libmongocrypt-helper 1.8.0.0.1001 → 1.11.0.0.1001

data/ext/libmongocrypt/libmongocrypt/bindings/python/pymongocrypt/binding.py

@@ -15,25 +15,23 @@
 import os
 import os.path
 import sys
+from pathlib import Path
 
 import cffi
+from packaging.version import Version
 
-from pymongocrypt.compat import PY3
 from pymongocrypt.version import _MIN_LIBMONGOCRYPT_VERSION
 
-try:
-    from pkg_resources import parse_version as _parse_version
-except ImportError:
-    from distutils.version import LooseVersion as _LooseVersion
 
-    def _parse_version(version):
-        return _LooseVersion(version)
+def _parse_version(version):
+    return Version(version)
 
 
 ffi = cffi.FFI()
 
 # Generated with strip_header.py
-ffi.cdef("""/*
+ffi.cdef(
+    """/*
  * Copyright 2019-present MongoDB, Inc.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
@@ -67,6 +65,16 @@ ffi.cdef("""/*
  */
 const char *mongocrypt_version(uint32_t *len);
 
+/**
+ * Returns true if libmongocrypt was built with native crypto support.
+ *
+ * If libmongocrypt was not built with native crypto support, setting crypto
+ * hooks is required.
+ *
+ * @returns True if libmongocrypt was built with native crypto support.
+ */
+bool mongocrypt_is_crypto_available(void);
+
 /**
  * A non-owning view of a byte buffer.
  *
@@ -88,8 +96,14 @@ const char *mongocrypt_version(uint32_t *len);
  * mongocrypt_ctx_mongo_op guarantees that the viewed data of
  * mongocrypt_binary_t is valid until the parent ctx is destroyed with @ref
  * mongocrypt_ctx_destroy.
+ *
+ * The `mongocrypt_binary_t` struct definition is public.
+ * Consumers may rely on the struct layout.
  */
-typedef struct _mongocrypt_binary_t mongocrypt_binary_t;
+typedef struct _mongocrypt_binary_t {
+    void *data;
+    uint32_t len;
+} mongocrypt_binary_t;
 
 /**
  * Create a new non-owning view of a buffer (data + length).
@@ -453,6 +467,17 @@ void mongocrypt_setopt_set_crypt_shared_lib_path_override(mongocrypt_t *crypt, c
  */
 void mongocrypt_setopt_use_need_kms_credentials_state(mongocrypt_t *crypt);
 
+/**
+ * @brief Opt-into handling the MONGOCRYPT_CTX_NEED_MONGO_COLLINFO_WITH_DB state.
+ *
+ * A context enters the MONGOCRYPT_CTX_NEED_MONGO_COLLINFO_WITH_DB state when
+ * processing a `bulkWrite` command. The target database of the `bulkWrite` may differ from the command database
+ * ("admin").
+ *
+ * @param[in] crypt The @ref mongocrypt_t object to update
+ */
+void mongocrypt_setopt_use_need_mongo_collinfo_with_db_state(mongocrypt_t *crypt);
+
 /**
  * Initialize new @ref mongocrypt_t object.
  *
@@ -510,7 +535,7 @@ const char *mongocrypt_crypt_shared_lib_version_string(const mongocrypt_t *crypt
  * @brief Obtain a 64-bit constant encoding the version of the loaded
  * crypt_shared library, if available.
  *
- * @param[in] crypt The mongocrypt_t object after a successul call to
+ * @param[in] crypt The mongocrypt_t object after a successful call to
  * mongocrypt_init.
  *
  * @return A 64-bit encoded version number, with the version encoded as four
@@ -639,9 +664,8 @@ bool mongocrypt_ctx_setopt_algorithm(mongocrypt_ctx_t *ctx, const char *algorith
 /// String constant for setopt_algorithm "Random" encryption
 /// String constant for setopt_algorithm "Indexed" explicit encryption
 /// String constant for setopt_algorithm "Unindexed" explicit encryption
-/// String constant for setopt_algorithm "rangePreview" explicit encryption
-/// NOTE: The RangePreview algorithm is experimental only. It is not intended
-/// for public use.
+// DEPRECATED: support "RangePreview" has been removed in favor of "range".
+// NOTE: "Range" is currently unstable API and subject to backwards breaking changes.
 
