Abstract common OAuth handling and add OAuth support to Athena DataLake Gen2 Connector (awslabs#2932)

Co-authored-by: burhan94 <[email protected]>

Author: 2 people

athena-cloudera-hive/src/main/java/com/amazonaws/athena/connectors/cloudera/HiveJdbcConnectionFactory.java

@@ -20,6 +20,7 @@
 
 package com.amazonaws.athena.connectors.cloudera;
 
+import com.amazonaws.athena.connector.credentials.CredentialsConstants;
 import com.amazonaws.athena.connector.credentials.CredentialsProvider;
 import com.amazonaws.athena.connectors.jdbc.connection.DatabaseConnectionConfig;
 import com.amazonaws.athena.connectors.jdbc.connection.DatabaseConnectionInfo;
@@ -62,7 +63,7 @@ public Connection getConnection(final CredentialsProvider credentialsProvider)
         if (null != credentialsProvider) {
             Matcher secretMatcher = SECRET_NAME_PATTERN.matcher(databaseConnectionConfig.getJdbcConnectionString());
             final String secretReplacement = String.format("UID=%s;PWD=%s",
-                    credentialsProvider.getCredential().getUser(), credentialsProvider.getCredential().getPassword());
+                    credentialsProvider.getCredentialMap().get(CredentialsConstants.USER), credentialsProvider.getCredentialMap().get(CredentialsConstants.PASSWORD));
             derivedJdbcString = secretMatcher.replaceAll(Matcher.quoteReplacement(secretReplacement));
         }
         else {

athena-cloudera-impala/src/main/java/com/amazonaws/athena/connectors/cloudera/ImpalaJdbcConnectionFactory.java

@@ -20,6 +20,7 @@
 
 package com.amazonaws.athena.connectors.cloudera;
 
+import com.amazonaws.athena.connector.credentials.CredentialsConstants;
 import com.amazonaws.athena.connector.credentials.CredentialsProvider;
 import com.amazonaws.athena.connectors.jdbc.connection.DatabaseConnectionConfig;
 import com.amazonaws.athena.connectors.jdbc.connection.DatabaseConnectionInfo;
@@ -63,7 +64,7 @@ public Connection getConnection(final CredentialsProvider credentialsProvider)
             if (null != credentialsProvider) {
                 Matcher secretMatcher = SECRET_NAME_PATTERN.matcher(databaseConnectionConfig.getJdbcConnectionString());
                 final String secretReplacement = String.format("UID=%s;PWD=%s",
-                        credentialsProvider.getCredential().getUser(), credentialsProvider.getCredential().getPassword());
+                        credentialsProvider.getCredentialMap().get(CredentialsConstants.USER), credentialsProvider.getCredentialMap().get(CredentialsConstants.PASSWORD));
                 derivedJdbcString = secretMatcher.replaceAll(Matcher.quoteReplacement(secretReplacement));
             }
             else {

athena-datalakegen2/src/main/java/com/amazonaws/athena/connectors/datalakegen2/DataLakeGen2MetadataHandler.java

@@ -20,6 +20,7 @@
 package com.amazonaws.athena.connectors.datalakegen2;
 
 import com.amazonaws.athena.connector.credentials.CredentialsProvider;
+import com.amazonaws.athena.connector.credentials.CredentialsProviderFactory;
 import com.amazonaws.athena.connector.lambda.QueryStatusChecker;
 import com.amazonaws.athena.connector.lambda.data.Block;
 import com.amazonaws.athena.connector.lambda.data.BlockAllocator;
@@ -54,7 +55,6 @@
 import org.apache.arrow.vector.types.Types;
 import org.apache.arrow.vector.types.pojo.ArrowType;
 import org.apache.arrow.vector.types.pojo.Schema;
-import org.apache.commons.lang3.StringUtils;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import software.amazon.awssdk.services.athena.AthenaClient;
@@ -98,7 +98,7 @@ public DataLakeGen2MetadataHandler(java.util.Map<String, String> configOptions)
     public DataLakeGen2MetadataHandler(DatabaseConnectionConfig databaseConnectionConfig, java.util.Map<String, String> configOptions)
     {
         this(databaseConnectionConfig,
-                new DataLakeGen2JdbcConnectionFactory(databaseConnectionConfig, JDBC_PROPERTIES,
+                new GenericJdbcConnectionFactory(databaseConnectionConfig, JDBC_PROPERTIES,
                 new DatabaseConnectionInfo(DataLakeGen2Constants.DRIVER_CLASS, DataLakeGen2Constants.DEFAULT_PORT)),
                 configOptions);
     }
@@ -289,11 +289,10 @@ protected Schema getSchema(Connection jdbcConnection, TableName tableName, Schem
     @Override
     protected CredentialsProvider getCredentialProvider()
     {
-        final String secretName = getDatabaseConnectionConfig().getSecret();
-        if (StringUtils.isNotBlank(secretName)) {
-            return new DataLakeGen2CredentialsProvider(secretName);
-        }
-
-        return null;
+        return CredentialsProviderFactory.createCredentialProvider(
+            getDatabaseConnectionConfig().getSecret(),
+            getCachableSecretsManager(),
+            new DataLakeGen2OAuthCredentialsProvider()
+        );
     }
 }

athena-datalakegen2/src/main/java/com/amazonaws/athena/connectors/datalakegen2/DataLakeGen2OAuthCredentialsProvider.java

