feat(pam): add Oracle DB access support #6134
Backend (sql-resource-factory.ts): Resource save validation for Oracle TLS resources bypasses node-oracledb and uses a plain tls.Dial probe against localhost:<gateway-proxy-port>. node-oracledb's thin mode has no "ca only" equivalent like pg / mysql2 / tedious do — its walletLocation/walletContent options expect a full wallet (cert + private key + CAs), not a trust anchor. Using tls.Dial directly lets any PEM the user pastes (AWS RDS bundle, OCI bundle, private-PKI CA) be honoured for the save-time reachability + trust check. The actual Oracle auth still runs through node-oracledb for rotation and account validation, which is a known limitation for private CAs — operators can work around it with NODE_EXTRA_CA_CERTS.

Frontend (PamSessionLogsSection.tsx): OracleDB was missing from the isDatabaseSession check, so the UI rendered an empty section for Oracle sessions even though the backend returned the logs correctly. One-line fix.
Wires up the Oracle database as a first-class PAM resource type, paired with the CLI gateway's Oracle proxied-auth handler.

Backend:
- New oracle-resource-* module under ee/services/pam-resource/oracle/ with resource + account schemas and list-item metadata.
- Registers OracleDB in the resource enum, factory, list, and type unions; routes it through the shared SQL resource factory (same connect/rotate/validate contract as Postgres / MySQL / MSSQL).
- Adds Oracle to the account credentials service, resource router response schemas, and account router schemas.

Frontend:
- New OracleDBResourceForm / OracleDBAccountForm using the shared SQL field sets (host, port, database, SSL toggles, certificate PEM).
- PamResourceForm / PamAccountForm dispatch the new forms for PamResourceType.OracleDB.
- Account-by-id, resource-by-id and access-account modal pages handle the Oracle case.
- Removes OracleDB from the "coming soon" list in ResourceTypeSelect now that it's shippable.

Works together with the CLI gateway's Oracle handler (packages/pam/handlers/oracle) — end-to-end verified against AWS RDS Oracle 19c including TCPS (see cli.oracle-db commit fa44af8).
Matches MySQL and MSSQL — we haven't verified password rotation against Oracle end-to-end, so stub rotateCredentials with "Unsupported operation" for now rather than ship untested ALTER USER code. The rotation logic can come back in a follow-up once it's tested against a representative set of Oracle targets.
Rotation was stubbed in the previous commit, so the probe's module comment no longer needs to reference it as a code path that goes through node-oracledb. Mentions only account credential validation now.
New page at docs/documentation/platform/pam/getting-started/resources/oracle.mdx covering: how Oracle access works through the gateway (with the protocol-placeholder password explanation), resource setup (including the TCPS/SSL options and port 2484), account creation, CLI access flow, and the supported/unsupported matrix for v1 — Autonomous DB, RAC with SCAN, and NNE are called out explicitly as known limitations.
Fixes the simple-import-sort/imports lint warning for our added `import net from "net"` line. Autofix output only; no behavior change. (Note: the companion lint failures on scim.ts and the AWS ACM public CA files on the same CI run are not ours — they come from recent upstream main commits and should be fixed on main separately.)
…ount validation

- probeOracleTls now threads sslRejectUnauthorized (was hardcoded to !!caPem, which silently disabled cert validation on default form state) and sends the configured upstream host as TLS SNI (was hardcoded to "localhost").
- Moved probeOracleTls out of the generic sql-resource-factory into oracle/oracle-tls-probe.ts alongside the other Oracle resource files, and switched it to a named-options signature for readability.
- Account credential validation skipped when sslEnabled=true. node-oracledb thin mode has no inline-CA option (only a wallet file requiring a matching cert+key pair), so it can't consume the resource's pasted CA. Resource-save validation still runs the raw TLS probe. Bad creds on TLS Oracle accounts will surface on first session use. Credential validation for every DB type should eventually move to the gateway where per-connection CA handling is straightforward.
- Removed unreachable TCPS connectString branch; the only caller of openConnection now is the non-SSL path.
Added comment explaining AWS IAM credentials usage.
Addresses review feedback. Previously, account credential validation on TLS-enabled Oracle returned silently — users could save accounts with entirely invalid Oracle setups (server gone, cert rotated, CA no longer valid) and only find out on first session. Now both resource save and account save run probeOracleTls, which verifies: (a) the tunnel forwards to a reachable Oracle listener, (b) TLS handshake succeeds, (c) cert chains to the pasted CA, (d) sslRejectUnauthorized is honored. This does NOT verify credentials — that remains deferred to first session use on TLS Oracle (see the file comment for the node-oracledb thin-mode CA limitation). But it catches every failure mode except "creds are wrong," which is a meaningful improvement over silent success.
…se union Addresses reviewer finding that OracleSessionCredentialsSchema was defined but never imported. The schema is the response shape for GET /:sessionId/credentials (the endpoint gateways hit to fetch live session credentials). Other SQL dialects are already in the zod union in pam-session-router.ts; Oracle was missing. Runtime happened to work because Oracle's credentials are structurally identical to MySQL's (both extend BaseSqlResourceConnectionDetails + BaseSqlAccountCredentials), so the response validator accepted Oracle payloads as if they were MySQL. Adding Oracle explicitly makes the schema validation Oracle-aware rather than relying on that coincidence. (Note: MsSQL and WindowsServer have the same pattern — defined but not in the union — but fixing those is pre-existing and out of scope here.)
…aming parity Every other dialect in pam-resource/ uses the <dialect>-resource-<kind> file naming pattern (factory / fns / schemas / types / enums). The probe helper was sitting in a freshly-named oracle-tls-probe.ts, which broke that convention. Moved probeOracleTls (and its ProbeOracleTlsArgs interface) into the existing oracle-resource-fns.ts alongside getOracleResourceListItem. Deleted oracle-tls-probe.ts. Import path in sql-resource-factory updated accordingly. No behavior change.
…andard files

Reviewer feedback: ProbeOracleTlsArgs should be a type (not interface) and should live in oracle-resource-types.ts with the other T* types; the timeout constant should live in a constants file.

- Moved ProbeOracleTlsArgs to oracle-resource-types.ts as type TProbeOracleTlsArgs (matches the T-prefixed type convention already used in that file).
- New oracle-resource-constants.ts with ORACLE_TLS_PROBE_TIMEOUT_MS (matches the <service>-constants.ts pattern used elsewhere — pam-account-policy-constants.ts, gateway-v2-constants.ts, relay-constants.ts, etc.).
- oracle-resource-fns.ts now imports both and stays focused on the probeOracleTls implementation + getOracleResourceListItem helper.

No behavior change.
…robe Node's tls.checkServerIdentity validates the cert's CN/SAN against the servername option, not the TCP socket's connected address. Since servername is already set to the real upstream host, the default check works correctly even when dialing through the localhost tunnel.
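The probe the commits above describe (TCP to the local tunnel port, SNI and the hostname check bound to the real upstream host, a pasted PEM as the only trust anchor, `sslRejectUnauthorized` taken from the resource rather than derived from whether a CA was pasted, and a bounded timeout), as an added TypeScript example that is not the PR's code. `buildProbeOptions`, `classifyProbeError`, the result shape and the `10_000` ms default for `ORACLE_TLS_PROBE_TIMEOUT_MS` are assumptions made here; the Node API is `tls.connect` (the commit text's `tls.Dial` corresponds to it). The probe never sends Oracle protocol bytes, so it verifies reachability, handshake and chain trust, not credentials.

```typescript
import * as tls from "node:tls";

// Assumed value: the PR introduces ORACLE_TLS_PROBE_TIMEOUT_MS but the thread does not show it.
export const ORACLE_TLS_PROBE_TIMEOUT_MS = 10_000;

export type TProbeOracleTlsArgs = {
  proxyPort: number; // local port the gateway tunnel listens on
  upstreamHost: string; // real Oracle listener host: used for SNI and the hostname check, not for dialing
  caPem?: string; // optional pasted CA bundle (AWS RDS, OCI, private PKI); absent -> Node's bundled roots / NODE_EXTRA_CA_CERTS
  sslRejectUnauthorized: boolean; // the resource's own setting, never derived from caPem
  timeoutMs?: number;
};

export type TProbeStage = "connect" | "handshake" | "timeout";

export type TProbeOracleTlsResult =
  | { ok: true; authorized: boolean; peerSubject: string }
  | { ok: false; stage: TProbeStage; code: string; message: string };

// Errors raised before any TLS record is exchanged; everything else is reported as a handshake problem
// (EPROTO, CERT_HAS_EXPIRED, SELF_SIGNED_CERT_IN_CHAIN, ERR_TLS_CERT_ALTNAME_INVALID, ...).
const CONNECT_STAGE_CODES = new Set(["ECONNREFUSED", "ECONNRESET", "ENOTFOUND", "EHOSTUNREACH", "ENETUNREACH", "EAI_AGAIN"]);

// Pure option builder so the SNI / trust-anchor wiring can be checked without a listener.
export const buildProbeOptions = (args: TProbeOracleTlsArgs): tls.ConnectionOptions => ({
  host: "localhost", // TCP goes to the tunnel ...
  port: args.proxyPort,
  servername: args.upstreamHost, // ... but SNI and tls.checkServerIdentity use the upstream host
  ...(args.caPem ? { ca: args.caPem } : {}), // a pasted PEM replaces the default root store entirely
  // Honour the configured flag. Deriving it as `!!caPem` (the earlier bug) turned validation off
  // whenever the resource was saved without a pasted CA, i.e. on the default form state.
  rejectUnauthorized: args.sslRejectUnauthorized
});

export const classifyProbeError = (err: Error & { code?: string }): { stage: "connect" | "handshake"; code: string } => {
  const code = err.code ?? "UNKNOWN";
  return { stage: CONNECT_STAGE_CODES.has(code) ? "connect" : "handshake", code };
};

// Dial the tunnel, complete a TLS handshake, and report what could be verified.
export const probeOracleTls = (args: TProbeOracleTlsArgs): Promise<TProbeOracleTlsResult> =>
  new Promise((resolve) => {
    const timeoutMs = args.timeoutMs ?? ORACLE_TLS_PROBE_TIMEOUT_MS;
    const socket = tls.connect(buildProbeOptions(args));
    let settled = false;
    const finish = (result: TProbeOracleTlsResult) => {
      if (settled) return;
      settled = true;
      socket.destroy();
      resolve(result);
    };
    socket.setTimeout(timeoutMs, () =>
      finish({ ok: false, stage: "timeout", code: "ETIMEDOUT", message: `no TLS handshake within ${timeoutMs} ms` })
    );
    socket.once("error", (err: Error) => finish({ ok: false, ...classifyProbeError(err), message: err.message }));
    socket.once("secureConnect", () => {
      // With rejectUnauthorized=false the handshake completes even for an untrusted chain;
      // `authorized` tells the caller whether the chain actually validated against `ca`.
      const peer = socket.getPeerCertificate();
      finish({ ok: true, authorized: socket.authorized, peerSubject: peer?.subject?.CN ?? "" });
    });
  });
```

Resource save and account save would call `probeOracleTls({ proxyPort, upstreamHost: connectionDetails.host, caPem, sslRejectUnauthorized })` and treat `ok: false` as a save error, with `stage` telling the user whether the tunnel, the listener or the certificate is at fault. When `sslRejectUnauthorized` is false the handshake still completes, so `ok: true, authorized: false` is the signal that the chain did not validate; that is worth surfacing as a warning rather than silently accepting.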
Trim bloated JSDoc blocks and section headers. Keep only the one non-obvious comment (servername used for TLS SNI + cert validation, not for TCP dialing).
Moves Oracle's connection logic out of the shared SQL factory switch into oracle/oracle-resource-factory.ts, following the same pattern as the MongoDB factory. The shared SQL factory no longer imports oracledb or probeOracleTls.
| MongoDB = "mongodb", | ||
| Windows = "windows" | ||
| Windows = "windows", | ||
| Oracle = "oracledb" |
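Review bot: the new member breaks the enum's 1:1 key/value convention (`MongoDB = "mongodb"`, `Windows = "windows"`), and the frontend in this PR already dispatches on `PamResourceType.OracleDB`, so the key should be `OracleDB = "oracledb"` rather than `Oracle`. Keeping the backend key and the frontend constant aligned also keeps string comparisons such as the `isDatabaseSession` check from drifting between the two sides.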
We should probably rename "Oracle" to "OracleDB" or "OracleDb" to stick with the 1:1 key and value convention we have for this enum
I just realized the frontend uses "OracleDB", so let's go with that
| validate: async (connectOnly) => { | ||
| // TLS Oracle: probe reachability + cert only (thin mode can't accept inline CA). | ||
| if (sslEnabled) { |
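Review bot: `validate` receives `connectOnly` but the visible guard keys off `sslEnabled`, so a caller that asks for a full check (`validate(false)`, as the account-save path in this diff does) gets a reachability-plus-certificate probe only whenever TLS is on, and a wrong password is not detected at save time. Since the discussion confirms credentials can be checked without a CA, gate the probe-only path on `caPem` being present (the thin-mode limitation is the inline CA, not TLS itself), and make the probe-only path return something the caller can distinguish from a full validation.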
I wonder if, instead of doing this when SSL is enabled, we can do this when a CA is provided. What do you think? If you enable SSL without a CA, can you still validate creds?
I tested this and it allows me to accurately do credential checks without a CA
| oracledb.getConnection({ | ||
| user: actualUsername, | ||
| password: actualPassword, | ||
| connectString: `localhost:${proxyPort}/${connectionDetails.database}`, |
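Review bot: `connectionDetails.database` is interpolated straight into the Easy Connect string, so any `/`, `:` or `?` in the stored value changes how the listener address is parsed instead of being treated as part of the service name. Validate it in the zod schema with an allow-list of Oracle identifier characters (letters, digits, `_`, `$`, `#`, `.`) and a length bound, and reject anything else at save time; that keeps the template here free of escaping concerns and gives the user a clear error instead of an opaque listener failure.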
We may want to do some filtering or sanitization on the database input, either here or at the zod level. Maybe restrict the characters that users can input.
| await executeWithGateway( | ||
| { | ||
| connectionDetails, | ||
| gatewayId, | ||
| username: credentials.username, | ||
| password: credentials.password | ||
| }, | ||
| gatewayV2Service, | ||
| async (client) => { | ||
| await client.validate(false); | ||
| } | ||
| ); | ||
| return credentials; |
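Review bot: `client.validate(false)` requests a full credential check, but on TLS-enabled Oracle resources the factory's `validate` short-circuits to the TLS probe (the `if (sslEnabled)` branch earlier in this diff), so this path returns `credentials` unchanged even when the username or password is wrong. Add a comment here stating that, for TLS Oracle, success means reachability and certificate trust only, or surface a distinguishable result so the account router can tell the user that credentials were not verified, as the PR description already acknowledges.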


Context
Adds Oracle as a new PAM database resource
Infisical/cli#192