Pin ddlZddlmZddlZ ddlmZddlmcm Z ddl m Z m Z mZmZmZn#e$rdZdZ YnwxYwdZdZdZdZdZejjejjgZejd d Zejd d Zejd d ZdZdZdZ dZ!dZ" d1dZ#dZ$dZ%dZ&dZ'dZ(dZ)dZ*dZ+dZ,dZ-dZ.d Z/d!Z0ej1d"#d$Z2d%Z3ej4d&ej5ddd'(ej5d)dd*(ej5dd)d+(ej5d)d)d,(gd-Z6d.Z7d/Z8d0Z9dS)2N) timedelta)InMemoryKmsClientMockVersioningKmsClientverify_file_encryptedread_external_keys_to_dictparse_wrapped_keyzencrypted_table.in_mem.parquets0123456789112345 footer_keys1234567890123450col_keymodule)scopectjtjgdtjgdtjgdd}|S)N))abc)xyz)paTable from_pydictarray) data_tables y/home/jaya/work/projects/VOICE-AGENT/VIET/agent-env/lib/python3.11/site-packages/pyarrow/tests/parquet/test_encryption.pyrr2s^%% Xiii Xooo & & Xooo & &''J cNtjttddgi}|S)Nrr)r column_keyspeEncryptionConfigurationFOOTER_KEY_NAME COL_KEY_NAME)basic_encryption_configs rr%r%<s3 8" 3*     #"rcPtjttddgid}|S)NrrF)r rinternal_key_materialr )external_encryption_configs rr(r(Fs8!#!;" 3* $ "%"%"% &%rcbtj|}d}tj|}||fS)z Sets up and returns the KMS connection configuration and crypto factory based on provided KMS configuration parameters. custom_kms_confc t|SNrkms_connection_configurations r kms_factoryz1setup_encryption_environment..kms_factoryX !=>>>r)r!KmsConnectionConfig CryptoFactory)r+kms_connection_configr1crypto_factorys rsetup_encryption_environmentr7QsD 2?SSS???%k22N . 00rc||d||di}t|\}} t||||| || fS)zL Writes an encrypted parquet file based on the provided parameters. UTF-8)decoder7write_encrypted_parquet) pathrfooter_key_name col_key_namer r encryption_configr+r5r6s rwrite_encrypted_filer@asz **733gnnW--O -I--)>D*.?1>CCC !. 00rc |tz }tjttddgidt dd}|jdusJt||tttt|\}}t|tj t d }t||||}| |sJd S) DWrite an encrypted parquet, verify it's encrypted, and then read it.rr AES_GCM_V1@minutesr rencryption_algorithmcache_lifetimedata_key_length_bitsFrJN) PARQUET_NAMEr!r"r#r$runiform_encryptionr@ FOOTER_KEYCOL_KEYrDecryptionConfigurationread_encrypted_parquetequalstempdirrr<r?r5r6decryption_config result_tables r!test_encrypted_parquet_write_readrXws \ !D 2" 3* * --- """  /5 8 8 8 8,@ j/<W--)>$2 ---///) !6HHL   \ * *** ***rc |tz }tjtddt dd}|jdusJt ||tttd|\}}t|tj t d}t||||}| |sJd S) rBTrCrDrErG)r rNrIrJrKrrLN) rMr!r"r#rrNr@r$rOrrQrRrSrTs r)test_uniform_encrypted_parquet_write_readrZs \ !D2") --- """  /4 7 7 7 7,@ j/<S--)>$2 ---///) !6HHL   \ * *** ***rc |jr|||}n||||}|Jtj||j|5}||ddddS#1swxYwYdS)N)encryption_properties)r'file_encryption_propertiespq ParquetWriterschema write_table)r<tabler?r5r6r]writers rr;r;s.<%3%N%N !#4&6&6""&4%N%N !#4d&<&<" % 1 1 1  %,"< > > >"AG5!!!""""""""""""""""""sA99A=A=Tch|r|||}n||||}|Jtj||}|jdksJtj||}t |jdksJtj||}|dS)Ndecryption_propertiesrT use_threads) file_decryption_propertiesr^ read_metadata num_columns read_schemalennames ParquetFileread) r<rVr5r6r'rimetar`results rrRrRs<%3%N%N !#4&6&6""&4%N%N !#4d&<&<" & 1 1 1  $> @ @ @D  q ^ $>@@@F v|   ! ! ! ! ^ $>@@@F ;;4; ( ((rc f|tz }tjttddgidt dd}t ||tttt|t|ttt dtt di\}}tj t d }tjtd 5t!