dbx-core 0.2.2

High-performance file-based database engine with 5-Tier Hybrid Storage
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338

//! Encrypted Parquet I/O — application-level encryption for ROS (Tier 5).
//!
//! Since the `parquet` crate's Rust implementation does not yet support
//! Parquet's native Modular Encryption, we provide application-level
//! encryption: the entire Parquet file is encrypted/decrypted as a blob.
//!
//! # Architecture
//!
//! ```text
//! RecordBatch
//!     │ ArrowWriter (with compression)
//!//! Parquet bytes (in-memory buffer)
//!     │ AEAD encrypt
//!//! Encrypted file on disk
//! ```
//!
//! # Wire Format
//!
//! ```text
//! [magic: 4 bytes "EPQT"] [version: 1 byte] [nonce: 12 bytes] [ciphertext + tag]
//! ```

use crate::error::{DbxError, DbxResult};
use crate::storage::compression::CompressionConfig;
use crate::storage::encryption::EncryptionConfig;
use arrow::record_batch::RecordBatch;
use parquet::arrow::ArrowWriter;
use parquet::arrow::arrow_reader::ParquetRecordBatchReaderBuilder;
use parquet::file::properties::WriterProperties;
use std::fs::File;
use std::io::{Read, Write};
use std::path::Path;

/// Magic bytes identifying encrypted Parquet files.
const MAGIC: &[u8; 4] = b"EPQT";
/// Current wire format version.
const VERSION: u8 = 1;
/// AAD for Parquet file encryption.
const PARQUET_AAD: &[u8] = b"dbx-parquet-v1";

/// Writes encrypted Parquet files.
pub struct EncryptedParquetWriter;

/// Reads encrypted Parquet files.
pub struct EncryptedParquetReader;

impl EncryptedParquetWriter {
    /// Write a single RecordBatch with encryption and default compression.
    pub fn write(path: &Path, batch: &RecordBatch, encryption: &EncryptionConfig) -> DbxResult<()> {
        Self::write_with_compression(path, batch, encryption, &CompressionConfig::default())
    }

    /// Write a single RecordBatch with encryption and specified compression.
    pub fn write_with_compression(
        path: &Path,
        batch: &RecordBatch,
        encryption: &EncryptionConfig,
        compression: &CompressionConfig,
    ) -> DbxResult<()> {
        Self::write_batches(path, std::slice::from_ref(batch), encryption, compression)
    }

    /// Write multiple RecordBatches with encryption and compression.
    pub fn write_batches(
        path: &Path,
        batches: &[RecordBatch],
        encryption: &EncryptionConfig,
        compression: &CompressionConfig,
    ) -> DbxResult<()> {
        if batches.is_empty() {
            return Ok(());
        }

        // Step 1: Write Parquet to a temp file, then read its bytes
        let tmp = tempfile::NamedTempFile::new()?;
        {
            let file = tmp.reopen()?;
            let props = WriterProperties::builder()
                .set_compression(compression.to_parquet_compression())
                .build();

            let mut writer = ArrowWriter::try_new(file, batches[0].schema(), Some(props))?;
            for batch in batches {
                writer.write(batch)?;
            }
            writer.close()?;
        }

        // Read the temp file bytes
        let buf = std::fs::read(tmp.path())?;

        // Step 2: Encrypt the buffer
        let ciphertext = encryption.encrypt_with_aad(&buf, PARQUET_AAD)?;

        // Step 3: Write to target file with header
        let mut file = File::create(path)?;
        file.write_all(MAGIC)?;
        file.write_all(&[VERSION])?;
        file.write_all(&ciphertext)?;
        file.flush()?;

        Ok(())
    }

    /// Re-key an existing encrypted Parquet file.
    ///
    /// Reads the file with `current_encryption`, decrypts it,
    /// and re-encrypts with `new_encryption`.
    pub fn rekey(
        path: &Path,
        current_encryption: &EncryptionConfig,
        new_encryption: &EncryptionConfig,
    ) -> DbxResult<()> {
        use super::EncryptedParquetReader;

        // 1. Read and decrypt
        let batches = EncryptedParquetReader::read(path, current_encryption)?;

        // 2. Re-encrypt and write
        Self::write_batches(
            path,
            &batches,
            new_encryption,
            &crate::storage::compression::CompressionConfig::default(),
        )
    }
}

impl EncryptedParquetReader {
    /// Read all RecordBatches from an encrypted Parquet file.
    pub fn read(path: &Path, encryption: &EncryptionConfig) -> DbxResult<Vec<RecordBatch>> {
        // Step 1: Read file
        let mut file = File::open(path)?;
        let mut data = Vec::new();
        file.read_to_end(&mut data)?;

        // Step 2: Validate header
        if data.len() < 5 {
            return Err(DbxError::Encryption(
                "file too short for encrypted Parquet".into(),
            ));
        }
        if &data[0..4] != MAGIC {
            return Err(DbxError::Encryption(
                "invalid encrypted Parquet magic".into(),
            ));
        }
        if data[4] != VERSION {
            return Err(DbxError::Encryption(format!(
                "unsupported encrypted Parquet version: {}",
                data[4]
            )));
        }

        // Step 3: Decrypt
        let ciphertext = &data[5..];
        let parquet_bytes = encryption.decrypt_with_aad(ciphertext, PARQUET_AAD)?;

        // Step 4: Write decrypted bytes to temp file and read as Parquet
        let mut tmp = tempfile::NamedTempFile::new()?;
        tmp.write_all(&parquet_bytes)?;
        tmp.flush()?;

        let file = File::open(tmp.path())?;
        let builder = ParquetRecordBatchReaderBuilder::try_new(file)?;
        let reader = builder.build()?;

        let mut batches = Vec::new();
        for batch_result in reader {
            batches.push(batch_result?);
        }
        Ok(batches)
    }

