PYCBC-1705: Fix FLE imports and exceptions

Motivation
==========
Update and modernize the encryption package interfaces and exceptions so
that the separate cbencryption package is compatible with the 4.x version of the
SDK.

Changes
=======
* Update import order of encryption interfaces and classes to avoid
  circular import error
* Migrate away from comment-based type annotations
* Update crypto exceptions

Change-Id: I6630d20ae22acbcd471ef595a6b66aa0000fb59c
Reviewed-on: https://review.couchbase.org/c/couchbase-python-client/+/234185
Tested-by: Build Bot <build@couchbase.com>
Reviewed-by: Dimitris Christodoulou <dimitris.christodoulou@couchbase.com>

Author: thejcfactor

couchbase/encryption/__init__.py

@@ -1,4 +1,4 @@
-#  Copyright 2016-2022. Couchbase, Inc.
+#  Copyright 2016-2025. Couchbase, Inc.
 #  All Rights Reserved.
 #
 #  Licensed under the Apache License, Version 2.0 (the "License")
@@ -14,8 +14,10 @@
 #  limitations under the License.
 
 from .crypto_manager import CryptoManager  # noqa: F401
-from .decrypter import Decrypter  # noqa: F401
-from .encrypter import Encrypter  # noqa: F401
 from .encryption_result import EncryptionResult  # noqa: F401
 from .key import Key  # noqa: F401
 from .keyring import Keyring  # noqa: F401
+
+# import Encrypter/Decrypter last to avoid circular import
+from .decrypter import Decrypter  # nopep8 # isort:skip # noqa: F401
+from .encrypter import Encrypter  # nopep8 # isort:skip # noqa: F401

couchbase/encryption/crypto_manager.py

@@ -1,4 +1,4 @@
-#  Copyright 2016-2022. Couchbase, Inc.
+#  Copyright 2016-2025. Couchbase, Inc.
 #  All Rights Reserved.
 #
 #  Licensed under the Apache License, Version 2.0 (the "License")
@@ -14,43 +14,39 @@
 #  limitations under the License.
 
 from abc import ABC, abstractmethod
-from typing import Optional, Union
+from typing import (Any,
+                    Optional,
+                    Union)
 
 
 class CryptoManager(ABC):
     """Interface a CryptoManager must implement
 
     """
 
-    _DEFAULT_ENCRYPTER_ALIAS = "__DEFAULT__"
+    _DEFAULT_ENCRYPTER_ALIAS = '__DEFAULT__'
 
     @abstractmethod
-    def encrypt(self,
-                plaintext,  # type: Union[str, bytes, bytearray]
-                encrypter_alias=None,  # type: Optional[str]
-                ) -> dict:
+    def encrypt(self, plaintext: Union[str, bytes, bytearray], encrypter_alias: Optional[str] = None) -> dict[str, Any]:
         """Encrypts the given plaintext using the given encrypter alias.
 
         Args:
             plaintext (Union[str, bytes, bytearray]): Input to be encrypted
             encrypter_alias (str, optional):  Alias of encrypter to use, if None, default alias is used.
 
         Returns:
-            Dict: A :class:`~couchbase.encryption.EncryptionResult` as a dict
+            dict: A :class:`~couchbase.encryption.EncryptionResult` as a dict
 
         Raises:
             :class:`~couchbase.exceptions.EncryptionFailureException`
         """
-        pass
 
     @abstractmethod
-    def decrypt(self,
-                encrypted,  # type: dict
-                ) -> bytes:
+    def decrypt(self, encrypted: dict[str, Any]) -> bytes:
         """Decrypts the given encrypted result based on the 'alg' key in the encrypted result.
 
         Args:
-            encrypted (Dict): A dict containing encryption information, must have an 'alg' key.
+            encrypted (dict[str, Any]): A dict containing encryption information, must have an 'alg' key.
 
         Returns:
             bytes: A decrypted result based on the given encrypted input.
@@ -59,12 +55,9 @@ def decrypt(self,
             :class:`~couchbase.exceptions.DecryptionFailureException`
 
         """
-        pass
 
     @abstractmethod
-    def mangle(self,
-               field_name,  # type: str
-               ) -> str:
+    def mangle(self, field_name: str) -> str:
         """Mangles provided JSON field name.
 
         Args:
@@ -73,12 +66,9 @@ def mangle(self,
         Returns:
             str: The mangled field name.
         """
-        pass
 
     @abstractmethod
-    def demangle(self,
-                 field_name,  # type: str
-                 ) -> str:
+    def demangle(self, field_name: str) -> str:
         """Demangles provided JSON field name.
 
