feat(auth): implement SigV4 authentication for REST catalog

.github/workflows/cpp-linter.yml

@@ -37,14 +37,26 @@ jobs:
         uses: actions/checkout@v6
       - name: Install dependencies
         shell: bash
-        run: sudo apt-get update && sudo apt-get install -y libcurl4-openssl-dev
+        run: sudo apt-get update && sudo apt-get install -y libcurl4-openssl-dev ninja-build
+      - name: Cache vcpkg packages
+        uses: actions/cache@v4
+        id: vcpkg-cache
+        with:
+          path: /usr/local/share/vcpkg/installed
+          key: vcpkg-x64-linux-aws-sdk-cpp-core-${{ hashFiles('.github/workflows/cpp-linter.yml') }}
+      - name: Install AWS SDK via vcpkg
+        if: steps.vcpkg-cache.outputs.cache-hit != 'true'
+        shell: bash
+        run: vcpkg install aws-sdk-cpp[core]:x64-linux
       - name: Run build
         env:
           CC: gcc-14
           CXX: g++-14
         run: |
           mkdir build && cd build
-          cmake .. -G Ninja -DCMAKE_EXPORT_COMPILE_COMMANDS=ON
+          cmake .. -G Ninja -DCMAKE_EXPORT_COMPILE_COMMANDS=ON \
+            -DICEBERG_BUILD_SIGV4=ON \
+            -DCMAKE_TOOLCHAIN_FILE=/usr/local/share/vcpkg/scripts/buildsystems/vcpkg.cmake
           cmake --build .
       - uses: cpp-linter/cpp-linter-action@0f6d1b8d7e38b584cbee606eb23d850c217d54f8
         id: linter

CMakeLists.txt

@@ -45,6 +45,7 @@ option(ICEBERG_BUILD_TESTS "Build tests" ON)
 option(ICEBERG_BUILD_BUNDLE "Build the battery included library" ON)
 option(ICEBERG_BUILD_REST "Build rest catalog client" ON)
 option(ICEBERG_BUILD_REST_INTEGRATION_TESTS "Build rest catalog integration tests" OFF)
+option(ICEBERG_BUILD_SIGV4 "Build SigV4 authentication support (requires AWS SDK)" OFF)
 option(ICEBERG_ENABLE_ASAN "Enable Address Sanitizer" OFF)
 option(ICEBERG_ENABLE_UBSAN "Enable Undefined Behavior Sanitizer" OFF)
 

cmake_modules/IcebergThirdpartyToolchain.cmake

@@ -531,3 +531,21 @@ endif()
 if(ICEBERG_BUILD_REST)
   resolve_cpr_dependency()
 endif()
+
+# ----------------------------------------------------------------------
+# AWS SDK for C++
+
+function(resolve_aws_sdk_dependency)
+  find_package(AWSSDK REQUIRED COMPONENTS core)
+  list(APPEND ICEBERG_SYSTEM_DEPENDENCIES AWSSDK)
+  set(ICEBERG_SYSTEM_DEPENDENCIES
+      ${ICEBERG_SYSTEM_DEPENDENCIES}
+      PARENT_SCOPE)
+endfunction()
+
+if(ICEBERG_BUILD_SIGV4)
+  if(NOT ICEBERG_BUILD_REST)
+    message(FATAL_ERROR "ICEBERG_BUILD_SIGV4 requires ICEBERG_BUILD_REST to be ON")
+  endif()
+  resolve_aws_sdk_dependency()
+endif()

meson.options

@@ -44,4 +44,11 @@ option(
     value: 'disabled',
 )
 
+option(
+    'sigv4',
+    type: 'feature',
+    description: 'Build AWS SigV4 authentication support for rest catalog',
+    value: 'disabled',
+)
+
 option('tests', type: 'feature', description: 'Build tests', value: 'enabled')

src/iceberg/catalog/rest/CMakeLists.txt

@@ -33,6 +33,10 @@ set(ICEBERG_REST_SOURCES
     rest_util.cc
     types.cc)
 
