Add Resource Providers for AWS Secrets Manager (#179)

* Add resource providers for AWS

* add documentation for AWS Secrets Manager resource providers (username, password, tcps wallet, seps wallet, tnsnames)

* Add fieldName parameter for Resources

* Add AwsSecretsManagerResourceParameterNames

* Update Tests and Readme

* Clarify fieldName parameter usage across AWS resource providers

Author: MouhsinElmajdouby

ojdbc-provider-aws/README.md

@@ -0,0 +1,71 @@
+################################################################################
+# Copyright (c) 2024 Oracle and/or its affiliates.
+#
+# The Universal Permissive License (UPL), Version 1.0
+#
+# Subject to the condition set forth below, permission is hereby granted to any
+# person obtaining a copy of this software, associated documentation and/or data
+# (collectively the "Software"), free of charge and under any and all copyright
+# rights in the Software, and any and all patent rights owned or freely
+# licensable by each licensor hereunder covering either (i) the unmodified
+# Software as contributed to or provided by such licensor, or (ii) the Larger
+# Works (as defined below), to deal in both
+#
+# (a) the Software, and
+# (b) any piece of software and/or hardware listed in the lrgrwrks.txt file if
+# one is included with the Software (each a "Larger Work" to which the Software
+# is contributed by such licensors),
+#
+# without restriction, including without limitation the rights to copy, create
+# derivative works of, display, perform, and distribute the Software and make,
+# use, sell, offer for sale, import, export, have made, and have sold the
+# Software and the Larger Work(s), and to sublicense the foregoing rights on
+# either these or other terms.
+#
+# This license is subject to the following condition:
+# The above copyright notice and either this complete permission notice or at
+# a minimum a reference to the UPL must be included in all copies or
+# substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+# SOFTWARE.
+################################################################################
+
+# An example of a connection properties file that configures Oracle JDBC to
+# obtain a TLS wallet and SEPS credentials from AWS Secrets Manager.
+#
+# This file can be located by Oracle JDBC using the "oracle.jdbc.config.file"
+# connection property. For details, see:
+# https://docs.oracle.com/en/database/oracle/oracle-database/23/jajdb/oracle/jdbc/OracleConnection.html#CONNECTION_PROPERTY_CONFIG_FILE
+
+# Configures the AWS Secrets Manager TCPS Wallet Provider.
+# The wallet secret name, wallet password, and file type are configured via
+# "TLS_WALLET_SECRET_NAME", "TLS_FILE_PASSWORD", and "TLS_FILE_TYPE" environment variables or JVM system properties.
+oracle.jdbc.provider.tlsConfiguration=ojdbc-provider-aws-secretsmanager-tls
+oracle.jdbc.provider.tlsConfiguration.secretName=${TLS_WALLET_SECRET_NAME}
+oracle.jdbc.provider.tlsConfiguration.walletPassword=${TLS_FILE_PASSWORD}
+oracle.jdbc.provider.tlsConfiguration.type=${TLS_FILE_TYPE}
+oracle.jdbc.provider.tlsConfiguration.awsRegion=${AWS_REGION}
+
+# Configures the AWS Secrets Manager SEPS Wallet Provider for both username and password.
+# The SEPS wallet secret name, wallet password, and index are configured via
+# "SEPS_WALLET_SECRET_NAME", "SEPS_WALLET_PASSWORD", and "SEPS_CONNECTION_STRING_INDEX".
+oracle.jdbc.provider.username=ojdbc-provider-aws-secretsmanager-seps
+oracle.jdbc.provider.username.secretName=${SEPS_WALLET_SECRET_NAME}
+oracle.jdbc.provider.username.walletPassword=${SEPS_WALLET_PASSWORD}
+oracle.jdbc.provider.username.connectionStringIndex=${SEPS_CONNECTION_STRING_INDEX}
+oracle.jdbc.provider.username.awsRegion=${AWS_REGION}
+
+oracle.jdbc.provider.password=ojdbc-provider-aws-secretsmanager-seps
+oracle.jdbc.provider.password.secretName=${SEPS_WALLET_SECRET_NAME}
+oracle.jdbc.provider.password.walletPassword=${SEPS_WALLET_PASSWORD}
+oracle.jdbc.provider.password.connectionStringIndex=${SEPS_CONNECTION_STRING_INDEX}
+oracle.jdbc.provider.password.authenticationMethod=aws-default
+oracle.jdbc.provider.password.awsRegion=${AWS_REGION}
+
+

