U dU@sUdZddlmZddlZddlZddlZddlZddlmZddl m Z m Z m Z m Z mZmZmZmZmZmZzDddlmZddlmZddlmZdd lmZdd lmZd ZWnek rd Ze ZYnXdd l!m"Z"m#Z#m$Z$ddl%m&Z&m'Z'm(Z(ddl)m*Z*ddl+m,Z,ddl-m.Z.m/Z/m0Z0ddl1m2Z2ddl3m4Z4ddl5m6Z6ddl7m8Z8ddl9m:Z:ddl;mZ>ddl?m@Z@mAZAddlBmCZCmDZDmEZEmFZFmGZGmHZHddlImJZJddlKmLZLddlMmNZNddlOmPZPmQZQmRZRddlSmTZTdd lUmVZVmWZWdd!lXmYZYdd"lZm[Z[dd#l\m]Z]dd$l^m_Z_e r>dd%lm`Z`d&Zae8Zbd'Zce*e2e&d(Zdd)eed*<e*e/d+Zfejgd,d-d.d/ZhGd0d1d1eZiGd2d3d3ZjGd4d5d5ZkGd6d7d7elejmZnGd8d9d9elejmZoGd:d;d;e e[ZpdS)tk r Yn*tk rH}z t|W5d}~XYnXdS)z2Context manager to wrap encryption related errors.N)r Exceptionr))excrA6/tmp/pip-unpacked-wheel-oblwsawz/pymongo/encryption.py_wrap_encryption_errors^s  rCc@seZdZdddddddZddd d d Zd d ddddZddddZdd d dddZd ddddZd dddd Z d!d d"d#d$Z ddd%d&Z d'S)( _EncryptionIOzOptional[MongoClient]r r%)clientkey_vault_collmongocryptd_clientoptscCsT||dk rt||_nd|_|jttddtddd|_||_||_ d|_ dS)z8Internal class to perform I/O on behalf of pymongocrypt.NZmajority)level)w) codec_optionsZ read_concernZ write_concernF) weakrefref client_refZ with_options_KEY_VAULT_OPTSr3r9rFrGrH_spawned)selfrErFrGrHrArArB__init__lsz_EncryptionIO.__init__r:None) kms_contextr>c CsN|j}|j}|j}|jj|}|dkrc CsV||jt|d4}|D]}t|dtW5QRSW5QRdSQRXdS)aGet the collection info for a namespace. The returned collection info is passed to libmongocrypt which reads the JSON schema. :Parameters: - `database`: The database on which to run listCollections. - `filter`: The filter to pass to listCollections. :Returns: The first document from the listCollections command response as BSON. )rrFN)rNZlist_collectionsrrr<)rQrqrrcursordocrArArBcollection_infos z_EncryptionIO.collection_infor=cCs.d|_|jjpdg}||jjt|dS)z~Spawn mongocryptd. Note this method is thread safe; at most one mongocryptd will start successfully. TZ mongocryptdN)rPrHZ_mongocryptd_spawn_pathextendZ_mongocryptd_spawn_argsr#)rQargsrArArBspawnsz_EncryptionIO.spawnstr)rqcmdr>cCs|js|jjs|t|t}|jdk s.tz|j|j|td}Wn:t k r|jjr`||j|j|td}YnX|j S)zMark a command for encryption. :Parameters: - `database`: The database on which to run this command. - `cmd`: The BSON command to run. :Returns: The marked command response from mongocryptd. NrK) rPrHZ_mongocryptd_bypass_spawnrxrrrGAssertionErrorcommandr,raw)rQrqrzZ inflated_cmdresrArArB mark_commands$      z_EncryptionIO.mark_commandzIterator[bytes])rrr>c cs@|jdk st|jt|}|D] }|jVq$W5QRXdS)zYields one or more keys from the key vault. :Parameters: - `filter`: The filter to pass to find. :Returns: A generator which yields the requested keys from the key vault. N)rFr|findrr~)rQrrrskeyrArArB fetch_keyss z_EncryptionIO.fetch_keysr)data_keyr>cCsNt|t}|d}t|tr(|jtkr0td|jdk s>t |j ||S)zInsert a data key into the key vault. :Parameters: - `data_key`: The data key document to insert. :Returns: The _id of the inserted data key document. _idz/data_key _id must be Binary with a UUID subtypeN) rrOr[ isinstancersubtyper TypeErrorrFr|Z insert_one)rQrraw_docZ data_key_idrArArBinsert_data_keys   z_EncryptionIO.insert_data_keyzMutableMapping[str, Any])rtr>cCst|S)zEncode a document to BSON. A document can be any mapping type (like :class:`dict`). :Parameters: - `doc`: mapping type representing a document :Returns: The encoded BSON bytes. )r)rQrtrArArB bson_encodes z_EncryptionIO.bson_encodecCs&d|_d|_|jr"|jd|_dS)zjRelease resources. Note it is not safe to call this method from __del__ or any GC hooks. N)rNrFrGr_rQrArArBr_ s  z_EncryptionIO.closeN) __name__ __module__ __qualname__rRrnrurxrrrrr_rArArArBrDks6  rDc@s4eZdZdZd dddddZeddd d ZdS) RewrapManyDataKeyResultzuResult object returned by a :meth:`~ClientEncryption.rewrap_many_data_key` operation. .. versionadded:: 4.2 NzOptional[BulkWriteResult]rS)bulk_write_resultr>cCs ||_dSNZ_bulk_write_result)rQrrArArBrR2sz RewrapManyDataKeyResult.