Add Centralized Configuration Provider support (Oracle Database 23ai)

Author: sharadraju

doc/src/release_notes.rst

@@ -10,6 +10,14 @@ For deprecated and desupported features, see :ref:`Deprecations and desupported
 node-oracledb `v6.6.0 <https://github.com/oracle/node-oracledb/compare/v6.5.1...v6.6.0>`__ (TBD)
 ---------------------------------------------------------------------------------------------------------
 
+Common Changes
+++++++++++++++
+
+#)  Added support for Centralized Configuration Providers (Azure App Configuration Store and OCI 
+    Object Storage).
+    Node-oracledb extracts configuration information from the the supported provider and uses it to 
+    connect to the database.
+
 Thin Mode Changes
 +++++++++++++++++
 

examples/azureProviderSample.js

@@ -0,0 +1,89 @@
+// Copyright (c) 2024, Oracle and/or its affiliates.
+
+/******************************************************************************
+ *
+ * This software is dual-licensed to you under the Universal Permissive License
+ * (UPL) 1.0 as shown at https://oss.oracle.com/licenses/upl and Apache License
+ * 2.0 as shown at http://www.apache.org/licenses/LICENSE-2.0. You may choose
+ * either license.
+ *
+ * If you elect to accept the software under the Apache License, Version 2.0,
+ * the following applies:
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *    https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * NAME
+ *   azureProviderSample.js
+ *
+ * DESCRIPTION
+ *   Sample program to connect to the database using DB connectstring, username and password
+ *   which are fetched from the Azure Configuration Store using the connectstring which consists of
+ *   required parameters to authenticate azure configuration store.
+ *
+ *****************************************************************************/
+
+'use strict';
+
+Error.stackTraceLimit = 50;
+
+const oracledb = require('oracledb');
+
+// This example runs in both node-oracledb Thin and Thick modes.
+//
+// Optionally run in node-oracledb Thick mode
+if (process.env.NODE_ORACLEDB_DRIVER_MODE === 'thick') {
+
+  // Thick mode requires Oracle Client or Oracle Instant Client libraries.
+  // On Windows and macOS Intel you can specify the directory containing the
+  // libraries at runtime or before Node.js starts.  On other platforms (where
+  // Oracle libraries are available) the system library search path must always
+  // include the Oracle library path before Node.js starts.  If the search path
+  // is not correct, you will get a DPI-1047 error.  See the node-oracledb
+  // installation documentation.
+  let clientOpts = {};
+  // On Windows and macOS Intel platforms, set the environment
+  // variable NODE_ORACLEDB_CLIENT_LIB_DIR to the Oracle Client library path
+  if (process.platform === 'win32' || (process.platform === 'darwin' && process.arch === 'x64')) {
+    clientOpts = { libDir: process.env.NODE_ORACLEDB_CLIENT_LIB_DIR };
+  }
+  oracledb.initOracleClient(clientOpts);  // enable node-oracledb Thick mode
+}
+
+console.log(oracledb.thin ? 'Running in thin mode' : 'Running in thick mode');
+
+async function run() {
+  // replace xxxx with the corresponding values of the parameter
+  let connection;
+  const options = {
+    connectString: 'config-azure://testappconfig.azconfig.io/?key=testapp/testkey/&azure_client_id=xxxx&azure_client_certificate_path=xxxx&azure_tenant_id=xxxx'
+  };
+  try {
+    // Get a non-pooled connection
+    connection = await oracledb.getConnection(options);
+
+    console.log('Connection was successful!');
+
+  } catch (err) {
+    console.error(err);
+  } finally {
+    if (connection) {
+      try {
+        await connection.close();
+      } catch (err) {
+        console.error(err);
+      }
+    }
+  }
+}
+
+run();