+if(ICEBERG_BUILD_SIGV4)
+  list(APPEND ICEBERG_REST_SOURCES auth/sigv4_auth_manager.cc)
+endif()
+
 set(ICEBERG_REST_STATIC_BUILD_INTERFACE_LIBS)
 set(ICEBERG_REST_SHARED_BUILD_INTERFACE_LIBS)
 set(ICEBERG_REST_STATIC_INSTALL_INTERFACE_LIBS)
@@ -51,6 +55,13 @@ list(APPEND
      "$<IF:$<TARGET_EXISTS:iceberg::iceberg_shared>,iceberg::iceberg_shared,iceberg::iceberg_static>"
      "$<IF:$<BOOL:${CPR_VENDORED}>,iceberg::cpr,cpr::cpr>")
 
+if(ICEBERG_BUILD_SIGV4)
+  list(APPEND ICEBERG_REST_STATIC_BUILD_INTERFACE_LIBS aws-cpp-sdk-core)
+  list(APPEND ICEBERG_REST_SHARED_BUILD_INTERFACE_LIBS aws-cpp-sdk-core)
+  list(APPEND ICEBERG_REST_STATIC_INSTALL_INTERFACE_LIBS aws-cpp-sdk-core)
+  list(APPEND ICEBERG_REST_SHARED_INSTALL_INTERFACE_LIBS aws-cpp-sdk-core)
+endif()
+
 add_iceberg_lib(iceberg_rest
                 SOURCES
                 ${ICEBERG_REST_SOURCES}
@@ -63,4 +74,12 @@ add_iceberg_lib(iceberg_rest
                 SHARED_INSTALL_INTERFACE_LIBS
                 ${ICEBERG_REST_SHARED_INSTALL_INTERFACE_LIBS})
 
+if(ICEBERG_BUILD_SIGV4)
+  foreach(LIB iceberg_rest_static iceberg_rest_shared)
+    if(TARGET ${LIB})
+      target_compile_definitions(${LIB} PUBLIC ICEBERG_BUILD_SIGV4)
+    endif()
+  endforeach()
+endif()
+
 iceberg_install_all_headers(iceberg/catalog/rest)

src/iceberg/catalog/rest/auth/auth_manager_internal.h

@@ -47,4 +47,11 @@ Result<std::unique_ptr<AuthManager>> MakeOAuth2Manager(
     std::string_view name,
     const std::unordered_map<std::string, std::string>& properties);
 
+#ifdef ICEBERG_BUILD_SIGV4
+/// \brief Create a SigV4 authentication manager with a delegate.
+Result<std::unique_ptr<AuthManager>> MakeSigV4AuthManager(
+    std::string_view name,
+    const std::unordered_map<std::string, std::string>& properties);
+#endif
+
 }  // namespace iceberg::rest::auth

src/iceberg/catalog/rest/auth/auth_managers.cc

@@ -62,11 +62,15 @@ std::string InferAuthType(
 }
 
 AuthManagerRegistry CreateDefaultRegistry() {
-  return {
+  AuthManagerRegistry registry = {
       {AuthProperties::kAuthTypeNone, MakeNoopAuthManager},
       {AuthProperties::kAuthTypeBasic, MakeBasicAuthManager},
       {AuthProperties::kAuthTypeOAuth2, MakeOAuth2Manager},
   };
+#ifdef ICEBERG_BUILD_SIGV4
+  registry[AuthProperties::kAuthTypeSigV4] = MakeSigV4AuthManager;
+#endif
+  return registry;
 }
 
 // Get the global registry of auth manager factories.

src/iceberg/catalog/rest/auth/auth_properties.h

@@ -54,10 +54,14 @@ class ICEBERG_REST_EXPORT AuthProperties : public ConfigBase<AuthProperties> {
 
