This is an automated email from the ASF dual-hosted git repository.
alamb pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/arrow-rs.git
The following commit(s) were added to refs/heads/main by this push:
new 1dc9760123 Refactor DecryptionPropertiesBuilder (#7477)
1dc9760123 is described below
commit 1dc97601230814b8772bf598be9c7a880ffecde7
Author: Adam Reeve <[email protected]>
AuthorDate: Thu May 8 22:59:28 2025 +1200
Refactor DecryptionPropertiesBuilder (#7477)
---
parquet/src/encryption/decrypt.rs | 97 +++++++++++++++++++++++----------------
1 file changed, 58 insertions(+), 39 deletions(-)
diff --git a/parquet/src/encryption/decrypt.rs
b/parquet/src/encryption/decrypt.rs
index 2cb6cccc00..43b2bb493a 100644
--- a/parquet/src/encryption/decrypt.rs
+++ b/parquet/src/encryption/decrypt.rs
@@ -89,7 +89,7 @@ use std::sync::Arc;
///
/// // Create decryption properties for reading an encrypted file.
/// // Note that we don't need to specify which columns are encrypted,
-/// // this is determined by the file metadata and the required keys will be
retrieved
+/// // this is determined by the file metadata, and the required keys will be
retrieved
/// // dynamically using our key retriever.
/// let decryption_properties =
FileDecryptionProperties::with_key_retriever(key_retriever)
/// .build()?;
@@ -293,7 +293,7 @@ impl PartialEq for DecryptionKeys {
/// `FileDecryptionProperties` hold keys and AAD data required to decrypt a
Parquet file.
///
/// When reading Arrow data, the `FileDecryptionProperties` should be included
in the
-/// [`ArrowReaderOptions`](crate::arrow::arrow_reader::ArrowReaderOptions)
using
+/// [`ArrowReaderOptions`](crate::arrow::arrow_reader::ArrowReaderOptions)
using
///
[`with_file_decryption_properties`](crate::arrow::arrow_reader::ArrowReaderOptions::with_file_decryption_properties).
///
/// # Examples
@@ -343,8 +343,10 @@ impl FileDecryptionProperties {
/// Returns a new [`FileDecryptionProperties`] builder that uses a
[`KeyRetriever`]
/// to get decryption keys based on key metadata.
- pub fn with_key_retriever(key_retriever: Arc<dyn KeyRetriever>) ->
DecryptionPropertiesBuilder {
- DecryptionPropertiesBuilder::new_with_key_retriever(key_retriever)
+ pub fn with_key_retriever(
+ key_retriever: Arc<dyn KeyRetriever>,
+ ) -> DecryptionPropertiesBuilderWithRetriever {
+ DecryptionPropertiesBuilderWithRetriever::new(key_retriever)
}
/// AAD prefix string uniquely identifies the file and prevents file
swapping
@@ -417,8 +419,7 @@ impl std::fmt::Debug for FileDecryptionProperties {
///
/// See [`FileDecryptionProperties`] for example usage.
pub struct DecryptionPropertiesBuilder {
- footer_key: Option<Vec<u8>>,
- key_retriever: Option<Arc<dyn KeyRetriever>>,
+ footer_key: Vec<u8>,
column_keys: HashMap<String, Vec<u8>>,
aad_prefix: Option<Vec<u8>>,
footer_signature_verification: bool,
@@ -429,22 +430,7 @@ impl DecryptionPropertiesBuilder {
/// decrypt footer metadata.
pub fn new(footer_key: Vec<u8>) -> DecryptionPropertiesBuilder {
Self {
- footer_key: Some(footer_key),
- key_retriever: None,
- column_keys: HashMap::default(),
- aad_prefix: None,
- footer_signature_verification: true,
- }
- }
-
- /// Create a new [`DecryptionPropertiesBuilder`] by providing a
[`KeyRetriever`] that
- /// can be used to get decryption keys based on key metadata.
- pub fn new_with_key_retriever(
- key_retriever: Arc<dyn KeyRetriever>,
- ) -> DecryptionPropertiesBuilder {
- Self {
- footer_key: None,
- key_retriever: Some(key_retriever),
+ footer_key,
column_keys: HashMap::default(),
aad_prefix: None,
footer_signature_verification: true,
@@ -453,23 +439,10 @@ impl DecryptionPropertiesBuilder {
/// Finalize the builder and return created [`FileDecryptionProperties`]
pub fn build(self) -> Result<FileDecryptionProperties> {
- let keys = match (self.footer_key, self.key_retriever) {
- (Some(footer_key), None) =>
DecryptionKeys::Explicit(ExplicitDecryptionKeys {
- footer_key,
- column_keys: self.column_keys,
- }),
- (None, Some(key_retriever)) => {
- if !self.column_keys.is_empty() {
- return Err(general_err!(
- "Cannot specify column keys directly when using a key
retriever"
- ));
- }
- DecryptionKeys::ViaRetriever(key_retriever)
- }
- _ => {
- unreachable!()
- }
- };
+ let keys = DecryptionKeys::Explicit(ExplicitDecryptionKeys {
+ footer_key: self.footer_key,
+ column_keys: self.column_keys,
+ });
Ok(FileDecryptionProperties {
keys,
aad_prefix: self.aad_prefix,
@@ -515,6 +488,52 @@ impl DecryptionPropertiesBuilder {
}
}
+/// Builder for [`FileDecryptionProperties`] that uses a [`KeyRetriever`]
+///
+/// See the [`KeyRetriever`] documentation for example usage.
+pub struct DecryptionPropertiesBuilderWithRetriever {
+ key_retriever: Arc<dyn KeyRetriever>,
+ aad_prefix: Option<Vec<u8>>,
+ footer_signature_verification: bool,
+}
+
+impl DecryptionPropertiesBuilderWithRetriever {
+ /// Create a new [`DecryptionPropertiesBuilderWithRetriever`] by providing
a [`KeyRetriever`] that
+ /// can be used to get decryption keys based on key metadata.
+ pub fn new(key_retriever: Arc<dyn KeyRetriever>) ->
DecryptionPropertiesBuilderWithRetriever {
+ Self {
+ key_retriever,
+ aad_prefix: None,
+ footer_signature_verification: true,
+ }
+ }
+
+ /// Finalize the builder and return created [`FileDecryptionProperties`]
+ pub fn build(self) -> Result<FileDecryptionProperties> {
+ let keys = DecryptionKeys::ViaRetriever(self.key_retriever);
+ Ok(FileDecryptionProperties {
+ keys,
+ aad_prefix: self.aad_prefix,
+ footer_signature_verification: self.footer_signature_verification,
+ })
+ }
+
+ /// Specify the expected AAD prefix to be used for decryption.
+ /// This must be set if the file was written with an AAD prefix and the
+ /// prefix is not stored in the file metadata.
+ pub fn with_aad_prefix(mut self, value: Vec<u8>) -> Self {
+ self.aad_prefix = Some(value);
+ self
+ }
+
+ /// Disable verification of footer tags for files that use plaintext
footers.
+ /// Signature verification is enabled by default.
+ pub fn disable_footer_signature_verification(mut self) -> Self {
+ self.footer_signature_verification = false;
+ self
+ }
+}
+
#[derive(Clone, Debug)]
pub(crate) struct FileDecryptor {
decryption_properties: FileDecryptionProperties,
