Config Provider support improvements and more test cases

Author: sharadraju

doc/src/api_manual/oracledb.rst

@@ -749,6 +749,21 @@ Each of the configuration properties is described below.
         const oracledb = require('oracledb');
         oracledb.autoCommit = false;
 
+.. attribute:: oracledb.configProviderCacheTimeout
+
+    This property is the number of seconds that node-oracledb keeps
+    the configuration information retrieved from a
+    :ref:`centralized configuration provider <configurationprovider>` cached.
+
+    The default value is *86400* seconds.
+
+    **Example**
+
+    .. code-block:: javascript
+
+        const oracledb = require('oracledb');
+        oracledb.configProviderCacheTimeout = 6;
+
 .. attribute:: oracledb.connectionClass
 
     The user-chosen Connection class value is a string which defines a

doc/src/release_notes.rst

@@ -13,13 +13,21 @@ node-oracledb `v6.7.0 <https://github.com/oracle/node-oracledb/compare/v6.6.0...
 Common Changes
 ++++++++++++++
 
-Thin Mode Changes
-+++++++++++++++++
+#)  Added support to connect to Oracle Database using wallets stored in
+    Azure Key Vault and OCI Vault.
+
+#)  Added ability to cache the configuration information retrieved from
+    :ref:`Azure App Configuration <conninfocacheazure>` and
+    :ref:`OCI Object Storage <conninfocacheoci>` centralized configuration
+    providers.
+
+#)  Ensure that the password stored in OCI vault and retrieved
+    in base64-encoded format is decoded correctly.
 
 #)  Changed default values of ``transportConnectTimeout`` and
-    ``retryDelay`` properties in :meth:`oracledb.getConnection()` and
-    :meth:`oracledb.createPool()` for consistency with other Oracle Database
-    drivers.
+    ``retryDelay`` properties to *20* seconds and *1* second respectively in
+    :meth:`oracledb.getConnection()` and :meth:`oracledb.createPool()` for
+    consistency with other Oracle Database drivers.
 
 #)  Changed the password type parameter values from `vault-oci` and
     `vault-azure` to `ocivault` and `azurevault` respectively for consistency
@@ -28,6 +36,9 @@ Thin Mode Changes
 #)  Added method :meth:`oracledb.getNetworkServiceNames()` to support fetching
     the list of network service names from the ``tnsnames.ora`` file.
 
+Thin Mode Changes
++++++++++++++++++
+
 #)  Fixed bug that did not allow connection to Oracle Database 23ai instances
     that have fast authentication disabled.
 

doc/src/user_guide/connection_handling.rst

@@ -4406,6 +4406,22 @@ the order of precedence from highest to lowest will be as follows:
 - Azure App Configuration
 - Application
 
+.. _conninfocacheazure:
+
+Azure App Configuration Information Caching
++++++++++++++++++++++++++++++++++++++++++++
+
+Node-oracledb caches configuration information from Azure App Configuration by
+default. This allows you to reuse the cached configuration information which
+significantly reduces the number of round-trips to this configuration
+provider.
+
+You can use the :attr:`oracledb.configProviderCacheTimeout` property to set
+the amount of time for node-oracledb to cache the configuration retrieved from
+Azure App Configuration. Once the cache expires, node-oracledb refreshes the
+cache when configuration information from this configuration provider is
+required.
+
 .. _ociobjstorage:
 
 OCI Object Storage Configuration Provider
@@ -4692,6 +4708,21 @@ precedence from highest to lowest will be as follows:
 - OCI Object Storage
 - Application
 
+.. _conninfocacheoci:
+
+OCI Object Storage Configuration Information Caching
+++++++++++++++++++++++++++++++++++++++++++++++++++++
+
+Node-oracledb caches configuration information from OCI Object Storage by
+default. This allows you to reuse the cached configuration information which
+significantly reduces the number of round-trips to this configuration
+provider.
+
+You can use the :attr:`oracledb.configProviderCacheTimeout` property to set
+the amount of time for node-oracledb to cache the configuration retrieved from
+OCI Object Storage. Once the cache expires, node-oracledb refreshes the cache
+when configuration information from this configuration provider is required.
+
 .. _sharding:
 
