Re: [PR] GH-47435: [Python][Parquet] Add direct key encryption/decryption API [arrow]

via GitHub Thu, 07 May 2026 17:02:13 -0700


smaheshwar-pltr commented on code in PR #49667:
URL: https://github.com/apache/arrow/pull/49667#discussion_r3205345771



##########
python/pyarrow/tests/parquet/test_encryption.py:
##########
@@ -722,3 +722,204 @@ def test_encrypted_parquet_read_table(tempdir, 
data_table, basic_encryption_conf
     result_table = pq.read_table(
         tempdir, decryption_properties=file_decryption_properties)
     assert data_table.equals(result_table)
+
+
+class TestDirectKeyEncryption:
+    """Tests for create_encryption_properties / 
create_decryption_properties."""
+
+    KEY_128 = b"0123456789abcdef"
+    KEY_192 = b"0123456789abcdef01234567"
+    KEY_256 = b"0123456789abcdef0123456789abcdef"
+    AAD_PREFIX = b"test_aad_prefix"
+
+    @pytest.mark.parametrize("key", [
+        b"0123456789abcdef",
+        b"0123456789abcdef01234567",
+        b"0123456789abcdef0123456789abcdef",

Review Comment:
   Thank you, addressed in 
https://github.com/apache/arrow/pull/49667/commits/640b66cf96cb7e3d397c406411bbab89a14ef03a
 (I also lifted to module scope to match the other constants)



##########
python/pyarrow/tests/parquet/test_encryption.py:
##########
@@ -722,3 +722,204 @@ def test_encrypted_parquet_read_table(tempdir, 
data_table, basic_encryption_conf
     result_table = pq.read_table(
         tempdir, decryption_properties=file_decryption_properties)
     assert data_table.equals(result_table)
+
+
+class TestDirectKeyEncryption:
+    """Tests for create_encryption_properties / 
create_decryption_properties."""
+
+    KEY_128 = b"0123456789abcdef"
+    KEY_192 = b"0123456789abcdef01234567"
+    KEY_256 = b"0123456789abcdef0123456789abcdef"
+    AAD_PREFIX = b"test_aad_prefix"
+
+    @pytest.mark.parametrize("key", [
+        b"0123456789abcdef",
+        b"0123456789abcdef01234567",
+        b"0123456789abcdef0123456789abcdef",
+    ], ids=["aes128", "aes192", "aes256"])
+    def test_roundtrip_key_sizes(self, tempdir, data_table, key):
+        path = tempdir / f"direct_{len(key) * 8}.parquet"
+
+        enc_props = pe.create_encryption_properties(footer_key=key)
+        pq.write_table(data_table, path, encryption_properties=enc_props)
+
+        dec_props = pe.create_decryption_properties(footer_key=key)
+        result = pq.read_table(path, decryption_properties=dec_props)
+        assert data_table.equals(result)
+
+    def test_roundtrip_with_aad_prefix(self, tempdir, data_table):
+        path = tempdir / "direct_aad.parquet"
+
+        enc_props = pe.create_encryption_properties(
+            footer_key=self.KEY_128,
+            aad_prefix=self.AAD_PREFIX,
+        )
+        pq.write_table(data_table, path, encryption_properties=enc_props)
+
+        dec_props = pe.create_decryption_properties(
+            footer_key=self.KEY_128,
+            aad_prefix=self.AAD_PREFIX,
+        )
+        result = pq.read_table(path, decryption_properties=dec_props)
+        assert data_table.equals(result)
+
+    def test_roundtrip_aad_prefix_not_stored(self, tempdir, data_table):
+        """When store_aad_prefix=False, reader must supply aad_prefix."""
+        path = tempdir / "direct_aad_not_stored.parquet"
+
+        enc_props = pe.create_encryption_properties(
+            footer_key=self.KEY_128,
+            aad_prefix=self.AAD_PREFIX,
+            store_aad_prefix=False,
+        )
+        pq.write_table(data_table, path, encryption_properties=enc_props)
+
+        # Reading without aad_prefix should fail
+        dec_props_no_aad = pe.create_decryption_properties(
+            footer_key=self.KEY_128,
+        )
+        with pytest.raises(IOError):

Review Comment:
     Thank you, addressed in 
https://github.com/apache/arrow/pull/49667/commits/640b66cf96cb7e3d397c406411bbab89a14ef03a.



