API Reference

AlloyError documentation is not correctly generated. Its definition is included here manually:

class AlloyError(Exception):
    """
    Errors related to IronCore Alloy SDK
    """
    class InvalidConfiguration(AlloyError):
        """
        Error while loading configuration.
        """
    class InvalidKey(AlloyError):
        """
        Error with user key used
        """
    class InvalidInput(AlloyError):
        """
        Error with user input
        """
    class EncryptError(AlloyError):
        """
        Errors while encrypting 
        """
    class DecryptError(AlloyError):
        """
        Errors while decrypting 
        """
    class DocumentError(AlloyError):
        """
        Error when encrypting or decrypting documents
        """
    class ProtobufError(AlloyError):
        """
        Error when parsing encryption headers/metadata
        """
    class TenantSecurityError(AlloyError):
        """
        Error with requests to TSC
        """
    class IronCoreDocumentsError(AlloyError):
        """
        Error with IronCore Documents
        """

Keep in mind that this manual definition may get out of step with the actual source so refer to the source if there is any ambiguity.

ironcore_alloy.ironcore_alloy

Attributes

AlloyError = _UniffiTempAlloyError module-attribute

Errors related to IronCore Alloy SDK

DerivationPath = str module-attribute

DocumentId = str module-attribute

EdekWithKeyIdHeader = EncryptedBytes module-attribute

EncryptedAttachedDocument = EncryptedBytes module-attribute

EncryptedAttachedDocuments = dict[DocumentId, EncryptedAttachedDocument] module-attribute

EncryptedBytes = bytes module-attribute

EncryptedDocuments = dict[DocumentId, EncryptedDocument] module-attribute

EncryptedFields = dict[FieldId, EncryptedField] module-attribute

EncryptedVectors = dict[VectorId, EncryptedVector] module-attribute

FieldId = str module-attribute

GenerateFieldQueryResult = dict[FieldId, typing.List[EncryptedField]] module-attribute

GenerateVectorQueryResult = dict[VectorId, typing.List[EncryptedVector]] module-attribute

KeyId = int module-attribute

PlaintextAttachedDocument = PlaintextBytes module-attribute

PlaintextAttachedDocuments = dict[DocumentId, PlaintextAttachedDocument] module-attribute

PlaintextBytes = bytes module-attribute

PlaintextDocument = dict[FieldId, PlaintextBytes] module-attribute

PlaintextDocuments = dict[DocumentId, PlaintextDocument] module-attribute

PlaintextDocumentsWithEdeks = dict[DocumentId, PlaintextDocumentWithEdek] module-attribute

PlaintextFields = dict[FieldId, PlaintextField] module-attribute

PlaintextVectors = dict[VectorId, PlaintextVector] module-attribute

SecretPath = str module-attribute

TenantId = str module-attribute

VectorId = str module-attribute

Classes

AdminEvent

Bases: Enum

Attributes

ADD = 0 class-attribute instance-attribute

CHANGE_PERMISSIONS = 1 class-attribute instance-attribute

CHANGE_SETTING = 2 class-attribute instance-attribute

REMOVE = 3 class-attribute instance-attribute

AlloyHttpClientHeaders(*, content_type, authorization) dataclass

Source code in ironcore_alloy/ironcore_alloy.py

def __init__(self, *, content_type:str, authorization:str):
    self.content_type = content_type
    self.authorization = authorization

Attributes

authorization = authorization instance-attribute

content_type = content_type instance-attribute

AlloyHttpClientResponse(*, json_body, status_code) dataclass

Source code in ironcore_alloy/ironcore_alloy.py

def __init__(self, *, json_body:str, status_code:int):
    self.json_body = json_body
    self.status_code = status_code

Attributes

json_body = json_body instance-attribute

status_code = status_code instance-attribute

AlloyMetadata(tenant_id, requesting_user_or_service_id, data_label, source_ip, object_id, request_id, other_data)

Bases: AlloyMetadataProtocol

Holds metadata fields as part of an SDK call. Each encrypted value will have metadata that associates it to a tenant ID as well as optional fields for other arbitrary key/value pairs and a request ID to send to the Tenant Security Proxy. Only the tenant ID will be used in Standalone SDKs, which can be created easily with new_simple().

Constructor for AlloyMetadata which contains the tenant's ID and other metadata to send to the Tenant Security Proxy.

Arguments

• tenant_id - Unique ID of tenant that is performing the operation.
• requesting_user_or_service_id - Unique ID of user/service that is processing data. Must be non-empty.
• data_label - Classification of data being processed.
• source_ip - IP address of the initiator of this document request.
• object_id - ID of the object/document being acted on in the host system.
• request_id - Unique ID that ties host application request ID to tenant.
• other_data - Additional String key/value pairs to add to metadata.

Source code in ironcore_alloy/ironcore_alloy.py

    def __init__(self, tenant_id: TenantId,requesting_user_or_service_id: typing.Optional[str],data_label: typing.Optional[str],source_ip: typing.Optional[str],object_id: typing.Optional[str],request_id: typing.Optional[str],other_data: dict[str, str]):
        """
        Constructor for AlloyMetadata which contains the tenant's ID and other metadata to send to the
        Tenant Security Proxy.

        # Arguments
        - `tenant_id`                     - Unique ID of tenant that is performing the operation.
        - `requesting_user_or_service_id` - Unique ID of user/service that is processing data. Must be non-empty.
        - `data_label`                    - Classification of data being processed.
        - `source_ip`                     - IP address of the initiator of this document request.
        - `object_id`                     - ID of the object/document being acted on in the host system.
        - `request_id`                    - Unique ID that ties host application request ID to tenant.
        - `other_data`                    - Additional String key/value pairs to add to metadata.
"""

        _UniffiFfiConverterTypeTenantId.check_lower(tenant_id)

        _UniffiFfiConverterOptionalString.check_lower(requesting_user_or_service_id)

        _UniffiFfiConverterOptionalString.check_lower(data_label)

        _UniffiFfiConverterOptionalString.check_lower(source_ip)

        _UniffiFfiConverterOptionalString.check_lower(object_id)

        _UniffiFfiConverterOptionalString.check_lower(request_id)

        _UniffiFfiConverterMapStringString.check_lower(other_data)
        _uniffi_lowered_args = (
            _UniffiFfiConverterTypeTenantId.lower(tenant_id),
            _UniffiFfiConverterOptionalString.lower(requesting_user_or_service_id),
            _UniffiFfiConverterOptionalString.lower(data_label),
            _UniffiFfiConverterOptionalString.lower(source_ip),
            _UniffiFfiConverterOptionalString.lower(object_id),
            _UniffiFfiConverterOptionalString.lower(request_id),
            _UniffiFfiConverterMapStringString.lower(other_data),
        )
        _uniffi_lift_return = _UniffiFfiConverterTypeAlloyMetadata.lift
        _uniffi_error_converter = None
        _uniffi_ffi_result = _uniffi_rust_call_with_error(
            _uniffi_error_converter,
            _UniffiLib.uniffi_ironcore_alloy_fn_constructor_alloymetadata_new,
            *_uniffi_lowered_args,
        )
        self._handle = _uniffi_ffi_result

Functions

new_simple(tenant_id) classmethod

Simplified constructor for AlloyMetadata that only takes the tenant's ID and the ID of the user/service that is processing data.

Arguments

• tenant_id - Unique ID of tenant that is performing the operation.

Source code in ironcore_alloy/ironcore_alloy.py

    @classmethod
    def new_simple(cls, tenant_id: TenantId) -> AlloyMetadata:
        """
        Simplified constructor for AlloyMetadata that only takes the tenant's ID and the
        ID of the user/service that is processing data.

        # Arguments
        - `tenant_id` - Unique ID of tenant that is performing the operation.
"""

        _UniffiFfiConverterTypeTenantId.check_lower(tenant_id)
        _uniffi_lowered_args = (
            _UniffiFfiConverterTypeTenantId.lower(tenant_id),
        )
        _uniffi_lift_return = _UniffiFfiConverterTypeAlloyMetadata.lift
        _uniffi_error_converter = None
        _uniffi_ffi_result = _uniffi_rust_call_with_error(
            _uniffi_error_converter,
            _UniffiLib.uniffi_ironcore_alloy_fn_constructor_alloymetadata_new_simple,
            *_uniffi_lowered_args,
        )
        return cls._uniffi_make_instance(_uniffi_ffi_result)

AlloyMetadataProtocol

Bases: Protocol

Holds metadata fields as part of an SDK call. Each encrypted value will have metadata that associates it to a tenant ID as well as optional fields for other arbitrary key/value pairs and a request ID to send to the Tenant Security Proxy. Only the tenant ID will be used in Standalone SDKs, which can be created easily with new_simple().

CustomEvent(*, event_name) dataclass

A custom event. The event must have a screaming snake case name and cannot start with an _.

Source code in ironcore_alloy/ironcore_alloy.py

def __init__(self, *, event_name:str):
    self.event_name = event_name

Attributes

event_name = event_name instance-attribute

DataEvent

Bases: Enum

Attributes

CHANGE_PERMISSIONS = 7 class-attribute instance-attribute

CREATE = 4 class-attribute instance-attribute

DECRYPT = 3 class-attribute instance-attribute

DELETE = 5 class-attribute instance-attribute

DENY_ACCESS = 6 class-attribute instance-attribute

ENCRYPT = 2 class-attribute instance-attribute

EXPORT = 1 class-attribute instance-attribute

IMPORT = 0 class-attribute instance-attribute

DecomposedHeader(*, key_id, remaining_bytes) dataclass

Source code in ironcore_alloy/ironcore_alloy.py

def __init__(self, *, key_id:KeyId, remaining_bytes:bytes):
    self.key_id = key_id
    self.remaining_bytes = remaining_bytes

Attributes

key_id = key_id instance-attribute

remaining_bytes = remaining_bytes instance-attribute

DeterministicDecryptBatchResult(*, successes, failures) dataclass

Source code in ironcore_alloy/ironcore_alloy.py

def __init__(self, *, successes:PlaintextFields, failures:dict[FieldId, AlloyError]):
    self.successes = successes
    self.failures = failures

Attributes

failures = failures instance-attribute

successes = successes instance-attribute

DeterministicEncryptBatchResult(*, successes, failures) dataclass

Source code in ironcore_alloy/ironcore_alloy.py

def __init__(self, *, successes:EncryptedFields, failures:dict[FieldId, AlloyError]):
    self.successes = successes
    self.failures = failures

Attributes

failures = failures instance-attribute

successes = successes instance-attribute

DeterministicFieldOps(*args, **kwargs)

Bases: DeterministicFieldOpsProtocol

Source code in ironcore_alloy/ironcore_alloy.py

def __init__(self, *args, **kwargs):
    raise ValueError("This class has no default constructor")

Functions

decrypt(encrypted_field, metadata) async

Decrypt a field that was deterministically encrypted with the provided metadata.

Source code in ironcore_alloy/ironcore_alloy.py

    async def decrypt(self, encrypted_field: EncryptedField,metadata: AlloyMetadata) -> PlaintextField:
        """
        Decrypt a field that was deterministically encrypted with the provided metadata.
"""

        _UniffiFfiConverterTypeEncryptedField.check_lower(encrypted_field)

        _UniffiFfiConverterTypeAlloyMetadata.check_lower(metadata)
        _uniffi_lowered_args = (
            self._uniffi_clone_handle(),
            _UniffiFfiConverterTypeEncryptedField.lower(encrypted_field),
            _UniffiFfiConverterTypeAlloyMetadata.lower(metadata),
        )
        _uniffi_lift_return = _UniffiFfiConverterTypePlaintextField.lift
        _uniffi_error_converter = _UniffiFfiConverterTypeAlloyError
        return await _uniffi_rust_call_async(
            _UniffiLib.uniffi_ironcore_alloy_fn_method_deterministicfieldops_decrypt(*_uniffi_lowered_args),
            _UniffiLib.ffi_ironcore_alloy_rust_future_poll_rust_buffer,
            _UniffiLib.ffi_ironcore_alloy_rust_future_complete_rust_buffer,
            _UniffiLib.ffi_ironcore_alloy_rust_future_free_rust_buffer,
            _uniffi_lift_return,
            _uniffi_error_converter,
        )

decrypt_batch(encrypted_fields, metadata) async

Decrypt each of the fields that were deterministically encrypted with the provided metadata. Note that because the metadata is shared between the fields, they all must correspond to the same tenant ID.

Source code in ironcore_alloy/ironcore_alloy.py

    async def decrypt_batch(self, encrypted_fields: EncryptedFields,metadata: AlloyMetadata) -> DeterministicDecryptBatchResult:
        """
        Decrypt each of the fields that were deterministically encrypted with the provided metadata.
        Note that because the metadata is shared between the fields, they all must correspond to the
        same tenant ID.
"""

        _UniffiFfiConverterTypeEncryptedFields.check_lower(encrypted_fields)

        _UniffiFfiConverterTypeAlloyMetadata.check_lower(metadata)
        _uniffi_lowered_args = (
            self._uniffi_clone_handle(),
            _UniffiFfiConverterTypeEncryptedFields.lower(encrypted_fields),
            _UniffiFfiConverterTypeAlloyMetadata.lower(metadata),
        )
        _uniffi_lift_return = _UniffiFfiConverterTypeDeterministicDecryptBatchResult.lift
        _uniffi_error_converter = _UniffiFfiConverterTypeAlloyError
        return await _uniffi_rust_call_async(
            _UniffiLib.uniffi_ironcore_alloy_fn_method_deterministicfieldops_decrypt_batch(*_uniffi_lowered_args),
            _UniffiLib.ffi_ironcore_alloy_rust_future_poll_rust_buffer,
            _UniffiLib.ffi_ironcore_alloy_rust_future_complete_rust_buffer,
            _UniffiLib.ffi_ironcore_alloy_rust_future_free_rust_buffer,
            _uniffi_lift_return,
            _uniffi_error_converter,
        )

encrypt(plaintext_field, metadata) async

Encrypt a field with the provided metadata. Because the field is encrypted deterministically with each call, the result will be the same for repeated calls. This allows for exact matches and indexing of the encrypted field, but comes with some security considerations. If you don't need to support these use cases, we recommend using standard encryption instead.

Source code in ironcore_alloy/ironcore_alloy.py

    async def encrypt(self, plaintext_field: PlaintextField,metadata: AlloyMetadata) -> EncryptedField:
        """
        Encrypt a field with the provided metadata.
        Because the field is encrypted deterministically with each call, the result will be the same for repeated calls.
        This allows for exact matches and indexing of the encrypted field, but comes with some security considerations.
        If you don't need to support these use cases, we recommend using `standard` encryption instead.
"""

        _UniffiFfiConverterTypePlaintextField.check_lower(plaintext_field)

        _UniffiFfiConverterTypeAlloyMetadata.check_lower(metadata)
        _uniffi_lowered_args = (
            self._uniffi_clone_handle(),
            _UniffiFfiConverterTypePlaintextField.lower(plaintext_field),
            _UniffiFfiConverterTypeAlloyMetadata.lower(metadata),
        )
        _uniffi_lift_return = _UniffiFfiConverterTypeEncryptedField.lift
        _uniffi_error_converter = _UniffiFfiConverterTypeAlloyError
        return await _uniffi_rust_call_async(
            _UniffiLib.uniffi_ironcore_alloy_fn_method_deterministicfieldops_encrypt(*_uniffi_lowered_args),
            _UniffiLib.ffi_ironcore_alloy_rust_future_poll_rust_buffer,
            _UniffiLib.ffi_ironcore_alloy_rust_future_complete_rust_buffer,
            _UniffiLib.ffi_ironcore_alloy_rust_future_free_rust_buffer,
            _uniffi_lift_return,
            _uniffi_error_converter,
        )

encrypt_batch(fields, metadata) async

Deterministically encrypt the provided fields with the provided metadata. Because the fields are encrypted deterministically with each call, the result will be the same for repeated calls. This allows for exact matches and indexing of the encrypted field, but comes with some security considerations. If you don't need to support these use cases, we recommend using standard encryption instead.

Source code in ironcore_alloy/ironcore_alloy.py

    async def encrypt_batch(self, fields: PlaintextFields,metadata: AlloyMetadata) -> DeterministicEncryptBatchResult:
        """
        Deterministically encrypt the provided fields with the provided metadata.
        Because the fields are encrypted deterministically with each call, the result will be the same for repeated calls.
        This allows for exact matches and indexing of the encrypted field, but comes with some security considerations.
        If you don't need to support these use cases, we recommend using `standard` encryption instead.
"""

        _UniffiFfiConverterTypePlaintextFields.check_lower(fields)

        _UniffiFfiConverterTypeAlloyMetadata.check_lower(metadata)
        _uniffi_lowered_args = (
            self._uniffi_clone_handle(),
            _UniffiFfiConverterTypePlaintextFields.lower(fields),
            _UniffiFfiConverterTypeAlloyMetadata.lower(metadata),
        )
        _uniffi_lift_return = _UniffiFfiConverterTypeDeterministicEncryptBatchResult.lift
        _uniffi_error_converter = _UniffiFfiConverterTypeAlloyError
        return await _uniffi_rust_call_async(
            _UniffiLib.uniffi_ironcore_alloy_fn_method_deterministicfieldops_encrypt_batch(*_uniffi_lowered_args),
            _UniffiLib.ffi_ironcore_alloy_rust_future_poll_rust_buffer,
            _UniffiLib.ffi_ironcore_alloy_rust_future_complete_rust_buffer,
            _UniffiLib.ffi_ironcore_alloy_rust_future_free_rust_buffer,
            _uniffi_lift_return,
            _uniffi_error_converter,
        )

generate_query_field_values(fields_to_query, metadata) async

Encrypt each plaintext field with any Current and InRotation keys for the provided secret path. The resulting encrypted fields should be used in tandem when querying the data store.

Source code in ironcore_alloy/ironcore_alloy.py

    async def generate_query_field_values(self, fields_to_query: PlaintextFields,metadata: AlloyMetadata) -> GenerateFieldQueryResult:
        """
        Encrypt each plaintext field with any Current and InRotation keys for the provided secret path.
        The resulting encrypted fields should be used in tandem when querying the data store.
"""

        _UniffiFfiConverterTypePlaintextFields.check_lower(fields_to_query)

        _UniffiFfiConverterTypeAlloyMetadata.check_lower(metadata)
        _uniffi_lowered_args = (
            self._uniffi_clone_handle(),
            _UniffiFfiConverterTypePlaintextFields.lower(fields_to_query),
            _UniffiFfiConverterTypeAlloyMetadata.lower(metadata),
        )
        _uniffi_lift_return = _UniffiFfiConverterTypeGenerateFieldQueryResult.lift
        _uniffi_error_converter = _UniffiFfiConverterTypeAlloyError
        return await _uniffi_rust_call_async(
            _UniffiLib.uniffi_ironcore_alloy_fn_method_deterministicfieldops_generate_query_field_values(*_uniffi_lowered_args),
            _UniffiLib.ffi_ironcore_alloy_rust_future_poll_rust_buffer,
            _UniffiLib.ffi_ironcore_alloy_rust_future_complete_rust_buffer,
            _UniffiLib.ffi_ironcore_alloy_rust_future_free_rust_buffer,
            _uniffi_lift_return,
            _uniffi_error_converter,
        )

get_in_rotation_prefix(secret_path, derivation_path, metadata) async

Generate a prefix that could used to search a data store for fields encrypted using an identifier (KMS config id for SaaS Shield, secret id for Standalone). These bytes should be encoded into a format matching the encoding in the data store. z85/ascii85 users should first pass these bytes through encode_prefix_z85 or base85_prefix_padding. Make sure you've read the documentation of those functions to avoid pitfalls when encoding across byte boundaries.

Source code in ironcore_alloy/ironcore_alloy.py

    async def get_in_rotation_prefix(self, secret_path: SecretPath,derivation_path: DerivationPath,metadata: AlloyMetadata) -> bytes:
        """
        Generate a prefix that could used to search a data store for fields encrypted using an identifier (KMS
        config id for SaaS Shield, secret id for Standalone). These bytes should be encoded into
        a format matching the encoding in the data store. z85/ascii85 users should first pass these bytes through
        `encode_prefix_z85` or `base85_prefix_padding`. Make sure you've read the documentation of those functions to
        avoid pitfalls when encoding across byte boundaries.
"""

        _UniffiFfiConverterTypeSecretPath.check_lower(secret_path)

        _UniffiFfiConverterTypeDerivationPath.check_lower(derivation_path)

        _UniffiFfiConverterTypeAlloyMetadata.check_lower(metadata)
        _uniffi_lowered_args = (
            self._uniffi_clone_handle(),
            _UniffiFfiConverterTypeSecretPath.lower(secret_path),
            _UniffiFfiConverterTypeDerivationPath.lower(derivation_path),
            _UniffiFfiConverterTypeAlloyMetadata.lower(metadata),
        )
        _uniffi_lift_return = _UniffiFfiConverterBytes.lift
        _uniffi_error_converter = _UniffiFfiConverterTypeAlloyError
        return await _uniffi_rust_call_async(
            _UniffiLib.uniffi_ironcore_alloy_fn_method_deterministicfieldops_get_in_rotation_prefix(*_uniffi_lowered_args),
            _UniffiLib.ffi_ironcore_alloy_rust_future_poll_rust_buffer,
            _UniffiLib.ffi_ironcore_alloy_rust_future_complete_rust_buffer,
            _UniffiLib.ffi_ironcore_alloy_rust_future_free_rust_buffer,
            _uniffi_lift_return,
            _uniffi_error_converter,
        )

rotate_fields(encrypted_fields, metadata, new_tenant_id) async

Re-encrypt already encrypted fields with the Current key for the provided tenant. The metadata passed must contain the tenant ID that the fields were originally encrypted to. If new_tenant_id is empty, the fields will simply be encrypted with the same tenant's current secret.

Source code in ironcore_alloy/ironcore_alloy.py

    async def rotate_fields(self, encrypted_fields: EncryptedFields,metadata: AlloyMetadata,new_tenant_id: typing.Optional[TenantId]) -> DeterministicRotateResult:
        """
        Re-encrypt already encrypted fields with the Current key for the provided tenant. The `metadata` passed
        must contain the tenant ID that the fields were originally encrypted to. If `new_tenant_id` is empty,
        the fields will simply be encrypted with the same tenant's current secret.
"""

        _UniffiFfiConverterTypeEncryptedFields.check_lower(encrypted_fields)

        _UniffiFfiConverterTypeAlloyMetadata.check_lower(metadata)

        _UniffiFfiConverterOptionalTypeTenantId.check_lower(new_tenant_id)
        _uniffi_lowered_args = (
            self._uniffi_clone_handle(),
            _UniffiFfiConverterTypeEncryptedFields.lower(encrypted_fields),
            _UniffiFfiConverterTypeAlloyMetadata.lower(metadata),
            _UniffiFfiConverterOptionalTypeTenantId.lower(new_tenant_id),
        )
        _uniffi_lift_return = _UniffiFfiConverterTypeDeterministicRotateResult.lift
        _uniffi_error_converter = _UniffiFfiConverterTypeAlloyError
        return await _uniffi_rust_call_async(
            _UniffiLib.uniffi_ironcore_alloy_fn_method_deterministicfieldops_rotate_fields(*_uniffi_lowered_args),
            _UniffiLib.ffi_ironcore_alloy_rust_future_poll_rust_buffer,
            _UniffiLib.ffi_ironcore_alloy_rust_future_complete_rust_buffer,
            _UniffiLib.ffi_ironcore_alloy_rust_future_free_rust_buffer,
            _uniffi_lift_return,
            _uniffi_error_converter,
        )

DeterministicFieldOpsProtocol

Bases: Protocol

Functions

decrypt(encrypted_field, metadata) async

Decrypt a field that was deterministically encrypted with the provided metadata.

Source code in ironcore_alloy/ironcore_alloy.py

    async def decrypt(self, encrypted_field: EncryptedField,metadata: AlloyMetadata) -> PlaintextField:
        """
        Decrypt a field that was deterministically encrypted with the provided metadata.
"""
        raise NotImplementedError

decrypt_batch(encrypted_fields, metadata) async

Decrypt each of the fields that were deterministically encrypted with the provided metadata. Note that because the metadata is shared between the fields, they all must correspond to the same tenant ID.

Source code in ironcore_alloy/ironcore_alloy.py

    async def decrypt_batch(self, encrypted_fields: EncryptedFields,metadata: AlloyMetadata) -> DeterministicDecryptBatchResult:
        """
        Decrypt each of the fields that were deterministically encrypted with the provided metadata.
        Note that because the metadata is shared between the fields, they all must correspond to the
        same tenant ID.
"""
        raise NotImplementedError

encrypt(plaintext_field, metadata) async

Encrypt a field with the provided metadata. Because the field is encrypted deterministically with each call, the result will be the same for repeated calls. This allows for exact matches and indexing of the encrypted field, but comes with some security considerations. If you don't need to support these use cases, we recommend using standard encryption instead.

Source code in ironcore_alloy/ironcore_alloy.py

    async def encrypt(self, plaintext_field: PlaintextField,metadata: AlloyMetadata) -> EncryptedField:
        """
        Encrypt a field with the provided metadata.
        Because the field is encrypted deterministically with each call, the result will be the same for repeated calls.
        This allows for exact matches and indexing of the encrypted field, but comes with some security considerations.
        If you don't need to support these use cases, we recommend using `standard` encryption instead.
"""
        raise NotImplementedError

encrypt_batch(fields, metadata) async

Deterministically encrypt the provided fields with the provided metadata. Because the fields are encrypted deterministically with each call, the result will be the same for repeated calls. This allows for exact matches and indexing of the encrypted field, but comes with some security considerations. If you don't need to support these use cases, we recommend using standard encryption instead.

Source code in ironcore_alloy/ironcore_alloy.py

    async def encrypt_batch(self, fields: PlaintextFields,metadata: AlloyMetadata) -> DeterministicEncryptBatchResult:
        """
        Deterministically encrypt the provided fields with the provided metadata.
        Because the fields are encrypted deterministically with each call, the result will be the same for repeated calls.
        This allows for exact matches and indexing of the encrypted field, but comes with some security considerations.
        If you don't need to support these use cases, we recommend using `standard` encryption instead.
"""
        raise NotImplementedError

generate_query_field_values(fields_to_query, metadata) async

Encrypt each plaintext field with any Current and InRotation keys for the provided secret path. The resulting encrypted fields should be used in tandem when querying the data store.

Source code in ironcore_alloy/ironcore_alloy.py

    async def generate_query_field_values(self, fields_to_query: PlaintextFields,metadata: AlloyMetadata) -> GenerateFieldQueryResult:
        """
        Encrypt each plaintext field with any Current and InRotation keys for the provided secret path.
        The resulting encrypted fields should be used in tandem when querying the data store.
"""
        raise NotImplementedError

get_in_rotation_prefix(secret_path, derivation_path, metadata) async

Generate a prefix that could used to search a data store for fields encrypted using an identifier (KMS config id for SaaS Shield, secret id for Standalone). These bytes should be encoded into a format matching the encoding in the data store. z85/ascii85 users should first pass these bytes through encode_prefix_z85 or base85_prefix_padding. Make sure you've read the documentation of those functions to avoid pitfalls when encoding across byte boundaries.

Source code in ironcore_alloy/ironcore_alloy.py

    async def get_in_rotation_prefix(self, secret_path: SecretPath,derivation_path: DerivationPath,metadata: AlloyMetadata) -> bytes:
        """
        Generate a prefix that could used to search a data store for fields encrypted using an identifier (KMS
        config id for SaaS Shield, secret id for Standalone). These bytes should be encoded into
        a format matching the encoding in the data store. z85/ascii85 users should first pass these bytes through
        `encode_prefix_z85` or `base85_prefix_padding`. Make sure you've read the documentation of those functions to
        avoid pitfalls when encoding across byte boundaries.
"""
        raise NotImplementedError

rotate_fields(encrypted_fields, metadata, new_tenant_id) async

Re-encrypt already encrypted fields with the Current key for the provided tenant. The metadata passed must contain the tenant ID that the fields were originally encrypted to. If new_tenant_id is empty, the fields will simply be encrypted with the same tenant's current secret.

Source code in ironcore_alloy/ironcore_alloy.py

    async def rotate_fields(self, encrypted_fields: EncryptedFields,metadata: AlloyMetadata,new_tenant_id: typing.Optional[TenantId]) -> DeterministicRotateResult:
        """
        Re-encrypt already encrypted fields with the Current key for the provided tenant. The `metadata` passed
        must contain the tenant ID that the fields were originally encrypted to. If `new_tenant_id` is empty,
        the fields will simply be encrypted with the same tenant's current secret.
"""
        raise NotImplementedError

DeterministicRotateResult(*, successes, failures) dataclass

Source code in ironcore_alloy/ironcore_alloy.py

def __init__(self, *, successes:dict[FieldId, EncryptedField], failures:dict[FieldId, AlloyError]):
    self.successes = successes
    self.failures = failures

Attributes

failures = failures instance-attribute

successes = successes instance-attribute

EdekType

Bases: Enum

Attributes

DATA_CONTROL_PLATFORM = 2 class-attribute instance-attribute

SAAS_SHIELD = 1 class-attribute instance-attribute

STANDALONE = 0 class-attribute instance-attribute

EncryptedDocument(*, edek, document) dataclass

Document and EDEK (encrypted document encryption key) generated by document_encrypt/documentEncrypt. Note that document_encrypt_deterministic/documentEncryptDeterministic doesn't use this type as it prefixes an encryption header to the encrypted document map instead of using a separate EDEK.

Source code in ironcore_alloy/ironcore_alloy.py

def __init__(self, *, edek:EdekWithKeyIdHeader, document:dict[FieldId, EncryptedBytes]):
    self.edek = edek
    self.document = document

Attributes

document = document instance-attribute

edek = edek instance-attribute

EncryptedField(*, encrypted_field, secret_path, derivation_path) dataclass

Source code in ironcore_alloy/ironcore_alloy.py

def __init__(self, *, encrypted_field:EncryptedBytes, secret_path:SecretPath, derivation_path:DerivationPath):
    self.encrypted_field = encrypted_field
    self.secret_path = secret_path
    self.derivation_path = derivation_path

Attributes

derivation_path = derivation_path instance-attribute

encrypted_field = encrypted_field instance-attribute

secret_path = secret_path instance-attribute

EncryptedVector(*, encrypted_vector, secret_path, derivation_path, paired_icl_info) dataclass

Source code in ironcore_alloy/ironcore_alloy.py

def __init__(self, *, encrypted_vector:typing.List[float], secret_path:SecretPath, derivation_path:DerivationPath, paired_icl_info:EncryptedBytes):
    self.encrypted_vector = encrypted_vector
    self.secret_path = secret_path
    self.derivation_path = derivation_path
    self.paired_icl_info = paired_icl_info

Attributes

derivation_path = derivation_path instance-attribute

encrypted_vector = encrypted_vector instance-attribute

paired_icl_info = paired_icl_info instance-attribute

secret_path = secret_path instance-attribute

HttpClient

Trait describing the functionality ironcore-alloy needs from a client to make SaaS Shield requests.

Functions

post_json(url, json_body, headers) async

Makes a call with a JSON body and returns a string of the JSON result. Only JSON requests and responses are supported, the provided headers will include a correct content type.

Source code in ironcore_alloy/ironcore_alloy.py

    async def post_json(self, url: str,json_body: str,headers: AlloyHttpClientHeaders) -> AlloyHttpClientResponse:
        """
        Makes a call with a JSON body and returns a string of the JSON result. Only JSON requests and responses
        are supported, the provided headers will include a correct content type.
"""
        raise NotImplementedError

HttpClientImpl(*args, **kwargs)

Bases: HttpClient

Trait describing the functionality ironcore-alloy needs from a client to make SaaS Shield requests.

Source code in ironcore_alloy/ironcore_alloy.py

def __init__(self, *args, **kwargs):
    raise ValueError("This class has no default constructor")

Functions

post_json(url, json_body, headers) async

Makes a call with a JSON body and returns a string of the JSON result. Only JSON requests and responses are supported, the provided headers will include a correct content type.

Source code in ironcore_alloy/ironcore_alloy.py

    async def post_json(self, url: str,json_body: str,headers: AlloyHttpClientHeaders) -> AlloyHttpClientResponse:
        """
        Makes a call with a JSON body and returns a string of the JSON result. Only JSON requests and responses
        are supported, the provided headers will include a correct content type.
"""

        _UniffiFfiConverterString.check_lower(url)

        _UniffiFfiConverterString.check_lower(json_body)

        _UniffiFfiConverterTypeAlloyHttpClientHeaders.check_lower(headers)
        _uniffi_lowered_args = (
            self._uniffi_clone_handle(),
            _UniffiFfiConverterString.lower(url),
            _UniffiFfiConverterString.lower(json_body),
            _UniffiFfiConverterTypeAlloyHttpClientHeaders.lower(headers),
        )
        _uniffi_lift_return = _UniffiFfiConverterTypeAlloyHttpClientResponse.lift
        _uniffi_error_converter = _UniffiFfiConverterTypeAlloyError
        return await _uniffi_rust_call_async(
            _UniffiLib.uniffi_ironcore_alloy_fn_method_httpclient_post_json(*_uniffi_lowered_args),
            _UniffiLib.ffi_ironcore_alloy_rust_future_poll_rust_buffer,
            _UniffiLib.ffi_ironcore_alloy_rust_future_complete_rust_buffer,
            _UniffiLib.ffi_ironcore_alloy_rust_future_free_rust_buffer,
            _uniffi_lift_return,
            _uniffi_error_converter,
        )

InternalError

Bases: Exception

KeyIdHeader(*, key_id, edek_type, payload_type) dataclass

Source code in ironcore_alloy/ironcore_alloy.py

def __init__(self, *, key_id:KeyId, edek_type:EdekType, payload_type:PayloadType):
    self.key_id = key_id
    self.edek_type = edek_type
    self.payload_type = payload_type

Attributes

edek_type = edek_type instance-attribute

key_id = key_id instance-attribute

payload_type = payload_type instance-attribute

KmsError

Bases: Enum

Errors originating from or relating to the tenant's KMS

Attributes

INVALID_PROVIDED_EDEK = 3 class-attribute instance-attribute

KMS_ACCOUNT_ISSUE = 10 class-attribute instance-attribute

KMS_AUTHORIZATION_FAILED = 6 class-attribute instance-attribute

KMS_CONFIGURATION_DISABLED = 2 class-attribute instance-attribute

KMS_CONFIGURATION_INVALID = 7 class-attribute instance-attribute

KMS_THROTTLED = 9 class-attribute instance-attribute

KMS_UNREACHABLE = 8 class-attribute instance-attribute

KMS_UNWRAP_FAILED = 5 class-attribute instance-attribute

KMS_WRAP_FAILED = 4 class-attribute instance-attribute

NO_PRIMARY_KMS_CONFIGURATION = 0 class-attribute instance-attribute

UNKNOWN_TENANT_OR_NO_ACTIVE_KMS_CONFIGURATIONS = 1 class-attribute instance-attribute

PayloadType

Bases: Enum

Attributes

DETERMINISTIC_FIELD = 0 class-attribute instance-attribute

STANDARD_EDEK = 2 class-attribute instance-attribute

VECTOR_METADATA = 1 class-attribute instance-attribute

PeriodicEvent

Bases: Enum

Attributes

CREATE_BACKUP = 1 class-attribute instance-attribute

ENFORCE_RETENTION_POLICY = 0 class-attribute instance-attribute

PlaintextDocumentWithEdek(*, edek, document) dataclass

Source code in ironcore_alloy/ironcore_alloy.py

def __init__(self, *, edek:EdekWithKeyIdHeader, document:PlaintextDocument):
    self.edek = edek
    self.document = document

Attributes

document = document instance-attribute

edek = edek instance-attribute

PlaintextField(*, plaintext_field, secret_path, derivation_path) dataclass

Source code in ironcore_alloy/ironcore_alloy.py

def __init__(self, *, plaintext_field:PlaintextBytes, secret_path:SecretPath, derivation_path:DerivationPath):
    self.plaintext_field = plaintext_field
    self.secret_path = secret_path
    self.derivation_path = derivation_path

Attributes

derivation_path = derivation_path instance-attribute

plaintext_field = plaintext_field instance-attribute

secret_path = secret_path instance-attribute

PlaintextVector(*, plaintext_vector, secret_path, derivation_path) dataclass

Source code in ironcore_alloy/ironcore_alloy.py

def __init__(self, *, plaintext_vector:typing.List[float], secret_path:SecretPath, derivation_path:DerivationPath):
    self.plaintext_vector = plaintext_vector
    self.secret_path = secret_path
    self.derivation_path = derivation_path

Attributes

derivation_path = derivation_path instance-attribute

plaintext_vector = plaintext_vector instance-attribute

secret_path = secret_path instance-attribute

RekeyAttachedDocumentsBatchResult(*, successes, failures) dataclass

Source code in ironcore_alloy/ironcore_alloy.py

def __init__(self, *, successes:dict[DocumentId, EncryptedAttachedDocument], failures:dict[DocumentId, AlloyError]):
    self.successes = successes
    self.failures = failures

Attributes

failures = failures instance-attribute

successes = successes instance-attribute

RekeyEdeksBatchResult(*, successes, failures) dataclass

Source code in ironcore_alloy/ironcore_alloy.py

def __init__(self, *, successes:dict[DocumentId, EdekWithKeyIdHeader], failures:dict[DocumentId, AlloyError]):
    self.successes = successes
    self.failures = failures

Attributes

failures = failures instance-attribute

successes = successes instance-attribute

RotatableSecret(current_secret, in_rotation_secret)

Bases: RotatableSecretProtocol

A single secret that allows for rotation within a secret path. Used for Deterministic and Vector operations.