||||d d d d S#1swxYwYd S) zYWrite an encrypted parquet, verify it's encrypted, and then read it using wrong keys.rrrCrDrErGrHr9rLzIncorrect master key usedmatchN)rMr!r"r#r$rr@rOrPrr7r:rQpytestraises ValueErrorrR)rUrr<r?wrong_kms_connection_configwrong_crypto_factoryrVs r+test_encrypted_parquet_write_read_wrong_keyr{s \ !D 2" 3* * --- """z?L#W.?AAA$8T00j''00V995!5 2 ---/// z)E F F F"" #%@  " " """""""""""""""""""sD&&D*-D*ct||tjtd5t j|t z ddddS#1swxYwYdS)zmWrite an encrypted parquet, verify it's encrypted, but then try to read it without decryption properties. no decryptionrtN)rXrvrwIOErrorr^rorMrprUrs r0test_encrypted_parquet_read_no_decryption_configrs&gz::: w&6 7 7 766 w-..33555666666666666666666s/A((A,/A,ct||tjtd5t j|t z ddddS#1swxYwYdS)zwWrite an encrypted parquet, verify it's encrypted, but then try to read its metadata without decryption properties.r}rtN)rXrvrwr~r^rjrMrs r9test_encrypted_parquet_read_metadata_no_decryption_configrs&gz::: w&6 7 7 711 </000111111111111111111AAAct||tjtd5t j|t z ddddS#1swxYwYdS)zuWrite an encrypted parquet, verify it's encrypted, but then try to read its schema without decryption properties.r}rtN)rXrvrwr~r^rlrMrs r7test_encrypted_parquet_read_schema_no_decryption_configr s&gz::: w&6 7 7 7// w-...//////////////////rc |dz }tjt}tjt d5t ||tttd|ddddS#1swxYwYdS)MWrite an encrypted parquet, but give only footer key, without column key.z)encrypted_table_no_col_key.in_mem.parquetr z4Either column_keys or uniform_encryption must be setrtrN) r!r"r#rvrwOSErrorr@r$rOrUrr<r?s r'test_encrypted_parquet_write_no_col_keyrs @ @D2"$$$ w% & & &AA T: '.? A A A AAAAAAAAAAAAAAAAAAs%A--A14A1c  |dz }tjttddgid}t jt d5t||tttd|d d d d S#1swxYwYd S) rz=encrypted_table_col_key_and_uniform_encryption.in_mem.parquetrrT)r rrNz2Cannot set both column_keys and uniform_encryptionrtrN) r!r"r#r$rvrwrr@rOrs r;test_encrypted_parquet_write_col_key_and_uniform_encryptionr's T TD2" 3*  !!! wR T T TAA T: '.? A A AAAAAAAAAAAAAAAAAAAs%A88A<?A<c|dz }|}tj}d}tj|}tjt d5t |||||ddddS#1swxYwYdS).kms_factoryDs!!=>>>rr rtN)r!r3r4rvrwKeyErrorr;rUrr%r<r?r5r1r6s r&test_encrypted_parquet_write_kms_errorr;s ? ?D/244??? %k22N x| 4 4 4GGj2C 5~ G G GGGGGGGGGGGGGGGGGGG A..A25A2c,|dz }|}tj}Gddtjfd}tj|}t jt d5t|||||ddddS#1swxYwYdS)rrc$eZdZdZdZdZdZdS)Jtest_encrypted_parquet_write_kms_specific_error..ThrowingKmsClientzVA KmsClient implementation that throws exception in wrap/unwrap calls cRtj|||_dS)z%Create an InMemoryKmsClient instance.N)r! KmsClient__init__configselfrs rrzStest_encrypted_parquet_write_kms_specific_error..ThrowingKmsClient.__init__^s# L ! !$ ' ' ' DKKKrc td)NCannot Wrap Keyrxr key_bytesmaster_key_identifiers rwrap_keyzStest_encrypted_parquet_write_kms_specific_error..ThrowingKmsClient.wrap_keycs.// /rc td)NzCannot Unwrap Keyrr wrapped_keyrs r unwrap_keyzUtest_encrypted_parquet_write_kms_specific_error..ThrowingKmsClient.unwrap_keyfs011 1rN__name__ __module__ __qualname____doc__rrrrrThrowingKmsClientrYsK   ! ! !  0 0 0 2 2 2 2 2rrc|Sr-r)r0rs rr1zDtest_encrypted_parquet_write_kms_specific_error..kms_factoryis  !