    /// Check if a file is an encrypted Parquet file.
    pub fn is_encrypted_parquet(path: &Path) -> DbxResult<bool> {
        let mut file = File::open(path)?;
        let mut magic_buf = [0u8; 4];
        match file.read_exact(&mut magic_buf) {
            Ok(()) => Ok(&magic_buf == MAGIC),
            Err(e) if e.kind() == std::io::ErrorKind::UnexpectedEof => Ok(false),
            Err(e) => Err(e.into()),
        }
    }
}

#[cfg(test)]
mod tests {
    use super::*;
    use arrow::array::{Float64Array, Int32Array, StringArray};
    use arrow::datatypes::{DataType, Field, Schema};
    use std::sync::Arc;
    use tempfile::NamedTempFile;

    fn test_schema() -> Arc<Schema> {
        Arc::new(Schema::new(vec![
            Field::new("id", DataType::Int32, false),
            Field::new("name", DataType::Utf8, false),
            Field::new("value", DataType::Float64, true),
        ]))
    }

    fn test_batch(schema: &Arc<Schema>, count: usize) -> RecordBatch {
        let ids: Vec<i32> = (0..count as i32).collect();
        let names: Vec<String> = (0..count).map(|i| format!("item_{i}")).collect();
        let values: Vec<f64> = (0..count).map(|i| i as f64 * 1.5).collect();

        RecordBatch::try_new(
            Arc::clone(schema),
            vec![
                Arc::new(Int32Array::from(ids)),
                Arc::new(StringArray::from(names)),
                Arc::new(Float64Array::from(values)),
            ],
        )
        .unwrap()
    }

    fn test_encryption() -> EncryptionConfig {
        EncryptionConfig::from_password("test-parquet-password")
    }

    #[test]
    fn encrypted_parquet_round_trip() {
        let schema = test_schema();
        let batch = test_batch(&schema, 100);
        let enc = test_encryption();

        let tmp = NamedTempFile::new().unwrap();
        EncryptedParquetWriter::write(tmp.path(), &batch, &enc).unwrap();

        let read_batches = EncryptedParquetReader::read(tmp.path(), &enc).unwrap();
        assert!(!read_batches.is_empty());

        let total_rows: usize = read_batches.iter().map(|b| b.num_rows()).sum();
        assert_eq!(total_rows, 100);

        let ids = read_batches[0]
            .column(0)
            .as_any()
            .downcast_ref::<Int32Array>()
            .unwrap();
        assert_eq!(ids.value(0), 0);
    }

    #[test]
    fn wrong_key_fails() {
        let schema = test_schema();
        let batch = test_batch(&schema, 10);
        let enc = test_encryption();

        let tmp = NamedTempFile::new().unwrap();
        EncryptedParquetWriter::write(tmp.path(), &batch, &enc).unwrap();

        let wrong_enc = EncryptionConfig::from_password("wrong-password");
        let result = EncryptedParquetReader::read(tmp.path(), &wrong_enc);
        assert!(result.is_err());
    }

    #[test]
    fn is_encrypted_check() {
        let schema = test_schema();
        let batch = test_batch(&schema, 10);
        let enc = test_encryption();

        let tmp = NamedTempFile::new().unwrap();
        EncryptedParquetWriter::write(tmp.path(), &batch, &enc).unwrap();

        assert!(EncryptedParquetReader::is_encrypted_parquet(tmp.path()).unwrap());
    }

    #[test]
    fn plain_parquet_not_encrypted() {
        use crate::storage::parquet_io::ParquetWriter;

        let schema = test_schema();
        let batch = test_batch(&schema, 10);

        let tmp = NamedTempFile::new().unwrap();
        ParquetWriter::write(tmp.path(), &batch).unwrap();

        assert!(!EncryptedParquetReader::is_encrypted_parquet(tmp.path()).unwrap());
    }

    #[test]
    fn large_batch_round_trip() {
        let schema = test_schema();
        let batch = test_batch(&schema, 10_000);
        let enc = test_encryption();

        let tmp = NamedTempFile::new().unwrap();
        EncryptedParquetWriter::write(tmp.path(), &batch, &enc).unwrap();

        let read_batches = EncryptedParquetReader::read(tmp.path(), &enc).unwrap();
        let total_rows: usize = read_batches.iter().map(|b| b.num_rows()).sum();
        assert_eq!(total_rows, 10_000);
    }

    #[test]
    fn raw_file_not_readable_as_parquet() {
        let schema = test_schema();
        let batch = test_batch(&schema, 10);
        let enc = test_encryption();

        let tmp = NamedTempFile::new().unwrap();
        EncryptedParquetWriter::write(tmp.path(), &batch, &enc).unwrap();

        // Try to read as plain Parquet — should fail
        let result = ParquetRecordBatchReaderBuilder::try_new(File::open(tmp.path()).unwrap());
        assert!(
            result.is_err(),
            "Encrypted file should not be readable as plain Parquet"
        );
    }

    #[test]
    fn multiple_batches() {
        let schema = test_schema();
        let batch1 = test_batch(&schema, 50);
        let batch2 = test_batch(&schema, 50);
        let enc = test_encryption();

        let tmp = NamedTempFile::new().unwrap();
        EncryptedParquetWriter::write_batches(
            tmp.path(),
            &[batch1, batch2],
            &enc,
            &CompressionConfig::default(),
        )
        .unwrap();

        let read_batches = EncryptedParquetReader::read(tmp.path(), &enc).unwrap();
        let total_rows: usize = read_batches.iter().map(|b| b.num_rows()).sum();
        assert_eq!(total_rows, 100);
    }
}