Create a rotating secret. This will error if both secrets are unset. If no secret for a path is desired, leave that path out of the configuration entirely instead.

Source code in ironcore_alloy/ironcore_alloy.py

    def __init__(self, current_secret: typing.Optional[StandaloneSecret],in_rotation_secret: typing.Optional[StandaloneSecret]):
        """
        Create a rotating secret. This will error if both secrets are unset. If no secret for a path is desired, leave
        that path out of the configuration entirely instead.
"""

        _UniffiFfiConverterOptionalTypeStandaloneSecret.check_lower(current_secret)

        _UniffiFfiConverterOptionalTypeStandaloneSecret.check_lower(in_rotation_secret)
        _uniffi_lowered_args = (
            _UniffiFfiConverterOptionalTypeStandaloneSecret.lower(current_secret),
            _UniffiFfiConverterOptionalTypeStandaloneSecret.lower(in_rotation_secret),
        )
        _uniffi_lift_return = _UniffiFfiConverterTypeRotatableSecret.lift
        _uniffi_error_converter = _UniffiFfiConverterTypeAlloyError
        _uniffi_ffi_result = _uniffi_rust_call_with_error(
            _uniffi_error_converter,
            _UniffiLib.uniffi_ironcore_alloy_fn_constructor_rotatablesecret_new,
            *_uniffi_lowered_args,
        )
        self._handle = _uniffi_ffi_result

RotatableSecretProtocol

Bases: Protocol

A single secret that allows for rotation within a secret path. Used for Deterministic and Vector operations.

SaasShield(config)

Bases: SaasShieldProtocol

Source code in ironcore_alloy/ironcore_alloy.py

def __init__(self, config: SaasShieldConfiguration):

    _UniffiFfiConverterTypeSaasShieldConfiguration.check_lower(config)
    _uniffi_lowered_args = (
        _UniffiFfiConverterTypeSaasShieldConfiguration.lower(config),
    )
    _uniffi_lift_return = _UniffiFfiConverterTypeSaasShield.lift
    _uniffi_error_converter = None
    _uniffi_ffi_result = _uniffi_rust_call_with_error(
        _uniffi_error_converter,
        _UniffiLib.uniffi_ironcore_alloy_fn_constructor_saasshield_new,
        *_uniffi_lowered_args,
    )
    self._handle = _uniffi_ffi_result

Functions

deterministic()

Source code in ironcore_alloy/ironcore_alloy.py

def deterministic(self, ) -> SaasShieldDeterministicClient:
    _uniffi_lowered_args = (
        self._uniffi_clone_handle(),
    )
    _uniffi_lift_return = _UniffiFfiConverterTypeSaasShieldDeterministicClient.lift
    _uniffi_error_converter = None
    _uniffi_ffi_result = _uniffi_rust_call_with_error(
        _uniffi_error_converter,
        _UniffiLib.uniffi_ironcore_alloy_fn_method_saasshield_deterministic,
        *_uniffi_lowered_args,
    )
    return _uniffi_lift_return(_uniffi_ffi_result)

standard()

Source code in ironcore_alloy/ironcore_alloy.py

def standard(self, ) -> SaasShieldStandardClient:
    _uniffi_lowered_args = (
        self._uniffi_clone_handle(),
    )
    _uniffi_lift_return = _UniffiFfiConverterTypeSaasShieldStandardClient.lift
    _uniffi_error_converter = None
    _uniffi_ffi_result = _uniffi_rust_call_with_error(
        _uniffi_error_converter,
        _UniffiLib.uniffi_ironcore_alloy_fn_method_saasshield_standard,
        *_uniffi_lowered_args,
    )
    return _uniffi_lift_return(_uniffi_ffi_result)

standard_attached()

Source code in ironcore_alloy/ironcore_alloy.py

def standard_attached(self, ) -> SaasShieldStandardAttachedClient:
    _uniffi_lowered_args = (
        self._uniffi_clone_handle(),
    )
    _uniffi_lift_return = _UniffiFfiConverterTypeSaasShieldStandardAttachedClient.lift
    _uniffi_error_converter = None
    _uniffi_ffi_result = _uniffi_rust_call_with_error(
        _uniffi_error_converter,
        _UniffiLib.uniffi_ironcore_alloy_fn_method_saasshield_standard_attached,
        *_uniffi_lowered_args,
    )
    return _uniffi_lift_return(_uniffi_ffi_result)

vector()

Source code in ironcore_alloy/ironcore_alloy.py

def vector(self, ) -> SaasShieldVectorClient:
    _uniffi_lowered_args = (
        self._uniffi_clone_handle(),
    )
    _uniffi_lift_return = _UniffiFfiConverterTypeSaasShieldVectorClient.lift
    _uniffi_error_converter = None
    _uniffi_ffi_result = _uniffi_rust_call_with_error(
        _uniffi_error_converter,
        _UniffiLib.uniffi_ironcore_alloy_fn_method_saasshield_vector,
        *_uniffi_lowered_args,
    )
    return _uniffi_lift_return(_uniffi_ffi_result)

SaasShieldConfiguration(tsp_uri, api_key, approximation_factor, http_client, legacy_tsc_write_format=False, allow_insecure_http=False)

Bases: SaasShieldConfigurationProtocol

Configuration for the SaaS Shield SDKs. Sets the TSP domain/URI and API key to be used for SaaS Shield operations.

Source code in ironcore_alloy/ironcore_alloy.py

def __init__(self, tsp_uri: str,api_key: str,approximation_factor: typing.Optional[float],http_client: HttpClient,legacy_tsc_write_format: bool = False,allow_insecure_http: bool = False):

    _UniffiFfiConverterString.check_lower(tsp_uri)

    _UniffiFfiConverterString.check_lower(api_key)

    _UniffiFfiConverterOptionalFloat32.check_lower(approximation_factor)

    _UniffiFfiConverterTypeHttpClient.check_lower(http_client)

    _UniffiFfiConverterBoolean.check_lower(legacy_tsc_write_format)

    _UniffiFfiConverterBoolean.check_lower(allow_insecure_http)
    _uniffi_lowered_args = (
        _UniffiFfiConverterString.lower(tsp_uri),
        _UniffiFfiConverterString.lower(api_key),
        _UniffiFfiConverterOptionalFloat32.lower(approximation_factor),
        _UniffiFfiConverterTypeHttpClient.lower(http_client),
        _UniffiFfiConverterBoolean.lower(legacy_tsc_write_format),
        _UniffiFfiConverterBoolean.lower(allow_insecure_http),
    )
    _uniffi_lift_return = _UniffiFfiConverterTypeSaasShieldConfiguration.lift
    _uniffi_error_converter = _UniffiFfiConverterTypeAlloyError
    _uniffi_ffi_result = _uniffi_rust_call_with_error(
        _uniffi_error_converter,
        _UniffiLib.uniffi_ironcore_alloy_fn_constructor_saasshieldconfiguration_new,
        *_uniffi_lowered_args,
    )
    self._handle = _uniffi_ffi_result

Functions

new_with_scaling_factor(tsp_uri, api_key, approximation_factor, http_client, legacy_tsc_write_format=False, allow_insecure_http=False) classmethod

Source code in ironcore_alloy/ironcore_alloy.py

@classmethod
def new_with_scaling_factor(cls, tsp_uri: str,api_key: str,approximation_factor: typing.Optional[float],http_client: HttpClient,legacy_tsc_write_format: bool = False,allow_insecure_http: bool = False) -> SaasShieldConfiguration:

    _UniffiFfiConverterString.check_lower(tsp_uri)

    _UniffiFfiConverterString.check_lower(api_key)

    _UniffiFfiConverterOptionalFloat32.check_lower(approximation_factor)

    _UniffiFfiConverterTypeHttpClient.check_lower(http_client)

    _UniffiFfiConverterBoolean.check_lower(legacy_tsc_write_format)

    _UniffiFfiConverterBoolean.check_lower(allow_insecure_http)
    _uniffi_lowered_args = (
        _UniffiFfiConverterString.lower(tsp_uri),
        _UniffiFfiConverterString.lower(api_key),
        _UniffiFfiConverterOptionalFloat32.lower(approximation_factor),
        _UniffiFfiConverterTypeHttpClient.lower(http_client),
        _UniffiFfiConverterBoolean.lower(legacy_tsc_write_format),
        _UniffiFfiConverterBoolean.lower(allow_insecure_http),
    )
    _uniffi_lift_return = _UniffiFfiConverterTypeSaasShieldConfiguration.lift
    _uniffi_error_converter = _UniffiFfiConverterTypeAlloyError
    _uniffi_ffi_result = _uniffi_rust_call_with_error(
        _uniffi_error_converter,
        _UniffiLib.uniffi_ironcore_alloy_fn_constructor_saasshieldconfiguration_new_with_scaling_factor,
        *_uniffi_lowered_args,
    )
    return cls._uniffi_make_instance(_uniffi_ffi_result)

SaasShieldConfigurationProtocol

Bases: Protocol

Configuration for the SaaS Shield SDKs. Sets the TSP domain/URI and API key to be used for SaaS Shield operations.

SaasShieldDeterministicClient(*args, **kwargs)

Bases: SaasShieldDeterministicClientProtocol, DeterministicFieldOpsProtocol, SaasShieldSecurityEventOpsProtocol

Source code in ironcore_alloy/ironcore_alloy.py

def __init__(self, *args, **kwargs):
    raise ValueError("This class has no default constructor")

Functions

decrypt(encrypted_field, metadata) async

Decrypt a field that was deterministically encrypted with the provided metadata.

Source code in ironcore_alloy/ironcore_alloy.py

    async def decrypt(self, encrypted_field: EncryptedField,metadata: AlloyMetadata) -> PlaintextField:
        """
        Decrypt a field that was deterministically encrypted with the provided metadata.
"""

        _UniffiFfiConverterTypeEncryptedField.check_lower(encrypted_field)

        _UniffiFfiConverterTypeAlloyMetadata.check_lower(metadata)
        _uniffi_lowered_args = (
            self._uniffi_clone_handle(),
            _UniffiFfiConverterTypeEncryptedField.lower(encrypted_field),
            _UniffiFfiConverterTypeAlloyMetadata.lower(metadata),
        )
        _uniffi_lift_return = _UniffiFfiConverterTypePlaintextField.lift
        _uniffi_error_converter = _UniffiFfiConverterTypeAlloyError
        return await _uniffi_rust_call_async(
            _UniffiLib.uniffi_ironcore_alloy_fn_method_saasshielddeterministicclient_decrypt(*_uniffi_lowered_args),
            _UniffiLib.ffi_ironcore_alloy_rust_future_poll_rust_buffer,
            _UniffiLib.ffi_ironcore_alloy_rust_future_complete_rust_buffer,
            _UniffiLib.ffi_ironcore_alloy_rust_future_free_rust_buffer,
            _uniffi_lift_return,
            _uniffi_error_converter,
        )

decrypt_batch(encrypted_fields, metadata) async

Decrypt each of the fields that were deterministically encrypted with the provided metadata. Note that because the metadata is shared between the fields, they all must correspond to the same tenant ID.

Source code in ironcore_alloy/ironcore_alloy.py

    async def decrypt_batch(self, encrypted_fields: EncryptedFields,metadata: AlloyMetadata) -> DeterministicDecryptBatchResult:
        """
        Decrypt each of the fields that were deterministically encrypted with the provided metadata.
        Note that because the metadata is shared between the fields, they all must correspond to the
        same tenant ID.
"""

        _UniffiFfiConverterTypeEncryptedFields.check_lower(encrypted_fields)

        _UniffiFfiConverterTypeAlloyMetadata.check_lower(metadata)
        _uniffi_lowered_args = (
            self._uniffi_clone_handle(),
            _UniffiFfiConverterTypeEncryptedFields.lower(encrypted_fields),
            _UniffiFfiConverterTypeAlloyMetadata.lower(metadata),
        )
        _uniffi_lift_return = _UniffiFfiConverterTypeDeterministicDecryptBatchResult.lift
        _uniffi_error_converter = _UniffiFfiConverterTypeAlloyError
        return await _uniffi_rust_call_async(
            _UniffiLib.uniffi_ironcore_alloy_fn_method_saasshielddeterministicclient_decrypt_batch(*_uniffi_lowered_args),
            _UniffiLib.ffi_ironcore_alloy_rust_future_poll_rust_buffer,
            _UniffiLib.ffi_ironcore_alloy_rust_future_complete_rust_buffer,
            _UniffiLib.ffi_ironcore_alloy_rust_future_free_rust_buffer,
            _uniffi_lift_return,
            _uniffi_error_converter,
        )

encrypt(plaintext_field, metadata) async

Encrypt a field with the provided metadata. Because the field is encrypted deterministically with each call, the result will be the same for repeated calls. This allows for exact matches and indexing of the encrypted field, but comes with some security considerations. If you don't need to support these use cases, we recommend using standard encryption instead.

Source code in ironcore_alloy/ironcore_alloy.py

    async def encrypt(self, plaintext_field: PlaintextField,metadata: AlloyMetadata) -> EncryptedField:
        """
        Encrypt a field with the provided metadata.
        Because the field is encrypted deterministically with each call, the result will be the same for repeated calls.
        This allows for exact matches and indexing of the encrypted field, but comes with some security considerations.
        If you don't need to support these use cases, we recommend using `standard` encryption instead.
"""

        _UniffiFfiConverterTypePlaintextField.check_lower(plaintext_field)

        _UniffiFfiConverterTypeAlloyMetadata.check_lower(metadata)
        _uniffi_lowered_args = (
            self._uniffi_clone_handle(),
            _UniffiFfiConverterTypePlaintextField.lower(plaintext_field),
            _UniffiFfiConverterTypeAlloyMetadata.lower(metadata),
        )
        _uniffi_lift_return = _UniffiFfiConverterTypeEncryptedField.lift
        _uniffi_error_converter = _UniffiFfiConverterTypeAlloyError
        return await _uniffi_rust_call_async(
            _UniffiLib.uniffi_ironcore_alloy_fn_method_saasshielddeterministicclient_encrypt(*_uniffi_lowered_args),
            _UniffiLib.ffi_ironcore_alloy_rust_future_poll_rust_buffer,
            _UniffiLib.ffi_ironcore_alloy_rust_future_complete_rust_buffer,
            _UniffiLib.ffi_ironcore_alloy_rust_future_free_rust_buffer,
            _uniffi_lift_return,
            _uniffi_error_converter,
        )

encrypt_batch(plaintext_fields, metadata) async

Deterministically encrypt the provided fields with the provided metadata. Because the fields are encrypted deterministically with each call, the result will be the same for repeated calls. This allows for exact matches and indexing of the encrypted field, but comes with some security considerations. If you don't need to support these use cases, we recommend using standard encryption instead.

Source code in ironcore_alloy/ironcore_alloy.py

    async def encrypt_batch(self, plaintext_fields: PlaintextFields,metadata: AlloyMetadata) -> DeterministicEncryptBatchResult:
        """
        Deterministically encrypt the provided fields with the provided metadata.
        Because the fields are encrypted deterministically with each call, the result will be the same for repeated calls.
        This allows for exact matches and indexing of the encrypted field, but comes with some security considerations.
        If you don't need to support these use cases, we recommend using `standard` encryption instead.
"""

        _UniffiFfiConverterTypePlaintextFields.check_lower(plaintext_fields)

        _UniffiFfiConverterTypeAlloyMetadata.check_lower(metadata)
        _uniffi_lowered_args = (
            self._uniffi_clone_handle(),
            _UniffiFfiConverterTypePlaintextFields.lower(plaintext_fields),
            _UniffiFfiConverterTypeAlloyMetadata.lower(metadata),
        )
        _uniffi_lift_return = _UniffiFfiConverterTypeDeterministicEncryptBatchResult.lift
        _uniffi_error_converter = _UniffiFfiConverterTypeAlloyError
        return await _uniffi_rust_call_async(
            _UniffiLib.uniffi_ironcore_alloy_fn_method_saasshielddeterministicclient_encrypt_batch(*_uniffi_lowered_args),
            _UniffiLib.ffi_ironcore_alloy_rust_future_poll_rust_buffer,
            _UniffiLib.ffi_ironcore_alloy_rust_future_complete_rust_buffer,
            _UniffiLib.ffi_ironcore_alloy_rust_future_free_rust_buffer,
            _uniffi_lift_return,
            _uniffi_error_converter,
        )

generate_query_field_values(fields_to_query, metadata) async

Encrypt each plaintext field with any Current and InRotation keys for the provided secret path. The resulting encrypted fields should be used in tandem when querying the data store.

Source code in ironcore_alloy/ironcore_alloy.py

    async def generate_query_field_values(self, fields_to_query: PlaintextFields,metadata: AlloyMetadata) -> GenerateFieldQueryResult:
        """
        Encrypt each plaintext field with any Current and InRotation keys for the provided secret path.
        The resulting encrypted fields should be used in tandem when querying the data store.
"""

        _UniffiFfiConverterTypePlaintextFields.check_lower(fields_to_query)

        _UniffiFfiConverterTypeAlloyMetadata.check_lower(metadata)
        _uniffi_lowered_args = (
            self._uniffi_clone_handle(),
            _UniffiFfiConverterTypePlaintextFields.lower(fields_to_query),
            _UniffiFfiConverterTypeAlloyMetadata.lower(metadata),
        )
        _uniffi_lift_return = _UniffiFfiConverterTypeGenerateFieldQueryResult.lift
        _uniffi_error_converter = _UniffiFfiConverterTypeAlloyError
        return await _uniffi_rust_call_async(
            _UniffiLib.uniffi_ironcore_alloy_fn_method_saasshielddeterministicclient_generate_query_field_values(*_uniffi_lowered_args),
            _UniffiLib.ffi_ironcore_alloy_rust_future_poll_rust_buffer,
            _UniffiLib.ffi_ironcore_alloy_rust_future_complete_rust_buffer,
            _UniffiLib.ffi_ironcore_alloy_rust_future_free_rust_buffer,
            _uniffi_lift_return,
            _uniffi_error_converter,
        )

get_in_rotation_prefix(secret_path, derivation_path, metadata) async

Generate a prefix that could used to search a data store for fields encrypted using an identifier (KMS config id for SaaS Shield, secret id for Standalone). These bytes should be encoded into a format matching the encoding in the data store. z85/ascii85 users should first pass these bytes through encode_prefix_z85 or base85_prefix_padding. Make sure you've read the documentation of those functions to avoid pitfalls when encoding across byte boundaries.

Source code in ironcore_alloy/ironcore_alloy.py

    async def get_in_rotation_prefix(self, secret_path: SecretPath,derivation_path: DerivationPath,metadata: AlloyMetadata) -> bytes:
        """
        Generate a prefix that could used to search a data store for fields encrypted using an identifier (KMS
        config id for SaaS Shield, secret id for Standalone). These bytes should be encoded into
        a format matching the encoding in the data store. z85/ascii85 users should first pass these bytes through
        `encode_prefix_z85` or `base85_prefix_padding`. Make sure you've read the documentation of those functions to
        avoid pitfalls when encoding across byte boundaries.
"""

        _UniffiFfiConverterTypeSecretPath.check_lower(secret_path)

        _UniffiFfiConverterTypeDerivationPath.check_lower(derivation_path)

        _UniffiFfiConverterTypeAlloyMetadata.check_lower(metadata)
        _uniffi_lowered_args = (
            self._uniffi_clone_handle(),
            _UniffiFfiConverterTypeSecretPath.lower(secret_path),
            _UniffiFfiConverterTypeDerivationPath.lower(derivation_path),
            _UniffiFfiConverterTypeAlloyMetadata.lower(metadata),
        )
        _uniffi_lift_return = _UniffiFfiConverterBytes.lift
        _uniffi_error_converter = _UniffiFfiConverterTypeAlloyError
        return await _uniffi_rust_call_async(
            _UniffiLib.uniffi_ironcore_alloy_fn_method_saasshielddeterministicclient_get_in_rotation_prefix(*_uniffi_lowered_args),
            _UniffiLib.ffi_ironcore_alloy_rust_future_poll_rust_buffer,
            _UniffiLib.ffi_ironcore_alloy_rust_future_complete_rust_buffer,
            _UniffiLib.ffi_ironcore_alloy_rust_future_free_rust_buffer,
            _uniffi_lift_return,
            _uniffi_error_converter,
        )

log_security_event(event, metadata, event_time_millis) async

Log the security event event to the tenant's log sink. If the event time is unspecified the current time will be used.

Source code in ironcore_alloy/ironcore_alloy.py

    async def log_security_event(self, event: SecurityEvent,metadata: AlloyMetadata,event_time_millis: typing.Optional[int]) -> None:
        """
        Log the security event `event` to the tenant's log sink.
        If the event time is unspecified the current time will be used.
"""

        _UniffiFfiConverterTypeSecurityEvent.check_lower(event)

        _UniffiFfiConverterTypeAlloyMetadata.check_lower(metadata)

        _UniffiFfiConverterOptionalInt64.check_lower(event_time_millis)
        _uniffi_lowered_args = (
            self._uniffi_clone_handle(),
            _UniffiFfiConverterTypeSecurityEvent.lower(event),
            _UniffiFfiConverterTypeAlloyMetadata.lower(metadata),
            _UniffiFfiConverterOptionalInt64.lower(event_time_millis),
        )
        _uniffi_lift_return = lambda val: None
        _uniffi_error_converter = _UniffiFfiConverterTypeAlloyError
        return await _uniffi_rust_call_async(
            _UniffiLib.uniffi_ironcore_alloy_fn_method_saasshielddeterministicclient_log_security_event(*_uniffi_lowered_args),
            _UniffiLib.ffi_ironcore_alloy_rust_future_poll_void,
            _UniffiLib.ffi_ironcore_alloy_rust_future_complete_void,
            _UniffiLib.ffi_ironcore_alloy_rust_future_free_void,
            _uniffi_lift_return,
            _uniffi_error_converter,
        )

rotate_fields(encrypted_fields, metadata, new_tenant_id) async

Re-encrypt already encrypted fields with the Current key for the provided tenant. The metadata passed must contain the tenant ID that the fields were originally encrypted to. If new_tenant_id is empty, the fields will simply be encrypted with the same tenant's current secret.

Source code in ironcore_alloy/ironcore_alloy.py

    async def rotate_fields(self, encrypted_fields: EncryptedFields,metadata: AlloyMetadata,new_tenant_id: typing.Optional[TenantId]) -> DeterministicRotateResult:
        """
        Re-encrypt already encrypted fields with the Current key for the provided tenant. The `metadata` passed
        must contain the tenant ID that the fields were originally encrypted to. If `new_tenant_id` is empty,
        the fields will simply be encrypted with the same tenant's current secret.
"""

        _UniffiFfiConverterTypeEncryptedFields.check_lower(encrypted_fields)

        _UniffiFfiConverterTypeAlloyMetadata.check_lower(metadata)

        _UniffiFfiConverterOptionalTypeTenantId.check_lower(new_tenant_id)
        _uniffi_lowered_args = (
            self._uniffi_clone_handle(),
            _UniffiFfiConverterTypeEncryptedFields.lower(encrypted_fields),
            _UniffiFfiConverterTypeAlloyMetadata.lower(metadata),
            _UniffiFfiConverterOptionalTypeTenantId.lower(new_tenant_id),
        )
        _uniffi_lift_return = _UniffiFfiConverterTypeDeterministicRotateResult.lift
        _uniffi_error_converter = _UniffiFfiConverterTypeAlloyError
        return await _uniffi_rust_call_async(
            _UniffiLib.uniffi_ironcore_alloy_fn_method_saasshielddeterministicclient_rotate_fields(*_uniffi_lowered_args),
            _UniffiLib.ffi_ironcore_alloy_rust_future_poll_rust_buffer,
            _UniffiLib.ffi_ironcore_alloy_rust_future_complete_rust_buffer,
            _UniffiLib.ffi_ironcore_alloy_rust_future_free_rust_buffer,
            _uniffi_lift_return,
            _uniffi_error_converter,
        )

SaasShieldDeterministicClientProtocol

Bases: Protocol

Functions

decrypt(encrypted_field, metadata) async

Decrypt a field that was deterministically encrypted with the provided metadata.

Source code in ironcore_alloy/ironcore_alloy.py

    async def decrypt(self, encrypted_field: EncryptedField,metadata: AlloyMetadata) -> PlaintextField:
        """
        Decrypt a field that was deterministically encrypted with the provided metadata.
"""
        raise NotImplementedError

decrypt_batch(encrypted_fields, metadata) async

Decrypt each of the fields that were deterministically encrypted with the provided metadata. Note that because the metadata is shared between the fields, they all must correspond to the same tenant ID.

Source code in ironcore_alloy/ironcore_alloy.py

    async def decrypt_batch(self, encrypted_fields: EncryptedFields,metadata: AlloyMetadata) -> DeterministicDecryptBatchResult:
        """
        Decrypt each of the fields that were deterministically encrypted with the provided metadata.
        Note that because the metadata is shared between the fields, they all must correspond to the
        same tenant ID.
"""
        raise NotImplementedError

encrypt(plaintext_field, metadata) async

Encrypt a field with the provided metadata. Because the field is encrypted deterministically with each call, the result will be the same for repeated calls. This allows for exact matches and indexing of the encrypted field, but comes with some security considerations. If you don't need to support these use cases, we recommend using standard encryption instead.

Source code in ironcore_alloy/ironcore_alloy.py

    async def encrypt(self, plaintext_field: PlaintextField,metadata: AlloyMetadata) -> EncryptedField:
        """
        Encrypt a field with the provided metadata.
        Because the field is encrypted deterministically with each call, the result will be the same for repeated calls.
        This allows for exact matches and indexing of the encrypted field, but comes with some security considerations.
        If you don't need to support these use cases, we recommend using `standard` encryption instead.
"""
        raise NotImplementedError

encrypt_batch(plaintext_fields, metadata) async

Deterministically encrypt the provided fields with the provided metadata. Because the fields are encrypted deterministically with each call, the result will be the same for repeated calls. This allows for exact matches and indexing of the encrypted field, but comes with some security considerations. If you don't need to support these use cases, we recommend using standard encryption instead.

Source code in ironcore_alloy/ironcore_alloy.py

    async def encrypt_batch(self, plaintext_fields: PlaintextFields,metadata: AlloyMetadata) -> DeterministicEncryptBatchResult:
        """
        Deterministically encrypt the provided fields with the provided metadata.
        Because the fields are encrypted deterministically with each call, the result will be the same for repeated calls.
        This allows for exact matches and indexing of the encrypted field, but comes with some security considerations.
        If you don't need to support these use cases, we recommend using `standard` encryption instead.
"""
        raise NotImplementedError

generate_query_field_values(fields_to_query, metadata) async

Encrypt each plaintext field with any Current and InRotation keys for the provided secret path. The resulting encrypted fields should be used in tandem when querying the data store.

Source code in ironcore_alloy/ironcore_alloy.py

    async def generate_query_field_values(self, fields_to_query: PlaintextFields,metadata: AlloyMetadata) -> GenerateFieldQueryResult:
        """
        Encrypt each plaintext field with any Current and InRotation keys for the provided secret path.
        The resulting encrypted fields should be used in tandem when querying the data store.
"""
        raise NotImplementedError

get_in_rotation_prefix(secret_path, derivation_path, metadata) async

Generate a prefix that could used to search a data store for fields encrypted using an identifier (KMS config id for SaaS Shield, secret id for Standalone). These bytes should be encoded into a format matching the encoding in the data store. z85/ascii85 users should first pass these bytes through encode_prefix_z85 or base85_prefix_padding. Make sure you've read the documentation of those functions to avoid pitfalls when encoding across byte boundaries.

Source code in ironcore_alloy/ironcore_alloy.py

    async def get_in_rotation_prefix(self, secret_path: SecretPath,derivation_path: DerivationPath,metadata: AlloyMetadata) -> bytes:
        """
        Generate a prefix that could used to search a data store for fields encrypted using an identifier (KMS
        config id for SaaS Shield, secret id for Standalone). These bytes should be encoded into
        a format matching the encoding in the data store. z85/ascii85 users should first pass these bytes through
        `encode_prefix_z85` or `base85_prefix_padding`. Make sure you've read the documentation of those functions to
        avoid pitfalls when encoding across byte boundaries.
"""
        raise NotImplementedError

log_security_event(event, metadata, event_time_millis) async

Log the security event event to the tenant's log sink. If the event time is unspecified the current time will be used.

Source code in ironcore_alloy/ironcore_alloy.py

    async def log_security_event(self, event: SecurityEvent,metadata: AlloyMetadata,event_time_millis: typing.Optional[int]) -> None:
        """
        Log the security event `event` to the tenant's log sink.
        If the event time is unspecified the current time will be used.
"""
        raise NotImplementedError

rotate_fields(encrypted_fields, metadata, new_tenant_id) async

Re-encrypt already encrypted fields with the Current key for the provided tenant. The metadata passed must contain the tenant ID that the fields were originally encrypted to. If new_tenant_id is empty, the fields will simply be encrypted with the same tenant's current secret.

Source code in ironcore_alloy/ironcore_alloy.py

    async def rotate_fields(self, encrypted_fields: EncryptedFields,metadata: AlloyMetadata,new_tenant_id: typing.Optional[TenantId]) -> DeterministicRotateResult:
        """
        Re-encrypt already encrypted fields with the Current key for the provided tenant. The `metadata` passed
        must contain the tenant ID that the fields were originally encrypted to. If `new_tenant_id` is empty,
        the fields will simply be encrypted with the same tenant's current secret.
"""
        raise NotImplementedError

SaasShieldProtocol

Bases: Protocol

Functions

deterministic()

Source code in ironcore_alloy/ironcore_alloy.py

def deterministic(self, ) -> SaasShieldDeterministicClient:
    raise NotImplementedError

standard()

Source code in ironcore_alloy/ironcore_alloy.py

def standard(self, ) -> SaasShieldStandardClient:
    raise NotImplementedError

standard_attached()

Source code in ironcore_alloy/ironcore_alloy.py

def standard_attached(self, ) -> SaasShieldStandardAttachedClient:
    raise NotImplementedError

vector()

Source code in ironcore_alloy/ironcore_alloy.py

def vector(self, ) -> SaasShieldVectorClient:
    raise NotImplementedError

SaasShieldSecurityEventOps(*args, **kwargs)

Bases: SaasShieldSecurityEventOpsProtocol

Source code in ironcore_alloy/ironcore_alloy.py

def __init__(self, *args, **kwargs):
    raise ValueError("This class has no default constructor")

Functions

log_security_event(event, metadata, event_time_millis) async

Log the security event event to the tenant's log sink. If the event time is unspecified the current time will be used.

Source code in ironcore_alloy/ironcore_alloy.py

    async def log_security_event(self, event: SecurityEvent,metadata: AlloyMetadata,event_time_millis: typing.Optional[int]) -> None:
        """
        Log the security event `event` to the tenant's log sink.
        If the event time is unspecified the current time will be used.
"""

        _UniffiFfiConverterTypeSecurityEvent.check_lower(event)

        _UniffiFfiConverterTypeAlloyMetadata.check_lower(metadata)

        _UniffiFfiConverterOptionalInt64.check_lower(event_time_millis)
        _uniffi_lowered_args = (
            self._uniffi_clone_handle(),
            _UniffiFfiConverterTypeSecurityEvent.lower(event),
            _UniffiFfiConverterTypeAlloyMetadata.lower(metadata),
            _UniffiFfiConverterOptionalInt64.lower(event_time_millis),
        )
        _uniffi_lift_return = lambda val: None
        _uniffi_error_converter = _UniffiFfiConverterTypeAlloyError
        return await _uniffi_rust_call_async(
            _UniffiLib.uniffi_ironcore_alloy_fn_method_saasshieldsecurityeventops_log_security_event(*_uniffi_lowered_args),
            _UniffiLib.ffi_ironcore_alloy_rust_future_poll_void,
            _UniffiLib.ffi_ironcore_alloy_rust_future_complete_void,
            _UniffiLib.ffi_ironcore_alloy_rust_future_free_void,
            _uniffi_lift_return,
            _uniffi_error_converter,
        )

SaasShieldSecurityEventOpsProtocol

Bases: Protocol

Functions

log_security_event(event, metadata, event_time_millis) async

Log the security event event to the tenant's log sink. If the event time is unspecified the current time will be used.

Source code in ironcore_alloy/ironcore_alloy.py

    async def log_security_event(self, event: SecurityEvent,metadata: AlloyMetadata,event_time_millis: typing.Optional[int]) -> None:
        """
        Log the security event `event` to the tenant's log sink.
        If the event time is unspecified the current time will be used.
"""
        raise NotImplementedError

SaasShieldStandardAttachedClient(*args, **kwargs)

Bases: SaasShieldStandardAttachedClientProtocol, SaasShieldSecurityEventOpsProtocol, StandardAttachedDocumentOpsProtocol

Source code in ironcore_alloy/ironcore_alloy.py

def __init__(self, *args, **kwargs):
    raise ValueError("This class has no default constructor")

Functions

decrypt(attached_document, metadata) async

Decrypt a document that was encrypted with the provided metadata. The document must have been encrypted using attached encryption and not deterministic or standard encryption.

Source code in ironcore_alloy/ironcore_alloy.py

    async def decrypt(self, attached_document: EncryptedAttachedDocument,metadata: AlloyMetadata) -> PlaintextAttachedDocument:
        """
        Decrypt a document that was encrypted with the provided metadata.
        The document must have been encrypted using attached encryption and not deterministic or standard encryption.
"""

        _UniffiFfiConverterTypeEncryptedAttachedDocument.check_lower(attached_document)

        _UniffiFfiConverterTypeAlloyMetadata.check_lower(metadata)
        _uniffi_lowered_args = (
            self._uniffi_clone_handle(),
            _UniffiFfiConverterTypeEncryptedAttachedDocument.lower(attached_document),
            _UniffiFfiConverterTypeAlloyMetadata.lower(metadata),
        )
        _uniffi_lift_return = _UniffiFfiConverterTypePlaintextAttachedDocument.lift
        _uniffi_error_converter = _UniffiFfiConverterTypeAlloyError
        return await _uniffi_rust_call_async(
            _UniffiLib.uniffi_ironcore_alloy_fn_method_saasshieldstandardattachedclient_decrypt(*_uniffi_lowered_args),
            _UniffiLib.ffi_ironcore_alloy_rust_future_poll_rust_buffer,
            _UniffiLib.ffi_ironcore_alloy_rust_future_complete_rust_buffer,
            _UniffiLib.ffi_ironcore_alloy_rust_future_free_rust_buffer,
            _uniffi_lift_return,
            _uniffi_error_converter,
        )

decrypt_batch(encrypted_documents, metadata) async

Decrypt multiple documents that were encrypted with the provided metadata. The documents must have been encrypted using attached encryption and not deterministic or standard encryption.

