Update Tests and Readme

Author: MouhsinElmajdouby

ojdbc-provider-aws/README.md

@@ -230,7 +230,12 @@ Any valid secret name.
 <tr>
 <td><code>fieldName</code></td>
 <td>
-Optional key to extract a specific field from a JSON-formatted secret.
+The field inside the secret that contains the username.
+Use this parameter only when the secret is stored as a key-value pairs.
+If the secret contains multiple keys, this parameter specifies which key to extract.
+If the secret contains only one key and this parameter is not provided, that value is automatically used.
+If <code>fieldName</code> is provided but does not match any key, or if the secret is not structured as key/value pairs, an error is thrown.
+If the secret is plain text and <code>fieldName</code> is provided, an error is also thrown.
 <td>
 Key name in JSON
 </td>
@@ -275,8 +280,12 @@ Any valid secret name.
 <tr>
 <td><code>fieldName</code></td>
 <td>
-Optional key to extract a specific field from a JSON-formatted secret.
-<td>
+The field inside the secret that contains the password.
+Use this parameter only when the secret is structured as key-value pairs.
+If the secret contains multiple keys, this parameter specifies which key to extract.
+If the secret contains only one key and this parameter is not provided, that value is used automatically.
+If <code>fieldName</code> is provided but does not match any key, or if the secret is not structured as key-value pairs, an error is thrown.
+If the secret is stored as plain text and <code>fieldName</code> is provided, an error is also thrown.<td>
 Key name in JSON
 </td>
 <td>
@@ -329,17 +338,6 @@ Any valid secret name.
 </td>
 </tr>
 <tr>
-<td><code>fieldName</code></td>
-<td>
-Optional key to extract a specific field from a JSON-formatted secret.
-<td>
-Key name in JSON
-</td>
-<td>
-<i>Optional</i>
-</td>
-</tr>
-<tr>
 <td><code>walletPassword</code></td>
 <td>
 Optional password for PKCS12 or protected PEM files. If omitted, the file is assumed to be SSO or an non-protected PEM file.
@@ -359,6 +357,21 @@ Specifies the type of the file being used.
 <i>No default value. The file type must be specified.</i>
 </td>
 </tr>
+<tr>
+<td><code>fieldName</code></td>
+<td>
+The field inside the secret that contains the base64-encoded TCPS wallet.
+Use this parameter only when the secret is structured as key-value pairs.
+If the secret contains multiple keys, this parameter specifies which key to extract.
+If the secret contains only one key and this parameter is not provided, that value is used automatically.
+If <code>fieldName</code> is provided but does not match any key, or if the secret is not structured as key-value pairs, an error is thrown.
+If the secret is stored as plain text and <code>fieldName</code> is provided, an error is also thrown.<td>
+Key name in JSON
+</td>
+<td>
+<i>Optional</i>
+</td>
+</tr>
 </tbody>
 </table>
 
@@ -430,8 +443,12 @@ Optional parameter to specify the index of the connection string to use when ret
 <tr>
 <td><code>fieldName</code></td>
 <td>
-Optional key to extract a specific field from a JSON-formatted secret.
-<td>
+The field inside the secret that contains the base64-encoded SEPS wallet.
+Use this parameter only when the secret is structured as key-value pairs.
+If the secret contains multiple keys, this parameter specifies which key to extract.
+If the secret contains only one key and this parameter is not provided, that value is used automatically.
+If <code>fieldName</code> is provided but does not match any key, or if the secret is not structured as key-value pairs, an error is thrown.
+If the secret is stored as plain text and <code>fieldName</code> is provided, an error is also thrown.<td>
 Key name in JSON
 </td>
 <td>
@@ -453,11 +470,15 @@ This provider retrieves and decodes a `tnsnames.ora` file stored as a secret in
 
 You can store the contents of the tnsnames.ora file either as:
 
-- A base64-encoded string, or
+- A base64-encoded string, either directly or within a key inside a structured key-value map.
+
+- Plain text, by simply copying and pasting the contents directly into the secret value.
 
-- Plain text, by simply copying and pasting the contents directly into the secret value field.
+If the secret is a key-value map, the <code>fieldName</code> parameter must be used to specify the key that holds the base64-encoded
+tnsnames.ora content.
 
