feat: Add EncryptedKey struct (#1326)

c-thiel · web-flow · commit e5215a11b23f · 2025-05-16T10:22:17.000+08:00
## Which issue does this PR close? Implements the `EncryptionKey` type as a preparation for v3 Metadata. https://github.com/apache/iceberg/pull/12162/files This doesn't implement the full v3 TableMetadata yet, but helps to keep the v3 commit smaller. Because v3 Metadata is not implemented yet, there is no way set / deserialize this field from Metadata.json yet. ## What changes are included in this PR? - Add `EncryptedKey` including serialization of `encrypted_key_metadata` as base64 - Add the `encryption_keys` field to `TableMetadata` ## Are these changes tested? yes
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -54,6 +54,7 @@ async-std = "1.12"
 async-trait = "0.1.88"
 aws-config = "1.6.1"
 aws-sdk-glue = "1.39"
+base64 = "0.22.1"
 bimap = "0.6"
 bytes = "1.10"
 chrono = "0.4.40"
diff --git a/crates/iceberg/Cargo.toml b/crates/iceberg/Cargo.toml
@@ -55,6 +55,7 @@ arrow-select = { workspace = true }
 arrow-string = { workspace = true }
 async-std = { workspace = true, optional = true, features = ["attributes"] }
 async-trait = { workspace = true }
+base64 = { workspace = true }
 bimap = { workspace = true }
 bytes = { workspace = true }
 chrono = { workspace = true }
diff --git a/crates/iceberg/src/spec/encrypted_key.rs b/crates/iceberg/src/spec/encrypted_key.rs
@@ -0,0 +1,220 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+use std::collections::HashMap;
+
+use serde::{Deserialize, Serialize};
+
+/// Keys used for table encryption
+///
+/// Serializing of `encrypted_key_metadata` is done using base64 encoding.
+#[derive(Debug, Clone, PartialEq, Eq, typed_builder::TypedBuilder)]
+pub struct EncryptedKey {
+    /// Unique identifier for the key
+    #[builder(setter(into))]
+    key_id: String,
+    /// Encrypted key metadata as binary data
+    #[builder(setter(into))]
+    encrypted_key_metadata: Vec<u8>,
+    /// Identifier of the entity that encrypted this key
+    #[builder(setter(into))]
+    encrypted_by_id: String,
+    /// Additional properties associated with the key
+    #[builder(default)]
+    properties: HashMap<String, String>,
+}
+
+impl EncryptedKey {
+    /// Returns the key ID
+    pub fn key_id(&self) -> &str {
+        &self.key_id
+    }
+
+    /// Returns the encrypted key metadata
+    pub fn encrypted_key_metadata(&self) -> &[u8] {
+        &self.encrypted_key_metadata
+    }
+
+    /// Returns the ID of the entity that encrypted this key
+    pub fn encrypted_by_id(&self) -> &str {
+        &self.encrypted_by_id
+    }
+
+    /// Returns the properties map
+    pub fn properties(&self) -> &HashMap<String, String> {
+        &self.properties
+    }
+}
+
+pub(super) mod _serde {
+    use base64::engine::general_purpose::STANDARD as BASE64;
+    use base64::Engine as _;
+
+    use super::*;
+
+    /// Helper struct for serializing/deserializing EncryptedKey
+    #[derive(Serialize, Deserialize)]
+    #[serde(rename_all = "kebab-case")]
+    pub(super) struct EncryptedKeySerde {
+        pub key_id: String,
+        pub encrypted_key_metadata: String, // Base64 encoded
+        pub encrypted_by_id: String,
+        #[serde(default, skip_serializing_if = "HashMap::is_empty")]
+        pub properties: HashMap<String, String>,
+    }
+
+    impl From<&EncryptedKey> for EncryptedKeySerde {
+        fn from(key: &EncryptedKey) -> Self {
+            Self {
+                key_id: key.key_id.clone(),
+                encrypted_key_metadata: BASE64.encode(&key.encrypted_key_metadata),
+                encrypted_by_id: key.encrypted_by_id.clone(),
+                properties: key.properties.clone(),
+            }
+        }
+    }
+
+    impl TryFrom<EncryptedKeySerde> for EncryptedKey {
+        type Error = base64::DecodeError;
+
+        fn try_from(serde_key: EncryptedKeySerde) -> Result<Self, Self::Error> {
+            let encrypted_key_metadata = BASE64.decode(&serde_key.encrypted_key_metadata)?;
+
+            Ok(Self {
+                key_id: serde_key.key_id,
+                encrypted_key_metadata,