Source code in ironcore_alloy/ironcore_alloy.py

    async def decrypt_batch(self, encrypted_documents: EncryptedAttachedDocuments,metadata: AlloyMetadata) -> StandardAttachedDecryptBatchResult:
        """
        Decrypt multiple documents that were encrypted with the provided metadata.
        The documents must have been encrypted using attached encryption and not deterministic or standard encryption.
"""

        _UniffiFfiConverterTypeEncryptedAttachedDocuments.check_lower(encrypted_documents)

        _UniffiFfiConverterTypeAlloyMetadata.check_lower(metadata)
        _uniffi_lowered_args = (
            self._uniffi_clone_handle(),
            _UniffiFfiConverterTypeEncryptedAttachedDocuments.lower(encrypted_documents),
            _UniffiFfiConverterTypeAlloyMetadata.lower(metadata),
        )
        _uniffi_lift_return = _UniffiFfiConverterTypeStandardAttachedDecryptBatchResult.lift
        _uniffi_error_converter = _UniffiFfiConverterTypeAlloyError
        return await _uniffi_rust_call_async(
            _UniffiLib.uniffi_ironcore_alloy_fn_method_saasshieldstandardattachedclient_decrypt_batch(*_uniffi_lowered_args),
            _UniffiLib.ffi_ironcore_alloy_rust_future_poll_rust_buffer,
            _UniffiLib.ffi_ironcore_alloy_rust_future_complete_rust_buffer,
            _UniffiLib.ffi_ironcore_alloy_rust_future_free_rust_buffer,
            _uniffi_lift_return,
            _uniffi_error_converter,
        )

encrypt(plaintext_document, metadata) async

Encrypt a document with the provided metadata. A DEK (document encryption key) will be generated and encrypted using a derived key. The result is a single blob of bytes with the edek put on the front of it.

Source code in ironcore_alloy/ironcore_alloy.py

    async def encrypt(self, plaintext_document: PlaintextAttachedDocument,metadata: AlloyMetadata) -> EncryptedAttachedDocument:
        """
        Encrypt a document with the provided metadata.
        A DEK (document encryption key) will be generated and encrypted using a derived key.
        The result is a single blob of bytes with the edek put on the front of it.
"""

        _UniffiFfiConverterTypePlaintextAttachedDocument.check_lower(plaintext_document)

        _UniffiFfiConverterTypeAlloyMetadata.check_lower(metadata)
        _uniffi_lowered_args = (
            self._uniffi_clone_handle(),
            _UniffiFfiConverterTypePlaintextAttachedDocument.lower(plaintext_document),
            _UniffiFfiConverterTypeAlloyMetadata.lower(metadata),
        )
        _uniffi_lift_return = _UniffiFfiConverterTypeEncryptedAttachedDocument.lift
        _uniffi_error_converter = _UniffiFfiConverterTypeAlloyError
        return await _uniffi_rust_call_async(
            _UniffiLib.uniffi_ironcore_alloy_fn_method_saasshieldstandardattachedclient_encrypt(*_uniffi_lowered_args),
            _UniffiLib.ffi_ironcore_alloy_rust_future_poll_rust_buffer,
            _UniffiLib.ffi_ironcore_alloy_rust_future_complete_rust_buffer,
            _UniffiLib.ffi_ironcore_alloy_rust_future_free_rust_buffer,
            _uniffi_lift_return,
            _uniffi_error_converter,
        )

encrypt_batch(plaintext_documents, metadata) async

Encrypt multiple documents with the provided metadata. A DEK (document encryption key) will be generated for each document and encrypted using a derived key.

Source code in ironcore_alloy/ironcore_alloy.py

    async def encrypt_batch(self, plaintext_documents: PlaintextAttachedDocuments,metadata: AlloyMetadata) -> StandardAttachedEncryptBatchResult:
        """
        Encrypt multiple documents with the provided metadata.
        A DEK (document encryption key) will be generated for each document and encrypted using a derived key.
"""

        _UniffiFfiConverterTypePlaintextAttachedDocuments.check_lower(plaintext_documents)

        _UniffiFfiConverterTypeAlloyMetadata.check_lower(metadata)
        _uniffi_lowered_args = (
            self._uniffi_clone_handle(),
            _UniffiFfiConverterTypePlaintextAttachedDocuments.lower(plaintext_documents),
            _UniffiFfiConverterTypeAlloyMetadata.lower(metadata),
        )
        _uniffi_lift_return = _UniffiFfiConverterTypeStandardAttachedEncryptBatchResult.lift
        _uniffi_error_converter = _UniffiFfiConverterTypeAlloyError
        return await _uniffi_rust_call_async(
            _UniffiLib.uniffi_ironcore_alloy_fn_method_saasshieldstandardattachedclient_encrypt_batch(*_uniffi_lowered_args),
            _UniffiLib.ffi_ironcore_alloy_rust_future_poll_rust_buffer,
            _UniffiLib.ffi_ironcore_alloy_rust_future_complete_rust_buffer,
            _UniffiLib.ffi_ironcore_alloy_rust_future_free_rust_buffer,
            _uniffi_lift_return,
            _uniffi_error_converter,
        )

get_searchable_edek_prefix(id)

Generate a prefix that could used to search a data store for documents encrypted using an identifier (KMS config id for SaaS Shield, secret id for Standalone). These bytes should be encoded into a format matching the encoding in the data store. z85/ascii85 users should first pass these bytes through encode_prefix_z85 or base85_prefix_padding. Make sure you've read the documentation of those functions to avoid pitfalls when encoding across byte boundaries. Note that this will not work for matching values that don't use our key_id_header format, such as cloaked search.

Source code in ironcore_alloy/ironcore_alloy.py

    def get_searchable_edek_prefix(self, id: int) -> bytes:
        """
        Generate a prefix that could used to search a data store for documents encrypted using an identifier (KMS
        config id for SaaS Shield, secret id for Standalone). These bytes should be encoded into
        a format matching the encoding in the data store. z85/ascii85 users should first pass these bytes through
        `encode_prefix_z85` or `base85_prefix_padding`. Make sure you've read the documentation of those functions to
        avoid pitfalls when encoding across byte boundaries.
        Note that this will not work for matching values that don't use our key_id_header format, such as cloaked search.
"""

        _UniffiFfiConverterInt32.check_lower(id)
        _uniffi_lowered_args = (
            self._uniffi_clone_handle(),
            _UniffiFfiConverterInt32.lower(id),
        )
        _uniffi_lift_return = _UniffiFfiConverterBytes.lift
        _uniffi_error_converter = None
        _uniffi_ffi_result = _uniffi_rust_call_with_error(
            _uniffi_error_converter,
            _UniffiLib.uniffi_ironcore_alloy_fn_method_saasshieldstandardattachedclient_get_searchable_edek_prefix,
            *_uniffi_lowered_args,
        )
        return _uniffi_lift_return(_uniffi_ffi_result)

log_security_event(event, metadata, event_time_millis) async

Log the security event event to the tenant's log sink. If the event time is unspecified the current time will be used.

Source code in ironcore_alloy/ironcore_alloy.py

    async def log_security_event(self, event: SecurityEvent,metadata: AlloyMetadata,event_time_millis: typing.Optional[int]) -> None:
        """
        Log the security event `event` to the tenant's log sink.
        If the event time is unspecified the current time will be used.
"""

        _UniffiFfiConverterTypeSecurityEvent.check_lower(event)

        _UniffiFfiConverterTypeAlloyMetadata.check_lower(metadata)

        _UniffiFfiConverterOptionalInt64.check_lower(event_time_millis)
        _uniffi_lowered_args = (
            self._uniffi_clone_handle(),
            _UniffiFfiConverterTypeSecurityEvent.lower(event),
            _UniffiFfiConverterTypeAlloyMetadata.lower(metadata),
            _UniffiFfiConverterOptionalInt64.lower(event_time_millis),
        )
        _uniffi_lift_return = lambda val: None
        _uniffi_error_converter = _UniffiFfiConverterTypeAlloyError
        return await _uniffi_rust_call_async(
            _UniffiLib.uniffi_ironcore_alloy_fn_method_saasshieldstandardattachedclient_log_security_event(*_uniffi_lowered_args),
            _UniffiLib.ffi_ironcore_alloy_rust_future_poll_void,
            _UniffiLib.ffi_ironcore_alloy_rust_future_complete_void,
            _UniffiLib.ffi_ironcore_alloy_rust_future_free_void,
            _uniffi_lift_return,
            _uniffi_error_converter,
        )

rekey_documents(encrypted_documents, metadata, new_tenant_id) async

Decrypt the provided documents and re-encrypt them using the tenant's current key. If new_tenant_id is None, the documents will be encrypted to the original tenant.

Source code in ironcore_alloy/ironcore_alloy.py

    async def rekey_documents(self, encrypted_documents: EncryptedAttachedDocuments,metadata: AlloyMetadata,new_tenant_id: typing.Optional[TenantId]) -> RekeyAttachedDocumentsBatchResult:
        """
        Decrypt the provided documents and re-encrypt them using the tenant's current key. If `new_tenant_id` is `None`,
        the documents will be encrypted to the original tenant.
"""

        _UniffiFfiConverterTypeEncryptedAttachedDocuments.check_lower(encrypted_documents)

        _UniffiFfiConverterTypeAlloyMetadata.check_lower(metadata)

        _UniffiFfiConverterOptionalTypeTenantId.check_lower(new_tenant_id)
        _uniffi_lowered_args = (
            self._uniffi_clone_handle(),
            _UniffiFfiConverterTypeEncryptedAttachedDocuments.lower(encrypted_documents),
            _UniffiFfiConverterTypeAlloyMetadata.lower(metadata),
            _UniffiFfiConverterOptionalTypeTenantId.lower(new_tenant_id),
        )
        _uniffi_lift_return = _UniffiFfiConverterTypeRekeyAttachedDocumentsBatchResult.lift
        _uniffi_error_converter = _UniffiFfiConverterTypeAlloyError
        return await _uniffi_rust_call_async(
            _UniffiLib.uniffi_ironcore_alloy_fn_method_saasshieldstandardattachedclient_rekey_documents(*_uniffi_lowered_args),
            _UniffiLib.ffi_ironcore_alloy_rust_future_poll_rust_buffer,
            _UniffiLib.ffi_ironcore_alloy_rust_future_complete_rust_buffer,
            _UniffiLib.ffi_ironcore_alloy_rust_future_free_rust_buffer,
            _uniffi_lift_return,
            _uniffi_error_converter,
        )

SaasShieldStandardAttachedClientProtocol

Bases: Protocol

Functions

decrypt(attached_document, metadata) async

Decrypt a document that was encrypted with the provided metadata. The document must have been encrypted using attached encryption and not deterministic or standard encryption.

Source code in ironcore_alloy/ironcore_alloy.py

    async def decrypt(self, attached_document: EncryptedAttachedDocument,metadata: AlloyMetadata) -> PlaintextAttachedDocument:
        """
        Decrypt a document that was encrypted with the provided metadata.
        The document must have been encrypted using attached encryption and not deterministic or standard encryption.
"""
        raise NotImplementedError

decrypt_batch(encrypted_documents, metadata) async

Decrypt multiple documents that were encrypted with the provided metadata. The documents must have been encrypted using attached encryption and not deterministic or standard encryption.

Source code in ironcore_alloy/ironcore_alloy.py

    async def decrypt_batch(self, encrypted_documents: EncryptedAttachedDocuments,metadata: AlloyMetadata) -> StandardAttachedDecryptBatchResult:
        """
        Decrypt multiple documents that were encrypted with the provided metadata.
        The documents must have been encrypted using attached encryption and not deterministic or standard encryption.
"""
        raise NotImplementedError

encrypt(plaintext_document, metadata) async

Encrypt a document with the provided metadata. A DEK (document encryption key) will be generated and encrypted using a derived key. The result is a single blob of bytes with the edek put on the front of it.

Source code in ironcore_alloy/ironcore_alloy.py

    async def encrypt(self, plaintext_document: PlaintextAttachedDocument,metadata: AlloyMetadata) -> EncryptedAttachedDocument:
        """
        Encrypt a document with the provided metadata.
        A DEK (document encryption key) will be generated and encrypted using a derived key.
        The result is a single blob of bytes with the edek put on the front of it.
"""
        raise NotImplementedError

encrypt_batch(plaintext_documents, metadata) async

Encrypt multiple documents with the provided metadata. A DEK (document encryption key) will be generated for each document and encrypted using a derived key.

Source code in ironcore_alloy/ironcore_alloy.py

    async def encrypt_batch(self, plaintext_documents: PlaintextAttachedDocuments,metadata: AlloyMetadata) -> StandardAttachedEncryptBatchResult:
        """
        Encrypt multiple documents with the provided metadata.
        A DEK (document encryption key) will be generated for each document and encrypted using a derived key.
"""
        raise NotImplementedError

get_searchable_edek_prefix(id)

Generate a prefix that could used to search a data store for documents encrypted using an identifier (KMS config id for SaaS Shield, secret id for Standalone). These bytes should be encoded into a format matching the encoding in the data store. z85/ascii85 users should first pass these bytes through encode_prefix_z85 or base85_prefix_padding. Make sure you've read the documentation of those functions to avoid pitfalls when encoding across byte boundaries. Note that this will not work for matching values that don't use our key_id_header format, such as cloaked search.

Source code in ironcore_alloy/ironcore_alloy.py

    def get_searchable_edek_prefix(self, id: int) -> bytes:
        """
        Generate a prefix that could used to search a data store for documents encrypted using an identifier (KMS
        config id for SaaS Shield, secret id for Standalone). These bytes should be encoded into
        a format matching the encoding in the data store. z85/ascii85 users should first pass these bytes through
        `encode_prefix_z85` or `base85_prefix_padding`. Make sure you've read the documentation of those functions to
        avoid pitfalls when encoding across byte boundaries.
        Note that this will not work for matching values that don't use our key_id_header format, such as cloaked search.
"""
        raise NotImplementedError

log_security_event(event, metadata, event_time_millis) async

Log the security event event to the tenant's log sink. If the event time is unspecified the current time will be used.

Source code in ironcore_alloy/ironcore_alloy.py

    async def log_security_event(self, event: SecurityEvent,metadata: AlloyMetadata,event_time_millis: typing.Optional[int]) -> None:
        """
        Log the security event `event` to the tenant's log sink.
        If the event time is unspecified the current time will be used.
"""
        raise NotImplementedError

rekey_documents(encrypted_documents, metadata, new_tenant_id) async

Decrypt the provided documents and re-encrypt them using the tenant's current key. If new_tenant_id is None, the documents will be encrypted to the original tenant.

Source code in ironcore_alloy/ironcore_alloy.py

    async def rekey_documents(self, encrypted_documents: EncryptedAttachedDocuments,metadata: AlloyMetadata,new_tenant_id: typing.Optional[TenantId]) -> RekeyAttachedDocumentsBatchResult:
        """
        Decrypt the provided documents and re-encrypt them using the tenant's current key. If `new_tenant_id` is `None`,
        the documents will be encrypted to the original tenant.
"""
        raise NotImplementedError

SaasShieldStandardClient(*args, **kwargs)

Bases: SaasShieldStandardClientProtocol, SaasShieldSecurityEventOpsProtocol, StandardDocumentOpsProtocol

Source code in ironcore_alloy/ironcore_alloy.py

def __init__(self, *args, **kwargs):
    raise ValueError("This class has no default constructor")

Functions

decrypt(encrypted_document, metadata) async

Decrypt a document that was encrypted with the provided metadata. The document must have been encrypted with one of the StandardDocumentOps.encrypt functions. The result contains a map from field identifiers to decrypted bytes.

Source code in ironcore_alloy/ironcore_alloy.py

    async def decrypt(self, encrypted_document: EncryptedDocument,metadata: AlloyMetadata) -> PlaintextDocument:
        """
        Decrypt a document that was encrypted with the provided metadata. The document must have been encrypted with one
        of the `StandardDocumentOps.encrypt` functions. The result contains a map from field identifiers to decrypted
        bytes.
"""

        _UniffiFfiConverterTypeEncryptedDocument.check_lower(encrypted_document)

        _UniffiFfiConverterTypeAlloyMetadata.check_lower(metadata)
        _uniffi_lowered_args = (
            self._uniffi_clone_handle(),
            _UniffiFfiConverterTypeEncryptedDocument.lower(encrypted_document),
            _UniffiFfiConverterTypeAlloyMetadata.lower(metadata),
        )
        _uniffi_lift_return = _UniffiFfiConverterTypePlaintextDocument.lift
        _uniffi_error_converter = _UniffiFfiConverterTypeAlloyError
        return await _uniffi_rust_call_async(
            _UniffiLib.uniffi_ironcore_alloy_fn_method_saasshieldstandardclient_decrypt(*_uniffi_lowered_args),
            _UniffiLib.ffi_ironcore_alloy_rust_future_poll_rust_buffer,
            _UniffiLib.ffi_ironcore_alloy_rust_future_complete_rust_buffer,
            _UniffiLib.ffi_ironcore_alloy_rust_future_free_rust_buffer,
            _uniffi_lift_return,
            _uniffi_error_converter,
        )

decrypt_batch(encrypted_documents, metadata) async

Decrypt each of the provided documents with the provided metadata. Note that because the metadata is shared between the documents, they all must correspond to the same tenant ID.

Source code in ironcore_alloy/ironcore_alloy.py

    async def decrypt_batch(self, encrypted_documents: EncryptedDocuments,metadata: AlloyMetadata) -> StandardDecryptBatchResult:
        """
        Decrypt each of the provided documents with the provided metadata.
        Note that because the metadata is shared between the documents, they all must correspond to the
        same tenant ID.
"""

        _UniffiFfiConverterTypeEncryptedDocuments.check_lower(encrypted_documents)

        _UniffiFfiConverterTypeAlloyMetadata.check_lower(metadata)
        _uniffi_lowered_args = (
            self._uniffi_clone_handle(),
            _UniffiFfiConverterTypeEncryptedDocuments.lower(encrypted_documents),
            _UniffiFfiConverterTypeAlloyMetadata.lower(metadata),
        )
        _uniffi_lift_return = _UniffiFfiConverterTypeStandardDecryptBatchResult.lift
        _uniffi_error_converter = _UniffiFfiConverterTypeAlloyError
        return await _uniffi_rust_call_async(
            _UniffiLib.uniffi_ironcore_alloy_fn_method_saasshieldstandardclient_decrypt_batch(*_uniffi_lowered_args),
            _UniffiLib.ffi_ironcore_alloy_rust_future_poll_rust_buffer,
            _UniffiLib.ffi_ironcore_alloy_rust_future_complete_rust_buffer,
            _UniffiLib.ffi_ironcore_alloy_rust_future_free_rust_buffer,
            _uniffi_lift_return,
            _uniffi_error_converter,
        )

encrypt(plaintext_document, metadata) async

Encrypt a document with the provided metadata. The document must be a map from field identifiers to plaintext bytes, and the same metadata must be provided when decrypting the document. A DEK (document encryption key) will be generated and encrypted using a derived key, then each field of the document will be encrypted separately using a random IV and this single generated DEK. The result contains a map from field identifiers to encrypted bytes as well as the EDEK (encrypted document encryption key) used for encryption. The document is encrypted differently with each call, so the result is not suited for exact matches or indexing. For the same reason however the strongest protection of the document is provided by this method. To support these uses, see the DeterministicFieldOps.encrypt function.

Source code in ironcore_alloy/ironcore_alloy.py

    async def encrypt(self, plaintext_document: PlaintextDocument,metadata: AlloyMetadata) -> EncryptedDocument:
        """
        Encrypt a document with the provided metadata. The document must be a map from field identifiers to plaintext
        bytes, and the same metadata must be provided when decrypting the document.
        A DEK (document encryption key) will be generated and encrypted using a derived key, then each field of the
        document will be encrypted separately using a random IV and this single generated DEK.
        The result contains a map from field identifiers to encrypted bytes as well as the EDEK (encrypted document
        encryption key) used for encryption.
        The document is encrypted differently with each call, so the result is not suited for exact matches or indexing.
        For the same reason however the strongest protection of the document is provided by this method.
        To support these uses, see the `DeterministicFieldOps.encrypt` function.
"""

        _UniffiFfiConverterTypePlaintextDocument.check_lower(plaintext_document)

        _UniffiFfiConverterTypeAlloyMetadata.check_lower(metadata)
        _uniffi_lowered_args = (
            self._uniffi_clone_handle(),
            _UniffiFfiConverterTypePlaintextDocument.lower(plaintext_document),
            _UniffiFfiConverterTypeAlloyMetadata.lower(metadata),
        )
        _uniffi_lift_return = _UniffiFfiConverterTypeEncryptedDocument.lift
        _uniffi_error_converter = _UniffiFfiConverterTypeAlloyError
        return await _uniffi_rust_call_async(
            _UniffiLib.uniffi_ironcore_alloy_fn_method_saasshieldstandardclient_encrypt(*_uniffi_lowered_args),
            _UniffiLib.ffi_ironcore_alloy_rust_future_poll_rust_buffer,
            _UniffiLib.ffi_ironcore_alloy_rust_future_complete_rust_buffer,
            _UniffiLib.ffi_ironcore_alloy_rust_future_free_rust_buffer,
            _uniffi_lift_return,
            _uniffi_error_converter,
        )

encrypt_batch(plaintext_documents, metadata) async

Encrypt each of the provided documents with the provided metadata. Note that because only a single metadata value is passed, each document will be encrypted to the same tenant.

Source code in ironcore_alloy/ironcore_alloy.py

    async def encrypt_batch(self, plaintext_documents: PlaintextDocuments,metadata: AlloyMetadata) -> StandardEncryptBatchResult:
        """
        Encrypt each of the provided documents with the provided metadata.
        Note that because only a single metadata value is passed, each document will be encrypted to the same tenant.
"""

        _UniffiFfiConverterTypePlaintextDocuments.check_lower(plaintext_documents)

        _UniffiFfiConverterTypeAlloyMetadata.check_lower(metadata)
        _uniffi_lowered_args = (
            self._uniffi_clone_handle(),
            _UniffiFfiConverterTypePlaintextDocuments.lower(plaintext_documents),
            _UniffiFfiConverterTypeAlloyMetadata.lower(metadata),
        )
        _uniffi_lift_return = _UniffiFfiConverterTypeStandardEncryptBatchResult.lift
        _uniffi_error_converter = _UniffiFfiConverterTypeAlloyError
        return await _uniffi_rust_call_async(
            _UniffiLib.uniffi_ironcore_alloy_fn_method_saasshieldstandardclient_encrypt_batch(*_uniffi_lowered_args),
            _UniffiLib.ffi_ironcore_alloy_rust_future_poll_rust_buffer,
            _UniffiLib.ffi_ironcore_alloy_rust_future_complete_rust_buffer,
            _UniffiLib.ffi_ironcore_alloy_rust_future_free_rust_buffer,
            _uniffi_lift_return,
            _uniffi_error_converter,
        )

encrypt_with_existing_edek(plaintext_document, metadata) async

Encrypt a document with the provided metadata. The document must be a map from field identifiers to plaintext bytes, and the same metadata must be provided when decrypting the document. The provided EDEK will be decrypted and used to encrypt each field. This is useful when updating some fields of the document. The provided EDEK's format will determine the output document format, not the legacy_tsc_write_format setting. A legacy EDEK will produce legacy document, a non-legacy EDEK will produce a current document. Rekey EDEKs per TSC_ALLOY_MIGRATION_GUIDE.md if this is undesired.

Source code in ironcore_alloy/ironcore_alloy.py

    async def encrypt_with_existing_edek(self, plaintext_document: PlaintextDocumentWithEdek,metadata: AlloyMetadata) -> EncryptedDocument:
        """
        Encrypt a document with the provided metadata. The document must be a map from field identifiers to plaintext
        bytes, and the same metadata must be provided when decrypting the document.
        The provided EDEK will be decrypted and used to encrypt each field. This is useful when updating some fields
        of the document.
        The provided EDEK's format will determine the output document format, not the `legacy_tsc_write_format` setting.
        A legacy EDEK will produce legacy document, a non-legacy EDEK will produce a current document. Rekey EDEKs per
        `TSC_ALLOY_MIGRATION_GUIDE.md` if this is undesired.
"""

        _UniffiFfiConverterTypePlaintextDocumentWithEdek.check_lower(plaintext_document)

        _UniffiFfiConverterTypeAlloyMetadata.check_lower(metadata)
        _uniffi_lowered_args = (
            self._uniffi_clone_handle(),
            _UniffiFfiConverterTypePlaintextDocumentWithEdek.lower(plaintext_document),
            _UniffiFfiConverterTypeAlloyMetadata.lower(metadata),
        )
        _uniffi_lift_return = _UniffiFfiConverterTypeEncryptedDocument.lift
        _uniffi_error_converter = _UniffiFfiConverterTypeAlloyError
        return await _uniffi_rust_call_async(
            _UniffiLib.uniffi_ironcore_alloy_fn_method_saasshieldstandardclient_encrypt_with_existing_edek(*_uniffi_lowered_args),
            _UniffiLib.ffi_ironcore_alloy_rust_future_poll_rust_buffer,
            _UniffiLib.ffi_ironcore_alloy_rust_future_complete_rust_buffer,
            _UniffiLib.ffi_ironcore_alloy_rust_future_free_rust_buffer,
            _uniffi_lift_return,
            _uniffi_error_converter,
        )

encrypt_with_existing_edek_batch(plaintext_documents, metadata) async

Encrypt multiple documents with the provided metadata. The provided EDEKs will be decrypted and used to encrypt each corresponding document's fields. This is useful when updating some fields of the document. The provided EDEK's format will determine the output documents format, not the legacy_tsc_write_format setting. A legacy EDEK will produce legacy document, a non-legacy EDEK will produce a current document. Rekey EDEKs per TSC_ALLOY_MIGRATION_GUIDE.md if this is undesired.

Source code in ironcore_alloy/ironcore_alloy.py

    async def encrypt_with_existing_edek_batch(self, plaintext_documents: PlaintextDocumentsWithEdeks,metadata: AlloyMetadata) -> StandardEncryptBatchResult:
        """
        Encrypt multiple documents with the provided metadata.
        The provided EDEKs will be decrypted and used to encrypt each corresponding document's fields.
        This is useful when updating some fields of the document.
        The provided EDEK's format will determine the output documents format, not the `legacy_tsc_write_format` setting.
        A legacy EDEK will produce legacy document, a non-legacy EDEK will produce a current document. Rekey EDEKs per
        `TSC_ALLOY_MIGRATION_GUIDE.md` if this is undesired.
"""

        _UniffiFfiConverterTypePlaintextDocumentsWithEdeks.check_lower(plaintext_documents)

        _UniffiFfiConverterTypeAlloyMetadata.check_lower(metadata)
        _uniffi_lowered_args = (
            self._uniffi_clone_handle(),
            _UniffiFfiConverterTypePlaintextDocumentsWithEdeks.lower(plaintext_documents),
            _UniffiFfiConverterTypeAlloyMetadata.lower(metadata),
        )
        _uniffi_lift_return = _UniffiFfiConverterTypeStandardEncryptBatchResult.lift
        _uniffi_error_converter = _UniffiFfiConverterTypeAlloyError
        return await _uniffi_rust_call_async(
            _UniffiLib.uniffi_ironcore_alloy_fn_method_saasshieldstandardclient_encrypt_with_existing_edek_batch(*_uniffi_lowered_args),
            _UniffiLib.ffi_ironcore_alloy_rust_future_poll_rust_buffer,
            _UniffiLib.ffi_ironcore_alloy_rust_future_complete_rust_buffer,
            _UniffiLib.ffi_ironcore_alloy_rust_future_free_rust_buffer,
            _uniffi_lift_return,
            _uniffi_error_converter,
        )

get_searchable_edek_prefix(id)

Generate a prefix that could be used to search a data store for documents encrypted using an identifier (KMS config id for SaaS Shield, secret id for Standalone). These bytes should be encoded into a format matching the encoding in the data store. z85/ascii85 users should first pass these bytes through encode_prefix_z85 or base85_prefix_padding. Make sure you've read the documentation of those functions to avoid pitfalls when encoding across byte boundaries.

Warning: this will never match a SaaS Shield Standard EDEK created legacy_tsc_write_format (or the legacy TSCs). Upgrade to the V5 data format via the TSC_ALLOY_MIGRATION_GUIDE.md to take advantage of this functionality.

Source code in ironcore_alloy/ironcore_alloy.py

    def get_searchable_edek_prefix(self, id: int) -> bytes:
        """
        Generate a prefix that could be used to search a data store for documents encrypted using an identifier (KMS
        config id for SaaS Shield, secret id for Standalone). These bytes should be encoded into
        a format matching the encoding in the data store. z85/ascii85 users should first pass these bytes through
        `encode_prefix_z85` or `base85_prefix_padding`. Make sure you've read the documentation of those functions to
        avoid pitfalls when encoding across byte boundaries.

        Warning: this will never match a SaaS Shield Standard EDEK created `legacy_tsc_write_format` (or the
        legacy TSCs). Upgrade to the V5 data format via the `TSC_ALLOY_MIGRATION_GUIDE.md` to take advantage of this
        functionality.
"""

        _UniffiFfiConverterInt32.check_lower(id)
        _uniffi_lowered_args = (
            self._uniffi_clone_handle(),
            _UniffiFfiConverterInt32.lower(id),
        )
        _uniffi_lift_return = _UniffiFfiConverterBytes.lift
        _uniffi_error_converter = None
        _uniffi_ffi_result = _uniffi_rust_call_with_error(
            _uniffi_error_converter,
            _UniffiLib.uniffi_ironcore_alloy_fn_method_saasshieldstandardclient_get_searchable_edek_prefix,
            *_uniffi_lowered_args,
        )
        return _uniffi_lift_return(_uniffi_ffi_result)

log_security_event(event, metadata, event_time_millis) async

Log the security event event to the tenant's log sink. If the event time is unspecified the current time will be used.

Source code in ironcore_alloy/ironcore_alloy.py

    async def log_security_event(self, event: SecurityEvent,metadata: AlloyMetadata,event_time_millis: typing.Optional[int]) -> None:
        """
        Log the security event `event` to the tenant's log sink.
        If the event time is unspecified the current time will be used.
"""

        _UniffiFfiConverterTypeSecurityEvent.check_lower(event)

        _UniffiFfiConverterTypeAlloyMetadata.check_lower(metadata)

        _UniffiFfiConverterOptionalInt64.check_lower(event_time_millis)
        _uniffi_lowered_args = (
            self._uniffi_clone_handle(),
            _UniffiFfiConverterTypeSecurityEvent.lower(event),
            _UniffiFfiConverterTypeAlloyMetadata.lower(metadata),
            _UniffiFfiConverterOptionalInt64.lower(event_time_millis),
        )
        _uniffi_lift_return = lambda val: None
        _uniffi_error_converter = _UniffiFfiConverterTypeAlloyError
        return await _uniffi_rust_call_async(
            _UniffiLib.uniffi_ironcore_alloy_fn_method_saasshieldstandardclient_log_security_event(*_uniffi_lowered_args),
            _UniffiLib.ffi_ironcore_alloy_rust_future_poll_void,
            _UniffiLib.ffi_ironcore_alloy_rust_future_complete_void,
            _UniffiLib.ffi_ironcore_alloy_rust_future_free_void,
            _uniffi_lift_return,
            _uniffi_error_converter,
        )

rekey_edeks(edeks, metadata, new_tenant_id) async

Decrypt the provided EDEKs and re-encrypt them using the tenant's current key. If new_tenant_id is None, the EDEK will be encrypted to the original tenant. Because the underlying DEK does not change, a document associated with the old EDEK can be decrypted with the new EDEK without changing its document data.

Source code in ironcore_alloy/ironcore_alloy.py

    async def rekey_edeks(self, edeks: dict[DocumentId, EdekWithKeyIdHeader],metadata: AlloyMetadata,new_tenant_id: typing.Optional[TenantId]) -> RekeyEdeksBatchResult:
        """
        Decrypt the provided EDEKs and re-encrypt them using the tenant's current key. If `new_tenant_id` is `None`,
        the EDEK will be encrypted to the original tenant. Because the underlying DEK does not change, a document
        associated with the old EDEK can be decrypted with the new EDEK without changing its document data.
"""

        _UniffiFfiConverterMapTypeDocumentIdTypeEdekWithKeyIdHeader.check_lower(edeks)

        _UniffiFfiConverterTypeAlloyMetadata.check_lower(metadata)

        _UniffiFfiConverterOptionalTypeTenantId.check_lower(new_tenant_id)
        _uniffi_lowered_args = (
            self._uniffi_clone_handle(),
            _UniffiFfiConverterMapTypeDocumentIdTypeEdekWithKeyIdHeader.lower(edeks),
            _UniffiFfiConverterTypeAlloyMetadata.lower(metadata),
            _UniffiFfiConverterOptionalTypeTenantId.lower(new_tenant_id),
        )
        _uniffi_lift_return = _UniffiFfiConverterTypeRekeyEdeksBatchResult.lift
        _uniffi_error_converter = _UniffiFfiConverterTypeAlloyError
        return await _uniffi_rust_call_async(
            _UniffiLib.uniffi_ironcore_alloy_fn_method_saasshieldstandardclient_rekey_edeks(*_uniffi_lowered_args),
            _UniffiLib.ffi_ironcore_alloy_rust_future_poll_rust_buffer,
            _UniffiLib.ffi_ironcore_alloy_rust_future_complete_rust_buffer,
            _UniffiLib.ffi_ironcore_alloy_rust_future_free_rust_buffer,
            _uniffi_lift_return,
            _uniffi_error_converter,
        )

SaasShieldStandardClientProtocol

Bases: Protocol

Functions

decrypt(encrypted_document, metadata) async

Decrypt a document that was encrypted with the provided metadata. The document must have been encrypted with one of the StandardDocumentOps.encrypt functions. The result contains a map from field identifiers to decrypted bytes.

Source code in ironcore_alloy/ironcore_alloy.py

    async def decrypt(self, encrypted_document: EncryptedDocument,metadata: AlloyMetadata) -> PlaintextDocument:
        """
        Decrypt a document that was encrypted with the provided metadata. The document must have been encrypted with one
        of the `StandardDocumentOps.encrypt` functions. The result contains a map from field identifiers to decrypted
        bytes.
"""
        raise NotImplementedError

decrypt_batch(encrypted_documents, metadata) async

Decrypt each of the provided documents with the provided metadata. Note that because the metadata is shared between the documents, they all must correspond to the same tenant ID.

Source code in ironcore_alloy/ironcore_alloy.py

    async def decrypt_batch(self, encrypted_documents: EncryptedDocuments,metadata: AlloyMetadata) -> StandardDecryptBatchResult:
        """
        Decrypt each of the provided documents with the provided metadata.
        Note that because the metadata is shared between the documents, they all must correspond to the
        same tenant ID.
"""
        raise NotImplementedError

encrypt(plaintext_document, metadata) async

Encrypt a document with the provided metadata. The document must be a map from field identifiers to plaintext bytes, and the same metadata must be provided when decrypting the document. A DEK (document encryption key) will be generated and encrypted using a derived key, then each field of the document will be encrypted separately using a random IV and this single generated DEK. The result contains a map from field identifiers to encrypted bytes as well as the EDEK (encrypted document encryption key) used for encryption. The document is encrypted differently with each call, so the result is not suited for exact matches or indexing. For the same reason however the strongest protection of the document is provided by this method. To support these uses, see the DeterministicFieldOps.encrypt function.

Source code in ironcore_alloy/ironcore_alloy.py

    async def encrypt(self, plaintext_document: PlaintextDocument,metadata: AlloyMetadata) -> EncryptedDocument:
        """
        Encrypt a document with the provided metadata. The document must be a map from field identifiers to plaintext
        bytes, and the same metadata must be provided when decrypting the document.
        A DEK (document encryption key) will be generated and encrypted using a derived key, then each field of the
        document will be encrypted separately using a random IV and this single generated DEK.
        The result contains a map from field identifiers to encrypted bytes as well as the EDEK (encrypted document
        encryption key) used for encryption.
        The document is encrypted differently with each call, so the result is not suited for exact matches or indexing.
        For the same reason however the strongest protection of the document is provided by this method.
        To support these uses, see the `DeterministicFieldOps.encrypt` function.
"""
        raise NotImplementedError

encrypt_batch(plaintext_documents, metadata) async

Encrypt each of the provided documents with the provided metadata. Note that because only a single metadata value is passed, each document will be encrypted to the same tenant.

