generateCacheKey(ParameterSet parameterSet) {
+ return parameterSet.filterParameters(new String[]{
+ PARAM_HCP_CLIENT_ID, PARAM_HCP_CLIENT_SECRET
+ });
+ }
+}
diff --git a/ojdbc-provider-hashicorp/src/main/java/oracle/jdbc/provider/hashicorp/hcpvaultsecret/authentication/HcpVaultAuthenticationMethod.java b/ojdbc-provider-hashicorp/src/main/java/oracle/jdbc/provider/hashicorp/hcpvaultsecret/authentication/HcpVaultAuthenticationMethod.java
new file mode 100644
index 00000000..cc52ef50
--- /dev/null
+++ b/ojdbc-provider-hashicorp/src/main/java/oracle/jdbc/provider/hashicorp/hcpvaultsecret/authentication/HcpVaultAuthenticationMethod.java
@@ -0,0 +1,106 @@
+/*
+ ** Copyright (c) 2025 Oracle and/or its affiliates.
+ **
+ ** The Universal Permissive License (UPL), Version 1.0
+ **
+ ** Subject to the condition set forth below, permission is hereby granted to any
+ ** person obtaining a copy of this software, associated documentation and/or data
+ ** (collectively the "Software"), free of charge and under any and all copyright
+ ** rights in the Software, and any and all patent rights owned or freely
+ ** licensable by each licensor hereunder covering either (i) the unmodified
+ ** Software as contributed to or provided by such licensor, or (ii) the Larger
+ ** Works (as defined below), to deal in both
+ **
+ ** (a) the Software, and
+ ** (b) any piece of software and/or hardware listed in the lrgrwrks.txt file if
+ ** one is included with the Software (each a "Larger Work" to which the Software
+ ** is contributed by such licensors),
+ **
+ ** without restriction, including without limitation the rights to copy, create
+ ** derivative works of, display, perform, and distribute the Software and make,
+ ** use, sell, offer for sale, import, export, have made, and have sold the
+ ** Software and the Larger Work(s), and to sublicense the foregoing rights on
+ ** either these or other terms.
+ **
+ ** This license is subject to the following condition:
+ ** The above copyright notice and either this complete permission notice or at
+ ** a minimum a reference to the UPL must be included in all copies or
+ ** substantial portions of the Software.
+ **
+ ** THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ ** IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ ** FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ ** AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ ** LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ ** OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ ** SOFTWARE.
+ */
+
+package oracle.jdbc.provider.hashicorp.hcpvaultsecret.authentication;
+
+/**
+ * Enumeration of authentication methods supported by HCP Vault Secrets.
+ *
+ * This represents the different ways to authenticate with the HCP Vault Secrets API.
+ *
+ */
+public enum HcpVaultAuthenticationMethod {
+
+ /**
+ * Authentication using client credentials via the OAuth2 client_credentials flow.
+ *
+ * This method requires the following:
+ *
+ *
+ * - A Client ID provided by the HCP Vault console or associated
+ * with an HCP Service Principal.
+ *
+ * - A Client Secret corresponding to the Client ID, ensuring
+ * secure access.
+ *
+ *
+ *
+ * By using these credentials, the method retrieves a short-lived API token
+ * by calling the HCP OAuth2 endpoint.
+ *
+ */
+ CLIENT_CREDENTIALS,
+
+ /**
+ * Authentication using the credentials file generated by the HCP CLI.
+ *
+ * This method retrieves an access token from the standard CLI-generated
+ * credentials file located at
+ * System.getProperty("user.home") + "/.config/hcp/creds-cache.json".
+ * If the token is expired,
+ * it will be automatically refreshed using the stored refresh token.
+ *
+ *
+ * The credentials file must follow the standard JSON structure containing:
+ *
+ *
+ * {
+ * "login": {
+ * "access_token": "...",
+ * "refresh_token": "...",
+ * "access_token_expiry": "..."
+ * }
+ * }
+ *
+ *
+ * The user can provide a custom path to the credentials file if needed.
+ *
+ */
+ CLI_CREDENTIALS_FILE,
+
+ /**
+ * Automatically selects the best authentication method based on available parameters.
+ *
+ * Priority order:
+ *
+ * - Uses the credentials file if present and valid.
+ * - Falls back to client credentials authentication.
+ *
+ */
+ AUTO_DETECT;
+}
\ No newline at end of file
diff --git a/ojdbc-provider-hashicorp/src/main/java/oracle/jdbc/provider/hashicorp/hcpvaultsecret/authentication/HcpVaultCredentialsFileAuthenticator.java b/ojdbc-provider-hashicorp/src/main/java/oracle/jdbc/provider/hashicorp/hcpvaultsecret/authentication/HcpVaultCredentialsFileAuthenticator.java
new file mode 100644
index 00000000..e551925a
--- /dev/null
+++ b/ojdbc-provider-hashicorp/src/main/java/oracle/jdbc/provider/hashicorp/hcpvaultsecret/authentication/HcpVaultCredentialsFileAuthenticator.java
@@ -0,0 +1,246 @@
+/*
+ ** Copyright (c) 2025 Oracle and/or its affiliates.
+ **
+ ** The Universal Permissive License (UPL), Version 1.0
+ **
+ ** Subject to the condition set forth below, permission is hereby granted to any
+ ** person obtaining a copy of this software, associated documentation and/or data
+ ** (collectively the "Software"), free of charge and under any and all copyright
+ ** rights in the Software, and any and all patent rights owned or freely
+ ** licensable by each licensor hereunder covering either (i) the unmodified
+ ** Software as contributed to or provided by such licensor, or (ii) the Larger
+ ** Works (as defined below), to deal in both
+ **
+ ** (a) the Software, and
+ ** (b) any piece of software and/or hardware listed in the lrgrwrks.txt file if
+ ** one is included with the Software (each a "Larger Work" to which the Software
+ ** is contributed by such licensors),
+ **
+ ** without restriction, including without limitation the rights to copy, create
+ ** derivative works of, display, perform, and distribute the Software and make,
+ ** use, sell, offer for sale, import, export, have made, and have sold the
+ ** Software and the Larger Work(s), and to sublicense the foregoing rights on
+ ** either these or other terms.
+ **
+ ** This license is subject to the following condition:
+ ** The above copyright notice and either this complete permission notice or at
+ ** a minimum a reference to the UPL must be included in all copies or
+ ** substantial portions of the Software.
+ **
+ ** THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ ** IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ ** FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ ** AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ ** LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ ** OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ ** SOFTWARE.
+ */
+
+package oracle.jdbc.provider.hashicorp.hcpvaultsecret.authentication;
+
+import oracle.jdbc.provider.hashicorp.util.HttpUtil;
+import oracle.jdbc.provider.hashicorp.util.JsonUtil;
+import oracle.sql.json.OracleJsonObject;
+
+import java.io.IOException;
+import java.nio.charset.StandardCharsets;
+import java.nio.file.Files;
+import java.nio.file.Path;
+import java.nio.file.Paths;
+import java.time.Instant;
+import java.time.OffsetDateTime;
+import java.time.ZoneOffset;
+import java.time.format.DateTimeFormatter;
+import java.util.Base64;
+import java.util.concurrent.locks.ReentrantLock;
+
+/**
+ * Handles authentication using the HashiCorp CLI credentials cache.
+ *
+ * This class reads the authentication details from the CLI-generated credentials file
+ * (`creds-cache.json`) and manages the token lifecycle, including:
+ *
+ *
+ * - Validating the access token's expiration.
+ * - Refreshing the token using the stored refresh token when expired.
+ * - Updating the credentials file with the new token details.
+ *
+ *
+ * By default, the credentials file is expected at:
+ * System.getProperty("user.home") + "/.config/hcp/creds-cache.json".
+ * However, users can provide a custom file path through configuration.
+ *
+ */
+public final class HcpVaultCredentialsFileAuthenticator {
+ private static final String TOKEN_URL = "https://auth.idp.hashicorp.com/oauth2/token";
+ private static final String GRANT_TYPE = "refresh_token";
+ private static final String CONTENT_TYPE = "application/x-www-form-urlencoded";
+ private static final String TOKEN_REFRESH_PAYLOAD_FORMAT = "grant_type=%s&refresh_token=%s&client_id=%s";
+ private static final String CREDENTIALS_JSON_FORMAT =
+ "{ \"login\": { \"access_token\": \"%s\", \"refresh_token\": \"%s\", \"access_token_expiry\": \"%s\" } }";
+
+ // JSON field constants
+ public static final String ACCESS_TOKEN_FIELD = "access_token";
+ private static final String REFRESH_TOKEN_FIELD = "refresh_token";
+ private static final String ACCESS_TOKEN_EXPIRY_FIELD = "access_token_expiry";
+ private static final String EXPIRES_IN_FIELD = "expires_in";
+ private static final String CLIENT_ID_FIELD = "client_id";
+ private static final String LOGIN_FIELD = "login";
+
+ private final ReentrantLock lock = new ReentrantLock();
+
+ private volatile String accessToken;
+ private volatile String refreshToken;
+ private volatile Instant tokenExpiry;
+
+ private final Path credsFilePath;
+
+ /**
+ * Creates an instance of {@link HcpVaultCredentialsFileAuthenticator} to handle authentication
+ * via the HCP CLI credentials cache file.
+ *
+ * @param credentialsFilePath The path to the credentials file.
+ */
+ public HcpVaultCredentialsFileAuthenticator(String credentialsFilePath) {
+ this.credsFilePath = Paths.get(credentialsFilePath);
+ }
+
+ /**
+ * Retrieves a valid access token, refreshing it if expired.
+ *
+ * @return A valid access token.
+ * @throws IOException if authentication fails.
+ */
+ public String getValidAccessToken() throws Exception {
+ lock.lock();
+ try {
+ if (accessToken == null || isTokenExpired()) {
+ loadCredentials();
+ if (isTokenExpired()) {
+ refreshAccessToken();
+ }
+ }
+ return accessToken;
+ } finally {
+ lock.unlock();
+ }
+ }
+
+ /**
+ * Loads credentials from the CLI cache file.
+ *
+ * @throws IOException if there is an error reading the file
+ */
+ private void loadCredentials() throws IOException {
+ if (!Files.exists(credsFilePath)) {
+ throw new IOException("HCP Vault credentials file not found: " + credsFilePath);
+ }
+
+ String content = new String(Files.readAllBytes(credsFilePath), StandardCharsets.UTF_8);
+
+ OracleJsonObject rootObject = JsonUtil.convertJsonToOracleJsonObject(content);
+ if (rootObject == null) {
+ throw new IOException("Failed to parse credentials file: invalid JSON format");
+ }
+
+ OracleJsonObject loginObject;
+ try {
+ loginObject = rootObject.getObject(LOGIN_FIELD);
+ } catch (NullPointerException e) {
+ throw new IOException("Invalid credentials file format: missing 'login'" +
+ " object", e);
+ }
+ accessToken = JsonUtil.extractField(loginObject, ACCESS_TOKEN_FIELD);
+ refreshToken = JsonUtil.extractField(loginObject, REFRESH_TOKEN_FIELD);
+
+ String expiryStr = JsonUtil.extractField(loginObject, ACCESS_TOKEN_EXPIRY_FIELD);
+ if (expiryStr != null && !expiryStr.isEmpty()) {
+ tokenExpiry = OffsetDateTime.parse(expiryStr, DateTimeFormatter.ISO_OFFSET_DATE_TIME).toInstant();
+ }
+ }
+
+ /**
+ * Checks if the current token is expired.
+ *
+ * @return true if the token is expired
+ */
+ private boolean isTokenExpired() {
+ return tokenExpiry == null || Instant.now().isAfter(tokenExpiry);
+ }
+
+ /**
+ * Refreshes the access token using the refresh token.
+ *
+ * @throws IOException if the refresh operation fails
+ */
+ private void refreshAccessToken() throws Exception {
+ String clientId = extractClientIdFromToken(accessToken);
+ if (clientId == null || refreshToken == null) {
+ throw new IllegalStateException("Missing required parameters for token refresh.");
+ }
+
+ String payload = String.format(TOKEN_REFRESH_PAYLOAD_FORMAT, GRANT_TYPE, refreshToken, clientId);
+ String jsonResponse = HttpUtil.sendPostRequest(TOKEN_URL, payload, CONTENT_TYPE, null
+ , null);
+
+ OracleJsonObject response = JsonUtil.convertJsonToOracleJsonObject(jsonResponse);
+ updateTokensFromResponse(response);
+ updateCredsFile();
+ }
+
+ /**
+ * Updates tokens and expiry from the refresh response.
+ *
+ * @param response The JSON response from the refresh request
+ */
+ private void updateTokensFromResponse(OracleJsonObject response) {
+ accessToken = JsonUtil.extractField(response, ACCESS_TOKEN_FIELD);
+
+ try {
+ long expiresInSeconds = response.getLong(EXPIRES_IN_FIELD);
+ tokenExpiry = Instant.now().plusSeconds(expiresInSeconds);
+ } catch (NullPointerException e) {
+ throw new IllegalStateException("Missing '" + EXPIRES_IN_FIELD + "' field in token response", e);
+ }
+
+ // Update refresh token if provided
+ String newRefreshToken = JsonUtil.extractField(response, REFRESH_TOKEN_FIELD);
+ if (newRefreshToken != null && !newRefreshToken.isEmpty()) {
+ refreshToken = newRefreshToken;
+ }
+ }
+
+ /**
+ * Updates the credentials cache file with new token information.
+ *
+ * @throws IOException if file writing fails
+ */
+ private void updateCredsFile() throws IOException {
+ String updatedContent = String.format(CREDENTIALS_JSON_FORMAT, accessToken,
+ refreshToken, OffsetDateTime.ofInstant(tokenExpiry, ZoneOffset.UTC).format(DateTimeFormatter.ISO_OFFSET_DATE_TIME)
+ );
+
+ Files.write(credsFilePath, updatedContent.getBytes(StandardCharsets.UTF_8));
+ }
+
+ /**
+ * Extracts the client ID from a JWT token.
