Add Support for OAuth in athena-saphana Connector (#2894)

Co-authored-by: Aimery Methena <[email protected]>
Co-authored-by: burhan94 <[email protected]>

Author: 3 people

athena-saphana/athena-saphana-connection.yaml

@@ -2,7 +2,7 @@ Transform: 'AWS::Serverless-2016-10-31'
 Metadata:
   'AWS::ServerlessRepo::Application':
     Name: AthenaSaphanaConnectorWithGlueConnection
-    Description: 'This connector enables Amazon Athena to communicate with your Teradata instance(s) using JDBC driver.'
+    Description: 'This connector enables Amazon Athena to communicate with your SAP HANA instance(s) using JDBC driver.'
     Author: 'default author'
     SpdxLicenseId: Apache-2.0
     LicenseUrl: LICENSE.txt
@@ -66,7 +66,7 @@ Resources:
         - Account: !If [IsRegionBAH, 084828588479, !If [IsRegionHKG, 183295418215, 292517598671]]
       ImageConfig:
         Command: [ "com.amazonaws.athena.connectors.saphana.SaphanaCompositeHandler" ]
-      Description: "Enables Amazon Athena to communicate with Teradata using JDBC"
+      Description: "Enables Amazon Athena to communicate with SAP HANA using JDBC"
       Timeout: 900
       MemorySize: 3008
       Role: !If [ NotHasLambdaRole, !GetAtt FunctionRole.Arn, !Ref LambdaRoleArn ]
@@ -102,6 +102,7 @@ Resources:
         Statement:
           - Action:
               - secretsmanager:GetSecretValue
+              - secretsmanager:PutSecretValue
             Effect: Allow
             Resource: !Sub 'arn:${AWS::Partition}:secretsmanager:${AWS::Region}:${AWS::AccountId}:secret:${SecretName}*'
           - Action:

athena-saphana/athena-saphana.yaml

@@ -2,7 +2,7 @@ Transform: 'AWS::Serverless-2016-10-31'
 Metadata:
   'AWS::ServerlessRepo::Application':
     Name: AthenaSaphanaConnector
-    Description: 'This connector enables Amazon Athena to communicate with your Teradata instance(s) using JDBC driver.'
+    Description: 'This connector enables Amazon Athena to communicate with your SAP HANA instance(s) using JDBC driver.'
     Author: 'default author'
     SpdxLicenseId: Apache-2.0
     LicenseUrl: LICENSE.txt
@@ -77,14 +77,15 @@ Resources:
         - Account: !If [IsRegionBAH, 084828588479, !If [IsRegionHKG, 183295418215, 292517598671]]
       ImageConfig:
         Command: [ "com.amazonaws.athena.connectors.saphana.SaphanaMuxCompositeHandler" ]
-      Description: "Enables Amazon Athena to communicate with Teradata using JDBC"
+      Description: "Enables Amazon Athena to communicate with SAP HANA using JDBC"
       Timeout: !Ref LambdaTimeout
       MemorySize: !Ref LambdaMemory
       PermissionsBoundary: !If [ HasPermissionsBoundary, !Ref PermissionsBoundaryARN, !Ref "AWS::NoValue" ]
       Policies:
         - Statement:
             - Action:
                 - secretsmanager:GetSecretValue
+                - secretsmanager:PutSecretValue
               Effect: Allow
               Resource: !Sub 'arn:${AWS::Partition}:secretsmanager:${AWS::Region}:${AWS::AccountId}:secret:${SecretNamePrefix}*'
           Version: '2012-10-17'

athena-saphana/src/main/java/com/amazonaws/athena/connectors/saphana/SaphanaMetadataHandler.java

@@ -20,6 +20,8 @@
  */
 package com.amazonaws.athena.connectors.saphana;
 
+import com.amazonaws.athena.connector.credentials.CredentialsProvider;
+import com.amazonaws.athena.connector.credentials.CredentialsProviderFactory;
 import com.amazonaws.athena.connector.lambda.QueryStatusChecker;
 import com.amazonaws.athena.connector.lambda.data.Block;
 import com.amazonaws.athena.connector.lambda.data.BlockAllocator;
@@ -448,4 +450,14 @@ private String quoteColumnName(String columnName)
         columnName = columnName.replace(SAPHANA_QUOTE_CHARACTER, SAPHANA_QUOTE_CHARACTER + SAPHANA_QUOTE_CHARACTER);
         return SAPHANA_QUOTE_CHARACTER + columnName + SAPHANA_QUOTE_CHARACTER;
     }
+
+    @Override
+    protected CredentialsProvider getCredentialProvider()
+    {
+        return CredentialsProviderFactory.createCredentialProvider(
+                getDatabaseConnectionConfig().getSecret(),
+                getCachableSecretsManager(),
+                new SaphanaOAuthCredentialsProvider()
+        );
+    }
 }

athena-saphana/src/main/java/com/amazonaws/athena/connectors/saphana/SaphanaOAuthAccessTokenCredentials.java

