OCI Connection String Provider (#124)

* Add VaultConnectionStringProvider for tnsnames.ora support

* update properties files

* Update Readme file

* Add Connection String Provider sample

* Update VaultConnectionStringProvider for early parameter validation and clarify required parameters in documentation

Author: MouhsinElmajdouby

ojdbc-provider-oci/README.md

@@ -38,6 +38,8 @@ Provider</a></dt>
 <dd>Provides TCPS/TLS wallets for secure connections to an Autonomous Database</dd>
 <dt><a href="#seps-wallet-provider">SEPS Wallet Provider</a></dt>
 <dd>Provides SEPS (Secure External Password Store) wallets for secure username and password retrieval</dd>
+<dt><a href="#vault-connection-string-provider">Vault Connection String Provider</a></dt>
+<dd>Provides connection strings for secure database connectivity based on aliases, retrieved from the tnsnames.ora file stored in OCI Vault.</dd>
 <dt><a href="#common-parameters-for-resource-providers">Common Parameters for Resource Providers</a></dt>
 <dd>Common parameters supported by the resource providers</dd>
 </dl>
@@ -512,6 +514,46 @@ Optional parameter to specify the index of the connection string to use when ret
 
 An example of a [connection properties file](https://docs.oracle.com/en/database/oracle/oracle-database/23/jajdb/oracle/jdbc/OracleConnection.html#CONNECTION_PROPERTY_CONFIG_FILE) that configures this provider can be found in [example-vault-wallet.properties](example-vault-wallet.properties).
 
+## Vault Connection String Provider
+
+The OCI Vault Connection String Provider provides Oracle JDBC with a connection string managed by the OCI Vault service.
+This is a Resource Provider identified by the name `ojdbc-provider-oci-vault-tnsnames`.
+
+This provider retrieves and decodes a `tnsnames.ora` file stored as a secret in OCI Vault, allowing selection of
+connection strings based on specified aliases.
+It supports both plain text and Base64-encoded `tnsnames.ora` files.
+
+This enables flexible and secure configuration for database connections using the alias names defined in your `tnsnames.ora` file.
+
+In addition to the set of common parameters, this provider also requires the parameters listed below:
+
+<table>
+<thead>
+<tr>
+<th>Parameter Name</th>
+<th>Description</th>
+<th>Accepted Values</th> 
+<th>Default Value</th> 
+</tr> 
+</thead>
+<tbody>
+<tr> 
+<td><code>ocid</code></td> 
+<td>The OCID of the OCI Vault secret containing the <code>tnsnames.ora</code> file.</td>
+<td>The <a href="https://docs.oracle.com/en-us/iaas/Content/General/Concepts/identifiers.htm">OCID</a> of the secret</td>
+<td><i>No default value. A value must be configured for this parameter.</i></td>
+</tr>
+<tr>
+<td><code>tnsAlias</code></td>
+<td>Specifies the alias to retrieve the appropriate connection string from the <code>tnsnames.ora</code> file.</td>
+<td>Any valid alias present in your <code>tnsnames.ora</code> file.</td>
+<td><i>No default value. A value must be configured for this parameter.</i></td>
+</tr>
+</tbody>
+</table>
+
+An example of a [connection properties file](https://docs.oracle.com/en/database/oracle/oracle-database/23/jajdb/oracle/jdbc/OracleConnection.html#CONNECTION_PROPERTY_CONFIG_FILE) that configures this provider can be found in [example-vault.properties](example-vault.properties).
+
 
 ## Access Token Provider
 The Access Token Provider provides Oracle JDBC with an access token that authorizes logins to an Autonomous Database. This is a Resource Provider identified by

ojdbc-provider-oci/example-test.properties

@@ -146,3 +146,9 @@ OCI_SEPS_WALLET_PASSWORD=*****
 
 # Optional index to select specific credentials from SEPS Wallet
 OCI_SEPS_CONNECTION_STRING_INDEX=1
+
+# The OCID of a tnsnames.ora file stored in OCI Vault
+OCI_TNS_NAMES_OCID=ocid1.vaultsecret.oc1.phx.bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
+
+# The alias in the tnsnames.ora file to use for the connection string
+OCI_TNS_NAMES_ALIAS=your_tns_alias

ojdbc-provider-oci/example-vault.properties

@@ -54,3 +54,10 @@ oracle.jdbc.provider.username.ocid=${USERNAME_OCID}
 # "PASSWORD_OCID":
 oracle.jdbc.provider.password=ojdbc-provider-oci-vault-password
 oracle.jdbc.provider.password.ocid=${PASSWORD_OCID}
+
+# Configures the OCI Vault Connection String Provider. The OCID of the tnsnames secret
+# and tns alias are configured as environment variables or JVM system
+# properties named "TNS_NAMES_OCID" and "TNS_ALIAS".
+oracle.jdbc.provider.connectionString=ojdbc-provider-oci-vault-tnsnames
+oracle.jdbc.provider.connectionString.ocid=${TNS_NAMES_OCID}
+oracle.jdbc.provider.connectionString.tnsAlias=${TNS_ALIAS}

ojdbc-provider-oci/src/main/java/oracle/jdbc/provider/oci/resource/VaultConnectionStringProvider.java