 /**
  * Identify the AWS KMS master key to use for creating a data key.
@@ -823,9 +847,9 @@ bool mongocrypt_ctx_explicit_encrypt_init(mongocrypt_ctx_t *ctx, mongocrypt_bina
 /**
  * Explicit helper method to encrypt a Match Expression or Aggregate Expression.
  * Contexts created for explicit encryption will not go through mongocryptd.
- * Requires query_type to be "rangePreview".
- * NOTE: The RangePreview algorithm is experimental only. It is not intended for
- * public use.
+ * Requires query_type to be "range".
+ *
+ * NOTE: "range" is currently unstable API and subject to backwards breaking changes.
  *
  * This method expects the passed-in BSON to be of the form:
  * { "v" : FLE2RangeFindDriverSpec }
@@ -918,9 +942,10 @@ bool mongocrypt_ctx_rewrap_many_datakey_init(mongocrypt_ctx_t *ctx, mongocrypt_b
  */
 typedef enum {
     MONGOCRYPT_CTX_ERROR = 0,
-    MONGOCRYPT_CTX_NEED_MONGO_COLLINFO = 1, /* run on main MongoClient */
-    MONGOCRYPT_CTX_NEED_MONGO_MARKINGS = 2, /* run on mongocryptd. */
-    MONGOCRYPT_CTX_NEED_MONGO_KEYS = 3,     /* run on key vault */
+    MONGOCRYPT_CTX_NEED_MONGO_COLLINFO = 1,         /* run on main MongoClient */
+    MONGOCRYPT_CTX_NEED_MONGO_COLLINFO_WITH_DB = 8, /* run on main MongoClient */
+    MONGOCRYPT_CTX_NEED_MONGO_MARKINGS = 2,         /* run on mongocryptd. */
+    MONGOCRYPT_CTX_NEED_MONGO_KEYS = 3,             /* run on key vault */
     MONGOCRYPT_CTX_NEED_KMS = 4,
     MONGOCRYPT_CTX_NEED_KMS_CREDENTIALS = 7, /* fetch/renew KMS credentials */
     MONGOCRYPT_CTX_READY = 5,                /* ready for encryption/decryption */
@@ -940,7 +965,7 @@ mongocrypt_ctx_state_t mongocrypt_ctx_state(mongocrypt_ctx_t *ctx);
  * is in MONGOCRYPT_CTX_NEED_MONGO_* states.
  *
  * @p op_bson is a BSON document to be used for the operation.
- * - For MONGOCRYPT_CTX_NEED_MONGO_COLLINFO it is a listCollections filter.
+ * - For MONGOCRYPT_CTX_NEED_MONGO_COLLINFO(_WITH_DB) it is a listCollections filter.
  * - For MONGOCRYPT_CTX_NEED_MONGO_KEYS it is a find filter.
  * - For MONGOCRYPT_CTX_NEED_MONGO_MARKINGS it is a command to send to
  * mongocryptd.
@@ -957,13 +982,28 @@ mongocrypt_ctx_state_t mongocrypt_ctx_state(mongocrypt_ctx_t *ctx);
  */
 bool mongocrypt_ctx_mongo_op(mongocrypt_ctx_t *ctx, mongocrypt_binary_t *op_bson);
 