 Connecting to Sharded Databases

lib/configProviders/azure.js

@@ -112,11 +112,11 @@ class AzureProvider extends base {
   async returnConfig() {
     const configObject = {};
     const label = this.paramMap.get("label");
-    const credential = this._returnCredential();
+    this.credential = this._returnCredential();
     // azure config store
     const client = new AppConfigurationClient(
       "https://" + this.paramMap.get("appconfigname"), // ex: <https://<your appconfig resource>.azconfig.io>
-      credential
+      this.credential
     );
     // retrieve connect_description
     configObject.connectString = (await this._getConfigurationSetting(client, this.paramMap.get("key") + 'connect_descriptor', label)).value;
@@ -139,29 +139,40 @@ class AzureProvider extends base {
       configObject.user = null;
     }
     //retrieve password
-    let pwdJson = null;
+    configObject.password = await this.retrieveParamValueFromVault(client, label, 'password');
+    // retrieve wallet_location
+    configObject.walletContent = await this.retrieveParamValueFromVault(client, label, 'wallet_location');
+    if (configObject.walletContent) {
+      //only Pem file supported
+      if (!this.isPemFile(configObject.walletContent))
+        errors.throwErr(errors.ERR_WALLET_TYPE_NOT_SUPPORTED);
+    }
+    return configObject;
+  }
+  async retrieveParamValueFromVault(client, label, param) {
+    let paramJson = null;
     try {
-      pwdJson = await this._getConfigurationSetting(client, this.paramMap.get("key") + 'password', label);
+      paramJson = await this._getConfigurationSetting(client, this.paramMap.get("key") + param, label);
     } catch {
-      configObject.password = null;
+      return null;
     }
-    if (pwdJson) {
+    if (paramJson) {
       let obj;
       try {
-        obj = JSON.parse(pwdJson.value);
+        obj = JSON.parse(paramJson.value);
       } catch {
-        obj = pwdJson.value;
+        obj = paramJson.value;
       }
       if (obj.uri) {
         const { SecretClient } = require("@azure/keyvault-secrets");
         const vault_detail = await this._parsePwd(obj.uri);
-        const client1 = new SecretClient(vault_detail[0], credential);
-        configObject.password  = (await client1.getSecret(vault_detail[1])).value;
+        const client1 = new SecretClient(vault_detail[0], this.credential);
+        return  (await client1.getSecret(vault_detail[1])).value;
       } else {
-        configObject.password = pwdJson.value;
+        return paramJson.value;
       }
     }
-    return configObject;
+
   }
 }
 module.exports = AzureProvider;

lib/configProviders/base.js

@@ -26,49 +26,35 @@
 
 'use strict';
 
+const pemHeaders = [
+  '-----BEGIN CERTIFICATE-----',
+  '-----BEGIN PUBLIC KEY-----',
+  '-----BEGIN PRIVATE KEY-----',
+  '-----BEGIN RSA PRIVATE KEY-----',
+  '-----BEGIN DSA PRIVATE KEY-----',
+  '-----BEGIN EC PRIVATE KEY-----',
+  '-----BEGIN ENCRYPTED PRIVATE KEY-----'
+];
+const pemFooters = [
+  '-----END CERTIFICATE-----',
+  '-----END PUBLIC KEY-----',
+  '-----END PRIVATE KEY-----',
+  '-----END RSA PRIVATE KEY-----',
+  '-----END DSA PRIVATE KEY-----',
+  '-----END EC PRIVATE KEY-----',
+  '-----END ENCRYPTED PRIVATE KEY-----'
+];
 class base {
   constructor(url) {
     const params = new URLSearchParams(url);
     this.paramMap = new URLSearchParams([...params].map(([key, value]) => [key.toLowerCase(), value])); //parse the extended part and store parameters in Map
   }
 
-  /**
-  * Sets precedence for different parameters in cloudConfig/userConfig
-  * @param {cloudConfig} object - object retreived from cloud
-  * @param {userConfig} object -  user input Object
-  */
-  modifyOptionsPrecedence(cloudConfig, userConfig) {
-    // create a copy of userConfig object
-    userConfig = { ...userConfig };
-    if (!userConfig.user)
-      userConfig.user = cloudConfig.user;
-    if (!userConfig.password)
-      userConfig.password = cloudConfig.password;
-    if (cloudConfig.connectString) {
-      userConfig.connectString = cloudConfig.connectString;
-      userConfig.connectionString = undefined;
-    }
-    if (cloudConfig.poolMin)
-      userConfig.poolMin = cloudConfig.poolMin;
-    if (cloudConfig.poolMax)
-      userConfig.poolMax = cloudConfig.poolMax;
-    if (cloudConfig.poolIncrement)
-      userConfig.poolIncrement = cloudConfig.poolIncrement;
-    if (cloudConfig.poolTimeout)
-      userConfig.poolTimeout = cloudConfig.poolTimeout;
-    if (cloudConfig.poolPingInterval)
-      userConfig.poolPingInterval = cloudConfig.poolPingInterval;
-    if (cloudConfig.poolPingTimeout)
-      userConfig.poolPingTimeout = cloudConfig.poolPingTimeout;
-    if (cloudConfig.stmtCacheSize)
-      userConfig.stmtCacheSize = cloudConfig.stmtCacheSize;
-    if (cloudConfig.prefetchRows)
-      userConfig.prefetchRows = cloudConfig.prefetchRows;
-    if (cloudConfig.lobPrefetch)
-      userConfig.lobPrefetch = cloudConfig.lobPrefetch;
-
-    return userConfig;
-
+  isPemFile(content) {
+    //remove any line breaks at the end of the content
+    content = content.trim();
+    return pemHeaders.some(header => content.includes(header)) &&
+         pemFooters.some(footer => content.endsWith(footer));
   }
 