+ *
+ * @param token The JWT token
+ * @return The extracted client ID
+ * @throws IllegalArgumentException if the token is invalid or client_id extraction fails.
+ */
+ private static String extractClientIdFromToken(String token) {
+ try {
+ String[] parts = token.split("\\.");
+ if (parts.length != 3) {
+ throw new IllegalArgumentException("Invalid JWT token format.");
+ }
+ String payloadJson = new String(Base64.getUrlDecoder().decode(parts[1]), StandardCharsets.UTF_8);
+ OracleJsonObject payload = JsonUtil.convertJsonToOracleJsonObject(payloadJson);
+ return JsonUtil.extractField(payload, CLIENT_ID_FIELD);
+ } catch (Exception e) {
+ throw new IllegalArgumentException("Failed to extract client_id from JWT token.", e);
+ }
+ }
+}
diff --git a/ojdbc-provider-hashicorp/src/main/java/oracle/jdbc/provider/hashicorp/hcpvaultsecret/authentication/HcpVaultOAuthClient.java b/ojdbc-provider-hashicorp/src/main/java/oracle/jdbc/provider/hashicorp/hcpvaultsecret/authentication/HcpVaultOAuthClient.java
new file mode 100644
index 00000000..7b1773c3
--- /dev/null
+++ b/ojdbc-provider-hashicorp/src/main/java/oracle/jdbc/provider/hashicorp/hcpvaultsecret/authentication/HcpVaultOAuthClient.java
@@ -0,0 +1,93 @@
+/*
+ ** Copyright (c) 2025 Oracle and/or its affiliates.
+ **
+ ** The Universal Permissive License (UPL), Version 1.0
+ **
+ ** Subject to the condition set forth below, permission is hereby granted to any
+ ** person obtaining a copy of this software, associated documentation and/or data
+ ** (collectively the "Software"), free of charge and under any and all copyright
+ ** rights in the Software, and any and all patent rights owned or freely
+ ** licensable by each licensor hereunder covering either (i) the unmodified
+ ** Software as contributed to or provided by such licensor, or (ii) the Larger
+ ** Works (as defined below), to deal in both
+ **
+ ** (a) the Software, and
+ ** (b) any piece of software and/or hardware listed in the lrgrwrks.txt file if
+ ** one is included with the Software (each a "Larger Work" to which the Software
+ ** is contributed by such licensors),
+ **
+ ** without restriction, including without limitation the rights to copy, create
+ ** derivative works of, display, perform, and distribute the Software and make,
+ ** use, sell, offer for sale, import, export, have made, and have sold the
+ ** Software and the Larger Work(s), and to sublicense the foregoing rights on
+ ** either these or other terms.
+ **
+ ** This license is subject to the following condition:
+ ** The above copyright notice and either this complete permission notice or at
+ ** a minimum a reference to the UPL must be included in all copies or
+ ** substantial portions of the Software.
+ **
+ ** THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ ** IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ ** FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ ** AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ ** LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ ** OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ ** SOFTWARE.
+ */
+
+package oracle.jdbc.provider.hashicorp.hcpvaultsecret.authentication;
+
+import oracle.jdbc.provider.hashicorp.util.HttpUtil;
+import oracle.jdbc.provider.hashicorp.util.JsonUtil;
+import oracle.sql.json.OracleJsonObject;
+
+import static oracle.jdbc.provider.hashicorp.hcpvaultsecret.authentication.HcpVaultCredentialsFileAuthenticator.ACCESS_TOKEN_FIELD;
+
+/**
+ * A client for performing OAuth2 operations with HCP Vault Secrets.
+ *
+ * This class implements the client_credentials flow to obtain an API token
+ * required for interacting with HCP Vault Secrets.
+ *
+ */
+public final class HcpVaultOAuthClient {
+
+ private static final String OAUTH_TOKEN_URL = "https://auth.idp.hashicorp.com/oauth/token";
+ private static final String CONTENT_TYPE = "application/x-www-form-urlencoded";
+ private static final String GRANT_TYPE = "client_credentials";
+ private static final String AUDIENCE = "https://api.hashicorp.cloud";
+ private static final String CLIENT_CREDENTIALS_PAYLOAD_FORMAT =
+ "grant_type=%s&client_id=%s&client_secret=%s&audience=%s";
+
+ private HcpVaultOAuthClient() {}
+
+ /**
+ * Fetches an access token from HCP Vault Secrets using the client_credentials flow.
+ *
+ * @param clientId the OAuth2 client ID. Must not be null or empty.
+ * @param clientSecret the OAuth2 client secret. Must not be null or empty.
+ * @return the access token as a {@code String}. Never null or empty.
+ * @throws IllegalStateException if the token cannot be obtained.
+ */
+ public static String fetchHcpAccessToken(String clientId, String clientSecret) {
+ try {
+ String payload = String.format(
+ CLIENT_CREDENTIALS_PAYLOAD_FORMAT, GRANT_TYPE, clientId, clientSecret, AUDIENCE);
+
+ String jsonResponse = HttpUtil.sendPostRequest(
+ OAUTH_TOKEN_URL,
+ payload,
+ CONTENT_TYPE,
+ null,
+ null
+ );
+ OracleJsonObject response = JsonUtil.convertJsonToOracleJsonObject(jsonResponse);
+ return JsonUtil.extractField(response, ACCESS_TOKEN_FIELD);
+
+ } catch (Exception e) {
+ throw new IllegalStateException("Failed to fetch HCP access token", e);
+ }
+ }
+
+}
diff --git a/ojdbc-provider-hashicorp/src/main/java/oracle/jdbc/provider/hashicorp/hcpvaultsecret/authentication/HcpVaultSecretParameters.java b/ojdbc-provider-hashicorp/src/main/java/oracle/jdbc/provider/hashicorp/hcpvaultsecret/authentication/HcpVaultSecretParameters.java
new file mode 100644
index 00000000..80da8158
--- /dev/null
+++ b/ojdbc-provider-hashicorp/src/main/java/oracle/jdbc/provider/hashicorp/hcpvaultsecret/authentication/HcpVaultSecretParameters.java
@@ -0,0 +1,205 @@
+/*
+ ** Copyright (c) 2025 Oracle and/or its affiliates.
+ **
+ ** The Universal Permissive License (UPL), Version 1.0
+ **
+ ** Subject to the condition set forth below, permission is hereby granted to any
+ ** person obtaining a copy of this software, associated documentation and/or data
+ ** (collectively the "Software"), free of charge and under any and all copyright
+ ** rights in the Software, and any and all patent rights owned or freely
+ ** licensable by each licensor hereunder covering either (i) the unmodified
+ ** Software as contributed to or provided by such licensor, or (ii) the Larger
+ ** Works (as defined below), to deal in both
+ **
+ ** (a) the Software, and
+ ** (b) any piece of software and/or hardware listed in the lrgrwrks.txt file if
+ ** one is included with the Software (each a "Larger Work" to which the Software
+ ** is contributed by such licensors),
+ **
+ ** without restriction, including without limitation the rights to copy, create
+ ** derivative works of, display, perform, and distribute the Software and make,
+ ** use, sell, offer for sale, import, export, have made, and have sold the
+ ** Software and the Larger Work(s), and to sublicense the foregoing rights on
+ ** either these or other terms.
+ **
+ ** This license is subject to the following condition:
+ ** The above copyright notice and either this complete permission notice or at
+ ** a minimum a reference to the UPL must be included in all copies or
+ ** substantial portions of the Software.
+ **
+ ** THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ ** IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ ** FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ ** AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ ** LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ ** OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ ** SOFTWARE.
+ */
+
+package oracle.jdbc.provider.hashicorp.hcpvaultsecret.authentication;
+
+import oracle.jdbc.provider.hashicorp.util.Parameterutil;
+import oracle.jdbc.provider.parameter.Parameter;
+import oracle.jdbc.provider.parameter.ParameterSet;
+import oracle.jdbc.provider.parameter.ParameterSetParser;
+
+import java.util.HashMap;
+import java.util.Map;
+
+import static oracle.jdbc.provider.hashicorp.hcpvaultsecret.authentication.HcpVaultAuthenticationMethod.AUTO_DETECT;
+import static oracle.jdbc.provider.parameter.Parameter.CommonAttribute.*;
+
+/**
+ * Contains parameter definitions for interacting with HCP Vault Secrets.
+ *
+ * This class centralizes configuration parameters used for authenticating
+ * with and retrieving secrets from HCP Vault Secrets.
+ *
+ */
+public class HcpVaultSecretParameters {
+
+ /**
+ * Constants representing the configuration parameter names for HCP Vault Secrets.
+ *
+ * These constants serve as both parameter names within the {@link ParameterSet}
+ * and as keys for environment variables or system properties.
+ *
+ */
+ public static final String PARAM_HCP_ORG_ID = "HCP_ORG_ID";
+ public static final String PARAM_HCP_PROJECT_ID = "HCP_PROJECT_ID";
+ public static final String PARAM_HCP_APP_NAME = "HCP_APP_NAME";
+ public static final String PARAM_HCP_CLIENT_ID = "HCP_CLIENT_ID";
+ public static final String PARAM_HCP_CLIENT_SECRET = "HCP_CLIENT_SECRET";
+ public static final String PARAM_HCP_CREDENTIALS_FILE =
+ "HCP_CREDENTIALS_FILE";
+ private static final String DEFAULT_CREDENTIALS_FILE_PATH =
+ System.getProperty("user.home") + "/.config/hcp/creds-cache.json";
+ private static final String PARAM_AUTHENTICATION = "AUTHENTICATION";
+
+ /**
+ * Parameter indicating the authentication method to use for HCP Vault Secrets.
+ */
+ public static final Parameter AUTHENTICATION_METHOD = Parameter.create(REQUIRED);
+
+ /**
+ * Parameter for the OAuth2 client ID. Required.
+ */
+ public static final Parameter HCP_CLIENT_ID = Parameter.create(REQUIRED);
+
+ /**
+ * Parameter for the OAuth2 client secret. Required.
+ */
+ public static final Parameter HCP_CLIENT_SECRET = Parameter.create(REQUIRED);
+
+ /**
+ * Parameter for the credentials file path.
+ * By default, the credentials file is expected at:
+ * System.getProperty("user.home") + "/.config/hcp/creds-cache.json".
+ */
+ public static final Parameter HCP_CREDENTIALS_FILE = Parameter.create(REQUIRED);
+
+ /**
+ * Parameter for the organization ID. Required.
+ */
+ public static final Parameter HCP_ORG_ID = Parameter.create(REQUIRED);
+
+ /**
+ * Parameter for the project ID. Required.
+ */
+ public static final Parameter HCP_PROJECT_ID = Parameter.create(REQUIRED);
+
+ /**
+ * Parameter for the application name. Required.
+ */
+ public static final Parameter HCP_APP_NAME = Parameter.create(REQUIRED);
+
+ /**
+ * Parameter for the secret name. Required.
+ */
+ public static final Parameter SECRET_NAME = Parameter.create(REQUIRED);
+
+ /**
+ * Parameter for the optional key in the secret JSON.
+ */
+ public static final Parameter KEY = Parameter.create();
+
+ /**
+ * Builds a ParameterSet from the given options map.
+ *
+ * This method makes a defensive copy of the provided map, ensures that a default
+ * authentication method is set, and then fills in missing keys using fallback values
+ * (from system properties or environment variables) based on the authentication method.
+ * Finally, it parses the updated map into a ParameterSet.
+ *
+ *
+ * @param inputOpts The input options map.
+ * @return The ParameterSet.
+ */
+ public static ParameterSet buildResolvedParameterSet(Map inputOpts) {
+ Map opts = new HashMap<>(inputOpts);
+
+ String authStr = opts.entrySet().stream()
+ .filter(entry -> entry.getKey().equalsIgnoreCase(PARAM_AUTHENTICATION))
+ .map(Map.Entry::getValue)
+ .findFirst()
+ .orElse(HcpVaultAuthenticationMethod.AUTO_DETECT.name());
+
+ HcpVaultAuthenticationMethod authMethod =
+ HcpVaultAuthenticationMethod.valueOf(authStr.toUpperCase());
+
+ opts.computeIfAbsent(PARAM_HCP_ORG_ID, Parameterutil::getFallback);
+ opts.computeIfAbsent(PARAM_HCP_PROJECT_ID, Parameterutil::getFallback);
+ opts.computeIfAbsent(PARAM_HCP_APP_NAME, Parameterutil::getFallback);
+
+ switch (authMethod) {
+ case CLIENT_CREDENTIALS:
+ opts.computeIfAbsent(PARAM_HCP_CLIENT_ID, Parameterutil::getFallback);
+ opts.computeIfAbsent(PARAM_HCP_CLIENT_SECRET, Parameterutil::getFallback);
+ break;
+ case CLI_CREDENTIALS_FILE:
+ opts.computeIfAbsent(PARAM_HCP_CREDENTIALS_FILE, Parameterutil::getFallback);
+ break;
+ case AUTO_DETECT:
+ opts.computeIfAbsent(PARAM_HCP_CLIENT_ID, Parameterutil::getFallback);
+ opts.computeIfAbsent(PARAM_HCP_CLIENT_SECRET, Parameterutil::getFallback);
+ opts.computeIfAbsent(PARAM_HCP_CREDENTIALS_FILE, Parameterutil::getFallback);
+ break;
+ default:
+ break;
+ }
+ return PARAMETER_SET_PARSER.parseNamedValues(opts);
+ }
+
+ /**
+ * Parses the authentication method from a string value.
+ *
+ * @param value the string value representing the authentication method. Must
+ * not be null.
+ * @return the parsed {@link HcpVaultAuthenticationMethod}.
+ * @throws IllegalArgumentException if the value is unrecognized.
