cin 4ddlZddlmZddlZ ddlmZddlmcm Z ddl m Z m Z mZmZmZdZdZdZdZdZej.j0ej.j gZej4d d Zej4d d Zej4d d ZdZdZdZ dZ!dZ" d1dZ#dZ$dZ%dZ&dZ'dZ(dZ)dZ*dZ+dZ,dZ-dZ.d Z/d!Z0ej.jcd"#d$Z2d%Z3ej.jid&ejjddd'(ejjd)dd*(ejjdd)d+(ejjd)d)d,(gd-Z6d.Z7d/Z8d0Z9y#e$rdZdZ YiwxYw)2N) timedelta)InMemoryKmsClientMockVersioningKmsClientverify_file_encryptedread_external_keys_to_dictparse_wrapped_keyzencrypted_table.in_mem.parquets0123456789112345 footer_keys1234567890123450col_keymodule)scopectjjtjgdtjgdtjgdd}|S)N))abc)xyz)paTable from_pydictarray) data_tables L/tmp/pip-target-z3e9_cxr/lib/python/pyarrow/tests/parquet/test_encryption.pyrr2sG%% XXi XXo & XXo &'J cLtjttddgi}|S)Nrr)r column_keyspeEncryptionConfigurationFOOTER_KEY_NAME COL_KEY_NAME)basic_encryption_configs rr%r%<s, 88" 3*   #"rcNtjttddgid}|S)NrrF)r rinternal_key_materialr )external_encryption_configs rr(r(Fs1!#!;!;" 3* $ "% &%rcftj|}d}tj|}||fS)z Sets up and returns the KMS connection configuration and crypto factory based on provided KMS configuration parameters. custom_kms_confct|SNrkms_connection_configurations r kms_factoryz1setup_encryption_environment..kms_factoryX !=>>r)r!KmsConnectionConfig CryptoFactory)r+kms_connection_configr1crypto_factorys rsetup_encryption_environmentr7Qs7 22?S?%%k2N . 00rc||jd||jdi}t|\}} t||||| || fS)zL Writes an encrypted parquet file based on the provided parameters. UTF-8)decoder7write_encrypted_parquet) pathrfooter_key_name col_key_namer r encryption_configr+r5r6s rwrite_encrypted_filer@asc **73gnnW-O -I-)>D*.?1>C !. 00rc v|tz }tjttddgidt dd}|j dusJt||tttt|\}}t|tjt d }t||||}|j|sJy ) DWrite an encrypted parquet, verify it's encrypted, and then read it.rr AES_GCM_V1@minutesr rencryption_algorithmcache_lifetimedata_key_length_bitsFrJN) PARQUET_NAMEr!r"r#r$runiform_encryptionr@ FOOTER_KEYCOL_KEYrDecryptionConfigurationread_encrypted_parquetequalstempdirrr<r?r5r6decryption_config result_tables r!test_encrypted_parquet_write_readrXws \ !D 22" 3* * - "  / /5 88 8,@ j/<W-)>$22 -/) !6HL   \ ** *rc ^|tz }tjtddt dd}|j dusJt ||tttd|\}}t|tjt d}t||||}|j|sJy ) rBTrCrDrErG)r rNrIrJrKrrLN) rMr!r"r#rrNr@r$rOrrQrRrSrTs r)test_uniform_encrypted_parquet_write_readrZs \ !D22") - "  / /4 77 7,@ j/<S-)>$22 -/) !6HL   \ ** *rc|jr|j||}n|j|||}|Jtj||j|5}|j |dddy#1swYyxYw)N)encryption_properties)r'file_encryption_propertiespq ParquetWriterschema write_table)r<tabler?r5r6r]writers rr;r;s..%3%N%N !#4&6"&4%N%N !#4d&<" % 11 1   %,,"< >"AG5!"""s A44A=Tc^|r|j||}n|j|||}|Jtj||}|jdk(sJtj||}t |j dk(sJtj||}|jdS)Ndecryption_propertiesrT use_threads) file_decryption_propertiesr^ read_metadata num_columns read_schemalennames ParquetFileread) r<rVr5r6r'rimetar`results rrRrRs%3%N%N !#4&6"&4%N%N !#4d&<" & 11 1   $> @D   q  ^^ $>@F v||  !! ! ^^ $>@F ;;4; ((rc  |tz }tjttddgidt dd}t ||tttt|t|tttjdttjdi\}}tjt d }tjtd 5t!