         Args:
@@ -87,12 +77,9 @@ def demangle(self,
         Returns:
             str: The demangled field name.
         """
-        pass
 
     @abstractmethod
-    def is_mangled(self,
-                   field_name,  # type: str
-                   ) -> bool:
+    def is_mangled(self, field_name: str) -> bool:
         """Checks if provided JSON field name has been mangled.
 
         Args:
@@ -102,4 +89,3 @@ def is_mangled(self,
             bool: True if the field is mangled, False otherwise.
 
         """
-        pass

couchbase/encryption/decrypter.py

@@ -1,4 +1,4 @@
-#  Copyright 2016-2022. Couchbase, Inc.
+#  Copyright 2016-2025. Couchbase, Inc.
 #  All Rights Reserved.
 #
 #  Licensed under the Apache License, Version 2.0 (the "License")
@@ -14,26 +14,22 @@
 #  limitations under the License.
 
 from abc import ABC, abstractmethod
-from typing import TYPE_CHECKING, Optional
+from typing import Optional
 
-if TYPE_CHECKING:
-    from couchbase.encryption import EncryptionResult, Keyring
+from couchbase.encryption import EncryptionResult, Keyring
 
 
 class Decrypter(ABC):
     """Interface a Decrypter must implement
 
     """
 
-    def __init__(self,
-                 keyring,  # type: Keyring
-                 alg=None,  # type: Optional[str]
-                 ):
+    def __init__(self, keyring: Keyring, alg: Optional[str] = None) -> None:
         self._keyring = keyring
         self._alg = alg
 
     @property
-    def keyring(self):
+    def keyring(self) -> Keyring:
         return self._keyring
 
     def algorithm(self) -> str:
@@ -45,9 +41,7 @@ def algorithm(self) -> str:
         return self._alg
 
     @abstractmethod
-    def decrypt(self,
-                encrypted,  # type: EncryptionResult
-                ) -> bytes:
+    def decrypt(self, encrypted: EncryptionResult) -> bytes:
         """Decrypts the given :class:`~couchbase.encryption.EncryptionResult` ciphertext.
 
         The Decrypter's algorithm should match the `alg` property of the given

couchbase/encryption/encrypter.py

@@ -1,4 +1,4 @@
-#  Copyright 2016-2022. Couchbase, Inc.
+#  Copyright 2016-2025. Couchbase, Inc.
 #  All Rights Reserved.
 #
 #  Licensed under the Apache License, Version 2.0 (the "License")
@@ -20,10 +20,8 @@
 
 
 class Encrypter(ABC):
-    def __init__(self,
-                 keyring,  # type: Keyring
-                 key,  # type: str
-                 ):
+
+    def __init__(self, keyring: Keyring, key: str) -> None:
         self._keyring = keyring
         self._key = key
 
@@ -36,9 +34,7 @@ def key(self) -> str:
         return self._key
 
     @abstractmethod
-    def encrypt(self,
-                plaintext,  # type: Union[str, bytes, bytearray]
-                ) -> EncryptionResult:
+    def encrypt(self, plaintext: Union[str, bytes, bytearray]) -> EncryptionResult:
         """Encrypts the given plaintext
 
         Args:
@@ -52,4 +48,3 @@ def encrypt(self,
             :class:`~couchbase.exceptions.InvalidCryptoKeyException`: If the :class:`.Encrypter` has an invalid
             key for encryption.
         """
-        pass

couchbase/encryption/encryption_result.py

@@ -1,4 +1,4 @@
-#  Copyright 2016-2022. Couchbase, Inc.
+#  Copyright 2016-2025. Couchbase, Inc.
 #  All Rights Reserved.
 #
 #  Licensed under the Apache License, Version 2.0 (the "License")
@@ -25,93 +25,67 @@
 
 class EncryptionResult:
     def __init__(self,
-                 alg,  # type: str
-                 kid=None,  # type: Optional[str]
-                 ciphertext=None,  # type: Optional[str]
-                 **kwargs,  # type: Optional[Any]
+                 alg: str = '',
+                 kid: Optional[str] = None,
+                 ciphertext: Optional[str] = None,
+                 **kwargs: Any
                  ):
-        self._map = {"alg": alg}
+        if not alg:
+            raise InvalidArgumentException('EncryptionResult must include alg property.')
+
+        self._map: dict[str, Any] = {'alg': alg}
 
         if kid:
-            self._map["kid"] = kid
+            self._map['kid'] = kid
 
         if ciphertext and self._valid_base64(ciphertext):
-            self._map["ciphertext"] = ciphertext
+            self._map['ciphertext'] = ciphertext
 
         if kwargs:
             self._map.update(**kwargs)
 