=>>>rrrtN)r!r3rr4rvrwrxr;) rUrr%r<r?r5r1r6rs @r/test_encrypted_parquet_write_kms_specific_errorrPs- ? ?D/24422222BL222 ?????%k22N z): ; ; ;GGj2C 5~ G G GGGGGGGGGGGGGGGGGGGs(B  B B c|dz }|}tj}d}tj|}tjt d5t |||||ddddS#1swxYwYdS)z@Write an encrypted parquet, but raise ValueError in kms_factory.0encrypted_table_kms_factory_error.in_mem.parquetc td)NCannot create KmsClientrr/s rr1zCtest_encrypted_parquet_write_kms_factory_error..kms_factory}s2333rrrtN)r!r3r4rvrwrxr;rs r.test_encrypted_parquet_write_kms_factory_errorrts G GD/244444%k22N z6 8 8 8GG j2C 5~ G G GGGGGGGGGGGGGGGGGGGrc|dz }|}tj}Gddfd}tj|}tjt 5t |||||ddddS#1swxYwYdS)z_Write an encrypted parquet, but use wrong KMS client type that doesn't implement KmsClient.rc$eZdZdZdZdZdZdS)Otest_encrypted_parquet_write_kms_factory_type_error..WrongTypeKmsClientz4This is not an implementation of KmsClient. c|j|_dSr-)r+master_keys_maprs rrzXtest_encrypted_parquet_write_kms_factory_type_error..WrongTypeKmsClient.__init__s#)#9D rcdSr-rrs rrzXtest_encrypted_parquet_write_kms_factory_type_error..WrongTypeKmsClient.wrap_key4rcdSr-rrs rrzZtest_encrypted_parquet_write_kms_factory_type_error..WrongTypeKmsClient.unwrap_keyrrNrrrrWrongTypeKmsClientrsK   : : :        rrc|Sr-r)r0rs rr1zHtest_encrypted_parquet_write_kms_factory_type_error..kms_factorys!!">???rN)r!r3r4rvrw TypeErrorr;) rUrr%r<r?r5r1r6rs @r3test_encrypted_parquet_write_kms_factory_type_errorrs( G GD/244        @@@@@%k22N y ! !GGj2C 5~ G G GGGGGGGGGGGGGGGGGGGsA<<BBc ld}tjttddgidddt ddd }||tjt }tddgi|_d|_d|_d|_t d|_ d|_ d |_ ||dS) Nct|jksJddg|jtksJd|jksJ|jsJ|jrJtd|jksJ|j rJd|j ksJdS)NrrAES_GCM_CTR_V1$@rE) r#r rr$rIplaintext_footerdouble_wrappingrrJr'rK)r?s r!validate_encryption_configurationzZtest_encrypted_parquet_encryption_configuration..validate_encryption_configurations"3">>>>>Sz.:<HHHHH#4#IIIII 1111$4444&&&*;*JJJJJ$::::'<<<<<<.validate_kms_connection_configsq3CCCCC.?????1BBBBB)3CDD%5666666rrrrrrrr)r!r3rrrr+)rr5kms_connection_config_1s r(test_encrypted_parquet_kms_configurationrs7772#"$$     #"#8999 466.9+/5,/8,  //+#"#:;;;;;rzNPlaintext footer - reading plaintext column subset reads encrypted columns too)reasonc`|tz }tjttddgidd}tjtt dttdi}d}tj |}t|||||d S) zWrite an encrypted parquet, with plaintext footer and with single wrapping, verify it's encrypted, and then read plaintext columns.rrTF)r rrrr9r*c t|Sr-r.r/s rr1zStest_encrypted_parquet_write_read_plain_footer_single_wrapping..kms_factoryr2rN) rMr!r"r#r$r3rOr:rPr4r;)rUrr<r?r5r1r6s r>test_encrypted_parquet_write_read_plain_footer_single_wrappingrs \ !D 2" 3*  2 Z..w77 '..11 ???%k22ND*.?1>CCCCCrc " |tz }t||tttt |\}}t |tj}t||||d}tj j | t x}t|jtdzksJt# fd|DsJ||sJdS)zWrite an encrypted parquet file with external key material, verify it's encrypted, then read both the table and external store. Fr'rc>g|]}|duSr-)get_key_material).0kstores r z>test_encrypted_parquet_write_read_external..1s,GGG!