examples/ociProviderSample.js

@@ -0,0 +1,89 @@
+// Copyright (c) 2024, Oracle and/or its affiliates.
+
+/******************************************************************************
+ *
+ * This software is dual-licensed to you under the Universal Permissive License
+ * (UPL) 1.0 as shown at https://oss.oracle.com/licenses/upl and Apache License
+ * 2.0 as shown at http://www.apache.org/licenses/LICENSE-2.0. You may choose
+ * either license.
+ *
+ * If you elect to accept the software under the Apache License, Version 2.0,
+ * the following applies:
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *    https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * NAME
+ *   ociProviderSample.js
+ *
+ * DESCRIPTION
+ *   Sample program to connect to the database using DB connectstring, username and password
+ *   which are fetched from the OCI Object Store using the connectstring which consists of
+ *   required parameters to authenticate OCI Object Store.
+ *
+ *****************************************************************************/
+
+'use strict';
+
+Error.stackTraceLimit = 50;
+
+const oracledb = require('oracledb');
+
+// This example runs in both node-oracledb Thin and Thick modes.
+//
+// Optionally run in node-oracledb Thick mode
+if (process.env.NODE_ORACLEDB_DRIVER_MODE === 'thick') {
+
+  // Thick mode requires Oracle Client or Oracle Instant Client libraries.
+  // On Windows and macOS Intel you can specify the directory containing the
+  // libraries at runtime or before Node.js starts.  On other platforms (where
+  // Oracle libraries are available) the system library search path must always
+  // include the Oracle library path before Node.js starts.  If the search path
+  // is not correct, you will get a DPI-1047 error.  See the node-oracledb
+  // installation documentation.
+  let clientOpts = {};
+  // On Windows and macOS Intel platforms, set the environment
+  // variable NODE_ORACLEDB_CLIENT_LIB_DIR to the Oracle Client library path
+  if (process.platform === 'win32' || (process.platform === 'darwin' && process.arch === 'x64')) {
+    clientOpts = { libDir: process.env.NODE_ORACLEDB_CLIENT_LIB_DIR };
+  }
+  oracledb.initOracleClient(clientOpts);  // enable node-oracledb Thick mode
+}
+
+console.log(oracledb.thin ? 'Running in thin mode' : 'Running in thick mode');
+
+async function run() {
+  //replace xxxx with correct values of the parameter
+  let connection;
+  const options = {
+    connectString: 'config-ociobject://test.us-phoenix-1.oraclecloud.com/n/testnamespace/b/testbucket/o/testobject?oci_tenancy=xxxx&oci_user=xxxx&oci_fingerprint=xxxx&oci_key_file=xxxx',
+  };
+  try {
+    // Get a non-pooled connection
+    connection = await oracledb.getConnection(options);
+
+    console.log('Connection was successful!');
+
+  } catch (err) {
+    console.error(err);
+  } finally {
+    if (connection) {
+      try {
+        await connection.close();
+      } catch (err) {
+        console.error(err);
+      }
+    }
+  }
+}
+
+run();

