+\hxUdZddlmZddlZddlZddlZddlZddlZddlZddl m Z ddl m Z m Z mZmZmZmZmZmZmZmZmZmZ ddlmZddlmZddlmZdd lmZdd l m!Z!d Z"dd l%m&Z&m'Z'm(Z(ddl)m*Z*m+Z+m,Z,ddl-m.Z.ddl/m0Z0ddl1m2Z2m3Z3m4Z4ddl5m6Z6ddl7m8Z8ddl9m:Z:ddl;mm?Z?m@Z@mAZAmBZBmCZCmDZDddlEmFZFddlGmHZHddlImJZJddlKmLZLddlMmNZNmOZOddlPmQZQddlRmSZSmTZTddlUmVZVmWZWddlXmYZYdd lZm[Z[dd!l\m]Z]dd"l^m_Z_dd#l`maZambZbdd$lcmdZdmeZedd%lfmgZge rdd&lmhZhdd'limjZjdd(l`mkZkd Zld)Zme8Znd*Zoe.eepe fe*+Zqd,erd-<e.e3.Zsd>d/Ztejd?d0ZvGd1d2e!ZwGd3d4ZxGd5d6ZyGd7d8epejZ{Gd9d:epejZ|d@d;Z}Gd<d=eeaZ~y#e#$rd Z"e$Z!YrwxYw)Az8Support for explicit client-side field level encryption.) annotationsN)deepcopy) TYPE_CHECKINGAnyDict GeneratorGenericIteratorMappingMutableMappingOptionalSequenceUnioncast)MongoCryptError)MongoCryptOptions) AutoEncrypter)ExplicitEncrypter)MongoCryptCallbackTF) _dict_to_bsondecodeencode)STANDARD UUID_SUBTYPEBinary) CodecOptions) BSONError)DEFAULT_RAW_BSON_OPTIONSRawBSONDocument _inflate_bson)_csot)CONNECT_TIMEOUT) _spawn_daemon)AutoEncryptionOpts RangeOpts)ConfigurationErrorEncryptedCollectionErrorEncryptionErrorInvalidOperationNetworkTimeoutServerSelectionTimeoutError)_get_timeout_details)sendall) UpdateOne) PoolOptions)_configured_socket_raise_connection_failure) ReadConcern)BulkWriteResult DeleteResult)BLOCKING_IO_ERRORSget_ssl_context) Collection)Cursor)Database) MongoClient) _DocumentType_DocumentTypeArg)_parse_kms_tls_options parse_host) WriteConcern)MongoCryptKmsContext)_sslConn)_Addressii')document_classuuid_representationzCodecOptions[dict[str, Any]]_DATA_KEY_OPTS)rCcv t||S#t$r!}t||t|Yd}~yd}~wwxYw)N)timeout_details)r0 Exceptionr1r,)addressoptsexcs a/root/niggaflix-v3/playground/venv/lib/python3.12/site-packages/pymongo/synchronous/encryption.py _connect_kmsrMqs=\!'400 \!'3@TUY@Z[[\s  838c#bK dy#t$rt$r}t||d}~wwxYww)z2Context manager to wrap encryption related errors.N)rrHr()rKs rL_wrap_encryption_errorsrOxs7,   ,c"+,s/ /, ',/cdeZdZ d dZd dZd dZddZddZddZddZ ddZ dd Z y ) _EncryptionIOc :||tj||_nd|_ttt |j ttdtd|_ ||_ ||_ d|_ |jt|_y)z8Internal class to perform I/O on behalf of pymongocrypt.Nmajority)level)w) codec_options read_concern write_concernF)weakrefref client_refrr7r with_options_KEY_VAULT_OPTSr2r?key_vault_collmongocryptd_clientrJ_spawned_kms_ssl_contexts_IS_SYNC)selfclientr^r_rJs rL__init__z_EncryptionIO.__init__s  %kk&1DO"DOEI  '  ' '-(z:*Z8 ( F #5  !%!7!7!Ac b|j}|j}|j}|jj |}|t dddddddt }ttjtd}t|||}t|t}|j} | r#t| dz } t!j"|  t%||} t'| ||j(dkDr| j+ttjtdt r| j-|j(} nddlm} | | |j(} | s t3d|j5| |j(dkDr| jGy#t6$rt8$r\}t;|t<rt?j@d }t;|t2rd}nd}tC|||tE| Yd}~zd}~wwxYw#| jGwxYw#t6$rt8$rw}tjH}t;|tJs||dkr |jMn/#t6$r#}t7|d ||jN}||d}~wwxYwYd}~yd}~wwxYw) zuComplete a KMS request. :param kms_context: A :class:`MongoCryptKmsContext`. :return: None NFgMbP?)connect_timeoutsocket_timeout ssl_contextg.Ar)receive_data_socketzKMS connection closedz timed out) msg_prefixrGz, last attempt failed with: )(endpointmessage kms_providerragetr6rbmaxr!clamp_remaining_KMS_CONNECT_TIMEOUTr/r> _HTTPS_PORTusleepfloattimesleeprMr- bytes_needed settimeoutrecvpymongo.network_layerrkOSErrorfeedrrH isinstancer5sockettimeoutr1r,close remainingr*failcode)rc kms_contextrmrnproviderctxrhrJrIsleep_u sleep_secconndatarkrKrlr final_errs rL kms_requestz_EncryptionIO.kms_requests~''%%++$$((2 ;" Ce334HI5Q+*  X{3$$ g,I JJy !/ ).D g&!..2OOC(=(=>R(SUV$WX#yy)A)AB 349Q9QR%&=>>$$T*"..2: #  c#56 ..5Cc7+!8J!%J)SZI]^bIc     ))I#~.93HYZ[^ )  "" )% k!=cUCY^^y(  )# )st H%B5FH%H 1AHHH  HH""H%%J.7,J)$I54J)5 J!