Add Support for OAuth in athena-saphana Connector

[Jithendar12]

Issue #, if available:

Description of changes:
This PR introduces support for OAuth-based authentication in the SAP HANA connector using JWT tokens issued by SAP XSUAA. It implements the client_credentials grant type to fetch access tokens and manages them securely via AWS Secrets Manager.

Users must store the following credentials in AWS Secrets Manager:
{
"client_id": "<oauth-client-id>",
"client_secret": "<oauth-client-secret>",
"token_url": "<issuer-url-from-xsuaa-service-key>"
}

The connector uses these credentials to fetch a new access token, updates the secret with {access_token}, {fetched_at}, and {expires_in}, and refreshes the token automatically if it has expired based on those values. Please find attached reference and test document.
OAuth Integration in SAP HANA.docx

saphana-oauth-testing.odt

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

[AbdulR3hman]

Recommendation generated by Amazon CodeGuru Reviewer. Leave feedback on this recommendation by replying to the comment or by reacting to the comment using emoji.

software.amazon.awssdk.services.secretsmanager.SecretsManagerClient.putSecretValue API can also throw the following exception types: InvalidParameterException, SdkClientException, ResourceExistsException, SecretsManagerException, SdkException, AwsServiceException, InternalServiceErrorException, InvalidRequestException, LimitExceededException, EncryptionFailureException, ResourceNotFoundException. We recommend handling these uncaught exceptions as well.

[AbdulR3hman]

Recommendation generated by Amazon CodeGuru Reviewer. Leave feedback on this recommendation by replying to the comment or by reacting to the comment using emoji.

InputStreamReader

While converting a byte stream into characters, if no encoding is specified, the constructor assumes the default system runtime encoding, which may not be the correct encoding.

Suggested solution:

Specify an encoding

(likely UTF-8, which is backward compatible with ASCII and has multi-language support)

InputStreamReader reader = new InputStreamReader(inputStream, StandardCharsets.UTF_8); 

[AbdulR3hman]

Recommendation generated by Amazon CodeGuru Reviewer. Leave feedback on this recommendation by replying to the comment or by reacting to the comment using emoji.

It appears that your code handles a broad swath of exceptions in the catch block, potentially trapping dissimilar issues or problems that should not be dealt with at this point in the program.

Learn more

[AbdulR3hman]

Recommendation generated by Amazon CodeGuru Reviewer. Leave feedback on this recommendation by replying to the comment or by reacting to the comment using emoji.

It appears that your code handles a broad swath of exceptions in the catch block, potentially trapping dissimilar issues or problems that should not be dealt with at this point in the program.

Learn more

[AbdulR3hman]

Recommendation generated by Amazon CodeGuru Reviewer. Leave feedback on this recommendation by replying to the comment or by reacting to the comment using emoji.

Deprecated client constructor detected. Using deprecated client constructors can lead to security vulnerabilities, performance issues, and lack of support for newer features. Replace with the current recommended client libraries and builder patterns (e.g., HttpClientBuilder, AmazonS3ClientBuilder, MongoClients, etc.).

[AbdulR3hman]

Recommendation generated by Amazon CodeGuru Reviewer. Leave feedback on this recommendation by replying to the comment or by reacting to the comment using emoji.

Potential hardcoded credential detected. This code may contain sensitive data such as passwords or API keys embedded directly in the source. Hardcoded credentials can be extracted and misused, leading to unauthorized access to systems or data breaches. To remediate this, store secrets in environment variables or use a secrets management tool like AWS Secrets Manager, Azure Key Vault, or HashiCorp Vault. Avoid committing credentials to version control. For best practices, refer to - https://cwe.mitre.org/data/definitions/798.html

[AbdulR3hman]

Recommendation generated by Amazon CodeGuru Reviewer. Leave feedback on this recommendation by replying to the comment or by reacting to the comment using emoji.

Potential hardcoded credential detected. This code may contain sensitive data such as passwords or API keys embedded directly in the source. Hardcoded credentials can be extracted and misused, leading to unauthorized access to systems or data breaches. To remediate this, store secrets in environment variables or use a secrets management tool like AWS Secrets Manager, Azure Key Vault, or HashiCorp Vault. Avoid committing credentials to version control. For best practices, refer to - https://cwe.mitre.org/data/definitions/798.html

[Jithendar12]

Addressed CodeGuru review feedback:

1) Regarding character encoding:
    Added explicit StandardCharsets.UTF_8 for InputStreamReader
    Ensures proper encoding for all HTTP responses

2) Regarding deprecated HTTP client:
    Replaced HttpURLConnection with modern java.net.http.HttpClient
    Updated request/response handling to use new API

3) Regarding hardcoded credential constants:
    These are just field names used as keys in JSON configuration
    Organized constants into clear groups (OAuth config, token response, basic auth)
    No actual credentials are hardcoded, all sensitive data is stored in AWS Secrets Manager

4) Regarding exception handling:
    Added specific exception handling with appropriate error codes:
        ResourceNotFoundException -> ENTITY_NOT_FOUND_EXCEPTION
        InvalidParameterException -> INVALID_INPUT_EXCEPTION
        LimitExceededException -> THROTTLING_EXCEPTION
        EncryptionFailureException -> INTERNAL_SERVICE_EXCEPTION
    Each exception type now maps to a specific FederationSourceErrorCode

[burhan94]

Can we please use the framework being created in this PR here and reuse it for this connector? http://github.com/awslabs/aws-athena-query-federation/pull/2932

[Jithendar12]

Can we please use the framework being created in this PR here and reuse it for this connector? http://github.com/awslabs/aws-athena-query-federation/pull/2932

Hi @burhan94, yes, we have a plan for this. Once the Gen2 PR is approved and merged, we will update this PR. Thank you!

[burhan94]

Hi,

#2932 has been merged, can you please update this PR

[codecov]

Codecov Report

❌ Patch coverage is 76.47059% with 8 lines in your changes missing coverage. Please review.
✅ Project coverage is 64.60%. Comparing base (fe0a5d9) to head (2ae5a48).
⚠️ Report is 40 commits behind head on master.

Files with missing lines	Patch %	Lines
...ctors/saphana/SaphanaOAuthCredentialsProvider.java	78.26%	0 Missing and 5 partials ⚠️
...thena/connectors/saphana/SaphanaRecordHandler.java	0.00%	3 Missing ⚠️

Additional details and impacted files

@@             Coverage Diff              @@
##             master    #2894      +/-   ##
============================================
+ Coverage     63.67%   64.60%   +0.93%     
- Complexity     4344     4611     +267     
============================================
  Files           621      635      +14     
  Lines         23286    24108     +822     
  Branches       2859     2993     +134     
============================================
+ Hits          14827    15575     +748     
- Misses         7070     7094      +24     
- Partials       1389     1439      +50     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[Jithendar12]

Hi,

#2932 has been merged, can you please update this PR

Hi @burhan94 , this PR has been updated. Kindly review. Thanks!