fix(oracle): normalize encoded proxy usernames in go-ora DSN (googleapis#2469)

## Summary
Fix Oracle go-ora DSN construction so proxy usernames with brackets
(`user[client]`) are handled correctly and pre-encoded usernames are not
double-encoded.

Fixes googleapis#2454.

## Root cause
`buildGoOraConnString` built DSNs using `url.URL{Host:
connectStringBase, User: url.UserPassword(...)}`.
For Oracle connect strings like `host:1521/SERVICE`, putting the full
value in `Host` is lossy for URL formatting and brittle for userinfo
handling.
Also, when a username is already percent-encoded (`user%5Bclient%5D`),
passing it directly to `url.UserPassword` can double-encode `%` without
normalization.

## Fix
- Normalize user/password with `url.PathUnescape` before URL userinfo
encoding.
- Construct DSN as:
  - encoded userinfo (`url.UserPassword(...).String()`)
- raw Oracle connect string appended after `@` (preserves
`host:port/service` shape)
- Preserve wallet query args behavior (`ssl=true&wallet=...`).

## Tests
Added regression coverage in
`internal/sources/oracle/oracle_connstring_test.go`:
- bracketed proxy username is encoded correctly.
- already percent-encoded proxy username is not double-encoded.
- existing wallet/non-wallet DSN cases remain correct.

## Validation
- `go test ./internal/sources/oracle -run
'TestBuildGoOraConnString|TestParseFromYamlOracle|TestFailParseFromYaml'`

---------

Co-authored-by: DEVELOPER-DEEVEN <144827577+DEVELOPER-DEEVEN@users.noreply.github.com>
Co-authored-by: Wenxin Du <117315983+duwenxin99@users.noreply.github.com>

Author: Deeven-Seru

internal/sources/oracle/oracle.go

@@ -6,6 +6,7 @@ import (
 	"database/sql"
 	"encoding/json"
 	"fmt"
+	"net/url"
 	"os"
 	"strings"
 
@@ -253,6 +254,41 @@ func (s *Source) RunSQL(ctx context.Context, statement string, params []any, rea
 	return out, nil
 }
 
+func buildGoOraConnString(user, password, connectStringBase, walletLocation string) string {
+	userInfo := url.UserPassword(
+		decodePercentEncodedUserInfo(user),
+		decodePercentEncodedUserInfo(password),
+	).String()
+
+	base := fmt.Sprintf("oracle://%s@%s", userInfo, connectStringBase)
+	trimmedWalletLocation := strings.TrimSpace(walletLocation)
+	if trimmedWalletLocation == "" {
+		return base
+	}
+
+	q := url.Values{}
+	q.Set("ssl", "true")
+	q.Set("wallet", trimmedWalletLocation)
+
+	separator := "?"
+	if strings.Contains(connectStringBase, "?") {
+		separator = "&"
+		if strings.HasSuffix(base, "?") || strings.HasSuffix(base, "&") {
+			separator = ""
+		}
+	}
+
+	return fmt.Sprintf("%s%s%s", base, separator, q.Encode())
+}
+
+func decodePercentEncodedUserInfo(value string) string {
+	decoded, err := url.PathUnescape(value)
+	if err != nil {
+		return value
+	}
+	return decoded
+}
+
 func initOracleConnection(ctx context.Context, tracer trace.Tracer, config Config) (*sql.DB, error) {
 	//nolint:all // Reassigned ctx
 	ctx, span := sources.InitConnectionSpan(ctx, tracer, SourceType, config.Name)
@@ -305,16 +341,11 @@ func initOracleConnection(ctx context.Context, tracer trace.Tracer, config Confi
 		// Use go-ora driver (pure Go)
 		driverName = "oracle"
 
-		user := config.User
-		password := config.Password
+		finalConnStr = buildGoOraConnString(config.User, config.Password, connectStringBase, config.WalletLocation)
 
 		if hasWallet {
-			finalConnStr = fmt.Sprintf("oracle://%s:%s@%s?ssl=true&wallet=%s",
-				user, password, connectStringBase, config.WalletLocation)
+			logger.DebugContext(ctx, fmt.Sprintf("Using go-ora driver (pure-Go) with wallet and serverString: %s\n", connectStringBase))
 		} else {
-			// Standard go-ora connection
-			finalConnStr = fmt.Sprintf("oracle://%s:%s@%s",
-				config.User, config.Password, connectStringBase)
 			logger.DebugContext(ctx, fmt.Sprintf("Using go-ora driver (pure-Go) with serverString: %s\n", connectStringBase))
 		}
 	}

internal/sources/oracle/oracle_test.go

@@ -1,6 +1,6 @@
 // Copyright © 2025, Oracle and/or its affiliates.
 