ojdbc-provider-aws/example-aws-secretsmanager-wallet.properties

@@ -0,0 +1,68 @@
+################################################################################
+# Copyright (c) 2025 Oracle and/or its affiliates.
+#
+# The Universal Permissive License (UPL), Version 1.0
+#
+# Subject to the condition set forth below, permission is hereby granted to any
+# person obtaining a copy of this software, associated documentation and/or data
+# (collectively the "Software"), free of charge and under any and all copyright
+# rights in the Software, and any and all patent rights owned or freely
+# licensable by each licensor hereunder covering either (i) the unmodified
+# Software as contributed to or provided by such licensor, or (ii) the Larger
+# Works (as defined below), to deal in both
+#
+# (a) the Software, and
+# (b) any piece of software and/or hardware listed in the lrgrwrks.txt file if
+# one is included with the Software (each a "Larger Work" to which the Software
+# is contributed by such licensors),
+#
+# without restriction, including without limitation the rights to copy, create
+# derivative works of, display, perform, and distribute the Software and make,
+# use, sell, offer for sale, import, export, have made, and have sold the
+# Software and the Larger Work(s), and to sublicense the foregoing rights on
+# either these or other terms.
+#
+# This license is subject to the following condition:
+# The above copyright notice and either this complete permission notice or at
+# a minimum a reference to the UPL must be included in all copies or
+# substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+# SOFTWARE.
+################################################################################
+
+# An example of a connection properties file that configures Oracle JDBC to
+# login using a username and password managed by AWS Secrets manager Service.
+#
+# This file can be located by Oracle JDBC using the "oracle.jdbc.config.file"
+# connection property. For details, see:
+# https://docs.oracle.com/en/database/oracle/oracle-database/23/jajdb/oracle/jdbc/OracleConnection.html#CONNECTION_PROPERTY_CONFIG_FILE
+
+# Configures the AWS Secrets Manager Username Provider.
+# The secret name is configured as an environment variable or JVM system property
+# named "USERNAME_SECRET_NAME". The AWS region is configured via "AWS_REGION".
+oracle.jdbc.provider.username=ojdbc-provider-aws-secretsmanager-username
+oracle.jdbc.provider.username.secretName=${USERNAME_SECRET_NAME}
+oracle.jdbc.provider.username.awsRegion=${AWS_REGION}
+
+# Configures the AWS Secrets Manager Password Provider.
+# The secret name is configured as an environment variable or JVM system property
+# named "PASSWORD_SECRET_NAME". The AWS region is configured via "AWS_REGION".
+oracle.jdbc.provider.password=ojdbc-provider-aws-secretsmanager-password
+oracle.jdbc.provider.password.secretName=${PASSWORD_SECRET_NAME}
+oracle.jdbc.provider.password.awsRegion=${AWS_REGION}
+
+# Configures the AWS Secrets Manager Connection String Provider.
+# The secret name and alias are configured as environment variables or JVM system properties
+# named "TNSNAMES_SECRET_NAME" and "TNS_ALIAS", respectively. The AWS region is configured via "AWS_REGION".
+oracle.jdbc.provider.connectionString=ojdbc-provider-aws-secretsmanager-tnsnames
+oracle.jdbc.provider.connectionString.secretName=${TNSNAMES_SECRET_NAME}
+oracle.jdbc.provider.connectionString.tnsAlias=${TNS_ALIAS}
+oracle.jdbc.provider.connectionString.awsRegion=${AWS_REGION}
+
+

ojdbc-provider-aws/example-aws-secretsmanager.properties

@@ -86,3 +86,30 @@ AWS_S3_URL=jdbc:oracle:thin:@config-awss3://...
 
 # The URL to test with the AWS Secrets Manager Configuration Provider
 AWS_SECRETS_MANAGER_URL=jdbc:oracle:thin:@config-awssecretsmanager://...
+
+# The name of an AWS Secrets Manager secret
+AWS_USERNAME_SECRET_NAME=example-name
+
+# The name of an AWS Secrets Manager secret for TCPS (TLS) wallet
+AWS_TLS_WALLET_SECRET_NAME=aws-tcps-wallet-secret
+
+# The type of the file stored in AWS Secrets Manager (SSO, PKCS12, PEM)
+AWS_TLS_FILE_TYPE=PKCS12
+
+# Optional password for the TLS file stored in AWS Secrets Manager
+AWS_TLS_FILE_PASSWORD=******
+
+# The name of an AWS Secrets Manager secret for SEPS wallet
+AWS_SEPS_WALLET_SECRET_NAME=aws-seps-wallet-secret
+
+# Optional password for the SEPS wallet stored in AWS Secrets Manager
+AWS_SEPS_WALLET_PASSWORD=*****
+
+# Optional index to select specific credentials from the SEPS wallet
+AWS_SEPS_CONNECTION_STRING_INDEX=1
+
+# The name of the AWS Secrets Manager secret containing the tnsnames.ora file
+AWS_TNSNAMES_SECRET_NAME=aws-tnsnames-secret
+
+# The alias in the tnsnames.ora file to use for the connection string
+AWS_TNS_NAMES_ALIAS=your_tns_alias

ojdbc-provider-aws/example-test.properties

@@ -37,14 +37,11 @@
  */
 package oracle.jdbc.provider.aws.configuration;
 
