# Getting Started with CipherStash and Jupyter Notebook

This notebook describes how to get started with CipherStash using Python3, Jupyter Notebook, psycopg2 and SQLAlchemy.and

## Prerequisites

You must have:
* [PostgreSQL **client**](https://www.postgresql.org/) (The server will be run using Docker in this notebook)
* [Python 3](https://www.python.org/)
* [Jupyter Notebook](https://jupyter.org/install)
* [Docker](https://docs.docker.com/get-started/get-docker/)
* [Docker compose](https://docs.docker.com/compose/install/)
* [curl](https://curl.se)
* [CipherStash account](https://cipherstash.com/signup)
* [CipherStash CLI](https://github.com/cipherstash/cli-releases/releases/latest)

> Please note that on MS Windows' PowerShell, there is a built-in alias `curl` which is different from [curl listed above](https://curl.se).
A simple way around this is to start Jupyter Notebook from cmd.exe instead of PowerShell.

## Start CipherStash Proxy and PostgreSQL

In order to run the example, you will need to start CipherStash Proxy and PostgreSQL.
You can use the [playground environment](../../playground/README.md) to do this.

## Installing required components and table creation

Once the containers are up, there are a few things to be installed.
A table must also be created to store encrypted data.
Do the following steps to install them and create a table.

### Install application specific database types

In [None]:
%env PGPASSWORD=postgres 
! psql -h localhost -p 5432 -U postgres postgres < application_types.sql

### Create a table and indexes for testing encryption

In [None]:
%env PGPASSWORD=postgres
! psql -h localhost -p 5432 -U postgres postgres < create_examples_table.sql

### Start CipherStash Proxy

After running the setup scripts, CipherStash Proxy can be started:

In [None]:
! docker compose up proxy -d

The command above should start CipherStash Proxy.
At any point, you can check the logs to see if there are any errors in your terminal window.
From the directory where your docker-copmose.yml is located (`jupyter_notebook/` by default):

> docker compose logs -f proxy

## Run Python code

With the services running (this can be checked with `docker compose ps` from the shell), it's time to run some Python code.

Before actual code examples, below is a short introduction of what needs to happen between the native Python data types and encrypted database types.

### Classes that convert between the database format and Python format

There are classes prefixed with `Eql` defined in `eqlpy` which handles conversion between the format CypherStash Proxy requires and the format for Python.

In order to encrypt and store plaintext values, CipherStash Proxy requires encrypted columns in its specific format.
In Python, this conversion is done by creating an object of `EqlText` as:
```
txt = EqlText("hello, world", "pyexamples", "encrypted_utf8_str")
txt.to_db_format()
```

The constructor for `EqlText` takes the string value, the table name (`"pyexamples"`) and the column name (`"encrypted_utf8_str"`).

### Install psycopg2 and sqlalchemy

Install `psycopg2` and `sqlalchemy` if you have not done so yet:

In [None]:
%pip install psycopg2 sqlalchemy eqlpy

### Import class definitions

There are some classes defined for encrytped types in this project directory.
They are in `eql_types.py` in the `eqlpy` package if you are interested in implementation details.

In [None]:
from psycopg2.extras import RealDictCursor
import psycopg2
from eqlpy.eql_types import *

print("Importing done.")

## Define column-function mapping

In order to build plain-text `EqlRow`s from encrypted records, we have to provide `EqlRow` with information on which functions should be used to convert them.

In [None]:
mapping = {
    'encrypted_int': EqlInt.from_parsed_json,
    'encrypted_boolean': EqlBool.from_parsed_json,
    'encrypted_date': EqlDate.from_parsed_json,
    'encrypted_float': EqlFloat.from_parsed_json,
    'encrypted_utf8_str': EqlText.from_parsed_json,
    'encrypted_jsonb': EqlJsonb.from_parsed_json
}

print("column-function mapping defined")

## Insert test record

With the database extensions, EQL, and application specific data types installed together with the type definitions for Python, your setup is now ready to encrypt and decrypt data.

