Merge branch 'main' into aws-appconfig-centralized-config-provider

Author: MouhsinElmajdouby

ojdbc-provider-aws/README.md

@@ -12,6 +12,8 @@ Provider</a></dt>
 <dt><a href="#aws-secrets-manager-config-provider">AWS Secrets Manager Configuration 
 Provider</a></dt>
 <dd>Provides connection properties managed by the Secrets Manager service</dd>
+<dt><a href="#aws-parameter-store-config-provider">AWS Parameter Store Configuration Provider</a></dt>
+<dd>Provides connection properties managed by the Systems Manager Parameter Store</dd>
 <dt><a href="#aws-appconfig-freeform-config-provider">AWS AppConfig Freeform Configuration Provider</a></dt>
 <dd>Provides connection properties managed by the AWS AppConfig Freeform Configuration service</dd>
 <dt><a href="#common-parameters-for-centralized-config-providers">Common Parameters for Centralized Config Providers</a></dt>
@@ -49,7 +51,7 @@ JDK versions. The coordinates for the latest release are:
 <dependency>
   <groupId>com.oracle.database.jdbc</groupId>
   <artifactId>ojdbc-provider-aws</artifactId>
-  <version>1.0.5</version>
+  <version>1.0.6</version>
 </dependency>
 ```
 
@@ -70,11 +72,12 @@ The {S3-URI} can be obtained from the Amazon S3 console and follows this naming
 
 ### JSON Payload format
 
-There are 3 fixed values that are looked at the root level.
+There are 4 fixed values that are looked at the root level.
 
 - connect_descriptor (required)
 - user (optional)
 - password (optional)
+- wallet_location (optional)
 
 The rest are dependent on the driver, in our case `/jdbc`. The key-value pairs that are with sub-prefix `/jdbc` will be applied to a DataSource. The key values are constant keys which are equivalent to the properties defined in the [OracleConnection](https://docs.oracle.com/en/database/oracle/oracle-database/23/jajdb/oracle/jdbc/OracleConnection.html) interface.
 
@@ -95,6 +98,11 @@ And the JSON Payload for the file **payload_ojdbc_objectstorage.json** in **mybu
     "value": "test-secret",
     "field_name": "<field-name>"  // Optional: Only needed when the secret is structured and contains multiple key-value pairs.
   },
+  "wallet_location": {
+    "type": "awssecretsmanager",
+    "value": "wallet-secret",
+    "field_name": "<field-name>" // Optional: Only needed when the secret is structured and contains multiple key-value pairs.
+  },
   "jdbc": {
     "oracle.jdbc.ReadTimeout": 1000,
     "defaultRowPrefetch": 20,
@@ -117,34 +125,69 @@ The sample code below executes as expected with the previous configuration.
 
 ### Password JSON Object
 
-For the JSON type of provider (AWS S3, AWS Secrets Manager, HTTP/HTTPS, File) the password is an object itself with the following spec:
+For the JSON type of provider (AWS S3, AWS Secrets Manager, AWS Parameter Store, HTTP/HTTPS, File) the password is an object itself with the following spec:
 
-- type
+- `type`
     - Mandatory
     - Possible values
-        - ocivault
-        - azurevault
-        - base64
-        - awssecretsmanager
-- value
+      - `ocivault` (OCI Vault)
+      - `azurevault` (Azure Key Vault)
+      - `base64` (Base64)
+      - `awssecretsmanager` (AWS Secrets Manager)
+      - `awsparameterstore` (AWS Parameter Store)
+      - `hcpvaultdedicated` (HCP Vault Dedicated)
+      - `hcpvaultsecret` (HCP Vault Secrets)
+      - `gcpsecretmanager` (GCP Secret Manager)
+- `value`
     - Mandatory
     - Possible values
         - OCID of the secret (if ocivault)
         - Azure Key Vault URI (if azurevault)
         - Base64 Encoded password (if base64)
         - AWS Secret name (if awssecretsmanager)
-- field_name
+        - AWS Parameter name (if awsparameterstore)
+        - Secret path (if hcpvaultdedicated)
+        - Secret name (if hcpvaultsecret)
+        - Secret name (if gcpsecretmanager)
+- `field_name`
   - Optional
   - Description: Specifies the key within the secret JSON object from which to extract the password value.
     If the secret JSON contains multiple key-value pairs, field_name must be provided to unambiguously select the desired secret value.
     If the secret contains only a single key-value pair and field_name is not provided, that sole value will be used.
     If the secret is provided as plain text (i.e., not structured as a JSON object), no field_name is required.
