h]4SSKrSSKJr SSKrSSKJr SSKJs J r SSK J r J r SrSrSrSrSr\R(R*\R(R /r\R."S S 9S 5r\R."S S 9S 5rS rSrSrSrSrSrSr Sr!Sr"Sr#Sr$Sr%Sr&Sr'Sr(Sr)Sr*Sr+Sr,\R(R[S S!9S"5r.\R(R[S#S!9S$5r/S%r0S&r1S'r2g!\a SrSr Nf=f)(N) timedelta)InMemoryKmsClientverify_file_encryptedzencrypted_table.in_mem.parquets0123456789112345 footer_keys1234567890123450col_keymodule)scopec[RR[R"/SQ5[R"/SQ5[R"/SQ5S.5nU$)N))abc)xyz)paTable from_pydictarray) data_tables _/home/james-whalen/.local/lib/python3.13/site-packages/pyarrow/tests/parquet/test_encryption.pyrr0sG%% XXi XXo & XXo &'J cH[R"[[SS/0S9nU$)Nrr)r column_keys)peEncryptionConfigurationFOOTER_KEY_NAME COL_KEY_NAME)basic_encryption_configs rr!r!:s, 88" 3*   #"rcb[R"US9nSn[R"U5nX4$)zy Sets up and returns the KMS connection configuration and crypto factory based on provided KMS configuration parameters. custom_kms_confc[U5$Nrkms_connection_configurations r kms_factory1setup_encryption_environment..kms_factoryK !=>>r)rKmsConnectionConfig CryptoFactory)r$kms_connection_configr*crypto_factorys rsetup_encryption_environmentr1Ds5 22?S?%%k2N 00rcX$RS5X5RS50n[U5up[XUX5 X4$)zD Writes an encrypted parquet file based on the provided parameters. UTF-8)decoder1write_encrypted_parquet) pathrfooter_key_name col_key_namerrencryption_configr$r/r0s rwrite_encrypted_filer:TsW **73nnW-O -I-)D.?1C ! 00rc fU[- n[R"[[SS/0S[ SS9SS9nUR SLde[X![[[[U5upE[U5 [R"[ SS9S 9n[X&XE5nURU5(deg ) DWrite an encrypted parquet, verify it's encrypted, and then read it.rr AES_GCM_V1@minutesrrencryption_algorithmcache_lifetimedata_key_length_bitsFrDN) PARQUET_NAMErrrr runiform_encryptionr: FOOTER_KEYCOL_KEYrDecryptionConfigurationread_encrypted_parquetequalstempdirrr6r9r/r0decryption_config result_tables r!test_encrypted_parquet_write_readrRjs \ !D 22" 3* * - "  / /5 88 8,@ /<W-)$22 -/) !6HL   \ * ** *rc NU[- n[R"[SS[ SS9SS9nUR SLde[ X![[[SU5upE[U5 [R"[ SS9S9n[X&XE5nURU5(deg ) r<Tr=r>r?rA)rrHrCrDrErrFN) rGrrrrrHr:r rIrrKrLrMrNs r)test_uniform_encrypted_parquet_write_readrTs \ !D22") - "  / /4 77 7,@ /<S-)$22 -/) !6HL   \ * ** *rcURX25nUce[R"XRUS9nUR U5 SSS5 g!,(df  g=f)N)encryption_properties)file_encryption_propertiespq ParquetWriterschema write_table)r6tabler9r/r0rWwriters rr5r5s[!/!J!J"2 % 11 1   ,,"< >AG5! > > >s A AcURX!5nUce[R"XS9nURS:Xde[R"XS9n[ UR 5S:Xde[R"XS9nURSS9$)Ndecryption_propertiesr T use_threads) file_decryption_propertiesrX read_metadata num_columns read_schemalennames ParquetFileread)r6rPr/r0rcmetarZresults rrLrLs!/!J!J"2 % 11 1    @D   q  ^^ @F v||  !! ! ^^ @F ;;4; ((rc U[- n[R"[[SS/0S[ SS9SS9n[ X![[[[U5 [U5 [[[RS5[[RS505upE[R"[ SS9S 9n[R"[S S 9 [!X&UU5 S S S 5 g !,(df  g =f) zUWrite an encrypted parquet, verify it's encrypted, and then read it using wrong keys.rrr=r>r?rArBr3rFzIncorrect master key usedmatchN)rGrrrr rr:rIrJrr1r4rKpytestraises ValueErrorrL)rOrr6r9wrong_kms_connection_configwrong_crypto_factoryrPs r+test_encrypted_parquet_write_read_wrong_keyrus \ !D 22" 3* * - "?L#W.?A$8T0j''0V95 22 -/ z)E F %@  " G F Fs C** C8c[X5 [R"[SS9 [R "U[ - 5R5 SSS5 g!,(df  g=f)ziWrite an encrypted parquet, verify it's encrypted, but then try to read it without decryption properties. no decryptionrnN)rRrprqIOErrorrXrirGrjrOrs r0test_encrypted_parquet_read_no_decryption_configrzsA&g: w&6 7 