>JJ!!J))J.c |j|jt|5}|Dcgc]}t|dtc}cdddScc}w#1swYyxYw)apGet the collection info for a namespace. The returned collection info is passed to libmongocrypt which reads the JSON schema. :param database: The database on which to run listCollections. :param filter: The filter to pass to listCollections. :return: All documents from the listCollections command response as BSON. )filterFN)r[list_collectionsrrrE)rcdatabasercursordocs rLcollection_infoz_EncryptionIO.collection_infosc__ x ( 9 9QWAX 9 Y Q]cIOP#M#un=P Q QP Q QsAA AAA$cd|_|jjxsdg}|j|jjt |y)z~Spawn mongocryptd. Note this method is thread safe; at most one mongocryptd will start successfully. T mongocryptdN)r`rJ_mongocryptd_spawn_pathextend_mongocryptd_spawn_argsr#)rcargss rLspawnz_EncryptionIO.spawns@   11B]C DII556drfc|js&|jjs|jt |t }|j J |j |j|t }|jS#t$rY|jjr|j|j |j|t }Y|jSwxYw)zMark a command for encryption. :param database: The database on which to run this command. :param cmd: The BSON command to run. :return: The marked command response from mongocryptd. rV) r`rJ_mongocryptd_bypass_spawnrr rr_commandr+raw)rcrcmd inflated_cmdress rL mark_commandz_EncryptionIO.mark_commands}}TYY%H%H JJL%S*BC &&222 ))(3;;,D<Cww+ yy22 JJL))(3;;,D<Cww s$BAC$#C$c#K|jJ|jjt|5}|D]}|j dddy#1swYyxYww)zYields one or more keys from the key vault. :param filter: The filter to pass to find. :return: A generator which yields the requested keys from the key vault. N)r^findrr)rcrrkeys rL fetch_keysz_EncryptionIO.fetch_keys*sa""...  % %of&= > & gg     s3A!A A!AA!ct|t}|jd}t|tr|j t k7rtdt||jJ|jj||S)zInsert a data key into the key vault. :param data_key: The data key document to insert. :return: The _id of the inserted data key document. _idz5data_key _id must be Binary with a UUID subtype, not ) rr]rprrsubtyper TypeErrortyper^ insert_one)rcdata_keyraw_doc data_key_ids rLinsert_data_keyz_EncryptionIO.insert_data_key6s"(O<kk%( +v.+2E2E2UG[HYGZ[ ""... &&w/rfct|S)zEncode a document to BSON. A document can be any mapping type (like :class:`dict`). :param doc: mapping type representing a document :return: The encoded BSON bytes. )r)rcrs rL bson_encodez_EncryptionIO.bson_encodeHsc{rfc|d|_d|_|jr"|jjd|_yy)zjRelease resources. Note it is not safe to call this method from __del__ or any GC hooks. N)r[r^r_rrcs rLrz_EncryptionIO.closeSs; "  " "  # # ) ) +&*D # #rfN)rd'Optional[MongoClient[_DocumentTypeArg]]r^zCollection[_DocumentTypeArg]r_rrJr$)rr@returnNone)rstrrbytesrzOptional[list[bytes]]rr)rrrrrr)rrrzGenerator[bytes, None])rrrr)rzMutableMapping[str, Any]rr) __name__ __module__ __qualname__rerrrrrrrrrfrLrQrQs^B7B5BD B ! B6S)j Q 6 $  +rfrQc4eZdZdZdddZeddZd dZy) RewrapManyDataKeyResultzuResult object returned by a :meth:`~ClientEncryption.rewrap_many_data_key` operation. .. versionadded:: 4.2 Nc||_yN_bulk_write_result)rcbulk_write_results rLrez RewrapManyDataKeyResult.__init__es "3rfc|jS)aDThe result of the bulk write operation used to update the key vault collection with one or more rewrapped data keys. If :meth:`~ClientEncryption.rewrap_many_data_key` does not find any matching keys to rewrap, no bulk write operation will be executed and this field will be ``None``. rrs rLrz)RewrapManyDataKeyResult.bulk_write_resulths&&&rfcN|jjd|jdS)N()) __class__rrrs rL__repr__z RewrapManyDataKeyResult.__repr__rs'..))*!D,C,C+FaHHrfr)rOptional[BulkWriteResult]rr)rr)rr)rrr__doc__repropertyrrrrfrLrr_s& 4''IrfrcHeZdZdZddZ d dZd dZd dZd dZy) _EncrypterzEncrypts and decrypts MongoDB commands. This class is used to support automatic encryption and decryption of MongoDB commands. c |jd}nt|jdt}|jd}nt|jdt}|j|_d|_|j t dd}|j |j}n |||}|jrd}n |||}|jjdd\}} ||| } t|jdt} t|| | |} t| t!