   //---------------------------------------------------------------------------

lib/configProviders/ociobject.js

@@ -32,7 +32,6 @@ const fs = require('fs');
 const cloud_net_naming_pattern_oci = new RegExp("(?<objservername>[A-Za-z0-9._-]+)/n/" + "(?<namespace>[A-Za-z0-9._-]+)/b/" + "(?<bucketname>[A-Za-z0-9._-]+)/o/" + "(?<filename>[A-Za-z0-9._-]+)" + "(/c/(?<alias>.+))?$");
 // object to store module references that will be populated by init()
 const oci = {};
-
 class OCIProvider extends base {
   constructor(provider_arg, urlExtendedPart) {
     super(urlExtendedPart);
@@ -127,65 +126,41 @@ class OCIProvider extends base {
   //---------------------------------------------------------------------------
   async returnConfig() {
     const configObject = {};
-    const credential = await this._returnCredential();
+    this.credential = await this._returnCredential();
     // oci object store
     const client_oci = new (oci.objectstorage).ObjectStorageClient({
-      authenticationDetailsProvider: credential
+      authenticationDetailsProvider: this.credential
     });
     const getObjectRequest = {
       objectName: this.paramMap.get('filename'),
       bucketName: this.paramMap.get('bucketname'),
       namespaceName: this.paramMap.get('namespace')
     };
-    let credential1;
     const getObjectResponse = await client_oci.getObject(getObjectRequest);
     const resp = await this._streamToString(getObjectResponse.value);
     // Entire object we get from OCI Object Storage
-    let obj = JSON.parse(resp);
+    this.obj = JSON.parse(resp);
     const userAlias = this.paramMap.get('alias');
     if (userAlias) {
-      obj = obj[userAlias];
+      this.obj = this.obj[userAlias];
     }
     const pmSection = 'node-oracledb';
-    const params = obj[pmSection];
+    const params = this.obj[pmSection];
     for (const key in params) {
       var val = params[key];
       configObject[key] = val;
     }
-    configObject.connectString = obj.connect_descriptor;
-    configObject.user = obj.user;
-    if (obj.password) {
-      if (obj.password.type == "azurevault") {
-        if (obj.password.authentication) {
-          const { SecretClient } = require("@azure/keyvault-secrets");
-          const {ClientSecretCredential, ClientCertificateCredential} = require("@azure/identity");
-          if (obj.password.authentication.azure_client_secret)
-            credential1 = new ClientSecretCredential(obj.password.authentication.azure_tenant_id, obj.password.authentication.azure_client_id, obj.password.authentication.azure_client_secret);
-          else if (obj.password.authentication.azure_client_certificate_path)
-            credential1 = new ClientCertificateCredential(obj.password.authentication.azure_tenant_id, obj.password.authentication.azure_client_id, obj.password.authentication.azure_client_certificate_path);
-          else
-            errors.throwErr(errors.ERR_AZURE_VAULT_AUTH_FAILED);
-          const vault_detail = await this._parsePwd(obj.password.value);
-          const client1 = new SecretClient(vault_detail[0], credential1);
-          configObject.password = (await client1.getSecret(vault_detail[1])).value;
-        } else {
-          errors.throwErr(errors.ERR_AZURE_VAULT_AUTH_FAILED);
-        }
-      } else if (obj.password.type == "ocivault") {
-        const secrets = require('oci-secrets');
-        const secretClientOci =  new secrets.SecretsClient({
-          authenticationDetailsProvider: credential
-        });
-        const getSecretBundleRequest = {
-          secretId: obj.password.value
-        };
-        const getSecretBundleResponse = await secretClientOci.getSecretBundle(getSecretBundleRequest);
-        configObject.password = getSecretBundleResponse.secretBundle.secretBundleContent.content;
-      } else if (obj.password) {
-        configObject.password = obj.password;
-      }
-    } else {
-      configObject.password = null;
+    configObject.connectString = this.obj.connect_descriptor;
+    configObject.user = this.obj.user;
+    if (this.obj.password) {
+      configObject.password = await this.retrieveParamValueFromVault('password');
+    }
+    if (this.obj.wallet_location) {
+      // retrieve wallet_location
+      configObject.walletContent = await this.retrieveParamValueFromVault('wallet_location');
+      //only Pem file supported
+      if (!this.isPemFile(configObject.walletContent))
+        errors.throwErr(errors.ERR_WALLET_TYPE_NOT_SUPPORTED);
     }
     return configObject;
   }
@@ -199,5 +174,40 @@ class OCIProvider extends base {
     const arr = objservername.split(".");
     return arr[1].toUpperCase().replaceAll('-', '_');
   }
+
+  async retrieveParamValueFromVault(param) {
+    if (this.obj[param].type == "azurevault") {
+      if (this.obj[param].authentication) {
+        const { SecretClient } = require("@azure/keyvault-secrets");
+        const {ClientSecretCredential, ClientCertificateCredential} = require("@azure/identity");
+        if (this.obj[param].authentication.azure_client_secret)
+          this.credential = new ClientSecretCredential(this.obj[param].authentication.azure_tenant_id, this.obj[param].authentication.azure_client_id, this.obj[param].authentication.azure_client_secret);
+        else if (this.obj[param].authentication.azure_client_certificate_path)
+          this.credential = new ClientCertificateCredential(this.obj[param].authentication.azure_tenant_id, this.obj[param].authentication.azure_client_id, this.obj[param].authentication.azure_client_certificate_path);
+        else
+          errors.throwErr(errors.ERR_AZURE_VAULT_AUTH_FAILED);
+        const vault_detail = await this._parsePwd(this.obj[param].value);
+        const client1 = new SecretClient(vault_detail[0], this.credential);
+        return (await client1.getSecret(vault_detail[1])).value;
+      } else {
+        errors.throwErr(errors.ERR_AZURE_VAULT_AUTH_FAILED);
+      }
+    } else if (this.obj[param].type == "ocivault") {
+      const secrets = require('oci-secrets');
+      const secretClientOci =  new secrets.SecretsClient({
+        authenticationDetailsProvider: this.credential
+      });
+      const getSecretBundleRequest = {
+        secretId: this.obj[param].value
+      };
+      const getSecretBundleResponse = await secretClientOci.getSecretBundle(getSecretBundleRequest);
+      const base64content = getSecretBundleResponse.secretBundle.secretBundleContent.content;
+      // decode base64 content
+      const returnVal = Buffer.from(base64content, "base64").toString("utf-8");
+      return returnVal;
+    }  else {
+      return this.obj[param];
+    }
+  }
 }
 module.exports = OCIProvider;