w-.335 8 7 7s ,A A(c[X5 [R"[SS9 [R "U[ - 5 SSS5 g!,(df  g=f)zsWrite an encrypted parquet, verify it's encrypted, but then try to read its metadata without decryption properties.rwrnN)rRrprqrxrXrdrGrys r9test_encrypted_parquet_read_metadata_no_decryption_configr|s:&g: w&6 7 </0 8 7 7 A  Ac[X5 [R"[SS9 [R "U[ - 5 SSS5 g!,(df  g=f)zqWrite an encrypted parquet, verify it's encrypted, but then try to read its schema without decryption properties.rwrnN)rRrprqrxrXrfrGrys r7test_encrypted_parquet_read_schema_no_decryption_configrs8&g: w&6 7 w-. 8 7 7r}c US- n[R"[S9n[R"[ SS9 [ X![[[SU5 SSS5 g!,(df  g=f)IWrite an encrypted parquet, but give only footer key, without column key.z)encrypted_table_no_col_key.in_mem.parquetrz4Either column_keys or uniform_encryption must be setrnrN) rrrrprqOSErrorr:r rIrOrr6r9s r'test_encrypted_parquet_write_no_col_keyrsc @ @D22"$ w% & T '.? A  & & &s A A+c US- n[R"[[SS/0SS9n[R "[ SS9 [X![[[SU5 S S S 5 g !,(df  g =f) rz=encrypted_table_col_key_and_uniform_encryption.in_mem.parquetrrT)rrrHz2Cannot set both column_keys and uniform_encryptionrnrN) rrrr rprqrr:rIrs r;test_encrypted_parquet_write_col_key_and_uniform_encryptionrsx T TD22" 3*  ! wR T T '.? A T T Ts A'' A5cUS- nUn[R"5nSn[R"U5n[R"[ SS9 [ X1UXW5 SSS5 g!,(df  g=f).kms_factory-s!!=>>rrrnN)rr-r.rprqKeyErrorr5rOrr!r6r9r/r*r0s r&test_encrypted_parquet_write_kms_errorr$sh ? ?D/224? %%k2N x| 42C 5 G 5 4 4 A&& A4c(^US- nUn[R"5n"SS[R5mU4Sjn[R"U5n[R "[ SS9 [X1UXW5 SSS5 g!,(df  g=f)rrc*\rSrSrSrSrSrSrSrg)Jtest_encrypted_parquet_write_kms_specific_error..ThrowingKmsClientiBzFA KmsClient implementation that throws exception in wrap/unwrap calls cN[RRU5 Xlg)z%Create an InMemoryKmsClient instance.N)r KmsClient__init__configselfrs rrStest_encrypted_parquet_write_kms_specific_error..ThrowingKmsClient.__init__Gs LL ! !$ ' Krc[S5e)NCannot Wrap Keyrrr key_bytesmaster_key_identifiers rwrap_keyStest_encrypted_parquet_write_kms_specific_error..ThrowingKmsClient.wrap_keyLs./ /rc[S5e)NzCannot Unwrap Keyrr wrapped_keyrs r unwrap_keyUtest_encrypted_parquet_write_kms_specific_error..ThrowingKmsClient.unwrap_keyOs01 1r)rN __name__ __module__ __qualname____firstlineno____doc__rrr__static_attributes__rrThrowingKmsClientrBs  !  0 2rrc>T"U5$r&r)r)rs rr*Dtest_encrypted_parquet_write_kms_specific_error..kms_factoryRs !=>>rrrnN)rr-rr.rprqrrr5) rOrr!r6r9r/r*r0rs @r/test_encrypted_parquet_write_kms_specific_errorr9sz ? ?D/2242BLL2 ?%%k2N z): ;2C 5 G < ; ;s ,B BcUS- nUn[R"5nSn[R"U5n[R"[ SS9 [ X1UXW5 SSS5 g!,(df  g=f)z@Write an encrypted parquet, but raise ValueError in kms_factory.0encrypted_table_kms_factory_error.in_mem.parquetc[S5e)NCannot create KmsClientrr(s rr*Ctest_encrypted_parquet_write_kms_factory_error..kms_factoryfs233rrrnN)rr-r.rprqrrr5rs r.test_encrypted_parquet_write_kms_factory_errorr]sq G GD/2244%%k2N z6 8 2C 5 G 8 8 8rc ^US- nUn[R"5n"SS5mU4Sjn[R"U5n[R"[ 5 [ X1UXW5 SSS5 g!,(df  g=f)z[Write an encrypted parquet, but use wrong KMS client type that doesn't implement KmsClient.rc*\rSrSrSrSrSrSrSrg)Otest_encrypted_parquet_write_kms_factory_type_error..WrongTypeKmsClienti{z4This is not an implementation of KmsClient. c&URUlgr&)r$master_keys_maprs rrXtest_encrypted_parquet_write_kms_factory_type_error..WrongTypeKmsClient.