+                encrypted_by_id: serde_key.encrypted_by_id,
+                properties: serde_key.properties,
+            })
+        }
+    }
+}
+
+impl Serialize for EncryptedKey {
+    fn serialize<S>(&self, serializer: S) -> Result<S::Ok, S::Error>
+    where S: serde::Serializer {
+        let serde_key = _serde::EncryptedKeySerde::from(self);
+        serde_key.serialize(serializer)
+    }
+}
+
+impl<'de> Deserialize<'de> for EncryptedKey {
+    fn deserialize<D>(deserializer: D) -> Result<Self, D::Error>
+    where D: serde::Deserializer<'de> {
+        let serde_key = _serde::EncryptedKeySerde::deserialize(deserializer)?;
+
+        Self::try_from(serde_key).map_err(serde::de::Error::custom)
+    }
+}
+
+#[cfg(test)]
+mod tests {
+    use serde_json::json;
+
+    use super::*;
+
+    #[test]
+    fn test_encrypted_key_serialization() {
+        // Test data
+        let metadata = b"iceberg";
+        let mut properties = HashMap::new();
+        properties.insert("algo".to_string(), "AES-256".to_string());
+        properties.insert("created-at".to_string(), "2023-05-15T10:30:00Z".to_string());
+
+        // Create the encrypted key
+        let key = EncryptedKey::builder()
+            .key_id("5f819b")
+            .encrypted_key_metadata(metadata.to_vec())
+            .encrypted_by_id("user-456")
+            .properties(properties)
+            .build();
+
+        // Serialize to JSON
+        let serialized = serde_json::to_value(&key).unwrap();
+
+        let expected = json!({
+            "key-id": "5f819b",
+            "encrypted-key-metadata": "aWNlYmVyZw==",
+            "encrypted-by-id": "user-456",
+            "properties": {
+                "algo": "AES-256",
+                "created-at": "2023-05-15T10:30:00Z"
+            }
+        });
+        assert_eq!(serialized, expected);
+    }
+
+    #[test]
+    fn test_encrypted_key_round_trip() {
+        // Test data
+        let metadata = b"binary\0data\xff\xfe with special bytes";
+        let mut properties = HashMap::new();
+        properties.insert("algo".to_string(), "AES-256".to_string());
+
+        // Create the original encrypted key
+        let original_key = EncryptedKey::builder()
+            .key_id("key-abc")
+            .encrypted_key_metadata(metadata.to_vec())
+            .encrypted_by_id("service-xyz")
+            .properties(properties)
+            .build();
+
+        // Serialize to JSON string
+        let json_string = serde_json::to_string(&original_key).unwrap();
+
+        // Deserialize back from JSON string
+        let deserialized_key: EncryptedKey = serde_json::from_str(&json_string).unwrap();
+
+        // Verify the keys match
+        assert_eq!(deserialized_key, original_key);
+        assert_eq!(deserialized_key.encrypted_key_metadata(), metadata);
+    }
+
+    #[test]
+    fn test_encrypted_key_empty_properties() {
+        // Create a key without properties
+        let key = EncryptedKey::builder()
+            .key_id("key-123")
+            .encrypted_key_metadata(b"data".to_vec())
+            .encrypted_by_id("user-456")
+            .build();
+
+        // Serialize to JSON
+        let serialized = serde_json::to_value(&key).unwrap();
+
+        // Verify properties field is skipped when empty
+        assert!(!serialized.as_object().unwrap().contains_key("properties"));
+
+        // Deserialize back
+        let deserialized: EncryptedKey = serde_json::from_value(serialized).unwrap();
+        assert_eq!(deserialized.properties().len(), 0);
+    }
+
+    #[test]
+    fn test_invalid_base64() {
+        // Invalid base64 string
+        let json_value = json!({
+            "key-id": "key-123",
+            "encrypted-key-metadata": "invalid@base64",
+            "encrypted-by-id": "user-456"
+        });
+
+        // Attempt to deserialize should fail
+        let result: Result<EncryptedKey, _> = serde_json::from_value(json_value);
+        assert!(result.is_err());
+    }
+}
diff --git a/crates/iceberg/src/spec/mod.rs b/crates/iceberg/src/spec/mod.rs
@@ -18,6 +18,7 @@
 //! Spec for Iceberg.
 