+ */
+ private static HcpVaultAuthenticationMethod parseAuthMethod(String value) {
+ try {
+ return HcpVaultAuthenticationMethod.valueOf(value.toUpperCase());
+ } catch (IllegalArgumentException e) {
+ throw new IllegalArgumentException(
+ "Unrecognized HCP auth method: " + value, e);
+ }
+ }
+
+ public static final ParameterSetParser PARAMETER_SET_PARSER =
+ ParameterSetParser.builder()
+ .addParameter("value", SECRET_NAME)
+ .addParameter(PARAM_AUTHENTICATION, AUTHENTICATION_METHOD, AUTO_DETECT,
+ HcpVaultSecretParameters::parseAuthMethod)
+ .addParameter(PARAM_HCP_ORG_ID, HCP_ORG_ID)
+ .addParameter(PARAM_HCP_PROJECT_ID, HCP_PROJECT_ID)
+ .addParameter(PARAM_HCP_APP_NAME, HCP_APP_NAME)
+ .addParameter(PARAM_HCP_CLIENT_ID, HCP_CLIENT_ID)
+ .addParameter(PARAM_HCP_CLIENT_SECRET, HCP_CLIENT_SECRET)
+ .addParameter(PARAM_HCP_CREDENTIALS_FILE, HCP_CREDENTIALS_FILE, DEFAULT_CREDENTIALS_FILE_PATH)
+ .addParameter("KEY", KEY)
+ .addParameter("type", Parameter.create())
+ .build();
+
+}
diff --git a/ojdbc-provider-hashicorp/src/main/java/oracle/jdbc/provider/hashicorp/hcpvaultsecret/authentication/HcpVaultSecretToken.java b/ojdbc-provider-hashicorp/src/main/java/oracle/jdbc/provider/hashicorp/hcpvaultsecret/authentication/HcpVaultSecretToken.java
new file mode 100644
index 00000000..14a2d677
--- /dev/null
+++ b/ojdbc-provider-hashicorp/src/main/java/oracle/jdbc/provider/hashicorp/hcpvaultsecret/authentication/HcpVaultSecretToken.java
@@ -0,0 +1,73 @@
+/*
+ ** Copyright (c) 2025 Oracle and/or its affiliates.
+ **
+ ** The Universal Permissive License (UPL), Version 1.0
+ **
+ ** Subject to the condition set forth below, permission is hereby granted to any
+ ** person obtaining a copy of this software, associated documentation and/or data
+ ** (collectively the "Software"), free of charge and under any and all copyright
+ ** rights in the Software, and any and all patent rights owned or freely
+ ** licensable by each licensor hereunder covering either (i) the unmodified
+ ** Software as contributed to or provided by such licensor, or (ii) the Larger
+ ** Works (as defined below), to deal in both
+ **
+ ** (a) the Software, and
+ ** (b) any piece of software and/or hardware listed in the lrgrwrks.txt file if
+ ** one is included with the Software (each a "Larger Work" to which the Software
+ ** is contributed by such licensors),
+ **
+ ** without restriction, including without limitation the rights to copy, create
+ ** derivative works of, display, perform, and distribute the Software and make,
+ ** use, sell, offer for sale, import, export, have made, and have sold the
+ ** Software and the Larger Work(s), and to sublicense the foregoing rights on
+ ** either these or other terms.
+ **
+ ** This license is subject to the following condition:
+ ** The above copyright notice and either this complete permission notice or at
+ ** a minimum a reference to the UPL must be included in all copies or
+ ** substantial portions of the Software.
+ **
+ ** THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ ** IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ ** FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ ** AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ ** LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ ** OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ ** SOFTWARE.
+ */
+
+package oracle.jdbc.provider.hashicorp.hcpvaultsecret.authentication;
+
+/**
+ * Represents the credentials required to authenticate with HCP Vault Secrets.
+ *
+ * This class holds the API token obtained from the client_credentials OAuth2 flow.
+ *
+ */
+public final class HcpVaultSecretToken {
+ private final String hcpApiToken;
+
+ /**
+ * Constructs a new {@code HcpVaultSecretToken} object with
+ * the provided API token.
+ *
+ * @param hcpApiToken the token used to authenticate API requests to
+ * the HCP Vault Secret. Must not be null or empty.
+ * @throws IllegalArgumentException if {@code hcpApiToken} is null or empty.
+ */
+ public HcpVaultSecretToken(String hcpApiToken) {
+ if (hcpApiToken == null || hcpApiToken.isEmpty()) {
+ throw new IllegalArgumentException("HCP API token must not be null or empty.");
+ }
+ this.hcpApiToken = hcpApiToken;
+ }
+
+ /**
+ * Returns the HCP API token used for authentication.
+ *
+ * @return the HCP API token as a {@link String}.
+ */
+ public String getHcpApiToken() {
+ return hcpApiToken;
+ }
+}
diff --git a/ojdbc-provider-hashicorp/src/main/java/oracle/jdbc/provider/hashicorp/hcpvaultsecret/authentication/HcpVaultTokenFactory.java b/ojdbc-provider-hashicorp/src/main/java/oracle/jdbc/provider/hashicorp/hcpvaultsecret/authentication/HcpVaultTokenFactory.java
new file mode 100644
index 00000000..05bfdfb1
--- /dev/null
+++ b/ojdbc-provider-hashicorp/src/main/java/oracle/jdbc/provider/hashicorp/hcpvaultsecret/authentication/HcpVaultTokenFactory.java
@@ -0,0 +1,135 @@
+/*
+ ** Copyright (c) 2025 Oracle and/or its affiliates.
+ **
+ ** The Universal Permissive License (UPL), Version 1.0
+ **
+ ** Subject to the condition set forth below, permission is hereby granted to any
+ ** person obtaining a copy of this software, associated documentation and/or data
+ ** (collectively the "Software"), free of charge and under any and all copyright
+ ** rights in the Software, and any and all patent rights owned or freely
+ ** licensable by each licensor hereunder covering either (i) the unmodified
+ ** Software as contributed to or provided by such licensor, or (ii) the Larger
+ ** Works (as defined below), to deal in both
+ **
+ ** (a) the Software, and
+ ** (b) any piece of software and/or hardware listed in the lrgrwrks.txt file if
+ ** one is included with the Software (each a "Larger Work" to which the Software
+ ** is contributed by such licensors),
+ **
+ ** without restriction, including without limitation the rights to copy, create
+ ** derivative works of, display, perform, and distribute the Software and make,
+ ** use, sell, offer for sale, import, export, have made, and have sold the
+ ** Software and the Larger Work(s), and to sublicense the foregoing rights on
+ ** either these or other terms.
+ **
+ ** This license is subject to the following condition:
+ ** The above copyright notice and either this complete permission notice or at
+ ** a minimum a reference to the UPL must be included in all copies or
+ ** substantial portions of the Software.
+ **
+ ** THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ ** IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ ** FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ ** AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ ** LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ ** OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ ** SOFTWARE.
+ */
+
+package oracle.jdbc.provider.hashicorp.hcpvaultsecret.authentication;
+
+import oracle.jdbc.AccessToken;
+import oracle.jdbc.driver.oauth.JsonWebToken;
+import oracle.jdbc.provider.factory.Resource;
+import oracle.jdbc.provider.factory.ResourceFactory;
+import oracle.jdbc.provider.parameter.Parameter;
+import oracle.jdbc.provider.parameter.ParameterSet;
+
+import java.util.Map;
+import java.util.concurrent.ConcurrentHashMap;
+import java.util.function.Supplier;
+
+import static oracle.jdbc.provider.hashicorp.hcpvaultsecret.authentication.HcpVaultSecretParameters.AUTHENTICATION_METHOD;
+import static oracle.jdbc.provider.parameter.Parameter.CommonAttribute.REQUIRED;
+/**
+ * A factory for creating {@link HcpVaultSecretToken} objects for HCP Vault Secrets.
+ *
+ * Implements the client_credentials flow as well as file-based authentication.
+ * The auto-detect mode attempts file-based authentication first, then falls back
+ * to client credentials.
+ *
+ */
+public final class HcpVaultTokenFactory implements ResourceFactory {
+
+ private static final HcpVaultTokenFactory INSTANCE = new HcpVaultTokenFactory();
+
+ private static final ConcurrentHashMap, Supplier> tokenCache =
+ new ConcurrentHashMap<>();
+
+ private HcpVaultTokenFactory() {}
+
+ public static HcpVaultTokenFactory getInstance() {
+ return INSTANCE;
+ }
+
+ @Override
+ public Resource request(ParameterSet parameterSet) {
+ HcpVaultSecretToken credentials = getCredential(parameterSet);
+ return Resource.createPermanentResource(credentials, true);
+ }
+
+ /**
+ * Determines the authentication method and retrieves credentials accordingly.
+ *
+ * @param parameterSet The parameter set containing authentication details.
+ * @return The HCP Vault secret token.
+ */
+ private HcpVaultSecretToken getCredential(ParameterSet parameterSet) {
+ HcpVaultAuthenticationMethod method = parameterSet.getRequired(AUTHENTICATION_METHOD);
+ AbstractHcpVaultAuthentication authentication = getAuthentication(method);
+ return createCachedToken(parameterSet, authentication);
+ }
+
+ /**
+ * Creates or retrieves a cached {@link HcpVaultSecretToken} for the specified
+ * authentication method.
+ *
+ * @param parameterSet the set of parameters for the request.
+ * @param authentication the authentication method being used.
+ * @return a {@code HcpVaultSecretToken} instance.
+ */
+ private HcpVaultSecretToken createCachedToken(
+ ParameterSet parameterSet, AbstractHcpVaultAuthentication authentication) {
+
+ Map cacheKey = authentication.generateCacheKey(parameterSet);
+
+ Supplier tokenSupplier = tokenCache.computeIfAbsent(cacheKey, k -> AccessToken.createJsonWebTokenCache(() -> {
+ HcpVaultSecretToken token = authentication.generateToken(parameterSet);
+ return AccessToken.createJsonWebToken(token.getHcpApiToken().toCharArray());
+ }));
+
+ AccessToken cachedToken = tokenSupplier.get();
+ JsonWebToken jwt = (JsonWebToken) cachedToken;
+ return new HcpVaultSecretToken(jwt.token().get());
+ }
+
+ /**
+ * Returns the appropriate authentication strategy for the specified method.
+ *
+ * @param method the authentication method
+ * @return the corresponding {@link AbstractHcpVaultAuthentication} instance
+ */
+ private AbstractHcpVaultAuthentication getAuthentication(HcpVaultAuthenticationMethod method) {
+ switch (method) {
+ case CLIENT_CREDENTIALS:
+ return ClientCredentialsAuthentication.INSTANCE;
+ case CLI_CREDENTIALS_FILE:
+ return CliCredentialsFileAuthentication.INSTANCE;
+ case AUTO_DETECT:
+ return AutoDetectAuthentication.INSTANCE;
+ default:
+ throw new IllegalArgumentException("Unsupported authentication method: " + method);
+ }
+ }
+
+}
diff --git a/ojdbc-provider-hashicorp/src/main/java/oracle/jdbc/provider/hashicorp/hcpvaultsecret/configuration/HcpVaultJsonVaultProvider.java b/ojdbc-provider-hashicorp/src/main/java/oracle/jdbc/provider/hashicorp/hcpvaultsecret/configuration/HcpVaultJsonVaultProvider.java
new file mode 100644
index 00000000..af21af4c
--- /dev/null
+++ b/ojdbc-provider-hashicorp/src/main/java/oracle/jdbc/provider/hashicorp/hcpvaultsecret/configuration/HcpVaultJsonVaultProvider.java
@@ -0,0 +1,95 @@
+/*
+ ** Copyright (c) 2025 Oracle and/or its affiliates.
+ **
+ ** The Universal Permissive License (UPL), Version 1.0
+ **
+ ** Subject to the condition set forth below, permission is hereby granted to any
+ ** person obtaining a copy of this software, associated documentation and/or data
+ ** (collectively the "Software"), free of charge and under any and all copyright
+ ** rights in the Software, and any and all patent rights owned or freely
+ ** licensable by each licensor hereunder covering either (i) the unmodified
+ ** Software as contributed to or provided by such licensor, or (ii) the Larger
+ ** Works (as defined below), to deal in both
+ **
+ ** (a) the Software, and
+ ** (b) any piece of software and/or hardware listed in the lrgrwrks.txt file if
+ ** one is included with the Software (each a "Larger Work" to which the Software
+ ** is contributed by such licensors),
+ **
+ ** without restriction, including without limitation the rights to copy, create
+ ** derivative works of, display, perform, and distribute the Software and make,
+ ** use, sell, offer for sale, import, export, have made, and have sold the
+ ** Software and the Larger Work(s), and to sublicense the foregoing rights on
+ ** either these or other terms.
+ **
+ ** This license is subject to the following condition:
+ ** The above copyright notice and either this complete permission notice or at
+ ** a minimum a reference to the UPL must be included in all copies or
+ ** substantial portions of the Software.
+ **
+ ** THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ ** IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ ** FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ ** AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ ** LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ ** OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ ** SOFTWARE.
+ */
+
+package oracle.jdbc.provider.hashicorp.hcpvaultsecret.configuration;
+
+import oracle.jdbc.provider.hashicorp.hcpvaultsecret.secrets.HcpVaultSecretsManagerFactory;
+import oracle.jdbc.provider.parameter.ParameterSet;
+import oracle.jdbc.spi.OracleConfigurationSecretProvider;
+
+import java.nio.charset.StandardCharsets;
+import java.util.Base64;
+import java.util.Map;
+
+import static oracle.jdbc.provider.hashicorp.hcpvaultsecret.authentication.HcpVaultSecretParameters.PARAMETER_SET_PARSER;
+/**
+ *
+ * Implementation of {@link OracleConfigurationSecretProvider} for
+ * HCP Vault Secret. This provider retrieves secrets stored in the HCP Vault
+ * Secret using
+ * the specified {@code SECRET_NAME}.