Run the following to create a record in the `pyexamples` table:

In [None]:
from pprint import pprint
from datetime import datetime

conn = psycopg2.connect("host=localhost dbname=postgres user=postgres password=postgres port=6432")

cur = conn.cursor(cursor_factory=RealDictCursor)

cur.execute("delete from pyexamples") # Clear the table in case there are records from previous runs
cur.execute("select cs_refresh_encrypt_config()")

cur.execute("INSERT INTO pyexamples (encrypted_int, encrypted_boolean, encrypted_date, encrypted_float, encrypted_utf8_str) VALUES (%s, %s, %s, %s, %s)",
    (
        EqlInt(-51, "pyexamples", "encrypted_int").to_db_format(),
        EqlBool(False, "pyexamples", "encrypted_boolean").to_db_format(),
        EqlDate(datetime.now().date(), "pyexamples", "encrypted_date").to_db_format(),
        EqlFloat(-0.5, "pyexamples", "encrypted_float").to_db_format(),
        EqlText("hello, world", "pyexamples", "encrypted_utf8_str").to_db_format()
    )
)

conn.commit()

print("example row created in pyexamples table")

This should insert a single row in the encrypted `pyexamples` table as:

|encrypted_int|encrypted_boolean|encrypted_date|encrypted_float|encrypted_utf8_str|
|---|-----|--------------|----|------------|
|-51|false|2024-11-01    |-0.5|hello, world|

You can check what it looks like from both regular PostgreSQL running on port 5432 and CipherStash Proxy running on port 6432.
To look at the data through CipherStash Proxy, run the following:

In [None]:
# From CipherStash Proxy; you should see plaintext JSONB
%env PGPASSWORD=postgres
! psql -h localhost -p 6432 -U postgres -x -c "select * from pyexamples limit 1;" postgres

To look at the data directly on the PostgreSQL server, run the following:

In [None]:
# From PostgreSQL; you should see JSONB with encrypted values
%env PGPASSWORD=postgres
! psql -h localhost -p 5432 -U postgres -x -c "select * from pyexamples limit 1;" postgres

In the above example, not all fields are populated, but the populated fields contain JSONB values including the encrypted values.

### Converting to Python types

By querying the proxy, you will see the JSONB values as seen above (decrypted version in the Proxy example, not the PostgreSQL example).

The values should then be converted to types that can be used in Python using class methods for each type:

In [None]:
from IPython.display import display, Markdown

cur.execute("select * from pyexamples")

records = cur.fetchall()

record0 = records[0]

# `from_parsed_json` methods convert the values into the corresponding Python types
content = f"""
### Values in the record
|  |  |
|--|--|
|int | {EqlInt.from_parsed_json(record0['encrypted_int'])}|
|boolean | {EqlBool.from_parsed_json(record0['encrypted_boolean'])}|
|datetime | {EqlDate.from_parsed_json(record0['encrypted_date'])}|
|float | {EqlFloat.from_parsed_json(record0['encrypted_float'])}|
|text | {EqlText.from_parsed_json(record0['encrypted_utf8_str'])}|
"""

display(Markdown(content))


### Querying with the encrypted fields

You can also use the encrypted fields for queries.

First, add some values so there are more than 1 text values and float values stored:

In [None]:
# data for MATCH
cur.execute("INSERT INTO pyexamples (encrypted_utf8_str) VALUES (%s) ON CONFLICT DO NOTHING",
    (
        EqlText("hello, python", "pyexamples", "encrypted_utf8_str").to_db_format(),
    )
)

cur.execute("INSERT INTO pyexamples (encrypted_utf8_str) VALUES (%s) ON CONFLICT DO NOTHING",
    (
        EqlText("hello, jupyter", "pyexamples", "encrypted_utf8_str").to_db_format(),
    )
)

# data for ORE
cur.execute("INSERT INTO pyexamples (encrypted_float) VALUES (%s)",
    (
        EqlFloat(100.1, "pyexamples", "encrypted_float").to_db_format(),
    )
)

cur.execute("INSERT INTO pyexamples (encrypted_float) VALUES (%s)",
    (
        EqlFloat(100.2, "pyexamples", "encrypted_float").to_db_format(),
    )
)

conn.commit()

print("created data for MATCH and ORE queries")

The example code above should insert rows like these in the pyexamples table:

|  | encrypted_utf_data | encrypted_float||
|--|---|---|---|
|  |hello, python| | |
|  |hello, jupyter| | |
|  |   | 100.1 | |
|  |   | 100.2 | |


### Partial matching

Now, a query can be run to look for a record in the `pyexamples` table where `encrypted_utf_8_str` field contains text `"pyth"`, which should match `"hello, python"`:

In [None]:
# MATCH query for "pyth"
cur.execute("SELECT * FROM pyexamples WHERE cs_match_v1(encrypted_utf8_str) @> cs_match_v1(%s)", (EqlText("pyth", "pyexamples", "encrypted_utf8_str").to_db_format(),))

found = cur.fetchall()[0]
print(f"Record Found with MATCH query: {EqlRow(mapping, found).row}\n")
print(f"Text inside the found record: {EqlText.from_parsed_json(found['encrypted_utf8_str'])}")

### Exact matching

Similarly, a query for the exact text of `"hello, jupyter"` in the `encrypted_utf_8_str` field:

In [None]:
# UNIQUE
cur.execute("SELECT * FROM pyexamples WHERE cs_unique_v1(encrypted_utf8_str) = cs_unique_v1(%s)", (EqlText("hello, jupyter", "pyexamples", "encrypted_utf8_str").to_db_format(),))
found = cur.fetchall()[0]
print(f"Record Found with UNIQUE query: {EqlRow(mapping, found).row}\n")
print(f"Text inside the found record: {EqlText.from_parsed_json(found['encrypted_utf8_str'])}")

### ORE queries

With ORE, you can run a query for a record with `encrypted_float` that is larger than `100.15` which should match `100.2`:

In [None]:
# ORE
cur.execute("SELECT * FROM pyexamples WHERE cs_ore_64_8_v1(encrypted_float) > cs_ore_64_8_v1(%s)", (EqlFloat(100.15, "pyexamples", "encrypted_float").to_db_format(),))
found = cur.fetchall()[0]
print(f"Record Found with ORE query: {EqlRow(mapping, found).row}\n")
print(f"Float inside the found record: {EqlFloat.from_parsed_json(found['encrypted_float'])}")


### Updating records

Encrypted fields can be updated too.
The interface is similar to creating and querying:

In [None]:
cur.execute("SELECT * FROM pyexamples WHERE cs_unique_v1(encrypted_utf8_str) = cs_unique_v1(%s)", (EqlText("hello, jupyter", "pyexamples", "encrypted_utf8_str").to_db_format(),))
found = cur.fetchall()[0]
record_id = found['id']

cur.execute(
    "UPDATE pyexamples SET encrypted_utf8_str = %s WHERE id = %s",
    (EqlText("UPDATED TEXT", "pyexamples", "encrypted_utf8_str").to_db_format(), record_id)  # Replace 'column_name' and 'new_value' with actual column and value
)
cur.execute("SELECT * FROM pyexamples WHERE id = %s", (record_id,))
found = cur.fetchall()[0]
print(f"Updated row: {EqlRow(mapping, found).row}")

### JSONB queries and operations

There are multiple types of JSONB queries and operations supported.
Here, we introduce:

* Containment query
* Field extraction
* WHERE with field exctraction
* ORDER BY with field extraction
* GROUP BY with field extraction

First, create the data for JSONB queries. The following queries will create records with JSONB values as:

| encrypted_jsonb |
|---------|
| {"num": 1, "category": "a", "top": {"nested": ["a", "b", "c"]} |
| {"num": 2, "category": "b", "top": {"nested": ["a"]}} |
| {"num": 3, "category": "b", "top": {"nested": ["z"]}} |

In [None]:
cur.execute("DELETE FROM pyexamples;")

# data for JSONB queries
cur.execute("INSERT INTO pyexamples (encrypted_jsonb) VALUES (%s)",
    (
        EqlJsonb({"num": 1, "category": "a", "top": {"nested": ["a", "b", "c"]}}, "pyexamples", "encrypted_jsonb").to_db_format(),
    )
)

cur.execute("INSERT INTO pyexamples (encrypted_jsonb) VALUES (%s)",
    (
        EqlJsonb({"num": 2, "category": "b", "top": {"nested": ["a"]}}, "pyexamples", "encrypted_jsonb").to_db_format(),
    )
)

cur.execute("INSERT INTO pyexamples (encrypted_jsonb) VALUES (%s)",
    (
        EqlJsonb({"num": 3, "category": "b", "top": {"nested": ["z"]}}, "pyexamples", "encrypted_jsonb").to_db_format(),
    )
)# JSONB containment 1


conn.commit()

print("Data for JSONB queries created")

### JSONB containment queries

A record can be found using the JSONB containment.
The following matches the JSONB field containing keys `top` and `nested` with the `@>` operator:

In [None]:
# JSONB containment 1
cur.execute("SELECT * from pyexamples WHERE cs_ste_vec_v1(encrypted_jsonb) @> cs_ste_vec_v1(%s)", (EqlJsonb({'top': { 'nested': ['a', 'b'] } }, "pyexamples", "encrypted_jsonb").to_db_format("ste_vec"),))
found = cur.fetchall()
for f in found:
    print(f"Record Found with JSONB query: {EqlRow(mapping, f).row}\n")
    print(f"JSONB inside the found record: {EqlJsonb.from_parsed_json(f['encrypted_jsonb'])}\n")

Also, the reverse operator (`<@`) is available to the above.
This query matches the JSONB field that's contained in the query:

In [None]:
# JSONB containment 2
cur.execute("SELECT * from pyexamples WHERE cs_ste_vec_v1(encrypted_jsonb) <@ cs_ste_vec_v1(%s)", (EqlJsonb({"num": 2, "category": "b", 'top': {'nested': ['a'] } }, "pyexamples", "encrypted_jsonb").to_db_format("ste_vec"),))
found = cur.fetchall()
print("Record Found with JSONB query:")
for f in found:
    print(f"  {EqlRow(mapping, f).row}")

### JSONB field extraction

Specific JSONB fields can be accessed in queries.

The following finds all values in `$.top.nested`:



In [None]:
query = "SELECT cs_ste_vec_value_v1(encrypted_jsonb, %s) AS val FROM pyexamples"

results = cur.execute(query, (EqlJsonb("$.top.nested", "pyexamples", "encrypted_jsonb").to_db_format("ejson_path"),))

found = cur.fetchall()
print("values from '$.top.nested':")
for f in found:
    print(f"  {EqlRow(mapping, f).row.get('val', {}).get('p')}")

### JSONB field in WHERE query

In [None]:
query = "SELECT * FROM pyexamples WHERE cs_ste_vec_term_v1(encrypted_jsonb, %s) > cs_ste_vec_term_v1(%s)"

cur.execute(
    query,
    (EqlJsonb("$.num", "pyexamples", "encrypted_jsonb").to_db_format("ejson_path"),
        EqlJsonb(1, "pyexamples", "encrypted_jsonb").to_db_format("ste_vec")
    )
)

found = cur.fetchall()

for f in found:
    print(f"Record Found with JSONB query: {EqlRow(mapping, f).row}\n")

### JSONB field in ORDER BY

Field extraction can also be used to order the results.
The following will demonstrate ordering by the 'num' field in descending order:

In [None]:
query = "SELECT * FROM pyexamples ORDER BY cs_ste_vec_term_v1(encrypted_jsonb, %s) DESC"

cur.execute(
    query,
    (EqlJsonb("$.num", "pyexamples", "encrypted_jsonb").to_db_format("ejson_path"),)
)
found = cur.fetchall();
print("JSONB contents, ordered by 'num' desc:")
for f in found:
    print(f"  {EqlRow(mapping, f).row.get('encrypted_jsonb')}")

### JSONB field in GROUP BY

Field extraction can also be used in GROUP BY.
This example demonstrates how to group the count results by the 'category' column:

In [None]:
query = "SELECT cs_grouped_value_v1(cs_ste_vec_value_v1(encrypted_jsonb, %s)) AS category, COUNT(*) FROM pyexamples GROUP BY cs_ste_vec_term_v1(encrypted_jsonb, %s)"

cur.execute(
    query,
    (EqlJsonb("$.category", "pyexamples", "encrypted_jsonb").to_db_format("ejson_path"),
    EqlJsonb("$.category", "pyexamples", "encrypted_jsonb").to_db_format("ejson_path"))
)

found = cur.fetchall()

print("count, grouped by category:")
for f in found:
    row = EqlRow(mapping, f).row
    print(f"  category: {row.get('category', {}).get('p')}, count: {row.get('count')}")


### Clean up

Clean up the data before going to the next section:

In [None]:
cur.execute("DELETE FROM pyexamples")
conn.commit()

## Using SQLAlchemy

### Model definitions and example data

To use SQLAlchemy with CipherStash Encrypt, it is necessary to have model classes that can handle the format conversion.