-- authentication
+- `authentication`
     - Optional
     - Possible Values
         - method
         - optional parameters (depends on the cloud provider).
 
+### Wallet_location JSON Object
+
+The `oracle.net.wallet_location` connection property is not allowed in the `jdbc` object due to security reasons. Instead, users should use the `wallet_location` object to specify the wallet in the configuration.
+
+For the JSON type of provider (AWS S3, HTTPS, File) the wallet_location is an object itself with the same spec as the [password JSON object](#password-json-object) mentioned above.
+
+The value stored in the secret should be the Base64 representation of of a supported wallet file. This is equivalent to setting the `oracle.net.wallet_location` connection property in a regular JDBC application using the following format:
+
+```
+data:;base64,<Base64 representation of the wallet file>
+```
+
+#### Supported formats
+- `cwallet.sso` (SSO wallet)
+- `ewallet.pem` (PEM wallet)
+
+If the PEM wallet is encrypted, you must also set the wallet password using the `oracle.net.wallet_password` property.
+This property should be included inside the jdbc object of the JSON payload:
+
+```
+"jdbc": {
+  "oracle.net.wallet_password": "<your-password>"
+}
+```
+
+<i>*Note: When storing a wallet in AWS Secrets Manager, store the raw Base64-encoded wallet bytes directly. The provider will automatically detect and handle the encoding correctly.</i>
+
 ## AWS Secrets Manager Config Provider
 Apart from AWS S3, users can also store JSON Payload in the content of AWS Secrets Manager secret. Users need to indicate the secret name:
 
@@ -154,6 +197,16 @@ jdbc:oracle:thin:@config-awssecretsmanager://{secret-name}
 
 The JSON Payload retrieved by AWS Secrets Manager Provider follows the same format in [AWS S3 Configuration Provider](#json-payload-format).
 
+## AWS Parameter Store Config Provider
+Apart from AWS S3 and Secrets Manager, users can also store JSON payload in AWS Systems Manager Parameter Store. 
+To use it, specify the name of the parameter:
+
+<pre>
+jdbc:oracle:thin:@config-awsparameterstore://{parameter-name}
+</pre>
+
+The JSON payload stored in the parameter should follow the same format as described in [AWS S3 Configuration Provider](#json-payload-format).
+
 ## AWS AppConfig Freeform Config Provider
 The Oracle DataSource uses the prefix `jdbc:oracle:thin:@config-awsappconfig` to identify that the freeform
 configuration parameters should be loaded using AWS AppConfig. Users need to specify the application identifier or name, along with the environment and configuration profile

ojdbc-provider-aws/example-test.properties

@@ -87,6 +87,8 @@ AWS_S3_URL=jdbc:oracle:thin:@config-awss3://...
 # The URL to test with the AWS Secrets Manager Configuration Provider
 AWS_SECRETS_MANAGER_URL=jdbc:oracle:thin:@config-awssecretsmanager://...
 
+# The URL to test with the AWS Parameter Store Configuration Provider
+AWS_PARAMETER_STORE_URL=jdbc:oracle:thin:@config-awsparameterstore://...
 # The name of an AWS Secrets Manager secret
 AWS_USERNAME_SECRET_NAME=example-name
 

ojdbc-provider-aws/pom.xml

@@ -10,7 +10,7 @@
   <parent>
     <groupId>com.oracle.database.jdbc</groupId>
     <artifactId>ojdbc-extensions</artifactId>
-    <version>1.0.5</version>
+    <version>1.0.6</version>
   </parent>
 
   <dependencyManagement>
@@ -66,6 +66,10 @@
       <groupId>software.amazon.awssdk</groupId>
       <artifactId>secretsmanager</artifactId>
     </dependency>
+    <dependency>
+      <groupId>software.amazon.awssdk</groupId>
+      <artifactId>ssm</artifactId>
+    </dependency>
     <dependency>
       <groupId>software.amazon.awssdk</groupId>
       <artifactId>appconfigdata</artifactId>

ojdbc-provider-aws/src/main/java/oracle/jdbc/provider/aws/configuration/AwsJsonParameterStoreProvider.java

@@ -0,0 +1,97 @@
+/*
+ ** Copyright (c) 2025 Oracle and/or its affiliates.