|j"||j$|j&|j||j(|j*|_d|_y) zCreate a _Encrypter for a client. :param client: The encrypted MongoClient. :param opts: The encrypted client's :class:`AutoEncryptionOpts`. NFc|jjj|S|j |jS|j dd}||_|S)Nr) minPoolSizeauto_encryption_opts)options pool_options max_pool_size_internal_client _duplicate) encrypter mongo_clientinternal_clients rL_get_internal_clientz1_Encrypter.__init__.._get_internal_clients^##00>>F##))5 111*55!Z^5_O)8I &" "rf.)connectserverSelectionTimeoutMS) kms_providers schema_mapcrypt_shared_lib_pathcrypt_shared_lib_requiredbypass_encryptionencrypted_fields_mapbypass_query_analysiskey_expiration_ms)rrrMongoClient[_DocumentTypeArg]rr) _schema_maprrE_encrypted_fields_map_bypass_auto_encryptionrrarb_key_vault_client_key_vault_namespacesplitr:_mongocryptd_uri_MONGOCRYPTD_TIMEOUT_MSrQr_create_mongocrypt_options_kms_providers_crypt_shared_lib_path_crypt_shared_lib_required_bypass_query_analysis_key_expiration_ms_auto_encrypter_closed) rcrdrJrrrkey_vault_clientmetadata_clientdbcollr^r_ io_callbackss rLrez_Encrypter.__init__}s    #J&t'7'7OJ  % % -#' #01K1KUTb#c '+'C'C$ $ x( #! #1N # * #  ! ! -#55 3D&A   ' '"O24@O,,223:D)"-d3=H  ! !5Kb> %      -  &"11%&*&A&A*.*I*I"&">">%9&*&A&A"&"9"9   rfc|jt|d|}t5|jj ||}t |t cdddS#1swYyxYw)aEncrypt a MongoDB command. :param database: The database for this command. :param cmd: A command document. :param codec_options: The CodecOptions to use while encoding `cmd`. :return: The encrypted command to execute. FN) _check_closedrrOrencryptr r)rcrrrV encoded_cmd encrypted_cmds rLrz_Encrypter.encrypts` #C > $ & J 0088;OM 0HI J J Js ,AA'c|jt5tt|jj |cdddS#1swYyxYw)zDecrypt a MongoDB command response. :param response: A MongoDB command response as BSON. :return: The decrypted command response. N)rrOrrrdecrypt)rcresponses rLr z_Encrypter.decryptsJ  $ & Gt33;;HEF G G Gs )AAc2|jr tdy)Nz"Cannot use MongoClient after close)rr)rs rLrz_Encrypter._check_closeds <<"#GH H rfcd|_|jj|jr"|jjd|_yy)zCleanup resources.TN)rrrrrs rLrz_Encrypter.closesC  ""$   ! ! ' ' )$(D ! !rfN)rdrrJr$)rrrMapping[str, Any]rVCodecOptions[_DocumentTypeArg]rzdict[str, Any])r rrOptional[bytes]r) rrrrrerr rrrrfrLrrvsI ENJJ"3JDbJ J$ GI)rfrc2eZdZdZdZ dZ dZ dZ dZ dZ y) Algorithmz9An enum that defines the supported encryption algorithms.z+AEAD_AES_256_CBC_HMAC_SHA_512-Deterministicz$AEAD_AES_256_CBC_HMAC_SHA_512-RandomIndexed UnindexedRange RangePreviewN) rrrr+AEAD_AES_256_CBC_HMAC_SHA_512_Deterministic$AEAD_AES_256_CBC_HMAC_SHA_512_RandomINDEXED UNINDEXEDRANGE RANGEPREVIEWrrfrLrrsEC2_/6+Q(/GI E"Lrfrc eZdZdZdZ dZ dZy) QueryTypezmAn enum that defines the supported values for explicit encryption query_type. .. versionadded:: 4.2 equalityrangerN)rrrrEQUALITYrrrrfrLrr s' H8 E "Lrfrc f|jd|jddtdi|ddiS)Nrenable_multiple_collinfoTr)rppopr)kwargss rLrr%s4 zz%&. &-  Ev E EErfceZdZdZ d ddZ d ddZ d ddZ d ddZ d ddZ d ddZ dd Z d d Z d!d Z d"d Z d#d Zd$dZd%dZ d d&dZd'dZd(dZd)dZd)dZy)*ClientEncryptionz,Explicit client-side field level encryption.Ncts tdt|tst dt |t|t sFtdt |jDs!t dt |j||_ ||_ ||_ ||_ |jdd\}}|||} t||||} t!