   // ---- SigV4 entries ----
 
-  inline static const std::string kSigV4Region = "rest.auth.sigv4.region";
-  inline static const std::string kSigV4Service = "rest.auth.sigv4.service";
   inline static const std::string kSigV4DelegateAuthType =
       "rest.auth.sigv4.delegate-auth-type";
+  inline static const std::string kSigV4SigningRegion = "rest.signing-region";
+  inline static const std::string kSigV4SigningName = "rest.signing-name";
+  inline static const std::string kSigV4SigningNameDefault = "execute-api";
+  inline static const std::string kSigV4AccessKeyId = "rest.access-key-id";
+  inline static const std::string kSigV4SecretAccessKey = "rest.secret-access-key";
+  inline static const std::string kSigV4SessionToken = "rest.session-token";
 
   // ---- OAuth2 entries ----
 

src/iceberg/catalog/rest/auth/auth_session.cc

@@ -33,11 +33,12 @@ class DefaultAuthSession : public AuthSession {
   explicit DefaultAuthSession(std::unordered_map<std::string, std::string> headers)
       : headers_(std::move(headers)) {}
 
-  Status Authenticate(std::unordered_map<std::string, std::string>& headers) override {
+  Result<HTTPRequest> Authenticate(const HTTPRequest& request) override {
+    HTTPRequest authenticated = request;
     for (const auto& [key, value] : headers_) {
-      headers.try_emplace(key, value);
+      authenticated.headers.try_emplace(key, value);
     }
-    return {};
+    return authenticated;
   }
 
  private:

src/iceberg/catalog/rest/auth/auth_session.h

@@ -23,6 +23,7 @@
 #include <string>
 #include <unordered_map>
 
+#include "iceberg/catalog/rest/endpoint.h"
 #include "iceberg/catalog/rest/iceberg_rest_export.h"
 #include "iceberg/catalog/rest/type_fwd.h"
 #include "iceberg/result.h"
@@ -32,25 +33,37 @@
 
 namespace iceberg::rest::auth {
 
+/// \brief An outgoing HTTP request passed through an AuthSession. Mirrors the
+/// HTTPRequest type used by the Java reference implementation so signing
+/// implementations like SigV4 can operate on method, url, headers, and body
+/// as a single value.
+struct ICEBERG_REST_EXPORT HTTPRequest {
+  HttpMethod method = HttpMethod::kGet;
+  std::string url;
+  std::unordered_map<std::string, std::string> headers;
+  std::string body;
+};
+
 /// \brief An authentication session that can authenticate outgoing HTTP requests.
 class ICEBERG_REST_EXPORT AuthSession {
  public:
   virtual ~AuthSession() = default;
 
-  /// \brief Authenticate the given request headers.
+  /// \brief Authenticate an outgoing HTTP request.
   ///
-  /// This method adds authentication information (e.g., Authorization header)
-  /// to the provided headers map. The implementation should be idempotent.
+  /// Returns a new request with authentication information (e.g., an
+  /// Authorization header) added. Implementations must be idempotent and must
+  /// not mutate the input request.
   ///
-  /// \param[in,out] headers The headers map to add authentication information to.
-  /// \return Status indicating success or one of the following errors:
+  /// \param request The request to authenticate.
+  /// \return The authenticated request on success, or one of:
   ///         - AuthenticationFailed: General authentication failure (invalid credentials,
   ///         etc.)
   ///         - TokenExpired: Authentication token has expired and needs refresh
   ///         - NotAuthorized: Not authenticated (401)
   ///         - IOError: Network or connection errors when reaching auth server
   ///         - RestError: HTTP errors from authentication service
-  virtual Status Authenticate(std::unordered_map<std::string, std::string>& headers) = 0;
+  virtual Result<HTTPRequest> Authenticate(const HTTPRequest& request) = 0;
 
   /// \brief Close the session and release any resources.
   ///