+ *
+ *
+ * The {@code jsonObject} must adhere to the following structure:
+ *
+ *
+ * {@code
+ * "password": {
+ * "type": "hcpvaultsecret",
+ * "value": "",
+ * }
+ * }
+ *
+ *
+ * The {@code SECRET_NAME} the specific secret to retrieve from hcp vault.
+ * The secret's value is retrieved and returned as a Base64-encoded
+ * character array.
+ *
+ */
+public class HcpVaultJsonVaultProvider implements OracleConfigurationSecretProvider {
+
+
+ @Override
+ public char[] getSecret(Map map) {
+ ParameterSet parameterSet = PARAMETER_SET_PARSER.parseNamedValues(map);
+
+ String secretString = HcpVaultSecretsManagerFactory
+ .getInstance()
+ .request(parameterSet)
+ .getContent();
+
+ String base64Encoded = Base64.getEncoder()
+ .encodeToString(secretString.getBytes(StandardCharsets.UTF_8));
+ return base64Encoded.toCharArray();
+ }
+
+ @Override
+ public String getSecretType() {
+ return "hcpvaultsecret";
+ }
+}
diff --git a/ojdbc-provider-hashicorp/src/main/java/oracle/jdbc/provider/hashicorp/hcpvaultsecret/configuration/HcpVaultSecretsManagerConfigurationProvider.java b/ojdbc-provider-hashicorp/src/main/java/oracle/jdbc/provider/hashicorp/hcpvaultsecret/configuration/HcpVaultSecretsManagerConfigurationProvider.java
new file mode 100644
index 00000000..164c8487
--- /dev/null
+++ b/ojdbc-provider-hashicorp/src/main/java/oracle/jdbc/provider/hashicorp/hcpvaultsecret/configuration/HcpVaultSecretsManagerConfigurationProvider.java
@@ -0,0 +1,88 @@
+/*
+ ** Copyright (c) 2025 Oracle and/or its affiliates.
+ **
+ ** The Universal Permissive License (UPL), Version 1.0
+ **
+ ** Subject to the condition set forth below, permission is hereby granted to any
+ ** person obtaining a copy of this software, associated documentation and/or data
+ ** (collectively the "Software"), free of charge and under any and all copyright
+ ** rights in the Software, and any and all patent rights owned or freely
+ ** licensable by each licensor hereunder covering either (i) the unmodified
+ ** Software as contributed to or provided by such licensor, or (ii) the Larger
+ ** Works (as defined below), to deal in both
+ **
+ ** (a) the Software, and
+ ** (b) any piece of software and/or hardware listed in the lrgrwrks.txt file if
+ ** one is included with the Software (each a "Larger Work" to which the Software
+ ** is contributed by such licensors),
+ **
+ ** without restriction, including without limitation the rights to copy, create
+ ** derivative works of, display, perform, and distribute the Software and make,
+ ** use, sell, offer for sale, import, export, have made, and have sold the
+ ** Software and the Larger Work(s), and to sublicense the foregoing rights on
+ ** either these or other terms.
+ **
+ ** This license is subject to the following condition:
+ ** The above copyright notice and either this complete permission notice or at
+ ** a minimum a reference to the UPL must be included in all copies or
+ ** substantial portions of the Software.
+ **
+ ** THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ ** IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ ** FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ ** AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ ** LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ ** OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ ** SOFTWARE.
+ */
+
+package oracle.jdbc.provider.hashicorp.hcpvaultsecret.configuration;
+
+import oracle.jdbc.driver.configuration.OracleConfigurationParsableProvider;
+import oracle.jdbc.provider.hashicorp.hcpvaultsecret.secrets.HcpVaultSecretsManagerFactory;
+import oracle.jdbc.provider.parameter.ParameterSet;
+import oracle.jdbc.util.OracleConfigurationCache;
+
+import java.io.ByteArrayInputStream;
+import java.io.InputStream;
+import java.nio.charset.StandardCharsets;
+import java.util.HashMap;
+import java.util.Map;
+
+import static oracle.jdbc.provider.hashicorp.hcpvaultsecret.authentication.HcpVaultSecretParameters.*;
+
+
+public class HcpVaultSecretsManagerConfigurationProvider extends OracleConfigurationParsableProvider {
+
+ @Override
+ public InputStream getInputStream(String secretName) {
+ final String valueField = "value";
+ Map optionsWithAppName = new HashMap<>(options);
+ optionsWithAppName.put(valueField, secretName);
+
+ ParameterSet finalParams = buildResolvedParameterSet(optionsWithAppName);
+
+ String secretsJson = HcpVaultSecretsManagerFactory
+ .getInstance()
+ .request(finalParams)
+ .getContent();
+
+ return new ByteArrayInputStream(secretsJson.getBytes(StandardCharsets.UTF_8));
+ }
+
+ @Override
+ public String getType() {
+ // The provider name that appears in the JDBC URL after "config-"
+ return "hcpvaultsecret";
+ }
+
+ @Override
+ public OracleConfigurationCache getCache() {
+ return CACHE;
+ }
+
+ @Override
+ public String getParserType(String location) {
+ return "json";
+ }
+}
diff --git a/ojdbc-provider-hashicorp/src/main/java/oracle/jdbc/provider/hashicorp/hcpvaultsecret/secrets/HcpVaultApiClient.java b/ojdbc-provider-hashicorp/src/main/java/oracle/jdbc/provider/hashicorp/hcpvaultsecret/secrets/HcpVaultApiClient.java
new file mode 100644
index 00000000..330c5526
--- /dev/null
+++ b/ojdbc-provider-hashicorp/src/main/java/oracle/jdbc/provider/hashicorp/hcpvaultsecret/secrets/HcpVaultApiClient.java
@@ -0,0 +1,101 @@
+/*
+ ** Copyright (c) 2025 Oracle and/or its affiliates.
+ **
+ ** The Universal Permissive License (UPL), Version 1.0
+ **
+ ** Subject to the condition set forth below, permission is hereby granted to any
+ ** person obtaining a copy of this software, associated documentation and/or data
+ ** (collectively the "Software"), free of charge and under any and all copyright
+ ** rights in the Software, and any and all patent rights owned or freely
+ ** licensable by each licensor hereunder covering either (i) the unmodified
+ ** Software as contributed to or provided by such licensor, or (ii) the Larger
+ ** Works (as defined below), to deal in both
+ **
+ ** (a) the Software, and
+ ** (b) any piece of software and/or hardware listed in the lrgrwrks.txt file if
+ ** one is included with the Software (each a "Larger Work" to which the Software
+ ** is contributed by such licensors),
+ **
+ ** without restriction, including without limitation the rights to copy, create
+ ** derivative works of, display, perform, and distribute the Software and make,
+ ** use, sell, offer for sale, import, export, have made, and have sold the
+ ** Software and the Larger Work(s), and to sublicense the foregoing rights on
+ ** either these or other terms.
+ **
+ ** This license is subject to the following condition:
+ ** The above copyright notice and either this complete permission notice or at
+ ** a minimum a reference to the UPL must be included in all copies or
+ ** substantial portions of the Software.
+ **
+ ** THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ ** IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ ** FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ ** AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ ** LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ ** OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ ** SOFTWARE.
+ */
+
+package oracle.jdbc.provider.hashicorp.hcpvaultsecret.secrets;
+
+import oracle.jdbc.provider.hashicorp.util.HttpUtil;
+import oracle.sql.json.OracleJsonException;
+import oracle.sql.json.OracleJsonObject;
+
+import static oracle.jdbc.provider.hashicorp.util.JsonUtil.convertJsonToOracleJsonObject;
+
+/**
+ *
+ * Utility class for interacting with the HCP Vault Secrets API. Provides
+ * methods to fetch secrets and extract specific fields from JSON responses.
+ *
+ *
+ * This class is responsible for making HTTP requests to the HCP Vault API
+ * and parsing the JSON responses using the Oracle JSON library.
+ *
+ */
+public final class HcpVaultApiClient {
+
+ private static final String SECRET_FIELD = "secret";
+ private static final String STATIC_VERSION_FIELD = "static_version";
+ private static final String VALUE_FIELD = "value";
+
+ private HcpVaultApiClient() {
+ }
+
+ /**
+ * Fetches the secret value from the HCP Vault Secrets API.
+ *
+ * The API response contains metadata along with the secret. The expected format is:
+ *
+ * {
+ * "secret": {
+ * "static_version": {
+ * "value": "OUR_SECRET"
+ * }
+ * }
+ * }
+ *
+ * This method extracts and returns the `value` field.
+ *
+ * @param urlStr The HCP Vault API endpoint.
+ * @param token The Bearer token for authentication.
+ * @return The extracted secret value. Never null.
+ * @throws IllegalStateException If the request fails or JSON is invalid.
+ */
+ public static String fetchSecret(String urlStr, String token) {
+ try {
+ String jsonResponse = HttpUtil.sendGetRequest(urlStr, token, null);
+ OracleJsonObject jsonObject = convertJsonToOracleJsonObject(jsonResponse);
+
+ return jsonObject.getObject(SECRET_FIELD)
+ .getObject(STATIC_VERSION_FIELD)
+ .getString(VALUE_FIELD);
+
+ } catch (OracleJsonException e) {
+ throw new IllegalStateException("Invalid JSON structure or missing fields in response", e);
+ } catch (Exception e) {
+ throw new IllegalStateException("Failed to fetch HCP secrets from URL: " + urlStr, e);
+ }
+ }
+}
diff --git a/ojdbc-provider-hashicorp/src/main/java/oracle/jdbc/provider/hashicorp/hcpvaultsecret/secrets/HcpVaultSecretsManagerFactory.java b/ojdbc-provider-hashicorp/src/main/java/oracle/jdbc/provider/hashicorp/hcpvaultsecret/secrets/HcpVaultSecretsManagerFactory.java
new file mode 100644
index 00000000..3348a328
--- /dev/null
+++ b/ojdbc-provider-hashicorp/src/main/java/oracle/jdbc/provider/hashicorp/hcpvaultsecret/secrets/HcpVaultSecretsManagerFactory.java
@@ -0,0 +1,99 @@
+/*
+ ** Copyright (c) 2025 Oracle and/or its affiliates.
+ **
+ ** The Universal Permissive License (UPL), Version 1.0
+ **
+ ** Subject to the condition set forth below, permission is hereby granted to any
+ ** person obtaining a copy of this software, associated documentation and/or data
+ ** (collectively the "Software"), free of charge and under any and all copyright
+ ** rights in the Software, and any and all patent rights owned or freely
+ ** licensable by each licensor hereunder covering either (i) the unmodified
+ ** Software as contributed to or provided by such licensor, or (ii) the Larger
+ ** Works (as defined below), to deal in both
+ **
+ ** (a) the Software, and
+ ** (b) any piece of software and/or hardware listed in the lrgrwrks.txt file if
+ ** one is included with the Software (each a "Larger Work" to which the Software
+ ** is contributed by such licensors),
+ **
+ ** without restriction, including without limitation the rights to copy, create
+ ** derivative works of, display, perform, and distribute the Software and make,
+ ** use, sell, offer for sale, import, export, have made, and have sold the
+ ** Software and the Larger Work(s), and to sublicense the foregoing rights on
+ ** either these or other terms.
+ **
+ ** This license is subject to the following condition:
+ ** The above copyright notice and either this complete permission notice or at
+ ** a minimum a reference to the UPL must be included in all copies or
+ ** substantial portions of the Software.
+ **
+ ** THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ ** IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ ** FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ ** AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ ** LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ ** OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ ** SOFTWARE.
+ */
+
+package oracle.jdbc.provider.hashicorp.hcpvaultsecret.secrets;
+
+import oracle.jdbc.provider.cache.CachedResourceFactory;
+import oracle.jdbc.provider.factory.Resource;
+import oracle.jdbc.provider.factory.ResourceFactory;
+import oracle.jdbc.provider.hashicorp.hcpvaultsecret.HcpVaultResourceFactory;
+import oracle.jdbc.provider.hashicorp.hcpvaultsecret.authentication.HcpVaultSecretToken;
+import oracle.jdbc.provider.parameter.ParameterSet;
+
+import static oracle.jdbc.provider.hashicorp.hcpvaultsecret.authentication.HcpVaultSecretParameters.*;
+
+/**
+ *
+ * Factory for retrieving secrets from (HCP) Vault Secrets.
+ * Responsible for making API calls to the HCP Vault and parsing responses.
+ *
+ *
+ * The secrets API URL structure follows the format:
+ *
+ *
+ * {@code
+ * https://api.cloud.hashicorp.com/secrets/2023-11-28/organizations/{ORG_ID}/projects/{PROJECT_ID}/apps/{APP_NAME}/secrets/{SECRET_NAME}:open
+ * }
+ *
+ *
+ * For more details, refer to the official HCP Vault Secrets API documentation:
+ *
+ * Retrieve a Secret from HCP Vault Secrets
+ *
+ *
+ */
+public final class HcpVaultSecretsManagerFactory extends HcpVaultResourceFactory {
+
+ private static final String HCP_SECRETS_API_URL_FORMAT =
+ "https://api.cloud.hashicorp.com/secrets/2023-11-28/organizations/%s/projects/%s/apps/%s/secrets/%s:open";
+
+
+ private static final ResourceFactory INSTANCE =
+ CachedResourceFactory.create(new HcpVaultSecretsManagerFactory());
+
+ private HcpVaultSecretsManagerFactory() {}
+
+ public static ResourceFactory getInstance() {
+ return INSTANCE;
+ }
+
+ @Override
+ public Resource request(HcpVaultSecretToken credentials, ParameterSet parameterSet) {
+ String orgId = parameterSet.getRequired(HCP_ORG_ID);
+ String projectId = parameterSet.getRequired(HCP_PROJECT_ID);
+ String appName = parameterSet.getRequired(HCP_APP_NAME);
+ String secretName = parameterSet.getRequired(SECRET_NAME);
+
+ String hcpUrl = String.format(HCP_SECRETS_API_URL_FORMAT, orgId, projectId, appName, secretName);
+
+ String secretsJson = HcpVaultApiClient.fetchSecret(hcpUrl, credentials.getHcpApiToken());
+
+ return Resource.createPermanentResource(secretsJson, true);
+ }
+
+}
diff --git a/ojdbc-provider-hashicorp/src/main/java/oracle/jdbc/provider/hashicorp/util/HttpUtil.java b/ojdbc-provider-hashicorp/src/main/java/oracle/jdbc/provider/hashicorp/util/HttpUtil.java
new file mode 100644
index 00000000..b247aff9
--- /dev/null
+++ b/ojdbc-provider-hashicorp/src/main/java/oracle/jdbc/provider/hashicorp/util/HttpUtil.java
@@ -0,0 +1,217 @@
+/*
+ ** Copyright (c) 2025 Oracle and/or its affiliates.