__init__r=cCs|jS)aDThe result of the bulk write operation used to update the key vault collection with one or more rewrapped data keys. If :meth:`~ClientEncryption.rewrap_many_data_key` does not find any matching keys to rewrap, no bulk write operation will be executed and this field will be ``None``. rrrArArBr5sz)RewrapManyDataKeyResult.bulk_write_result)N)rrr__doc__rRpropertyrrArArArBr,src@s`eZdZdZdddddZddd d d d d ZdddddZddddZddddZdS) _EncrypterzEncrypts and decrypts MongoDB commands. This class is used to support automatic encryption and decryption of MongoDB commands. r-r%)rErHc Cs|jdkrd}nt|jdt}|jdkr.d}nt|jdt}|j|_d|_dddddd}|jdk rn|j}n |||}|jrd}n |||}|jdd \}} ||| } t |j dt d } t || | |} t | t|j||j|j|j||jd |_d|_dS) zCreate a _Encrypter for a client. :Parameters: - `client`: The encrypted MongoClient. - `opts`: The encrypted client's :class:`AutoEncryptionOpts`. NFrr-) encrypter mongo_clientr>cSs:|jjjdkr|S|jdk r"|jS|jddd}||_|S)Nr)Z minPoolSizeZauto_encryption_opts)optionsZ pool_optionsZ max_pool_size_internal_clientZ _duplicate)rrZinternal_clientrArArB_get_internal_clientZs z1_Encrypter.__init__.._get_internal_client.)connectZserverSelectionTimeoutMS)Zcrypt_shared_lib_pathZcrypt_shared_lib_requiredZbypass_encryptionencrypted_fields_mapZbypass_query_analysis)Z _schema_maprr<Z_encrypted_fields_mapZ_bypass_auto_encryptionr_key_vault_client_key_vault_namespacesplitr-Z_mongocryptd_uri_MONGOCRYPTD_TIMEOUT_MSrDrr_kms_providersZ_crypt_shared_lib_pathZ_crypt_shared_lib_requiredZ_bypass_query_analysis_auto_encrypter_closed) rQrErHZ schema_maprrkey_vault_clientZmetadata_clientdbcollrFrGZ io_callbacksrArArBrRGsH       z_Encrypter.__init__ryMapping[str, Any]rzDict[Any, Any])rqrzrKr>c CsN|t|d|}t*|j||}t|t}|W5QRSQRXdS)a!Encrypt a MongoDB command. :Parameters: - `database`: The database for this command. - `cmd`: A command document. - `codec_options`: The CodecOptions to use while encoding `cmd`. :Returns: The encrypted command to execute. FN) _check_closedrrCrencryptrr)rQrqrzrKZ encoded_cmdZ encrypted_cmdZ encrypt_cmdrArArBrs   z_Encrypter.encryptrorp)responser>c Cs2|t|j|W5QRSQRXdS)zDecrypt a MongoDB command response. :Parameters: - `response`: A MongoDB command response as BSON. :Returns: The decrypted command response. N)rrCrdecrypt)rQrrArArBrs z_Encrypter.decryptrSr=cCs|jrtddS)Nz"Cannot use MongoClient after close)rr*rrArArBrsz_Encrypter._check_closedcCs*d|_|j|jr&|jd|_dS)zCleanup resources.TN)rrr_rrrArArBr_s   z_Encrypter.closeN) rrrrrRrrrr_rArArArBr@s > rc@s$eZdZdZdZdZdZdZdZdS) Algorithmz9An enum that defines the supported encryption algorithms.z+AEAD_AES_256_CBC_HMAC_SHA_512-Deterministicz$AEAD_AES_256_CBC_HMAC_SHA_512-RandomZIndexedZ UnindexedZ RangePreviewN) rrrrZ+AEAD_AES_256_CBC_HMAC_SHA_512_DeterministicZ$AEAD_AES_256_CBC_HMAC_SHA_512_RandomZINDEXEDZ UNINDEXED RANGEPREVIEWrArArArBrsrc@seZdZdZdZdZdS) QueryTypezmAn enum that defines the supported values for explicit encryption query_type. .. versionadded:: 4.2 ZequalityZ rangePreviewN)rrrrZEQUALITYrrArArArBrsrc @seZdZdZdLddddddd d d ZdMd ddd ddddddZdNddddddddZdOdddd d