+ **
+ ** The Universal Permissive License (UPL), Version 1.0
+ **
+ ** Subject to the condition set forth below, permission is hereby granted to any
+ ** person obtaining a copy of this software, associated documentation and/or data
+ ** (collectively the "Software"), free of charge and under any and all copyright
+ ** rights in the Software, and any and all patent rights owned or freely
+ ** licensable by each licensor hereunder covering either (i) the unmodified
+ ** Software as contributed to or provided by such licensor, or (ii) the Larger
+ ** Works (as defined below), to deal in both
+ **
+ ** (a) the Software, and
+ ** (b) any piece of software and/or hardware listed in the lrgrwrks.txt file if
+ ** one is included with the Software (each a "Larger Work" to which the Software
+ ** is contributed by such licensors),
+ **
+ ** without restriction, including without limitation the rights to copy, create
+ ** derivative works of, display, perform, and distribute the Software and make,
+ ** use, sell, offer for sale, import, export, have made, and have sold the
+ ** Software and the Larger Work(s), and to sublicense the foregoing rights on
+ ** either these or other terms.
+ **
+ ** This license is subject to the following condition:
+ ** The above copyright notice and either this complete permission notice or at
+ ** a minimum a reference to the UPL must be included in all copies or
+ ** substantial portions of the Software.
+ **
+ ** THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ ** IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ ** FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ ** AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ ** LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ ** OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ ** SOFTWARE.
+ */
+
+package oracle.jdbc.provider.aws.configuration;
+
+import oracle.jdbc.provider.aws.parameterstore.ParameterStoreFactory;
+import oracle.jdbc.provider.parameter.ParameterSet;
+import oracle.jdbc.spi.OracleConfigurationSecretProvider;
+
+import java.util.Base64;
+import java.util.Map;
+
+import static oracle.jdbc.provider.aws.configuration.AwsParameterStoreConfigurationProvider.PARAMETER_SET_PARSER;
+
+public class AwsJsonParameterStoreProvider
+  implements OracleConfigurationSecretProvider {
+
+  /**
+   * {@inheritDoc}
+   * <p>
+   * Returns the value of the parameter retrieved from AWS Systems Manager
+   * Parameter Store.
+   * </p>
+   * <p>
+   * The {@code jsonObject} is expected to be in the following form:
+   * </p>
+   *
+   * <pre>{@code
+   *   "password": {
+   *       "type": "awsparameterstore",
+   *       "value": "/my-app/database-password"
+   *   }
+   * }</pre>
+   *
+   * <p>
+   * The provider retrieves the parameter specified by the {@code value} field
+   * from AWS Parameter Store, then encodes it as a Base64 string.
+   * The encoded value is returned as a {@code char[]} for use with Oracle JDBC's
+   * centralized configuration.
+   * </p>
+   *
+   * @param map Map object containing key-value pairs parsed from the JSON configuration.
+   * @return Base64-encoded {@code char[]} representing the retrieved secret value.
+   */
+  @Override
+  public char[] getSecret(Map<String, String> map) {
+    ParameterSet parameterSet = PARAMETER_SET_PARSER.parseNamedValues(map);
+
+    String parameterValue = ParameterStoreFactory.getInstance()
+      .request(parameterSet)
+      .getContent();
+
+    return Base64.getEncoder()
+      .encodeToString(parameterValue.getBytes())
+      .toCharArray();
+  }
+
+  @Override
+  public String getSecretType() {
+    return "awsparameterstore";
+  }
+}

ojdbc-provider-aws/src/main/java/oracle/jdbc/provider/aws/configuration/AwsJsonSecretsManagerProvider.java

@@ -42,12 +42,11 @@
 import oracle.jdbc.provider.parameter.ParameterSet;
 import oracle.jdbc.spi.OracleConfigurationSecretProvider;
 
-import java.nio.charset.StandardCharsets;
-import java.util.Base64;
 import java.util.Map;
 
 import static oracle.jdbc.provider.aws.configuration.AwsConfigurationParameters.FIELD_NAME;
 import static oracle.jdbc.provider.aws.configuration.AwsSecretsManagerConfigurationProvider.PARAMETER_SET_PARSER;
+import static oracle.jdbc.provider.util.FileUtils.toBase64EncodedCharArray;
 
 public class AwsJsonSecretsManagerProvider
     implements OracleConfigurationSecretProvider {
@@ -96,9 +95,7 @@ public char[] getSecret(Map<String, String> map) {
     String extractedSecret = AwsSecretExtractor.extractSecret(secretString,
       fieldName);
 
-    return Base64.getEncoder()
-        .encodeToString(extractedSecret.getBytes(StandardCharsets.UTF_8))
-        .toCharArray();
+    return toBase64EncodedCharArray(extractedSecret);
   }
 
   @Override