)rrrrrrgr%rrrrrrhs& rhc@s>eZdZdZd dedBdeedBfddZdefdd ZdS) GoogleAuthManagerzDAn auth manager that is responsible for handling Google credentials.Ncredentials_pathscopesc Csz ddl}ddl}Wnty}ztd|d}~ww|r*|jj||d\|_}ntd|jj|d\|_}|jj j |_ dS)z Initialize GoogleAuthManager. Args: credentials_path: Optional path to Google credentials JSON file. scopes: Optional list of OAuth2 scopes. rNz>Google Auth libraries not found. Please install 'google-auth'.)rlz,Using Google Default Application Credentials) google.authgoogle.auth.transport.requests ImportErrorauthload_credentials_from_filer$loggerinfodefault transportr_Request _auth_request)rrkrlgooglee_rrrr%s   zGoogleAuthManager.__init__rcCs|j|jd|jjSrJ)r$refreshrwtokenrrrrrszGoogleAuthManager.auth_header)NN)rrrrrlistr%rrrrrrjs rjc@sXeZdZdZdZ ddeedBdefddZdd d Z defd d Z defd dZ dS)EntraAuthManageraAuth Manager implementation that supports Microsoft Entra ID (Azure AD) authentication. This manager uses the Azure Identity library's DefaultAzureCredential which automatically tries multiple authentication methods including environment variables, managed identity, and Azure CLI. See https://learn.microsoft.com/en-us/azure/developer/python/sdk/authentication/credential-chains for more details on DefaultAzureCredential. z"https://storage.azure.com/.defaultNrlcredential_kwargsc Kslzddlm}Wnty}ztd|d}~ww|p|jg|_t|_d|_d|_ |di||_ dS)a Initialize EntraAuthManager. Args: scopes: List of OAuth2 scopes. Defaults to ["https://storage.azure.com/.default"]. **credential_kwargs: Arguments passed to DefaultAzureCredential. Supported authentication methods: - Environment Variables: Set AZURE_TENANT_ID, AZURE_CLIENT_ID, AZURE_CLIENT_SECRET - Managed Identity: Works automatically on Azure; for user-assigned, pass managed_identity_client_id - Azure CLI: Works automatically if logged in via `az login` - Workload Identity: Works automatically in AKS with workload identity configured # codespell:ignore aks r)DefaultAzureCredentialzXAzure Identity library not found. Please install with: pip install pyiceberg[entra-auth]Nr) azure.identityrro DEFAULT_SCOPE_scopesrWrXrUr#rTr-)rrlrrryrrrr% s  zEntraAuthManager.__init__rcCs&|jj|j}|j|_|jd|_dS)z$Refresh the access token from Azure.rVN)r-rerr|r# expires_onrT)rr|rrrr4%szEntraAuthManager._refresh_tokencCs^|j"|jrt|jkr||jdurtd|jWdS1s(wYdS)z2Get a valid access token, refreshing if necessary.Nz#Failed to obtain Entra access token)rUr#rbrTr4rArrrr _get_token,s $zEntraAuthManager._get_tokencCsd|S)z@Return the Authorization header value with a valid Bearer token.rK)rrrrrr5szEntraAuthManager.auth_headerrrL) rrrrrr}rrr%r4rrrrrrr~s    r~c@s0eZdZdZdefddZdedefddZd S) AuthManagerAdapteraA `requests.auth.AuthBase` adapter for integrating an `AuthManager` into a `requests.Session`. This adapter automatically attaches the appropriate Authorization header to every request. This adapter is useful when working with `requests.Session.auth` and allows reuse of authentication strategies defined by `AuthManager`. This AuthManagerAdapter is only intended to be used against the REST Catalog Server that expects the Authorization Header. auth_managercCs ||_dS)z Initialize AuthManagerAdapter. Args: auth_manager (AuthManager): An instance of an AuthManager subclass. N)r)rrrrrr%Ds zAuthManagerAdapter.__init__requestrcCs|j}r ||jd<|S)a Modify the outgoing request to include the Authorization header. Args: request (requests.PreparedRequest): The HTTP request being prepared. Returns: requests.PreparedRequest: The modified request with Authorization header. r^)rrr=)rrrrrr__call__Ms zAuthManagerAdapter.__call__N)rrrrrr%rrrrrrr:s  rc@sfeZdZUiZeeedfed<edededddfddZ ed ed eee fde fd d Z dS) AuthManagerFactoryr _registrynameauth_manager_classrNcCs||j|<dS)a Register a string name to a known AuthManager class. Args: name (str): unique name like 'oauth2' to register the AuthManager with auth_manager_class (Type["AuthManager"]): Implementation of AuthManager Returns: None N)r)clsrrrrrregister_s zAuthManagerFactory.register class_or_nameconfigc Csx||jvr |j|}n*z|dd\}}t|}t||}Wnty4}z td|d|d}~ww|di|S)a{ Create an AuthManager by name or fully-qualified class path. Args: class_or_name (str): Either a name like 'oauth2' or a full class path like 'my.module.CustomAuthManager' config (Dict[str, Any]): Configuration passed to the AuthManager constructor Returns: AuthManager: An instantiated AuthManager subclass .r5z&Could not load AuthManager class for ''Nr)rrsplit importlib import_modulegetattr ExceptionrA)rrr manager_cls module_path class_namemoduleerrrrrcreatems  zAuthManagerFactory.create) rrrrrNrtyperM classmethodrrrrrrrrr\s  $rnoopbasic legacyoauth2oauth2rxentra)'rrloggingrWrbabcrr functoolsrtypingrr_rrr requests.authr pyiceberg.catalog.rest.responser r pyiceberg.exceptionsr AUTH_MANAGERr> getLoggerrrrrrrr*rOrhrjr~rrrrrrrs@       <D>" *