@@ -0,0 +1,80 @@
+/*-
+ * #%L
+ * athena-datalakegen2
+ * %%
+ * Copyright (C) 2019 - 2025 Amazon Web Services
+ * %%
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * #L%
+ */
+package com.amazonaws.athena.connectors.datalakegen2;
+
+import com.amazonaws.athena.connector.credentials.CredentialsConstants;
+import com.amazonaws.athena.connector.credentials.OAuthCredentialsProvider;
+import com.google.common.annotations.VisibleForTesting;
+
+import java.net.URI;
+import java.net.http.HttpClient;
+import java.net.http.HttpRequest;
+import java.util.Map;
+
+/**
+ * OAuth credentials provider for Azure Data Lake Gen2.
+ */
+public class DataLakeGen2OAuthCredentialsProvider extends OAuthCredentialsProvider
+{
+    private static final String TOKEN_ENDPOINT_FORMAT = "https://login.microsoftonline.com/%s/oauth2/v2.0/token";
+    private static final String SCOPE = "https://sql.azuresynapse.net/.default";
+    private static final String TENANT_ID = "tenant_id";
+
+    public DataLakeGen2OAuthCredentialsProvider()
+    {
+        super();
+    }
+
+    @VisibleForTesting
+    protected DataLakeGen2OAuthCredentialsProvider(HttpClient httpClient)
+    {
+        super(httpClient);
+    }
+
+    @Override
+    protected boolean isOAuthConfigured(Map<String, String> secretMap)
+    {
+        return secretMap.containsKey(CredentialsConstants.CLIENT_ID) &&
+               !secretMap.get(CredentialsConstants.CLIENT_ID).isEmpty() &&
+               secretMap.containsKey(CredentialsConstants.CLIENT_SECRET) &&
+               !secretMap.get(CredentialsConstants.CLIENT_SECRET).isEmpty() &&
+               secretMap.containsKey(TENANT_ID) &&
+               !secretMap.get(TENANT_ID).isEmpty();
+    }
+
+    @Override
+    protected HttpRequest buildTokenRequest(Map<String, String> secretMap)
+    {
+        String clientId = secretMap.get(CredentialsConstants.CLIENT_ID);
+        String clientSecret = secretMap.get(CredentialsConstants.CLIENT_SECRET);
+        String tenantId = secretMap.get(TENANT_ID);
+        String tokenEndpoint = String.format(TOKEN_ENDPOINT_FORMAT, tenantId);
+
+        String formData = String.format(
+                "grant_type=client_credentials&scope=%s&client_id=%s&client_secret=%s",
+                SCOPE, clientId, clientSecret);
+
+        return HttpRequest.newBuilder()
+            .uri(URI.create(tokenEndpoint))
+            .header("Content-Type", "application/x-www-form-urlencoded")
+            .POST(HttpRequest.BodyPublishers.ofString(formData))
+            .build();
+    }
+}

athena-datalakegen2/src/main/java/com/amazonaws/athena/connectors/datalakegen2/DataLakeGen2RecordHandler.java