lib/errors.js

@@ -193,6 +193,7 @@ const ERR_CONFIG_PROVIDER_LOAD_FAILED = 525;
 const ERR_OCIOBJECT_CONFIG_PROVIDER_AUTH_FAILED = 526;
 const ERR_AZURE_VAULT_AUTH_FAILED = 527;
 const ERR_AZURE_SERVICE_PRINCIPAL_AUTH_FAILED = 528;
+const ERR_WALLET_TYPE_NOT_SUPPORTED = 529;
 
 // Oracle SUCCESS_WITH_INFO warning start from 700
 const WRN_COMPILATION_CREATE = 700;
@@ -521,6 +522,7 @@ messages.set(ERR_AZURE_VAULT_AUTH_FAILED,                        // NJS-527
   'Azure Vault: Provide correct azure vault authentication details');
 messages.set(ERR_AZURE_SERVICE_PRINCIPAL_AUTH_FAILED,                        // NJS-528
   'Azure service principal authentication requires either a client certificate path or a client secret string');
+messages.set(ERR_WALLET_TYPE_NOT_SUPPORTED, 'Invalid wallet content format. Supported format is PEM');// NJS-529
 // Oracle SUCCESS_WITH_INFO warning
 
 messages.set(WRN_COMPILATION_CREATE,                           // NJS-700
@@ -837,6 +839,7 @@ module.exports = {
   ERR_CONFIG_PROVIDER_FAILED_TO_RETRIEVE_CONFIG,
   ERR_CONFIG_PROVIDER_NOT_SUPPORTED,
   ERR_CONFIG_PROVIDER_LOAD_FAILED,
+  ERR_WALLET_TYPE_NOT_SUPPORTED,
   ERR_INVALID_BIND_NAME,
   ERR_WRONG_NUMBER_OF_POSITIONAL_BINDS,
   ERR_BUFFER_LENGTH_INSUFFICIENT,