+ **
+ ** The Universal Permissive License (UPL), Version 1.0
+ **
+ ** Subject to the condition set forth below, permission is hereby granted to any
+ ** person obtaining a copy of this software, associated documentation and/or data
+ ** (collectively the "Software"), free of charge and under any and all copyright
+ ** rights in the Software, and any and all patent rights owned or freely
+ ** licensable by each licensor hereunder covering either (i) the unmodified
+ ** Software as contributed to or provided by such licensor, or (ii) the Larger
+ ** Works (as defined below), to deal in both
+ **
+ ** (a) the Software, and
+ ** (b) any piece of software and/or hardware listed in the lrgrwrks.txt file if
+ ** one is included with the Software (each a "Larger Work" to which the Software
+ ** is contributed by such licensors),
+ **
+ ** without restriction, including without limitation the rights to copy, create
+ ** derivative works of, display, perform, and distribute the Software and make,
+ ** use, sell, offer for sale, import, export, have made, and have sold the
+ ** Software and the Larger Work(s), and to sublicense the foregoing rights on
+ ** either these or other terms.
+ **
+ ** This license is subject to the following condition:
+ ** The above copyright notice and either this complete permission notice or at
+ ** a minimum a reference to the UPL must be included in all copies or
+ ** substantial portions of the Software.
+ **
+ ** THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ ** IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ ** FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ ** AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ ** LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ ** OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ ** SOFTWARE.
+ */
+
+package oracle.jdbc.provider.hashicorp.util;
+
+import java.io.*;
+import java.net.HttpURLConnection;
+import java.net.URL;
+import java.nio.charset.StandardCharsets;
+import java.util.stream.Collectors;
+
+/**
+ * Utility class for handling HTTP requests and responses.
+ */
+public class HttpUtil {
+ // HTTP methods
+ private static final String HTTP_METHOD_GET = "GET";
+ private static final String HTTP_METHOD_POST = "POST";
+
+ // HTTP headers
+ private static final String HEADER_ACCEPT = "Accept";
+ private static final String HEADER_AUTHORIZATION = "Authorization";
+ private static final String HEADER_CONTENT_TYPE = "Content-Type";
+ private static final String HEADER_VAULT_NAMESPACE = "X-Vault-Namespace";
+ private static final String ACCEPT_JSON = "application/json";
+
+ /**
+ * Sends a GET request to the specified URL and retrieves the response.
+ *
+ * @param urlStr The URL to send the request to. Must not be null.
+ * @param authToken The optional Bearer token for authorization. Can be null or empty.
+ * @param namespace The optional Vault namespace. Can be null or empty.
+ * @return The response as a UTF-8 encoded string. Never null.
+ * @throws Exception if the request fails or the response cannot be read.
+ */
+ public static String sendGetRequest(String urlStr, String authToken, String namespace)
+ throws Exception {
+ if (urlStr == null) {
+ throw new IllegalArgumentException("URL must not be null");
+ }
+
+ HttpURLConnection conn = createConnection(urlStr, HTTP_METHOD_GET, authToken, namespace);
+ try {
+ return sendGetRequestAndGetResponse(conn);
+ } finally {
+ conn.disconnect();
+ }
+ }
+
+ /**
+ * Sends a POST request with a payload to the specified URL and retrieves the response.
+ *
+ * @param urlStr The URL to send the request to. Must not be null.
+ * @param payload The payload to send in UTF-8 encoding. Must not be null.
+ * @param contentType The content type for the request payload (e.g., "application/json").
+ * @param authToken The optional Bearer token for authorization. Can be null or empty.
+ * @param namespace The optional Vault namespace. Can be null or empty.
+ * @return The response as a UTF-8 encoded string. Never null.
+ * @throws Exception if the request fails or the response cannot be read.
+ */
+ public static String sendPostRequest(String urlStr, String payload, String contentType,
+ String authToken, String namespace) throws Exception {
+ if (urlStr == null) {
+ throw new IllegalArgumentException("URL must not be null");
+ }
+ if (payload == null) {
+ throw new IllegalArgumentException("Payload must not be null");
+ }
+
+ HttpURLConnection conn = createConnection(urlStr, HTTP_METHOD_POST, authToken,
+ namespace);
+ try {
+ return sendPayloadAndGetResponse(conn, payload, contentType);
+ } finally {
+ conn.disconnect();
+ }
+ }
+
+ /**
+ * Creates an HTTP connection to the specified URL with the given settings.
+ *
+ * @param urlStr The URL to connect to. Must not be null.
+ * @param method The HTTP method (e.g., "GET", "POST"). Must not be null.
+ * @param authToken The optional Bearer token for authorization. Can be null or empty.
+ * @param namespace The optional Vault namespace. Can be null or empty.
+ * @return A configured {@link HttpURLConnection}. Never null.
+ * @throws IOException if an I/O error occurs while creating the connection
+ * @throws IllegalArgumentException if urlStr or method is null
+ * such as network failures, invalid configurations or authentication issues
+ */
+ public static HttpURLConnection createConnection(String urlStr, String method, String authToken, String namespace)
+ throws IOException {
+ if (method == null) {
+ throw new IllegalArgumentException("HTTP method must not be null");
+ }
+ URL url = new URL(urlStr);
+ HttpURLConnection conn = (HttpURLConnection) url.openConnection();
+ conn.setRequestMethod(method);
+ conn.setRequestProperty(HEADER_ACCEPT, ACCEPT_JSON);
+ if (authToken != null && !authToken.isEmpty()) {
+ conn.setRequestProperty(HEADER_AUTHORIZATION, "Bearer " + authToken);
+ }
+ if (namespace != null && !namespace.isEmpty()) {
+ conn.setRequestProperty(HEADER_VAULT_NAMESPACE, namespace);
+ }
+ conn.setDoOutput(true);
+ return conn;
+ }
+
+ /**
+ * Reads the full response from an InputStream as a String.
+ *
+ * @param in the input stream to read.
+ * @return the response string.
+ */
+ private static String readResponse(InputStream in) {
+ try (BufferedReader reader = new BufferedReader(new InputStreamReader(in, StandardCharsets.UTF_8))) {
+ return reader.lines().collect(Collectors.joining("\n"));
+ } catch (Exception e) {
+ throw new IllegalStateException("Failed to read HTTP response", e);
+ }
+ }
+
+ /**
+ * Sends a payload via the provided {@link HttpURLConnection} and retrieves
+ * the response as a string.
+ *
+ * @param conn The configured HTTP connection. Must not be null.
+ * @param payload The payload to send in UTF-8 encoding. Must not be null.
+ * @param contentType The content type for the request payload (e.g., "application/json").
+ * @return The response as a UTF-8 encoded string. Never null.
+ * @throws Exception if the request fails or the response cannot be read.
+ */
+ public static String sendPayloadAndGetResponse(HttpURLConnection conn, String payload, String contentType) throws Exception {
+ if (contentType != null && !contentType.isEmpty()) {
+ conn.setRequestProperty(HEADER_CONTENT_TYPE, contentType);
+ }
+ try (OutputStream os = conn.getOutputStream()) {
+ os.write(payload.getBytes(StandardCharsets.UTF_8));
+ }
+ handleErrorResponse(conn);
+ return readResponse(conn.getInputStream());
+ }
+
+ /**
+ * Sends a GET request via the provided {@link HttpURLConnection} and
+ * retrieves the response as a string.
+ *
+ * @param conn The configured HTTP connection. Must not be null.
+ * @return The response as a string. Never null.
+ * @throws Exception if the request fails or the response cannot be read.
+ */
+ public static String sendGetRequestAndGetResponse(HttpURLConnection conn) throws Exception {
+ handleErrorResponse(conn);
+ return readResponse(conn.getInputStream());
+ }
+
+ /**
+ * Handles HTTP error responses.
+ *
+ * @param conn The HTTP connection. Must not be null.
+ * @throws IllegalStateException if the response indicates an error.
+ */
+ private static void handleErrorResponse(HttpURLConnection conn) {
+ try {
+ int responseCode = conn.getResponseCode();
+ if (responseCode != HttpURLConnection.HTTP_OK) {
+ String errorResponse = "";
+ try {
+ errorResponse = readResponse(conn.getErrorStream());
+ } catch (Exception ignore) { }
+ String errorMessage = String.format("HTTP request failed with status code %d. " +
+ "Please verify any provided parameters. Error Response:" +
+ " %s ", responseCode, errorResponse);
+ throw new IllegalStateException(errorMessage);
+ }
+ } catch (Exception e) {
+ throw new IllegalStateException("Failed to process HTTP response", e);
+ }
+ }
+
+}
diff --git a/ojdbc-provider-hashicorp/src/main/java/oracle/jdbc/provider/hashicorp/util/JsonUtil.java b/ojdbc-provider-hashicorp/src/main/java/oracle/jdbc/provider/hashicorp/util/JsonUtil.java
new file mode 100644
index 00000000..8c12dd5d
--- /dev/null
+++ b/ojdbc-provider-hashicorp/src/main/java/oracle/jdbc/provider/hashicorp/util/JsonUtil.java
@@ -0,0 +1,83 @@
+/*
+ ** Copyright (c) 2025 Oracle and/or its affiliates.
+ **
+ ** The Universal Permissive License (UPL), Version 1.0
+ **
+ ** Subject to the condition set forth below, permission is hereby granted to any
+ ** person obtaining a copy of this software, associated documentation and/or data
+ ** (collectively the "Software"), free of charge and under any and all copyright
+ ** rights in the Software, and any and all patent rights owned or freely
+ ** licensable by each licensor hereunder covering either (i) the unmodified
+ ** Software as contributed to or provided by such licensor, or (ii) the Larger
+ ** Works (as defined below), to deal in both
+ **
+ ** (a) the Software, and
+ ** (b) any piece of software and/or hardware listed in the lrgrwrks.txt file if
+ ** one is included with the Software (each a "Larger Work" to which the Software
+ ** is contributed by such licensors),
+ **
+ ** without restriction, including without limitation the rights to copy, create
+ ** derivative works of, display, perform, and distribute the Software and make,
+ ** use, sell, offer for sale, import, export, have made, and have sold the
+ ** Software and the Larger Work(s), and to sublicense the foregoing rights on
+ ** either these or other terms.
+ **
+ ** This license is subject to the following condition:
+ ** The above copyright notice and either this complete permission notice or at
+ ** a minimum a reference to the UPL must be included in all copies or
+ ** substantial portions of the Software.
+ **
+ ** THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ ** IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ ** FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ ** AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ ** LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ ** OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ ** SOFTWARE.
+ */
+
+package oracle.jdbc.provider.hashicorp.util;
+
+import oracle.sql.json.OracleJsonFactory;
+import oracle.sql.json.OracleJsonObject;
+
+import java.io.ByteArrayInputStream;
+import java.nio.charset.StandardCharsets;
+
+/**
+ * Utility class for JSON parsing and extraction using Oracle JSON library.
+ */
+public class JsonUtil {
+
+ /**
+ * Converts a JSON string into an {@link OracleJsonObject}.
+ *
+ * @param jsonResponse the JSON response string to convert. Must not be null.
+ * @return the corresponding {@link OracleJsonObject}. Never null.
+ * @throws IllegalStateException if conversion fails due to invalid JSON.
+ */
+ public static OracleJsonObject convertJsonToOracleJsonObject(String jsonResponse) {
+ try {
+ return new OracleJsonFactory()
+ .createJsonTextValue(new ByteArrayInputStream(jsonResponse.getBytes(StandardCharsets.UTF_8)))
+ .asJsonObject();
+ } catch (Exception e) {
+ throw new IllegalStateException("Failed to convert JSON string to OracleJsonObject", e);
+ }
+ }
+
+ /**
+ * Extracts a specific field from an {@link OracleJsonObject}.
+ *
+ * @param jsonObject The JSON object containing the field. Must not be null.
+ * @param fieldName The name of the field to extract. Must not be null.
+ * @return The value of the field as a string. Never null.
+ * @throws IllegalStateException if the field does not exist or is not a string.
+ */
+ public static String extractField(OracleJsonObject jsonObject, String fieldName) {
+ if (jsonObject.containsKey(fieldName)) {
+ return jsonObject.getString(fieldName);
+ }
+ throw new IllegalStateException("Missing field '" + fieldName + "' in the response JSON.");
+ }
+}
\ No newline at end of file
diff --git a/ojdbc-provider-hashicorp/src/main/java/oracle/jdbc/provider/hashicorp/util/Parameterutil.java b/ojdbc-provider-hashicorp/src/main/java/oracle/jdbc/provider/hashicorp/util/Parameterutil.java
new file mode 100644
index 00000000..f0d55af6
--- /dev/null
+++ b/ojdbc-provider-hashicorp/src/main/java/oracle/jdbc/provider/hashicorp/util/Parameterutil.java
@@ -0,0 +1,60 @@
+/*
+ ** Copyright (c) 2025 Oracle and/or its affiliates.