+/**
+ * Get the database to run the mongo operation.
+ *
+ * Only applies when mongocrypt_ctx_t is in the state:
+ * MONGOCRYPT_CTX_NEED_MONGO_COLLINFO_WITH_DB.
+ *
+ * The lifetime of the returned string is tied to the lifetime of @p ctx. It is
+ * valid until @ref mongocrypt_ctx_destroy is called.
+ *
+ * @param[in] ctx The @ref mongocrypt_ctx_t object.
+ * @returns A string or NULL. If NULL, an error status is set. Retrieve it with
+ * @ref mongocrypt_ctx_status
+ */
+const char *mongocrypt_ctx_mongo_db(mongocrypt_ctx_t *ctx);
+
 /**
  * Feed a BSON reply or result when mongocrypt_ctx_t is in
  * MONGOCRYPT_CTX_NEED_MONGO_* states. This may be called multiple times
  * depending on the operation.
  *
  * reply is a BSON document result being fed back for this operation.
- * - For MONGOCRYPT_CTX_NEED_MONGO_COLLINFO it is a doc from a listCollections
+ * - For MONGOCRYPT_CTX_NEED_MONGO_COLLINFO(_WITH_DB) it is a doc from a listCollections
  * cursor. (Note, if listCollections returned no result, do not call this
  * function.)
  * - For MONGOCRYPT_CTX_NEED_MONGO_KEYS it is a doc from a find cursor.
@@ -1176,7 +1216,7 @@ void mongocrypt_ctx_destroy(mongocrypt_ctx_t *ctx);
  * @param[out] status An optional status to pass error messages. See @ref
  * mongocrypt_status_set.
  * @returns A boolean indicating success. If returning false, set @p status
- * with a message indiciating the error using @ref mongocrypt_status_set.
+ * with a message indicating the error using @ref mongocrypt_status_set.
  */
 typedef bool (*mongocrypt_crypto_fn)(void *ctx,
                                      mongocrypt_binary_t *key,
@@ -1201,7 +1241,7 @@ typedef bool (*mongocrypt_crypto_fn)(void *ctx,
  * @param[out] status An optional status to pass error messages. See @ref
  * mongocrypt_status_set.
  * @returns A boolean indicating success. If returning false, set @p status
- * with a message indiciating the error using @ref mongocrypt_status_set.
+ * with a message indicating the error using @ref mongocrypt_status_set.
  */
 typedef bool (*mongocrypt_hmac_fn)(void *ctx,
                                    mongocrypt_binary_t *key,
@@ -1220,7 +1260,7 @@ typedef bool (*mongocrypt_hmac_fn)(void *ctx,
  * @param[out] status An optional status to pass error messages. See @ref
  * mongocrypt_status_set.
  * @returns A boolean indicating success. If returning false, set @p status
- * with a message indiciating the error using @ref mongocrypt_status_set.
+ * with a message indicating the error using @ref mongocrypt_status_set.
  */
 typedef bool (*mongocrypt_hash_fn)(void *ctx,
                                    mongocrypt_binary_t *in,
@@ -1238,7 +1278,7 @@ typedef bool (*mongocrypt_hash_fn)(void *ctx,
  * @param[out] status An optional status to pass error messages. See @ref
  * mongocrypt_status_set.
  * @returns A boolean indicating success. If returning false, set @p status
- * with a message indiciating the error using @ref mongocrypt_status_set.
+ * with a message indicating the error using @ref mongocrypt_status_set.
  */
 typedef bool (*mongocrypt_random_fn)(void *ctx, mongocrypt_binary_t *out, uint32_t count, mongocrypt_status_t *status);
 
@@ -1259,8 +1299,7 @@ bool mongocrypt_setopt_crypto_hooks(mongocrypt_t *crypt,
  * operation.
  * @param[in] aes_256_ctr_decrypt The crypto callback function for decrypt
  * operation.
- * @param[in] ctx A context passed as an argument to the crypto callback
- * every invocation.
+ * @param[in] ctx Unused.
  * @pre @ref mongocrypt_init has not been called on @p crypt.
  * @returns A boolean indicating success. If false, an error status is set.
  * Retrieve it with @ref mongocrypt_status
@@ -1279,8 +1318,7 @@ bool mongocrypt_setopt_aes_256_ctr(mongocrypt_t *crypt,
  * @param[in] crypt The @ref mongocrypt_t object.
  * @param[in] aes_256_ecb_encrypt The crypto callback function for encrypt
  * operation.
- * @param[in] ctx A context passed as an argument to the crypto callback
- * every invocation.
+ * @param[in] ctx Unused.
  * @pre @ref mongocrypt_init has not been called on @p crypt.
  * @returns A boolean indicating success. If false, an error status is set.
  * Retrieve it with @ref mongocrypt_status
@@ -1320,6 +1358,17 @@ bool mongocrypt_setopt_crypto_hook_sign_rsaes_pkcs1_v1_5(mongocrypt_t *crypt,
  */
 void mongocrypt_setopt_bypass_query_analysis(mongocrypt_t *crypt);
 
+/**
+ * DEPRECATED: Use of `mongocrypt_setopt_use_range_v2` is deprecated. Range V2 is always enabled.
+ * NOTE: "range" is currently unstable API and subject to backwards breaking changes.
+ *
+ * @param[in] crypt The @ref mongocrypt_t object.
+ *
+ * @returns A boolean indicating success. If false, an error status is set.
+ * Retrieve it with @ref mongocrypt_status
+ */
+bool mongocrypt_setopt_use_range_v2(mongocrypt_t *crypt);
+
 /**
  * Set the contention factor used for explicit encryption.
  * The contention factor is only used for indexed Queryable Encryption.
@@ -1362,16 +1411,16 @@ bool mongocrypt_ctx_setopt_index_key_id(mongocrypt_ctx_t *ctx, mongocrypt_binary
 bool mongocrypt_ctx_setopt_query_type(mongocrypt_ctx_t *ctx, const char *query_type, int len);
 