Import the model definition and create some records as below:

In [None]:
from sqlalchemy import create_engine, select, text
from sqlalchemy.orm import sessionmaker
from eqlpy.eqlalchemy import *
from datetime import date
from example_model import Example

# Creating engine. Optionally add echo=True to see the SQL statetments dumped to stdout
engine = create_engine('postgresql://postgres:postgres@localhost:6432/postgres')
Session = sessionmaker(bind=engine)
session = Session()

BaseModel.metadata.create_all(engine) # Create table for models if it's not created yetbelow and

# Clear data if there is any from previous runs
session.query(Example).delete()

ex = Example(e_utf8_str = "example record 1", e_jsonb = {'a': {'b': 1}}, e_int = 42, e_float = 3.14, e_date = date(2024, 10, 25), e_bool=False)
session.add(ex)
session.commit()

ex = Example(e_utf8_str = "example record 2", e_jsonb = {'a': {'c': 2}}, e_int = 43, e_float = 1.41, e_date = date(2024, 10, 26), e_bool=True)
session.add(ex)
session.commit()

ex = Example(e_utf8_str = "example record 3", e_jsonb = {'a': {'b': 1}}, e_int = 44, e_float = 2.718, e_date = date(2024, 10, 27), e_bool=True)
session.add(ex)
session.commit()

print("Example data creation done")

### Querying by exact match

With the example data, you can query the data much like the psycopg2 examples above:

In [None]:
# UNIQUE
query_text = text('cs_unique_v1(encrypted_utf8_str) == cs_unique_v1(:term)')
query = select(Example).where(query_text).params(term=EqlText("example record 1", "pyexamples", "encrypted_utf8_str").to_db_format())
results = session.execute(query).scalars().all()

for e in results:
    print(f"UNIQUE query results: {e}")


Model attributes are available as plain text: 

In [None]:
results[0].encrypted_utf8_str

### Querying by partial match

Partial matching can also performed with SQLAlchemy:

In [None]:
# MATCH
query_text = text('cs_match_v1(encrypted_utf8_str) @> cs_match_v1(:term)')
query = select(Example).where(query_text).params(term=EqlText("example record", "pyexamples", "encrypted_utf8_str").to_db_format())
results = session.execute(query).scalars().all()

for e in results:
    print(f"MATCH query results: {e}")

### Query by ORE

ORE queries can be peformed too:

In [None]:
# ORE
cur.execute("SELECT * FROM pyexamples WHERE cs_ore_64_8_v1(encrypted_float) > cs_ore_64_8_v1(%s)", (EqlFloat(100.15, "pyexamples", "encrypted_float").to_db_format(),))

query_text = text('cs_ore_64_8_v1(encrypted_float) > cs_ore_64_8_v1(:term)')
query = select(Example).where(query_text).params(term=EqlFloat(2.0, "pyexamples", "encrypted_float").to_db_format())
results = session.execute(query).scalars().all()

for e in results:
    print(f"ORE query results: {e}")

### Querying by JSONB containment

These records can be queried by JSONB containment too:

In [None]:
# JSONB

query_text = text(
    "cs_ste_vec_v1(encrypted_jsonb) @> cs_ste_vec_v1(:term)"
)

query = select(Example).where(query_text).params(
    term=EqlJsonb({'a': { 'b': 1 } }, "pyexamples", "encrypted_jsonb").to_db_format("ste_vec")
)
result = session.execute(query).scalars().all()

for e in result:
    print(f"JSONB results: {e}")
    print(f"JSONB field: {e.encrypted_jsonb}")


In [None]:
# JSONB containment 1
cur.execute("SELECT * from pyexamples WHERE cs_ste_vec_v1(encrypted_jsonb) @> cs_ste_vec_v1(%s)", (EqlJsonb({'a': { 'b': 1 } }, "pyexamples", "encrypted_jsonb").to_db_format("ste_vec"),))
found = cur.fetchall()
for f in found:
    print(f"Record Found with JSONB query: {EqlRow(mapping, f).row}\n")
    print(f"JSONB inside the found record: {EqlJsonb.from_parsed_json(f['encrypted_jsonb'])}\n")

### Updating the records

In [None]:
if len(results) > 0:
    record_id = results[0].id

    results[0].encrypted_utf8_str = 'example record 1 UPDATED'
    results[0].encrypted_jsonb = json.dumps({'z': {'y': 0}})
    session.commit()

    updated = session.query(Example).where(Example.id == record_id).first()

    print(f"Updated record: {updated}")
else:
    print("Unexpected: results are empty")

This updated record is still encrypted in the database:

In [None]:
%env PGPASSWORD=postgres
! psql -h localhost -p 5432 -U postgres -x -c "select * from pyexamples where id = {record_id};" postgres

## Wrapping up

That's all for this notebook.

There are many more features not covered in this notebook.
Refer to [EQL repository](https://github.com/cipherstash/encrypt-query-language/) and [CipherStash documentation](https://cipherstash.com/docs) for more information.