@@ -19,18 +19,19 @@
  */
 package com.amazonaws.athena.connectors.datalakegen2;
 import com.amazonaws.athena.connector.credentials.CredentialsProvider;
+import com.amazonaws.athena.connector.credentials.CredentialsProviderFactory;
 import com.amazonaws.athena.connector.lambda.domain.Split;
 import com.amazonaws.athena.connector.lambda.domain.TableName;
 import com.amazonaws.athena.connector.lambda.domain.predicate.Constraints;
 import com.amazonaws.athena.connectors.jdbc.connection.DatabaseConnectionConfig;
 import com.amazonaws.athena.connectors.jdbc.connection.DatabaseConnectionInfo;
+import com.amazonaws.athena.connectors.jdbc.connection.GenericJdbcConnectionFactory;
 import com.amazonaws.athena.connectors.jdbc.connection.JdbcConnectionFactory;
 import com.amazonaws.athena.connectors.jdbc.manager.JDBCUtil;
 import com.amazonaws.athena.connectors.jdbc.manager.JdbcRecordHandler;
 import com.amazonaws.athena.connectors.jdbc.manager.JdbcSplitQueryBuilder;
 import com.google.common.annotations.VisibleForTesting;
 import org.apache.arrow.vector.types.pojo.Schema;
-import org.apache.commons.lang3.StringUtils;
 import org.apache.commons.lang3.Validate;
 import software.amazon.awssdk.services.athena.AthenaClient;
 import software.amazon.awssdk.services.s3.S3Client;
@@ -53,7 +54,7 @@ public DataLakeGen2RecordHandler(java.util.Map<String, String> configOptions)
     public DataLakeGen2RecordHandler(DatabaseConnectionConfig databaseConnectionConfig, java.util.Map<String, String> configOptions)
     {
         this(databaseConnectionConfig, S3Client.create(), SecretsManagerClient.create(), AthenaClient.create(),
-                new DataLakeGen2JdbcConnectionFactory(databaseConnectionConfig, DataLakeGen2MetadataHandler.JDBC_PROPERTIES,
+                new GenericJdbcConnectionFactory(databaseConnectionConfig, DataLakeGen2MetadataHandler.JDBC_PROPERTIES,
                         new DatabaseConnectionInfo(DataLakeGen2Constants.DRIVER_CLASS, DataLakeGen2Constants.DEFAULT_PORT)), new DataLakeGen2QueryStringBuilder(QUOTE_CHARACTER, new DataLakeGen2FederationExpressionParser(QUOTE_CHARACTER)), configOptions);
     }
     @VisibleForTesting
@@ -81,11 +82,10 @@ public PreparedStatement buildSplitSql(Connection jdbcConnection, String catalog
     @Override
     protected CredentialsProvider getCredentialProvider()
     {
-        final String secretName = getDatabaseConnectionConfig().getSecret();
-        if (StringUtils.isNotBlank(secretName)) {
-            return new DataLakeGen2CredentialsProvider(secretName);
-        }
-
-        return null;
+        return CredentialsProviderFactory.createCredentialProvider(
+            getDatabaseConnectionConfig().getSecret(),
+            getCachableSecretsManager(),
+            new DataLakeGen2OAuthCredentialsProvider()
+        );
     }
 }

athena-datalakegen2/src/test/java/com/amazonaws/athena/connectors/datalakegen2/DataLakeGen2OAuthCredentialsProviderTest.java

