+\h9dZddlmZddlmZmZmZmZddlm Z  ddl Z ddl m Z dZ dd lmZdd lmZdd lmZerdd lmZdd lmZmZGddZGddZy#e$rdZ Y@wxYw)zSupport for automatic client-side field level encryption. .. seealso:: This module is compatible with both the synchronous and asynchronous PyMongo APIs. ) annotations) TYPE_CHECKINGAnyMappingOptional)_parse_kms_tls_optionsN) synchronousTF)int64)validate_is_mapping)ConfigurationError) SSLContext)_AgnosticMongoClient_DocumentTypeArgczeZdZdZ d ddZddZy)AutoEncryptionOptszBOptions to configure automatic client-side field level encryption.Ncts td|r td|||_| |_| |_||_||_||_||_ ||_ ||_ ||_ ||_ | dg} | |_t|jt s!t#dt%|jt'd|jDs|jj)d| |_d|_d|_| |_||_y)a Options to configure automatic client-side field level encryption. Automatic client-side field level encryption requires MongoDB >=4.2 enterprise or a MongoDB >=4.2 Atlas cluster. Automatic encryption is not supported for operations on a database or view and will result in error. Although automatic encryption requires MongoDB >=4.2 enterprise or a MongoDB >=4.2 Atlas cluster, automatic *decryption* is supported for all users. To configure automatic *decryption* without automatic *encryption* set ``bypass_auto_encryption=True``. Explicit encryption and explicit decryption is also supported for all users with the :class:`~pymongo.asynchronous.encryption.AsyncClientEncryption` and :class:`~pymongo.encryption.ClientEncryption` classes. See :ref:`automatic-client-side-encryption` for an example. :param kms_providers: Map of KMS provider options. The `kms_providers` map values differ by provider: - `aws`: Map with "accessKeyId" and "secretAccessKey" as strings. These are the AWS access key ID and AWS secret access key used to generate KMS messages. An optional "sessionToken" may be included to support temporary AWS credentials. - `azure`: Map with "tenantId", "clientId", and "clientSecret" as strings. Additionally, "identityPlatformEndpoint" may also be specified as a string (defaults to 'login.microsoftonline.com'). These are the Azure Active Directory credentials used to generate Azure Key Vault messages. - `gcp`: Map with "email" as a string and "privateKey" as `bytes` or a base64 encoded string. Additionally, "endpoint" may also be specified as a string (defaults to 'oauth2.googleapis.com'). These are the credentials used to generate Google Cloud KMS messages. - `kmip`: Map with "endpoint" as a host with required port. For example: ``{"endpoint": "example.com:443"}``. - `local`: Map with "key" as `bytes` (96 bytes in length) or a base64 encoded string which decodes to 96 bytes. "key" is the master key used to encrypt/decrypt data keys. This key should be generated and stored as securely as possible. KMS providers may be specified with an optional name suffix separated by a colon, for example "kmip:name" or "aws:name". Named KMS providers do not support :ref:`CSFLE on-demand credentials`. Named KMS providers enables more than one of each KMS provider type to be configured. For example, to configure multiple local KMS providers:: kms_providers = { "local": {"key": local_kek1}, # Unnamed KMS provider. "local:myname": {"key": local_kek2}, # Named KMS provider with name "myname". } :param key_vault_namespace: The namespace for the key vault collection. The key vault collection contains all data keys used for encryption and decryption. Data keys are stored as documents in this MongoDB collection. Data keys are protected with encryption by a KMS provider. :param key_vault_client: By default, the key vault collection is assumed to reside in the same MongoDB cluster as the encrypted AsyncMongoClient/MongoClient. Use this option to route data key queries to a separate MongoDB cluster. :param schema_map: Map of collection namespace ("db.coll") to JSON Schema. By default, a collection's JSONSchema is periodically polled with the listCollections command. But a JSONSchema may be specified locally with the schemaMap option. **Supplying a `schema_map` provides more security than relying on JSON Schemas obtained from the server. It protects against a malicious server advertising a false JSON Schema, which could trick the client into sending unencrypted data that should be encrypted.** Schemas supplied in the schemaMap only apply to configuring automatic encryption for client side encryption. Other validation rules in the JSON schema will not be enforced by the driver and will result in an error. :param bypass_auto_encryption: If ``True``, automatic encryption will be disabled but automatic decryption will still be enabled. Defaults to ``False``. :param mongocryptd_uri: The MongoDB URI used to connect to the *local* mongocryptd process. Defaults to ``'mongodb://localhost:27020'``. :param mongocryptd_bypass_spawn: If ``True``, the encrypted AsyncMongoClient/MongoClient will not attempt to spawn the mongocryptd process. Defaults to ``False``. :param mongocryptd_spawn_path: Used for spawning the mongocryptd process. Defaults to ``'mongocryptd'`` and spawns mongocryptd from the system path. :param mongocryptd_spawn_args: A list of string arguments to use when spawning the