-The provider will automatically handle either format and extract the appropriate connection string based on the specified alias.
+If the secret is stored as plain text, it must be provided as the raw contents of the tnsnames.ora file,
+and <code>fieldName</code> should not be set.
 
 This enables flexible configuration for secure database connections using the alias names defined in your `tnsnames.ora` file.
 
@@ -487,7 +508,15 @@ In addition to the set of [common parameters](#common-parameters-for-resource-pr
   </tr> 
   <tr>
     <td><code>fieldName</code></td>
-    <td>Optional key to extract a specific field from a JSON-formatted secret.</td>
+    <td>
+    The field inside the secret that contains the base64-encoded <code>tnsnames.ora</code> content.
+    Use this parameter only when the secret is structured as key-value pairs.
+    If the secret contains multiple keys, this parameter specifies which key to extract.
+    If the secret contains only one key and this parameter is not provided, that value is used automatically. 
+    If <code>fieldName</code> is provided but does not match any key, or if the secret is not structured
+    as key-value pairs, an error is thrown. If the secret is stored as plain text and <code>fieldName</code> is provided,
+    an error is also thrown.
+    </td>
     <td>Key name in JSON</td>
     <td><i>Optional</i></td>
   </tr>

ojdbc-provider-aws/src/main/java/oracle/jdbc/provider/aws/secrets/AwsSecretExtractor.java

@@ -70,13 +70,20 @@ public class AwsSecretExtractor {
    *       <li>Throws an exception if multiple keys exist and no field name is specified.</li>
    *     </ul>
    *   </li>
-   *   <li>If the string is not valid JSON, returns the original string as-is.</li>
+   *   <li>If the string is not valid JSON:
+   *     <ul>
+   *       <li>Returns the raw string only if {@code fieldName} is not provided.</li>
+   *       <li>Throws an exception if {@code fieldName} is provided.</li>
+   *     </ul>
+   *   </li>
    * </ul>
    *
    * @param secretString the raw secret string from AWS Secrets Manager
    * @param fieldName the key to extract from the JSON object (optional)
    * @return the extracted secret value
-   * @throws IllegalStateException if the JSON is valid but ambiguous or the field is missing
+   * @throws IllegalStateException if the JSON is valid but ambiguous,
+   * the specified field is missing, or the input is not JSON while
+   * {@code fieldName} is provided
    */
   public static String extractSecret(String secretString, String fieldName) {
     try {
@@ -95,7 +102,10 @@ public static String extractSecret(String secretString, String fieldName) {
         throw new IllegalStateException("FIELD_NAME is required when multiple keys exist in the secret JSON");
       }
     } catch (OracleJsonException e) {
-      // Fallback to plain text if not a JSON object
+      if (fieldName != null) {
+        throw new IllegalStateException("FIELD_NAME provided, but secret is not valid JSON.");
+      }
+      // Accept fallback to plain text only when fieldName is NOT specified
       return secretString;
     }
   }

ojdbc-provider-aws/src/test/java/oracle/provider/aws/AwsTestProperty.java

@@ -41,8 +41,7 @@ public enum AwsTestProperty {
   AWS_S3_URL,
   AWS_SECRETS_MANAGER_URL,
   AWS_REGION,
-  PASSWORD_SECRET_NAME,
-  USERNAME_SECRET_NAME,
+  DB_CREDENTIALS_SECRET_NAME,
   TNSNAMES_SECRET_NAME,
   TNS_ALIAS,
   PKCS12_WALLET_SECRET_NAME,

ojdbc-provider-aws/src/test/java/oracle/provider/aws/resource/SecretsManagerConnectionStringProviderTest.java

@@ -82,6 +82,13 @@ public void testGetParameters() {
     assertFalse(regionParam.isSensitive());
     assertFalse(regionParam.isRequired());
     assertNull(regionParam.defaultValue());
+
+    Parameter fieldParam = parameters.stream()
+      .filter(p -> "fieldName".equals(p.name()))
+      .findFirst().orElseThrow(AssertionError::new);
+    assertFalse(fieldParam.isSensitive());
+    assertFalse(fieldParam.isRequired());
+    assertNull(fieldParam.defaultValue());
   }
 
   @Test

ojdbc-provider-aws/src/test/java/oracle/provider/aws/resource/SecretsManagerPasswordProviderTest.java