+ **
+ ** The Universal Permissive License (UPL), Version 1.0
+ **
+ ** Subject to the condition set forth below, permission is hereby granted to any
+ ** person obtaining a copy of this software, associated documentation and/or data
+ ** (collectively the "Software"), free of charge and under any and all copyright
+ ** rights in the Software, and any and all patent rights owned or freely
+ ** licensable by each licensor hereunder covering either (i) the unmodified
+ ** Software as contributed to or provided by such licensor, or (ii) the Larger
+ ** Works (as defined below), to deal in both
+ **
+ ** (a) the Software, and
+ ** (b) any piece of software and/or hardware listed in the lrgrwrks.txt file if
+ ** one is included with the Software (each a "Larger Work" to which the Software
+ ** is contributed by such licensors),
+ **
+ ** without restriction, including without limitation the rights to copy, create
+ ** derivative works of, display, perform, and distribute the Software and make,
+ ** use, sell, offer for sale, import, export, have made, and have sold the
+ ** Software and the Larger Work(s), and to sublicense the foregoing rights on
+ ** either these or other terms.
+ **
+ ** This license is subject to the following condition:
+ ** The above copyright notice and either this complete permission notice or at
+ ** a minimum a reference to the UPL must be included in all copies or
+ ** substantial portions of the Software.
+ **
+ ** THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ ** IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ ** FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ ** AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ ** LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ ** OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ ** SOFTWARE.
+ */
+
+package oracle.jdbc.provider.hashicorp.util;
+
+/**
+ * Utility class for parameter resolution.
+ */
+public final class Parameterutil {
+
+ private Parameterutil() {
+ // Prevent instantiation.
+ }
+
+ /**
+ * Returns the fallback value for the given key by checking system properties first,
+ * then environment variables.
+ *
+ * @param key the key to look up
+ * @return the fallback value, or null if not found
+ */
+ public static String getFallback(String key) {
+ return System.getProperty(key, System.getenv(key));
+ }
+}
diff --git a/ojdbc-provider-hashicorp/src/main/resources/META-INF/services/oracle.jdbc.spi.OracleConfigurationProvider b/ojdbc-provider-hashicorp/src/main/resources/META-INF/services/oracle.jdbc.spi.OracleConfigurationProvider
new file mode 100644
index 00000000..489b2cdd
--- /dev/null
+++ b/ojdbc-provider-hashicorp/src/main/resources/META-INF/services/oracle.jdbc.spi.OracleConfigurationProvider
@@ -0,0 +1,2 @@
+oracle.jdbc.provider.hashicorp.hcpvaultdedicated.configuration.DedicatedVaultSecretsManagerConfigurationProvider
+oracle.jdbc.provider.hashicorp.hcpvaultsecret.configuration.HcpVaultSecretsManagerConfigurationProvider
\ No newline at end of file
diff --git a/ojdbc-provider-hashicorp/src/main/resources/META-INF/services/oracle.jdbc.spi.OracleConfigurationSecretProvider b/ojdbc-provider-hashicorp/src/main/resources/META-INF/services/oracle.jdbc.spi.OracleConfigurationSecretProvider
new file mode 100644
index 00000000..d29219b9
--- /dev/null
+++ b/ojdbc-provider-hashicorp/src/main/resources/META-INF/services/oracle.jdbc.spi.OracleConfigurationSecretProvider
@@ -0,0 +1,2 @@
+oracle.jdbc.provider.hashicorp.hcpvaultdedicated.configuration.DedicatedVaultJsonSecretProvider
+oracle.jdbc.provider.hashicorp.hcpvaultsecret.configuration.HcpVaultJsonVaultProvider
\ No newline at end of file
diff --git a/ojdbc-provider-hashicorp/src/test/java/oracle/jdbc/provider/hashicorp/hcpvaultdedicated/configuration/DedicatedVaultConfigurationProviderTest.java b/ojdbc-provider-hashicorp/src/test/java/oracle/jdbc/provider/hashicorp/hcpvaultdedicated/configuration/DedicatedVaultConfigurationProviderTest.java
new file mode 100644
index 00000000..b321543c
--- /dev/null
+++ b/ojdbc-provider-hashicorp/src/test/java/oracle/jdbc/provider/hashicorp/hcpvaultdedicated/configuration/DedicatedVaultConfigurationProviderTest.java
@@ -0,0 +1,254 @@
+/*
+ ** Copyright (c) 2025 Oracle and/or its affiliates.
+ **
+ ** The Universal Permissive License (UPL), Version 1.0
+ **
+ ** Subject to the condition set forth below, permission is hereby granted to any
+ ** person obtaining a copy of this software, associated documentation and/or data
+ ** (collectively the "Software"), free of charge and under any and all copyright
+ ** rights in the Software, and any and all patent rights owned or freely
+ ** licensable by each licensor hereunder covering either (i) the unmodified
+ ** Software as contributed to or provided by such licensor, or (ii) the Larger
+ ** Works (as defined below), to deal in both
+ **
+ ** (a) the Software, and
+ ** (b) any piece of software and/or hardware listed in the lrgrwrks.txt file if
+ ** one is included with the Software (each a "Larger Work" to which the Software
+ ** is contributed by such licensors),
+ **
+ ** without restriction, including without limitation the rights to copy, create
+ ** derivative works of, display, perform, and distribute the Software and make,
+ ** use, sell, offer for sale, import, export, have made, and have sold the
+ ** Software and the Larger Work(s), and to sublicense the foregoing rights on
+ ** either these or other terms.
+ **
+ ** This license is subject to the following condition:
+ ** The above copyright notice and either this complete permission notice or at
+ ** a minimum a reference to the UPL must be included in all copies or
+ ** substantial portions of the Software.
+ **
+ ** THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ ** IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ ** FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ ** AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ ** LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ ** OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ ** SOFTWARE.
+ */
+
+package oracle.jdbc.provider.hashicorp.hcpvaultdedicated.configuration;
+
+import oracle.jdbc.provider.TestProperties;
+import oracle.jdbc.spi.OracleConfigurationProvider;
+import org.junit.jupiter.api.Test;
+
+import java.sql.SQLException;
+import java.util.ArrayList;
+import java.util.List;
+import java.util.Properties;
+
+import static org.junit.jupiter.api.Assertions.assertTrue;
+
+/**
+ * Test class for the Dedicated Vault Configuration Provider.
+ */
+public class DedicatedVaultConfigurationProviderTest {
+
+ static {
+ OracleConfigurationProvider.allowedProviders.add("hcpvaultdedicated");
+ }
+
+
+ private static final OracleConfigurationProvider PROVIDER =
+ OracleConfigurationProvider.find("hcpvaultdedicated");
+
+ /**
+ * Verifies if Dedicated Vault Configuration Provider works with TOKEN-based
+ * authentication.
+ * Without the key option.
+ **/
+ @Test
+ public void testTokenAuthentication() throws SQLException {
+ String location =
+ composeUrl(TestProperties.getOrAbort(DedicatedVaultTestProperty.DEDICATED_VAULT_SECRET_PATH),
+ "VAULT_ADDR="+TestProperties.getOrAbort(DedicatedVaultTestProperty.VAULT_ADDR),
+ "VAULT_TOKEN="+TestProperties.getOrAbort(DedicatedVaultTestProperty.VAULT_TOKEN),
+ "authentication=vault_token");
+
+ Properties properties = PROVIDER.getConnectionProperties(location);
+
+ assertTrue(properties.containsKey("URL"), "Contains property URL");
+ assertTrue(properties.containsKey("user"), "Contains property user");
+ assertTrue(properties.containsKey("password"), "Contains property password");
+ }
+
+
+ /**
+ * Verifies if Dedicated Vault Configuration Provider works with TOKEN-based
+ * authentication.
+ * With the key option.
+ */
+ @Test
+ public void testTokenAuthenticationWithKeyOption() throws SQLException {
+ String location =
+ composeUrl(TestProperties.getOrAbort(DedicatedVaultTestProperty.DEDICATED_VAULT_SECRET_PATH_WITH_MULTIPLE_KEYS),
+ "key="+TestProperties.getOrAbort(DedicatedVaultTestProperty.KEY),
+ "VAULT_ADDR="+TestProperties.getOrAbort(DedicatedVaultTestProperty.VAULT_ADDR),
+ "VAULT_TOKEN="+TestProperties.getOrAbort(DedicatedVaultTestProperty.VAULT_TOKEN),
+ "authentication=vault_token");
+
+
+ Properties properties = PROVIDER.getConnectionProperties(location);
+
+ assertTrue(properties.containsKey("URL"), "Contains property URL");
+ assertTrue(properties.containsKey("user"), "Contains property user");
+ assertTrue(properties.containsKey("password"), "Contains property password");
+ }
+
+ /**
+ * Verifies if Dedicated Vault Configuration Provider works with TOKEN-based
+ * authentication.
+ * Without the key option.
+ */
+ @Test
+ public void testUserPassAuthenticationWithoutKeyOption() throws SQLException {
+ String location =
+ composeUrl(TestProperties.getOrAbort(DedicatedVaultTestProperty.DEDICATED_VAULT_SECRET_PATH),
+ "VAULT_ADDR="+TestProperties.getOrAbort(DedicatedVaultTestProperty.VAULT_ADDR),
+ "VAULT_USERNAME="+TestProperties.getOrAbort(DedicatedVaultTestProperty.VAULT_USERNAME),
+ "VAULT_PASSWORD="+TestProperties.getOrAbort(DedicatedVaultTestProperty.VAULT_PASSWORD),
+ "VAULT_NAMESPACE="+TestProperties.getOrAbort(DedicatedVaultTestProperty.VAULT_NAMESPACE),
+ "authentication=userpass");
+
+
+ Properties properties = PROVIDER.getConnectionProperties(location);
+
+ assertTrue(properties.containsKey("URL"), "Contains property URL");
+ assertTrue(properties.containsKey("user"), "Contains property user");
+ assertTrue(properties.containsKey("password"), "Contains property password");
+ }
+
+ /**
+ * Verifies if Dedicated Vault Configuration Provider works with TOKEN-based
+ * authentication.
+ * With the key option.
+ */
+ @Test
+ public void testUserPassAuthenticationWithKeyOption() throws SQLException {
+ String location =
+ composeUrl(TestProperties.getOrAbort(DedicatedVaultTestProperty.DEDICATED_VAULT_SECRET_PATH_WITH_MULTIPLE_KEYS),
+ "key="+TestProperties.getOrAbort(DedicatedVaultTestProperty.KEY),
+ "VAULT_ADDR="+TestProperties.getOrAbort(DedicatedVaultTestProperty.VAULT_ADDR),
+ "VAULT_USERNAME="+TestProperties.getOrAbort(DedicatedVaultTestProperty.VAULT_USERNAME),
+ "VAULT_PASSWORD="+TestProperties.getOrAbort(DedicatedVaultTestProperty.VAULT_PASSWORD),
+ "VAULT_NAMESPACE="+TestProperties.getOrAbort(DedicatedVaultTestProperty.VAULT_NAMESPACE),
+ "authentication=userpass");
+
+ Properties properties = PROVIDER.getConnectionProperties(location);
+
+ assertTrue(properties.containsKey("URL"), "Contains property URL");
+ assertTrue(properties.containsKey("user"), "Contains property user");
+ assertTrue(properties.containsKey("password"), "Contains property password");
+ }
+
+ /**
+ * Verifies if Dedicated Vault Configuration Provider works with AppRole
+ * authentication and a key option for secrets with multiple keys.
+ */
+ @Test
+ public void testAppRoleAuthenticationWithKeyOption() throws SQLException {
+ String location = composeUrl(
+ TestProperties.getOrAbort(DedicatedVaultTestProperty.DEDICATED_VAULT_SECRET_PATH_WITH_MULTIPLE_KEYS),
+ "key=" + TestProperties.getOrAbort(DedicatedVaultTestProperty.KEY),
+ "VAULT_ADDR=" + TestProperties.getOrAbort(DedicatedVaultTestProperty.VAULT_ADDR),
+ "ROLE_ID=" + TestProperties.getOrAbort(DedicatedVaultTestProperty.ROLE_ID),
+ "VAULT_NAMESPACE="+TestProperties.getOrAbort(DedicatedVaultTestProperty.VAULT_NAMESPACE),
+ "SECRET_ID=" + TestProperties.getOrAbort(DedicatedVaultTestProperty.SECRET_ID),
+ "authentication=approle");
+
+ Properties properties = PROVIDER.getConnectionProperties(location);
+
+ assertTrue(properties.containsKey("URL"), "Contains property URL");
+ assertTrue(properties.containsKey("user"), "Contains property user");
+ assertTrue(properties.containsKey("password"), "Contains property password");
+ }
+
+ /**
+ * Verifies if Dedicated Vault Configuration Provider works with GitHub
+ * authentication and a key option for secrets with multiple keys.
+ */
+ @Test
+ public void testGithubAuthenticationWithKeyOption() throws SQLException {
+ String location = composeUrl(
+ TestProperties.getOrAbort(DedicatedVaultTestProperty.DEDICATED_VAULT_SECRET_PATH_WITH_MULTIPLE_KEYS),
+ "key=" + TestProperties.getOrAbort(DedicatedVaultTestProperty.KEY),
+ "VAULT_ADDR=" + TestProperties.getOrAbort(DedicatedVaultTestProperty.VAULT_ADDR),
+ "GITHUB_TOKEN=" + TestProperties.getOrAbort(DedicatedVaultTestProperty.GITHUB_TOKEN),
+ "VAULT_NAMESPACE="+TestProperties.getOrAbort(DedicatedVaultTestProperty.VAULT_NAMESPACE),
+ "authentication=github");
+
+ Properties properties = PROVIDER.getConnectionProperties(location);
+
+ assertTrue(properties.containsKey("URL"), "Contains property URL");
+ assertTrue(properties.containsKey("user"), "Contains property user");
+ assertTrue(properties.containsKey("password"), "Contains property password");
+ }
+
+ /**
+ * Verifies if Dedicated Vault Configuration Provider works with the
+ * AUTO-DETECT authentication and a key option for secrets with multiple keys.