| j"t$|_t)d| d| |_t-|j*t/|d| |_|j*j2J|j*j2|_y) aExplicit client-side field level encryption. The ClientEncryption class encapsulates explicit operations on a key vault collection that cannot be done directly on a MongoClient. Similar to configuring auto encryption on a MongoClient, it is constructed with a MongoClient (to a MongoDB cluster containing the key vault collection), KMS provider configuration, and keyVaultNamespace. It provides an API for explicitly encrypting and decrypting values, and creating data keys. It does not provide an API to query keys from the key vault collection, as this can be done directly on the MongoClient. See :ref:`explicit-client-side-encryption` for an example. :param kms_providers: Map of KMS provider options. The `kms_providers` map values differ by provider: - `aws`: Map with "accessKeyId" and "secretAccessKey" as strings. These are the AWS access key ID and AWS secret access key used to generate KMS messages. An optional "sessionToken" may be included to support temporary AWS credentials. - `azure`: Map with "tenantId", "clientId", and "clientSecret" as strings. Additionally, "identityPlatformEndpoint" may also be specified as a string (defaults to 'login.microsoftonline.com'). These are the Azure Active Directory credentials used to generate Azure Key Vault messages. - `gcp`: Map with "email" as a string and "privateKey" as `bytes` or a base64 encoded string. Additionally, "endpoint" may also be specified as a string (defaults to 'oauth2.googleapis.com'). These are the credentials used to generate Google Cloud KMS messages. - `kmip`: Map with "endpoint" as a host with required port. For example: ``{"endpoint": "example.com:443"}``. - `local`: Map with "key" as `bytes` (96 bytes in length) or a base64 encoded string which decodes to 96 bytes. "key" is the master key used to encrypt/decrypt data keys. This key should be generated and stored as securely as possible. KMS providers may be specified with an optional name suffix separated by a colon, for example "kmip:name" or "aws:name". Named KMS providers do not support :ref:`CSFLE on-demand credentials`. :param key_vault_namespace: The namespace for the key vault collection. The key vault collection contains all data keys used for encryption and decryption. Data keys are stored as documents in this MongoDB collection. Data keys are protected with encryption by a KMS provider. :param key_vault_client: A MongoClient connected to a MongoDB cluster containing the `key_vault_namespace` collection. :param codec_options: An instance of :class:`~bson.codec_options.CodecOptions` to use when encoding a value for encryption and decoding the decrypted BSON value. This should be the same CodecOptions instance configured on the MongoClient, Database, or Collection used to access application data. :param kms_tls_options: A map of KMS provider names to TLS options to use when creating secure connections to KMS providers. Accepts the same TLS options as :class:`pymongo.mongo_client.MongoClient`. For example, to override the system default CA file:: kms_tls_options={'kmip': {'tlsCAFile': certifi.where()}} Or to supply a client certificate:: kms_tls_options={'kmip': {'tlsCertificateKeyFile': 'client.pem'}} :param key_expiration_ms: The cache expiration time for data encryption keys. Defaults to ``None`` which defers to libmongocrypt's default which is currently 60000. Set to 0 to disable key expiration. .. versionchanged:: 4.12 Added the `key_expiration_ms` parameter. .. versionchanged:: 4.0 Added the `kms_tls_options` parameter and the "kmip" KMS provider. .. versionadded:: 3.9 zclient-side field level encryption requires the pymongocrypt library: install a compatible version with: python -m pip install --upgrade 'pymongo[encryption]'zJcodec_options must be an instance of bson.codec_options.CodecOptions, not c3:K|]}|jdk(yw)r:Nr.0clss rL z,ClientEncryption.