@@ -76,15 +76,23 @@ public void testGetParameters() {
     assertFalse(regionParameter.isSensitive());
     assertFalse(regionParameter.isRequired());
     assertNull(regionParameter.defaultValue());
+
+    Parameter fieldParam = parameters.stream()
+      .filter(p -> "fieldName".equals(p.name()))
+      .findFirst().orElseThrow(AssertionError::new);
+    assertFalse(fieldParam.isSensitive());
+    assertFalse(fieldParam.isRequired());
+    assertNull(fieldParam.defaultValue());
   }
 
   @Test
   public void testGetPassword() {
     Map<String, String> testParameters = new HashMap<>();
     testParameters.put("secretName",
-      TestProperties.getOrAbort(AwsTestProperty.PASSWORD_SECRET_NAME));
+      TestProperties.getOrAbort(AwsTestProperty.DB_CREDENTIALS_SECRET_NAME));
     testParameters.put("awsRegion",
       TestProperties.getOrAbort(AwsTestProperty.AWS_REGION));
+    testParameters.put("fieldName", "password");
 
     Map<Parameter, CharSequence> parameterValues =
             createParameterValues(PROVIDER, testParameters);

ojdbc-provider-aws/src/test/java/oracle/provider/aws/resource/SecretsManagerSepsProviderTest.java

@@ -99,6 +99,13 @@ public void testGetParameters() {
       .findFirst().orElseThrow(AssertionError::new);
     assertFalse(awsRegion.isSensitive());
     assertFalse(awsRegion.isRequired());
+
+    Parameter fieldParam = usernameParams.stream()
+      .filter(p -> "fieldName".equals(p.name()))
+      .findFirst().orElseThrow(AssertionError::new);
+    assertFalse(fieldParam.isSensitive());
+    assertFalse(fieldParam.isRequired());
+    assertNull(fieldParam.defaultValue());
   }
 
   @Test
@@ -138,6 +145,7 @@ public void testSsoPasswordWithIndex() {
     params.put("connectionStringIndex", "1");
     params.put("awsRegion",
       TestProperties.getOrAbort(AwsTestProperty.AWS_REGION));
+    params.put("fieldName", "sso");
 
     Map<Parameter, CharSequence> values = createParameterValues(PASSWORD_PROVIDER, params);
     assertNotNull(PASSWORD_PROVIDER.getPassword(values));

ojdbc-provider-aws/src/test/java/oracle/provider/aws/resource/SecretsManagerTcpsProviderTest.java

@@ -90,6 +90,13 @@ public void testGetParameters() {
       .findFirst().orElseThrow(AssertionError::new);
     assertFalse(region.isSensitive());
     assertFalse(region.isRequired());
+
+    Parameter fieldParam = parameters.stream()
+      .filter(p -> "fieldName".equals(p.name()))
+      .findFirst().orElseThrow(AssertionError::new);
+    assertFalse(fieldParam.isSensitive());
+    assertFalse(fieldParam.isRequired());
+    assertNull(fieldParam.defaultValue());
   }
 
 

ojdbc-provider-aws/src/test/java/oracle/provider/aws/resource/SecretsManagerUsernameProviderTest.java

@@ -77,15 +77,23 @@ public void testGetParameters() {
     assertFalse(regionParameter.isSensitive());
     assertFalse(regionParameter.isRequired());
     assertNull(regionParameter.defaultValue());
+
+    Parameter fieldParam = parameters.stream()
+      .filter(p -> "fieldName".equals(p.name()))
+      .findFirst().orElseThrow(AssertionError::new);
+    assertFalse(fieldParam.isSensitive());
+    assertFalse(fieldParam.isRequired());
+    assertNull(fieldParam.defaultValue());
   }
 
   @Test
   public void testGetUsername() {
     Map<String, String> testParameters = new HashMap<>();
     testParameters.put("secretName",
-      TestProperties.getOrAbort(AwsTestProperty.USERNAME_SECRET_NAME));
+      TestProperties.getOrAbort(AwsTestProperty.DB_CREDENTIALS_SECRET_NAME));
     testParameters.put("awsRegion",
       TestProperties.getOrAbort(AwsTestProperty.AWS_REGION));
+    testParameters.put("fieldName", "username");
 
     Map<Parameter, CharSequence> parameterValues =
             createParameterValues(PROVIDER, testParameters);