@@ -0,0 +1,139 @@
+/*
+ ** Copyright (c) 2024 Oracle and/or its affiliates.
+ **
+ ** The Universal Permissive License (UPL), Version 1.0
+ **
+ ** Subject to the condition set forth below, permission is hereby granted to any
+ ** person obtaining a copy of this software, associated documentation and/or data
+ ** (collectively the "Software"), free of charge and under any and all copyright
+ ** rights in the Software, and any and all patent rights owned or freely
+ ** licensable by each licensor hereunder covering either (i) the unmodified
+ ** Software as contributed to or provided by such licensor, or (ii) the Larger
+ ** Works (as defined below), to deal in both
+ **
+ ** (a) the Software, and
+ ** (b) any piece of software and/or hardware listed in the lrgrwrks.txt file if
+ ** one is included with the Software (each a "Larger Work" to which the Software
+ ** is contributed by such licensors),
+ **
+ ** without restriction, including without limitation the rights to copy, create
+ ** derivative works of, display, perform, and distribute the Software and make,
+ ** use, sell, offer for sale, import, export, have made, and have sold the
+ ** Software and the Larger Work(s), and to sublicense the foregoing rights on
+ ** either these or other terms.
+ **
+ ** This license is subject to the following condition:
+ ** The above copyright notice and either this complete permission notice or at
+ ** a minimum a reference to the UPL must be included in all copies or
+ ** substantial portions of the Software.
+ **
+ ** THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ ** IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ ** FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ ** AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ ** LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ ** OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ ** SOFTWARE.
+ */
+
+package oracle.jdbc.provider.oci.resource;
+
+import oracle.jdbc.provider.resource.ResourceParameter;
+import oracle.jdbc.provider.util.TNSNames;
+import oracle.jdbc.spi.ConnectionStringProvider;
+
+import java.io.ByteArrayInputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.util.Base64;
+import java.util.Map;
+
+import static oracle.jdbc.provider.oci.vault.SecretFactory.OCID;
+import static oracle.jdbc.provider.util.CommonParameters.TNS_ALIAS;
+
+/**
+ * <p>
+ * A provider for securely retrieving the connection string from a tnsnames.ora
+ * file stored in OCI Vault for use with an Oracle Autonomous Database.
+ * The tnsnames.ora file can be stored as plain text or base64-encoded content
+ * in OCI Vault. This class decodes and parses the content to select
+ * connection strings based on specified aliases.
+ * </p>
+ * <p>
+ * This class implements the {@link ConnectionStringProvider} SPI defined by
+ * Oracle JDBC.
+ * It is designed to be instantiated via {@link java.util.ServiceLoader}.
+ * </p>
+ */
+public class VaultConnectionStringProvider
+        extends OciResourceProvider
+        implements ConnectionStringProvider {
+
+  private static final ResourceParameter[] PARAMETERS = {
+          new ResourceParameter("ocid", OCID),
+          new ResourceParameter("tnsAlias", TNS_ALIAS)
+  };
+
+  /**
+   * A public no-arg constructor used by {@link java.util.ServiceLoader} to
+   * construct an instance of this provider.
+   */
+  public VaultConnectionStringProvider() {
+    super("vault-tnsnames", PARAMETERS);
+  }
+
+  /**
+   * Retrieves a database connection string from the tnsnames.ora file stored
+   * in OCI Vault.
+   * <p>
+   * This method accesses the file in OCI Vault, decodes it if it is
+   * base64-encoded, and parses the `tnsnames.ora` content. The method
+   * returns the connection string associated with the specified alias from
+   * the `tnsnames.ora` file.
+   * The file can either be stored as plain text or as base64-encoded content
+   * in the vault.
+   * </p>
+   *
+   * @param parameterValues The parameters required to access the `tnsnames.ora`
+   * file in OCI Vault, including the vault OCID and the tns-alias.
+   * @return The connection string associated with the specified alias
+   * in the `tnsnames.ora` file.
+   * @throws IllegalStateException If there is an error reading the `tnsnames.ora`
+   * file, decoding its content, or accessing the OCI Vault.
+   * @throws IllegalArgumentException If the specified alias is invalid or
+   * does not exist in the `tnsnames.ora` file.
+   */
+  @Override
+  public String getConnectionString(Map<Parameter, CharSequence> parameterValues) {
+
+    String alias;
+    try {
+      alias = parseParameterValues(parameterValues).getRequired(TNS_ALIAS);
+    } catch (IllegalStateException e) {
+      throw new IllegalArgumentException(
+              "Required parameter 'tnAlias' is missing", e
+      );
+    }
+
+    // Retrieve the secret containing tnsnames.ora content from OCI Vault
+    String secretValue = getVaultSecret(parameterValues)
+                           .getBase64Secret();
+
+    byte[] fileBytes = Base64.getDecoder().decode(secretValue);
+
+    TNSNames tnsNames;
+    try (InputStream inputStream = new ByteArrayInputStream(fileBytes)) {
+      tnsNames = TNSNames.read(inputStream);
+    } catch (IOException e) {
+      throw new IllegalStateException("Failed to read tnsnames.ora content", e);
+    }
+
+    String connectionString = tnsNames.getConnectionStringByAlias(alias);
+    if (connectionString == null) {
+      throw new IllegalArgumentException(
+              "Alias specified does not exist in tnsnames.ora: " + alias
+      );
+    }
+    return connectionString;
+  }
+}