@@ -0,0 +1,56 @@
+/*-
+ * #%L
+ * athena-saphana
+ * %%
+ * Copyright (C) 2019 - 2025 Amazon Web Services
+ * %%
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * #L%
+ */
+package com.amazonaws.athena.connectors.saphana;
+
+import com.amazonaws.athena.connector.credentials.Credentials;
+import com.amazonaws.athena.connector.credentials.CredentialsConstants;
+import org.apache.commons.lang3.Validate;
+
+import java.util.Map;
+
+/**
+ * Saphana-specific OAuth credentials implementation.
+ * Unlike the standard OAuthAccessTokenCredentials which uses "accessToken" as the property key,
+ * Saphana requires the OAuth access token to be provided as the "password" property.
+ */
+public class SaphanaOAuthAccessTokenCredentials implements Credentials
+{
+    private final String accessToken;
+
+    public SaphanaOAuthAccessTokenCredentials(String accessToken)
+    {
+        this.accessToken = Validate.notBlank(accessToken, "Access token must not be blank");
+    }
+
+    public String getAccessToken()
+    {
+        return accessToken;
+    }
+
+    @Override
+    public Map<String, String> getProperties()
+    {
+        // saphana OAuth mapping: user = empty, password = access token
+        return Map.of(
+            CredentialsConstants.USER, "",
+            CredentialsConstants.PASSWORD, accessToken
+        );
+    }
+}

athena-saphana/src/main/java/com/amazonaws/athena/connectors/saphana/SaphanaOAuthCredentialsProvider.java

@@ -0,0 +1,91 @@
+/*-
+ * #%L
+ * athena-saphana
+ * %%
+ * Copyright (C) 2019 - 2025 Amazon Web Services
+ * %%
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * #L%
+ */
+package com.amazonaws.athena.connectors.saphana;
+
+import com.amazonaws.athena.connector.credentials.Credentials;
+import com.amazonaws.athena.connector.credentials.CredentialsConstants;
+import com.amazonaws.athena.connector.credentials.OAuthAccessTokenCredentials;
+import com.amazonaws.athena.connector.credentials.OAuthCredentialsProvider;
+import com.google.common.annotations.VisibleForTesting;
+
+import java.net.URI;
+import java.net.http.HttpClient;
+import java.net.http.HttpRequest;
+import java.nio.charset.StandardCharsets;
+import java.util.Base64;
+import java.util.Map;
+
+/**
+ * OAuth credentials provider for Saphana.
+ */
+public class SaphanaOAuthCredentialsProvider extends OAuthCredentialsProvider
+{
+    protected static final String TOKEN_URL = "token_url";
+
+    public SaphanaOAuthCredentialsProvider()
+    {
+        super();
+    }
+
+    @VisibleForTesting
+    protected SaphanaOAuthCredentialsProvider(HttpClient httpClient)
+    {
+        super(httpClient);
+    }
+
+    @Override
+    protected boolean isOAuthConfigured(Map<String, String> oauthConfig)
+    {
+        return oauthConfig.containsKey(CredentialsConstants.CLIENT_ID) &&
+                !oauthConfig.get(CredentialsConstants.CLIENT_ID).isEmpty() &&
+                oauthConfig.containsKey(CredentialsConstants.CLIENT_SECRET) &&
+                !oauthConfig.get(CredentialsConstants.CLIENT_SECRET).isEmpty() &&
+                oauthConfig.containsKey(TOKEN_URL) &&
+                !oauthConfig.get(TOKEN_URL).isEmpty();
+    }
+
+    @Override
+    protected HttpRequest buildTokenRequest(Map<String, String> secretMap)
+    {
+        String clientId = secretMap.get(CredentialsConstants.CLIENT_ID);
+        String clientSecret = secretMap.get(CredentialsConstants.CLIENT_SECRET);
+        String tokenEndpoint = secretMap.get(TOKEN_URL);
+
+        String auth = clientId + ":" + clientSecret;
+        String encodedAuth = Base64.getEncoder().encodeToString(auth.getBytes(StandardCharsets.UTF_8));
+
+        return HttpRequest.newBuilder()
+                .uri(URI.create(tokenEndpoint))
+                .header("Authorization", "Basic " + encodedAuth)
+                .header("Content-Type", "application/x-www-form-urlencoded")
+                .POST(HttpRequest.BodyPublishers.ofString("grant_type=client_credentials"))
+                .build();
+    }
+
+    @Override
+    public Credentials getCredential()
+    {
+        // Parent always returns OAuthAccessTokenCredentials (or throws exception)
+        OAuthAccessTokenCredentials parentCredentials = (OAuthAccessTokenCredentials) super.getCredential();
+        
+        // Convert to Saphana-specific credentials that use "password" property
+        return new SaphanaOAuthAccessTokenCredentials(parentCredentials.getAccessToken());
+    }
+}

athena-saphana/src/main/java/com/amazonaws/athena/connectors/saphana/SaphanaRecordHandler.java

@@ -21,6 +21,8 @@
  */
 package com.amazonaws.athena.connectors.saphana;
 
+import com.amazonaws.athena.connector.credentials.CredentialsProvider;
+import com.amazonaws.athena.connector.credentials.CredentialsProviderFactory;
 import com.amazonaws.athena.connector.lambda.domain.Split;
 import com.amazonaws.athena.connector.lambda.domain.TableName;
 import com.amazonaws.athena.connector.lambda.domain.predicate.Constraints;
@@ -112,4 +114,14 @@ private void clearChildren(Schema schema)
             LOGGER.debug("SaphanaRecordHandler:clearChildren exception raised", exception);
         }
     }
+
+    @Override
+    protected CredentialsProvider getCredentialProvider()
+    {
+        return CredentialsProviderFactory.createCredentialProvider(
+                getDatabaseConnectionConfig().getSecret(),
+                getCachableSecretsManager(),
+                new SaphanaOAuthCredentialsProvider()
+        );
+    }
 }

athena-saphana/src/test/java/com/amazonaws/athena/connectors/saphana/SaphanaMuxJdbcMetadataHandlerTest.java

@@ -1,6 +1,6 @@
 /*-
  * #%L
- * athena-Teradata
+ * athena-saphana
  * %%
  * Copyright (C) 2019 Amazon Web Services
  * %%