Source code in ironcore_alloy/ironcore_alloy.py

    async def encrypt_batch(self, plaintext_documents: PlaintextDocuments,metadata: AlloyMetadata) -> StandardEncryptBatchResult:
        """
        Encrypt each of the provided documents with the provided metadata.
        Note that because only a single metadata value is passed, each document will be encrypted to the same tenant.
"""
        raise NotImplementedError

encrypt_with_existing_edek(plaintext_document, metadata) async

Encrypt a document with the provided metadata. The document must be a map from field identifiers to plaintext bytes, and the same metadata must be provided when decrypting the document. The provided EDEK will be decrypted and used to encrypt each field. This is useful when updating some fields of the document. The provided EDEK's format will determine the output document format, not the legacy_tsc_write_format setting. A legacy EDEK will produce legacy document, a non-legacy EDEK will produce a current document. Rekey EDEKs per TSC_ALLOY_MIGRATION_GUIDE.md if this is undesired.

Source code in ironcore_alloy/ironcore_alloy.py

    async def encrypt_with_existing_edek(self, plaintext_document: PlaintextDocumentWithEdek,metadata: AlloyMetadata) -> EncryptedDocument:
        """
        Encrypt a document with the provided metadata. The document must be a map from field identifiers to plaintext
        bytes, and the same metadata must be provided when decrypting the document.
        The provided EDEK will be decrypted and used to encrypt each field. This is useful when updating some fields
        of the document.
        The provided EDEK's format will determine the output document format, not the `legacy_tsc_write_format` setting.
        A legacy EDEK will produce legacy document, a non-legacy EDEK will produce a current document. Rekey EDEKs per
        `TSC_ALLOY_MIGRATION_GUIDE.md` if this is undesired.
"""
        raise NotImplementedError

encrypt_with_existing_edek_batch(plaintext_documents, metadata) async

Encrypt multiple documents with the provided metadata. The provided EDEKs will be decrypted and used to encrypt each corresponding document's fields. This is useful when updating some fields of the document. The provided EDEK's format will determine the output documents format, not the legacy_tsc_write_format setting. A legacy EDEK will produce legacy document, a non-legacy EDEK will produce a current document. Rekey EDEKs per TSC_ALLOY_MIGRATION_GUIDE.md if this is undesired.

Source code in ironcore_alloy/ironcore_alloy.py

    async def encrypt_with_existing_edek_batch(self, plaintext_documents: PlaintextDocumentsWithEdeks,metadata: AlloyMetadata) -> StandardEncryptBatchResult:
        """
        Encrypt multiple documents with the provided metadata.
        The provided EDEKs will be decrypted and used to encrypt each corresponding document's fields.
        This is useful when updating some fields of the document.
        The provided EDEK's format will determine the output documents format, not the `legacy_tsc_write_format` setting.
        A legacy EDEK will produce legacy document, a non-legacy EDEK will produce a current document. Rekey EDEKs per
        `TSC_ALLOY_MIGRATION_GUIDE.md` if this is undesired.
"""
        raise NotImplementedError

get_searchable_edek_prefix(id)

Generate a prefix that could be used to search a data store for documents encrypted using an identifier (KMS config id for SaaS Shield, secret id for Standalone). These bytes should be encoded into a format matching the encoding in the data store. z85/ascii85 users should first pass these bytes through encode_prefix_z85 or base85_prefix_padding. Make sure you've read the documentation of those functions to avoid pitfalls when encoding across byte boundaries.

Warning: this will never match a SaaS Shield Standard EDEK created legacy_tsc_write_format (or the legacy TSCs). Upgrade to the V5 data format via the TSC_ALLOY_MIGRATION_GUIDE.md to take advantage of this functionality.

Source code in ironcore_alloy/ironcore_alloy.py

    def get_searchable_edek_prefix(self, id: int) -> bytes:
        """
        Generate a prefix that could be used to search a data store for documents encrypted using an identifier (KMS
        config id for SaaS Shield, secret id for Standalone). These bytes should be encoded into
        a format matching the encoding in the data store. z85/ascii85 users should first pass these bytes through
        `encode_prefix_z85` or `base85_prefix_padding`. Make sure you've read the documentation of those functions to
        avoid pitfalls when encoding across byte boundaries.

        Warning: this will never match a SaaS Shield Standard EDEK created `legacy_tsc_write_format` (or the
        legacy TSCs). Upgrade to the V5 data format via the `TSC_ALLOY_MIGRATION_GUIDE.md` to take advantage of this
        functionality.
"""
        raise NotImplementedError

log_security_event(event, metadata, event_time_millis) async

Log the security event event to the tenant's log sink. If the event time is unspecified the current time will be used.

Source code in ironcore_alloy/ironcore_alloy.py

    async def log_security_event(self, event: SecurityEvent,metadata: AlloyMetadata,event_time_millis: typing.Optional[int]) -> None:
        """
        Log the security event `event` to the tenant's log sink.
        If the event time is unspecified the current time will be used.
"""
        raise NotImplementedError

rekey_edeks(edeks, metadata, new_tenant_id) async

Decrypt the provided EDEKs and re-encrypt them using the tenant's current key. If new_tenant_id is None, the EDEK will be encrypted to the original tenant. Because the underlying DEK does not change, a document associated with the old EDEK can be decrypted with the new EDEK without changing its document data.

Source code in ironcore_alloy/ironcore_alloy.py

    async def rekey_edeks(self, edeks: dict[DocumentId, EdekWithKeyIdHeader],metadata: AlloyMetadata,new_tenant_id: typing.Optional[TenantId]) -> RekeyEdeksBatchResult:
        """
        Decrypt the provided EDEKs and re-encrypt them using the tenant's current key. If `new_tenant_id` is `None`,
        the EDEK will be encrypted to the original tenant. Because the underlying DEK does not change, a document
        associated with the old EDEK can be decrypted with the new EDEK without changing its document data.
"""
        raise NotImplementedError

SaasShieldVectorClient(*args, **kwargs)

Bases: SaasShieldVectorClientProtocol, SaasShieldSecurityEventOpsProtocol, VectorOpsProtocol

Source code in ironcore_alloy/ironcore_alloy.py

def __init__(self, *args, **kwargs):
    raise ValueError("This class has no default constructor")

Functions

decrypt(encrypted_vector, metadata) async

Decrypt a vector embedding that was encrypted with the provided metadata. The values of the embedding will be unshuffled to their original positions during decryption.

Source code in ironcore_alloy/ironcore_alloy.py

    async def decrypt(self, encrypted_vector: EncryptedVector,metadata: AlloyMetadata) -> PlaintextVector:
        """
        Decrypt a vector embedding that was encrypted with the provided metadata. The values of the embedding will
        be unshuffled to their original positions during decryption.
"""

        _UniffiFfiConverterTypeEncryptedVector.check_lower(encrypted_vector)

        _UniffiFfiConverterTypeAlloyMetadata.check_lower(metadata)
        _uniffi_lowered_args = (
            self._uniffi_clone_handle(),
            _UniffiFfiConverterTypeEncryptedVector.lower(encrypted_vector),
            _UniffiFfiConverterTypeAlloyMetadata.lower(metadata),
        )
        _uniffi_lift_return = _UniffiFfiConverterTypePlaintextVector.lift
        _uniffi_error_converter = _UniffiFfiConverterTypeAlloyError
        return await _uniffi_rust_call_async(
            _UniffiLib.uniffi_ironcore_alloy_fn_method_saasshieldvectorclient_decrypt(*_uniffi_lowered_args),
            _UniffiLib.ffi_ironcore_alloy_rust_future_poll_rust_buffer,
            _UniffiLib.ffi_ironcore_alloy_rust_future_complete_rust_buffer,
            _UniffiLib.ffi_ironcore_alloy_rust_future_free_rust_buffer,
            _uniffi_lift_return,
            _uniffi_error_converter,
        )

decrypt_batch(encrypted_vectors, metadata) async

Decrypt multiple vector embeddings that were encrypted with the provided metadata. The values of the embeddings will be unshuffled to their original positions during decryption. Note that because the metadata is shared between the vectors, they all must correspond to the same tenant ID.

Source code in ironcore_alloy/ironcore_alloy.py

    async def decrypt_batch(self, encrypted_vectors: EncryptedVectors,metadata: AlloyMetadata) -> VectorDecryptBatchResult:
        """
        Decrypt multiple vector embeddings that were encrypted with the provided metadata. The values of the embeddings
        will be unshuffled to their original positions during decryption.
        Note that because the metadata is shared between the vectors, they all must correspond to the
        same tenant ID.
"""

        _UniffiFfiConverterTypeEncryptedVectors.check_lower(encrypted_vectors)

        _UniffiFfiConverterTypeAlloyMetadata.check_lower(metadata)
        _uniffi_lowered_args = (
            self._uniffi_clone_handle(),
            _UniffiFfiConverterTypeEncryptedVectors.lower(encrypted_vectors),
            _UniffiFfiConverterTypeAlloyMetadata.lower(metadata),
        )
        _uniffi_lift_return = _UniffiFfiConverterTypeVectorDecryptBatchResult.lift
        _uniffi_error_converter = _UniffiFfiConverterTypeAlloyError
        return await _uniffi_rust_call_async(
            _UniffiLib.uniffi_ironcore_alloy_fn_method_saasshieldvectorclient_decrypt_batch(*_uniffi_lowered_args),
            _UniffiLib.ffi_ironcore_alloy_rust_future_poll_rust_buffer,
            _UniffiLib.ffi_ironcore_alloy_rust_future_complete_rust_buffer,
            _UniffiLib.ffi_ironcore_alloy_rust_future_free_rust_buffer,
            _uniffi_lift_return,
            _uniffi_error_converter,
        )

encrypt(plaintext_vector, metadata) async

Encrypt a vector embedding with the provided metadata. The provided embedding is assumed to be normalized and its values will be shuffled as part of the encryption. The same tenant ID must be provided in the metadata when decrypting the embedding.

Source code in ironcore_alloy/ironcore_alloy.py

    async def encrypt(self, plaintext_vector: PlaintextVector,metadata: AlloyMetadata) -> EncryptedVector:
        """
        Encrypt a vector embedding with the provided metadata. The provided embedding is assumed to be normalized
        and its values will be shuffled as part of the encryption.
        The same tenant ID must be provided in the metadata when decrypting the embedding.
"""

        _UniffiFfiConverterTypePlaintextVector.check_lower(plaintext_vector)

        _UniffiFfiConverterTypeAlloyMetadata.check_lower(metadata)
        _uniffi_lowered_args = (
            self._uniffi_clone_handle(),
            _UniffiFfiConverterTypePlaintextVector.lower(plaintext_vector),
            _UniffiFfiConverterTypeAlloyMetadata.lower(metadata),
        )
        _uniffi_lift_return = _UniffiFfiConverterTypeEncryptedVector.lift
        _uniffi_error_converter = _UniffiFfiConverterTypeAlloyError
        return await _uniffi_rust_call_async(
            _UniffiLib.uniffi_ironcore_alloy_fn_method_saasshieldvectorclient_encrypt(*_uniffi_lowered_args),
            _UniffiLib.ffi_ironcore_alloy_rust_future_poll_rust_buffer,
            _UniffiLib.ffi_ironcore_alloy_rust_future_complete_rust_buffer,
            _UniffiLib.ffi_ironcore_alloy_rust_future_free_rust_buffer,
            _uniffi_lift_return,
            _uniffi_error_converter,
        )

encrypt_batch(plaintext_vectors, metadata) async

Encrypt multiple vector embeddings with the provided metadata. The provided embeddings are assumed to be normalized and their values will be shuffled as part of the encryption. The same tenant ID must be provided in the metadata when decrypting the embeddings.

Source code in ironcore_alloy/ironcore_alloy.py

    async def encrypt_batch(self, plaintext_vectors: PlaintextVectors,metadata: AlloyMetadata) -> VectorEncryptBatchResult:
        """
        Encrypt multiple vector embeddings with the provided metadata. The provided embeddings are assumed to be normalized
        and their values will be shuffled as part of the encryption.
        The same tenant ID must be provided in the metadata when decrypting the embeddings.
"""

        _UniffiFfiConverterTypePlaintextVectors.check_lower(plaintext_vectors)

        _UniffiFfiConverterTypeAlloyMetadata.check_lower(metadata)
        _uniffi_lowered_args = (
            self._uniffi_clone_handle(),
            _UniffiFfiConverterTypePlaintextVectors.lower(plaintext_vectors),
            _UniffiFfiConverterTypeAlloyMetadata.lower(metadata),
        )
        _uniffi_lift_return = _UniffiFfiConverterTypeVectorEncryptBatchResult.lift
        _uniffi_error_converter = _UniffiFfiConverterTypeAlloyError
        return await _uniffi_rust_call_async(
            _UniffiLib.uniffi_ironcore_alloy_fn_method_saasshieldvectorclient_encrypt_batch(*_uniffi_lowered_args),
            _UniffiLib.ffi_ironcore_alloy_rust_future_poll_rust_buffer,
            _UniffiLib.ffi_ironcore_alloy_rust_future_complete_rust_buffer,
            _UniffiLib.ffi_ironcore_alloy_rust_future_free_rust_buffer,
            _uniffi_lift_return,
            _uniffi_error_converter,
        )

generate_query_vectors(vectors_to_query, metadata) async

Encrypt each plaintext vector with any Current and InRotation keys for the provided secret path. The resulting encrypted vectors should be used in tandem when querying the vector database.

Source code in ironcore_alloy/ironcore_alloy.py

    async def generate_query_vectors(self, vectors_to_query: PlaintextVectors,metadata: AlloyMetadata) -> GenerateVectorQueryResult:
        """
        Encrypt each plaintext vector with any Current and InRotation keys for the provided secret path.
        The resulting encrypted vectors should be used in tandem when querying the vector database.
"""

        _UniffiFfiConverterTypePlaintextVectors.check_lower(vectors_to_query)

        _UniffiFfiConverterTypeAlloyMetadata.check_lower(metadata)
        _uniffi_lowered_args = (
            self._uniffi_clone_handle(),
            _UniffiFfiConverterTypePlaintextVectors.lower(vectors_to_query),
            _UniffiFfiConverterTypeAlloyMetadata.lower(metadata),
        )
        _uniffi_lift_return = _UniffiFfiConverterTypeGenerateVectorQueryResult.lift
        _uniffi_error_converter = _UniffiFfiConverterTypeAlloyError
        return await _uniffi_rust_call_async(
            _UniffiLib.uniffi_ironcore_alloy_fn_method_saasshieldvectorclient_generate_query_vectors(*_uniffi_lowered_args),
            _UniffiLib.ffi_ironcore_alloy_rust_future_poll_rust_buffer,
            _UniffiLib.ffi_ironcore_alloy_rust_future_complete_rust_buffer,
            _UniffiLib.ffi_ironcore_alloy_rust_future_free_rust_buffer,
            _uniffi_lift_return,
            _uniffi_error_converter,
        )

get_in_rotation_prefix(secret_path, derivation_path, metadata) async

Get the byte prefix for the InRotation secret corresponding to this secret_path/derivation_path. Note that if you use z85 or ascii85 encoding, the result of this function should be passed to base85_compat_prefix_bytes before searching your datastore.

Source code in ironcore_alloy/ironcore_alloy.py

    async def get_in_rotation_prefix(self, secret_path: SecretPath,derivation_path: DerivationPath,metadata: AlloyMetadata) -> bytes:
        """
        Get the byte prefix for the InRotation secret corresponding to this secret_path/derivation_path.
        Note that if you use z85 or ascii85 encoding, the result of this function should be passed to `base85_compat_prefix_bytes`
        before searching your datastore.
"""

        _UniffiFfiConverterTypeSecretPath.check_lower(secret_path)

        _UniffiFfiConverterTypeDerivationPath.check_lower(derivation_path)

        _UniffiFfiConverterTypeAlloyMetadata.check_lower(metadata)
        _uniffi_lowered_args = (
            self._uniffi_clone_handle(),
            _UniffiFfiConverterTypeSecretPath.lower(secret_path),
            _UniffiFfiConverterTypeDerivationPath.lower(derivation_path),
            _UniffiFfiConverterTypeAlloyMetadata.lower(metadata),
        )
        _uniffi_lift_return = _UniffiFfiConverterBytes.lift
        _uniffi_error_converter = _UniffiFfiConverterTypeAlloyError
        return await _uniffi_rust_call_async(
            _UniffiLib.uniffi_ironcore_alloy_fn_method_saasshieldvectorclient_get_in_rotation_prefix(*_uniffi_lowered_args),
            _UniffiLib.ffi_ironcore_alloy_rust_future_poll_rust_buffer,
            _UniffiLib.ffi_ironcore_alloy_rust_future_complete_rust_buffer,
            _UniffiLib.ffi_ironcore_alloy_rust_future_free_rust_buffer,
            _uniffi_lift_return,
            _uniffi_error_converter,
        )

log_security_event(event, metadata, event_time_millis) async

Log the security event event to the tenant's log sink. If the event time is unspecified the current time will be used.

Source code in ironcore_alloy/ironcore_alloy.py

    async def log_security_event(self, event: SecurityEvent,metadata: AlloyMetadata,event_time_millis: typing.Optional[int]) -> None:
        """
        Log the security event `event` to the tenant's log sink.
        If the event time is unspecified the current time will be used.
"""

        _UniffiFfiConverterTypeSecurityEvent.check_lower(event)

        _UniffiFfiConverterTypeAlloyMetadata.check_lower(metadata)

        _UniffiFfiConverterOptionalInt64.check_lower(event_time_millis)
        _uniffi_lowered_args = (
            self._uniffi_clone_handle(),
            _UniffiFfiConverterTypeSecurityEvent.lower(event),
            _UniffiFfiConverterTypeAlloyMetadata.lower(metadata),
            _UniffiFfiConverterOptionalInt64.lower(event_time_millis),
        )
        _uniffi_lift_return = lambda val: None
        _uniffi_error_converter = _UniffiFfiConverterTypeAlloyError
        return await _uniffi_rust_call_async(
            _UniffiLib.uniffi_ironcore_alloy_fn_method_saasshieldvectorclient_log_security_event(*_uniffi_lowered_args),
            _UniffiLib.ffi_ironcore_alloy_rust_future_poll_void,
            _UniffiLib.ffi_ironcore_alloy_rust_future_complete_void,
            _UniffiLib.ffi_ironcore_alloy_rust_future_free_void,
            _uniffi_lift_return,
            _uniffi_error_converter,
        )

rotate_vectors(encrypted_vectors, metadata, new_tenant_id) async

Source code in ironcore_alloy/ironcore_alloy.py

async def rotate_vectors(self, encrypted_vectors: EncryptedVectors,metadata: AlloyMetadata,new_tenant_id: typing.Optional[TenantId]) -> VectorRotateResult:

    _UniffiFfiConverterTypeEncryptedVectors.check_lower(encrypted_vectors)

    _UniffiFfiConverterTypeAlloyMetadata.check_lower(metadata)

    _UniffiFfiConverterOptionalTypeTenantId.check_lower(new_tenant_id)
    _uniffi_lowered_args = (
        self._uniffi_clone_handle(),
        _UniffiFfiConverterTypeEncryptedVectors.lower(encrypted_vectors),
        _UniffiFfiConverterTypeAlloyMetadata.lower(metadata),
        _UniffiFfiConverterOptionalTypeTenantId.lower(new_tenant_id),
    )
    _uniffi_lift_return = _UniffiFfiConverterTypeVectorRotateResult.lift
    _uniffi_error_converter = _UniffiFfiConverterTypeAlloyError
    return await _uniffi_rust_call_async(
        _UniffiLib.uniffi_ironcore_alloy_fn_method_saasshieldvectorclient_rotate_vectors(*_uniffi_lowered_args),
        _UniffiLib.ffi_ironcore_alloy_rust_future_poll_rust_buffer,
        _UniffiLib.ffi_ironcore_alloy_rust_future_complete_rust_buffer,
        _UniffiLib.ffi_ironcore_alloy_rust_future_free_rust_buffer,
        _uniffi_lift_return,
        _uniffi_error_converter,
    )

SaasShieldVectorClientProtocol

Bases: Protocol

Functions

decrypt(encrypted_vector, metadata) async

Decrypt a vector embedding that was encrypted with the provided metadata. The values of the embedding will be unshuffled to their original positions during decryption.

Source code in ironcore_alloy/ironcore_alloy.py

    async def decrypt(self, encrypted_vector: EncryptedVector,metadata: AlloyMetadata) -> PlaintextVector:
        """
        Decrypt a vector embedding that was encrypted with the provided metadata. The values of the embedding will
        be unshuffled to their original positions during decryption.
"""
        raise NotImplementedError

decrypt_batch(encrypted_vectors, metadata) async

Decrypt multiple vector embeddings that were encrypted with the provided metadata. The values of the embeddings will be unshuffled to their original positions during decryption. Note that because the metadata is shared between the vectors, they all must correspond to the same tenant ID.

Source code in ironcore_alloy/ironcore_alloy.py

    async def decrypt_batch(self, encrypted_vectors: EncryptedVectors,metadata: AlloyMetadata) -> VectorDecryptBatchResult:
        """
        Decrypt multiple vector embeddings that were encrypted with the provided metadata. The values of the embeddings
        will be unshuffled to their original positions during decryption.
        Note that because the metadata is shared between the vectors, they all must correspond to the
        same tenant ID.
"""
        raise NotImplementedError

encrypt(plaintext_vector, metadata) async

Encrypt a vector embedding with the provided metadata. The provided embedding is assumed to be normalized and its values will be shuffled as part of the encryption. The same tenant ID must be provided in the metadata when decrypting the embedding.

Source code in ironcore_alloy/ironcore_alloy.py

    async def encrypt(self, plaintext_vector: PlaintextVector,metadata: AlloyMetadata) -> EncryptedVector:
        """
        Encrypt a vector embedding with the provided metadata. The provided embedding is assumed to be normalized
        and its values will be shuffled as part of the encryption.
        The same tenant ID must be provided in the metadata when decrypting the embedding.
"""
        raise NotImplementedError

encrypt_batch(plaintext_vectors, metadata) async

Encrypt multiple vector embeddings with the provided metadata. The provided embeddings are assumed to be normalized and their values will be shuffled as part of the encryption. The same tenant ID must be provided in the metadata when decrypting the embeddings.

Source code in ironcore_alloy/ironcore_alloy.py

    async def encrypt_batch(self, plaintext_vectors: PlaintextVectors,metadata: AlloyMetadata) -> VectorEncryptBatchResult:
        """
        Encrypt multiple vector embeddings with the provided metadata. The provided embeddings are assumed to be normalized
        and their values will be shuffled as part of the encryption.
        The same tenant ID must be provided in the metadata when decrypting the embeddings.
"""
        raise NotImplementedError

generate_query_vectors(vectors_to_query, metadata) async

Encrypt each plaintext vector with any Current and InRotation keys for the provided secret path. The resulting encrypted vectors should be used in tandem when querying the vector database.

Source code in ironcore_alloy/ironcore_alloy.py

    async def generate_query_vectors(self, vectors_to_query: PlaintextVectors,metadata: AlloyMetadata) -> GenerateVectorQueryResult:
        """
        Encrypt each plaintext vector with any Current and InRotation keys for the provided secret path.
        The resulting encrypted vectors should be used in tandem when querying the vector database.
"""
        raise NotImplementedError

get_in_rotation_prefix(secret_path, derivation_path, metadata) async

Get the byte prefix for the InRotation secret corresponding to this secret_path/derivation_path. Note that if you use z85 or ascii85 encoding, the result of this function should be passed to base85_compat_prefix_bytes before searching your datastore.

Source code in ironcore_alloy/ironcore_alloy.py

    async def get_in_rotation_prefix(self, secret_path: SecretPath,derivation_path: DerivationPath,metadata: AlloyMetadata) -> bytes:
        """
        Get the byte prefix for the InRotation secret corresponding to this secret_path/derivation_path.
        Note that if you use z85 or ascii85 encoding, the result of this function should be passed to `base85_compat_prefix_bytes`
        before searching your datastore.
"""
        raise NotImplementedError

log_security_event(event, metadata, event_time_millis) async

Log the security event event to the tenant's log sink. If the event time is unspecified the current time will be used.

Source code in ironcore_alloy/ironcore_alloy.py

    async def log_security_event(self, event: SecurityEvent,metadata: AlloyMetadata,event_time_millis: typing.Optional[int]) -> None:
        """
        Log the security event `event` to the tenant's log sink.
        If the event time is unspecified the current time will be used.
"""
        raise NotImplementedError

rotate_vectors(encrypted_vectors, metadata, new_tenant_id) async

Source code in ironcore_alloy/ironcore_alloy.py

async def rotate_vectors(self, encrypted_vectors: EncryptedVectors,metadata: AlloyMetadata,new_tenant_id: typing.Optional[TenantId]) -> VectorRotateResult:
    raise NotImplementedError

Secret(secret)

Bases: SecretProtocol

Source code in ironcore_alloy/ironcore_alloy.py

def __init__(self, secret: bytes):

    _UniffiFfiConverterBytes.check_lower(secret)
    _uniffi_lowered_args = (
        _UniffiFfiConverterBytes.lower(secret),
    )
    _uniffi_lift_return = _UniffiFfiConverterTypeSecret.lift
    _uniffi_error_converter = _UniffiFfiConverterTypeAlloyError
    _uniffi_ffi_result = _uniffi_rust_call_with_error(
        _uniffi_error_converter,
        _UniffiLib.uniffi_ironcore_alloy_fn_constructor_secret_new,
        *_uniffi_lowered_args,
    )
    self._handle = _uniffi_ffi_result

SecretProtocol

Bases: Protocol

SecurityEvent()

Source code in ironcore_alloy/ironcore_alloy.py

def __init__(self):
    raise RuntimeError("SecurityEvent cannot be instantiated directly")

Classes

ADMIN(event) dataclass

Source code in ironcore_alloy/ironcore_alloy.py

def __init__(self, event:AdminEvent):
    self.event = event


    pass

Attributes

event = event instance-attribute

CUSTOM(event) dataclass

Source code in ironcore_alloy/ironcore_alloy.py

def __init__(self, event:CustomEvent):
    self.event = event


    pass

Attributes

event = event instance-attribute

DATA(event) dataclass

Source code in ironcore_alloy/ironcore_alloy.py

def __init__(self, event:DataEvent):
    self.event = event


    pass

Attributes

event = event instance-attribute

PERIODIC(event) dataclass

Source code in ironcore_alloy/ironcore_alloy.py

def __init__(self, event:PeriodicEvent):
    self.event = event


    pass

Attributes

event = event instance-attribute

USER(event) dataclass

Source code in ironcore_alloy/ironcore_alloy.py

def __init__(self, event:UserEvent):
    self.event = event


    pass

Attributes

event = event instance-attribute

Functions

is_ADMIN()

Source code in ironcore_alloy/ironcore_alloy.py

def is_ADMIN(self) -> bool:
    return isinstance(self, SecurityEvent.ADMIN)

is_CUSTOM()

Source code in ironcore_alloy/ironcore_alloy.py

def is_CUSTOM(self) -> bool:
    return isinstance(self, SecurityEvent.CUSTOM)

is_DATA()

Source code in ironcore_alloy/ironcore_alloy.py

def is_DATA(self) -> bool:
    return isinstance(self, SecurityEvent.DATA)

is_PERIODIC()

Source code in ironcore_alloy/ironcore_alloy.py

def is_PERIODIC(self) -> bool:
    return isinstance(self, SecurityEvent.PERIODIC)

is_USER()

Source code in ironcore_alloy/ironcore_alloy.py

def is_USER(self) -> bool:
    return isinstance(self, SecurityEvent.USER)

is_admin()

Source code in ironcore_alloy/ironcore_alloy.py

def is_admin(self) -> bool:
    return isinstance(self, SecurityEvent.ADMIN)

is_custom()

Source code in ironcore_alloy/ironcore_alloy.py

def is_custom(self) -> bool:
    return isinstance(self, SecurityEvent.CUSTOM)

is_data()

Source code in ironcore_alloy/ironcore_alloy.py

def is_data(self) -> bool:
    return isinstance(self, SecurityEvent.DATA)

is_periodic()

Source code in ironcore_alloy/ironcore_alloy.py

def is_periodic(self) -> bool:
    return isinstance(self, SecurityEvent.PERIODIC)

is_user()

Source code in ironcore_alloy/ironcore_alloy.py

def is_user(self) -> bool:
    return isinstance(self, SecurityEvent.USER)

SecurityEventError

Bases: Enum

Errors related to security events

Attributes

SECURITY_EVENT_REJECTED = 0 class-attribute instance-attribute

ServiceError

Bases: Enum

Errors communicating with the TSP

Attributes

INVALID_REQUEST_BODY = 2 class-attribute instance-attribute

UNAUTHORIZED_REQUEST = 1 class-attribute instance-attribute

UNKNOWN_ERROR = 0 class-attribute instance-attribute

Standalone(config)

Bases: StandaloneProtocol

Source code in ironcore_alloy/ironcore_alloy.py

def __init__(self, config: StandaloneConfiguration):

    _UniffiFfiConverterTypeStandaloneConfiguration.check_lower(config)
    _uniffi_lowered_args = (
        _UniffiFfiConverterTypeStandaloneConfiguration.lower(config),
    )
    _uniffi_lift_return = _UniffiFfiConverterTypeStandalone.lift
    _uniffi_error_converter = None
    _uniffi_ffi_result = _uniffi_rust_call_with_error(
        _uniffi_error_converter,
        _UniffiLib.uniffi_ironcore_alloy_fn_constructor_standalone_new,
        *_uniffi_lowered_args,
    )
    self._handle = _uniffi_ffi_result

Functions

deterministic()

Source code in ironcore_alloy/ironcore_alloy.py

def deterministic(self, ) -> StandaloneDeterministicClient:
    _uniffi_lowered_args = (
        self._uniffi_clone_handle(),
    )
    _uniffi_lift_return = _UniffiFfiConverterTypeStandaloneDeterministicClient.lift
    _uniffi_error_converter = None
    _uniffi_ffi_result = _uniffi_rust_call_with_error(
        _uniffi_error_converter,
        _UniffiLib.uniffi_ironcore_alloy_fn_method_standalone_deterministic,
        *_uniffi_lowered_args,
    )
    return _uniffi_lift_return(_uniffi_ffi_result)

standard()

Source code in ironcore_alloy/ironcore_alloy.py

def standard(self, ) -> StandaloneStandardClient:
    _uniffi_lowered_args = (
        self._uniffi_clone_handle(),
    )
    _uniffi_lift_return = _UniffiFfiConverterTypeStandaloneStandardClient.lift
    _uniffi_error_converter = None
    _uniffi_ffi_result = _uniffi_rust_call_with_error(
        _uniffi_error_converter,
        _UniffiLib.uniffi_ironcore_alloy_fn_method_standalone_standard,
        *_uniffi_lowered_args,
    )
    return _uniffi_lift_return(_uniffi_ffi_result)

standard_attached()

Source code in ironcore_alloy/ironcore_alloy.py

def standard_attached(self, ) -> StandaloneStandardAttachedClient:
    _uniffi_lowered_args = (
        self._uniffi_clone_handle(),
    )
    _uniffi_lift_return = _UniffiFfiConverterTypeStandaloneStandardAttachedClient.lift
    _uniffi_error_converter = None
    _uniffi_ffi_result = _uniffi_rust_call_with_error(
        _uniffi_error_converter,
        _UniffiLib.uniffi_ironcore_alloy_fn_method_standalone_standard_attached,
        *_uniffi_lowered_args,
    )
    return _uniffi_lift_return(_uniffi_ffi_result)

vector()

Source code in ironcore_alloy/ironcore_alloy.py

def vector(self, ) -> StandaloneVectorClient:
    _uniffi_lowered_args = (
        self._uniffi_clone_handle(),
    )
    _uniffi_lift_return = _UniffiFfiConverterTypeStandaloneVectorClient.lift
    _uniffi_error_converter = None
    _uniffi_ffi_result = _uniffi_rust_call_with_error(
        _uniffi_error_converter,
        _UniffiLib.uniffi_ironcore_alloy_fn_method_standalone_vector,
        *_uniffi_lowered_args,
    )
    return _uniffi_lift_return(_uniffi_ffi_result)

StandaloneConfiguration(standard, deterministic, vector)

Bases: StandaloneConfigurationProtocol

Configuration for the standalone SDKs. Sets secrets and secret paths for the different SDK operations. If usage of only one set of SDK operations is desired the others can be left as empty objects, and will error if called in that state. If you want to share a secret between multiple SDK modes, you'll need to create secrets in each mode that share the same secret bytes.

Source code in ironcore_alloy/ironcore_alloy.py

def __init__(self, standard: StandardSecrets,deterministic: dict[SecretPath, RotatableSecret],vector: dict[SecretPath, VectorSecret]):

    _UniffiFfiConverterTypeStandardSecrets.check_lower(standard)

    _UniffiFfiConverterMapTypeSecretPathTypeRotatableSecret.check_lower(deterministic)

    _UniffiFfiConverterMapTypeSecretPathTypeVectorSecret.check_lower(vector)
    _uniffi_lowered_args = (
        _UniffiFfiConverterTypeStandardSecrets.lower(standard),
        _UniffiFfiConverterMapTypeSecretPathTypeRotatableSecret.lower(deterministic),
        _UniffiFfiConverterMapTypeSecretPathTypeVectorSecret.lower(vector),
    )
    _uniffi_lift_return = _UniffiFfiConverterTypeStandaloneConfiguration.lift
    _uniffi_error_converter = None
    _uniffi_ffi_result = _uniffi_rust_call_with_error(
        _uniffi_error_converter,
        _UniffiLib.uniffi_ironcore_alloy_fn_constructor_standaloneconfiguration_new,
        *_uniffi_lowered_args,
    )
    self._handle = _uniffi_ffi_result

Functions

new_seeded_for_testing(standard, deterministic, vector, test_rng_seed) classmethod

Source code in ironcore_alloy/ironcore_alloy.py

@classmethod
def new_seeded_for_testing(cls, standard: StandardSecrets,deterministic: dict[SecretPath, RotatableSecret],vector: dict[SecretPath, VectorSecret],test_rng_seed: int) -> StandaloneConfiguration:

    _UniffiFfiConverterTypeStandardSecrets.check_lower(standard)

    _UniffiFfiConverterMapTypeSecretPathTypeRotatableSecret.check_lower(deterministic)

    _UniffiFfiConverterMapTypeSecretPathTypeVectorSecret.check_lower(vector)

    _UniffiFfiConverterInt32.check_lower(test_rng_seed)
    _uniffi_lowered_args = (
        _UniffiFfiConverterTypeStandardSecrets.lower(standard),
        _UniffiFfiConverterMapTypeSecretPathTypeRotatableSecret.lower(deterministic),
        _UniffiFfiConverterMapTypeSecretPathTypeVectorSecret.lower(vector),
        _UniffiFfiConverterInt32.lower(test_rng_seed),
    )
    _uniffi_lift_return = _UniffiFfiConverterTypeStandaloneConfiguration.lift
    _uniffi_error_converter = None
    _uniffi_ffi_result = _uniffi_rust_call_with_error(
        _uniffi_error_converter,
        _UniffiLib.uniffi_ironcore_alloy_fn_constructor_standaloneconfiguration_new_seeded_for_testing,
        *_uniffi_lowered_args,
    )
    return cls._uniffi_make_instance(_uniffi_ffi_result)

StandaloneConfigurationProtocol

Bases: Protocol

Configuration for the standalone SDKs. Sets secrets and secret paths for the different SDK operations. If usage of only one set of SDK operations is desired the others can be left as empty objects, and will error if called in that state. If you want to share a secret between multiple SDK modes, you'll need to create secrets in each mode that share the same secret bytes.

StandaloneDeterministicClient(*args, **kwargs)

Bases: StandaloneDeterministicClientProtocol, DeterministicFieldOpsProtocol

Source code in ironcore_alloy/ironcore_alloy.py

def __init__(self, *args, **kwargs):
    raise ValueError("This class has no default constructor")

Functions

decrypt(encrypted_field, metadata) async

Decrypt a field that was deterministically encrypted with the provided metadata.