 mod datatypes;
+mod encrypted_key;
 mod manifest;
 mod manifest_list;
 mod name_mapping;
@@ -36,6 +37,7 @@ mod view_metadata_builder;
 mod view_version;
 
 pub use datatypes::*;
+pub use encrypted_key::*;
 pub use manifest::*;
 pub use manifest_list::*;
 pub use name_mapping::*;
diff --git a/crates/iceberg/src/spec/table_metadata.rs b/crates/iceberg/src/spec/table_metadata.rs
@@ -175,6 +175,8 @@ pub struct TableMetadata {
     pub(crate) statistics: HashMap<i64, StatisticsFile>,
     /// Mapping of snapshot ids to partition statistics files.
     pub(crate) partition_statistics: HashMap<i64, PartitionStatisticsFile>,
+    /// Encryption Keys
+    pub(crate) encryption_keys: HashMap<String, String>,
 }
 
 impl TableMetadata {
@@ -418,6 +420,18 @@ impl TableMetadata {
         }
     }
 
+    /// Iterate over all encryption keys
+    #[inline]
+    pub fn encryption_keys_iter(&self) -> impl ExactSizeIterator<Item = (&String, &String)> {
+        self.encryption_keys.iter()
+    }
+
+    /// Get the encryption key for a given key id
+    #[inline]
+    pub fn encryption_key(&self, key_id: &str) -> Option<&String> {
+        self.encryption_keys.get(key_id)
+    }
+
     /// Normalize this partition spec.
     ///
     /// This is an internal method
@@ -905,6 +919,7 @@ pub(super) mod _serde {
                 }),
                 statistics: index_statistics(value.statistics),
                 partition_statistics: index_partition_statistics(value.partition_statistics),
+                encryption_keys: HashMap::new(),
             };
 
             metadata.borrow_mut().try_normalize()?;
@@ -1061,6 +1076,7 @@ pub(super) mod _serde {
                 },
                 statistics: index_statistics(value.statistics),
                 partition_statistics: index_partition_statistics(value.partition_statistics),
+                encryption_keys: HashMap::new(),
             };
 
             metadata.borrow_mut().try_normalize()?;
@@ -1460,6 +1476,7 @@ mod tests {
             refs: HashMap::new(),
             statistics: HashMap::new(),
             partition_statistics: HashMap::new(),
+            encryption_keys: HashMap::new(),
         };
 
         let expected_json_value = serde_json::to_value(&expected).unwrap();
@@ -1635,6 +1652,7 @@ mod tests {
             refs: HashMap::from_iter(vec![("main".to_string(), SnapshotReference { snapshot_id: 638933773299822130, retention: SnapshotRetention::Branch { min_snapshots_to_keep: None, max_snapshot_age_ms: None, max_ref_age_ms: None } })]),
             statistics: HashMap::new(),
             partition_statistics: HashMap::new(),
+            encryption_keys: HashMap::new(),
         };
 
         check_table_metadata_serde(data, expected);
@@ -1732,6 +1750,7 @@ mod tests {
             refs: HashMap::new(),
             statistics: HashMap::new(),
             partition_statistics: HashMap::new(),
+            encryption_keys: HashMap::new(),
         };
 
         let expected_json_value = serde_json::to_value(&expected).unwrap();
@@ -2262,6 +2281,7 @@ mod tests {
                     max_ref_age_ms: None,
                 },
             })]),
+            encryption_keys: HashMap::new(),
         };
 
         check_table_metadata_serde(data, expected);
@@ -2396,6 +2416,7 @@ mod tests {
                     max_ref_age_ms: None,
                 },
             })]),
+            encryption_keys: HashMap::new(),
         };
 
         check_table_metadata_serde(data, expected);
@@ -2557,6 +2578,7 @@ mod tests {
             })]),
             statistics: HashMap::new(),
             partition_statistics: HashMap::new(),
+            encryption_keys: HashMap::new(),
         };
 
         check_table_metadata_serde(&metadata, expected);
@@ -2641,6 +2663,7 @@ mod tests {
             refs: HashMap::new(),
             statistics: HashMap::new(),
             partition_statistics: HashMap::new(),
+            encryption_keys: HashMap::new(),
         };
 
         check_table_metadata_serde(&metadata, expected);
@@ -2709,6 +2732,7 @@ mod tests {
             refs: HashMap::new(),
             statistics: HashMap::new(),
             partition_statistics: HashMap::new(),
+            encryption_keys: HashMap::new(),
         };
 
         check_table_metadata_serde(&metadata, expected);
diff --git a/crates/iceberg/src/spec/table_metadata_builder.rs b/crates/iceberg/src/spec/table_metadata_builder.rs
@@ -120,6 +120,7 @@ impl TableMetadataBuilder {
                 refs: HashMap::default(),
                 statistics: HashMap::new(),
                 partition_statistics: HashMap::new(),
+                encryption_keys: HashMap::new(),
             },
             last_updated_ms: None,
             changes: vec![],
diff --git a/crates/iceberg/src/writer/file_writer/location_generator.rs b/crates/iceberg/src/writer/file_writer/location_generator.rs
@@ -179,6 +179,7 @@ pub(crate) mod test {
             refs: HashMap::new(),
             statistics: HashMap::new(),
             partition_statistics: HashMap::new(),
+            encryption_keys: HashMap::new(),
         };
 
         let file_name_genertaor = super::DefaultFileNameGenerator::new(
