remove oauth2manager to separate PR

Author: sungwy

mkdocs/docs/configuration.md

@@ -382,7 +382,6 @@ The RESTCatalog supports pluggable authentication via the `auth` configuration b
 
 - `noop`: No authentication (no Authorization header sent).
 - `basic`: HTTP Basic authentication.
-- `oauth2`: OAuth2 client credentials flow.
 - `legacyoauth2`: Legacy OAuth2 client credentials flow (Deprecated and will be removed in PyIceberg 1.0.0)
 - `custom`: Custom authentication manager (requires `auth.impl`).
 
@@ -406,10 +405,9 @@ catalog:
 
 | Property         | Required | Description                                                                                     |
 |------------------|----------|-------------------------------------------------------------------------------------------------|
-| `auth.type`      | Yes      | The authentication type to use (`noop`, `basic`, `oauth2`, or `custom`).                       |
+| `auth.type`      | Yes      | The authentication type to use (`noop`, `basic`, or `custom`).                       |
 | `auth.impl`      | Conditionally | The fully qualified class path for a custom AuthManager. Required if `auth.type` is `custom`. |
 | `auth.basic`     | If type is `basic` | Block containing `username` and `password` for HTTP Basic authentication.           |
-| `auth.oauth2`    | If type is `oauth2` | Block containing OAuth2 configuration (see below).                                 |
 | `auth.custom`    | If type is `custom` | Block containing configuration for the custom AuthManager.                          |
 
 ##### Examples
@@ -431,20 +429,6 @@ auth:
     password: mypass
 ```
 
-**OAuth2 Authentication:**
-
-```yaml
-auth:
-  type: oauth2
-  oauth2:
-    client_id: my-client-id
-    client_secret: my-client-secret
-    token_url: https://auth.example.com/oauth/token
-    scope: read
-    refresh_margin: 60         # (optional) seconds before expiry to refresh
-    expires_in: 3600           # (optional) fallback if server does not provide
-```
-
 **Custom Authentication:**
 
 ```yaml
@@ -460,7 +444,7 @@ auth:
 
 - If `auth.type` is `custom`, you **must** specify `auth.impl` with the full class path to your custom AuthManager.
 - If `auth.type` is not `custom`, specifying `auth.impl` is not allowed.
-- The configuration block under each type (e.g., `basic`, `oauth2`, `custom`) is passed as keyword arguments to the corresponding AuthManager.
+- The configuration block under each type (e.g., `basic`, `custom`) is passed as keyword arguments to the corresponding AuthManager.
 
 ### SQL Catalog
 

pyiceberg/catalog/rest/auth.py

@@ -17,12 +17,9 @@
 
 import base64
 import importlib
-import threading
-import time
 from abc import ABC, abstractmethod
 from typing import Any, Dict, Optional, Type
 
-import requests
 from requests import HTTPError, PreparedRequest, Session
 from requests.auth import AuthBase
 
@@ -122,95 +119,6 @@ def auth_header(self) -> str:
         return f"Bearer {self._token}"
 
 
-class OAuth2TokenProvider:
-    """Thread-safe OAuth2 token provider with token refresh support."""
-
-    client_id: str
-    client_secret: str
-    token_url: str
-    scope: Optional[str]
-    refresh_margin: int
-    expires_in: Optional[int]
-
-    _token: Optional[str]
-    _expires_at: int
-    _lock: threading.Lock
-
-    def __init__(
-        self,
-        client_id: str,
-        client_secret: str,
-        token_url: str,
-        scope: Optional[str] = None,
-        refresh_margin: int = 60,
-        expires_in: Optional[int] = None,
-    ):
-        self.client_id = client_id
-        self.client_secret = client_secret
-        self.token_url = token_url
-        self.scope = scope
-        self.refresh_margin = refresh_margin
-        self.expires_in = expires_in
-
-        self._token = None
-        self._expires_at = 0
-        self._lock = threading.Lock()
-
-    def _refresh_token(self) -> None:
-        data = {
-            "grant_type": "client_credentials",
-            "client_id": self.client_id,
-            "client_secret": self.client_secret,
-        }
-        if self.scope:
-            data["scope"] = self.scope
-
-        response = requests.post(self.token_url, data=data)
-        response.raise_for_status()
-        result = response.json()
-
-        self._token = result["access_token"]
-        expires_in = result.get("expires_in", self.expires_in)
-        if expires_in is None:
-            raise ValueError(
-                "The expiration time of the Token must be provided by the Server in the Access Token Response in `expired_in` field, or by the PyIceberg Client."
-            )
-        self._expires_at = time.time() + expires_in - self.refresh_margin
-
-    def get_token(self) -> str:
-        with self._lock:
-            if not self._token or time.time() >= self._expires_at:
-                self._refresh_token()
-            if self._token is None:
-                raise ValueError("Authorization token is None after refresh")
-            return self._token
-
-
-class OAuth2AuthManager(AuthManager):
-    """Auth Manager implementation that supports OAuth2 as defined in IETF RFC6749."""
-
-    def __init__(
-        self,
-        client_id: str,
-        client_secret: str,
-        token_url: str,
-        scope: Optional[str] = None,
-        refresh_margin: int = 60,
-        expires_in: Optional[int] = None,
-    ):
-        self.token_provider = OAuth2TokenProvider(
-            client_id,
-            client_secret,
-            token_url,
-            scope,
-            refresh_margin,
-            expires_in,
-        )
-
-    def auth_header(self) -> str:
-        return f"Bearer {self.token_provider.get_token()}"
-
-
 class AuthManagerAdapter(AuthBase):
     """A `requests.auth.AuthBase` adapter that integrates an `AuthManager` into a `requests.Session` to automatically attach the appropriate Authorization header to every request.
 