Source code in ironcore_alloy/ironcore_alloy.py

    async def decrypt(self, encrypted_field: EncryptedField,metadata: AlloyMetadata) -> PlaintextField:
        """
        Decrypt a field that was deterministically encrypted with the provided metadata.
"""

        _UniffiFfiConverterTypeEncryptedField.check_lower(encrypted_field)

        _UniffiFfiConverterTypeAlloyMetadata.check_lower(metadata)
        _uniffi_lowered_args = (
            self._uniffi_clone_handle(),
            _UniffiFfiConverterTypeEncryptedField.lower(encrypted_field),
            _UniffiFfiConverterTypeAlloyMetadata.lower(metadata),
        )
        _uniffi_lift_return = _UniffiFfiConverterTypePlaintextField.lift
        _uniffi_error_converter = _UniffiFfiConverterTypeAlloyError
        return await _uniffi_rust_call_async(
            _UniffiLib.uniffi_ironcore_alloy_fn_method_standalonedeterministicclient_decrypt(*_uniffi_lowered_args),
            _UniffiLib.ffi_ironcore_alloy_rust_future_poll_rust_buffer,
            _UniffiLib.ffi_ironcore_alloy_rust_future_complete_rust_buffer,
            _UniffiLib.ffi_ironcore_alloy_rust_future_free_rust_buffer,
            _uniffi_lift_return,
            _uniffi_error_converter,
        )

decrypt_batch(encrypted_fields, metadata) async

Decrypt each of the fields that were deterministically encrypted with the provided metadata. Note that because the metadata is shared between the fields, they all must correspond to the same tenant ID.

Source code in ironcore_alloy/ironcore_alloy.py

    async def decrypt_batch(self, encrypted_fields: EncryptedFields,metadata: AlloyMetadata) -> DeterministicDecryptBatchResult:
        """
        Decrypt each of the fields that were deterministically encrypted with the provided metadata.
        Note that because the metadata is shared between the fields, they all must correspond to the
        same tenant ID.
"""

        _UniffiFfiConverterTypeEncryptedFields.check_lower(encrypted_fields)

        _UniffiFfiConverterTypeAlloyMetadata.check_lower(metadata)
        _uniffi_lowered_args = (
            self._uniffi_clone_handle(),
            _UniffiFfiConverterTypeEncryptedFields.lower(encrypted_fields),
            _UniffiFfiConverterTypeAlloyMetadata.lower(metadata),
        )
        _uniffi_lift_return = _UniffiFfiConverterTypeDeterministicDecryptBatchResult.lift
        _uniffi_error_converter = _UniffiFfiConverterTypeAlloyError
        return await _uniffi_rust_call_async(
            _UniffiLib.uniffi_ironcore_alloy_fn_method_standalonedeterministicclient_decrypt_batch(*_uniffi_lowered_args),
            _UniffiLib.ffi_ironcore_alloy_rust_future_poll_rust_buffer,
            _UniffiLib.ffi_ironcore_alloy_rust_future_complete_rust_buffer,
            _UniffiLib.ffi_ironcore_alloy_rust_future_free_rust_buffer,
            _uniffi_lift_return,
            _uniffi_error_converter,
        )

encrypt(plaintext_field, metadata) async

Encrypt a field with the provided metadata. Because the field is encrypted deterministically with each call, the result will be the same for repeated calls. This allows for exact matches and indexing of the encrypted field, but comes with some security considerations. If you don't need to support these use cases, we recommend using standard encryption instead.

Source code in ironcore_alloy/ironcore_alloy.py

    async def encrypt(self, plaintext_field: PlaintextField,metadata: AlloyMetadata) -> EncryptedField:
        """
        Encrypt a field with the provided metadata.
        Because the field is encrypted deterministically with each call, the result will be the same for repeated calls.
        This allows for exact matches and indexing of the encrypted field, but comes with some security considerations.
        If you don't need to support these use cases, we recommend using `standard` encryption instead.
"""

        _UniffiFfiConverterTypePlaintextField.check_lower(plaintext_field)

        _UniffiFfiConverterTypeAlloyMetadata.check_lower(metadata)
        _uniffi_lowered_args = (
            self._uniffi_clone_handle(),
            _UniffiFfiConverterTypePlaintextField.lower(plaintext_field),
            _UniffiFfiConverterTypeAlloyMetadata.lower(metadata),
        )
        _uniffi_lift_return = _UniffiFfiConverterTypeEncryptedField.lift
        _uniffi_error_converter = _UniffiFfiConverterTypeAlloyError
        return await _uniffi_rust_call_async(
            _UniffiLib.uniffi_ironcore_alloy_fn_method_standalonedeterministicclient_encrypt(*_uniffi_lowered_args),
            _UniffiLib.ffi_ironcore_alloy_rust_future_poll_rust_buffer,
            _UniffiLib.ffi_ironcore_alloy_rust_future_complete_rust_buffer,
            _UniffiLib.ffi_ironcore_alloy_rust_future_free_rust_buffer,
            _uniffi_lift_return,
            _uniffi_error_converter,
        )

encrypt_batch(plaintext_fields, metadata) async

Deterministically encrypt the provided fields with the provided metadata. Because the fields are encrypted deterministically with each call, the result will be the same for repeated calls. This allows for exact matches and indexing of the encrypted field, but comes with some security considerations. If you don't need to support these use cases, we recommend using standard encryption instead.

Source code in ironcore_alloy/ironcore_alloy.py

    async def encrypt_batch(self, plaintext_fields: PlaintextFields,metadata: AlloyMetadata) -> DeterministicEncryptBatchResult:
        """
        Deterministically encrypt the provided fields with the provided metadata.
        Because the fields are encrypted deterministically with each call, the result will be the same for repeated calls.
        This allows for exact matches and indexing of the encrypted field, but comes with some security considerations.
        If you don't need to support these use cases, we recommend using `standard` encryption instead.
"""

        _UniffiFfiConverterTypePlaintextFields.check_lower(plaintext_fields)

        _UniffiFfiConverterTypeAlloyMetadata.check_lower(metadata)
        _uniffi_lowered_args = (
            self._uniffi_clone_handle(),
            _UniffiFfiConverterTypePlaintextFields.lower(plaintext_fields),
            _UniffiFfiConverterTypeAlloyMetadata.lower(metadata),
        )
        _uniffi_lift_return = _UniffiFfiConverterTypeDeterministicEncryptBatchResult.lift
        _uniffi_error_converter = _UniffiFfiConverterTypeAlloyError
        return await _uniffi_rust_call_async(
            _UniffiLib.uniffi_ironcore_alloy_fn_method_standalonedeterministicclient_encrypt_batch(*_uniffi_lowered_args),
            _UniffiLib.ffi_ironcore_alloy_rust_future_poll_rust_buffer,
            _UniffiLib.ffi_ironcore_alloy_rust_future_complete_rust_buffer,
            _UniffiLib.ffi_ironcore_alloy_rust_future_free_rust_buffer,
            _uniffi_lift_return,
            _uniffi_error_converter,
        )

generate_query_field_values(fields_to_query, metadata) async

Encrypt each plaintext field with any Current and InRotation keys for the provided secret path. The resulting encrypted fields should be used in tandem when querying the data store.

Source code in ironcore_alloy/ironcore_alloy.py

    async def generate_query_field_values(self, fields_to_query: PlaintextFields,metadata: AlloyMetadata) -> GenerateFieldQueryResult:
        """
        Encrypt each plaintext field with any Current and InRotation keys for the provided secret path.
        The resulting encrypted fields should be used in tandem when querying the data store.
"""

        _UniffiFfiConverterTypePlaintextFields.check_lower(fields_to_query)

        _UniffiFfiConverterTypeAlloyMetadata.check_lower(metadata)
        _uniffi_lowered_args = (
            self._uniffi_clone_handle(),
            _UniffiFfiConverterTypePlaintextFields.lower(fields_to_query),
            _UniffiFfiConverterTypeAlloyMetadata.lower(metadata),
        )
        _uniffi_lift_return = _UniffiFfiConverterTypeGenerateFieldQueryResult.lift
        _uniffi_error_converter = _UniffiFfiConverterTypeAlloyError
        return await _uniffi_rust_call_async(
            _UniffiLib.uniffi_ironcore_alloy_fn_method_standalonedeterministicclient_generate_query_field_values(*_uniffi_lowered_args),
            _UniffiLib.ffi_ironcore_alloy_rust_future_poll_rust_buffer,
            _UniffiLib.ffi_ironcore_alloy_rust_future_complete_rust_buffer,
            _UniffiLib.ffi_ironcore_alloy_rust_future_free_rust_buffer,
            _uniffi_lift_return,
            _uniffi_error_converter,
        )

get_in_rotation_prefix(secret_path, derivation_path, metadata) async

Generate a prefix that could used to search a data store for fields encrypted using an identifier (KMS config id for SaaS Shield, secret id for Standalone). These bytes should be encoded into a format matching the encoding in the data store. z85/ascii85 users should first pass these bytes through encode_prefix_z85 or base85_prefix_padding. Make sure you've read the documentation of those functions to avoid pitfalls when encoding across byte boundaries.

Source code in ironcore_alloy/ironcore_alloy.py

    async def get_in_rotation_prefix(self, secret_path: SecretPath,derivation_path: DerivationPath,metadata: AlloyMetadata) -> bytes:
        """
        Generate a prefix that could used to search a data store for fields encrypted using an identifier (KMS
        config id for SaaS Shield, secret id for Standalone). These bytes should be encoded into
        a format matching the encoding in the data store. z85/ascii85 users should first pass these bytes through
        `encode_prefix_z85` or `base85_prefix_padding`. Make sure you've read the documentation of those functions to
        avoid pitfalls when encoding across byte boundaries.
"""

        _UniffiFfiConverterTypeSecretPath.check_lower(secret_path)

        _UniffiFfiConverterTypeDerivationPath.check_lower(derivation_path)

        _UniffiFfiConverterTypeAlloyMetadata.check_lower(metadata)
        _uniffi_lowered_args = (
            self._uniffi_clone_handle(),
            _UniffiFfiConverterTypeSecretPath.lower(secret_path),
            _UniffiFfiConverterTypeDerivationPath.lower(derivation_path),
            _UniffiFfiConverterTypeAlloyMetadata.lower(metadata),
        )
        _uniffi_lift_return = _UniffiFfiConverterBytes.lift
        _uniffi_error_converter = _UniffiFfiConverterTypeAlloyError
        return await _uniffi_rust_call_async(
            _UniffiLib.uniffi_ironcore_alloy_fn_method_standalonedeterministicclient_get_in_rotation_prefix(*_uniffi_lowered_args),
            _UniffiLib.ffi_ironcore_alloy_rust_future_poll_rust_buffer,
            _UniffiLib.ffi_ironcore_alloy_rust_future_complete_rust_buffer,
            _UniffiLib.ffi_ironcore_alloy_rust_future_free_rust_buffer,
            _uniffi_lift_return,
            _uniffi_error_converter,
        )

rotate_fields(encrypted_fields, metadata, new_tenant_id) async

Re-encrypt already encrypted fields with the Current key for the provided tenant. The metadata passed must contain the tenant ID that the fields were originally encrypted to. If new_tenant_id is empty, the fields will simply be encrypted with the same tenant's current secret.

Source code in ironcore_alloy/ironcore_alloy.py

    async def rotate_fields(self, encrypted_fields: EncryptedFields,metadata: AlloyMetadata,new_tenant_id: typing.Optional[TenantId]) -> DeterministicRotateResult:
        """
        Re-encrypt already encrypted fields with the Current key for the provided tenant. The `metadata` passed
        must contain the tenant ID that the fields were originally encrypted to. If `new_tenant_id` is empty,
        the fields will simply be encrypted with the same tenant's current secret.
"""

        _UniffiFfiConverterTypeEncryptedFields.check_lower(encrypted_fields)

        _UniffiFfiConverterTypeAlloyMetadata.check_lower(metadata)

        _UniffiFfiConverterOptionalTypeTenantId.check_lower(new_tenant_id)
        _uniffi_lowered_args = (
            self._uniffi_clone_handle(),
            _UniffiFfiConverterTypeEncryptedFields.lower(encrypted_fields),
            _UniffiFfiConverterTypeAlloyMetadata.lower(metadata),
            _UniffiFfiConverterOptionalTypeTenantId.lower(new_tenant_id),
        )
        _uniffi_lift_return = _UniffiFfiConverterTypeDeterministicRotateResult.lift
        _uniffi_error_converter = _UniffiFfiConverterTypeAlloyError
        return await _uniffi_rust_call_async(
            _UniffiLib.uniffi_ironcore_alloy_fn_method_standalonedeterministicclient_rotate_fields(*_uniffi_lowered_args),
            _UniffiLib.ffi_ironcore_alloy_rust_future_poll_rust_buffer,
            _UniffiLib.ffi_ironcore_alloy_rust_future_complete_rust_buffer,
            _UniffiLib.ffi_ironcore_alloy_rust_future_free_rust_buffer,
            _uniffi_lift_return,
            _uniffi_error_converter,
        )

StandaloneDeterministicClientProtocol

Bases: Protocol

Functions

decrypt(encrypted_field, metadata) async

Decrypt a field that was deterministically encrypted with the provided metadata.

Source code in ironcore_alloy/ironcore_alloy.py

    async def decrypt(self, encrypted_field: EncryptedField,metadata: AlloyMetadata) -> PlaintextField:
        """
        Decrypt a field that was deterministically encrypted with the provided metadata.
"""
        raise NotImplementedError

decrypt_batch(encrypted_fields, metadata) async

Decrypt each of the fields that were deterministically encrypted with the provided metadata. Note that because the metadata is shared between the fields, they all must correspond to the same tenant ID.

Source code in ironcore_alloy/ironcore_alloy.py

    async def decrypt_batch(self, encrypted_fields: EncryptedFields,metadata: AlloyMetadata) -> DeterministicDecryptBatchResult:
        """
        Decrypt each of the fields that were deterministically encrypted with the provided metadata.
        Note that because the metadata is shared between the fields, they all must correspond to the
        same tenant ID.
"""
        raise NotImplementedError

encrypt(plaintext_field, metadata) async

Encrypt a field with the provided metadata. Because the field is encrypted deterministically with each call, the result will be the same for repeated calls. This allows for exact matches and indexing of the encrypted field, but comes with some security considerations. If you don't need to support these use cases, we recommend using standard encryption instead.

Source code in ironcore_alloy/ironcore_alloy.py

    async def encrypt(self, plaintext_field: PlaintextField,metadata: AlloyMetadata) -> EncryptedField:
        """
        Encrypt a field with the provided metadata.
        Because the field is encrypted deterministically with each call, the result will be the same for repeated calls.
        This allows for exact matches and indexing of the encrypted field, but comes with some security considerations.
        If you don't need to support these use cases, we recommend using `standard` encryption instead.
"""
        raise NotImplementedError

encrypt_batch(plaintext_fields, metadata) async

Deterministically encrypt the provided fields with the provided metadata. Because the fields are encrypted deterministically with each call, the result will be the same for repeated calls. This allows for exact matches and indexing of the encrypted field, but comes with some security considerations. If you don't need to support these use cases, we recommend using standard encryption instead.

Source code in ironcore_alloy/ironcore_alloy.py

    async def encrypt_batch(self, plaintext_fields: PlaintextFields,metadata: AlloyMetadata) -> DeterministicEncryptBatchResult:
        """
        Deterministically encrypt the provided fields with the provided metadata.
        Because the fields are encrypted deterministically with each call, the result will be the same for repeated calls.
        This allows for exact matches and indexing of the encrypted field, but comes with some security considerations.
        If you don't need to support these use cases, we recommend using `standard` encryption instead.
"""
        raise NotImplementedError

generate_query_field_values(fields_to_query, metadata) async

Encrypt each plaintext field with any Current and InRotation keys for the provided secret path. The resulting encrypted fields should be used in tandem when querying the data store.

Source code in ironcore_alloy/ironcore_alloy.py

    async def generate_query_field_values(self, fields_to_query: PlaintextFields,metadata: AlloyMetadata) -> GenerateFieldQueryResult:
        """
        Encrypt each plaintext field with any Current and InRotation keys for the provided secret path.
        The resulting encrypted fields should be used in tandem when querying the data store.
"""
        raise NotImplementedError

get_in_rotation_prefix(secret_path, derivation_path, metadata) async

Generate a prefix that could used to search a data store for fields encrypted using an identifier (KMS config id for SaaS Shield, secret id for Standalone). These bytes should be encoded into a format matching the encoding in the data store. z85/ascii85 users should first pass these bytes through encode_prefix_z85 or base85_prefix_padding. Make sure you've read the documentation of those functions to avoid pitfalls when encoding across byte boundaries.

Source code in ironcore_alloy/ironcore_alloy.py

    async def get_in_rotation_prefix(self, secret_path: SecretPath,derivation_path: DerivationPath,metadata: AlloyMetadata) -> bytes:
        """
        Generate a prefix that could used to search a data store for fields encrypted using an identifier (KMS
        config id for SaaS Shield, secret id for Standalone). These bytes should be encoded into
        a format matching the encoding in the data store. z85/ascii85 users should first pass these bytes through
        `encode_prefix_z85` or `base85_prefix_padding`. Make sure you've read the documentation of those functions to
        avoid pitfalls when encoding across byte boundaries.
"""
        raise NotImplementedError

rotate_fields(encrypted_fields, metadata, new_tenant_id) async

Re-encrypt already encrypted fields with the Current key for the provided tenant. The metadata passed must contain the tenant ID that the fields were originally encrypted to. If new_tenant_id is empty, the fields will simply be encrypted with the same tenant's current secret.

Source code in ironcore_alloy/ironcore_alloy.py

    async def rotate_fields(self, encrypted_fields: EncryptedFields,metadata: AlloyMetadata,new_tenant_id: typing.Optional[TenantId]) -> DeterministicRotateResult:
        """
        Re-encrypt already encrypted fields with the Current key for the provided tenant. The `metadata` passed
        must contain the tenant ID that the fields were originally encrypted to. If `new_tenant_id` is empty,
        the fields will simply be encrypted with the same tenant's current secret.
"""
        raise NotImplementedError

StandaloneProtocol

Bases: Protocol

Functions

deterministic()

Source code in ironcore_alloy/ironcore_alloy.py

def deterministic(self, ) -> StandaloneDeterministicClient:
    raise NotImplementedError

standard()

Source code in ironcore_alloy/ironcore_alloy.py

def standard(self, ) -> StandaloneStandardClient:
    raise NotImplementedError

standard_attached()

Source code in ironcore_alloy/ironcore_alloy.py

def standard_attached(self, ) -> StandaloneStandardAttachedClient:
    raise NotImplementedError

vector()

Source code in ironcore_alloy/ironcore_alloy.py

def vector(self, ) -> StandaloneVectorClient:
    raise NotImplementedError

StandaloneSecret(id, secret)

Bases: StandaloneSecretProtocol

A secret used by standalone mode to derive encryption keys.

Create a standalone secret. The secret needs to be cryptographically random bytes.

Source code in ironcore_alloy/ironcore_alloy.py

    def __init__(self, id: int,secret: Secret):
        """
        Create a standalone secret. The secret needs to be cryptographically random bytes.
"""

        _UniffiFfiConverterInt32.check_lower(id)

        _UniffiFfiConverterTypeSecret.check_lower(secret)
        _uniffi_lowered_args = (
            _UniffiFfiConverterInt32.lower(id),
            _UniffiFfiConverterTypeSecret.lower(secret),
        )
        _uniffi_lift_return = _UniffiFfiConverterTypeStandaloneSecret.lift
        _uniffi_error_converter = None
        _uniffi_ffi_result = _uniffi_rust_call_with_error(
            _uniffi_error_converter,
            _UniffiLib.uniffi_ironcore_alloy_fn_constructor_standalonesecret_new,
            *_uniffi_lowered_args,
        )
        self._handle = _uniffi_ffi_result

StandaloneSecretProtocol

Bases: Protocol

A secret used by standalone mode to derive encryption keys.

StandaloneStandardAttachedClient(*args, **kwargs)

Bases: StandaloneStandardAttachedClientProtocol, StandardAttachedDocumentOpsProtocol

Source code in ironcore_alloy/ironcore_alloy.py

def __init__(self, *args, **kwargs):
    raise ValueError("This class has no default constructor")

Functions

decrypt(encrypted_document, metadata) async

Decrypt a document that was encrypted with the provided metadata. The document must have been encrypted using attached encryption and not deterministic or standard encryption.

Source code in ironcore_alloy/ironcore_alloy.py

    async def decrypt(self, encrypted_document: EncryptedAttachedDocument,metadata: AlloyMetadata) -> PlaintextAttachedDocument:
        """
        Decrypt a document that was encrypted with the provided metadata.
        The document must have been encrypted using attached encryption and not deterministic or standard encryption.
"""

        _UniffiFfiConverterTypeEncryptedAttachedDocument.check_lower(encrypted_document)

        _UniffiFfiConverterTypeAlloyMetadata.check_lower(metadata)
        _uniffi_lowered_args = (
            self._uniffi_clone_handle(),
            _UniffiFfiConverterTypeEncryptedAttachedDocument.lower(encrypted_document),
            _UniffiFfiConverterTypeAlloyMetadata.lower(metadata),
        )
        _uniffi_lift_return = _UniffiFfiConverterTypePlaintextAttachedDocument.lift
        _uniffi_error_converter = _UniffiFfiConverterTypeAlloyError
        return await _uniffi_rust_call_async(
            _UniffiLib.uniffi_ironcore_alloy_fn_method_standalonestandardattachedclient_decrypt(*_uniffi_lowered_args),
            _UniffiLib.ffi_ironcore_alloy_rust_future_poll_rust_buffer,
            _UniffiLib.ffi_ironcore_alloy_rust_future_complete_rust_buffer,
            _UniffiLib.ffi_ironcore_alloy_rust_future_free_rust_buffer,
            _uniffi_lift_return,
            _uniffi_error_converter,
        )

decrypt_batch(encrypted_documents, metadata) async

Decrypt multiple documents that were encrypted with the provided metadata. The documents must have been encrypted using attached encryption and not deterministic or standard encryption.

Source code in ironcore_alloy/ironcore_alloy.py

    async def decrypt_batch(self, encrypted_documents: EncryptedAttachedDocuments,metadata: AlloyMetadata) -> StandardAttachedDecryptBatchResult:
        """
        Decrypt multiple documents that were encrypted with the provided metadata.
        The documents must have been encrypted using attached encryption and not deterministic or standard encryption.
"""

        _UniffiFfiConverterTypeEncryptedAttachedDocuments.check_lower(encrypted_documents)

        _UniffiFfiConverterTypeAlloyMetadata.check_lower(metadata)
        _uniffi_lowered_args = (
            self._uniffi_clone_handle(),
            _UniffiFfiConverterTypeEncryptedAttachedDocuments.lower(encrypted_documents),
            _UniffiFfiConverterTypeAlloyMetadata.lower(metadata),
        )
        _uniffi_lift_return = _UniffiFfiConverterTypeStandardAttachedDecryptBatchResult.lift
        _uniffi_error_converter = _UniffiFfiConverterTypeAlloyError
        return await _uniffi_rust_call_async(
            _UniffiLib.uniffi_ironcore_alloy_fn_method_standalonestandardattachedclient_decrypt_batch(*_uniffi_lowered_args),
            _UniffiLib.ffi_ironcore_alloy_rust_future_poll_rust_buffer,
            _UniffiLib.ffi_ironcore_alloy_rust_future_complete_rust_buffer,
            _UniffiLib.ffi_ironcore_alloy_rust_future_free_rust_buffer,
            _uniffi_lift_return,
            _uniffi_error_converter,
        )

encrypt(plaintext_document, metadata) async

Encrypt a document with the provided metadata. A DEK (document encryption key) will be generated and encrypted using a derived key. The result is a single blob of bytes with the edek put on the front of it.

Source code in ironcore_alloy/ironcore_alloy.py

    async def encrypt(self, plaintext_document: PlaintextAttachedDocument,metadata: AlloyMetadata) -> EncryptedAttachedDocument:
        """
        Encrypt a document with the provided metadata.
        A DEK (document encryption key) will be generated and encrypted using a derived key.
        The result is a single blob of bytes with the edek put on the front of it.
"""

        _UniffiFfiConverterTypePlaintextAttachedDocument.check_lower(plaintext_document)

        _UniffiFfiConverterTypeAlloyMetadata.check_lower(metadata)
        _uniffi_lowered_args = (
            self._uniffi_clone_handle(),
            _UniffiFfiConverterTypePlaintextAttachedDocument.lower(plaintext_document),
            _UniffiFfiConverterTypeAlloyMetadata.lower(metadata),
        )
        _uniffi_lift_return = _UniffiFfiConverterTypeEncryptedAttachedDocument.lift
        _uniffi_error_converter = _UniffiFfiConverterTypeAlloyError
        return await _uniffi_rust_call_async(
            _UniffiLib.uniffi_ironcore_alloy_fn_method_standalonestandardattachedclient_encrypt(*_uniffi_lowered_args),
            _UniffiLib.ffi_ironcore_alloy_rust_future_poll_rust_buffer,
            _UniffiLib.ffi_ironcore_alloy_rust_future_complete_rust_buffer,
            _UniffiLib.ffi_ironcore_alloy_rust_future_free_rust_buffer,
            _uniffi_lift_return,
            _uniffi_error_converter,
        )

encrypt_batch(plaintext_documents, metadata) async

Encrypt multiple documents with the provided metadata. A DEK (document encryption key) will be generated for each document and encrypted using a derived key.

Source code in ironcore_alloy/ironcore_alloy.py

    async def encrypt_batch(self, plaintext_documents: PlaintextAttachedDocuments,metadata: AlloyMetadata) -> StandardAttachedEncryptBatchResult:
        """
        Encrypt multiple documents with the provided metadata.
        A DEK (document encryption key) will be generated for each document and encrypted using a derived key.
"""

        _UniffiFfiConverterTypePlaintextAttachedDocuments.check_lower(plaintext_documents)

        _UniffiFfiConverterTypeAlloyMetadata.check_lower(metadata)
        _uniffi_lowered_args = (
            self._uniffi_clone_handle(),
            _UniffiFfiConverterTypePlaintextAttachedDocuments.lower(plaintext_documents),
            _UniffiFfiConverterTypeAlloyMetadata.lower(metadata),
        )
        _uniffi_lift_return = _UniffiFfiConverterTypeStandardAttachedEncryptBatchResult.lift
        _uniffi_error_converter = _UniffiFfiConverterTypeAlloyError
        return await _uniffi_rust_call_async(
            _UniffiLib.uniffi_ironcore_alloy_fn_method_standalonestandardattachedclient_encrypt_batch(*_uniffi_lowered_args),
            _UniffiLib.ffi_ironcore_alloy_rust_future_poll_rust_buffer,
            _UniffiLib.ffi_ironcore_alloy_rust_future_complete_rust_buffer,
            _UniffiLib.ffi_ironcore_alloy_rust_future_free_rust_buffer,
            _uniffi_lift_return,
            _uniffi_error_converter,
        )

get_searchable_edek_prefix(id)

Generate a prefix that could used to search a data store for documents encrypted using an identifier (KMS config id for SaaS Shield, secret id for Standalone). These bytes should be encoded into a format matching the encoding in the data store. z85/ascii85 users should first pass these bytes through encode_prefix_z85 or base85_prefix_padding. Make sure you've read the documentation of those functions to avoid pitfalls when encoding across byte boundaries. Note that this will not work for matching values that don't use our key_id_header format, such as cloaked search.

Source code in ironcore_alloy/ironcore_alloy.py

    def get_searchable_edek_prefix(self, id: int) -> bytes:
        """
        Generate a prefix that could used to search a data store for documents encrypted using an identifier (KMS
        config id for SaaS Shield, secret id for Standalone). These bytes should be encoded into
        a format matching the encoding in the data store. z85/ascii85 users should first pass these bytes through
        `encode_prefix_z85` or `base85_prefix_padding`. Make sure you've read the documentation of those functions to
        avoid pitfalls when encoding across byte boundaries.
        Note that this will not work for matching values that don't use our key_id_header format, such as cloaked search.
"""

        _UniffiFfiConverterInt32.check_lower(id)
        _uniffi_lowered_args = (
            self._uniffi_clone_handle(),
            _UniffiFfiConverterInt32.lower(id),
        )
        _uniffi_lift_return = _UniffiFfiConverterBytes.lift
        _uniffi_error_converter = None
        _uniffi_ffi_result = _uniffi_rust_call_with_error(
            _uniffi_error_converter,
            _UniffiLib.uniffi_ironcore_alloy_fn_method_standalonestandardattachedclient_get_searchable_edek_prefix,
            *_uniffi_lowered_args,
        )
        return _uniffi_lift_return(_uniffi_ffi_result)

rekey_documents(encrypted_documents, metadata, new_tenant_id) async

Decrypt the provided documents and re-encrypt them using the tenant's current key. If new_tenant_id is None, the documents will be encrypted to the original tenant.

Source code in ironcore_alloy/ironcore_alloy.py

    async def rekey_documents(self, encrypted_documents: EncryptedAttachedDocuments,metadata: AlloyMetadata,new_tenant_id: typing.Optional[TenantId]) -> RekeyAttachedDocumentsBatchResult:
        """
        Decrypt the provided documents and re-encrypt them using the tenant's current key. If `new_tenant_id` is `None`,
        the documents will be encrypted to the original tenant.
"""

        _UniffiFfiConverterTypeEncryptedAttachedDocuments.check_lower(encrypted_documents)

        _UniffiFfiConverterTypeAlloyMetadata.check_lower(metadata)

        _UniffiFfiConverterOptionalTypeTenantId.check_lower(new_tenant_id)
        _uniffi_lowered_args = (
            self._uniffi_clone_handle(),
            _UniffiFfiConverterTypeEncryptedAttachedDocuments.lower(encrypted_documents),
            _UniffiFfiConverterTypeAlloyMetadata.lower(metadata),
            _UniffiFfiConverterOptionalTypeTenantId.lower(new_tenant_id),
        )
        _uniffi_lift_return = _UniffiFfiConverterTypeRekeyAttachedDocumentsBatchResult.lift
        _uniffi_error_converter = _UniffiFfiConverterTypeAlloyError
        return await _uniffi_rust_call_async(
            _UniffiLib.uniffi_ironcore_alloy_fn_method_standalonestandardattachedclient_rekey_documents(*_uniffi_lowered_args),
            _UniffiLib.ffi_ironcore_alloy_rust_future_poll_rust_buffer,
            _UniffiLib.ffi_ironcore_alloy_rust_future_complete_rust_buffer,
            _UniffiLib.ffi_ironcore_alloy_rust_future_free_rust_buffer,
            _uniffi_lift_return,
            _uniffi_error_converter,
        )

StandaloneStandardAttachedClientProtocol

Bases: Protocol

Functions

decrypt(encrypted_document, metadata) async

Decrypt a document that was encrypted with the provided metadata. The document must have been encrypted using attached encryption and not deterministic or standard encryption.

Source code in ironcore_alloy/ironcore_alloy.py

    async def decrypt(self, encrypted_document: EncryptedAttachedDocument,metadata: AlloyMetadata) -> PlaintextAttachedDocument:
        """
        Decrypt a document that was encrypted with the provided metadata.
        The document must have been encrypted using attached encryption and not deterministic or standard encryption.
"""
        raise NotImplementedError

decrypt_batch(encrypted_documents, metadata) async

Decrypt multiple documents that were encrypted with the provided metadata. The documents must have been encrypted using attached encryption and not deterministic or standard encryption.

Source code in ironcore_alloy/ironcore_alloy.py

    async def decrypt_batch(self, encrypted_documents: EncryptedAttachedDocuments,metadata: AlloyMetadata) -> StandardAttachedDecryptBatchResult:
        """
        Decrypt multiple documents that were encrypted with the provided metadata.
        The documents must have been encrypted using attached encryption and not deterministic or standard encryption.
"""
        raise NotImplementedError

encrypt(plaintext_document, metadata) async

Encrypt a document with the provided metadata. A DEK (document encryption key) will be generated and encrypted using a derived key. The result is a single blob of bytes with the edek put on the front of it.

Source code in ironcore_alloy/ironcore_alloy.py

    async def encrypt(self, plaintext_document: PlaintextAttachedDocument,metadata: AlloyMetadata) -> EncryptedAttachedDocument:
        """
        Encrypt a document with the provided metadata.
        A DEK (document encryption key) will be generated and encrypted using a derived key.
        The result is a single blob of bytes with the edek put on the front of it.
"""
        raise NotImplementedError

encrypt_batch(plaintext_documents, metadata) async

Encrypt multiple documents with the provided metadata. A DEK (document encryption key) will be generated for each document and encrypted using a derived key.

Source code in ironcore_alloy/ironcore_alloy.py

    async def encrypt_batch(self, plaintext_documents: PlaintextAttachedDocuments,metadata: AlloyMetadata) -> StandardAttachedEncryptBatchResult:
        """
        Encrypt multiple documents with the provided metadata.
        A DEK (document encryption key) will be generated for each document and encrypted using a derived key.
"""
        raise NotImplementedError

get_searchable_edek_prefix(id)

Generate a prefix that could used to search a data store for documents encrypted using an identifier (KMS config id for SaaS Shield, secret id for Standalone). These bytes should be encoded into a format matching the encoding in the data store. z85/ascii85 users should first pass these bytes through encode_prefix_z85 or base85_prefix_padding. Make sure you've read the documentation of those functions to avoid pitfalls when encoding across byte boundaries. Note that this will not work for matching values that don't use our key_id_header format, such as cloaked search.

Source code in ironcore_alloy/ironcore_alloy.py

    def get_searchable_edek_prefix(self, id: int) -> bytes:
        """
        Generate a prefix that could used to search a data store for documents encrypted using an identifier (KMS
        config id for SaaS Shield, secret id for Standalone). These bytes should be encoded into
        a format matching the encoding in the data store. z85/ascii85 users should first pass these bytes through
        `encode_prefix_z85` or `base85_prefix_padding`. Make sure you've read the documentation of those functions to
        avoid pitfalls when encoding across byte boundaries.
        Note that this will not work for matching values that don't use our key_id_header format, such as cloaked search.
"""
        raise NotImplementedError

rekey_documents(encrypted_documents, metadata, new_tenant_id) async

Decrypt the provided documents and re-encrypt them using the tenant's current key. If new_tenant_id is None, the documents will be encrypted to the original tenant.

Source code in ironcore_alloy/ironcore_alloy.py

    async def rekey_documents(self, encrypted_documents: EncryptedAttachedDocuments,metadata: AlloyMetadata,new_tenant_id: typing.Optional[TenantId]) -> RekeyAttachedDocumentsBatchResult:
        """
        Decrypt the provided documents and re-encrypt them using the tenant's current key. If `new_tenant_id` is `None`,
        the documents will be encrypted to the original tenant.
"""
        raise NotImplementedError

StandaloneStandardClient(*args, **kwargs)

Bases: StandaloneStandardClientProtocol, StandardDocumentOpsProtocol

Source code in ironcore_alloy/ironcore_alloy.py

def __init__(self, *args, **kwargs):
    raise ValueError("This class has no default constructor")

Functions

decrypt(encrypted_document, metadata) async

Decrypt a document that was encrypted with the provided metadata. The document must have been encrypted with one of the StandardDocumentOps.encrypt functions. The result contains a map from field identifiers to decrypted bytes.

Source code in ironcore_alloy/ironcore_alloy.py

    async def decrypt(self, encrypted_document: EncryptedDocument,metadata: AlloyMetadata) -> PlaintextDocument:
        """
        Decrypt a document that was encrypted with the provided metadata. The document must have been encrypted with one
        of the `StandardDocumentOps.encrypt` functions. The result contains a map from field identifiers to decrypted
        bytes.
"""

        _UniffiFfiConverterTypeEncryptedDocument.check_lower(encrypted_document)

        _UniffiFfiConverterTypeAlloyMetadata.check_lower(metadata)
        _uniffi_lowered_args = (
            self._uniffi_clone_handle(),
            _UniffiFfiConverterTypeEncryptedDocument.lower(encrypted_document),
            _UniffiFfiConverterTypeAlloyMetadata.lower(metadata),
        )
        _uniffi_lift_return = _UniffiFfiConverterTypePlaintextDocument.lift
        _uniffi_error_converter = _UniffiFfiConverterTypeAlloyError
        return await _uniffi_rust_call_async(
            _UniffiLib.uniffi_ironcore_alloy_fn_method_standalonestandardclient_decrypt(*_uniffi_lowered_args),
            _UniffiLib.ffi_ironcore_alloy_rust_future_poll_rust_buffer,
            _UniffiLib.ffi_ironcore_alloy_rust_future_complete_rust_buffer,
            _UniffiLib.ffi_ironcore_alloy_rust_future_free_rust_buffer,
            _uniffi_lift_return,
            _uniffi_error_converter,
        )

decrypt_batch(encrypted_documents, metadata) async

Decrypt each of the provided documents with the provided metadata. Note that because the metadata is shared between the documents, they all must correspond to the same tenant ID.