ojdbc-provider-oci/src/main/resources/META-INF/services/oracle.jdbc.spi.ConnectionStringProvider

@@ -1 +1,2 @@
-oracle.jdbc.provider.oci.resource.DatabaseConnectionStringProvider
+oracle.jdbc.provider.oci.resource.DatabaseConnectionStringProvider
+oracle.jdbc.provider.oci.resource.VaultConnectionStringProvider

ojdbc-provider-oci/src/test/java/oracle/jdbc/provider/oci/OciTestProperty.java

@@ -104,5 +104,11 @@ public enum OciTestProperty {
 
   OCI_PASSWORD_PAYLOAD_OCID_MULTIPLE_KEYS,
 
-  OCI_PASSWORD_PAYLOAD_OCID_KEY;
+  OCI_PASSWORD_PAYLOAD_OCID_KEY,
+
+  OCI_TNS_NAMES_OCID,
+
+  OCI_TNS_NAMES_ALIAS,
+
+  OCI_NON_BASE64_TNS_NAMES_OCID;
 }

ojdbc-provider-oci/src/test/java/oracle/jdbc/provider/oci/resource/VaultConnectionStringProviderTest.java

@@ -0,0 +1,143 @@
+/*
+ ** Copyright (c) 2024 Oracle and/or its affiliates.
+ **
+ ** The Universal Permissive License (UPL), Version 1.0
+ **
+ ** Subject to the condition set forth below, permission is hereby granted to any
+ ** person obtaining a copy of this software, associated documentation and/or data
+ ** (collectively the "Software"), free of charge and under any and all copyright
+ ** rights in the Software, and any and all patent rights owned or freely
+ ** licensable by each licensor hereunder covering either (i) the unmodified
+ ** Software as contributed to or provided by such licensor, or (ii) the Larger
+ ** Works (as defined below), to deal in both
+ **
+ ** (a) the Software, and
+ ** (b) any piece of software and/or hardware listed in the lrgrwrks.txt file if
+ ** one is included with the Software (each a "Larger Work" to which the Software
+ ** is contributed by such licensors),
+ **
+ ** without restriction, including without limitation the rights to copy, create
+ ** derivative works of, display, perform, and distribute the Software and make,
+ ** use, sell, offer for sale, import, export, have made, and have sold the
+ ** Software and the Larger Work(s), and to sublicense the foregoing rights on
+ ** either these or other terms.
+ **
+ ** This license is subject to the following condition:
+ ** The above copyright notice and either this complete permission notice or at
+ ** a minimum a reference to the UPL must be included in all copies or
+ ** substantial portions of the Software.
+ **
+ ** THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ ** IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ ** FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ ** AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ ** LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ ** OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ ** SOFTWARE.
+ */
+
+package oracle.jdbc.provider.oci.resource;
+
+import oracle.jdbc.provider.TestProperties;
+import oracle.jdbc.provider.oci.OciTestProperty;
+import oracle.jdbc.spi.ConnectionStringProvider;
+import oracle.jdbc.spi.OracleResourceProvider.Parameter;
+import org.junit.jupiter.api.Test;
+
+import java.util.HashMap;
+import java.util.Map;
+
+import static oracle.jdbc.provider.resource.ResourceProviderTestUtil.createParameterValues;
+import static oracle.jdbc.provider.resource.ResourceProviderTestUtil.findProvider;
+import static org.junit.jupiter.api.Assertions.assertNotNull;
+import static org.junit.jupiter.api.Assertions.assertThrows;
+
+/** Verifies {@link DatabaseConnectionStringProvider} */
+public class VaultConnectionStringProviderTest {
+
+  private static final ConnectionStringProvider PROVIDER =
+    findProvider(
+      ConnectionStringProvider.class,
