From 96c3c7ed044fddf3b3ad5a2c105a7b5e80a5377a Mon Sep 17 00:00:00 2001
From: Trianz-Akshay <108925344+Trianz-Akshay@users.noreply.github.com>
Date: Fri, 10 May 2024 21:15:06 +0530
Subject: [PATCH] Feature/oracle fips (#1946)

---
 athena-oracle/athena-oracle.yaml | 8 ++++++++
 .../connectors/oracle/OracleJdbcConnectionFactory.java | 4 ++++
 2 files changed, 12 insertions(+)

diff --git a/athena-oracle/athena-oracle.yaml b/athena-oracle/athena-oracle.yaml
index da9e426bd9..b3abe7d8e6 100644
--- a/athena-oracle/athena-oracle.yaml
+++ b/athena-oracle/athena-oracle.yaml
@@ -23,6 +23,13 @@ Parameters:
 SecretNamePrefix:
 Description: 'Used to create resource-based authorization policy for "secretsmanager:GetSecretValue" action. E.g. All Athena JDBC Federation secret names can be prefixed with "AthenaJdbcFederation" and authorization policy will allow "arn:${AWS::Partition}:secretsmanager:${AWS::Region}:${AWS::AccountId}:secret:AthenaJdbcFederation*". Parameter value in this case should be "AthenaJdbcFederation". If you do not have a prefix, you can manually update the IAM policy to add allow any secret names.'
 Type: String
+ IsFIPSEnabled:
+ AllowedValues:
+ - true
+ - false
+ Default: false
+ Description: "If oracle rds is FIPS compliance select true, [true, false] (default is false)"
+ Type: String
 SpillBucket:
 Description: 'The name of the bucket where this function can spill data.'
 Type: String
@@ -68,6 +75,7 @@ Resources:
 spill_bucket: !Ref SpillBucket
 spill_prefix: !Ref SpillPrefix
 default: !Ref DefaultConnectionString
+ is_FIPS_Enabled: !Ref IsFIPSEnabled
 FunctionName: !Ref LambdaFunctionName
 Handler: "com.amazonaws.athena.connectors.oracle.OracleMuxCompositeHandler"
 CodeUri: "./target/athena-oracle-2022.47.1.jar"
diff --git a/athena-oracle/src/main/java/com/amazonaws/athena/connectors/oracle/OracleJdbcConnectionFactory.java b/athena-oracle/src/main/java/com/amazonaws/athena/connectors/oracle/OracleJdbcConnectionFactory.java
index e145cc4aab..433f3d28ff 100644
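Review bot: The Description on the new IsFIPSEnabled parameter is hard to read ("If oracle rds is FIPS compliance select true") and does not say what the flag changes; from the Java hunk in this same patch, the only visible effect is that the connector restricts the Oracle JDBC TLS cipher-suite list. Suggest `Description: "Set to true to restrict the Oracle JDBC TLS cipher suites when connecting to a FIPS-compliant Oracle RDS instance; allowed values true/false (default false)"`. Stating the effect here stops operators from assuming the flag switches the JVM or trust store into a FIPS mode, which nothing in this patch does.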
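Review bot: The new environment key `is_FIPS_Enabled` is mixed-case while its neighbours (`spill_bucket`, `spill_prefix`, `default`) are lower snake_case, and the Java side reads it through `System.getenv()`, so the key must match `OracleJdbcConnectionFactory.IS_FIPS_ENABLED` character for character (environment-variable names are case-sensitive on the Lambda Linux runtime). Either align both sides to `is_fips_enabled` in one change, or keep the spelling and document the coupling in the template with `# must match OracleJdbcConnectionFactory.IS_FIPS_ENABLED exactly` on the line above it.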
--- a/athena-oracle/src/main/java/com/amazonaws/athena/connectors/oracle/OracleJdbcConnectionFactory.java
+++ b/athena-oracle/src/main/java/com/amazonaws/athena/connectors/oracle/OracleJdbcConnectionFactory.java
@@ -37,6 +37,7 @@ public class OracleJdbcConnectionFactory extends GenericJdbcConnectionFactory
 {
+ public static final String IS_FIPS_ENABLED = "is_FIPS_Enabled";
 private final DatabaseConnectionInfo databaseConnectionInfo;
 private final DatabaseConnectionConfig databaseConnectionConfig;
 private static final Logger LOGGER = LoggerFactory.getLogger(OracleJdbcConnectionFactory.class);
@@ -70,6 +71,9 @@ public Connection getConnection(final JdbcCredentialProvider jdbcCredentialProvi
 properties.put("javax.net.ssl.trustStoreType", "JKS");
 properties.put("javax.net.ssl.trustStorePassword", "changeit");
 properties.put("oracle.net.ssl_server_dn_match", "true");
+ if (System.getenv().getOrDefault(IS_FIPS_ENABLED, "false").equalsIgnoreCase("true")) {
+ properties.put("oracle.net.ssl_cipher_suites", "(TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA)");
+ }
 } else {
 LOGGER.info("Establishing normal connection..");
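Review bot: The new public constant `IS_FIPS_ENABLED` has no Javadoc, and its value "is_FIPS_Enabled" reads like a flag rather than what it is: the name of an environment variable that the second hunk looks up with `System.getenv().getOrDefault(IS_FIPS_ENABLED, "false")`. Since it is public, callers and the template author need to know that the string must match the `is_FIPS_Enabled` key in athena-oracle.yaml exactly and that, as far as this patch shows, a "true" value only sets `oracle.net.ssl_cipher_suites` in getConnection and changes nothing else about the trust store or JSSE provider. Suggested Javadoc: `/** Name of the environment variable (populated from the {@code IsFIPSEnabled} template parameter) whose value {@code "true"} makes {@link #getConnection} restrict {@code oracle.net.ssl_cipher_suites}; it does not switch the JVM into FIPS mode. */`. The constant is declared in a class body whose remaining fields continue outside this hunk.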