ddddd dd ZdPdddd d dddd!d"d#ZdQdddd d ddd$d%d&d'Z ddd(d)d*Z dd+d,d-d.Z d/d0d1d2Z dd3d,d4d5Z dddd6d7d8Zdd+d9d:d;Zddd+d6dd?d@dAZdBd0dCdDZdddddEdFdGZdd0dHdIZdd0dJdKZdS)SClientEncryptionz,Explicit client-side field level encryption.Nrryr-rzOptional[Mapping[str, Any]]rS) kms_providerskey_vault_namespacerrKkms_tls_optionsr>c Csts tdt|tstd||_||_||_||_| dd\}}|||}t |||d} t d|d| |_ t |j t|d|_|j j|_dS)aExplicit client-side field level encryption. The ClientEncryption class encapsulates explicit operations on a key vault collection that cannot be done directly on a MongoClient. Similar to configuring auto encryption on a MongoClient, it is constructed with a MongoClient (to a MongoDB cluster containing the key vault collection), KMS provider configuration, and keyVaultNamespace. It provides an API for explicitly encrypting and decrypting values, and creating data keys. It does not provide an API to query keys from the key vault collection, as this can be done directly on the MongoClient. See :ref:`explicit-client-side-encryption` for an example. :Parameters: - `kms_providers`: Map of KMS provider options. The `kms_providers` map values differ by provider: - `aws`: Map with "accessKeyId" and "secretAccessKey" as strings. These are the AWS access key ID and AWS secret access key used to generate KMS messages. An optional "sessionToken" may be included to support temporary AWS credentials. - `azure`: Map with "tenantId", "clientId", and "clientSecret" as strings. Additionally, "identityPlatformEndpoint" may also be specified as a string (defaults to 'login.microsoftonline.com'). These are the Azure Active Directory credentials used to generate Azure Key Vault messages. - `gcp`: Map with "email" as a string and "privateKey" as `bytes` or a base64 encoded string. Additionally, "endpoint" may also be specified as a string (defaults to 'oauth2.googleapis.com'). These are the credentials used to generate Google Cloud KMS messages. - `kmip`: Map with "endpoint" as a host with required port. For example: ``{"endpoint": "example.com:443"}``. - `local`: Map with "key" as `bytes` (96 bytes in length) or a base64 encoded string which decodes to 96 bytes. "key" is the master key used to encrypt/decrypt data keys. This key should be generated and stored as securely as possible. - `key_vault_namespace`: The namespace for the key vault collection. The key vault collection contains all data keys used for encryption and decryption. Data keys are stored as documents in this MongoDB collection. Data keys are protected with encryption by a KMS provider. - `key_vault_client`: A MongoClient connected to a MongoDB cluster containing the `key_vault_namespace` collection. - `codec_options`: An instance of :class:`~bson.codec_options.CodecOptions` to use when encoding a value for encryption and decoding the decrypted BSON value. This should be the same CodecOptions instance configured on the MongoClient, Database, or Collection used to access application data. - `kms_tls_options` (optional): A map of KMS provider names to TLS options to use when creating secure connections to KMS providers. Accepts the same TLS options as :class:`pymongo.mongo_client.MongoClient`. For example, to override the system default CA file:: kms_tls_options={'kmip': {'tlsCAFile': certifi.where()}} Or to supply a client certificate:: kms_tls_options={'kmip': {'tlsCertificateKeyFile': 'client.pem'}} .. versionchanged:: 4.0 Added the `kms_tls_options` parameter and the "kmip" KMS provider. .. versionadded:: 3.9 zclient-side field level encryption requires the pymongocrypt library: install a compatible version with: python -m pip install 'pymongo[encryption]'zDcodec_options must be an instance of bson.codec_options.CodecOptionsrr)rN)_HAVE_PYMONGOCRYPTr'rrrrrr_codec_optionsrr%rD _io_callbacksrr _encryptionrF_key_vault_coll) rQrrrrKrrrrFrHrArArBrRs8M  zClientEncryption.