+ */
+ @Test
+ public void testAutoDetectAuthenticationWithKeyOption() throws SQLException {
+ String baseUrl = TestProperties.getOrAbort(DedicatedVaultTestProperty.DEDICATED_VAULT_SECRET_PATH_WITH_MULTIPLE_KEYS);
+ String key = "key=" + TestProperties.getOrAbort(DedicatedVaultTestProperty.KEY);
+ String vaultAddr = "VAULT_ADDR=" + TestProperties.getOrAbort(DedicatedVaultTestProperty.VAULT_ADDR);
+
+ List params = new ArrayList<>();
+ params.add(vaultAddr);
+ params.add(key);
+
+ // Add available authentication methods dynamically
+ String vaultToken = TestProperties.getOptional(DedicatedVaultTestProperty.VAULT_TOKEN);
+ if (vaultToken != null) {
+ params.add("VAULT_TOKEN=" + vaultToken);
+ }
+
+ String vaultUsername = TestProperties.getOptional(DedicatedVaultTestProperty.VAULT_USERNAME);
+ String vaultPassword =
+ TestProperties.getOrAbort(DedicatedVaultTestProperty.VAULT_PASSWORD);
+ if (vaultUsername != null && vaultPassword != null) {
+ params.add("VAULT_USERNAME=" + vaultUsername);
+ params.add("VAULT_PASSWORD=" + vaultPassword);
+ }
+
+ String roleId = TestProperties.getOptional(DedicatedVaultTestProperty.ROLE_ID);
+ String secretId = TestProperties.getOptional(DedicatedVaultTestProperty.SECRET_ID);
+ if (roleId != null && secretId != null) {
+ params.add("ROLE_ID=" + roleId);
+ params.add("SECRET_ID=" + secretId);
+ }
+
+ String githubToken = TestProperties.getOptional(DedicatedVaultTestProperty.GITHUB_TOKEN);
+ if (githubToken != null) {
+ params.add("GITHUB_TOKEN=" + githubToken);
+ }
+
+ params.add("authentication=auto_detect");
+
+ String location = composeUrl(baseUrl, params.toArray(new String[0]));
+
+ Properties properties = PROVIDER.getConnectionProperties(location);
+
+ assertTrue(properties.containsKey("URL"), "Contains property URL");
+ assertTrue(properties.containsKey("user"), "Contains property user");
+ assertTrue(properties.containsKey("password"), "Contains property password");
+ }
+
+ /**
+ * Composes a full URL from a base URL and query options.
+ */
+ private static String composeUrl(String baseUrl, String... options) {
+ return String.format("%s?%s", baseUrl, String.join("&", options));
+ }
+}
diff --git a/ojdbc-provider-hashicorp/src/test/java/oracle/jdbc/provider/hashicorp/hcpvaultdedicated/configuration/DedicatedVaultTestProperty.java b/ojdbc-provider-hashicorp/src/test/java/oracle/jdbc/provider/hashicorp/hcpvaultdedicated/configuration/DedicatedVaultTestProperty.java
new file mode 100644
index 00000000..97212117
--- /dev/null
+++ b/ojdbc-provider-hashicorp/src/test/java/oracle/jdbc/provider/hashicorp/hcpvaultdedicated/configuration/DedicatedVaultTestProperty.java
@@ -0,0 +1,66 @@
+/*
+ ** Copyright (c) 2025 Oracle and/or its affiliates.
+ **
+ ** The Universal Permissive License (UPL), Version 1.0
+ **
+ ** Subject to the condition set forth below, permission is hereby granted to any
+ ** person obtaining a copy of this software, associated documentation and/or data
+ ** (collectively the "Software"), free of charge and under any and all copyright
+ ** rights in the Software, and any and all patent rights owned or freely
+ ** licensable by each licensor hereunder covering either (i) the unmodified
+ ** Software as contributed to or provided by such licensor, or (ii) the Larger
+ ** Works (as defined below), to deal in both
+ **
+ ** (a) the Software, and
+ ** (b) any piece of software and/or hardware listed in the lrgrwrks.txt file if
+ ** one is included with the Software (each a "Larger Work" to which the Software
+ ** is contributed by such licensors),
+ **
+ ** without restriction, including without limitation the rights to copy, create
+ ** derivative works of, display, perform, and distribute the Software and make,
+ ** use, sell, offer for sale, import, export, have made, and have sold the
+ ** Software and the Larger Work(s), and to sublicense the foregoing rights on
+ ** either these or other terms.
+ **
+ ** This license is subject to the following condition:
+ ** The above copyright notice and either this complete permission notice or at
+ ** a minimum a reference to the UPL must be included in all copies or
+ ** substantial portions of the Software.
+ **
+ ** THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ ** IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ ** FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ ** AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ ** LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ ** OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ ** SOFTWARE.
+ */
+
+package oracle.jdbc.provider.hashicorp.hcpvaultdedicated.configuration;
+
+/**
+ * Enumeration of test properties for Dedicated Vault.
+ */
+public enum DedicatedVaultTestProperty {
+ DEDICATED_VAULT_SECRET_PATH,
+
+ DEDICATED_VAULT_SECRET_PATH_WITH_MULTIPLE_KEYS,
+
+ KEY,
+
+ VAULT_TOKEN,
+
+ VAULT_ADDR,
+
+ VAULT_USERNAME,
+
+ VAULT_PASSWORD,
+
+ VAULT_NAMESPACE,
+
+ ROLE_ID,
+
+ SECRET_ID,
+
+ GITHUB_TOKEN
+}
diff --git a/ojdbc-provider-hashicorp/src/test/java/oracle/jdbc/provider/hashicorp/hcpvaultsecret/configuration/HcpVaultConfigurationProviderTest.java b/ojdbc-provider-hashicorp/src/test/java/oracle/jdbc/provider/hashicorp/hcpvaultsecret/configuration/HcpVaultConfigurationProviderTest.java
new file mode 100644
index 00000000..dcee9b56
--- /dev/null
+++ b/ojdbc-provider-hashicorp/src/test/java/oracle/jdbc/provider/hashicorp/hcpvaultsecret/configuration/HcpVaultConfigurationProviderTest.java
@@ -0,0 +1,193 @@
+/*
+ ** Copyright (c) 2025 Oracle and/or its affiliates.
+ **
+ ** The Universal Permissive License (UPL), Version 1.0
+ **
+ ** Subject to the condition set forth below, permission is hereby granted to any
+ ** person obtaining a copy of this software, associated documentation and/or data
+ ** (collectively the "Software"), free of charge and under any and all copyright
+ ** rights in the Software, and any and all patent rights owned or freely
+ ** licensable by each licensor hereunder covering either (i) the unmodified
+ ** Software as contributed to or provided by such licensor, or (ii) the Larger
+ ** Works (as defined below), to deal in both
+ **
+ ** (a) the Software, and
+ ** (b) any piece of software and/or hardware listed in the lrgrwrks.txt file if
+ ** one is included with the Software (each a "Larger Work" to which the Software
+ ** is contributed by such licensors),
+ **
+ ** without restriction, including without limitation the rights to copy, create
+ ** derivative works of, display, perform, and distribute the Software and make,
+ ** use, sell, offer for sale, import, export, have made, and have sold the
+ ** Software and the Larger Work(s), and to sublicense the foregoing rights on
+ ** either these or other terms.
+ **
+ ** This license is subject to the following condition:
+ ** The above copyright notice and either this complete permission notice or at
+ ** a minimum a reference to the UPL must be included in all copies or
+ ** substantial portions of the Software.
+ **
+ ** THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ ** IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ ** FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ ** AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ ** LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ ** OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ ** SOFTWARE.
+ */
+
+package oracle.jdbc.provider.hashicorp.hcpvaultsecret.configuration;
+
+import oracle.jdbc.provider.TestProperties;
+import oracle.jdbc.spi.OracleConfigurationProvider;
+import org.junit.jupiter.api.BeforeAll;
+import org.junit.jupiter.api.Disabled;
+import org.junit.jupiter.api.Test;
+
+import java.sql.SQLException;
+import java.util.ArrayList;
+import java.util.List;
+import java.util.Properties;
+
+import static org.junit.jupiter.api.Assertions.assertTrue;
+
+/**
+ * Test class for the HCP Vault Configuration Provider.
+ */
+public class HcpVaultConfigurationProviderTest {
+
+ static {
+ OracleConfigurationProvider.allowedProviders.add("hcpvaultsecret");
+ }
+
+ private static final OracleConfigurationProvider PROVIDER =
+ OracleConfigurationProvider.find("hcpvaultsecret");
+
+ @BeforeAll
+ public static void setUp() {
+ System.setProperty("HCP_ORG_ID",
+ TestProperties.getOrAbort(HcpVaultTestProperty.HCP_ORG_ID));
+ System.setProperty("HCP_PROJECT_ID",
+ TestProperties.getOrAbort(HcpVaultTestProperty.HCP_PROJECT_ID));
+ System.setProperty("HCP_APP_NAME",
+ TestProperties.getOrAbort(HcpVaultTestProperty.HCP_APP_NAME));
+
+ }
+
+ /**
+ * Verifies if HCP Vault Configuration Provider works with
+ * CLIENT_CREDENTIALS authentication.
+ * Without Key Option
+ */
+ @Test
+ public void testClientCredentialsAuthentication() throws SQLException {
+ // Load parameters from TestProperties
+ String baseUrl = TestProperties.getOrAbort(HcpVaultTestProperty.SECRET_NAME);
+ String clientId = "HCP_CLIENT_ID=" + TestProperties.getOrAbort(HcpVaultTestProperty.HCP_CLIENT_ID);
+ String clientSecret = "HCP_CLIENT_SECRET=" + TestProperties.getOrAbort(HcpVaultTestProperty.HCP_CLIENT_SECRET);
+ // Compose the connection URL
+ String location = composeUrl(baseUrl, clientId, clientSecret);
+
+ // Fetch properties using the provider
+ Properties properties = PROVIDER.getConnectionProperties(location);
+
+ // Assert required properties
+ assertTrue(properties.containsKey("URL"), "Contains property URL");
+ assertTrue(properties.containsKey("user"), "Contains property user");
+ assertTrue(properties.containsKey("password"), "Contains property password");
+ }
+
+ /**
+ * Verifies if HCP Vault Configuration Provider works with
+ * CLIENT_CREDENTIALS authentication.
+ * With Key Option
+ */
+ @Test
+ public void testClientCredentialsAuthenticationWithKeyOption() throws SQLException {
+ // Load parameters from TestProperties
+ String baseUrl = TestProperties.getOrAbort(HcpVaultTestProperty.SECRET_NAME_WITH_MULTIPLE_KEYS);
+ String clientId = "HCP_CLIENT_ID=" + TestProperties.getOrAbort(HcpVaultTestProperty.HCP_CLIENT_ID);
+ String clientSecret = "HCP_CLIENT_SECRET=" + TestProperties.getOrAbort(HcpVaultTestProperty.HCP_CLIENT_SECRET);
+ String authMethod = "authentication=CLIENT_CREDENTIALS";
+ String key = "key=" + TestProperties.getOrAbort(HcpVaultTestProperty.KEY);
+ // Compose the connection URL
+ String location = composeUrl(baseUrl, clientId, clientSecret, key, authMethod);
+
+ // Fetch properties using the provider
+ Properties properties = PROVIDER.getConnectionProperties(location);
+
+ // Assert required properties
+ assertTrue(properties.containsKey("URL"), "Contains property URL");
+ assertTrue(properties.containsKey("user"), "Contains property user");
+ assertTrue(properties.containsKey("password"), "Contains property password");
+ }
+
+
+ /**
+ * Verifies if HCP Vault Configuration Provider works with
+ * CLI_CREDENTIALS_FILE authentication.
+ * With Key Option
+ */
+ @Test
+ @Disabled
+ public void testCLICredentialsFileAuthenticationWithKeyOption() throws SQLException {
+ // Load parameters from TestProperties
+ String baseUrl = TestProperties.getOrAbort(HcpVaultTestProperty.SECRET_NAME_WITH_MULTIPLE_KEYS);
+ String key = "key=" + TestProperties.getOrAbort(HcpVaultTestProperty.KEY);
+ String authMethod = "authentication=CLI_CREDENTIALS_FILE";
+ // Compose the connection URL
+ String location = composeUrl(baseUrl, key, authMethod);
+
+ // Fetch properties using the provider
+ Properties properties = PROVIDER.getConnectionProperties(location);
+
+ // Assert required properties
+ assertTrue(properties.containsKey("URL"), "Contains property URL");
+ assertTrue(properties.containsKey("user"), "Contains property user");
+ assertTrue(properties.containsKey("password"), "Contains property password");
+ }
+
+ /**
+ * Verifies if the HCP Vault Configuration Provider works with
+ * AUTO_DETECT authentication (with the key option).
+ */
+ @Test
+ public void testAutoDetectAuthenticationWithKeyOption() throws SQLException {
+ List params = new ArrayList<>();
+ String baseUrl = TestProperties.getOrAbort(HcpVaultTestProperty.SECRET_NAME_WITH_MULTIPLE_KEYS);
+ String key = "key=" + TestProperties.getOrAbort(HcpVaultTestProperty.KEY);
+ params.add(key);
+ // Construct optional authentication parameters
+ String clientId =
+ TestProperties.getOptional(HcpVaultTestProperty.HCP_CLIENT_ID);
+ String clientSecret =
+ TestProperties.getOptional(HcpVaultTestProperty.HCP_CLIENT_SECRET);
+ if(clientId!=null && clientSecret!=null) {
+ params.add("HCP_CLIENT_ID=" + clientId);
+ params.add("HCP_CLIENT_SECRET=" + clientSecret);
+ }
+ String credentialsFile =
+ TestProperties.getOptional(HcpVaultTestProperty.HCP_CREDENTIALS_FILE);
+ if(credentialsFile!=null) {
+ params.add("HCP_CREDENTIALS_FILE=" + credentialsFile);
+ }
+
+ // Compose the connection URL
+ String location = composeUrl(baseUrl, params.toArray(new String[0]));
+
+ // Fetch properties using the provider
+ Properties properties = PROVIDER.getConnectionProperties(location);
+
+ // Assert required properties
+ assertTrue(properties.containsKey("URL"), "Contains property URL");
+ assertTrue(properties.containsKey("user"), "Contains property user");
+ assertTrue(properties.containsKey("password"), "Contains property password");
+ }
+
+ /**
+ * Composes a full URL from a base URL and query options.