 /**
- * Set options for explicit encryption with the "rangePreview" algorithm.
- * NOTE: The RangePreview algorithm is experimental only. It is not intended for
- * public use.
+ * Set options for explicit encryption with the "range" algorithm.
+ * NOTE: "range" is currently unstable API and subject to backwards breaking changes.
  *
  * @p opts is a BSON document of the form:
  * {
  *    "min": Optional<BSON value>,
  *    "max": Optional<BSON value>,
  *    "sparsity": Int64,
- *    "precision": Optional<Int32>
+ *    "precision": Optional<Int32>,
+ *    "trimFactor": Optional<Int32>
  * }
  *
  * @param[in] ctx The @ref mongocrypt_ctx_t object.
@@ -1383,18 +1432,15 @@ bool mongocrypt_ctx_setopt_query_type(mongocrypt_ctx_t *ctx, const char *query_t
 bool mongocrypt_ctx_setopt_algorithm_range(mongocrypt_ctx_t *ctx, mongocrypt_binary_t *opts);
 
 /// String constants for setopt_query_type
-// NOTE: The RangePreview algorithm is experimental only. It is not intended for
-// public use.
-""")
-
-if PY3:
-    def _to_string(cdata):
-        """Decode a cdata c-string to a Python str."""
-        return ffi.string(cdata).decode()
-else:
-    def _to_string(cdata):
-        """Decode a cdata c-string to a Python str."""
-        return ffi.string(cdata)
+// DEPRECATED: Support "rangePreview" has been removed in favor of "range".
+/// NOTE: "range" is currently unstable API and subject to backwards breaking changes.
+"""
+)
+
+
+def _to_string(cdata):
+    """Decode a cdata c-string to a Python str."""
+    return ffi.string(cdata).decode()
 
 
 def libmongocrypt_version():
@@ -1408,18 +1454,19 @@ def libmongocrypt_version():
 # export PYMONGOCRYPT_LIB='/path/to/libmongocrypt.so'
 # If the PYMONGOCRYPT_LIB is not set then load the embedded library and
 # fallback to the relying on a system installed library.
-_base = os.path.dirname(os.path.realpath(__file__))
-if sys.platform == 'win32':
-    _path = os.path.join(_base, 'mongocrypt.dll')
-elif sys.platform == 'darwin':
-    _path = os.path.join(_base, 'libmongocrypt.dylib')
+_base = Path(os.path.realpath(__file__)).parent
+if sys.platform == "win32":
+    _path = Path(_base) / "mongocrypt.dll"
+elif sys.platform == "darwin":
+    _path = Path(_base) / "libmongocrypt.dylib"
 else:
-    _path = os.path.join(_base, 'libmongocrypt.so')
+    _path = Path(_base) / "libmongocrypt.so"
 
 
-class _Library(object):
+class _Library:
     """Helper class for delaying errors that would usually be raised at
     import time until the library is actually used."""
+
     def __init__(self, error):
         self._error = error
 
@@ -1427,25 +1474,24 @@ class _Library(object):
         raise self._error
 
 
-_PYMONGOCRYPT_LIB = os.environ.get('PYMONGOCRYPT_LIB')
+_PYMONGOCRYPT_LIB = os.environ.get("PYMONGOCRYPT_LIB")
 try:
     if _PYMONGOCRYPT_LIB:
         lib = ffi.dlopen(_PYMONGOCRYPT_LIB)
     else:
         try:
-            lib = ffi.dlopen(_path)
-        except OSError as exc:
+            lib = ffi.dlopen(str(_path))
+        except OSError:
             # Fallback to libmongocrypt installed on the system.
-            lib = ffi.dlopen('mongocrypt')
+            lib = ffi.dlopen("mongocrypt")
 except OSError as exc:
     # dlopen raises OSError when the library cannot be found.
     # Delay the error until the library is actually used.
     lib = _Library(exc)
 else:
-    # Check the libmongocrypt version when the library is found.
-    _limongocrypt_version = _parse_version(libmongocrypt_version())
-    if _limongocrypt_version < _parse_version(_MIN_LIBMONGOCRYPT_VERSION):
+    _limongocrypt_version = Version(libmongocrypt_version())
+    if _limongocrypt_version < Version(_MIN_LIBMONGOCRYPT_VERSION):
         exc = RuntimeError(
-            "Expected libmongocrypt version %s or greater, found %s" % (
-                _MIN_LIBMONGOCRYPT_VERSION, libmongocrypt_version()))
+            f"Expected libmongocrypt version %s or greater, found {_MIN_LIBMONGOCRYPT_VERSION, libmongocrypt_version()}"
+        )
         lib = _Library(exc)