@@ -289,4 +197,3 @@ def create(cls, class_or_name: str, config: Dict[str, Any]) -> AuthManager:
 AuthManagerFactory.register("noop", NoopAuthManager)
 AuthManagerFactory.register("basic", BasicAuthManager)
 AuthManagerFactory.register("legacyoauth2", LegacyOAuth2AuthManager)
-AuthManagerFactory.register("oauth2", OAuth2AuthManager)

tests/catalog/test_rest.py

@@ -1519,21 +1519,26 @@ def test_request_session_with_ssl_client_cert() -> None:
     assert "Could not find the TLS certificate file, invalid path: path_to_client_cert" in str(e.value)
 
 
-def test_rest_catalog_with_basic_auth_type() -> None:
+def test_rest_catalog_with_basic_auth_type(rest_mock: Mocker) -> None:
+    # Given
+    rest_mock.get(
+        f"{TEST_URI}v1/config",
+        json={"defaults": {}, "overrides": {}},
+        status_code=200,
+    )
     # Given
     catalog_properties = {
         "uri": TEST_URI,
         "auth": {
             "type": "basic",
             "basic": {
                 "username": "one",
+                "password": "two",
             },
         },
     }
-    with pytest.raises(TypeError) as e:
-        # Missing namespace
-        RestCatalog("rest", **catalog_properties)  # type: ignore
-    assert "__init__() missing 1 required positional argument: 'password'" in str(e.value)
+    catalog = RestCatalog("rest", **catalog_properties)  # type: ignore
+    assert catalog.uri == TEST_URI
 
 
 def test_rest_catalog_with_custom_auth_type() -> None:
@@ -1555,6 +1560,28 @@ def test_rest_catalog_with_custom_auth_type() -> None:
     assert "Could not load AuthManager class for 'dummy.nonexistent.package'" in str(e.value)
 
 
+def test_rest_catalog_with_custom_basic_auth_type(rest_mock: Mocker) -> None:
+    # Given
+    catalog_properties = {
+        "uri": TEST_URI,
+        "auth": {
+            "type": "custom",
+            "impl": "pyiceberg.catalog.rest.auth.BasicAuthManager",
+            "custom": {
+                "username": "one",
+                "password": "two",
+            },
+        },
+    }
+    rest_mock.get(
+        f"{TEST_URI}v1/config",
+        json={"defaults": {}, "overrides": {}},
+        status_code=200,
+    )
+    catalog = RestCatalog("rest", **catalog_properties)  # type: ignore
+    assert catalog.uri == TEST_URI
+
+
 def test_rest_catalog_with_custom_auth_type_no_impl() -> None:
     # Given
     catalog_properties = {
@@ -1578,11 +1605,11 @@ def test_rest_catalog_with_non_custom_auth_type_impl() -> None:
     catalog_properties = {
         "uri": TEST_URI,
         "auth": {
-            "type": "oauth2",
-            "impl": "oauth2.package",
-            "oauth2": {
-                "property1": "one",
-                "property2": "two",
+            "type": "basic",
+            "impl": "basic.package",
+            "basic": {
+                "username": "one",
+                "password": "two",
             },
         },
     }
@@ -1610,40 +1637,6 @@ def test_rest_catalog_with_unsupported_auth_type() -> None:
     assert "Could not load AuthManager class for 'unsupported'" in str(e.value)
 
 
-def test_rest_catalog_with_oauth2_auth_type(requests_mock: Mocker) -> None:
-    requests_mock.post(
-        f"{TEST_URI}oauth2/token",
-        json={
-            "access_token": "MTQ0NjJkZmQ5OTM2NDE1ZTZjNGZmZjI3",
-            "token_type": "Bearer",
-            "expires_in": 3600,
-            "refresh_token": "IwOGYzYTlmM2YxOTQ5MGE3YmNmMDFkNTVk",
-            "scope": "read",
-        },
-        status_code=200,
-    )
-    requests_mock.get(
-        f"{TEST_URI}v1/config",
-        json={"defaults": {}, "overrides": {}},
-        status_code=200,
-    )
-    # Given
-    catalog_properties = {
-        "uri": TEST_URI,
-        "auth": {
-            "type": "oauth2",
-            "oauth2": {
-                "client_id": "some_client_id",
-                "client_secret": "some_client_secret",
-                "token_url": f"{TEST_URI}oauth2/token",
-                "scope": "read",
-            },
-        },
-    }
-    catalog = RestCatalog("rest", **catalog_properties)  # type: ignore
-    assert catalog.uri == TEST_URI
-
-
 EXAMPLE_ENV = {"PYICEBERG_CATALOG__PRODUCTION__URI": TEST_URI}