__init__..s_s||}4_zMongoClient required but given rr)kms_tls_optionsrN)rrr)_HAVE_PYMONGOCRYPTr&rrrrr:any__mro__rrrr_codec_optionsrr$r=_kms_tls_optionsrbrarQ _io_callbacksrr _encryptionr^_key_vault_coll) rcrkey_vault_namespacerrVr/rrrr^rJs rLrezClientEncryption.__init__/skj"$H  -6\]abo]p\qr *K8_EU@V@^@^__"A$GWBXBaBaAb cdd+$7!!1+&,,S!4D)"-d3!  +/   "88M8Mx!X6C .$7 -    &+Pa  !!00<<<#11@@rfc *t|tsFtdt|jDs!t dt|j t|}t|dD]E\}}t|ts|jd) |j|||d|d<G||d<d|d < |jd d |i||fS#t$r} t| || d} ~ wwxYw#t$r} t| || d} ~ wwxYw) a Create a collection with encryptedFields. .. warning:: This function does not update the encryptedFieldsMap in the client's AutoEncryptionOpts, thus the user must create a new client after calling this function with the encryptedFields returned. Normally collection creation is automatic. This method should only be used to specify options on creation. :class:`~pymongo.errors.EncryptionError` will be raised if the collection already exists. :param database: the database to create the collection :param name: the name of the collection to create :param encrypted_fields: Document that describes the encrypted fields for Queryable Encryption. The "keyId" may be set to ``None`` to auto-generate the data keys. For example: .. code-block: python { "escCollection": "enxcol_.encryptedCollection.esc", "ecocCollection": "enxcol_.encryptedCollection.ecoc", "fields": [ { "path": "firstName", "keyId": Binary.from_uuid(UUID('00000000-0000-0000-0000-000000000000')), "bsonType": "string", "queries": {"queryType": "equality"} }, { "path": "ssn", "keyId": Binary.from_uuid(UUID('04104104-1041-0410-4104-104104104104')), "bsonType": "string" } ] } :param kms_provider: the KMS provider to be used :param master_key: Identifies a KMS-specific key used to encrypt the new data key. If the kmsProvider is "local" the `master_key` is not applicable and may be omitted. :param kwargs: additional keyword arguments are the same as "create_collection". All optional `create collection command`_ parameters should be passed as keyword arguments to this method. See the documentation for :meth:`~pymongo.database.Database.create_collection` for all valid options. :raises: - :class:`~pymongo.errors.EncryptedCollectionError`: When either data-key creation or creating the collection fails. .. versionadded:: 4.4 .. _create collection command: https://mongodb.com/docs/manual/reference/command/create c3:K|]}|jdk(yw)r9Nr)r*s rLr-z?ClientEncryption.create_encrypted_collection..sTcs||z1Tr.zDatabase required but given fieldskeyIdN)ro master_keyencryptedFieldsF check_existsnamer)rr9r1rr2rrr enumeratedictrpcreate_data_keyr(r'create_collectionrH) rcrr@encrypted_fieldsror=r$ifieldrKs rLcreate_encrypted_collectionz,ClientEncryption.create_encrypted_collectionsD@(H-TT(^=S=STT">tH~?V?V>W XYY#$45!"28"<= SHAu%&599W+=+ES=A=Q=Q%1#->R>$X.q1': S%5 !!&~ K***???   'S238HIsRS K*30@As J Ks0CC7 C4" C//C47 D D  Dc |jt5tt|jj ||||cdddS#1swYyxYw)aCreate and insert a new data key into the key vault collection. :param kms_provider: The KMS provider to use. Supported values are "aws", "azure", "gcp", "kmip", "local", or a named provider like "kmip:name". :param master_key: Identifies a KMS-specific key used to encrypt the new data key. If the kmsProvider is "local" the `master_key` is not applicable and may be omitted. If the `kms_provider` type is "aws" it is required and has the following