@@ -0,0 +1,144 @@
+/*-
+ * #%L
+ * athena-datalakegen2
+ * %%
+ * Copyright (C) 2019 - 2025 Amazon Web Services
+ * %%
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * #L%
+ */
+package com.amazonaws.athena.connectors.datalakegen2;
+
+import com.amazonaws.athena.connector.credentials.OAuthAccessTokenCredentials;
+import com.amazonaws.athena.connector.lambda.security.CachableSecretsManager;
+import com.fasterxml.jackson.databind.ObjectMapper;
+import org.junit.Before;
+import org.junit.Test;
+import org.mockito.Mock;
+import org.mockito.MockitoAnnotations;
+import software.amazon.awssdk.services.secretsmanager.SecretsManagerClient;
+import software.amazon.awssdk.services.secretsmanager.model.GetSecretValueRequest;
+import software.amazon.awssdk.services.secretsmanager.model.GetSecretValueResponse;
+
+import java.io.IOException;
+import java.net.http.HttpClient;
+import java.net.http.HttpResponse;
+import java.util.HashMap;
+import java.util.Map;
+
+import static com.amazonaws.athena.connector.credentials.CredentialsConstants.ACCESS_TOKEN;
+import static com.amazonaws.athena.connector.credentials.CredentialsConstants.CLIENT_ID;
+import static com.amazonaws.athena.connector.credentials.CredentialsConstants.CLIENT_SECRET;
+import static com.amazonaws.athena.connector.credentials.CredentialsConstants.EXPIRES_IN;
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertTrue;
+import static org.mockito.ArgumentMatchers.any;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.when;
+
+public class DataLakeGen2OAuthCredentialsProviderTest
+{
+    protected static final String SECRET_NAME = "test-secret";
+    protected static final String TEST_CLIENT_ID = "test-client-id";
+    protected static final String TEST_CLIENT_SECRET = "test-client-secret";
+    protected static final String TENANT_ID = "tenant_id";
+    protected static final String TEST_TENANT_ID = "test-tenant-id";
+    protected static final String TEST_ACCESS_TOKEN = "test-access-token";
+
+    @Mock
+    private SecretsManagerClient secretsManagerClient;
+
+    @Mock
+    private HttpClient httpClient;
+
+    private DataLakeGen2OAuthCredentialsProvider credentialsProvider;
+    private ObjectMapper objectMapper;
+
+    @Before
+    public void setup()
+    {
+        MockitoAnnotations.openMocks(this);
+        CachableSecretsManager cachableSecretsManager = new CachableSecretsManager(secretsManagerClient);
+        credentialsProvider = new DataLakeGen2OAuthCredentialsProvider(httpClient);
+        credentialsProvider.initialize(SECRET_NAME, new HashMap<>(), cachableSecretsManager);
+        objectMapper = new ObjectMapper();
+    }
+
+    @Test
+    public void testIsOAuthConfigured_WithValidConfig()
+    {
+        Map<String, String> secretMap = new HashMap<>();
+        secretMap.put(CLIENT_ID, TEST_CLIENT_ID);
+        secretMap.put(CLIENT_SECRET, TEST_CLIENT_SECRET);
+        secretMap.put(TENANT_ID, TEST_TENANT_ID);
+
+        assertTrue(credentialsProvider.isOAuthConfigured(secretMap));
+    }
+
+    @Test
+    public void testIsOAuthConfigured_WithMissingConfig()
+    {
+        Map<String, String> secretMap = new HashMap<>();
+        secretMap.put(CLIENT_ID, TEST_CLIENT_ID);
+        // Missing client_secret and tenant_id
+
+        assertFalse(credentialsProvider.isOAuthConfigured(secretMap));
+    }
+
+    @Test
+    public void testBuildTokenRequest()
+    {
+        Map<String, String> secretMap = new HashMap<>();
+        secretMap.put(CLIENT_ID, TEST_CLIENT_ID);
+        secretMap.put(CLIENT_SECRET, TEST_CLIENT_SECRET);
+        secretMap.put(TENANT_ID, TEST_TENANT_ID);
+
+        var request = credentialsProvider.buildTokenRequest(secretMap);
+
+        assertEquals("POST", request.method());
+        assertEquals("application/x-www-form-urlencoded", request.headers().firstValue("Content-Type").get());
+        assertTrue(request.uri().toString().contains(TEST_TENANT_ID));
+    }
+
+    @Test
+    public void testGetCredential_WithValidOAuthConfig() throws IOException, InterruptedException
+    {
+        // Setup secret with OAuth config
+        Map<String, String> secretMap = new HashMap<>();
+        secretMap.put(CLIENT_ID, TEST_CLIENT_ID);
+        secretMap.put(CLIENT_SECRET, TEST_CLIENT_SECRET);
+        secretMap.put(TENANT_ID, TEST_TENANT_ID);
+        String secretString = objectMapper.writeValueAsString(secretMap);
+
+        when(secretsManagerClient.getSecretValue(any(GetSecretValueRequest.class)))
+            .thenReturn(GetSecretValueResponse.builder().secretString(secretString).build());
+
+        // Setup mock HTTP response with token
+        Map<String, String> tokenResponse = new HashMap<>();
+        tokenResponse.put(ACCESS_TOKEN, TEST_ACCESS_TOKEN);
+        tokenResponse.put(EXPIRES_IN, "3600");
+        String responseBody = objectMapper.writeValueAsString(tokenResponse);
+
+        @SuppressWarnings("unchecked")
+        HttpResponse<Object> typedResponse = mock(HttpResponse.class);
+        when(typedResponse.statusCode()).thenReturn(200);
+        when(typedResponse.body()).thenReturn(responseBody);
+        when(httpClient.send(any(), any())).thenReturn(typedResponse);
+
+        // Get and verify credential
+        var credential = credentialsProvider.getCredential();
+        assertTrue(credential instanceof OAuthAccessTokenCredentials);
+        assertEquals(TEST_ACCESS_TOKEN, ((OAuthAccessTokenCredentials) credential).getAccessToken());
+    }
+}

athena-federation-sdk/src/main/java/com/amazonaws/athena/connector/credentials/Credentials.java

@@ -0,0 +1,38 @@
+/*-
+ * #%L
+ * athena-federation-sdk
+ * %%
+ * Copyright (C) 2019 - 2025 Amazon Web Services
+ * %%
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * #L%
+ */
+package com.amazonaws.athena.connector.credentials;
+
+import java.util.Map;
+
+/**
+ * Represents a set of credentials required to authenticate and connect to a database.
+ * Implementations may provide credentials in different forms, such as username/password or OAuth tokens.
+ */
+public interface Credentials
+{
+    /**
+     * Gets the credential properties for database authentication.
+     * Keys are property names (e.g., "username", "password", "accesToken"),
+     * and values are the associated property values.
+     *
+     * @return a map of credential property names to values
+     */
+    Map<String, String> getProperties();
+}