||||d d d y #1swYy xYw) zYWrite an encrypted parquet, verify it's encrypted, and then read it using wrong keys.rrrCrDrErGrHr9rLzIncorrect master key usedmatchN)rMr!r"r#r$rr@rOrPrr7r:rQpytestraises ValueErrorrR)rUrr<r?wrong_kms_connection_configwrong_crypto_factoryrVs r+test_encrypted_parquet_write_read_wrong_keyr{s \ !D 22" 3* * - "z?L#W.?A$8T0j''0V95!5 22 -/ z)E F" #%@  """"s !C99Dct||tjtd5t j |t z jdddy#1swYyxYw)zmWrite an encrypted parquet, verify it's encrypted, but then try to read it without decryption properties. no decryptionrtN)rXrvrwIOErrorr^rorMrprUrs r0test_encrypted_parquet_read_no_decryption_configrsL&gz: w&6 76 w-.335666s +AA%ct||tjtd5t j |t z dddy#1swYyxYw)zwWrite an encrypted parquet, verify it's encrypted, but then try to read its metadata without decryption properties.r}rtN)rXrvrwr~r^rjrMrs r9test_encrypted_parquet_read_metadata_no_decryption_configrsE&gz: w&6 71 </0111 AAct||tjtd5t j |t z dddy#1swYyxYw)zuWrite an encrypted parquet, verify it's encrypted, but then try to read its schema without decryption properties.r}rtN)rXrvrwr~r^rlrMrs r7test_encrypted_parquet_read_schema_no_decryption_configr sC&gz: w&6 7/ w-.///rc |dz }tjt}tjt d5t ||tttd|dddy#1swYyxYw)MWrite an encrypted parquet, but give only footer key, without column key.z)encrypted_table_no_col_key.in_mem.parquetr z4Either column_keys or uniform_encryption must be setrtrN) r!r"r#rvrwOSErrorr@r$rOrUrr<r?s r'test_encrypted_parquet_write_no_col_keyrsn @ @D22"$ w% &A T: '.? A AAAs A""A+c |dz }tjttddgid}t j t d5t||tttd|d d d y #1swYy xYw) rz=encrypted_table_col_key_and_uniform_encryption.in_mem.parquetrrT)r rrNz2Cannot set both column_keys and uniform_encryptionrtrN) r!r"r#r$rvrwrr@rOrs r;test_encrypted_parquet_write_col_key_and_uniform_encryptionr's T TD22" 3*  ! wR TA T: '.? AAAAs A,,A5c|dz }|}tj}d}tj|}tjt d5t |||||dddy#1swYyxYw).kms_factoryDs!!=>>rr rtN)r!r3r4rvrwKeyErrorr;rUrr%r<r?r5r1r6s r&test_encrypted_parquet_write_kms_errorr;sy ? ?D/224? %%k2N x| 4Gj2C 5~ GGGG A((A1c |dz }|}tj}Gddtjfd}tj|}t j t d5t|||||dddy#1swYyxYw)rrc"eZdZdZdZdZdZy)Jtest_encrypted_parquet_write_kms_specific_error..ThrowingKmsClientzVA KmsClient implementation that throws exception in wrap/unwrap calls cPtjj|||_y)z%Create an InMemoryKmsClient instance.N)r! KmsClient__init__configselfrs rrzStest_encrypted_parquet_write_kms_specific_error..ThrowingKmsClient.__init__^s LL ! !$ ' DKrctd)NCannot Wrap Keyrxr key_bytesmaster_key_identifiers rwrap_keyzStest_encrypted_parquet_write_kms_specific_error..ThrowingKmsClient.wrap_keycs./ /rctd)NzCannot Unwrap Keyrr wrapped_keyrs r unwrap_keyzUtest_encrypted_parquet_write_kms_specific_error..ThrowingKmsClient.unwrap_keyfs01 1rN__name__ __module__ __qualname____doc__rrrrrThrowingKmsClientrYs  !  0 2rrc|Sr-r)r0rs rr1zDtest_encrypted_parquet_write_kms_specific_error..kms_factoryis !