+import oracle.jdbc.provider.aws.secrets.AwsSecretExtractor;
 import oracle.jdbc.provider.aws.secrets.SecretsManagerFactory;
 import oracle.jdbc.provider.parameter.ParameterSet;
 import oracle.jdbc.spi.OracleConfigurationSecretProvider;
-import oracle.sql.json.OracleJsonException;
-import oracle.sql.json.OracleJsonFactory;
-import oracle.sql.json.OracleJsonObject;
 
-import java.io.ByteArrayInputStream;
 import java.nio.charset.StandardCharsets;
 import java.util.Base64;
 import java.util.Map;
@@ -55,8 +52,6 @@
 public class AwsJsonSecretsManagerProvider
     implements OracleConfigurationSecretProvider {
 
-  private static final OracleJsonFactory JSON_FACTORY = new OracleJsonFactory();
-
   /**
    * {@inheritDoc}
    * <p>
@@ -98,28 +93,8 @@ public char[] getSecret(Map<String, String> map) {
         .request(parameterSet)
         .getContent();
 
-    String extractedSecret;
-
-    try {
-      OracleJsonObject jsonObject = JSON_FACTORY.createJsonTextValue(
-           new ByteArrayInputStream(secretString.getBytes(StandardCharsets.UTF_8)))
-        .asJsonObject();
-
-      if (fieldName != null) {
-        if (!jsonObject.containsKey(fieldName)) {
-          throw new IllegalStateException("Field '" + fieldName + "' not found in secret JSON.");
-        }
-        extractedSecret = jsonObject.get(fieldName).asJsonString().getString();
-      } else if (jsonObject.size() == 1) {
-        extractedSecret = jsonObject.values().iterator().next().asJsonString().getString();
-      } else {
-        throw new IllegalStateException(
-          "FIELD_NAME is required when multiple keys exist in the secret JSON");
-      }
-
-    } catch (OracleJsonException e) {
-      extractedSecret = secretString;
-    }
+    String extractedSecret = AwsSecretExtractor.extractSecret(secretString,
+      fieldName);
 
     return Base64.getEncoder()
         .encodeToString(extractedSecret.getBytes(StandardCharsets.UTF_8))

ojdbc-provider-aws/src/main/java/oracle/jdbc/provider/aws/configuration/AwsJsonSecretsManagerProvider.java

@@ -0,0 +1,96 @@
+/*
+ ** Copyright (c) 2025 Oracle and/or its affiliates.
+ **
+ ** The Universal Permissive License (UPL), Version 1.0
+ **
+ ** Subject to the condition set forth below, permission is hereby granted to any
+ ** person obtaining a copy of this software, associated documentation and/or data
+ ** (collectively the "Software"), free of charge and under any and all copyright
+ ** rights in the Software, and any and all patent rights owned or freely
+ ** licensable by each licensor hereunder covering either (i) the unmodified
+ ** Software as contributed to or provided by such licensor, or (ii) the Larger
+ ** Works (as defined below), to deal in both
+ **
+ ** (a) the Software, and
+ ** (b) any piece of software and/or hardware listed in the lrgrwrks.txt file if
+ ** one is included with the Software (each a "Larger Work" to which the Software
+ ** is contributed by such licensors),
+ **
+ ** without restriction, including without limitation the rights to copy, create
+ ** derivative works of, display, perform, and distribute the Software and make,
+ ** use, sell, offer for sale, import, export, have made, and have sold the
+ ** Software and the Larger Work(s), and to sublicense the foregoing rights on
+ ** either these or other terms.
+ **
+ ** This license is subject to the following condition:
+ ** The above copyright notice and either this complete permission notice or at
+ ** a minimum a reference to the UPL must be included in all copies or
+ ** substantial portions of the Software.
+ **
+ ** THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ ** IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ ** FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ ** AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ ** LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ ** OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ ** SOFTWARE.
+ */
+
+package oracle.jdbc.provider.aws.resource;
+
+import oracle.jdbc.provider.aws.authentication.AwsAuthenticationMethod;
+import oracle.jdbc.provider.aws.authentication.AwsCredentialsFactory;
+import oracle.jdbc.provider.resource.AbstractResourceProvider;
+import oracle.jdbc.provider.resource.ResourceParameter;
+
+import java.util.stream.Stream;
+
+import static oracle.jdbc.provider.aws.authentication.AwsAuthenticationMethod.DEFAULT;
+import static oracle.jdbc.provider.aws.authentication.AwsCredentialsFactory.AUTHENTICATION_METHOD;
+import static oracle.jdbc.provider.aws.configuration.AwsConfigurationParameters.REGION;
+import static oracle.jdbc.provider.aws.resource.AwsSecretsManagerResourceParameterNames.AWS_REGION;
+
+/**
+ * Super class of all {@code OracleResourceProvider} implementations
+ * that request a resource from AWS. This super class defines parameters for
+ * authentication with AWS.
+ */
+public abstract class AwsResourceProvider extends AbstractResourceProvider {
+
+  private static final ResourceParameter[] PARAMETERS = {
+    new ResourceParameter("authenticationMethod", AUTHENTICATION_METHOD,
+      "aws-default",
+      AwsResourceProvider::parseAuthenticationMethod),
+    new ResourceParameter(AWS_REGION, REGION)
+  };
+
+  /**
+   * Constructs a provider identified by the name:
+   * <pre>{@code
+   *   ojdbc-provider-aws-{resourceType}
+   * }</pre>
+   * @param resourceType The resource type identifier used in the provider name.
+   * @param parameters Additional parameters specific to the subclass provider.
+   */
+  protected AwsResourceProvider(String resourceType, ResourceParameter... parameters) {
+    super("aws", resourceType,
+      Stream.concat(Stream.of(PARAMETERS), Stream.of(parameters))
+        .toArray(ResourceParameter[]::new));
+  }
+
+  /**
+   * Parses the "authenticationMethod" parameter as an
+   * {@link AwsAuthenticationMethod} recognized by {@link AwsCredentialsFactory}.
+   *
+   * @param authenticationMethod The value to parse.
+   * @return An {@link AwsAuthenticationMethod} enum.
+   * @throws IllegalArgumentException if the value is unrecognized.
+   */
+  private static AwsAuthenticationMethod parseAuthenticationMethod(String authenticationMethod) {
+    switch (authenticationMethod) {
+      case "aws-default": return DEFAULT;
+      default:
+        throw new IllegalArgumentException("Unrecognized authentication method: " + authenticationMethod);
+    }
+  }
+}