data/ext/libmongocrypt/libmongocrypt/bindings/python/pymongocrypt/compat.py

@@ -16,19 +16,21 @@
 
 import sys
 
-PY3 = sys.version_info[0] == 3
+PY3 = sys.version_info[0] >= 3
 
 if PY3:
     from abc import ABC
+
     unicode_type = str
 else:
     from abc import ABCMeta as _ABCMeta
-    ABC = _ABCMeta('ABC', (object,), {})
-    unicode_type = unicode
+
+    ABC = _ABCMeta("ABC", (object,), {})
+    unicode_type = "unicode"
 
 
 def str_to_bytes(string):
     """Convert a str (or unicode) to bytes."""
     if isinstance(string, bytes):
         return string
-    return string.encode('utf-8')
+    return string.encode("utf-8")

data/ext/libmongocrypt/libmongocrypt/bindings/python/pymongocrypt/credentials.py

@@ -11,126 +11,7 @@
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
-import os
-from collections import namedtuple
-from datetime import datetime, timedelta
 
-try:
-    from pymongo_auth_aws.auth import aws_temp_credentials
-    _HAVE_AUTH_AWS = True
-except ImportError:
-    _HAVE_AUTH_AWS = False
+# Alias file for import compatibility
 
-from pymongocrypt.errors import MongoCryptError
-
-import requests
-
-
-_azure_creds = namedtuple("_azure_creds", ["access_token", "expires_in"])
-_azure_creds_cache = None
-
-
-def _get_gcp_credentials():
-    """Get on-demand GCP credentials"""
-    metadata_host = os.getenv("GCE_METADATA_HOST") or "metadata.google.internal"
-    url = "http://%s/computeMetadata/v1/instance/service-accounts/default/token" % metadata_host
-
-    headers = {"Metadata-Flavor": "Google"}
-    try:
-        response = requests.get(url, headers=headers)
-    except Exception as e:
-        msg = "unable to retrieve GCP credentials: %s" % e
-        raise MongoCryptError(msg)
-
-    if response.status_code != 200:
-        msg = "Unable to retrieve GCP credentials: expected StatusCode 200, got StatusCode: %s. Response body:\n%s" % (response.status_code, response.content)
-        raise MongoCryptError(msg)
-    try:
-        data = response.json()
-    except Exception:
-        raise MongoCryptError("unable to retrieve GCP credentials: error reading response body\n%s" % response.content)
-
-    if not data.get("access_token"):
-        msg = "unable to retrieve GCP credentials: got unexpected empty accessToken from GCP Metadata Server. Response body: %s" % response.content
-        raise MongoCryptError(msg)
-
-    return {'accessToken': data['access_token']}
-
-
-def _get_azure_credentials():
-    """Get on-demand Azure credentials"""
-    global _azure_creds_cache
-    # Credentials are considered expired when: Expiration - now < 1 mins.
-    creds = _azure_creds_cache
-    if creds:
-        if creds.expires_in - datetime.utcnow() < timedelta(seconds=60):
-            _azure_creds_cache = None
-        else:
-            return { 'accessToken': creds.access_token }
-
-    url = "http://169.254.169.254/metadata/identity/oauth2/token"
-    url += "?api-version=2018-02-01"
-    url += "&resource=https://vault.azure.net"
-    headers = { "Metadata": "true", "Accept": "application/json" }
-    try:
-        response = requests.get(url, headers=headers)
-    except Exception as e:
-        msg = "Failed to acquire IMDS access token: %s" % e
-        raise MongoCryptError(msg)
-
-    if response.status_code != 200:
-        msg = "Failed to acquire IMDS access token."
-        raise MongoCryptError(msg)
-    try:
-        data = response.json()
-    except Exception:
-        raise MongoCryptError("Azure IMDS response must be in JSON format.")
-
-    for key in ["access_token", "expires_in"]:
-        if not data.get(key):
-            msg = "Azure IMDS response must contain %s, but was %s."
-            msg = msg % (key, response.content)
-            raise MongoCryptError(msg)
-
-    try:
-        expires_in = int(data["expires_in"])
-    except ValueError:
-        raise MongoCryptError('Azure IMDS response must contain "expires_in" integer, but was %s.' % response.content)
-
-    expiration_time = datetime.utcnow() + timedelta(seconds=expires_in)
-    _azure_creds_cache = _azure_creds(data['access_token'], expiration_time)
-    return { 'accessToken': data['access_token'] }
-
-
-def _ask_for_kms_credentials(kms_providers):
-    """Get on-demand kms credentials.
-
-    This is a separate function so it can be overridden in unit tests."""
-    global _azure_creds_cache
-    on_demand_aws = 'aws' in kms_providers and not len(kms_providers['aws'])
-    on_demand_gcp = 'gcp' in kms_providers and not len(kms_providers['gcp'])
-    on_demand_azure = 'azure' in kms_providers and not len(kms_providers['azure'])
-
-    if not any([on_demand_aws, on_demand_gcp, on_demand_azure]):
-        return {}
-    creds = {}
-    if on_demand_aws:
-        if not _HAVE_AUTH_AWS:
-            raise RuntimeError(
-                "On-demand AWS credentials require pymongo-auth-aws: "
-                "install with: python -m pip install 'pymongo[aws]'"
-            )
-        aws_creds = aws_temp_credentials()
-        creds_dict = {"accessKeyId": aws_creds.username, "secretAccessKey": aws_creds.password}
-        if aws_creds.token:
-            creds_dict["sessionToken"] = aws_creds.token
-        creds['aws'] = creds_dict
-    if on_demand_gcp:
-        creds['gcp'] = _get_gcp_credentials()
-    if on_demand_azure:
-        try:
-            creds['azure'] = _get_azure_credentials()
-        except Exception:
-            _azure_creds_cache = None
-            raise
-    return creds
+from pymongocrypt.synchronous.credentials import *