=>>rrrtN)r!r3rr4rvrwrxr;) rUrr%r<r?r5r1r6rs @r/test_encrypted_parquet_write_kms_specific_errorrPs ? ?D/2242BLL2 ?%%k2N z): ;Gj2C 5~ GGGGs +BB c|dz }|}tj}d}tj|}tjt d5t |||||dddy#1swYyxYw)z@Write an encrypted parquet, but raise ValueError in kms_factory.0encrypted_table_kms_factory_error.in_mem.parquetctd)NCannot create KmsClientrr/s rr1zCtest_encrypted_parquet_write_kms_factory_error..kms_factory}s233rrrtN)r!r3r4rvrwrxr;rs r.test_encrypted_parquet_write_kms_factory_errorrts~ G GD/2244%%k2N z6 8G j2C 5~ GGGGrc|dz }|}tj}Gddfd}tj|}tjt 5t |||||dddy#1swYyxYw)z_Write an encrypted parquet, but use wrong KMS client type that doesn't implement KmsClient.rc"eZdZdZdZdZdZy)Otest_encrypted_parquet_write_kms_factory_type_error..WrongTypeKmsClientz4This is not an implementation of KmsClient. c&|j|_yr-)r+master_keys_maprs rrzXtest_encrypted_parquet_write_kms_factory_type_error..WrongTypeKmsClient.__init__s#)#9#9D rcyr-rrs rrzXtest_encrypted_parquet_write_kms_factory_type_error..WrongTypeKmsClient.wrap_keyrcyr-rrs rrzZtest_encrypted_parquet_write_kms_factory_type_error..WrongTypeKmsClient.unwrap_keyrrNrrrrWrongTypeKmsClientrs  :  rrc|Sr-r)r0rs rr1zHtest_encrypted_parquet_write_kms_factory_type_error..kms_factorys!">??rN)r!r3r4rvrw TypeErrorr;) rUrr%r<r?r5r1r6rs @r3test_encrypted_parquet_write_kms_factory_type_errorrs G GD/224  @%%k2N y !Gj2C 5~ GGGGs A33A<c Jd}tjttddgidddt ddd }||tjt }tddgi|_d|_d|_d|_t d|_ d|_ d |_ ||y) Nc0t|jk(sJddg|jtk(sJd|jk(sJ|j sJ|j rJtd|jk(sJ|jrJd|jk(sJy)NrrAES_GCM_CTR_V1$@rE) r#r rr$rIplaintext_footerdouble_wrappingrrJr'rK)r?s r!validate_encryption_configurationzZtest_encrypted_parquet_encryption_configuration..validate_encryption_configurations"3">">>>>Sz.::<HHHH#4#I#IIII 1111$4444&*;*J*JJJJ$::::'<<<<.validate_kms_connection_configsb3CCCCC.?????1BBBBB)3CD%556 76rrrrrrrr)r!r3rrrr+)rr5kms_connection_config_1s r(test_encrypted_parquet_kms_configurationrs722#"$$  ##89 446.9+/5,/8,  /+##:;rzNPlaintext footer - reading plaintext column subset reads encrypted columns too)reasonc>|tz }tjttddgidd}tj tt jdttjdi}d}tj|}t|||||y ) zWrite an encrypted parquet, with plaintext footer and with single wrapping, verify it's encrypted, and then read plaintext columns.rrTF)r rrrr9r*ct|Sr-r.r/s rr1zStest_encrypted_parquet_write_read_plain_footer_single_wrapping..kms_factoryr2rN) rMr!r"r#r$r3rOr:rPr4r;)rUrr<r?r5r1r6s r>test_encrypted_parquet_write_read_plain_footer_single_wrappingrs \ !D 22" 3*  22 Z..w7 '..1 ?%%k2ND*.?1>Crc |tz }t||tttt |\}}t |tj}t||||d}tjjj|}t|jx} t|j tdzk(sJt#| D cgc]} |j%| duc} sJ|j'|sJycc} w)zWrite an encrypted parquet file with external key material, verify it's encrypted, then read both the table and external store. Fr'rN)rMr@r#r$rOrPrr!rQrRr_parquet_encryptionFileSystemKeyMaterialStorefor_filermget_key_id_setrallget_key_materialrS) rUrr(r<r5r6rVrWstorekey_idsks r*test_encrypted_parquet_write_read_externalrs \ !D,@ j/<W"-$)>$224) !6#%L  " " = = F Ft LE %..00w 1 & 2 2< @AAE GG G wG!