__init__r$z Optional[str]rz3Tuple[Collection[_DocumentType], Mapping[str, Any]])rqnameencrypted_fieldsrZ master_keykwargsr>c Kst|}t|dD]n\}}t|tr|ddkrz|j||d|d|d<Wqtk r} zt| || W5d} ~ XYqXq||d<d|d<z|jfd|i||fWSt k r} zt| || W5d} ~ XYnXdS) a Create a collection with encryptedFields. .. warning:: This function does not update the encryptedFieldsMap in the client's AutoEncryptionOpts, thus the user must create a new client after calling this function with the encryptedFields returned. Normally collection creation is automatic. This method should only be used to specify options on creation. :class:`~pymongo.errors.EncryptionError` will be raised if the collection already exists. :Parameters: - `name`: the name of the collection to create - `encrypted_fields` (dict): Document that describes the encrypted fields for Queryable Encryption. For example:: { "escCollection": "enxcol_.encryptedCollection.esc", "ecocCollection": "enxcol_.encryptedCollection.ecoc", "fields": [ { "path": "firstName", "keyId": Binary.from_uuid(UUID('00000000-0000-0000-0000-000000000000')), "bsonType": "string", "queries": {"queryType": "equality"} }, { "path": "ssn", "keyId": Binary.from_uuid(UUID('04104104-1041-0410-4104-104104104104')), "bsonType": "string" } ] } The "keyId" may be set to ``None`` to auto-generate the data keys. - `kms_provider` (optional): the KMS provider to be used - `master_key` (optional): Identifies a KMS-specific key used to encrypt the new data key. If the kmsProvider is "local" the `master_key` is not applicable and may be omitted. - `**kwargs` (optional): additional keyword arguments are the same as "create_collection". All optional `create collection command`_ parameters should be passed as keyword arguments to this method. See the documentation for :meth:`~pymongo.database.Database.create_collection` for all valid options. :Raises: - :class:`~pymongo.errors.EncryptedCollectionError`: When either data-key creation or creating the collection fails. .. versionadded:: 4.4 .. _create collection command: https://mongodb.com/docs/manual/reference/command/create fieldsZkeyIdN)rZrZencryptedFieldsFZ check_existsr) r enumeraterdictr[create_data_keyr)r(Zcreate_collectionr?) rQrqrrrZrrifieldr@rArArBcreate_encrypted_collectionNs$@ z,ClientEncryption.create_encrypted_collectionzOptional[Sequence[str]]rpr)rZr key_alt_names key_materialr>c Cs:|t"|jj||||dW5QRSQRXdS)a Create and insert a new data key into the key vault collection. :Parameters: - `kms_provider`: The KMS provider to use. Supported values are "aws", "azure", "gcp", "kmip", and "local". - `master_key`: Identifies a KMS-specific key used to encrypt the new data key. If the kmsProvider is "local" the `master_key` is not applicable and may be omitted. If the `kms_provider` is "aws" it is required and has the following fields:: - `region` (string): Required. The AWS region, e.g. "us-east-1". - `key` (string): Required. The Amazon Resource Name (ARN) to the AWS