lib/configProviders/azure.js

@@ -0,0 +1,168 @@
+// Copyright (c) 2024, Oracle and/or its affiliates.
+
+//-----------------------------------------------------------------------------
+//
+// This software is dual-licensed to you under the Universal Permissive License
+// (UPL) 1.0 as shown at https://oss.oracle.com/licenses/upl and Apache License
+// 2.0 as shown at http://www.apache.org/licenses/LICENSE-2.0. You may choose
+// either license.
+//
+// If you elect to accept the software under the Apache License, Version 2.0,
+// the following applies:
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//    https://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+//-----------------------------------------------------------------------------
+
+'use strict';
+
+let AppConfigurationClient;
+let ClientSecretCredential, ClientCertificateCredential, ChainedTokenCredential, ManagedIdentityCredential, EnvironmentCredential;
+const errors = require("../errors.js");
+const { base } = require("./base.js");
+
+class AzureProvider extends base {
+  constructor(provider_arg, urlExtendedPart) {
+    super(urlExtendedPart);
+    this._addParam("appconfigname", provider_arg);
+  }
+
+  //---------------------------------------------------------------------------
+  // init()
+  //
+  // Require/import modules from azure
+  //---------------------------------------------------------------------------
+  init() {
+    ({AppConfigurationClient } = require("@azure/app-configuration"));
+    ({ClientSecretCredential, ClientCertificateCredential, ChainedTokenCredential, ManagedIdentityCredential, EnvironmentCredential} = require("@azure/identity"));
+  }
+
+  //---------------------------------------------------------------------------
+  // _withChainedTokenCredential()
+  //
+  // Use of ChainedTokenCredential class which provides the ability to link
+  // together multiple credential instances to be tried sequentially when authenticating.
+  // Default authentication to try when no authentication parameter is given by the user
+  //---------------------------------------------------------------------------
+  _withChainedTokenCredential() {
+    const tokens = [];
+    if ((this.paramMap.get("azure_client_secret")))
+      tokens.push(new ClientSecretCredential(this.paramMap.get("azure_tenant_id"), this.paramMap.get("azure_client_id"), this.paramMap.get("azure_client_secret")));
+    if ((this.paramMap.get("azure_client_certificate_path")))
+      tokens.push(new ClientCertificateCredential(this.paramMap.get("azure_tenant_id"), this.paramMap.get("azure_client_id"), this.paramMap.get("azure_client_certificate_path")));
+    if ((this.paramMap.get('azure_managed_identity_client_id')))
+      tokens.push(this.paramMap.get('azure_managed_identity_client_id'));
+    tokens.push(new EnvironmentCredential());
+    const credential = new ChainedTokenCredential(...tokens);
+    return credential;
+  }
+
+  //---------------------------------------------------------------------------
+  // _returnCredential()
+  //
+  // Returns credential to access Azure Config Store on the basis of
+  // authentication parameters given by the user.
+  //---------------------------------------------------------------------------
+  _returnCredential() {
+    let auth = null;
+    if (this.paramMap.get('authentication')) {
+      auth = this.paramMap.get('authentication').toUpperCase();
+    }
+    if (auth && !(auth == 'AZURE_DEFAULT')) {
+      // do the given authentication
+      if (auth == 'AZURE_SERVICE_PRINCIPAL') {
+        if (this.paramMap.get("azure_client_certificate_path"))
+          return new ClientCertificateCredential(this.paramMap.get("azure_tenant_id"), this.paramMap.get("azure_client_id"), this.paramMap.get("azure_client_certificate_path"));
+        else if (this.paramMap.get("azure_client_secret"))
+          return new ClientSecretCredential(this.paramMap.get("azure_tenant_id"), this.paramMap.get("azure_client_id"), this.paramMap.get("azure_client_secret"));
+        else
+          errors.throwErr(errors.ERR_AZURE_SERVICE_PRINCIPAL_AUTH_FAILED);
+      } else if (auth == 'AZURE_MANAGED_IDENTITY') {
+        return new ManagedIdentityCredential(this.paramMap.get('azure_managed_identity_client_id'));
+      } else {
+        errors.throwErr(errors.ERR_AZURE_CONFIG_PROVIDER_AUTH_FAILED, auth);
+      }
+    } else {
+      //return default token credential
+      return this._withChainedTokenCredential();
+    }
+  }
+
+  //---------------------------------------------------------------------------
+  // _getConfigurationSetting()
+  //
+  // Get configuration setting from the config provider given a key
+  //and an optional label
+  //---------------------------------------------------------------------------
+  async _getConfigurationSetting(client, key, label) {
+    return await client.getConfigurationSetting({ key: key, label: label });
+
+  }
+
+  async returnConfig() {
+    const configObject = {};
+    const label = this.paramMap.get("label");
+    const credential = this._returnCredential();
+    // azure config store
+    const client = new AppConfigurationClient(
+      "https://" + this.paramMap.get("appconfigname"), // ex: <https://<your appconfig resource>.azconfig.io>
+      credential
+    );
+    // retrieve connect_description
+    configObject.connectString = (await this._getConfigurationSetting(client, this.paramMap.get("key") + 'connect_descriptor', label)).value;
+
+    // retrieve node-oracledb parameters
+    try {
+      const params = (await this._getConfigurationSetting(client, this.paramMap.get("key") + 'node-oracledb', label)).value;
+      const obj = JSON.parse(params);
+      for (const key in obj) {
+        var val = obj[key];
+        configObject[key] = val;
+      }
+    } catch {
+      configObject['node-oracledb'] = null;
+    }
+    try {
+      // retrieve user
+      configObject.user = (await this._getConfigurationSetting(client, this.paramMap.get("key") + 'user', label)).value;
+    } catch {
+      configObject.user = null;
+    }
+    //retrieve password
+    let pwdJson = null;
+    try {
+      pwdJson = await this._getConfigurationSetting(client, this.paramMap.get("key") + 'password', label);
+    } catch {
+      configObject.password = null;
+    }
+    if (pwdJson) {
+      let obj;
+      try {
+        obj = JSON.parse(pwdJson.value);
+      } catch {
+        obj = pwdJson.value;
+      }
+      if (obj.uri) {
+        const { SecretClient } = require("@azure/keyvault-secrets");
+        const vault_detail = await this._parsePwd(obj.uri);
+        const client1 = new SecretClient(vault_detail[0], credential);
+        configObject.password  = (await client1.getSecret(vault_detail[1])).value;
+      } else {
+        configObject.password = pwdJson.value;
+      }
+    }
+    return configObject;
+  }
+}
+module.exports = AzureProvider;
+