data/ext/libmongocrypt/libmongocrypt/bindings/python/pymongocrypt/crypto.py

@@ -20,7 +20,7 @@ import traceback
 from cryptography.hazmat.backends import default_backend
 from cryptography.hazmat.primitives.asymmetric import padding
 from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
-from cryptography.hazmat.primitives.hashes import Hash, SHA256, SHA512
+from cryptography.hazmat.primitives.hashes import SHA256, SHA512, Hash
 from cryptography.hazmat.primitives.hmac import HMAC
 from cryptography.hazmat.primitives.serialization import load_der_private_key
 
@@ -35,18 +35,19 @@ def _callback_error_handler(exception, exc_value, tb):
     # if the whole function ran successfully but there was an error converting
     # the value returned: this occurs after the call)."
     if tb is not None:
-        status = tb.tb_frame.f_locals['status']
-        msg = str_to_bytes(''.join(traceback.format_exception(
-            exception, exc_value, tb)))
+        status = tb.tb_frame.f_locals["status"]
+        msg = str_to_bytes(
+            "".join(traceback.format_exception(exception, exc_value, tb))
+        )
         lib.mongocrypt_status_set(
-            status, lib.MONGOCRYPT_STATUS_ERROR_CLIENT, 1, msg, -1)
+            status, lib.MONGOCRYPT_STATUS_ERROR_CLIENT, 1, msg, -1
+        )
 
     return False
 
 
 def _aes_256_encrypt(key, mode, input, output, bytes_written):
-    cipher = Cipher(algorithms.AES(_to_bytes(key)), mode,
-                    backend=default_backend())
+    cipher = Cipher(algorithms.AES(_to_bytes(key)), mode, backend=default_backend())
     encryptor = cipher.encryptor()
     data = encryptor.update(_to_bytes(input)) + encryptor.finalize()
     _write_bytes(output, data)
@@ -54,8 +55,7 @@ def _aes_256_encrypt(key, mode, input, output, bytes_written):
 