Source code in ironcore_alloy/ironcore_alloy.py

    async def decrypt_batch(self, encrypted_documents: EncryptedDocuments,metadata: AlloyMetadata) -> StandardDecryptBatchResult:
        """
        Decrypt each of the provided documents with the provided metadata.
        Note that because the metadata is shared between the documents, they all must correspond to the
        same tenant ID.
"""

        _UniffiFfiConverterTypeEncryptedDocuments.check_lower(encrypted_documents)

        _UniffiFfiConverterTypeAlloyMetadata.check_lower(metadata)
        _uniffi_lowered_args = (
            self._uniffi_clone_handle(),
            _UniffiFfiConverterTypeEncryptedDocuments.lower(encrypted_documents),
            _UniffiFfiConverterTypeAlloyMetadata.lower(metadata),
        )
        _uniffi_lift_return = _UniffiFfiConverterTypeStandardDecryptBatchResult.lift
        _uniffi_error_converter = _UniffiFfiConverterTypeAlloyError
        return await _uniffi_rust_call_async(
            _UniffiLib.uniffi_ironcore_alloy_fn_method_standalonestandardclient_decrypt_batch(*_uniffi_lowered_args),
            _UniffiLib.ffi_ironcore_alloy_rust_future_poll_rust_buffer,
            _UniffiLib.ffi_ironcore_alloy_rust_future_complete_rust_buffer,
            _UniffiLib.ffi_ironcore_alloy_rust_future_free_rust_buffer,
            _uniffi_lift_return,
            _uniffi_error_converter,
        )

encrypt(plaintext_document, metadata) async

Encrypt a document with the provided metadata. The document must be a map from field identifiers to plaintext bytes, and the same metadata must be provided when decrypting the document. A DEK (document encryption key) will be generated and encrypted using a derived key, then each field of the document will be encrypted separately using a random IV and this single generated DEK. The result contains a map from field identifiers to encrypted bytes as well as the EDEK (encrypted document encryption key) used for encryption. The document is encrypted differently with each call, so the result is not suited for exact matches or indexing. For the same reason however the strongest protection of the document is provided by this method. To support these uses, see the DeterministicFieldOps.encrypt function.

Source code in ironcore_alloy/ironcore_alloy.py

    async def encrypt(self, plaintext_document: PlaintextDocument,metadata: AlloyMetadata) -> EncryptedDocument:
        """
        Encrypt a document with the provided metadata. The document must be a map from field identifiers to plaintext
        bytes, and the same metadata must be provided when decrypting the document.
        A DEK (document encryption key) will be generated and encrypted using a derived key, then each field of the
        document will be encrypted separately using a random IV and this single generated DEK.
        The result contains a map from field identifiers to encrypted bytes as well as the EDEK (encrypted document
        encryption key) used for encryption.
        The document is encrypted differently with each call, so the result is not suited for exact matches or indexing.
        For the same reason however the strongest protection of the document is provided by this method.
        To support these uses, see the `DeterministicFieldOps.encrypt` function.
"""

        _UniffiFfiConverterTypePlaintextDocument.check_lower(plaintext_document)

        _UniffiFfiConverterTypeAlloyMetadata.check_lower(metadata)
        _uniffi_lowered_args = (
            self._uniffi_clone_handle(),
            _UniffiFfiConverterTypePlaintextDocument.lower(plaintext_document),
            _UniffiFfiConverterTypeAlloyMetadata.lower(metadata),
        )
        _uniffi_lift_return = _UniffiFfiConverterTypeEncryptedDocument.lift
        _uniffi_error_converter = _UniffiFfiConverterTypeAlloyError
        return await _uniffi_rust_call_async(
            _UniffiLib.uniffi_ironcore_alloy_fn_method_standalonestandardclient_encrypt(*_uniffi_lowered_args),
            _UniffiLib.ffi_ironcore_alloy_rust_future_poll_rust_buffer,
            _UniffiLib.ffi_ironcore_alloy_rust_future_complete_rust_buffer,
            _UniffiLib.ffi_ironcore_alloy_rust_future_free_rust_buffer,
            _uniffi_lift_return,
            _uniffi_error_converter,
        )

encrypt_batch(plaintext_documents, metadata) async

Encrypt each of the provided documents with the provided metadata. Note that because only a single metadata value is passed, each document will be encrypted to the same tenant.

Source code in ironcore_alloy/ironcore_alloy.py

    async def encrypt_batch(self, plaintext_documents: PlaintextDocuments,metadata: AlloyMetadata) -> StandardEncryptBatchResult:
        """
        Encrypt each of the provided documents with the provided metadata.
        Note that because only a single metadata value is passed, each document will be encrypted to the same tenant.
"""

        _UniffiFfiConverterTypePlaintextDocuments.check_lower(plaintext_documents)

        _UniffiFfiConverterTypeAlloyMetadata.check_lower(metadata)
        _uniffi_lowered_args = (
            self._uniffi_clone_handle(),
            _UniffiFfiConverterTypePlaintextDocuments.lower(plaintext_documents),
            _UniffiFfiConverterTypeAlloyMetadata.lower(metadata),
        )
        _uniffi_lift_return = _UniffiFfiConverterTypeStandardEncryptBatchResult.lift
        _uniffi_error_converter = _UniffiFfiConverterTypeAlloyError
        return await _uniffi_rust_call_async(
            _UniffiLib.uniffi_ironcore_alloy_fn_method_standalonestandardclient_encrypt_batch(*_uniffi_lowered_args),
            _UniffiLib.ffi_ironcore_alloy_rust_future_poll_rust_buffer,
            _UniffiLib.ffi_ironcore_alloy_rust_future_complete_rust_buffer,
            _UniffiLib.ffi_ironcore_alloy_rust_future_free_rust_buffer,
            _uniffi_lift_return,
            _uniffi_error_converter,
        )

encrypt_with_existing_edek(plaintext_document, metadata) async

Encrypt a document with the provided metadata. The document must be a map from field identifiers to plaintext bytes, and the same metadata must be provided when decrypting the document. The provided EDEK will be decrypted and used to encrypt each field. This is useful when updating some fields of the document.

Source code in ironcore_alloy/ironcore_alloy.py

    async def encrypt_with_existing_edek(self, plaintext_document: PlaintextDocumentWithEdek,metadata: AlloyMetadata) -> EncryptedDocument:
        """
        Encrypt a document with the provided metadata. The document must be a map from field identifiers to plaintext
        bytes, and the same metadata must be provided when decrypting the document.
        The provided EDEK will be decrypted and used to encrypt each field. This is useful when updating some fields
        of the document.
"""

        _UniffiFfiConverterTypePlaintextDocumentWithEdek.check_lower(plaintext_document)

        _UniffiFfiConverterTypeAlloyMetadata.check_lower(metadata)
        _uniffi_lowered_args = (
            self._uniffi_clone_handle(),
            _UniffiFfiConverterTypePlaintextDocumentWithEdek.lower(plaintext_document),
            _UniffiFfiConverterTypeAlloyMetadata.lower(metadata),
        )
        _uniffi_lift_return = _UniffiFfiConverterTypeEncryptedDocument.lift
        _uniffi_error_converter = _UniffiFfiConverterTypeAlloyError
        return await _uniffi_rust_call_async(
            _UniffiLib.uniffi_ironcore_alloy_fn_method_standalonestandardclient_encrypt_with_existing_edek(*_uniffi_lowered_args),
            _UniffiLib.ffi_ironcore_alloy_rust_future_poll_rust_buffer,
            _UniffiLib.ffi_ironcore_alloy_rust_future_complete_rust_buffer,
            _UniffiLib.ffi_ironcore_alloy_rust_future_free_rust_buffer,
            _uniffi_lift_return,
            _uniffi_error_converter,
        )

encrypt_with_existing_edek_batch(plaintext_documents, metadata) async

Encrypt multiple documents with the provided metadata. The provided EDEKs will be decrypted and used to encrypt each corresponding document's fields. This is useful when updating some fields of the document.

Source code in ironcore_alloy/ironcore_alloy.py

    async def encrypt_with_existing_edek_batch(self, plaintext_documents: PlaintextDocumentsWithEdeks,metadata: AlloyMetadata) -> StandardEncryptBatchResult:
        """
        Encrypt multiple documents with the provided metadata.
        The provided EDEKs will be decrypted and used to encrypt each corresponding document's fields.
        This is useful when updating some fields of the document.
"""

        _UniffiFfiConverterTypePlaintextDocumentsWithEdeks.check_lower(plaintext_documents)

        _UniffiFfiConverterTypeAlloyMetadata.check_lower(metadata)
        _uniffi_lowered_args = (
            self._uniffi_clone_handle(),
            _UniffiFfiConverterTypePlaintextDocumentsWithEdeks.lower(plaintext_documents),
            _UniffiFfiConverterTypeAlloyMetadata.lower(metadata),
        )
        _uniffi_lift_return = _UniffiFfiConverterTypeStandardEncryptBatchResult.lift
        _uniffi_error_converter = _UniffiFfiConverterTypeAlloyError
        return await _uniffi_rust_call_async(
            _UniffiLib.uniffi_ironcore_alloy_fn_method_standalonestandardclient_encrypt_with_existing_edek_batch(*_uniffi_lowered_args),
            _UniffiLib.ffi_ironcore_alloy_rust_future_poll_rust_buffer,
            _UniffiLib.ffi_ironcore_alloy_rust_future_complete_rust_buffer,
            _UniffiLib.ffi_ironcore_alloy_rust_future_free_rust_buffer,
            _uniffi_lift_return,
            _uniffi_error_converter,
        )

get_searchable_edek_prefix(id)

Generate a prefix that could used to search a data store for documents encrypted using an identifier (KMS config id for SaaS Shield, secret id for Standalone). These bytes should be encoded into a format matching the encoding in the data store. z85/ascii85 users should first pass these bytes through encode_prefix_z85 or base85_prefix_padding. Make sure you've read the documentation of those functions to avoid pitfalls when encoding across byte boundaries.

Source code in ironcore_alloy/ironcore_alloy.py

    def get_searchable_edek_prefix(self, id: int) -> bytes:
        """
        Generate a prefix that could used to search a data store for documents encrypted using an identifier (KMS
        config id for SaaS Shield, secret id for Standalone). These bytes should be encoded into
        a format matching the encoding in the data store. z85/ascii85 users should first pass these bytes through
        `encode_prefix_z85` or `base85_prefix_padding`. Make sure you've read the documentation of those functions to
        avoid pitfalls when encoding across byte boundaries.
"""

        _UniffiFfiConverterInt32.check_lower(id)
        _uniffi_lowered_args = (
            self._uniffi_clone_handle(),
            _UniffiFfiConverterInt32.lower(id),
        )
        _uniffi_lift_return = _UniffiFfiConverterBytes.lift
        _uniffi_error_converter = None
        _uniffi_ffi_result = _uniffi_rust_call_with_error(
            _uniffi_error_converter,
            _UniffiLib.uniffi_ironcore_alloy_fn_method_standalonestandardclient_get_searchable_edek_prefix,
            *_uniffi_lowered_args,
        )
        return _uniffi_lift_return(_uniffi_ffi_result)

rekey_edeks(edeks, metadata, new_tenant_id) async

Decrypt the provided EDEKs and re-encrypt them using the tenant's current key. If new_tenant_id is None, the EDEK will be encrypted to the original tenant. Because the underlying DEK does not change, a document associated with the old EDEK can be decrypted with the new EDEK without changing its document data.

Source code in ironcore_alloy/ironcore_alloy.py

    async def rekey_edeks(self, edeks: dict[DocumentId, EdekWithKeyIdHeader],metadata: AlloyMetadata,new_tenant_id: typing.Optional[TenantId]) -> RekeyEdeksBatchResult:
        """
        Decrypt the provided EDEKs and re-encrypt them using the tenant's current key. If `new_tenant_id` is `None`,
        the EDEK will be encrypted to the original tenant. Because the underlying DEK does not change, a document
        associated with the old EDEK can be decrypted with the new EDEK without changing its document data.
"""

        _UniffiFfiConverterMapTypeDocumentIdTypeEdekWithKeyIdHeader.check_lower(edeks)

        _UniffiFfiConverterTypeAlloyMetadata.check_lower(metadata)

        _UniffiFfiConverterOptionalTypeTenantId.check_lower(new_tenant_id)
        _uniffi_lowered_args = (
            self._uniffi_clone_handle(),
            _UniffiFfiConverterMapTypeDocumentIdTypeEdekWithKeyIdHeader.lower(edeks),
            _UniffiFfiConverterTypeAlloyMetadata.lower(metadata),
            _UniffiFfiConverterOptionalTypeTenantId.lower(new_tenant_id),
        )
        _uniffi_lift_return = _UniffiFfiConverterTypeRekeyEdeksBatchResult.lift
        _uniffi_error_converter = _UniffiFfiConverterTypeAlloyError
        return await _uniffi_rust_call_async(
            _UniffiLib.uniffi_ironcore_alloy_fn_method_standalonestandardclient_rekey_edeks(*_uniffi_lowered_args),
            _UniffiLib.ffi_ironcore_alloy_rust_future_poll_rust_buffer,
            _UniffiLib.ffi_ironcore_alloy_rust_future_complete_rust_buffer,
            _UniffiLib.ffi_ironcore_alloy_rust_future_free_rust_buffer,
            _uniffi_lift_return,
            _uniffi_error_converter,
        )

StandaloneStandardClientProtocol

Bases: Protocol

Functions

decrypt(encrypted_document, metadata) async

Decrypt a document that was encrypted with the provided metadata. The document must have been encrypted with one of the StandardDocumentOps.encrypt functions. The result contains a map from field identifiers to decrypted bytes.

Source code in ironcore_alloy/ironcore_alloy.py

    async def decrypt(self, encrypted_document: EncryptedDocument,metadata: AlloyMetadata) -> PlaintextDocument:
        """
        Decrypt a document that was encrypted with the provided metadata. The document must have been encrypted with one
        of the `StandardDocumentOps.encrypt` functions. The result contains a map from field identifiers to decrypted
        bytes.
"""
        raise NotImplementedError

decrypt_batch(encrypted_documents, metadata) async

Decrypt each of the provided documents with the provided metadata. Note that because the metadata is shared between the documents, they all must correspond to the same tenant ID.

Source code in ironcore_alloy/ironcore_alloy.py

    async def decrypt_batch(self, encrypted_documents: EncryptedDocuments,metadata: AlloyMetadata) -> StandardDecryptBatchResult:
        """
        Decrypt each of the provided documents with the provided metadata.
        Note that because the metadata is shared between the documents, they all must correspond to the
        same tenant ID.
"""
        raise NotImplementedError

encrypt(plaintext_document, metadata) async

Encrypt a document with the provided metadata. The document must be a map from field identifiers to plaintext bytes, and the same metadata must be provided when decrypting the document. A DEK (document encryption key) will be generated and encrypted using a derived key, then each field of the document will be encrypted separately using a random IV and this single generated DEK. The result contains a map from field identifiers to encrypted bytes as well as the EDEK (encrypted document encryption key) used for encryption. The document is encrypted differently with each call, so the result is not suited for exact matches or indexing. For the same reason however the strongest protection of the document is provided by this method. To support these uses, see the DeterministicFieldOps.encrypt function.

Source code in ironcore_alloy/ironcore_alloy.py

    async def encrypt(self, plaintext_document: PlaintextDocument,metadata: AlloyMetadata) -> EncryptedDocument:
        """
        Encrypt a document with the provided metadata. The document must be a map from field identifiers to plaintext
        bytes, and the same metadata must be provided when decrypting the document.
        A DEK (document encryption key) will be generated and encrypted using a derived key, then each field of the
        document will be encrypted separately using a random IV and this single generated DEK.
        The result contains a map from field identifiers to encrypted bytes as well as the EDEK (encrypted document
        encryption key) used for encryption.
        The document is encrypted differently with each call, so the result is not suited for exact matches or indexing.
        For the same reason however the strongest protection of the document is provided by this method.
        To support these uses, see the `DeterministicFieldOps.encrypt` function.
"""
        raise NotImplementedError

encrypt_batch(plaintext_documents, metadata) async

Encrypt each of the provided documents with the provided metadata. Note that because only a single metadata value is passed, each document will be encrypted to the same tenant.

Source code in ironcore_alloy/ironcore_alloy.py

    async def encrypt_batch(self, plaintext_documents: PlaintextDocuments,metadata: AlloyMetadata) -> StandardEncryptBatchResult:
        """
        Encrypt each of the provided documents with the provided metadata.
        Note that because only a single metadata value is passed, each document will be encrypted to the same tenant.
"""
        raise NotImplementedError

encrypt_with_existing_edek(plaintext_document, metadata) async

Encrypt a document with the provided metadata. The document must be a map from field identifiers to plaintext bytes, and the same metadata must be provided when decrypting the document. The provided EDEK will be decrypted and used to encrypt each field. This is useful when updating some fields of the document.

Source code in ironcore_alloy/ironcore_alloy.py

    async def encrypt_with_existing_edek(self, plaintext_document: PlaintextDocumentWithEdek,metadata: AlloyMetadata) -> EncryptedDocument:
        """
        Encrypt a document with the provided metadata. The document must be a map from field identifiers to plaintext
        bytes, and the same metadata must be provided when decrypting the document.
        The provided EDEK will be decrypted and used to encrypt each field. This is useful when updating some fields
        of the document.
"""
        raise NotImplementedError

encrypt_with_existing_edek_batch(plaintext_documents, metadata) async

Encrypt multiple documents with the provided metadata. The provided EDEKs will be decrypted and used to encrypt each corresponding document's fields. This is useful when updating some fields of the document.

Source code in ironcore_alloy/ironcore_alloy.py

    async def encrypt_with_existing_edek_batch(self, plaintext_documents: PlaintextDocumentsWithEdeks,metadata: AlloyMetadata) -> StandardEncryptBatchResult:
        """
        Encrypt multiple documents with the provided metadata.
        The provided EDEKs will be decrypted and used to encrypt each corresponding document's fields.
        This is useful when updating some fields of the document.
"""
        raise NotImplementedError

get_searchable_edek_prefix(id)

Generate a prefix that could used to search a data store for documents encrypted using an identifier (KMS config id for SaaS Shield, secret id for Standalone). These bytes should be encoded into a format matching the encoding in the data store. z85/ascii85 users should first pass these bytes through encode_prefix_z85 or base85_prefix_padding. Make sure you've read the documentation of those functions to avoid pitfalls when encoding across byte boundaries.

Source code in ironcore_alloy/ironcore_alloy.py

    def get_searchable_edek_prefix(self, id: int) -> bytes:
        """
        Generate a prefix that could used to search a data store for documents encrypted using an identifier (KMS
        config id for SaaS Shield, secret id for Standalone). These bytes should be encoded into
        a format matching the encoding in the data store. z85/ascii85 users should first pass these bytes through
        `encode_prefix_z85` or `base85_prefix_padding`. Make sure you've read the documentation of those functions to
        avoid pitfalls when encoding across byte boundaries.
"""
        raise NotImplementedError

rekey_edeks(edeks, metadata, new_tenant_id) async

Decrypt the provided EDEKs and re-encrypt them using the tenant's current key. If new_tenant_id is None, the EDEK will be encrypted to the original tenant. Because the underlying DEK does not change, a document associated with the old EDEK can be decrypted with the new EDEK without changing its document data.

Source code in ironcore_alloy/ironcore_alloy.py

    async def rekey_edeks(self, edeks: dict[DocumentId, EdekWithKeyIdHeader],metadata: AlloyMetadata,new_tenant_id: typing.Optional[TenantId]) -> RekeyEdeksBatchResult:
        """
        Decrypt the provided EDEKs and re-encrypt them using the tenant's current key. If `new_tenant_id` is `None`,
        the EDEK will be encrypted to the original tenant. Because the underlying DEK does not change, a document
        associated with the old EDEK can be decrypted with the new EDEK without changing its document data.
"""
        raise NotImplementedError

StandaloneVectorClient(*args, **kwargs)

Bases: StandaloneVectorClientProtocol, VectorOpsProtocol

Source code in ironcore_alloy/ironcore_alloy.py

def __init__(self, *args, **kwargs):
    raise ValueError("This class has no default constructor")

Functions

decrypt(encrypted_vector, metadata) async

Decrypt a vector embedding that was encrypted with the provided metadata. The values of the embedding will be unshuffled to their original positions during decryption.

Source code in ironcore_alloy/ironcore_alloy.py

    async def decrypt(self, encrypted_vector: EncryptedVector,metadata: AlloyMetadata) -> PlaintextVector:
        """
        Decrypt a vector embedding that was encrypted with the provided metadata. The values of the embedding will
        be unshuffled to their original positions during decryption.
"""

        _UniffiFfiConverterTypeEncryptedVector.check_lower(encrypted_vector)

        _UniffiFfiConverterTypeAlloyMetadata.check_lower(metadata)
        _uniffi_lowered_args = (
            self._uniffi_clone_handle(),
            _UniffiFfiConverterTypeEncryptedVector.lower(encrypted_vector),
            _UniffiFfiConverterTypeAlloyMetadata.lower(metadata),
        )
        _uniffi_lift_return = _UniffiFfiConverterTypePlaintextVector.lift
        _uniffi_error_converter = _UniffiFfiConverterTypeAlloyError
        return await _uniffi_rust_call_async(
            _UniffiLib.uniffi_ironcore_alloy_fn_method_standalonevectorclient_decrypt(*_uniffi_lowered_args),
            _UniffiLib.ffi_ironcore_alloy_rust_future_poll_rust_buffer,
            _UniffiLib.ffi_ironcore_alloy_rust_future_complete_rust_buffer,
            _UniffiLib.ffi_ironcore_alloy_rust_future_free_rust_buffer,
            _uniffi_lift_return,
            _uniffi_error_converter,
        )

decrypt_batch(encrypted_vectors, metadata) async

Decrypt multiple vector embeddings that were encrypted with the provided metadata. The values of the embeddings will be unshuffled to their original positions during decryption. Note that because the metadata is shared between the vectors, they all must correspond to the same tenant ID.

Source code in ironcore_alloy/ironcore_alloy.py

    async def decrypt_batch(self, encrypted_vectors: EncryptedVectors,metadata: AlloyMetadata) -> VectorDecryptBatchResult:
        """
        Decrypt multiple vector embeddings that were encrypted with the provided metadata. The values of the embeddings
        will be unshuffled to their original positions during decryption.
        Note that because the metadata is shared between the vectors, they all must correspond to the
        same tenant ID.
"""

        _UniffiFfiConverterTypeEncryptedVectors.check_lower(encrypted_vectors)

        _UniffiFfiConverterTypeAlloyMetadata.check_lower(metadata)
        _uniffi_lowered_args = (
            self._uniffi_clone_handle(),
            _UniffiFfiConverterTypeEncryptedVectors.lower(encrypted_vectors),
            _UniffiFfiConverterTypeAlloyMetadata.lower(metadata),
        )
        _uniffi_lift_return = _UniffiFfiConverterTypeVectorDecryptBatchResult.lift
        _uniffi_error_converter = _UniffiFfiConverterTypeAlloyError
        return await _uniffi_rust_call_async(
            _UniffiLib.uniffi_ironcore_alloy_fn_method_standalonevectorclient_decrypt_batch(*_uniffi_lowered_args),
            _UniffiLib.ffi_ironcore_alloy_rust_future_poll_rust_buffer,
            _UniffiLib.ffi_ironcore_alloy_rust_future_complete_rust_buffer,
            _UniffiLib.ffi_ironcore_alloy_rust_future_free_rust_buffer,
            _uniffi_lift_return,
            _uniffi_error_converter,
        )

encrypt(plaintext_vector, metadata) async

Encrypt a vector embedding with the provided metadata. The provided embedding is assumed to be normalized and its values will be shuffled as part of the encryption. The same tenant ID must be provided in the metadata when decrypting the embedding.

Source code in ironcore_alloy/ironcore_alloy.py

    async def encrypt(self, plaintext_vector: PlaintextVector,metadata: AlloyMetadata) -> EncryptedVector:
        """
        Encrypt a vector embedding with the provided metadata. The provided embedding is assumed to be normalized
        and its values will be shuffled as part of the encryption.
        The same tenant ID must be provided in the metadata when decrypting the embedding.
"""

        _UniffiFfiConverterTypePlaintextVector.check_lower(plaintext_vector)

        _UniffiFfiConverterTypeAlloyMetadata.check_lower(metadata)
        _uniffi_lowered_args = (
            self._uniffi_clone_handle(),
            _UniffiFfiConverterTypePlaintextVector.lower(plaintext_vector),
            _UniffiFfiConverterTypeAlloyMetadata.lower(metadata),
        )
        _uniffi_lift_return = _UniffiFfiConverterTypeEncryptedVector.lift
        _uniffi_error_converter = _UniffiFfiConverterTypeAlloyError
        return await _uniffi_rust_call_async(
            _UniffiLib.uniffi_ironcore_alloy_fn_method_standalonevectorclient_encrypt(*_uniffi_lowered_args),
            _UniffiLib.ffi_ironcore_alloy_rust_future_poll_rust_buffer,
            _UniffiLib.ffi_ironcore_alloy_rust_future_complete_rust_buffer,
            _UniffiLib.ffi_ironcore_alloy_rust_future_free_rust_buffer,
            _uniffi_lift_return,
            _uniffi_error_converter,
        )

encrypt_batch(plaintext_vectors, metadata) async

Encrypt multiple vector embeddings with the provided metadata. The provided embeddings are assumed to be normalized and their values will be shuffled as part of the encryption. The same tenant ID must be provided in the metadata when decrypting the embeddings.

Source code in ironcore_alloy/ironcore_alloy.py

    async def encrypt_batch(self, plaintext_vectors: PlaintextVectors,metadata: AlloyMetadata) -> VectorEncryptBatchResult:
        """
        Encrypt multiple vector embeddings with the provided metadata. The provided embeddings are assumed to be normalized
        and their values will be shuffled as part of the encryption.
        The same tenant ID must be provided in the metadata when decrypting the embeddings.
"""

        _UniffiFfiConverterTypePlaintextVectors.check_lower(plaintext_vectors)

        _UniffiFfiConverterTypeAlloyMetadata.check_lower(metadata)
        _uniffi_lowered_args = (
            self._uniffi_clone_handle(),
            _UniffiFfiConverterTypePlaintextVectors.lower(plaintext_vectors),
            _UniffiFfiConverterTypeAlloyMetadata.lower(metadata),
        )
        _uniffi_lift_return = _UniffiFfiConverterTypeVectorEncryptBatchResult.lift
        _uniffi_error_converter = _UniffiFfiConverterTypeAlloyError
        return await _uniffi_rust_call_async(
            _UniffiLib.uniffi_ironcore_alloy_fn_method_standalonevectorclient_encrypt_batch(*_uniffi_lowered_args),
            _UniffiLib.ffi_ironcore_alloy_rust_future_poll_rust_buffer,
            _UniffiLib.ffi_ironcore_alloy_rust_future_complete_rust_buffer,
            _UniffiLib.ffi_ironcore_alloy_rust_future_free_rust_buffer,
            _uniffi_lift_return,
            _uniffi_error_converter,
        )

generate_query_vectors(vectors_to_query, metadata) async

Encrypt each plaintext vector with any Current and InRotation keys for the provided secret path. The resulting encrypted vectors should be used in tandem when querying the vector database.

Source code in ironcore_alloy/ironcore_alloy.py

    async def generate_query_vectors(self, vectors_to_query: PlaintextVectors,metadata: AlloyMetadata) -> GenerateVectorQueryResult:
        """
        Encrypt each plaintext vector with any Current and InRotation keys for the provided secret path.
        The resulting encrypted vectors should be used in tandem when querying the vector database.
"""

        _UniffiFfiConverterTypePlaintextVectors.check_lower(vectors_to_query)

        _UniffiFfiConverterTypeAlloyMetadata.check_lower(metadata)
        _uniffi_lowered_args = (
            self._uniffi_clone_handle(),
            _UniffiFfiConverterTypePlaintextVectors.lower(vectors_to_query),
            _UniffiFfiConverterTypeAlloyMetadata.lower(metadata),
        )
        _uniffi_lift_return = _UniffiFfiConverterTypeGenerateVectorQueryResult.lift
        _uniffi_error_converter = _UniffiFfiConverterTypeAlloyError
        return await _uniffi_rust_call_async(
            _UniffiLib.uniffi_ironcore_alloy_fn_method_standalonevectorclient_generate_query_vectors(*_uniffi_lowered_args),
            _UniffiLib.ffi_ironcore_alloy_rust_future_poll_rust_buffer,
            _UniffiLib.ffi_ironcore_alloy_rust_future_complete_rust_buffer,
            _UniffiLib.ffi_ironcore_alloy_rust_future_free_rust_buffer,
            _uniffi_lift_return,
            _uniffi_error_converter,
        )

get_in_rotation_prefix(secret_path, derivation_path, metadata) async

Get the byte prefix for the InRotation secret corresponding to this secret_path. Note that if you use z85 or ascii85 encoding, the result of this function should be passed to base85_compat_prefix_bytes before searching your datastore. Note: The derivation_path and metadata are not actually required for this function and can be passed any value.

Source code in ironcore_alloy/ironcore_alloy.py

    async def get_in_rotation_prefix(self, secret_path: SecretPath,derivation_path: DerivationPath,metadata: AlloyMetadata) -> bytes:
        """
        Get the byte prefix for the InRotation secret corresponding to this secret_path.
        Note that if you use z85 or ascii85 encoding, the result of this function should be passed to `base85_compat_prefix_bytes`
        before searching your datastore.
        Note: The derivation_path and metadata are not actually required for this function and can be passed any value.
"""

        _UniffiFfiConverterTypeSecretPath.check_lower(secret_path)

        _UniffiFfiConverterTypeDerivationPath.check_lower(derivation_path)

        _UniffiFfiConverterTypeAlloyMetadata.check_lower(metadata)
        _uniffi_lowered_args = (
            self._uniffi_clone_handle(),
            _UniffiFfiConverterTypeSecretPath.lower(secret_path),
            _UniffiFfiConverterTypeDerivationPath.lower(derivation_path),
            _UniffiFfiConverterTypeAlloyMetadata.lower(metadata),
        )
        _uniffi_lift_return = _UniffiFfiConverterBytes.lift
        _uniffi_error_converter = _UniffiFfiConverterTypeAlloyError
        return await _uniffi_rust_call_async(
            _UniffiLib.uniffi_ironcore_alloy_fn_method_standalonevectorclient_get_in_rotation_prefix(*_uniffi_lowered_args),
            _UniffiLib.ffi_ironcore_alloy_rust_future_poll_rust_buffer,
            _UniffiLib.ffi_ironcore_alloy_rust_future_complete_rust_buffer,
            _UniffiLib.ffi_ironcore_alloy_rust_future_free_rust_buffer,
            _uniffi_lift_return,
            _uniffi_error_converter,
        )

rotate_vectors(encrypted_vectors, metadata, new_tenant_id) async

Rotates vectors from the in-rotation secret for their secret path to the current secret. This can also be used to rotate data from one tenant ID to a new one, which most useful when a tenant is internally migrated.

WARNINGS: * this involves decrypting then encrypting vectors. Since the vectors are full of floating point numbers, this process is lossy, which will cause some drift over time. If you need perfectly preserved accuracy store the source vector encrypted with standard next to the encrypted vector. standard decrypt that, vector encrypt it again, and replace the encrypted vector with the result. * only one metadata and new tenant ID argument means each call to this needs to have one tenant's vectors.

Source code in ironcore_alloy/ironcore_alloy.py

    async def rotate_vectors(self, encrypted_vectors: EncryptedVectors,metadata: AlloyMetadata,new_tenant_id: typing.Optional[TenantId]) -> VectorRotateResult:
        """
        Rotates vectors from the in-rotation secret for their secret path to the current secret.
        This can also be used to rotate data from one tenant ID to a new one, which most useful when a tenant is
        internally migrated.

        WARNINGS:
        * this involves decrypting then encrypting vectors. Since the vectors are full of floating point numbers,
        this process is lossy, which will cause some drift over time. If you need perfectly preserved accuracy
        store the source vector encrypted with `standard` next to the encrypted vector. `standard` decrypt
        that, `vector` encrypt it again, and replace the encrypted vector with the result.
        * only one metadata and new tenant ID argument means each call to this needs to have one tenant's vectors.
"""

        _UniffiFfiConverterTypeEncryptedVectors.check_lower(encrypted_vectors)

        _UniffiFfiConverterTypeAlloyMetadata.check_lower(metadata)

        _UniffiFfiConverterOptionalTypeTenantId.check_lower(new_tenant_id)
        _uniffi_lowered_args = (
            self._uniffi_clone_handle(),
            _UniffiFfiConverterTypeEncryptedVectors.lower(encrypted_vectors),
            _UniffiFfiConverterTypeAlloyMetadata.lower(metadata),
            _UniffiFfiConverterOptionalTypeTenantId.lower(new_tenant_id),
        )
        _uniffi_lift_return = _UniffiFfiConverterTypeVectorRotateResult.lift
        _uniffi_error_converter = _UniffiFfiConverterTypeAlloyError
        return await _uniffi_rust_call_async(
            _UniffiLib.uniffi_ironcore_alloy_fn_method_standalonevectorclient_rotate_vectors(*_uniffi_lowered_args),
            _UniffiLib.ffi_ironcore_alloy_rust_future_poll_rust_buffer,
            _UniffiLib.ffi_ironcore_alloy_rust_future_complete_rust_buffer,
            _UniffiLib.ffi_ironcore_alloy_rust_future_free_rust_buffer,
            _uniffi_lift_return,
            _uniffi_error_converter,
        )

StandaloneVectorClientProtocol

Bases: Protocol

Functions

decrypt(encrypted_vector, metadata) async

Decrypt a vector embedding that was encrypted with the provided metadata. The values of the embedding will be unshuffled to their original positions during decryption.

Source code in ironcore_alloy/ironcore_alloy.py

    async def decrypt(self, encrypted_vector: EncryptedVector,metadata: AlloyMetadata) -> PlaintextVector:
        """
        Decrypt a vector embedding that was encrypted with the provided metadata. The values of the embedding will
        be unshuffled to their original positions during decryption.
"""
        raise NotImplementedError

decrypt_batch(encrypted_vectors, metadata) async

Decrypt multiple vector embeddings that were encrypted with the provided metadata. The values of the embeddings will be unshuffled to their original positions during decryption. Note that because the metadata is shared between the vectors, they all must correspond to the same tenant ID.

Source code in ironcore_alloy/ironcore_alloy.py

    async def decrypt_batch(self, encrypted_vectors: EncryptedVectors,metadata: AlloyMetadata) -> VectorDecryptBatchResult:
        """
        Decrypt multiple vector embeddings that were encrypted with the provided metadata. The values of the embeddings
        will be unshuffled to their original positions during decryption.
        Note that because the metadata is shared between the vectors, they all must correspond to the
        same tenant ID.
"""
        raise NotImplementedError

encrypt(plaintext_vector, metadata) async

Encrypt a vector embedding with the provided metadata. The provided embedding is assumed to be normalized and its values will be shuffled as part of the encryption. The same tenant ID must be provided in the metadata when decrypting the embedding.

Source code in ironcore_alloy/ironcore_alloy.py

    async def encrypt(self, plaintext_vector: PlaintextVector,metadata: AlloyMetadata) -> EncryptedVector:
        """
        Encrypt a vector embedding with the provided metadata. The provided embedding is assumed to be normalized
        and its values will be shuffled as part of the encryption.
        The same tenant ID must be provided in the metadata when decrypting the embedding.
"""
        raise NotImplementedError

encrypt_batch(plaintext_vectors, metadata) async

Encrypt multiple vector embeddings with the provided metadata. The provided embeddings are assumed to be normalized and their values will be shuffled as part of the encryption. The same tenant ID must be provided in the metadata when decrypting the embeddings.