mongocryptd process. Defaults to ``['--idleShutdownTimeoutSecs=60']``. If the list does not include the ``idleShutdownTimeoutSecs`` option then ``'--idleShutdownTimeoutSecs=60'`` will be added. :param kms_tls_options: A map of KMS provider names to TLS options to use when creating secure connections to KMS providers. Accepts the same TLS options as :class:`pymongo.mongo_client.AsyncMongoClient` and :class:`pymongo.mongo_client.MongoClient`. For example, to override the system default CA file:: kms_tls_options={'kmip': {'tlsCAFile': certifi.where()}} Or to supply a client certificate:: kms_tls_options={'kmip': {'tlsCertificateKeyFile': 'client.pem'}} :param crypt_shared_lib_path: Override the path to load the crypt_shared library. :param crypt_shared_lib_required: If True, raise an error if libmongocrypt is unable to load the crypt_shared library. :param bypass_query_analysis: If ``True``, disable automatic analysis of outgoing commands. Set `bypass_query_analysis` to use explicit encryption on indexed fields without the MongoDB Enterprise Advanced licensed crypt_shared library. :param encrypted_fields_map: Map of collection namespace ("db.coll") to documents that described the encrypted fields for Queryable Encryption. For example:: { "db.encryptedCollection": { "escCollection": "enxcol_.encryptedCollection.esc", "ecocCollection": "enxcol_.encryptedCollection.ecoc", "fields": [ { "path": "firstName", "keyId": Binary.from_uuid(UUID('00000000-0000-0000-0000-000000000000')), "bsonType": "string", "queries": {"queryType": "equality"} }, { "path": "ssn", "keyId": Binary.from_uuid(UUID('04104104-1041-0410-4104-104104104104')), "bsonType": "string" } ] } } :param key_expiration_ms: The cache expiration time for data encryption keys. Defaults to ``None`` which defers to libmongocrypt's default which is currently 60000. Set to 0 to disable key expiration. .. versionchanged:: 4.12 Added the `key_expiration_ms` parameter. .. versionchanged:: 4.2 Added the `encrypted_fields_map`, `crypt_shared_lib_path`, `crypt_shared_lib_required`, and `bypass_query_analysis` parameters. .. versionchanged:: 4.0 Added the `kms_tls_options` parameter and the "kmip" KMS provider. .. versionadded:: 3.9 zclient side encryption requires the pymongocrypt library: install a compatible version with: python -m pip install 'pymongo[encryption]'encrypted_fields_mapNz--idleShutdownTimeoutSecs=60z+mongocryptd_spawn_args must be a list, not c3$K|]}d|v yw)idleShutdownTimeoutSecsN).0ss ]/root/niggaflix-v3/playground/venv/lib/python3.12/site-packages/pymongo/encryption_options.py z.AutoEncryptionOpts.__init__..sXa,1Xs)_HAVE_PYMONGOCRYPTr r _encrypted_fields_map_crypt_shared_lib_path_crypt_shared_lib_required_kms_providers_key_vault_namespace_key_vault_client _schema_map_bypass_auto_encryption_mongocryptd_uri_mongocryptd_bypass_spawn_mongocryptd_spawn_path_mongocryptd_spawn_args isinstancelist TypeErrortypeanyappend_kms_tls_options_sync_kms_ssl_contexts_async_kms_ssl_contexts_bypass_query_analysis_key_expiration_ms)self kms_providerskey_vault_namespacekey_vault_client schema_mapbypass_auto_encryptionmongocryptd_urimongocryptd_bypass_spawnmongocryptd_spawn_pathmongocryptd_spawn_argskms_tls_optionscrypt_shared_lib_pathcrypt_shared_lib_requiredbypass_query_analysisrkey_expiration_mss r__init__zAutoEncryptionOpts.__init__.s L"$>   68L M%9"&;#*C'+$7!!1%'=$ /)A&'=$ ! )&D%E "'=$$66==d4C_C_>`=ab X4;W;WXX  ( ( / /0N O /GK#HL$&;#"3c|r3|jt|jd|_|jS|jt|jd|_|jS)NTF)r/rr.r0)r3is_syncs r_kms_ssl_contextsz$AutoEncryptionOpts._kms_ssl_contextssa **2.DTEZEZ\`.a+.. .++3/EdF[F[]b/c,// /rC) NNFzmongodb://localhost:27020F mongocryptdNNNFFNN) r4zMapping[str, Any]r5strr6z0Optional[_AgnosticMongoClient[_DocumentTypeArg]]r7Optional[Mapping[str, Any]]r8boolr9rHr:rJr;rHr<zOptional[list[str]]r=rIr>z Optional[str]r?rJr@rJrrIrA Optional[int]returnNone)rErJrLzdict[str, SSLContext])__name__ __module__ __qualname____doc__rBrFrrCrrr+sL NR26',:).&36:7;/3*/&+<@+/!G4(G4!G4K G4 0 G4 !% G4G4#'G4!$G4!4G45G4 -G4$(G4 $G4:G4 )!G4" #G4R0rCrcLeZdZdZ d ddZeddZy) RangeOptszAOptions to configure encrypted queries using the range algorithm.NcJ||_||_||_||_||_y)aOptions to configure encrypted queries using the range algorithm. :param sparsity: An integer. :param trim_factor: An integer. :param min: A BSON scalar value corresponding to the type being queried. :param max: A BSON scalar value corresponding to the type being queried. :param precision: An integer, may only be set for double or decimal128 types. .. versionadded:: 4.4 N)minmaxsparsity trim_factor precision)r3rWrXrUrVrYs rrBzRangeOpts.__init__s($  &"rCci}d|jrtj|jndfd|jfd|jfd|j fd|j ffD] \}}| |||<|S)NrW trimFactorrYrUrV)rWr Int64rXrYrUrV)r3dockvs rdocumentzRangeOpts.documents t}}T]]3$ O 4++ , $.. ) DHH  DHH    DAq}A  rC)NNNNN) rWrKrXrKrU Optional[Any]rVrarYrKrLrM)rLzdict[str, Any])rNrOrPrQrBpropertyr`rrCrrSrSsiK#'%)!!#' #### #  # ! # #0  rCrS)rQ __future__rtypingrrrrpymongo.uri_parser_sharedr pymongocryptr _r ImportErrorbsonr pymongo.commonr pymongo.errorsr pymongo.pyopenssl_contextr pymongo.typingsrrrrSrrCrrnsn#88<..-4FT0T0n''Es AA)(A)