customer. - `endpoint` (string): Optional. An alternate host to send KMS requests to. May include port number, e.g. "kms.us-east-1.amazonaws.com:443". If the `kms_provider` is "azure" it is required and has the following fields:: - `keyVaultEndpoint` (string): Required. Host with optional port, e.g. "example.vault.azure.net". - `keyName` (string): Required. Key name in the key vault. - `keyVersion` (string): Optional. Version of the key to use. If the `kms_provider` is "gcp" it is required and has the following fields:: - `projectId` (string): Required. The Google cloud project ID. - `location` (string): Required. The GCP location, e.g. "us-east1". - `keyRing` (string): Required. Name of the key ring that contains the key to use. - `keyName` (string): Required. Name of the key to use. - `keyVersion` (string): Optional. Version of the key to use. - `endpoint` (string): Optional. Host with optional port. Defaults to "cloudkms.googleapis.com". If the `kms_provider` is "kmip" it is optional and has the following fields:: - `keyId` (string): Optional. `keyId` is the KMIP Unique Identifier to a 96 byte KMIP Secret Data managed object. If keyId is omitted, the driver creates a random 96 byte KMIP Secret Data managed object. - `endpoint` (string): Optional. Host with optional port, e.g. "example.vault.azure.net:". - `key_alt_names` (optional): An optional list of string alternate names used to reference a key. If a key is created with alternate names, then encryption may refer to the key by the unique alternate name instead of by ``key_id``. The following example shows creating and referring to a data key by alternate name:: client_encryption.create_data_key("local", key_alt_names=["name1"]) # reference the key with the alternate name client_encryption.encrypt("457-55-5462", key_alt_name="name1", algorithm=Algorithm.AEAD_AES_256_CBC_HMAC_SHA_512_Random) - `key_material` (optional): Sets the custom key material to be used by the data key for encryption and decryption. :Returns: The ``_id`` of the created data key document as a :class:`~bson.binary.Binary` with subtype :data:`~bson.binary.UUID_SUBTYPE`. .. versionchanged:: 4.2 Added the `key_material` parameter. )rrrN)rrCrr)rQrZrrrrArArBrsMz ClientEncryption.create_data_keyFzOptional[Binary]z Optional[int]zOptional[RangeOpts]bool) value algorithmkey_id key_alt_name query_typecontention_factor range_opts is_expressionr>c Cs||dk r,t|tr$|jtks,tdtd|i|jd} d} |rVt|j|jd} t 6|j j | |||||| |d} t | dW5QRSQRXdS)Nz2key_id must be a bson.binary.Binary with subtype 4vr{rrrrrrrr) rrrrrrrrdocumentrCrrr) rQrrrrrrrrrtZrange_opts_bytesZ encrypted_docrArArB_encrypt_helpers:  z ClientEncryption._encrypt_helper)rrrrrrrr>c Cs|j|||||||ddS)aEncrypt a BSON value with a given key and algorithm. Note that exactly one of ``key_id`` or ``key_alt_name`` must be provided. :Parameters: - `value`: The BSON value to encrypt. - `algorithm` (string): The encryption algorithm to use. See :class:`Algorithm` for some valid options. - `key_id`: Identifies a data key by ``_id`` which must be a :class:`~bson.binary.Binary` with subtype 4 ( :attr:`~bson.binary.UUID_SUBTYPE`). - `key_alt_name`: Identifies a key vault document by 'keyAltName'. - `query_type` (str): The query type to execute. See :class:`QueryType` for valid options. - `contention_factor` (int): The contention factor to use when the algorithm is :attr:`Algorithm.INDEXED`. An integer value *must* be given when