     @classmethod
-    def new_encryption_result_from_dict(cls,
-                                        values,  # type: dict
-                                        ) -> EncryptionResult:
-
-        alg = values.pop("alg", None)
-        if not alg:
-            raise InvalidArgumentException(
-                "EncryptionResult must include alg property."
-            )
-
-        return EncryptionResult(alg, **values)
+    def new_encryption_result_from_dict(cls, values: dict[str, Any]) -> EncryptionResult:
+        return EncryptionResult(**values)
 
-    def put(self,
-            key,  # type: str
-            val  # type: Any
-            ):
+    def put(self, key: str, val: Any) -> None:
         self._map[key] = val
 
-    def put_and_base64_encode(self,
-                              key,  # type: str
-                              val,  # type: bytes
-                              ):
+    def put_and_base64_encode(self, key: str, val: bytes) -> None:
         if not isinstance(val, bytes):
-            raise ValueError("Provided value must be of type bytes.")
+            raise ValueError('Provided value must be of type bytes.')
         self._map[key] = base64.b64encode(val)
 
-    def get(self,
-            key,  # type: str
-            ) -> Any:
+    def get(self, key: str) -> Any:
         val = self._map.get(key, None)
         if not val:
-            raise CryptoKeyNotFoundException(
-                message="No mapping to EncryptionResult value found for key: '{}'.".format(
-                    key)
-            )
+            raise CryptoKeyNotFoundException(message=f"No mapping to EncryptionResult value found for key: '{key}'.")
 
         return val
 
     def algorithm(self) -> str:
-        return self._map["alg"]
+        return self._map['alg']
 
-    def get_with_base64_decode(self,
-                               key,  # type: str
-                               ) -> bytes:
+    def get_with_base64_decode(self, key: str) -> bytes:
         val = self._map.get(key, None)
         if not val:
-            raise CryptoKeyNotFoundException(
-                message="No mapping to EncryptionResult value found for key: '{}'.".format(
-                    key)
-            )
+            raise CryptoKeyNotFoundException(message=f"No mapping to EncryptionResult value found for key: '{key}'.")
 
         return base64.b64decode(val)
 
     def asdict(self) -> dict:
         return self._map
 
-    def _valid_base64(self,
-                      val,  # type: Union[str, bytes, bytearray]
-                      ) -> bool:
+    def _valid_base64(self, val: Union[str, bytes, bytearray]) -> bool:
         try:
             if isinstance(val, str):
-                bytes_val = bytes(val, "ascii")
+                bytes_val = bytes(val, 'ascii')
             elif isinstance(val, bytes):
                 bytes_val = val
             elif isinstance(val, bytearray):
                 bytes_val = val
             else:
-                raise ValueError(
-                    "Provided value must be of type str, bytes or bytearray"
-                )
+                raise ValueError('Provided value must be of type str, bytes or bytearray')
 
             return base64.b64encode(base64.b64decode(bytes_val)) == bytes_val
 

couchbase/encryption/key.py

@@ -1,4 +1,4 @@
-#  Copyright 2016-2022. Couchbase, Inc.
+#  Copyright 2016-2025. Couchbase, Inc.
 #  All Rights Reserved.
 #
 #  Licensed under the Apache License, Version 2.0 (the "License")
@@ -17,10 +17,7 @@
 
 
 class Key:
-    def __init__(self,
-                 id,  # type: str
-                 bytes_,  # type: Union[bytes, bytearray]
-                 ):
+    def __init__(self, id: str, bytes_: Union[bytes, bytearray]) -> None:
         self._id = id
         self._bytes = bytes_ if isinstance(bytes_, bytes) else bytes(bytes_)
 

couchbase/encryption/keyring.py

@@ -1,4 +1,4 @@
-#  Copyright 2016-2022. Couchbase, Inc.
+#  Copyright 2016-2025. Couchbase, Inc.
 #  All Rights Reserved.
 #
 #  Licensed under the Apache License, Version 2.0 (the "License")
@@ -14,21 +14,18 @@
 #  limitations under the License.
 
 from abc import ABC, abstractmethod
-from typing import TYPE_CHECKING
 
-if TYPE_CHECKING:
-    from couchbase.encryption import Key
+from couchbase.encryption import Key
 
 
 class Keyring(ABC):
+
     @abstractmethod
-    def get_key(self,
-                key_id,  # type: str
-                ) -> Key:
+    def get_key(self, key_id: str) -> Key:
         """Returns requested key
 
         Args:
-            keyid (str): Key ID to retrieve
+            key_id (str): Key ID to retrieve
 
         Returns:
             :class:`~couchbase.encryption.Key`: The corresponding :class:`~couchbase.encryption.Key`