awslabs
diff --git a/‎athena-oracle/src/main/java/com/amazonaws/athena/connectors/oracle/OracleCredentialsProvider.java‎
Lines changed: 101 additions & 0 deletions b/‎athena-oracle/src/main/java/com/amazonaws/athena/connectors/oracle/OracleCredentialsProvider.java‎
Lines changed: 101 additions & 0 deletions
diff --git a/‎athena-oracle/src/main/java/com/amazonaws/athena/connectors/oracle/OracleJdbcConnectionFactory.java‎
Lines changed: 0 additions & 115 deletions b/‎athena-oracle/src/main/java/com/amazonaws/athena/connectors/oracle/OracleJdbcConnectionFactory.java‎
Lines changed: 0 additions & 115 deletions
diff --git a/‎athena-oracle/src/main/java/com/amazonaws/athena/connectors/oracle/OracleMetadataHandler.java‎
Lines changed: 11 additions & 1 deletion b/‎athena-oracle/src/main/java/com/amazonaws/athena/connectors/oracle/OracleMetadataHandler.java‎
Lines changed: 11 additions & 1 deletion
diff --git a/‎athena-oracle/src/main/java/com/amazonaws/athena/connectors/oracle/OracleRecordHandler.java‎
Lines changed: 12 additions & 1 deletion b/‎athena-oracle/src/main/java/com/amazonaws/athena/connectors/oracle/OracleRecordHandler.java‎
Lines changed: 12 additions & 1 deletion
@@ -0,0 +1,101 @@
+/*-
+ * #%L
+ * athena-oracle
+ * %%
+ * Copyright (C) 2019 - 2026 Amazon Web Services
+ * %%
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * #L%
+ */
+package com.amazonaws.athena.connectors.oracle;
+
+import com.amazonaws.athena.connector.credentials.CredentialsConstants;
+import com.amazonaws.athena.connector.credentials.DefaultCredentials;
+import com.amazonaws.athena.connector.credentials.DefaultCredentialsProvider;
+import com.google.common.annotations.VisibleForTesting;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import java.util.HashMap;
+import java.util.Map;
+
+public class OracleCredentialsProvider extends DefaultCredentialsProvider
+{
+    public static final String IS_FIPS_ENABLED = "is_fips_enabled";
+    public static final String IS_FIPS_ENABLED_LEGACY = "is_FIPS_Enabled";
+    private static final Logger LOGGER = LoggerFactory.getLogger(OracleCredentialsProvider.class);
+
+    private final String jdbcConnectionString;
+
+    public OracleCredentialsProvider(final String secretString, final String jdbcConnectionString)
+    {
+        super(secretString);
+        this.jdbcConnectionString = jdbcConnectionString;
+    }
+
+    @Override
+    public Map<String, String> getCredentialMap()
+    {
+        DefaultCredentials creds = getCredential();
+        String password = creds.getPassword();
+        if (!password.contains("\"")) {
+            password = String.format("\"%s\"", password);
+        }
+        
+        Map<String, String> credMap = new HashMap<>();
+        credMap.put(CredentialsConstants.USER, creds.getUser());
+        credMap.put(CredentialsConstants.PASSWORD, password);
+
+        //checking for tcps (Secure Communication) protocol as part of the connection string.
+        if (jdbcConnectionString != null && jdbcConnectionString.toLowerCase().contains("@tcps://")) {
+            LOGGER.info("Adding SSL properties...");
+            credMap.put("javax.net.ssl.trustStoreType", "JKS");
+            credMap.put("javax.net.ssl.trustStorePassword", "changeit");
+            credMap.put("oracle.net.ssl_server_dn_match", "true");
+
+            // By default; Oracle RDS uses SSL_RSA_WITH_AES_256_CBC_SHA
+            // Adding the following cipher suits to support others listed in Doc
+            // https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Appendix.Oracle.Options.SSL.html#Appendix.Oracle.Options.SSL.CipherSuites
+            if (isFipsEnabled()) {
+                credMap.put("oracle.net.ssl_cipher_suites", 
+                    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384," +
+                    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256," +
+                    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384," +
+                    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256," +
+                    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA," +
+                    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA");
+            }
+        }
+        
+        return credMap;
+    }
+
+    // Returns true if either current or legacy FIPS environment variable is set to "true"
+    private boolean isFipsEnabled()
+    {
+        return Boolean.parseBoolean(getFipsEnabledEnv()) ||
+                Boolean.parseBoolean(getFipsEnabledLegacyEnv());
+    }
+
+    @VisibleForTesting
+    protected String getFipsEnabledEnv()
+    {
+        return System.getenv(IS_FIPS_ENABLED);
+    }
+
+    @VisibleForTesting
+    protected String getFipsEnabledLegacyEnv()
+    {
+        return System.getenv(IS_FIPS_ENABLED_LEGACY);
+    }
+}
@@ -20,6 +20,7 @@
  */
 package com.amazonaws.athena.connectors.oracle;
 