+ */
+ private static String composeUrl(String baseUrl, String... options) {
+ return String.format("%s?%s", baseUrl, String.join("&", options));
+ }
+}
diff --git a/ojdbc-provider-hashicorp/src/test/java/oracle/jdbc/provider/hashicorp/hcpvaultsecret/configuration/HcpVaultTestProperty.java b/ojdbc-provider-hashicorp/src/test/java/oracle/jdbc/provider/hashicorp/hcpvaultsecret/configuration/HcpVaultTestProperty.java
new file mode 100644
index 00000000..c69eb5de
--- /dev/null
+++ b/ojdbc-provider-hashicorp/src/test/java/oracle/jdbc/provider/hashicorp/hcpvaultsecret/configuration/HcpVaultTestProperty.java
@@ -0,0 +1,62 @@
+/*
+ ** Copyright (c) 2025 Oracle and/or its affiliates.
+ **
+ ** The Universal Permissive License (UPL), Version 1.0
+ **
+ ** Subject to the condition set forth below, permission is hereby granted to any
+ ** person obtaining a copy of this software, associated documentation and/or data
+ ** (collectively the "Software"), free of charge and under any and all copyright
+ ** rights in the Software, and any and all patent rights owned or freely
+ ** licensable by each licensor hereunder covering either (i) the unmodified
+ ** Software as contributed to or provided by such licensor, or (ii) the Larger
+ ** Works (as defined below), to deal in both
+ **
+ ** (a) the Software, and
+ ** (b) any piece of software and/or hardware listed in the lrgrwrks.txt file if
+ ** one is included with the Software (each a "Larger Work" to which the Software
+ ** is contributed by such licensors),
+ **
+ ** without restriction, including without limitation the rights to copy, create
+ ** derivative works of, display, perform, and distribute the Software and make,
+ ** use, sell, offer for sale, import, export, have made, and have sold the
+ ** Software and the Larger Work(s), and to sublicense the foregoing rights on
+ ** either these or other terms.
+ **
+ ** This license is subject to the following condition:
+ ** The above copyright notice and either this complete permission notice or at
+ ** a minimum a reference to the UPL must be included in all copies or
+ ** substantial portions of the Software.
+ **
+ ** THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ ** IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ ** FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ ** AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ ** LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ ** OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ ** SOFTWARE.
+ */
+
+package oracle.jdbc.provider.hashicorp.hcpvaultsecret.configuration;
+
+/**
+ * Enumeration of test properties for HCP Vault.
+ */
+public enum HcpVaultTestProperty {
+ HCP_APP_NAME,
+
+ HCP_ORG_ID,
+
+ HCP_PROJECT_ID,
+
+ HCP_CLIENT_ID,
+
+ HCP_CLIENT_SECRET,
+
+ SECRET_NAME,
+
+ SECRET_NAME_WITH_MULTIPLE_KEYS,
+
+ KEY,
+
+ HCP_CREDENTIALS_FILE
+}
diff --git a/ojdbc-provider-oci/README.md b/ojdbc-provider-oci/README.md
index 9ed54084..bc90350c 100644
--- a/ojdbc-provider-oci/README.md
+++ b/ojdbc-provider-oci/README.md
@@ -161,6 +161,8 @@ For the JSON type of provider (OCI Object Storage, HTTPS, File) the password is
- `azurevault`
- `base64`
- `awssecretsmanager`
+ - `hcpvaultdedicated`
+ - `hcpvaultsecret`
- `value`
- Mandatory
- Possible values:
@@ -168,6 +170,8 @@ For the JSON type of provider (OCI Object Storage, HTTPS, File) the password is
- Azure Key Vault URI (if azurevault)
- Base64 Encoded password (if base64)
- AWS resource name of the secret (if awssecretsmanager)
+ - Secret path (if hcpvaultdedicated)
+ - Secret name (if hcpvaultsecret)
- `authentication`
- Optional. It will apply defaults in the same way as described in [Configuring Authentication](#configuring-authentication)
- Possible Values:
diff --git a/ojdbc-provider-samples/pom.xml b/ojdbc-provider-samples/pom.xml
index fe4ec2bc..d8bd27db 100644
--- a/ojdbc-provider-samples/pom.xml
+++ b/ojdbc-provider-samples/pom.xml
@@ -40,6 +40,11 @@
ojdbc-provider-aws
${project.parent.version}
+
+ com.oracle.database.jdbc
+ ojdbc-provider-hashicorp
+ ${project.parent.version}
+
com.oracle.database.security
oraclepki
diff --git a/ojdbc-provider-samples/src/main/java/oracle/jdbc/provider/hashicorp/hcpvaultdedicated/configuration/SimpleVaultDedicatedJsonExample.java b/ojdbc-provider-samples/src/main/java/oracle/jdbc/provider/hashicorp/hcpvaultdedicated/configuration/SimpleVaultDedicatedJsonExample.java
new file mode 100644
index 00000000..9d74fb62
--- /dev/null
+++ b/ojdbc-provider-samples/src/main/java/oracle/jdbc/provider/hashicorp/hcpvaultdedicated/configuration/SimpleVaultDedicatedJsonExample.java
@@ -0,0 +1,105 @@
+/*
+ ** Copyright (c) 2025 Oracle and/or its affiliates.
+ **
+ ** The Universal Permissive License (UPL), Version 1.0
+ **
+ ** Subject to the condition set forth below, permission is hereby granted to any
+ ** person obtaining a copy of this software, associated documentation and/or data
+ ** (collectively the "Software"), free of charge and under any and all copyright
+ ** rights in the Software, and any and all patent rights owned or freely
+ ** licensable by each licensor hereunder covering either (i) the unmodified
+ ** Software as contributed to or provided by such licensor, or (ii) the Larger
+ ** Works (as defined below), to deal in both
+ **
+ ** (a) the Software, and
+ ** (b) any piece of software and/or hardware listed in the lrgrwrks.txt file if
+ ** one is included with the Software (each a "Larger Work" to which the Software
+ ** is contributed by such licensors),
+ **
+ ** without restriction, including without limitation the rights to copy, create
+ ** derivative works of, display, perform, and distribute the Software and make,
+ ** use, sell, offer for sale, import, export, have made, and have sold the
+ ** Software and the Larger Work(s), and to sublicense the foregoing rights on
+ ** either these or other terms.
+ **
+ ** This license is subject to the following condition:
+ ** The above copyright notice and either this complete permission notice or at
+ ** a minimum a reference to the UPL must be included in all copies or
+ ** substantial portions of the Software.
+ **
+ ** THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ ** IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ ** FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ ** AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ ** LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ ** OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ ** SOFTWARE.
+ */
+
+package oracle.jdbc.provider.hashicorp.hcpvaultdedicated.configuration;
+
+import oracle.jdbc.datasource.impl.OracleDataSource;
+import oracle.jdbc.provider.Configuration;
+
+import java.sql.Connection;
+import java.sql.ResultSet;
+import java.sql.SQLException;
+import java.sql.Statement;
+
+/**
+ * A standalone example demonstrating how to connect to an Oracle database using
+ * connection properties retrieved from a dedicated HashiCorp Vault.
+ */
+public class SimpleVaultDedicatedJsonExample {
+
+ /**
+ * The configuration parameter for the Vault secret path.
+ *
+ * This parameter should be set as a JVM system property, environment variable,
+ * or an entry in the configuration.properties file under the key
+ * "DEDICATED_VAULT_SECRET_PATH".
+ *
+ */
+ private static final String VAULT_DEDICATED_SECRET_PATH = Configuration.getRequired(
+ "DEDICATED_VAULT_SECRET_PATH");
+
+ /**
+ *
+ * Connects to a database using connection properties retrieved from the
+ * configured Vault secret path.
+ *
+ *
+ *
+ * Ensure that the dedicated provider is properly configured and the secret
+ * path is accessible for authentication and configuration retrieval.
+ *
+ *
+ * @param args the command line arguments
+ * @throws SQLException if an error occurs during the database calls
+ */
+ public static void main(String[] args) throws SQLException {
+
+ // Construct a JDBC URL for the dedicated type provider
+ String url = "jdbc:oracle:thin:@config-hcpvaultdedicated://" + VAULT_DEDICATED_SECRET_PATH;
+
+ // Sample default URL if not provided in arguments
+ if (args.length > 0) {
+ url = args[0];
+ }
+
+ // Configure the data source
+ OracleDataSource ds = new OracleDataSource();
+ ds.setURL(url);
+
+ // Standard JDBC code
+ try (Connection cn = ds.getConnection()) {
+ System.out.println("Connected to: " + cn.getMetaData().getURL());
+
+ Statement st = cn.createStatement();
+ ResultSet rs = st.executeQuery("SELECT 'Hello, Dedicated Vault' FROM sys.dual");
+ if (rs.next()) {
+ System.out.println(rs.getString(1));
+ }
+ }
+ }
+}
diff --git a/ojdbc-provider-samples/src/main/java/oracle/jdbc/provider/hashicorp/hcpvaultsecret/configuration/SimpleVaultSecretsJsonExample.java b/ojdbc-provider-samples/src/main/java/oracle/jdbc/provider/hashicorp/hcpvaultsecret/configuration/SimpleVaultSecretsJsonExample.java
new file mode 100644
index 00000000..4779bdfc
--- /dev/null
+++ b/ojdbc-provider-samples/src/main/java/oracle/jdbc/provider/hashicorp/hcpvaultsecret/configuration/SimpleVaultSecretsJsonExample.java
@@ -0,0 +1,101 @@
+/*
+ ** Copyright (c) 2025 Oracle and/or its affiliates.
+ **
+ ** The Universal Permissive License (UPL), Version 1.0
+ **
+ ** Subject to the condition set forth below, permission is hereby granted to any
+ ** person obtaining a copy of this software, associated documentation and/or data
+ ** (collectively the "Software"), free of charge and under any and all copyright
+ ** rights in the Software, and any and all patent rights owned or freely
+ ** licensable by each licensor hereunder covering either (i) the unmodified
+ ** Software as contributed to or provided by such licensor, or (ii) the Larger
+ ** Works (as defined below), to deal in both
+ **
+ ** (a) the Software, and
+ ** (b) any piece of software and/or hardware listed in the lrgrwrks.txt file if
+ ** one is included with the Software (each a "Larger Work" to which the Software
+ ** is contributed by such licensors),
+ **
+ ** without restriction, including without limitation the rights to copy, create
+ ** derivative works of, display, perform, and distribute the Software and make,
+ ** use, sell, offer for sale, import, export, have made, and have sold the
+ ** Software and the Larger Work(s), and to sublicense the foregoing rights on
+ ** either these or other terms.
+ **
+ ** This license is subject to the following condition:
+ ** The above copyright notice and either this complete permission notice or at
+ ** a minimum a reference to the UPL must be included in all copies or
+ ** substantial portions of the Software.
+ **
+ ** THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ ** IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ ** FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ ** AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ ** LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ ** OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ ** SOFTWARE.
+ */
+
+package oracle.jdbc.provider.hashicorp.hcpvaultsecret.configuration;
+
+import oracle.jdbc.datasource.impl.OracleDataSource;
+import oracle.jdbc.provider.Configuration;
+
+import java.sql.Connection;
+import java.sql.ResultSet;
+import java.sql.SQLException;
+import java.sql.Statement;
+
+public class SimpleVaultSecretsJsonExample {
+
+ /**
+ * The configuration parameter for the Vault application name.
+ *
+ * This parameter should be set as a JVM system property, environment variable,
+ * or an entry in the configuration.properties file under the key
+ * "VAULT_APP_NAME".
+ *
+ */
+ private static final String VAULT_SECRET_NAME = Configuration.getRequired(
+ "VAULT_SECRET_NAME");
+
+ /**
+ *
+ * Connects to a database using connection properties retrieved from the
+ * configured Vault application in HCP Vault Secrets.
+ *
+ *
+ *
+ * Ensure that the HCP Vault Secrets provider is properly configured, and the
+ * specified application name is valid and accessible.
+ *
+ *
+ * @param args the command line arguments
+ * @throws SQLException if an error occurs during the database calls
+ */
+ public static void main(String[] args) throws SQLException {
+ // Construct a JDBC URL for the dedicated type provider
+ String url = "jdbc:oracle:thin:@config-hcpvaultsecret://" + VAULT_SECRET_NAME;
+
+ // Sample default URL if not provided in arguments
+ if (args.length > 0) {
+ url = args[0];
+ }
+
+ // Configure the data source
+ OracleDataSource ds = new OracleDataSource();
+ ds.setURL(url);
+
+ // Standard JDBC code
+ try (Connection cn = ds.getConnection()) {
+ System.out.println("Connected to: " + cn.getMetaData().getURL());
+
+ Statement st = cn.createStatement();
+ ResultSet rs = st.executeQuery("SELECT 'Hello, Vault Secrets' FROM sys" +
+ ".dual");
+ if (rs.next()) {
+ System.out.println(rs.getString(1));
+ }
+ }
+ }
+}
diff --git a/pom.xml b/pom.xml
index 28583708..d14264a2 100644
--- a/pom.xml
+++ b/pom.xml
@@ -63,6 +63,7 @@
ojdbc-provider-opentelemetry
ojdbc-provider-aws
ojdbc-provider-jackson-oson
+ ojdbc-provider-hashicorp