&&q)5G HH H   \ ** *Hs D)double_wrap_initialdouble_wrap_rotatedzdouble wrapping)idFzsingle to double wrappedzdouble to singe wrappedzsingle wrappingcz |tz }tjttddgid}tj d}d}tj |}t|||||t| |jd|j|| t| t|t|tj||d } t vsJt vsJt vsJt vsJd td d f fd } | t| t|j| sJy )aTests CryptoFactory.rotate_master_keys Note: The CryptoFactory.rotate_master_keys() double_wrapping keword arg may be either True (the default) or False regardless of whether EncryptionConfig.double_wrapping was set to true (also the default) when the external key material store was written. This means double wrapping may be set one way initially and then applied or removed during rotation. rrF)r rr'r1)rct|Sr-)rr/s rr1z8test_external_key_material_rotation..kms_factoryRs&'CDDr2)rr master_key_idreturnNc |} r |j}n |j}t|\}}}|} r |j}n |j}t|\}}}||ksJyr-) wrapped_kek wrapped_dekr) rbefore_key_matbefore_key_wrapped_ before_ver after_key_matafter_key_wrapped after_ver after_keys before_keysrrs rcheck_rotated_external_keyszHtest_external_key_material_rotation..check_rotated_external_keysrs$]3 !/!;!; !/!;!; ,-?@:q"=1  - 9 9  - 9 9 +,=>9aI%%%r)rMr!r"r#r$r3r4r;rrefresh_key_access_tokenrotate_master_keysrrRrQstrrS) reusable_tempdirrrrr<r?r5r1r6table_read_after_rotationrrrs `` @@r#test_external_key_material_rotationr 5s]& l *D22"!C:.#+ -22CHE%%k2N   -T2K2237%% +&- ,D1J$ 6  ""$# !% k )) ) ; && & j (( ( : %% %&3&4&&" 0 -   6 77 7rc x|tz }t||tttt |\}}t |tjtd}tdD]T}|j||}|Jtj||} | jd} |j| rTJy) z`Write an encrypted parquet, verify it's encrypted, and then read it multithreaded in a loop.rDrErL2NreTrg)rMr@r#r$rOrPrr!rQrrangerir^rorprS) rUrr%r<r5r6rVirirrrWs rtest_encrypted_parquet_looprs \ !D -A j/<W-!)>$22 -/2Y /%3%N%N !#4&6")555 (BD{{t{4   ... /rc R|tz }t||tttt |\}}t |tjtd}|j||}~tj||}|jd} |j| sJy)z^ Test that decryption properties can be used if the crypto factory is no longer alive rDrErLreTrgN)rMr@r#r$rOrPrr!rQrrir^rorprS) rUrr%r<r5r6rVrirrrWs r%test_read_with_deleted_crypto_factoryrs \ !D,@ j/<W-!)>$22 -/!/!J!J0"2 ^^ $>@F;;4;0L   \ ** *rc j|tz }t||tttt |\}}t jtd}|j||}tj||}|j|sJtj||}|j|sJy)z>Write an encrypted parquet then read it back using read_table.rDrErLreN) rMr@r#r$rOrPr!rQrrir^ read_tablerS) rUrr%r<r5r6rVrirWs r!test_encrypted_parquet_read_tablers \ !D-A j/<W-!)>22 -/!/!J!J0"2===WXL   \ ** *=='ACL   \ ** *r)T):rvdatetimerpyarrowrpyarrow.parquetparquetr^pyarrow.parquet.encryption encryptionr! pyarrow.tests.parquet.encryptionrrrrr ImportErrorrMrOr#rPr$markparquet_encryption pytestmarkfixturerr%r(r7r@rXrZr;rRr{rrrrrrrrrrrrxfailrr parametrizeparamr rrrrrrr's " E ++ EE0    KK"" KK h h# #h& & 1 1,+>+6 ""26). "F61/A"A(G*!GHG(GB ;FI<:23C3CN+22 T4$56 UD%?@ T5%>? UE&78 5:; J8 ; J8Z/:+0+M B BsF FF