fields:: - `region` (string): Required. The AWS region, e.g. "us-east-1". - `key` (string): Required. The Amazon Resource Name (ARN) to the AWS customer. - `endpoint` (string): Optional. An alternate host to send KMS requests to. May include port number, e.g. "kms.us-east-1.amazonaws.com:443". If the `kms_provider` type is "azure" it is required and has the following fields:: - `keyVaultEndpoint` (string): Required. Host with optional port, e.g. "example.vault.azure.net". - `keyName` (string): Required. Key name in the key vault. - `keyVersion` (string): Optional. Version of the key to use. If the `kms_provider` type is "gcp" it is required and has the following fields:: - `projectId` (string): Required. The Google cloud project ID. - `location` (string): Required. The GCP location, e.g. "us-east1". - `keyRing` (string): Required. Name of the key ring that contains the key to use. - `keyName` (string): Required. Name of the key to use. - `keyVersion` (string): Optional. Version of the key to use. - `endpoint` (string): Optional. Host with optional port. Defaults to "cloudkms.googleapis.com". If the `kms_provider` type is "kmip" it is optional and has the following fields:: - `keyId` (string): Optional. `keyId` is the KMIP Unique Identifier to a 96 byte KMIP Secret Data managed object. If keyId is omitted, the driver creates a random 96 byte KMIP Secret Data managed object. - `endpoint` (string): Optional. Host with optional port, e.g. "example.vault.azure.net:". - `delegated` (bool): Optional. If True (recommended), the KMIP server will perform encryption and decryption. If delegated is not provided, defaults to false. :param key_alt_names: An optional list of string alternate names used to reference a key. If a key is created with alternate names, then encryption may refer to the key by the unique alternate name instead of by ``key_id``. The following example shows creating and referring to a data key by alternate name:: client_encryption.create_data_key("local", key_alt_names=["name1"]) # reference the key with the alternate name client_encryption.encrypt("457-55-5462", key_alt_name="name1", algorithm=Algorithm.AEAD_AES_256_CBC_HMAC_SHA_512_Random) :param key_material: Sets the custom key material to be used by the data key for encryption and decryption. :return: The ``_id`` of the created data key document as a :class:`~bson.binary.Binary` with subtype :data:`~bson.binary.UUID_SUBTYPE`. .. versionchanged:: 4.2 Added the `key_material` parameter. )r= key_alt_names key_materialN)rrOrrr6rC)rcror=rJrKs rLrCz ClientEncryption.create_data_key s\^  $ &   00 )"/!- 1   s -AAc |jt|tjrt j |}|.t|tr|j tk(s tdtd|i|j} d} |r!t|j|j} t5|jj| |||||| |} t| dcdddS#1swYyxYw)Nz2key_id must be a bson.binary.Binary with subtype 4vrvalue algorithmkey_id key_alt_name query_typecontention_factor range_opts is_expression)rruuidUUIDr from_uuidrrrrr3documentrOr6rr) rcrOrPrQrRrSrTrUrVrrange_opts_bytes encrypted_docs rL_encrypt_helperz ClientEncryption._encrypt_helperes  fdii (%%f-F   vv &6>>\+IPQ Q %L--   %##"11  % & . ,,44#)%"3++5 M-(- . . .s 81C33C<c Ptt|j|||||||dS)aEncrypt a BSON value with a given key and algorithm. Note that exactly one of ``key_id`` or ``key_alt_name`` must be provided. :param value: The BSON value to encrypt. :param algorithm` (string): The encryption algorithm to use. See :class:`Algorithm` for some valid options. :param key_id: Identifies a data key by ``_id`` which must be a :class:`~bson.binary.Binary` with subtype 4 ( :attr:`~bson.binary.UUID_SUBTYPE`). :param key_alt_name: Identifies a key vault document by 'keyAltName'. :param query_type` (str): The query type to execute. See :class:`QueryType` for valid options. :param contention_factor` (int): The contention factor to use when the algorithm is :attr:`Algorithm.INDEXED`. An integer value *must* be given when the :attr:`Algorithm.INDEXED` algorithm is used. :param range_opts: Index options for `range` queries. See :class:`RangeOpts` for some valid options. :return: The encrypted value, a :class:`~bson.binary.Binary` with subtype 6. .. versionchanged:: 4.9 Added the `range_opts` parameter. .. versionchanged:: 4.7 ``key_id`` can now be passed in as a :class:`uuid.UUID`. .. versionchanged:: 4.2 Added the `query_type` and `contention_factor` parameters. FrN)rrr])rcrOrPrQrRrSrTrUs rLrzClientEncryption.encrypts@R   #)%"3%# !   rfc Ptt|j|||||||dS)alEncrypt a BSON expression with a given key and algorithm. Note that exactly one of ``key_id`` or ``key_alt_name`` must be provided. :param expression: The BSON aggregate or match expression to encrypt. :param algorithm` (string): The encryption algorithm to use. See :class:`Algorithm` for some valid options. :param key_id: Identifies a data key by ``_id`` which must be a :class:`~bson.binary.Binary` with subtype 4 ( :attr:`~bson.binary.UUID_SUBTYPE`). :param key_alt_name: Identifies a key vault document by 'keyAltName'. :param query_type` (str): The query type to execute. See :class:`QueryType` for valid options. :param contention_factor` (int): The contention factor to use when the algorithm is :attr:`Algorithm.INDEXED`. An integer value *must* be given when the :attr:`Algorithm.INDEXED` algorithm is used. :param range_opts: Index options for `range` queries. See :class:`RangeOpts` for some valid options. :return: The encrypted expression, a :class:`~bson.RawBSONDocument`. .. versionchanged:: 4.9 Added the `range_opts` parameter. .. versionchanged:: 4.7 ``key_id`` can now be passed in as a :class:`uuid.UUID`. .. versionadded:: 4.4 TrN)rrr])rc expressionrPrQrRrSrTrUs rLencrypt_expressionz#ClientEncryption.encrypt_expressions@R    #)%"3%" !   rfc:|jt|tr|jdk(s t dt 5t d|i}|jj|}t||jdcdddS#1swYyxYw)zDecrypt an encrypted value. :param value` (Binary): The encrypted value, a :class:`~bson.binary.Binary` with subtype 6. :return: The decrypted BSON value. z ##///##,,m\-JKKrfc |jddddd|ggiddddd |gid igiiig}|jJ|jjd |i|S) a Remove ``key_alt_name`` from the set of keyAltNames in the key document with UUID ``id``. Also removes the ``keyAltNames`` field from the key document if it would otherwise be empty. :param id: The UUID of a key a which must be a :class:`~bson.binary.Binary` with subtype 4 ( :attr:`~bson.binary.UUID_SUBTYPE`). :param key_alt_name: The key alternate name to remove. :return: Returns the previous version of the key document. .. versionadded:: 4.2 $setrqz$condz$eqz $keyAltNamesz$$REMOVEz$filterz$nez$$this)inputcondrrr)rcrirRpipelines rLremove_key_alt_namez$ClientEncryption.remove_key_alt_nameVs !"