Source code in ironcore_alloy/ironcore_alloy.py

    async def encrypt_batch(self, plaintext_vectors: PlaintextVectors,metadata: AlloyMetadata) -> VectorEncryptBatchResult:
        """
        Encrypt multiple vector embeddings with the provided metadata. The provided embeddings are assumed to be normalized
        and their values will be shuffled as part of the encryption.
        The same tenant ID must be provided in the metadata when decrypting the embeddings.
"""
        raise NotImplementedError

generate_query_vectors(vectors_to_query, metadata) async

Encrypt each plaintext vector with any Current and InRotation keys for the provided secret path. The resulting encrypted vectors should be used in tandem when querying the vector database.

Source code in ironcore_alloy/ironcore_alloy.py

    async def generate_query_vectors(self, vectors_to_query: PlaintextVectors,metadata: AlloyMetadata) -> GenerateVectorQueryResult:
        """
        Encrypt each plaintext vector with any Current and InRotation keys for the provided secret path.
        The resulting encrypted vectors should be used in tandem when querying the vector database.
"""
        raise NotImplementedError

get_in_rotation_prefix(secret_path, derivation_path, metadata) async

Get the byte prefix for the InRotation secret corresponding to this secret_path. Note that if you use z85 or ascii85 encoding, the result of this function should be passed to base85_compat_prefix_bytes before searching your datastore. Note: The derivation_path and metadata are not actually required for this function and can be passed any value.

Source code in ironcore_alloy/ironcore_alloy.py

    async def get_in_rotation_prefix(self, secret_path: SecretPath,derivation_path: DerivationPath,metadata: AlloyMetadata) -> bytes:
        """
        Get the byte prefix for the InRotation secret corresponding to this secret_path.
        Note that if you use z85 or ascii85 encoding, the result of this function should be passed to `base85_compat_prefix_bytes`
        before searching your datastore.
        Note: The derivation_path and metadata are not actually required for this function and can be passed any value.
"""
        raise NotImplementedError

rotate_vectors(encrypted_vectors, metadata, new_tenant_id) async

Rotates vectors from the in-rotation secret for their secret path to the current secret. This can also be used to rotate data from one tenant ID to a new one, which most useful when a tenant is internally migrated.

WARNINGS: * this involves decrypting then encrypting vectors. Since the vectors are full of floating point numbers, this process is lossy, which will cause some drift over time. If you need perfectly preserved accuracy store the source vector encrypted with standard next to the encrypted vector. standard decrypt that, vector encrypt it again, and replace the encrypted vector with the result. * only one metadata and new tenant ID argument means each call to this needs to have one tenant's vectors.

Source code in ironcore_alloy/ironcore_alloy.py

    async def rotate_vectors(self, encrypted_vectors: EncryptedVectors,metadata: AlloyMetadata,new_tenant_id: typing.Optional[TenantId]) -> VectorRotateResult:
        """
        Rotates vectors from the in-rotation secret for their secret path to the current secret.
        This can also be used to rotate data from one tenant ID to a new one, which most useful when a tenant is
        internally migrated.

        WARNINGS:
        * this involves decrypting then encrypting vectors. Since the vectors are full of floating point numbers,
        this process is lossy, which will cause some drift over time. If you need perfectly preserved accuracy
        store the source vector encrypted with `standard` next to the encrypted vector. `standard` decrypt
        that, `vector` encrypt it again, and replace the encrypted vector with the result.
        * only one metadata and new tenant ID argument means each call to this needs to have one tenant's vectors.
"""
        raise NotImplementedError

StandardAttachedDecryptBatchResult(*, successes, failures) dataclass

Source code in ironcore_alloy/ironcore_alloy.py

def __init__(self, *, successes:PlaintextAttachedDocuments, failures:dict[DocumentId, AlloyError]):
    self.successes = successes
    self.failures = failures

Attributes

failures = failures instance-attribute

successes = successes instance-attribute

StandardAttachedDocumentOps(*args, **kwargs)

Bases: StandardAttachedDocumentOpsProtocol

API for encrypting and decrypting documents using our standard encryption.

Source code in ironcore_alloy/ironcore_alloy.py

def __init__(self, *args, **kwargs):
    raise ValueError("This class has no default constructor")

Functions

decrypt(attached_document, metadata) async

Decrypt a document that was encrypted with the provided metadata. The document must have been encrypted using attached encryption and not deterministic or standard encryption.

Source code in ironcore_alloy/ironcore_alloy.py

    async def decrypt(self, attached_document: EncryptedAttachedDocument,metadata: AlloyMetadata) -> PlaintextAttachedDocument:
        """
        Decrypt a document that was encrypted with the provided metadata.
        The document must have been encrypted using attached encryption and not deterministic or standard encryption.
"""

        _UniffiFfiConverterTypeEncryptedAttachedDocument.check_lower(attached_document)

        _UniffiFfiConverterTypeAlloyMetadata.check_lower(metadata)
        _uniffi_lowered_args = (
            self._uniffi_clone_handle(),
            _UniffiFfiConverterTypeEncryptedAttachedDocument.lower(attached_document),
            _UniffiFfiConverterTypeAlloyMetadata.lower(metadata),
        )
        _uniffi_lift_return = _UniffiFfiConverterTypePlaintextAttachedDocument.lift
        _uniffi_error_converter = _UniffiFfiConverterTypeAlloyError
        return await _uniffi_rust_call_async(
            _UniffiLib.uniffi_ironcore_alloy_fn_method_standardattacheddocumentops_decrypt(*_uniffi_lowered_args),
            _UniffiLib.ffi_ironcore_alloy_rust_future_poll_rust_buffer,
            _UniffiLib.ffi_ironcore_alloy_rust_future_complete_rust_buffer,
            _UniffiLib.ffi_ironcore_alloy_rust_future_free_rust_buffer,
            _uniffi_lift_return,
            _uniffi_error_converter,
        )

decrypt_batch(encrypted_documents, metadata) async

Decrypt multiple documents that were encrypted with the provided metadata. The documents must have been encrypted using attached encryption and not deterministic or standard encryption.

Source code in ironcore_alloy/ironcore_alloy.py

    async def decrypt_batch(self, encrypted_documents: EncryptedAttachedDocuments,metadata: AlloyMetadata) -> StandardAttachedDecryptBatchResult:
        """
        Decrypt multiple documents that were encrypted with the provided metadata.
        The documents must have been encrypted using attached encryption and not deterministic or standard encryption.
"""

        _UniffiFfiConverterTypeEncryptedAttachedDocuments.check_lower(encrypted_documents)

        _UniffiFfiConverterTypeAlloyMetadata.check_lower(metadata)
        _uniffi_lowered_args = (
            self._uniffi_clone_handle(),
            _UniffiFfiConverterTypeEncryptedAttachedDocuments.lower(encrypted_documents),
            _UniffiFfiConverterTypeAlloyMetadata.lower(metadata),
        )
        _uniffi_lift_return = _UniffiFfiConverterTypeStandardAttachedDecryptBatchResult.lift
        _uniffi_error_converter = _UniffiFfiConverterTypeAlloyError
        return await _uniffi_rust_call_async(
            _UniffiLib.uniffi_ironcore_alloy_fn_method_standardattacheddocumentops_decrypt_batch(*_uniffi_lowered_args),
            _UniffiLib.ffi_ironcore_alloy_rust_future_poll_rust_buffer,
            _UniffiLib.ffi_ironcore_alloy_rust_future_complete_rust_buffer,
            _UniffiLib.ffi_ironcore_alloy_rust_future_free_rust_buffer,
            _uniffi_lift_return,
            _uniffi_error_converter,
        )

encrypt(plaintext_document, metadata) async

Encrypt a document with the provided metadata. A DEK (document encryption key) will be generated and encrypted using a derived key. The result is a single blob of bytes with the edek put on the front of it.

Source code in ironcore_alloy/ironcore_alloy.py

    async def encrypt(self, plaintext_document: PlaintextAttachedDocument,metadata: AlloyMetadata) -> EncryptedAttachedDocument:
        """
        Encrypt a document with the provided metadata.
        A DEK (document encryption key) will be generated and encrypted using a derived key.
        The result is a single blob of bytes with the edek put on the front of it.
"""

        _UniffiFfiConverterTypePlaintextAttachedDocument.check_lower(plaintext_document)

        _UniffiFfiConverterTypeAlloyMetadata.check_lower(metadata)
        _uniffi_lowered_args = (
            self._uniffi_clone_handle(),
            _UniffiFfiConverterTypePlaintextAttachedDocument.lower(plaintext_document),
            _UniffiFfiConverterTypeAlloyMetadata.lower(metadata),
        )
        _uniffi_lift_return = _UniffiFfiConverterTypeEncryptedAttachedDocument.lift
        _uniffi_error_converter = _UniffiFfiConverterTypeAlloyError
        return await _uniffi_rust_call_async(
            _UniffiLib.uniffi_ironcore_alloy_fn_method_standardattacheddocumentops_encrypt(*_uniffi_lowered_args),
            _UniffiLib.ffi_ironcore_alloy_rust_future_poll_rust_buffer,
            _UniffiLib.ffi_ironcore_alloy_rust_future_complete_rust_buffer,
            _UniffiLib.ffi_ironcore_alloy_rust_future_free_rust_buffer,
            _uniffi_lift_return,
            _uniffi_error_converter,
        )

encrypt_batch(plaintext_documents, metadata) async

Encrypt multiple documents with the provided metadata. A DEK (document encryption key) will be generated for each document and encrypted using a derived key.

Source code in ironcore_alloy/ironcore_alloy.py

    async def encrypt_batch(self, plaintext_documents: PlaintextAttachedDocuments,metadata: AlloyMetadata) -> StandardAttachedEncryptBatchResult:
        """
        Encrypt multiple documents with the provided metadata.
        A DEK (document encryption key) will be generated for each document and encrypted using a derived key.
"""

        _UniffiFfiConverterTypePlaintextAttachedDocuments.check_lower(plaintext_documents)

        _UniffiFfiConverterTypeAlloyMetadata.check_lower(metadata)
        _uniffi_lowered_args = (
            self._uniffi_clone_handle(),
            _UniffiFfiConverterTypePlaintextAttachedDocuments.lower(plaintext_documents),
            _UniffiFfiConverterTypeAlloyMetadata.lower(metadata),
        )
        _uniffi_lift_return = _UniffiFfiConverterTypeStandardAttachedEncryptBatchResult.lift
        _uniffi_error_converter = _UniffiFfiConverterTypeAlloyError
        return await _uniffi_rust_call_async(
            _UniffiLib.uniffi_ironcore_alloy_fn_method_standardattacheddocumentops_encrypt_batch(*_uniffi_lowered_args),
            _UniffiLib.ffi_ironcore_alloy_rust_future_poll_rust_buffer,
            _UniffiLib.ffi_ironcore_alloy_rust_future_complete_rust_buffer,
            _UniffiLib.ffi_ironcore_alloy_rust_future_free_rust_buffer,
            _uniffi_lift_return,
            _uniffi_error_converter,
        )

get_searchable_edek_prefix(id)

Generate a prefix that could used to search a data store for documents encrypted using an identifier (KMS config id for SaaS Shield, secret id for Standalone). These bytes should be encoded into a format matching the encoding in the data store. z85/ascii85 users should first pass these bytes through encode_prefix_z85 or base85_prefix_padding. Make sure you've read the documentation of those functions to avoid pitfalls when encoding across byte boundaries. Note that this will not work for matching values that don't use our key_id_header format, such as Cloaked Search or legacy TSC data.

Source code in ironcore_alloy/ironcore_alloy.py

    def get_searchable_edek_prefix(self, id: int) -> bytes:
        """
        Generate a prefix that could used to search a data store for documents encrypted using an identifier (KMS
        config id for SaaS Shield, secret id for Standalone). These bytes should be encoded into
        a format matching the encoding in the data store. z85/ascii85 users should first pass these bytes through
        `encode_prefix_z85` or `base85_prefix_padding`. Make sure you've read the documentation of those functions to
        avoid pitfalls when encoding across byte boundaries.
        Note that this will not work for matching values that don't use our key_id_header format, such as Cloaked Search
        or legacy TSC data.
"""

        _UniffiFfiConverterInt32.check_lower(id)
        _uniffi_lowered_args = (
            self._uniffi_clone_handle(),
            _UniffiFfiConverterInt32.lower(id),
        )
        _uniffi_lift_return = _UniffiFfiConverterBytes.lift
        _uniffi_error_converter = None
        _uniffi_ffi_result = _uniffi_rust_call_with_error(
            _uniffi_error_converter,
            _UniffiLib.uniffi_ironcore_alloy_fn_method_standardattacheddocumentops_get_searchable_edek_prefix,
            *_uniffi_lowered_args,
        )
        return _uniffi_lift_return(_uniffi_ffi_result)

rekey_documents(encrypted_documents, metadata, new_tenant_id) async

Decrypt the provided documents and re-encrypt them using the tenant's current key. If new_tenant_id is None, the documents will be encrypted to the original tenant.

Source code in ironcore_alloy/ironcore_alloy.py

    async def rekey_documents(self, encrypted_documents: EncryptedAttachedDocuments,metadata: AlloyMetadata,new_tenant_id: typing.Optional[TenantId]) -> RekeyAttachedDocumentsBatchResult:
        """
        Decrypt the provided documents and re-encrypt them using the tenant's current key. If `new_tenant_id` is `None`,
        the documents will be encrypted to the original tenant.
"""

        _UniffiFfiConverterTypeEncryptedAttachedDocuments.check_lower(encrypted_documents)

        _UniffiFfiConverterTypeAlloyMetadata.check_lower(metadata)

        _UniffiFfiConverterOptionalTypeTenantId.check_lower(new_tenant_id)
        _uniffi_lowered_args = (
            self._uniffi_clone_handle(),
            _UniffiFfiConverterTypeEncryptedAttachedDocuments.lower(encrypted_documents),
            _UniffiFfiConverterTypeAlloyMetadata.lower(metadata),
            _UniffiFfiConverterOptionalTypeTenantId.lower(new_tenant_id),
        )
        _uniffi_lift_return = _UniffiFfiConverterTypeRekeyAttachedDocumentsBatchResult.lift
        _uniffi_error_converter = _UniffiFfiConverterTypeAlloyError
        return await _uniffi_rust_call_async(
            _UniffiLib.uniffi_ironcore_alloy_fn_method_standardattacheddocumentops_rekey_documents(*_uniffi_lowered_args),
            _UniffiLib.ffi_ironcore_alloy_rust_future_poll_rust_buffer,
            _UniffiLib.ffi_ironcore_alloy_rust_future_complete_rust_buffer,
            _UniffiLib.ffi_ironcore_alloy_rust_future_free_rust_buffer,
            _uniffi_lift_return,
            _uniffi_error_converter,
        )

StandardAttachedDocumentOpsProtocol

Bases: Protocol

API for encrypting and decrypting documents using our standard encryption.

Functions

decrypt(attached_document, metadata) async

Decrypt a document that was encrypted with the provided metadata. The document must have been encrypted using attached encryption and not deterministic or standard encryption.

Source code in ironcore_alloy/ironcore_alloy.py

    async def decrypt(self, attached_document: EncryptedAttachedDocument,metadata: AlloyMetadata) -> PlaintextAttachedDocument:
        """
        Decrypt a document that was encrypted with the provided metadata.
        The document must have been encrypted using attached encryption and not deterministic or standard encryption.
"""
        raise NotImplementedError

decrypt_batch(encrypted_documents, metadata) async

Decrypt multiple documents that were encrypted with the provided metadata. The documents must have been encrypted using attached encryption and not deterministic or standard encryption.

Source code in ironcore_alloy/ironcore_alloy.py

    async def decrypt_batch(self, encrypted_documents: EncryptedAttachedDocuments,metadata: AlloyMetadata) -> StandardAttachedDecryptBatchResult:
        """
        Decrypt multiple documents that were encrypted with the provided metadata.
        The documents must have been encrypted using attached encryption and not deterministic or standard encryption.
"""
        raise NotImplementedError

encrypt(plaintext_document, metadata) async

Encrypt a document with the provided metadata. A DEK (document encryption key) will be generated and encrypted using a derived key. The result is a single blob of bytes with the edek put on the front of it.

Source code in ironcore_alloy/ironcore_alloy.py

    async def encrypt(self, plaintext_document: PlaintextAttachedDocument,metadata: AlloyMetadata) -> EncryptedAttachedDocument:
        """
        Encrypt a document with the provided metadata.
        A DEK (document encryption key) will be generated and encrypted using a derived key.
        The result is a single blob of bytes with the edek put on the front of it.
"""
        raise NotImplementedError

encrypt_batch(plaintext_documents, metadata) async

Encrypt multiple documents with the provided metadata. A DEK (document encryption key) will be generated for each document and encrypted using a derived key.

Source code in ironcore_alloy/ironcore_alloy.py

    async def encrypt_batch(self, plaintext_documents: PlaintextAttachedDocuments,metadata: AlloyMetadata) -> StandardAttachedEncryptBatchResult:
        """
        Encrypt multiple documents with the provided metadata.
        A DEK (document encryption key) will be generated for each document and encrypted using a derived key.
"""
        raise NotImplementedError

get_searchable_edek_prefix(id)

Generate a prefix that could used to search a data store for documents encrypted using an identifier (KMS config id for SaaS Shield, secret id for Standalone). These bytes should be encoded into a format matching the encoding in the data store. z85/ascii85 users should first pass these bytes through encode_prefix_z85 or base85_prefix_padding. Make sure you've read the documentation of those functions to avoid pitfalls when encoding across byte boundaries. Note that this will not work for matching values that don't use our key_id_header format, such as Cloaked Search or legacy TSC data.

Source code in ironcore_alloy/ironcore_alloy.py

    def get_searchable_edek_prefix(self, id: int) -> bytes:
        """
        Generate a prefix that could used to search a data store for documents encrypted using an identifier (KMS
        config id for SaaS Shield, secret id for Standalone). These bytes should be encoded into
        a format matching the encoding in the data store. z85/ascii85 users should first pass these bytes through
        `encode_prefix_z85` or `base85_prefix_padding`. Make sure you've read the documentation of those functions to
        avoid pitfalls when encoding across byte boundaries.
        Note that this will not work for matching values that don't use our key_id_header format, such as Cloaked Search
        or legacy TSC data.
"""
        raise NotImplementedError

rekey_documents(encrypted_documents, metadata, new_tenant_id) async

Decrypt the provided documents and re-encrypt them using the tenant's current key. If new_tenant_id is None, the documents will be encrypted to the original tenant.

Source code in ironcore_alloy/ironcore_alloy.py

    async def rekey_documents(self, encrypted_documents: EncryptedAttachedDocuments,metadata: AlloyMetadata,new_tenant_id: typing.Optional[TenantId]) -> RekeyAttachedDocumentsBatchResult:
        """
        Decrypt the provided documents and re-encrypt them using the tenant's current key. If `new_tenant_id` is `None`,
        the documents will be encrypted to the original tenant.
"""
        raise NotImplementedError

StandardAttachedEncryptBatchResult(*, successes, failures) dataclass

Source code in ironcore_alloy/ironcore_alloy.py

def __init__(self, *, successes:EncryptedAttachedDocuments, failures:dict[DocumentId, AlloyError]):
    self.successes = successes
    self.failures = failures

Attributes

failures = failures instance-attribute

successes = successes instance-attribute

StandardDecryptBatchResult(*, successes, failures) dataclass

Source code in ironcore_alloy/ironcore_alloy.py

def __init__(self, *, successes:PlaintextDocuments, failures:dict[DocumentId, AlloyError]):
    self.successes = successes
    self.failures = failures

Attributes

failures = failures instance-attribute

successes = successes instance-attribute

StandardDocumentOps(*args, **kwargs)

Bases: StandardDocumentOpsProtocol

API for encrypting and decrypting documents using our standard encryption. This class of encryption is the most broadly useful and secure. If you don't have a need to match on or preserve the distance properties of the encrypted value, this is likely the API you should use. Our standard encryption is fully random (or probabilistic) AES 256.

Source code in ironcore_alloy/ironcore_alloy.py

def __init__(self, *args, **kwargs):
    raise ValueError("This class has no default constructor")

Functions

decrypt(encrypted_document, metadata) async

Decrypt a document that was encrypted with the provided metadata. The document must have been encrypted with one of the StandardDocumentOps.encrypt functions. The result contains a map from field identifiers to decrypted bytes.

Source code in ironcore_alloy/ironcore_alloy.py

    async def decrypt(self, encrypted_document: EncryptedDocument,metadata: AlloyMetadata) -> PlaintextDocument:
        """
        Decrypt a document that was encrypted with the provided metadata. The document must have been encrypted with one
        of the `StandardDocumentOps.encrypt` functions. The result contains a map from field identifiers to decrypted
        bytes.
"""

        _UniffiFfiConverterTypeEncryptedDocument.check_lower(encrypted_document)

        _UniffiFfiConverterTypeAlloyMetadata.check_lower(metadata)
        _uniffi_lowered_args = (
            self._uniffi_clone_handle(),
            _UniffiFfiConverterTypeEncryptedDocument.lower(encrypted_document),
            _UniffiFfiConverterTypeAlloyMetadata.lower(metadata),
        )
        _uniffi_lift_return = _UniffiFfiConverterTypePlaintextDocument.lift
        _uniffi_error_converter = _UniffiFfiConverterTypeAlloyError
        return await _uniffi_rust_call_async(
            _UniffiLib.uniffi_ironcore_alloy_fn_method_standarddocumentops_decrypt(*_uniffi_lowered_args),
            _UniffiLib.ffi_ironcore_alloy_rust_future_poll_rust_buffer,
            _UniffiLib.ffi_ironcore_alloy_rust_future_complete_rust_buffer,
            _UniffiLib.ffi_ironcore_alloy_rust_future_free_rust_buffer,
            _uniffi_lift_return,
            _uniffi_error_converter,
        )

decrypt_batch(encrypted_documents, metadata) async

Decrypt each of the provided documents with the provided metadata. Note that because the metadata is shared between the documents, they all must correspond to the same tenant ID.

Source code in ironcore_alloy/ironcore_alloy.py

    async def decrypt_batch(self, encrypted_documents: EncryptedDocuments,metadata: AlloyMetadata) -> StandardDecryptBatchResult:
        """
        Decrypt each of the provided documents with the provided metadata.
        Note that because the metadata is shared between the documents, they all must correspond to the
        same tenant ID.
"""

        _UniffiFfiConverterTypeEncryptedDocuments.check_lower(encrypted_documents)

        _UniffiFfiConverterTypeAlloyMetadata.check_lower(metadata)
        _uniffi_lowered_args = (
            self._uniffi_clone_handle(),
            _UniffiFfiConverterTypeEncryptedDocuments.lower(encrypted_documents),
            _UniffiFfiConverterTypeAlloyMetadata.lower(metadata),
        )
        _uniffi_lift_return = _UniffiFfiConverterTypeStandardDecryptBatchResult.lift
        _uniffi_error_converter = _UniffiFfiConverterTypeAlloyError
        return await _uniffi_rust_call_async(
            _UniffiLib.uniffi_ironcore_alloy_fn_method_standarddocumentops_decrypt_batch(*_uniffi_lowered_args),
            _UniffiLib.ffi_ironcore_alloy_rust_future_poll_rust_buffer,
            _UniffiLib.ffi_ironcore_alloy_rust_future_complete_rust_buffer,
            _UniffiLib.ffi_ironcore_alloy_rust_future_free_rust_buffer,
            _uniffi_lift_return,
            _uniffi_error_converter,
        )

encrypt(plaintext_document, metadata) async

Encrypt a document with the provided metadata. The document must be a map from field identifiers to plaintext bytes, and the same metadata must be provided when decrypting the document. A DEK (document encryption key) will be generated and encrypted using a derived key, then each field of the document will be encrypted separately using a random IV and this single generated DEK. The result contains a map from field identifiers to encrypted bytes as well as the EDEK (encrypted document encryption key) used for encryption. The document is encrypted differently with each call, so the result is not suited for exact matches or indexing. For the same reason however the strongest protection of the document is provided by this method. To support these uses, see the DeterministicFieldOps.encrypt function.

Source code in ironcore_alloy/ironcore_alloy.py

    async def encrypt(self, plaintext_document: PlaintextDocument,metadata: AlloyMetadata) -> EncryptedDocument:
        """
        Encrypt a document with the provided metadata. The document must be a map from field identifiers to plaintext
        bytes, and the same metadata must be provided when decrypting the document.
        A DEK (document encryption key) will be generated and encrypted using a derived key, then each field of the
        document will be encrypted separately using a random IV and this single generated DEK.
        The result contains a map from field identifiers to encrypted bytes as well as the EDEK (encrypted document
        encryption key) used for encryption.
        The document is encrypted differently with each call, so the result is not suited for exact matches or indexing.
        For the same reason however the strongest protection of the document is provided by this method.
        To support these uses, see the `DeterministicFieldOps.encrypt` function.
"""

        _UniffiFfiConverterTypePlaintextDocument.check_lower(plaintext_document)

        _UniffiFfiConverterTypeAlloyMetadata.check_lower(metadata)
        _uniffi_lowered_args = (
            self._uniffi_clone_handle(),
            _UniffiFfiConverterTypePlaintextDocument.lower(plaintext_document),
            _UniffiFfiConverterTypeAlloyMetadata.lower(metadata),
        )
        _uniffi_lift_return = _UniffiFfiConverterTypeEncryptedDocument.lift
        _uniffi_error_converter = _UniffiFfiConverterTypeAlloyError
        return await _uniffi_rust_call_async(
            _UniffiLib.uniffi_ironcore_alloy_fn_method_standarddocumentops_encrypt(*_uniffi_lowered_args),
            _UniffiLib.ffi_ironcore_alloy_rust_future_poll_rust_buffer,
            _UniffiLib.ffi_ironcore_alloy_rust_future_complete_rust_buffer,
            _UniffiLib.ffi_ironcore_alloy_rust_future_free_rust_buffer,
            _uniffi_lift_return,
            _uniffi_error_converter,
        )

encrypt_batch(plaintext_documents, metadata) async

Encrypt each of the provided documents with the provided metadata. Note that because only a single metadata value is passed, each document will be encrypted to the same tenant.

Source code in ironcore_alloy/ironcore_alloy.py

    async def encrypt_batch(self, plaintext_documents: PlaintextDocuments,metadata: AlloyMetadata) -> StandardEncryptBatchResult:
        """
        Encrypt each of the provided documents with the provided metadata.
        Note that because only a single metadata value is passed, each document will be encrypted to the same tenant.
"""

        _UniffiFfiConverterTypePlaintextDocuments.check_lower(plaintext_documents)

        _UniffiFfiConverterTypeAlloyMetadata.check_lower(metadata)
        _uniffi_lowered_args = (
            self._uniffi_clone_handle(),
            _UniffiFfiConverterTypePlaintextDocuments.lower(plaintext_documents),
            _UniffiFfiConverterTypeAlloyMetadata.lower(metadata),
        )
        _uniffi_lift_return = _UniffiFfiConverterTypeStandardEncryptBatchResult.lift
        _uniffi_error_converter = _UniffiFfiConverterTypeAlloyError
        return await _uniffi_rust_call_async(
            _UniffiLib.uniffi_ironcore_alloy_fn_method_standarddocumentops_encrypt_batch(*_uniffi_lowered_args),
            _UniffiLib.ffi_ironcore_alloy_rust_future_poll_rust_buffer,
            _UniffiLib.ffi_ironcore_alloy_rust_future_complete_rust_buffer,
            _UniffiLib.ffi_ironcore_alloy_rust_future_free_rust_buffer,
            _uniffi_lift_return,
            _uniffi_error_converter,
        )

encrypt_with_existing_edek(plaintext_document, metadata) async

Encrypt a document with the provided metadata. The document must be a map from field identifiers to plaintext bytes, and the same metadata must be provided when decrypting the document. The provided EDEK will be decrypted and used to encrypt each field. This is useful when updating some fields of the document.

Note: this method matches the field format to the provided EDEK's format, ignoring the legacy_tsc_write_format setting. A V3 EDEK produces V3 fields, a V5 EDEK produces V5 fields. To upgrade a document from V3 to V5, first rekey the EDEK via rekey_edeks.

Source code in ironcore_alloy/ironcore_alloy.py

    async def encrypt_with_existing_edek(self, plaintext_document: PlaintextDocumentWithEdek,metadata: AlloyMetadata) -> EncryptedDocument:
        """
        Encrypt a document with the provided metadata. The document must be a map from field identifiers to plaintext
        bytes, and the same metadata must be provided when decrypting the document.
        The provided EDEK will be decrypted and used to encrypt each field. This is useful when updating some fields
        of the document.

        Note: this method matches the field format to the provided EDEK's format, ignoring the
        `legacy_tsc_write_format` setting. A V3 EDEK produces V3 fields, a V5 EDEK produces V5 fields.
        To upgrade a document from V3 to V5, first rekey the EDEK via `rekey_edeks`.
"""

        _UniffiFfiConverterTypePlaintextDocumentWithEdek.check_lower(plaintext_document)

        _UniffiFfiConverterTypeAlloyMetadata.check_lower(metadata)
        _uniffi_lowered_args = (
            self._uniffi_clone_handle(),
            _UniffiFfiConverterTypePlaintextDocumentWithEdek.lower(plaintext_document),
            _UniffiFfiConverterTypeAlloyMetadata.lower(metadata),
        )
        _uniffi_lift_return = _UniffiFfiConverterTypeEncryptedDocument.lift
        _uniffi_error_converter = _UniffiFfiConverterTypeAlloyError
        return await _uniffi_rust_call_async(
            _UniffiLib.uniffi_ironcore_alloy_fn_method_standarddocumentops_encrypt_with_existing_edek(*_uniffi_lowered_args),
            _UniffiLib.ffi_ironcore_alloy_rust_future_poll_rust_buffer,
            _UniffiLib.ffi_ironcore_alloy_rust_future_complete_rust_buffer,
            _UniffiLib.ffi_ironcore_alloy_rust_future_free_rust_buffer,
            _uniffi_lift_return,
            _uniffi_error_converter,
        )

encrypt_with_existing_edek_batch(plaintext_documents, metadata) async

Encrypt multiple documents with the provided metadata. The provided EDEKs will be decrypted and used to encrypt each corresponding document's fields. This is useful when updating some fields of the document.

Source code in ironcore_alloy/ironcore_alloy.py

    async def encrypt_with_existing_edek_batch(self, plaintext_documents: PlaintextDocumentsWithEdeks,metadata: AlloyMetadata) -> StandardEncryptBatchResult:
        """
        Encrypt multiple documents with the provided metadata.
        The provided EDEKs will be decrypted and used to encrypt each corresponding document's fields.
        This is useful when updating some fields of the document.
"""

        _UniffiFfiConverterTypePlaintextDocumentsWithEdeks.check_lower(plaintext_documents)

        _UniffiFfiConverterTypeAlloyMetadata.check_lower(metadata)
        _uniffi_lowered_args = (
            self._uniffi_clone_handle(),
            _UniffiFfiConverterTypePlaintextDocumentsWithEdeks.lower(plaintext_documents),
            _UniffiFfiConverterTypeAlloyMetadata.lower(metadata),
        )
        _uniffi_lift_return = _UniffiFfiConverterTypeStandardEncryptBatchResult.lift
        _uniffi_error_converter = _UniffiFfiConverterTypeAlloyError
        return await _uniffi_rust_call_async(
            _UniffiLib.uniffi_ironcore_alloy_fn_method_standarddocumentops_encrypt_with_existing_edek_batch(*_uniffi_lowered_args),
            _UniffiLib.ffi_ironcore_alloy_rust_future_poll_rust_buffer,
            _UniffiLib.ffi_ironcore_alloy_rust_future_complete_rust_buffer,
            _UniffiLib.ffi_ironcore_alloy_rust_future_free_rust_buffer,
            _uniffi_lift_return,
            _uniffi_error_converter,
        )

get_searchable_edek_prefix(id)

Generate a prefix that could used to search a data store for documents encrypted using an identifier (KMS config id for SaaS Shield, secret id for Standalone). These bytes should be encoded into a format matching the encoding in the data store. z85/ascii85 users should first pass these bytes through encode_prefix_z85 or base85_prefix_padding. Make sure you've read the documentation of those functions to avoid pitfalls when encoding across byte boundaries.

Source code in ironcore_alloy/ironcore_alloy.py

    def get_searchable_edek_prefix(self, id: int) -> bytes:
        """
        Generate a prefix that could used to search a data store for documents encrypted using an identifier (KMS
        config id for SaaS Shield, secret id for Standalone). These bytes should be encoded into
        a format matching the encoding in the data store. z85/ascii85 users should first pass these bytes through
        `encode_prefix_z85` or `base85_prefix_padding`. Make sure you've read the documentation of those functions to
        avoid pitfalls when encoding across byte boundaries.
"""

        _UniffiFfiConverterInt32.check_lower(id)
        _uniffi_lowered_args = (
            self._uniffi_clone_handle(),
            _UniffiFfiConverterInt32.lower(id),
        )
        _uniffi_lift_return = _UniffiFfiConverterBytes.lift
        _uniffi_error_converter = None
        _uniffi_ffi_result = _uniffi_rust_call_with_error(
            _uniffi_error_converter,
            _UniffiLib.uniffi_ironcore_alloy_fn_method_standarddocumentops_get_searchable_edek_prefix,
            *_uniffi_lowered_args,
        )
        return _uniffi_lift_return(_uniffi_ffi_result)

rekey_edeks(edeks, metadata, new_tenant_id) async

Decrypt the provided EDEKs and re-encrypt them using the tenant's current key. If new_tenant_id is None, the EDEK will be encrypted to the original tenant. Because the underlying DEK does not change, a document associated with the old EDEK can be decrypted with the new EDEK without changing its document data.

Source code in ironcore_alloy/ironcore_alloy.py

    async def rekey_edeks(self, edeks: dict[DocumentId, EdekWithKeyIdHeader],metadata: AlloyMetadata,new_tenant_id: typing.Optional[TenantId]) -> RekeyEdeksBatchResult:
        """
        Decrypt the provided EDEKs and re-encrypt them using the tenant's current key. If `new_tenant_id` is `None`,
        the EDEK will be encrypted to the original tenant. Because the underlying DEK does not change, a document
        associated with the old EDEK can be decrypted with the new EDEK without changing its document data.
"""

        _UniffiFfiConverterMapTypeDocumentIdTypeEdekWithKeyIdHeader.check_lower(edeks)

        _UniffiFfiConverterTypeAlloyMetadata.check_lower(metadata)

        _UniffiFfiConverterOptionalTypeTenantId.check_lower(new_tenant_id)
        _uniffi_lowered_args = (
            self._uniffi_clone_handle(),
            _UniffiFfiConverterMapTypeDocumentIdTypeEdekWithKeyIdHeader.lower(edeks),
            _UniffiFfiConverterTypeAlloyMetadata.lower(metadata),
            _UniffiFfiConverterOptionalTypeTenantId.lower(new_tenant_id),
        )
        _uniffi_lift_return = _UniffiFfiConverterTypeRekeyEdeksBatchResult.lift
        _uniffi_error_converter = _UniffiFfiConverterTypeAlloyError
        return await _uniffi_rust_call_async(
            _UniffiLib.uniffi_ironcore_alloy_fn_method_standarddocumentops_rekey_edeks(*_uniffi_lowered_args),
            _UniffiLib.ffi_ironcore_alloy_rust_future_poll_rust_buffer,
            _UniffiLib.ffi_ironcore_alloy_rust_future_complete_rust_buffer,
            _UniffiLib.ffi_ironcore_alloy_rust_future_free_rust_buffer,
            _uniffi_lift_return,
            _uniffi_error_converter,
        )

StandardDocumentOpsProtocol

Bases: Protocol

API for encrypting and decrypting documents using our standard encryption. This class of encryption is the most broadly useful and secure. If you don't have a need to match on or preserve the distance properties of the encrypted value, this is likely the API you should use. Our standard encryption is fully random (or probabilistic) AES 256.

Functions

decrypt(encrypted_document, metadata) async

Decrypt a document that was encrypted with the provided metadata. The document must have been encrypted with one of the StandardDocumentOps.encrypt functions. The result contains a map from field identifiers to decrypted bytes.