-package oracle_test
+package oracle
 
 import (
 	"context"
@@ -11,7 +11,6 @@ import (
 	"github.com/google/go-cmp/cmp"
 	"github.com/googleapis/genai-toolbox/internal/server"
 	"github.com/googleapis/genai-toolbox/internal/sources"
-	"github.com/googleapis/genai-toolbox/internal/sources/oracle"
 	"github.com/googleapis/genai-toolbox/internal/testutils"
 )
 
@@ -33,9 +32,9 @@ func TestParseFromYamlOracle(t *testing.T) {
 			useOCI: true
 			`,
 			want: map[string]sources.SourceConfig{
-				"my-oracle-cs": oracle.Config{
+				"my-oracle-cs": Config{
 					Name:             "my-oracle-cs",
-					Type:             oracle.SourceType,
+					Type:             SourceType,
 					ConnectionString: "my-host:1521/XEPDB1",
 					User:             "my_user",
 					Password:         "my_pass",
@@ -56,9 +55,9 @@ func TestParseFromYamlOracle(t *testing.T) {
 			password: my_pass
 			`,
 			want: map[string]sources.SourceConfig{
-				"my-oracle-host": oracle.Config{
+				"my-oracle-host": Config{
 					Name:        "my-oracle-host",
-					Type:        oracle.SourceType,
+					Type:        SourceType,
 					Host:        "my-host",
 					Port:        1521,
 					ServiceName: "ORCLPDB",
@@ -81,9 +80,9 @@ func TestParseFromYamlOracle(t *testing.T) {
 			useOCI: true 
 			`,
 			want: map[string]sources.SourceConfig{
-				"my-oracle-tns-oci": oracle.Config{
+				"my-oracle-tns-oci": Config{
 					Name:     "my-oracle-tns-oci",
-					Type:     oracle.SourceType,
+					Type:     SourceType,
 					TnsAlias: "FINANCE_DB",
 					TnsAdmin: "/opt/oracle/network/admin",
 					User:     "my_user",
@@ -106,6 +105,68 @@ func TestParseFromYamlOracle(t *testing.T) {
 	}
 }
 
+func TestBuildGoOraConnString(t *testing.T) {
+	t.Parallel()
+
+	tcs := []struct {
+		name           string
+		user           string
+		password       string
+		connectBase    string
+		walletLocation string
+		want           string
+	}{
+		{
+			name:           "encodes_credentials_and_wallet",
+			user:           "user[client]",
+			password:       "pa:ss@word",
+			connectBase:    "dbhost:1521/XEPDB1",
+			walletLocation: "/tmp/my wallet",
+			want:           "oracle://user%5Bclient%5D:pa%3Ass%40word@dbhost:1521/XEPDB1?ssl=true&wallet=%2Ftmp%2Fmy+wallet",
+		},
+		{
+			name:        "no_wallet",
+			user:        "scott",
+			password:    "tiger",
+			connectBase: "dbhost:1521/ORCL",
+			want:        "oracle://scott:tiger@dbhost:1521/ORCL",
+		},
+		{
+			name:        "does_not_double_encode_percent_encoded_user",
+			user:        "app_user%5BCLIENT_A%5D",
+			password:    "secret",
+			connectBase: "dbhost:1521/ORCL",
+			want:        "oracle://app_user%5BCLIENT_A%5D:secret@dbhost:1521/ORCL",
+		},
+		{
+			name:           "uses_trimmed_wallet_location",
+			user:           "scott",
+			password:       "tiger",
+			connectBase:    "dbhost:1521/ORCL",
+			walletLocation: "  /tmp/wallet  ",
+			want:           "oracle://scott:tiger@dbhost:1521/ORCL?ssl=true&wallet=%2Ftmp%2Fwallet",
+		},
+		{
+			name:           "appends_wallet_query_to_existing_query",
+			user:           "scott",
+			password:       "tiger",
+			connectBase:    "dbhost:1521/ORCL?custom_opt=true",
+			walletLocation: " /tmp/wallet ",
+			want:           "oracle://scott:tiger@dbhost:1521/ORCL?custom_opt=true&ssl=true&wallet=%2Ftmp%2Fwallet",
+		},
+	}
+
+	for _, tc := range tcs {
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+			got := buildGoOraConnString(tc.user, tc.password, tc.connectBase, tc.walletLocation)
+			if got != tc.want {
+				t.Fatalf("buildGoOraConnString() = %q, want %q", got, tc.want)
+			}
+		})
+	}
+}
+
 func TestFailParseFromYaml(t *testing.T) {
 	tcs := []struct {
 		desc string
@@ -205,10 +266,10 @@ func TestRunSQLExecutesDML(t *testing.T) {
 	}
 	defer db.Close()
 
-	src := &oracle.Source{
-		Config: oracle.Config{
+	src := &Source{
+		Config: Config{
 			Name: "test-dml-source",
-			Type: oracle.SourceType,
+			Type: SourceType,
 			User: "test-user",
 		},
 		DB: db,