^l^$DE& )-;-2X|4L,M," " $   $##///##77 XNNrfc| | td|jt5|jj |||}|t cdddS dddt t}g}|dD]4}|d|ddddid }td |d i|} |j| 6|s t S|jJ|jj|} t | S#1swYxYw) aDecrypts and encrypts all matching data keys in the key vault with a possibly new `master_key` value. :param filter: A document used to filter the data keys. :param provider: The new KMS provider to use to encrypt the data keys, or ``None`` to use the current KMS provider(s). :param master_key: The master key fields corresponding to the new KMS provider when ``provider`` is not ``None``. :return: A :class:`RewrapManyDataKeyResult`. This method allows you to re-encrypt all of your data-keys with a new CMK, or master key. Note that this does *not* require re-encrypting any of the data in your encrypted collections, but rather refreshes the key that protects the keys that encrypt the data: .. code-block:: python client_encryption.rewrap_many_data_key( filter={"keyAltNames": "optional filter for which keys you want to update"}, master_key={ "provider": "azure", # replace with your cloud provider "master_key": { # put the rest of your master_key options here "key": "" }, }, ) .. versionadded:: 4.2 Nz1A provider must be given if a master_key is givenrM keyMaterial masterKey)rr updateDateT)ryz $currentDater) r&rrOr6rewrap_many_data_keyrrrr.appendr7 bulk_write) rcrrr= raw_resultr replacementsr update_modelopresults rLrz%ClientEncryption.rewrap_many_data_keyzs%F  !h&6$%XY Y  $ & 1))>>vxQ[\J!.0 1 1! 1 "*.FG 3< $C(+M(:[IYZ!-t 4LE3u:. =B    #  $*, ,##///%%00>&v..% 1 1s )C44C=c|Srrrs rL __enter__zClientEncryption.__enter__s rfc$|jyr)r)rcexc_typeexc_valexc_tbs rL__exit__zClientEncryption.__exit__s  rfc2|j tdy)Nz"Cannot use closed ClientEncryption)r6r)rs rLrzClientEncryption._check_closeds    #"#GH H $rfc|jrC|jj|jjd|_d|_yy)aERelease resources. Note that using this class in a with-statement will automatically call :meth:`close`:: with ClientEncryption(...) as client_encryption: encrypted = client_encryption.encrypt(value, ...) decrypted = client_encryption.decrypt(encrypted) N)r5rr6rs rLrzClientEncryption.closesF       $ $ &    " " $!%D #D  rf)NN)rr r8rrrrVrr/Optional[Mapping[str, Any]]r Optional[int]rr)rzDatabase[_DocumentTypeArg]r@rrEr ro Optional[str]r=rr$rrz6tuple[Collection[_DocumentTypeArg], Mapping[str, Any]])NNN) rorr=rrJzOptional[Sequence[str]]rKrrr)NNNNNF)rOrrPrrQ"Optional[Union[Binary, uuid.UUID]]rRrrSrrTrrUOptional[RangeOpts]rVboolrr)NNNNN)rOrrPrrQrrRrrSrrTrrUrrr)r`r rPrrQrrRrrSrrTrrUrrr)rOrrr)rirrOptional[RawBSONDocument])rzCursor[RawBSONDocument])rirrr4)rirrRrrr)rRrrr)rirrRrrr)rr rrr=rrr)rzClientEncryption[_DocumentType])rrrrrrrrr)rrrrrerHrCr]rrar rjrlrorurwr}rrrrrrrfrLr&r&,s68<+/@A(@A!@A8 @A 6 @A 5 @A)@A @AN'+26 WK,WKWK, WK $ WK 0 WKWK @WKx3715(, YY0Y/ Y & Y  Y~6:&*$(+/*.#(.(.(.3 (. $ (. " (.)(.((.(. (.\6:&*$(+/*.5 5 5 3 5 $ 5 " 5 )5 (5  5 v6:&*$(+/*.5 %5 5 3 5 $ 5 " 5 )5 (5  5 nQ" : - <M" L"ON#'26 8/!8/ 8/0 8/ ! 8/tI$rfr&)rIrBrJr/rzUnion[socket.socket, _sslConn])rzIterator[None])r$rrr)r __future__r contextlibenumrrwrWrYcopyrtypingrrrrr r r r r rrrpymongocrypt.errorsrpymongocrypt.mongocryptr'pymongocrypt.synchronous.auto_encrypterr+pymongocrypt.synchronous.explicit_encrypterr&pymongocrypt.synchronous.state_machinerr0 ImportErrorobjectbsonrrr bson.binaryrrrbson.codec_optionsr bson.errorsr bson.raw_bsonrrr pymongor!pymongo.commonr"pymongo.daemonr#pymongo.encryption_optionsr$r%pymongo.errorsr&r'r(r)r*r+pymongo.helpers_sharedr,r|r-pymongo.operationsr.pymongo.pool_optionsr/pymongo.pool_sharedr0r1pymongo.read_concernr2pymongo.resultsr3r4pymongo.ssl_supportr5r6pymongo.synchronous.collectionr7pymongo.synchronous.cursorr8pymongo.synchronous.databaser9 pymongo.synchronous.mongo_clientr:pymongo.typingsr;r<pymongo.uri_parser_sharedr=r>pymongo.write_concernr?r@pymongo.pyopenssl_contextrArBrbrtrsrrrE__annotations__r]rMcontextmanagerrOrQrrEnumrrrr&rrfrLrs?"       39E /.66+!RR*(D8)(,-9C5-18;H.<2(  &/;S>x0, o>\  , ,W+&W+tII.u)u)pTYY>TYY0Fa $w}-a $q  s G GG