&&q))5GGGrN)rMr@r#r$rOrPrr!rQrRr_parquet_encryptionFileSystemKeyMaterialStorefor_filermget_key_id_setrallrS) rUrr(r<r5r6rVrWkey_idsrs @r*test_encrypted_parquet_write_read_externalrs& \ !D,@ j/<W"-$-$)>$244) !6#%%%L  " = F Ft L LE %..000w 1 1 & 2< @AAAE G G G G GGGGwGGG H HHH H   \ * *** ***r)double_wrap_initialdouble_wrap_rotatedzdouble wrapping)idFzsingle to double wrappedzdouble to singe wrappedzsingle wrappingc |tz }tjttddgid}tjd}d}tj|}t|||||t| | d| || t| t|t|tj ||d } t vsJt vsJt vsJt vsJd td d f fd } | t| t|| sJd S)aTests CryptoFactory.rotate_master_keys Note: The CryptoFactory.rotate_master_keys() double_wrapping keword arg may be either True (the default) or False regardless of whether EncryptionConfig.double_wrapping was set to true (also the default) when the external key material store was written. This means double wrapping may be set one way initially and then applied or removed during rotation. rrF)r rr'r1)rc t|Sr-)rr/s rr1z8test_external_key_material_rotation..kms_factoryRs&'CDDDr2)rr master_key_idreturnNc |} r|j}n|j}t|\}}}|} r|j}n|j}t|\}}}||ksJdSr-) wrapped_kek wrapped_dekr) rbefore_key_matbefore_key_wrapped_ before_ver after_key_matafter_key_wrapped after_ver after_keys before_keysrrs rcheck_rotated_external_keyszHtest_external_key_material_rotation..check_rotated_external_keysrs$]3  >9aI%%%%%%r)rMr!r"r#r$r3r4r;rrefresh_key_access_tokenrotate_master_keysrrRrQstrrS) reusable_tempdirrrrr<r?r5r1r6table_read_after_rotationr rr s `` @@r#test_external_key_material_rotationr5s& l *D2"!C:.#+ ---2CHHHEEE%k22N   -T22K223777%% +&--- ,D11J$ 6  "$$# !%!%!% k ) ) ) ) ; & & & & j ( ( ( ( : % % % %&3&4&&&&&&&&&" 000 ---   6 7 777 777rc |tz }t||tttt |\}}t |tjtd}tdD]_}| ||}|Jtj ||} | d} || sJ`dS) z`Write an encrypted parquet, verify it's encrypted, and then read it multithreaded in a loop.rDrErL2NreTrg)rMr@r#r$rOrPrr!rQrrangerir^rorprS) rUrr%r<r5r6rVirirrrWs rtest_encrypted_parquet_looprs \ !D -A j/<W-!-!)>$2 ---///2YY / /%3%N%N !#4&6&6")555 (BDDD{{t{44   ...... / /rc |tz }t||tttt |\}}t |tjtd}| ||}~tj ||}| d} || sJdS)z^ Test that decryption properties can be used if the crypto factory is no longer alive rDrErLreTrgN)rMr@r#r$rOrPrr!rQrrir^rorprS) rUrr%r<r5r6rVrirrrWs r%test_read_with_deleted_crypto_factoryrs \ !D,@ j/<W-!-!)>$2 ---///!/!J!J0"2"2 ^ $>@@@F;;4;00L   \ * *** ***rc |tz }t||tttt |\}}t jtd}| ||}tj ||}| |sJtj ||}| |sJdS)z>Write an encrypted parquet then read it back using read_table.rDrErLreN) rMr@r#r$rOrPr!rQrrir^ read_tablerS) rUrr%r<r5r6rVrirWs r!test_encrypted_parquet_read_tablers \ !D-A j/<W-!-!)>2 ---///!/!J!J0"2"2==WXXXL   \ * *** *='ACCCL   \ * *** ***r)T):rvdatetimerpyarrowrpyarrow.parquetparquetr^pyarrow.parquet.encryption encryptionr! pyarrow.tests.parquet.encryptionrrrrr ImportErrorrMrOr#rPr$markparquet_encryption pytestmarkfixturerr%r(r7r@rXrZr;rRr{rrrrrrrrrrrrxfailrr parametrizeparamrrrrrrrr*s"  E      +++++++++ EEEEEEEEEEEEEEE  B BBB0    K" K h h## #h&& & 1 1 1 111,+++>+++6 " " ""26)))). " " "F666111///AAA"AAA(GGG*!G!G!GHGGG(GGGB ; ; ;FIII<<<:233CC33CN+++22 T4$5666 UD%?@@@ T5%>??? UE&7888 5:;; J8J8 ;; J8Z///:+++0+++++s . ::