ojdbc-provider-aws/src/main/java/oracle/jdbc/provider/aws/resource/AwsResourceProvider.java

@@ -0,0 +1,68 @@
+/*
+ ** Copyright (c) 2025 Oracle and/or its affiliates.
+ **
+ ** The Universal Permissive License (UPL), Version 1.0
+ **
+ ** Subject to the condition set forth below, permission is hereby granted to any
+ ** person obtaining a copy of this software, associated documentation and/or data
+ ** (collectively the "Software"), free of charge and under any and all copyright
+ ** rights in the Software, and any and all patent rights owned or freely
+ ** licensable by each licensor hereunder covering either (i) the unmodified
+ ** Software as contributed to or provided by such licensor, or (ii) the Larger
+ ** Works (as defined below), to deal in both
+ **
+ ** (a) the Software, and
+ ** (b) any piece of software and/or hardware listed in the lrgrwrks.txt file if
+ ** one is included with the Software (each a "Larger Work" to which the Software
+ ** is contributed by such licensors),
+ **
+ ** without restriction, including without limitation the rights to copy, create
+ ** derivative works of, display, perform, and distribute the Software and make,
+ ** use, sell, offer for sale, import, export, have made, and have sold the
+ ** Software and the Larger Work(s), and to sublicense the foregoing rights on
+ ** either these or other terms.
+ **
+ ** This license is subject to the following condition:
+ ** The above copyright notice and either this complete permission notice or at
+ ** a minimum a reference to the UPL must be included in all copies or
+ ** substantial portions of the Software.
+ **
+ ** THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ ** IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ ** FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ ** AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ ** LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ ** OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ ** SOFTWARE.
+ */
+
+package oracle.jdbc.provider.aws.resource;
+
+/**
+ * Centralized parameter name constants used by AWS Secrets Manager resource providers.
+ */
+public final class AwsSecretsManagerResourceParameterNames {
+
+  private AwsSecretsManagerResourceParameterNames() {}
+
+  /** The AWS region where the secret is located (e.g., eu-north-1). */
+  public static final String AWS_REGION = "awsRegion";
+
+  /** The name of the secret stored in AWS Secrets Manager. */
+  public static final String SECRET_NAME = "secretName";
+
+  /** Optional field name to extract from a JSON secret. */
+  public static final String FIELD_NAME = "fieldName";
+
+  /** The alias used to retrieve a connection string from tnsnames.ora. */
+  public static final String TNS_ALIAS = "tnsAlias";
+
+  /** Optional password used to decrypt the wallet (for PKCS12 or encrypted PEM). */
+  public static final String WALLET_PASSWORD = "walletPassword";
+
+  /** The wallet format: SSO, PKCS12, or PEM. */
+  public static final String TYPE = "type";
+
+  /** Index of the credential set in the wallet */
+  public static final String CONNECTION_STRING_INDEX = "connectionStringIndex";
+}