__init__s#)#9#9D rcgr&rrs rrXtest_encrypted_parquet_write_kms_factory_type_error..WrongTypeKmsClient.wrap_keyrcgr&rrs rrZtest_encrypted_parquet_write_kms_factory_type_error..WrongTypeKmsClient.unwrap_keyrr)rNrrrrWrongTypeKmsClientr{s  :  rrc>T"U5$r&r)r)rs rr*Htest_encrypted_parquet_write_kms_factory_type_error..kms_factorys!">??rN)rr-r.rprq TypeErrorr5) rOrr!r6r9r/r*r0rs @r3test_encrypted_parquet_write_kms_factory_type_errorrqsr G GD/224  @%%k2N y !2C 5 G " ! !s A55 Bc 6Sn[R"[[SS/0SSS[ SS9SS S 9nU"U5 [R"[S 9n[SS/0UlSUlSUlSUl[ SS9Ul SUl S Ul U"U5 g) NcR[UR:XdeSS/UR[:XdeSUR:XdeUR (deUR (ae[SS9UR:XdeUR(aeSUR:Xdeg)NrrAES_GCM_CTR_V1$@r?) rrrr rCplaintext_footerdouble_wrappingrrDinternal_key_materialrE)r9s r!validate_encryption_configurationZtest_encrypted_parquet_encryption_configuration..validate_encryption_configurations"3">">>>>Sz.::<HHHH#4#I#IIII 1111$4444&*;*J*JJJJ$::::'<<<<.validate_kms_connection_configsb3CCCCC.?????1BBBBB)3CD%556 76rrrrrrrr)rr-rrrr$)rr/kms_connection_config_1s r(test_encrypted_parquet_kms_configurationrs722#"$$  ##89 446.9+/5,/8,  /+##:;rzNPlaintext footer - reading plaintext column subset reads encrypted columns too)reasonc4U[- n[R"[[SS/0SSS9n[R "[[ RS5[[RS50S9nSn[R"U5n[X!UXF5 g ) zWrite an encrypted parquet, with plaintext footer and with single wrapping, verify it's encrypted, and then read plaintext columns.rrTF)rrrrr3r#c[U5$r&r'r(s rr*Stest_encrypted_parquet_write_read_plain_footer_single_wrapping..kms_factoryr,rN) rGrrrr r-rIr4rJr.r5rOrr6r9r/r*r0s r>test_encrypted_parquet_write_read_plain_footer_single_wrappingrs \ !D 22" 3*  22 Z..w7 '..1 ?%%k2ND.?1Crz'External key material not supported yetcU[- n[R"[0SS9n[R"[[ R S50S9nSn[R"U5n[X!UXF5 g)ztWrite an encrypted parquet, with external key material. Currently it's not implemented, so should throw an exceptionF)rrrr3r#c[U5$r&r'r(s rr*:test_encrypted_parquet_write_external..kms_factoryr,rN) rGrrrr-rIr4r.r5rs r%test_encrypted_parquet_write_externalrsx \ !D22"#% 22(**;*;G*DE?%%k2ND.?1Crc lU[- n[X1[[[[ U5upE[ U5 [R"[SS9S9n[S5HTnURXF5nUce[R"X8S9n U RSS9n URU 5(aMTe g) z\Write an encrypted parquet, verify it's encrypted, and then read it multithreaded in a loop.r>r?rF2Nr_Tra)rGr:rr rIrJrrrKrrangercrXrirjrM) rOrr!r6r/r0rPircrlrQs rtest_encrypted_parquet_loopr s \ !D -A /<W-!)$22 -/2Y%3%N%N !&6")555 D{{t{4   ....rc @U[- n[X1[[[[ U5upE[ U5 [R"[SS9S9nURXF5nA[R"X7S9nURSS9n URU 5(deg)zV Test that decryption properties can be used if the crypto factory is no longer alive r>r?rFr_TraN)rGr:rr rIrJrrrKrrcrXrirjrM) rOrr!r6r/r0rPrcrlrQs r%test_read_with_deleted_crypto_factoryr=s \ !D,@ /<W-!)$22 -/!/!J!J"2 ^^ @F;;4;0L   \ * ** *rc bU[- n[X1[[[[ U5upE[ R"[SS9S9nURXF5n[R"X7S9nURU5(de[R"XS9nURU5(deg)z>Write an encrypted parquet then read it back using read_table.r>r?rFr_N) rGr:rr rIrJrrKrrcrX read_tablerM) rOrr!r6r/r0rPrcrQs r!test_encrypted_parquet_read_tablerUs \ !D-A /<W-!)22 -/!/!J!J"2==XL   \ * ** *==CL   \ * ** *r)3rpdatetimerpyarrowrpyarrow.parquetparquetrXpyarrow.parquet.encryption encryptionr pyarrow.tests.parquet.encryptionrr ImportErrorrGrIrrJr markparquet_encryption pytestmarkfixturerr!r1r:rRrTr5rLrurzr|rrrrrrrrrrxfailrrrrrrrrr s"2 ++ 20    KK"" KK h h# # 1 1,+>+6")" "F61/A"A(G*!GHG(GB ;FI<:23C3CNCDCEC4/:+0+{ B BsD DD