the :attr:`Algorithm.INDEXED` algorithm is used. - `range_opts`: Experimental only, not intended for public use. :Returns: The encrypted value, a :class:`~bson.binary.Binary` with subtype 6. .. versionchanged:: 4.2 Added the `query_type` and `contention_factor` parameters. Frr)rQrrrrrrrrArArBr s$zClientEncryption.encryptr) expressionrrrrrrr>c Cs|j|||||||ddS)aEncrypt a BSON expression with a given key and algorithm. Note that exactly one of ``key_id`` or ``key_alt_name`` must be provided. :Parameters: - `expression`: The BSON aggregate or match expression to encrypt. - `algorithm` (string): The encryption algorithm to use. See :class:`Algorithm` for some valid options. - `key_id`: Identifies a data key by ``_id`` which must be a :class:`~bson.binary.Binary` with subtype 4 ( :attr:`~bson.binary.UUID_SUBTYPE`). - `key_alt_name`: Identifies a key vault document by 'keyAltName'. - `query_type` (str): The query type to execute. See :class:`QueryType` for valid options. - `contention_factor` (int): The contention factor to use when the algorithm is :attr:`Algorithm.INDEXED`. An integer value *must* be given when the :attr:`Algorithm.INDEXED` algorithm is used. - `range_opts`: Experimental only, not intended for public use. :Returns: The encrypted expression, a :class:`~bson.RawBSONDocument`. .. versionadded:: 4.4 Trr)rQrrrrrrrrArArBencrypt_expressionOs$z#ClientEncryption.encrypt_expression)rr>c Csl|t|tr|jdks$tdt8td|i}|j|}t ||j ddW5QRSQRXdS)zDecrypt an encrypted value. :Parameters: - `value` (Binary): The encrypted value, a :class:`~bson.binary.Binary` with subtype 6. :Returns: The decrypted BSON value. zcCs&||jdk st|jd|iS)a+Get a data key by id. :Parameters: - `id` (Binary): The UUID of a key a which must be a :class:`~bson.binary.Binary` with subtype 4 ( :attr:`~bson.binary.UUID_SUBTYPE`). :Returns: The key document. .. versionadded:: 4.2 Nrrrr|Zfind_onerQrrArArBget_keys zClientEncryption.get_keyzCursor[RawBSONDocument]r=cCs"||jdk st|jiS)zGet all of the data keys. :Returns: An instance of :class:`~pymongo.cursor.Cursor` over the data key documents. .. versionadded:: 4.2 N)rrr|rrrArArBget_keyss zClientEncryption.get_keysr5cCs&||jdk st|jd|iS)agDelete a key document in the key vault collection that has the given ``key_id``. :Parameters: - `id` (Binary): The UUID of a key a which must be a :class:`~bson.binary.Binary` with subtype 4 ( :attr:`~bson.binary.UUID_SUBTYPE`). :Returns: The delete result. .. versionadded:: 4.2 Nr)rrr|Z delete_onerrArArB delete_keys zClientEncryption.delete_key)rrr>cCs4|dd|ii}|jdk s"t|jd|i|S)aAdd ``key_alt_name`` to the set of alternate names in the key document with UUID ``key_id``. :Parameters: - ``id``: The UUID of a key a which must be a :class:`~bson.binary.Binary` with subtype 4 ( :attr:`~bson.binary.UUID_SUBTYPE`). - ``key_alt_name``: The key alternate name to add. :Returns: The previous version of the key document. .. versionadded:: 4.2 z $addToSet keyAltNamesNrrrr|Zfind_one_and_update)rQrrupdaterArArBadd_key_alt_names z!ClientEncryption.add_key_alt_name)rr>cCs&||jdk st|jd|iS)a Get a key document in the key vault collection that has the given ``key_alt_name``. :Parameters: - `key_alt_name`: (str): The key alternate name of the key to get. :Returns: The key document. .. versionadded:: 4.2 Nrr)rQrrArArBget_key_by_alt_names z$ClientEncryption.get_key_by_alt_namec Cs\|ddddd|ggiddddd |gid igiiig}|jd k sJt|jd |i|S) a.Remove ``key_alt_name`` from the set of keyAltNames in the key document with UUID ``id``. Also removes the ``keyAltNames`` field from the key document if it would otherwise be empty. :Parameters: - ``id``: The UUID of a key a which must be a :class:`~bson.binary.Binary` with subtype 4 ( :attr:`~bson.binary.UUID_SUBTYPE`). - ``key_alt_name``: The key alternate name to remove. :Returns: Returns the previous version of the key document. .. versionadded:: 4.2 $setrz$condz$eqz $keyAltNamesz$$REMOVEz$filterz$nez$$this)inputZcondNrr)rQrrZpipelinerArArBremove_key_alt_names$  z$ClientEncryption.remove_key_alt_namer)rrrgrr>c Cs|dk r|dkrtd|t0|j|||}|dkrRtW5QRSW5QRXt|t}g}|dD]<}|d|ddddid }td |d i|} | | qr|stS|j dk st |j |} t| S) a6Decrypts and encrypts all matching data keys in the key vault with a possibly new `master_key` value. :Parameters: - `filter`: A document used to filter the data keys. - `provider`: The new KMS provider to use to encrypt the data keys, or ``None`` to use the current KMS provider(s). - ``master_key``: The master key fields corresponding to the new KMS provider when ``provider`` is not ``None``. :Returns: A :class:`RewrapManyDataKeyResult`. This method allows you to re-encrypt all of your data-keys with a new CMK, or master key. Note that this does *not* require re-encrypting any of the data in your encrypted collections, but rather refreshes the key that protects the keys that encrypt the data: .. code-block:: python client_encryption.rewrap_many_data_key( filter={"keyAltNames": "optional filter for which keys you want to update"}, master_key={ "provider": "azure", # replace with your cloud provider "master_key": { # put the rest of your master_key options here "key": "" }, }, ) .. versionadded:: 4.2 Nz1A provider must be given if a master_key is givenr keyMaterial masterKey)rrZ updateDateT)rz $currentDater) r'rrCrrewrap_many_data_keyrrrr/appendrr|Z bulk_write) rQrrrgrZ raw_resultr replacementsrZ update_modelopresultrArArBrs(%    z%ClientEncryption.rewrap_many_data_keyz'ClientEncryption'cCs|SrrArrArArB __enter__DszClientEncryption.__enter__)exc_typeexc_valexc_tbr>cCs |dSr)r_)rQrrrrArArB__exit__GszClientEncryption.__exit__cCs|jdkrtddS)Nz"Cannot use closed ClientEncryption)rr*rrArArBrJs zClientEncryption._check_closedcCs*|jr&|j|jd|_d|_dS)aERelease resources. Note that using this class in a with-statement will automatically call :meth:`close`:: with ClientEncryption(...) as client_encryption: encrypted = client_encryption.encrypt(value, ...) decrypted = client_encryption.decrypt(encrypted) N)rr_rrrArArBr_Ns   zClientEncryption.close)N)NN)NNN)NNNNNF)NNNNN)NNNNN)NN)rrrrrRrrrrrrrrrrrrrrrrr_rArArArBrsVpWZ ,3/ )<r)qr __future__r contextlibenumrerLcopyrtypingrrrrrr r r r r Zpymongocrypt.auto_encrypterrZpymongocrypt.errorsrZpymongocrypt.explicit_encrypterrZpymongocrypt.mongocryptrZpymongocrypt.state_machinerr ImportErrorobjectZbsonrrrZ bson.binaryrrrZbson.codec_optionsrZ bson.errorsrZ bson.raw_bsonrrrZbson.sonrZpymongorZpymongo.collectionr Zpymongo.commonr!Zpymongo.cursorr"Zpymongo.daemonr#Zpymongo.databaser$Zpymongo.encryption_optionsr%r&Zpymongo.errorsr'r(r)r*r+r,Zpymongo.mongo_clientr-Zpymongo.networkr.Zpymongo.operationsr/Z pymongo.poolr0r1r2Zpymongo.read_concernr3Zpymongo.resultsr4r5Zpymongo.ssl_supportr6Zpymongo.typingsr7Zpymongo.uri_parserr8Zpymongo.write_concernr9r:r^r]rr<__annotations__rOcontextmanagerrCrDrrryEnumrrrrArArArBsr  0                            Bt