Source code in ironcore_alloy/ironcore_alloy.py

    async def decrypt(self, encrypted_document: EncryptedDocument,metadata: AlloyMetadata) -> PlaintextDocument:
        """
        Decrypt a document that was encrypted with the provided metadata. The document must have been encrypted with one
        of the `StandardDocumentOps.encrypt` functions. The result contains a map from field identifiers to decrypted
        bytes.
"""
        raise NotImplementedError

decrypt_batch(encrypted_documents, metadata) async

Decrypt each of the provided documents with the provided metadata. Note that because the metadata is shared between the documents, they all must correspond to the same tenant ID.

Source code in ironcore_alloy/ironcore_alloy.py

    async def decrypt_batch(self, encrypted_documents: EncryptedDocuments,metadata: AlloyMetadata) -> StandardDecryptBatchResult:
        """
        Decrypt each of the provided documents with the provided metadata.
        Note that because the metadata is shared between the documents, they all must correspond to the
        same tenant ID.
"""
        raise NotImplementedError

encrypt(plaintext_document, metadata) async

Encrypt a document with the provided metadata. The document must be a map from field identifiers to plaintext bytes, and the same metadata must be provided when decrypting the document. A DEK (document encryption key) will be generated and encrypted using a derived key, then each field of the document will be encrypted separately using a random IV and this single generated DEK. The result contains a map from field identifiers to encrypted bytes as well as the EDEK (encrypted document encryption key) used for encryption. The document is encrypted differently with each call, so the result is not suited for exact matches or indexing. For the same reason however the strongest protection of the document is provided by this method. To support these uses, see the DeterministicFieldOps.encrypt function.

Source code in ironcore_alloy/ironcore_alloy.py

    async def encrypt(self, plaintext_document: PlaintextDocument,metadata: AlloyMetadata) -> EncryptedDocument:
        """
        Encrypt a document with the provided metadata. The document must be a map from field identifiers to plaintext
        bytes, and the same metadata must be provided when decrypting the document.
        A DEK (document encryption key) will be generated and encrypted using a derived key, then each field of the
        document will be encrypted separately using a random IV and this single generated DEK.
        The result contains a map from field identifiers to encrypted bytes as well as the EDEK (encrypted document
        encryption key) used for encryption.
        The document is encrypted differently with each call, so the result is not suited for exact matches or indexing.
        For the same reason however the strongest protection of the document is provided by this method.
        To support these uses, see the `DeterministicFieldOps.encrypt` function.
"""
        raise NotImplementedError

encrypt_batch(plaintext_documents, metadata) async

Encrypt each of the provided documents with the provided metadata. Note that because only a single metadata value is passed, each document will be encrypted to the same tenant.

Source code in ironcore_alloy/ironcore_alloy.py

    async def encrypt_batch(self, plaintext_documents: PlaintextDocuments,metadata: AlloyMetadata) -> StandardEncryptBatchResult:
        """
        Encrypt each of the provided documents with the provided metadata.
        Note that because only a single metadata value is passed, each document will be encrypted to the same tenant.
"""
        raise NotImplementedError

encrypt_with_existing_edek(plaintext_document, metadata) async

Encrypt a document with the provided metadata. The document must be a map from field identifiers to plaintext bytes, and the same metadata must be provided when decrypting the document. The provided EDEK will be decrypted and used to encrypt each field. This is useful when updating some fields of the document.

Note: this method matches the field format to the provided EDEK's format, ignoring the legacy_tsc_write_format setting. A V3 EDEK produces V3 fields, a V5 EDEK produces V5 fields. To upgrade a document from V3 to V5, first rekey the EDEK via rekey_edeks.

Source code in ironcore_alloy/ironcore_alloy.py

    async def encrypt_with_existing_edek(self, plaintext_document: PlaintextDocumentWithEdek,metadata: AlloyMetadata) -> EncryptedDocument:
        """
        Encrypt a document with the provided metadata. The document must be a map from field identifiers to plaintext
        bytes, and the same metadata must be provided when decrypting the document.
        The provided EDEK will be decrypted and used to encrypt each field. This is useful when updating some fields
        of the document.

        Note: this method matches the field format to the provided EDEK's format, ignoring the
        `legacy_tsc_write_format` setting. A V3 EDEK produces V3 fields, a V5 EDEK produces V5 fields.
        To upgrade a document from V3 to V5, first rekey the EDEK via `rekey_edeks`.
"""
        raise NotImplementedError

encrypt_with_existing_edek_batch(plaintext_documents, metadata) async

Encrypt multiple documents with the provided metadata. The provided EDEKs will be decrypted and used to encrypt each corresponding document's fields. This is useful when updating some fields of the document.

Source code in ironcore_alloy/ironcore_alloy.py

    async def encrypt_with_existing_edek_batch(self, plaintext_documents: PlaintextDocumentsWithEdeks,metadata: AlloyMetadata) -> StandardEncryptBatchResult:
        """
        Encrypt multiple documents with the provided metadata.
        The provided EDEKs will be decrypted and used to encrypt each corresponding document's fields.
        This is useful when updating some fields of the document.
"""
        raise NotImplementedError

get_searchable_edek_prefix(id)

Generate a prefix that could used to search a data store for documents encrypted using an identifier (KMS config id for SaaS Shield, secret id for Standalone). These bytes should be encoded into a format matching the encoding in the data store. z85/ascii85 users should first pass these bytes through encode_prefix_z85 or base85_prefix_padding. Make sure you've read the documentation of those functions to avoid pitfalls when encoding across byte boundaries.

Source code in ironcore_alloy/ironcore_alloy.py

    def get_searchable_edek_prefix(self, id: int) -> bytes:
        """
        Generate a prefix that could used to search a data store for documents encrypted using an identifier (KMS
        config id for SaaS Shield, secret id for Standalone). These bytes should be encoded into
        a format matching the encoding in the data store. z85/ascii85 users should first pass these bytes through
        `encode_prefix_z85` or `base85_prefix_padding`. Make sure you've read the documentation of those functions to
        avoid pitfalls when encoding across byte boundaries.
"""
        raise NotImplementedError

rekey_edeks(edeks, metadata, new_tenant_id) async

Decrypt the provided EDEKs and re-encrypt them using the tenant's current key. If new_tenant_id is None, the EDEK will be encrypted to the original tenant. Because the underlying DEK does not change, a document associated with the old EDEK can be decrypted with the new EDEK without changing its document data.

Source code in ironcore_alloy/ironcore_alloy.py

    async def rekey_edeks(self, edeks: dict[DocumentId, EdekWithKeyIdHeader],metadata: AlloyMetadata,new_tenant_id: typing.Optional[TenantId]) -> RekeyEdeksBatchResult:
        """
        Decrypt the provided EDEKs and re-encrypt them using the tenant's current key. If `new_tenant_id` is `None`,
        the EDEK will be encrypted to the original tenant. Because the underlying DEK does not change, a document
        associated with the old EDEK can be decrypted with the new EDEK without changing its document data.
"""
        raise NotImplementedError

StandardEncryptBatchResult(*, successes, failures) dataclass

Source code in ironcore_alloy/ironcore_alloy.py

def __init__(self, *, successes:EncryptedDocuments, failures:dict[DocumentId, AlloyError]):
    self.successes = successes
    self.failures = failures

Attributes

failures = failures instance-attribute

successes = successes instance-attribute

StandardSecrets(primary_secret_id, secrets)

Bases: StandardSecretsProtocol

A collection of secrets for standalone standard mode used to derive encryption keys. The primary secret id is used to look up the primary secret, which will be used for encrypting new documents. The rest of the secrets will only be used to decrypt existing documents when encountered.

Create a collection of standard secrets. This will error if secret ids aren't unique or the primary secret id isn't in the secrets list.

Source code in ironcore_alloy/ironcore_alloy.py

    def __init__(self, primary_secret_id: typing.Optional[int],secrets: typing.List[StandaloneSecret]):
        """
        Create a collection of standard secrets.
        This will error if secret ids aren't unique or the primary secret id isn't in the secrets list.
"""

        _UniffiFfiConverterOptionalInt32.check_lower(primary_secret_id)

        _UniffiFfiConverterSequenceTypeStandaloneSecret.check_lower(secrets)
        _uniffi_lowered_args = (
            _UniffiFfiConverterOptionalInt32.lower(primary_secret_id),
            _UniffiFfiConverterSequenceTypeStandaloneSecret.lower(secrets),
        )
        _uniffi_lift_return = _UniffiFfiConverterTypeStandardSecrets.lift
        _uniffi_error_converter = _UniffiFfiConverterTypeAlloyError
        _uniffi_ffi_result = _uniffi_rust_call_with_error(
            _uniffi_error_converter,
            _UniffiLib.uniffi_ironcore_alloy_fn_constructor_standardsecrets_new,
            *_uniffi_lowered_args,
        )
        self._handle = _uniffi_ffi_result

StandardSecretsProtocol

Bases: Protocol

A collection of secrets for standalone standard mode used to derive encryption keys. The primary secret id is used to look up the primary secret, which will be used for encrypting new documents. The rest of the secrets will only be used to decrypt existing documents when encountered.

TenantSecretError

Bases: Enum

Errors related to tenant secrets

Attributes

SECRET_CREATION_FAILED = 0 class-attribute instance-attribute

TenantSecurityProxyError()

Errors originating from the Tenant Security Proxy. These errors are broken into 4 types: service errors, KMS errors, security event errors, and tenant secret errors.

Source code in ironcore_alloy/ironcore_alloy.py

def __init__(self):
    raise RuntimeError("TenantSecurityProxyError cannot be instantiated directly")

Classes

KMS(error) dataclass

Source code in ironcore_alloy/ironcore_alloy.py

def __init__(self, error:KmsError):
    self.error = error


    pass

Attributes

error = error instance-attribute

SECURITY_EVENT(error) dataclass

Source code in ironcore_alloy/ironcore_alloy.py

def __init__(self, error:SecurityEventError):
    self.error = error


    pass

Attributes

error = error instance-attribute

SERVICE(error) dataclass

Source code in ironcore_alloy/ironcore_alloy.py

def __init__(self, error:ServiceError):
    self.error = error


    pass

Attributes

error = error instance-attribute

TENANT_SECRET(error) dataclass

Source code in ironcore_alloy/ironcore_alloy.py

def __init__(self, error:TenantSecretError):
    self.error = error


    pass

Attributes

error = error instance-attribute

Functions

is_KMS()

Source code in ironcore_alloy/ironcore_alloy.py

def is_KMS(self) -> bool:
    return isinstance(self, TenantSecurityProxyError.KMS)

is_SECURITY_EVENT()

Source code in ironcore_alloy/ironcore_alloy.py

def is_SECURITY_EVENT(self) -> bool:
    return isinstance(self, TenantSecurityProxyError.SECURITY_EVENT)

is_SERVICE()

Source code in ironcore_alloy/ironcore_alloy.py

def is_SERVICE(self) -> bool:
    return isinstance(self, TenantSecurityProxyError.SERVICE)

is_TENANT_SECRET()

Source code in ironcore_alloy/ironcore_alloy.py

def is_TENANT_SECRET(self) -> bool:
    return isinstance(self, TenantSecurityProxyError.TENANT_SECRET)

is_kms()

Source code in ironcore_alloy/ironcore_alloy.py

def is_kms(self) -> bool:
    return isinstance(self, TenantSecurityProxyError.KMS)

is_security_event()

Source code in ironcore_alloy/ironcore_alloy.py

def is_security_event(self) -> bool:
    return isinstance(self, TenantSecurityProxyError.SECURITY_EVENT)

is_service()

Source code in ironcore_alloy/ironcore_alloy.py

def is_service(self) -> bool:
    return isinstance(self, TenantSecurityProxyError.SERVICE)

is_tenant_secret()

Source code in ironcore_alloy/ironcore_alloy.py

def is_tenant_secret(self) -> bool:
    return isinstance(self, TenantSecurityProxyError.TENANT_SECRET)

UserEvent

Bases: Enum

Attributes

ADD = 0 class-attribute instance-attribute

CHANGE_EMAIL = 14 class-attribute instance-attribute

CHANGE_PASSWORD = 10 class-attribute instance-attribute

CHANGE_PERMISSIONS = 7 class-attribute instance-attribute

DISABLE_TWO_FACTOR = 13 class-attribute instance-attribute

ENABLE_TWO_FACTOR = 12 class-attribute instance-attribute

EXPIRE_PASSWORD = 8 class-attribute instance-attribute

LOCKOUT = 5 class-attribute instance-attribute

LOGIN = 3 class-attribute instance-attribute

LOGOUT = 6 class-attribute instance-attribute

REJECT_LOGIN = 11 class-attribute instance-attribute

REMOVE = 2 class-attribute instance-attribute

REQUEST_EMAIL_VERIFICATION = 15 class-attribute instance-attribute

RESET_PASSWORD = 9 class-attribute instance-attribute

SUSPEND = 1 class-attribute instance-attribute

TIMEOUT_SESSION = 4 class-attribute instance-attribute

VERIFY_EMAIL = 16 class-attribute instance-attribute

VectorDecryptBatchResult(*, successes, failures) dataclass

Source code in ironcore_alloy/ironcore_alloy.py

def __init__(self, *, successes:PlaintextVectors, failures:dict[VectorId, AlloyError]):
    self.successes = successes
    self.failures = failures

Attributes

failures = failures instance-attribute

successes = successes instance-attribute

VectorEncryptBatchResult(*, successes, failures) dataclass

Source code in ironcore_alloy/ironcore_alloy.py

def __init__(self, *, successes:EncryptedVectors, failures:dict[VectorId, AlloyError]):
    self.successes = successes
    self.failures = failures

Attributes

failures = failures instance-attribute

successes = successes instance-attribute

VectorOps(*args, **kwargs)

Bases: VectorOpsProtocol

Source code in ironcore_alloy/ironcore_alloy.py

def __init__(self, *args, **kwargs):
    raise ValueError("This class has no default constructor")

Functions

decrypt(encrypted_vector, metadata) async

Decrypt a vector embedding that was encrypted with the provided metadata. The values of the embedding will be unshuffled to their original positions during decryption.

Source code in ironcore_alloy/ironcore_alloy.py

    async def decrypt(self, encrypted_vector: EncryptedVector,metadata: AlloyMetadata) -> PlaintextVector:
        """
        Decrypt a vector embedding that was encrypted with the provided metadata. The values of the embedding will
        be unshuffled to their original positions during decryption.
"""

        _UniffiFfiConverterTypeEncryptedVector.check_lower(encrypted_vector)

        _UniffiFfiConverterTypeAlloyMetadata.check_lower(metadata)
        _uniffi_lowered_args = (
            self._uniffi_clone_handle(),
            _UniffiFfiConverterTypeEncryptedVector.lower(encrypted_vector),
            _UniffiFfiConverterTypeAlloyMetadata.lower(metadata),
        )
        _uniffi_lift_return = _UniffiFfiConverterTypePlaintextVector.lift
        _uniffi_error_converter = _UniffiFfiConverterTypeAlloyError
        return await _uniffi_rust_call_async(
            _UniffiLib.uniffi_ironcore_alloy_fn_method_vectorops_decrypt(*_uniffi_lowered_args),
            _UniffiLib.ffi_ironcore_alloy_rust_future_poll_rust_buffer,
            _UniffiLib.ffi_ironcore_alloy_rust_future_complete_rust_buffer,
            _UniffiLib.ffi_ironcore_alloy_rust_future_free_rust_buffer,
            _uniffi_lift_return,
            _uniffi_error_converter,
        )

decrypt_batch(encrypted_vectors, metadata) async

Decrypt multiple vector embeddings that were encrypted with the provided metadata. The values of the embeddings will be unshuffled to their original positions during decryption. Note that because the metadata is shared between the vectors, they all must correspond to the same tenant ID.

Source code in ironcore_alloy/ironcore_alloy.py

    async def decrypt_batch(self, encrypted_vectors: EncryptedVectors,metadata: AlloyMetadata) -> VectorDecryptBatchResult:
        """
        Decrypt multiple vector embeddings that were encrypted with the provided metadata. The values of the embeddings
        will be unshuffled to their original positions during decryption.
        Note that because the metadata is shared between the vectors, they all must correspond to the
        same tenant ID.
"""

        _UniffiFfiConverterTypeEncryptedVectors.check_lower(encrypted_vectors)

        _UniffiFfiConverterTypeAlloyMetadata.check_lower(metadata)
        _uniffi_lowered_args = (
            self._uniffi_clone_handle(),
            _UniffiFfiConverterTypeEncryptedVectors.lower(encrypted_vectors),
            _UniffiFfiConverterTypeAlloyMetadata.lower(metadata),
        )
        _uniffi_lift_return = _UniffiFfiConverterTypeVectorDecryptBatchResult.lift
        _uniffi_error_converter = _UniffiFfiConverterTypeAlloyError
        return await _uniffi_rust_call_async(
            _UniffiLib.uniffi_ironcore_alloy_fn_method_vectorops_decrypt_batch(*_uniffi_lowered_args),
            _UniffiLib.ffi_ironcore_alloy_rust_future_poll_rust_buffer,
            _UniffiLib.ffi_ironcore_alloy_rust_future_complete_rust_buffer,
            _UniffiLib.ffi_ironcore_alloy_rust_future_free_rust_buffer,
            _uniffi_lift_return,
            _uniffi_error_converter,
        )

encrypt(plaintext_vector, metadata) async

Encrypt a vector embedding with the provided metadata. The provided embedding is assumed to be normalized and its values will be shuffled as part of the encryption. The same tenant ID must be provided in the metadata when decrypting the embedding.

Source code in ironcore_alloy/ironcore_alloy.py

    async def encrypt(self, plaintext_vector: PlaintextVector,metadata: AlloyMetadata) -> EncryptedVector:
        """
        Encrypt a vector embedding with the provided metadata. The provided embedding is assumed to be normalized
        and its values will be shuffled as part of the encryption.
        The same tenant ID must be provided in the metadata when decrypting the embedding.
"""

        _UniffiFfiConverterTypePlaintextVector.check_lower(plaintext_vector)

        _UniffiFfiConverterTypeAlloyMetadata.check_lower(metadata)
        _uniffi_lowered_args = (
            self._uniffi_clone_handle(),
            _UniffiFfiConverterTypePlaintextVector.lower(plaintext_vector),
            _UniffiFfiConverterTypeAlloyMetadata.lower(metadata),
        )
        _uniffi_lift_return = _UniffiFfiConverterTypeEncryptedVector.lift
        _uniffi_error_converter = _UniffiFfiConverterTypeAlloyError
        return await _uniffi_rust_call_async(
            _UniffiLib.uniffi_ironcore_alloy_fn_method_vectorops_encrypt(*_uniffi_lowered_args),
            _UniffiLib.ffi_ironcore_alloy_rust_future_poll_rust_buffer,
            _UniffiLib.ffi_ironcore_alloy_rust_future_complete_rust_buffer,
            _UniffiLib.ffi_ironcore_alloy_rust_future_free_rust_buffer,
            _uniffi_lift_return,
            _uniffi_error_converter,
        )

encrypt_batch(plaintext_vectors, metadata) async

Encrypt multiple vector embeddings with the provided metadata. The provided embeddings are assumed to be normalized and their values will be shuffled as part of the encryption. The same tenant ID must be provided in the metadata when decrypting the embeddings.

Source code in ironcore_alloy/ironcore_alloy.py

    async def encrypt_batch(self, plaintext_vectors: PlaintextVectors,metadata: AlloyMetadata) -> VectorEncryptBatchResult:
        """
        Encrypt multiple vector embeddings with the provided metadata. The provided embeddings are assumed to be normalized
        and their values will be shuffled as part of the encryption.
        The same tenant ID must be provided in the metadata when decrypting the embeddings.
"""

        _UniffiFfiConverterTypePlaintextVectors.check_lower(plaintext_vectors)

        _UniffiFfiConverterTypeAlloyMetadata.check_lower(metadata)
        _uniffi_lowered_args = (
            self._uniffi_clone_handle(),
            _UniffiFfiConverterTypePlaintextVectors.lower(plaintext_vectors),
            _UniffiFfiConverterTypeAlloyMetadata.lower(metadata),
        )
        _uniffi_lift_return = _UniffiFfiConverterTypeVectorEncryptBatchResult.lift
        _uniffi_error_converter = _UniffiFfiConverterTypeAlloyError
        return await _uniffi_rust_call_async(
            _UniffiLib.uniffi_ironcore_alloy_fn_method_vectorops_encrypt_batch(*_uniffi_lowered_args),
            _UniffiLib.ffi_ironcore_alloy_rust_future_poll_rust_buffer,
            _UniffiLib.ffi_ironcore_alloy_rust_future_complete_rust_buffer,
            _UniffiLib.ffi_ironcore_alloy_rust_future_free_rust_buffer,
            _uniffi_lift_return,
            _uniffi_error_converter,
        )

generate_query_vectors(vectors_to_query, metadata) async

Encrypt each plaintext vector with any Current and InRotation keys for the provided secret path. The resulting encrypted vectors should be used in tandem when querying the vector database.

Source code in ironcore_alloy/ironcore_alloy.py

    async def generate_query_vectors(self, vectors_to_query: PlaintextVectors,metadata: AlloyMetadata) -> GenerateVectorQueryResult:
        """
        Encrypt each plaintext vector with any Current and InRotation keys for the provided secret path.
        The resulting encrypted vectors should be used in tandem when querying the vector database.
"""

        _UniffiFfiConverterTypePlaintextVectors.check_lower(vectors_to_query)

        _UniffiFfiConverterTypeAlloyMetadata.check_lower(metadata)
        _uniffi_lowered_args = (
            self._uniffi_clone_handle(),
            _UniffiFfiConverterTypePlaintextVectors.lower(vectors_to_query),
            _UniffiFfiConverterTypeAlloyMetadata.lower(metadata),
        )
        _uniffi_lift_return = _UniffiFfiConverterTypeGenerateVectorQueryResult.lift
        _uniffi_error_converter = _UniffiFfiConverterTypeAlloyError
        return await _uniffi_rust_call_async(
            _UniffiLib.uniffi_ironcore_alloy_fn_method_vectorops_generate_query_vectors(*_uniffi_lowered_args),
            _UniffiLib.ffi_ironcore_alloy_rust_future_poll_rust_buffer,
            _UniffiLib.ffi_ironcore_alloy_rust_future_complete_rust_buffer,
            _UniffiLib.ffi_ironcore_alloy_rust_future_free_rust_buffer,
            _uniffi_lift_return,
            _uniffi_error_converter,
        )

get_in_rotation_prefix(secret_path, derivation_path, metadata) async

Generate a prefix that could used to search a data store for documents encrypted using an identifier (KMS config id for SaaS Shield, secret id for Standalone). These bytes should be encoded into a format matching the encoding in the data store. z85/ascii85 users should first pass these bytes through encode_prefix_z85 or base85_prefix_padding. Make sure you've read the documentation of those functions to avoid pitfalls when encoding across byte boundaries.

Source code in ironcore_alloy/ironcore_alloy.py

    async def get_in_rotation_prefix(self, secret_path: SecretPath,derivation_path: DerivationPath,metadata: AlloyMetadata) -> bytes:
        """
        Generate a prefix that could used to search a data store for documents encrypted using an identifier (KMS
        config id for SaaS Shield, secret id for Standalone). These bytes should be encoded into
        a format matching the encoding in the data store. z85/ascii85 users should first pass these bytes through
        `encode_prefix_z85` or `base85_prefix_padding`. Make sure you've read the documentation of those functions to
        avoid pitfalls when encoding across byte boundaries.
"""

        _UniffiFfiConverterTypeSecretPath.check_lower(secret_path)

        _UniffiFfiConverterTypeDerivationPath.check_lower(derivation_path)

        _UniffiFfiConverterTypeAlloyMetadata.check_lower(metadata)
        _uniffi_lowered_args = (
            self._uniffi_clone_handle(),
            _UniffiFfiConverterTypeSecretPath.lower(secret_path),
            _UniffiFfiConverterTypeDerivationPath.lower(derivation_path),
            _UniffiFfiConverterTypeAlloyMetadata.lower(metadata),
        )
        _uniffi_lift_return = _UniffiFfiConverterBytes.lift
        _uniffi_error_converter = _UniffiFfiConverterTypeAlloyError
        return await _uniffi_rust_call_async(
            _UniffiLib.uniffi_ironcore_alloy_fn_method_vectorops_get_in_rotation_prefix(*_uniffi_lowered_args),
            _UniffiLib.ffi_ironcore_alloy_rust_future_poll_rust_buffer,
            _UniffiLib.ffi_ironcore_alloy_rust_future_complete_rust_buffer,
            _UniffiLib.ffi_ironcore_alloy_rust_future_free_rust_buffer,
            _uniffi_lift_return,
            _uniffi_error_converter,
        )

rotate_vectors(encrypted_vectors, metadata, new_tenant_id) async

Rotates vectors from the in-rotation secret for their secret path to the current secret. This can also be used to rotate data from one tenant ID to a new one, which most useful when a tenant is internally migrated.

WARNINGS: * this involves decrypting then encrypting vectors. Since the vectors are full of floating point numbers, this process is lossy, which will cause some drift over time. If you need perfectly preserved accuracy, store the source vector encrypted with standard next to the encrypted vector. standard decrypt that, vector encrypt it again, and replace the encrypted vector with the result. * only one metadata and new tenant ID argument means each call to this needs to have one tenant's vectors.

Source code in ironcore_alloy/ironcore_alloy.py

    async def rotate_vectors(self, encrypted_vectors: EncryptedVectors,metadata: AlloyMetadata,new_tenant_id: typing.Optional[TenantId]) -> VectorRotateResult:
        """
        Rotates vectors from the in-rotation secret for their secret path to the current secret.
        This can also be used to rotate data from one tenant ID to a new one, which most useful when a tenant is
        internally migrated.

        WARNINGS:
        * this involves decrypting then encrypting vectors. Since the vectors are full of floating point numbers,
        this process is lossy, which will cause some drift over time. If you need perfectly preserved accuracy,
        store the source vector encrypted with `standard` next to the encrypted vector. `standard` decrypt
        that, `vector` encrypt it again, and replace the encrypted vector with the result.
        * only one metadata and new tenant ID argument means each call to this needs to have one tenant's vectors.
"""

        _UniffiFfiConverterTypeEncryptedVectors.check_lower(encrypted_vectors)

        _UniffiFfiConverterTypeAlloyMetadata.check_lower(metadata)

        _UniffiFfiConverterOptionalTypeTenantId.check_lower(new_tenant_id)
        _uniffi_lowered_args = (
            self._uniffi_clone_handle(),
            _UniffiFfiConverterTypeEncryptedVectors.lower(encrypted_vectors),
            _UniffiFfiConverterTypeAlloyMetadata.lower(metadata),
            _UniffiFfiConverterOptionalTypeTenantId.lower(new_tenant_id),
        )
        _uniffi_lift_return = _UniffiFfiConverterTypeVectorRotateResult.lift
        _uniffi_error_converter = _UniffiFfiConverterTypeAlloyError
        return await _uniffi_rust_call_async(
            _UniffiLib.uniffi_ironcore_alloy_fn_method_vectorops_rotate_vectors(*_uniffi_lowered_args),
            _UniffiLib.ffi_ironcore_alloy_rust_future_poll_rust_buffer,
            _UniffiLib.ffi_ironcore_alloy_rust_future_complete_rust_buffer,
            _UniffiLib.ffi_ironcore_alloy_rust_future_free_rust_buffer,
            _uniffi_lift_return,
            _uniffi_error_converter,
        )

VectorOpsProtocol

Bases: Protocol

Functions

decrypt(encrypted_vector, metadata) async

Decrypt a vector embedding that was encrypted with the provided metadata. The values of the embedding will be unshuffled to their original positions during decryption.

Source code in ironcore_alloy/ironcore_alloy.py

    async def decrypt(self, encrypted_vector: EncryptedVector,metadata: AlloyMetadata) -> PlaintextVector:
        """
        Decrypt a vector embedding that was encrypted with the provided metadata. The values of the embedding will
        be unshuffled to their original positions during decryption.
"""
        raise NotImplementedError

decrypt_batch(encrypted_vectors, metadata) async

Decrypt multiple vector embeddings that were encrypted with the provided metadata. The values of the embeddings will be unshuffled to their original positions during decryption. Note that because the metadata is shared between the vectors, they all must correspond to the same tenant ID.

Source code in ironcore_alloy/ironcore_alloy.py

    async def decrypt_batch(self, encrypted_vectors: EncryptedVectors,metadata: AlloyMetadata) -> VectorDecryptBatchResult:
        """
        Decrypt multiple vector embeddings that were encrypted with the provided metadata. The values of the embeddings
        will be unshuffled to their original positions during decryption.
        Note that because the metadata is shared between the vectors, they all must correspond to the
        same tenant ID.
"""
        raise NotImplementedError

encrypt(plaintext_vector, metadata) async

Encrypt a vector embedding with the provided metadata. The provided embedding is assumed to be normalized and its values will be shuffled as part of the encryption. The same tenant ID must be provided in the metadata when decrypting the embedding.

Source code in ironcore_alloy/ironcore_alloy.py

    async def encrypt(self, plaintext_vector: PlaintextVector,metadata: AlloyMetadata) -> EncryptedVector:
        """
        Encrypt a vector embedding with the provided metadata. The provided embedding is assumed to be normalized
        and its values will be shuffled as part of the encryption.
        The same tenant ID must be provided in the metadata when decrypting the embedding.
"""
        raise NotImplementedError

encrypt_batch(plaintext_vectors, metadata) async

Encrypt multiple vector embeddings with the provided metadata. The provided embeddings are assumed to be normalized and their values will be shuffled as part of the encryption. The same tenant ID must be provided in the metadata when decrypting the embeddings.

Source code in ironcore_alloy/ironcore_alloy.py

    async def encrypt_batch(self, plaintext_vectors: PlaintextVectors,metadata: AlloyMetadata) -> VectorEncryptBatchResult:
        """
        Encrypt multiple vector embeddings with the provided metadata. The provided embeddings are assumed to be normalized
        and their values will be shuffled as part of the encryption.
        The same tenant ID must be provided in the metadata when decrypting the embeddings.
"""
        raise NotImplementedError

generate_query_vectors(vectors_to_query, metadata) async

Encrypt each plaintext vector with any Current and InRotation keys for the provided secret path. The resulting encrypted vectors should be used in tandem when querying the vector database.

Source code in ironcore_alloy/ironcore_alloy.py

    async def generate_query_vectors(self, vectors_to_query: PlaintextVectors,metadata: AlloyMetadata) -> GenerateVectorQueryResult:
        """
        Encrypt each plaintext vector with any Current and InRotation keys for the provided secret path.
        The resulting encrypted vectors should be used in tandem when querying the vector database.
"""
        raise NotImplementedError

get_in_rotation_prefix(secret_path, derivation_path, metadata) async

Generate a prefix that could used to search a data store for documents encrypted using an identifier (KMS config id for SaaS Shield, secret id for Standalone). These bytes should be encoded into a format matching the encoding in the data store. z85/ascii85 users should first pass these bytes through encode_prefix_z85 or base85_prefix_padding. Make sure you've read the documentation of those functions to avoid pitfalls when encoding across byte boundaries.

Source code in ironcore_alloy/ironcore_alloy.py

    async def get_in_rotation_prefix(self, secret_path: SecretPath,derivation_path: DerivationPath,metadata: AlloyMetadata) -> bytes:
        """
        Generate a prefix that could used to search a data store for documents encrypted using an identifier (KMS
        config id for SaaS Shield, secret id for Standalone). These bytes should be encoded into
        a format matching the encoding in the data store. z85/ascii85 users should first pass these bytes through
        `encode_prefix_z85` or `base85_prefix_padding`. Make sure you've read the documentation of those functions to
        avoid pitfalls when encoding across byte boundaries.
"""
        raise NotImplementedError

rotate_vectors(encrypted_vectors, metadata, new_tenant_id) async

Rotates vectors from the in-rotation secret for their secret path to the current secret. This can also be used to rotate data from one tenant ID to a new one, which most useful when a tenant is internally migrated.

WARNINGS: * this involves decrypting then encrypting vectors. Since the vectors are full of floating point numbers, this process is lossy, which will cause some drift over time. If you need perfectly preserved accuracy, store the source vector encrypted with standard next to the encrypted vector. standard decrypt that, vector encrypt it again, and replace the encrypted vector with the result. * only one metadata and new tenant ID argument means each call to this needs to have one tenant's vectors.

Source code in ironcore_alloy/ironcore_alloy.py

    async def rotate_vectors(self, encrypted_vectors: EncryptedVectors,metadata: AlloyMetadata,new_tenant_id: typing.Optional[TenantId]) -> VectorRotateResult:
        """
        Rotates vectors from the in-rotation secret for their secret path to the current secret.
        This can also be used to rotate data from one tenant ID to a new one, which most useful when a tenant is
        internally migrated.

        WARNINGS:
        * this involves decrypting then encrypting vectors. Since the vectors are full of floating point numbers,
        this process is lossy, which will cause some drift over time. If you need perfectly preserved accuracy,
        store the source vector encrypted with `standard` next to the encrypted vector. `standard` decrypt
        that, `vector` encrypt it again, and replace the encrypted vector with the result.
        * only one metadata and new tenant ID argument means each call to this needs to have one tenant's vectors.
"""
        raise NotImplementedError

VectorRotateResult(*, successes, failures) dataclass

Source code in ironcore_alloy/ironcore_alloy.py

def __init__(self, *, successes:dict[VectorId, EncryptedVector], failures:dict[VectorId, AlloyError]):
    self.successes = successes
    self.failures = failures

Attributes

failures = failures instance-attribute

successes = successes instance-attribute

VectorSecret(approximation_factor, secret)

Bases: VectorSecretProtocol

The approximation factor should be chosen in a way that balances security with search performance. A higher approximation factor is more secure, but introduces more variance into encrypted embeddings, possibly leading to degraded performance. A lower bound for the approximation factor to start with is sqrt(M), where M is the absolute value of the largest data point in the input embeddings.

Source code in ironcore_alloy/ironcore_alloy.py

    def __init__(self, approximation_factor: float,secret: RotatableSecret):
        """
        The approximation factor should be chosen in a way that balances security with search performance.
        A higher approximation factor is more secure, but introduces more variance into encrypted embeddings,
        possibly leading to degraded performance. A lower bound for the approximation factor to start with is `sqrt(M)`,
        where M is the absolute value of the largest data point in the input embeddings.
"""

        _UniffiFfiConverterFloat32.check_lower(approximation_factor)

        _UniffiFfiConverterTypeRotatableSecret.check_lower(secret)
        _uniffi_lowered_args = (
            _UniffiFfiConverterFloat32.lower(approximation_factor),
            _UniffiFfiConverterTypeRotatableSecret.lower(secret),
        )
        _uniffi_lift_return = _UniffiFfiConverterTypeVectorSecret.lift
        _uniffi_error_converter = None
        _uniffi_ffi_result = _uniffi_rust_call_with_error(
            _uniffi_error_converter,
            _UniffiLib.uniffi_ironcore_alloy_fn_constructor_vectorsecret_new,
            *_uniffi_lowered_args,
        )
        self._handle = _uniffi_ffi_result

Functions

new_with_scaling_factor(approximation_factor, secret) classmethod

Source code in ironcore_alloy/ironcore_alloy.py

@classmethod
def new_with_scaling_factor(cls, approximation_factor: float,secret: RotatableSecret) -> VectorSecret:

    _UniffiFfiConverterFloat32.check_lower(approximation_factor)

    _UniffiFfiConverterTypeRotatableSecret.check_lower(secret)
    _uniffi_lowered_args = (
        _UniffiFfiConverterFloat32.lower(approximation_factor),
        _UniffiFfiConverterTypeRotatableSecret.lower(secret),
    )
    _uniffi_lift_return = _UniffiFfiConverterTypeVectorSecret.lift
    _uniffi_error_converter = None
    _uniffi_ffi_result = _uniffi_rust_call_with_error(
        _uniffi_error_converter,
        _UniffiLib.uniffi_ironcore_alloy_fn_constructor_vectorsecret_new_with_scaling_factor,
        *_uniffi_lowered_args,
    )
    return cls._uniffi_make_instance(_uniffi_ffi_result)

VectorSecretProtocol

Bases: Protocol

Functions

uniffi_set_event_loop(eventloop)

Source code in ironcore_alloy/ironcore_alloy.py

def uniffi_set_event_loop(eventloop: asyncio.BaseEventLoop):
    global _UNIFFI_GLOBAL_EVENT_LOOP
    _UNIFFI_GLOBAL_EVENT_LOOP = eventloop