+      "ojdbc-provider-oci-vault-tnsnames");
+
+  @Test
+  public void testValidAlias() {
+    Map<String, String> testParameters = new HashMap<>();
+    testParameters.put("authenticationMethod", "config-file");
+    testParameters.put("configFile",
+            TestProperties.getOrAbort(OciTestProperty.OCI_CONFIG_FILE));
+    testParameters.put("profile",
+            TestProperties.getOrAbort(OciTestProperty.OCI_CONFIG_PROFILE));
+    testParameters.put("ocid",
+            TestProperties.getOrAbort(OciTestProperty.OCI_TNS_NAMES_OCID));
+    testParameters.put("tnsAlias",
+            TestProperties.getOrAbort(OciTestProperty.OCI_TNS_NAMES_ALIAS));
+
+    Map<Parameter, CharSequence> parameterValues =
+            createParameterValues(PROVIDER, testParameters);
+
+    String connectionString = PROVIDER.getConnectionString(parameterValues);
+    assertNotNull(connectionString);
+  }
+
+  @Test
+  public void testInvalidOrNonExistentAlias() {
+    Map<String, String> testParameters = new HashMap<>();
+    testParameters.put("authenticationMethod", "config-file");
+    testParameters.put("configFile",
+            TestProperties.getOrAbort(OciTestProperty.OCI_CONFIG_FILE));
+    testParameters.put("profile",
+            TestProperties.getOrAbort(OciTestProperty.OCI_CONFIG_PROFILE));
+    testParameters.put("ocid",
+            TestProperties.getOrAbort(OciTestProperty.OCI_TNS_NAMES_OCID));
+    testParameters.put("tnsAlias", "INVALID_ALIAS");
+
+    Map<Parameter, CharSequence> parameterValues =
+            createParameterValues(PROVIDER, testParameters);
+
+    assertThrows(IllegalArgumentException.class,
+            () -> PROVIDER.getConnectionString(parameterValues),
+            "Expected IllegalArgumentException for invalid alias"
+    );
+  }
+
+  @Test
+  public void testMissingAliasParameter() {
+    Map<String, String> testParameters = new HashMap<>();
+    testParameters.put("authenticationMethod", "config-file");
+    testParameters.put("configFile",
+            TestProperties.getOrAbort(OciTestProperty.OCI_CONFIG_FILE));
+    testParameters.put("profile",
+            TestProperties.getOrAbort(OciTestProperty.OCI_CONFIG_PROFILE));
+    testParameters.put("ocid",
+            TestProperties.getOrAbort(OciTestProperty.OCI_TNS_NAMES_OCID));
+
+    Map<Parameter, CharSequence> parameterValues =
+            createParameterValues(PROVIDER, testParameters);
+
+    assertThrows(IllegalArgumentException.class,
+            () -> PROVIDER.getConnectionString(parameterValues),
+            "Expected IllegalArgumentException when tnsAlias parameter is missing"
+    );
+  }
+
+  @Test
+  public void testPlainTextEncodedTnsnamesContent() {
+    Map<String, String> testParameters = new HashMap<>();
+    testParameters.put("authenticationMethod", "config-file");
+    testParameters.put("configFile",
+            TestProperties.getOrAbort(OciTestProperty.OCI_CONFIG_FILE));
+    testParameters.put("profile",
+            TestProperties.getOrAbort(OciTestProperty.OCI_CONFIG_PROFILE));
+    testParameters.put("ocid",
+            TestProperties.getOrAbort(OciTestProperty.OCI_NON_BASE64_TNS_NAMES_OCID));
+    testParameters.put("tnsAlias",
+            TestProperties.getOrAbort(OciTestProperty.OCI_TNS_NAMES_ALIAS));
+
+    Map<Parameter, CharSequence> parameterValues =
+            createParameterValues(PROVIDER, testParameters);
+
+    String connectionString = PROVIDER.getConnectionString(parameterValues);
+    assertNotNull(connectionString);
+  }
+}