+import com.amazonaws.athena.connector.credentials.CredentialsProvider;
 import com.amazonaws.athena.connector.lambda.QueryStatusChecker;
 import com.amazonaws.athena.connector.lambda.data.Block;
 import com.amazonaws.athena.connector.lambda.data.BlockAllocator;
@@ -45,6 +46,7 @@
 import com.amazonaws.athena.connector.lambda.metadata.optimizations.pushdown.TopNPushdownSubType;
 import com.amazonaws.athena.connectors.jdbc.connection.DatabaseConnectionConfig;
 import com.amazonaws.athena.connectors.jdbc.connection.DatabaseConnectionInfo;
+import com.amazonaws.athena.connectors.jdbc.connection.GenericJdbcConnectionFactory;
 import com.amazonaws.athena.connectors.jdbc.connection.JdbcConnectionFactory;
 import com.amazonaws.athena.connectors.jdbc.manager.JDBCUtil;
 import com.amazonaws.athena.connectors.jdbc.manager.JdbcArrowTypeConverter;
@@ -112,7 +114,7 @@ public OracleMetadataHandler(java.util.Map<String, String> configOptions)
      */
     public OracleMetadataHandler(DatabaseConnectionConfig databaseConnectionConfig, java.util.Map<String, String> configOptions)
     {
-        this(databaseConnectionConfig, new OracleJdbcConnectionFactory(databaseConnectionConfig, new DatabaseConnectionInfo(OracleConstants.ORACLE_DRIVER_CLASS, OracleConstants.ORACLE_DEFAULT_PORT)), configOptions);
+        this(databaseConnectionConfig, new GenericJdbcConnectionFactory(databaseConnectionConfig, null, new DatabaseConnectionInfo(OracleConstants.ORACLE_DRIVER_CLASS, OracleConstants.ORACLE_DEFAULT_PORT)), configOptions);
     }
 
     public OracleMetadataHandler(DatabaseConnectionConfig databaseConnectionConfig, JdbcConnectionFactory jdbcConnectionFactory, java.util.Map<String, String> configOptions)
@@ -384,4 +386,12 @@ protected Schema getSchema(Connection jdbcConnection, TableName tableName, Schem
             return schemaBuilder.build();
         }
     }
+
+    @Override
+    public CredentialsProvider createCredentialsProvider(String secretName, AwsRequestOverrideConfiguration requestOverrideConfiguration)
+    {
+        return new OracleCredentialsProvider(
+                getSecret(secretName, requestOverrideConfiguration),
+                getDatabaseConnectionConfig().getJdbcConnectionString());
+    }
 }
@@ -19,11 +19,13 @@
  */
 package com.amazonaws.athena.connectors.oracle;
 
+import com.amazonaws.athena.connector.credentials.CredentialsProvider;
 import com.amazonaws.athena.connector.lambda.domain.Split;
 import com.amazonaws.athena.connector.lambda.domain.TableName;
 import com.amazonaws.athena.connector.lambda.domain.predicate.Constraints;
 import com.amazonaws.athena.connectors.jdbc.connection.DatabaseConnectionConfig;
 import com.amazonaws.athena.connectors.jdbc.connection.DatabaseConnectionInfo;
+import com.amazonaws.athena.connectors.jdbc.connection.GenericJdbcConnectionFactory;
 import com.amazonaws.athena.connectors.jdbc.connection.JdbcConnectionFactory;
 import com.amazonaws.athena.connectors.jdbc.manager.JDBCUtil;
 import com.amazonaws.athena.connectors.jdbc.manager.JdbcRecordHandler;
@@ -33,6 +35,7 @@
 import org.apache.commons.lang3.Validate;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
+import software.amazon.awssdk.awscore.AwsRequestOverrideConfiguration;
 import software.amazon.awssdk.services.athena.AthenaClient;
 import software.amazon.awssdk.services.s3.S3Client;
 import software.amazon.awssdk.services.secretsmanager.SecretsManagerClient;
@@ -69,7 +72,7 @@ public OracleRecordHandler(java.util.Map<String, String> configOptions)
 
     public OracleRecordHandler(DatabaseConnectionConfig databaseConnectionConfig, java.util.Map<String, String> configOptions)
     {
-        this(databaseConnectionConfig, new OracleJdbcConnectionFactory(databaseConnectionConfig, new DatabaseConnectionInfo(ORACLE_DRIVER_CLASS, ORACLE_DEFAULT_PORT)), configOptions);
+        this(databaseConnectionConfig, new GenericJdbcConnectionFactory(databaseConnectionConfig, null, new DatabaseConnectionInfo(ORACLE_DRIVER_CLASS, ORACLE_DEFAULT_PORT)), configOptions);
     }
 
     public OracleRecordHandler(DatabaseConnectionConfig databaseConnectionConfig, JdbcConnectionFactory jdbcConnectionFactory, java.util.Map<String, String> configOptions)
@@ -103,4 +106,12 @@ public PreparedStatement buildSplitSql(Connection jdbcConnection, String catalog
 
         return preparedStatement;
     }
+
+    @Override
+    public CredentialsProvider createCredentialsProvider(String secretName, AwsRequestOverrideConfiguration requestOverrideConfiguration)
+    {
+        return new OracleCredentialsProvider(
+                getSecret(secretName, requestOverrideConfiguration),
+                getDatabaseConnectionConfig().getJdbcConnectionString());
+    }
 }