##########
python/pyarrow/tests/parquet/test_encryption.py:
##########
@@ -722,3 +722,204 @@ def test_encrypted_parquet_read_table(tempdir, 
data_table, basic_encryption_conf
     result_table = pq.read_table(
         tempdir, decryption_properties=file_decryption_properties)
     assert data_table.equals(result_table)
+
+
+class TestDirectKeyEncryption:
+    """Tests for create_encryption_properties / 
create_decryption_properties."""
+
+    KEY_128 = b"0123456789abcdef"
+    KEY_192 = b"0123456789abcdef01234567"
+    KEY_256 = b"0123456789abcdef0123456789abcdef"
+    AAD_PREFIX = b"test_aad_prefix"
+
+    @pytest.mark.parametrize("key", [
+        b"0123456789abcdef",
+        b"0123456789abcdef01234567",
+        b"0123456789abcdef0123456789abcdef",
+    ], ids=["aes128", "aes192", "aes256"])
+    def test_roundtrip_key_sizes(self, tempdir, data_table, key):
+        path = tempdir / f"direct_{len(key) * 8}.parquet"
+
+        enc_props = pe.create_encryption_properties(footer_key=key)
+        pq.write_table(data_table, path, encryption_properties=enc_props)
+
+        dec_props = pe.create_decryption_properties(footer_key=key)
+        result = pq.read_table(path, decryption_properties=dec_props)
+        assert data_table.equals(result)
+
+    def test_roundtrip_with_aad_prefix(self, tempdir, data_table):
+        path = tempdir / "direct_aad.parquet"
+
+        enc_props = pe.create_encryption_properties(
+            footer_key=self.KEY_128,
+            aad_prefix=self.AAD_PREFIX,
+        )
+        pq.write_table(data_table, path, encryption_properties=enc_props)
+
+        dec_props = pe.create_decryption_properties(
+            footer_key=self.KEY_128,
+            aad_prefix=self.AAD_PREFIX,
+        )
+        result = pq.read_table(path, decryption_properties=dec_props)
+        assert data_table.equals(result)
+
+    def test_roundtrip_aad_prefix_not_stored(self, tempdir, data_table):
+        """When store_aad_prefix=False, reader must supply aad_prefix."""
+        path = tempdir / "direct_aad_not_stored.parquet"
+
+        enc_props = pe.create_encryption_properties(
+            footer_key=self.KEY_128,
+            aad_prefix=self.AAD_PREFIX,
+            store_aad_prefix=False,
+        )
+        pq.write_table(data_table, path, encryption_properties=enc_props)
+
+        # Reading without aad_prefix should fail
+        dec_props_no_aad = pe.create_decryption_properties(
+            footer_key=self.KEY_128,
+        )
+        with pytest.raises(IOError):
+            pq.read_table(path, decryption_properties=dec_props_no_aad)
+
+        # Reading with correct aad_prefix should succeed
+        dec_props = pe.create_decryption_properties(
+            footer_key=self.KEY_128,
+            aad_prefix=self.AAD_PREFIX,
+        )
+        result = pq.read_table(path, decryption_properties=dec_props)
+        assert data_table.equals(result)
+
+    def test_wrong_aad_prefix_fails(self, tempdir, data_table):
+        path = tempdir / "direct_wrong_aad.parquet"
+
+        enc_props = pe.create_encryption_properties(
+            footer_key=self.KEY_128,
+            aad_prefix=self.AAD_PREFIX,
+        )
+        pq.write_table(data_table, path, encryption_properties=enc_props)
+
+        dec_props = pe.create_decryption_properties(
+            footer_key=self.KEY_128,
+            aad_prefix=b"wrong_prefix",
+        )
+        with pytest.raises(IOError):

Review Comment:
     Thank you, addressed in 
https://github.com/apache/arrow/pull/49667/commits/640b66cf96cb7e3d397c406411bbab89a14ef03a.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Re: [PR] GH-47435: [Python][Parquet] Add direct key encryption/decryption API [arrow]

Reply via email to