 
 def _aes_256_decrypt(key, mode, input, output, bytes_written):
-    cipher = Cipher(algorithms.AES(_to_bytes(key)), mode,
-                    backend=default_backend())
+    cipher = Cipher(algorithms.AES(_to_bytes(key)), mode, backend=default_backend())
     decryptor = cipher.decryptor()
     data = decryptor.update(_to_bytes(input)) + decryptor.finalize()
     _write_bytes(output, data)
@@ -66,7 +66,8 @@ def _aes_256_decrypt(key, mode, input, output, bytes_written):
     "bool(void *, mongocrypt_binary_t *, mongocrypt_binary_t *,"
     "     mongocrypt_binary_t *, mongocrypt_binary_t *, uint32_t *,"
     "     mongocrypt_status_t *)",
-    onerror=_callback_error_handler)
+    onerror=_callback_error_handler,
+)
 def aes_256_cbc_encrypt(ctx, key, iv, input, output, bytes_written, status):
     # Note that libmongocrypt pads the input before calling this method.
     _aes_256_encrypt(key, modes.CBC(_to_bytes(iv)), input, output, bytes_written)
@@ -77,7 +78,8 @@ def aes_256_cbc_encrypt(ctx, key, iv, input, output, bytes_written, status):
     "bool(void *, mongocrypt_binary_t *, mongocrypt_binary_t *,"
     "     mongocrypt_binary_t *, mongocrypt_binary_t *, uint32_t *,"
     "     mongocrypt_status_t *)",
-    onerror=_callback_error_handler)
+    onerror=_callback_error_handler,
+)
 def aes_256_cbc_decrypt(ctx, key, iv, input, output, bytes_written, status):
     # Note that libmongocrypt pads the input before calling this method.
     _aes_256_decrypt(key, modes.CBC(_to_bytes(iv)), input, output, bytes_written)
@@ -88,7 +90,8 @@ def aes_256_cbc_decrypt(ctx, key, iv, input, output, bytes_written, status):
     "bool(void *, mongocrypt_binary_t *, mongocrypt_binary_t *,"
     "     mongocrypt_binary_t *, mongocrypt_binary_t *, uint32_t *,"
     "     mongocrypt_status_t *)",
-    onerror=_callback_error_handler)
+    onerror=_callback_error_handler,
+)
 def aes_256_ctr_encrypt(ctx, key, iv, input, output, bytes_written, status):
     _aes_256_encrypt(key, modes.CTR(_to_bytes(iv)), input, output, bytes_written)
     return True
@@ -98,7 +101,8 @@ def aes_256_ctr_encrypt(ctx, key, iv, input, output, bytes_written, status):
     "bool(void *, mongocrypt_binary_t *, mongocrypt_binary_t *,"
     "     mongocrypt_binary_t *, mongocrypt_binary_t *, uint32_t *,"
     "     mongocrypt_status_t *)",
-    onerror=_callback_error_handler)
+    onerror=_callback_error_handler,
+)
 def aes_256_ctr_decrypt(ctx, key, iv, input, output, bytes_written, status):
     _aes_256_decrypt(key, modes.CTR(_to_bytes(iv)), input, output, bytes_written)
     return True
@@ -107,7 +111,8 @@ def aes_256_ctr_decrypt(ctx, key, iv, input, output, bytes_written, status):
 @ffi.callback(
     "bool(void *, mongocrypt_binary_t *, mongocrypt_binary_t *, "
     "     mongocrypt_binary_t *, mongocrypt_status_t *)",
-    onerror=_callback_error_handler)
+    onerror=_callback_error_handler,
+)
 def hmac_sha_256(ctx, key, input, output, status):
     h = HMAC(_to_bytes(key), SHA256(), backend=default_backend())
     h.update(_to_bytes(input))
@@ -119,7 +124,8 @@ def hmac_sha_256(ctx, key, input, output, status):
 @ffi.callback(
     "bool(void *, mongocrypt_binary_t *, mongocrypt_binary_t *, "
     "     mongocrypt_binary_t *, mongocrypt_status_t *)",
-    onerror=_callback_error_handler)
+    onerror=_callback_error_handler,
+)
 def hmac_sha_512(ctx, key, input, output, status):
     h = HMAC(_to_bytes(key), SHA512(), backend=default_backend())
     h.update(_to_bytes(input))
@@ -131,7 +137,8 @@ def hmac_sha_512(ctx, key, input, output, status):
 @ffi.callback(
     "bool(void *, mongocrypt_binary_t *, mongocrypt_binary_t *, "
     "     mongocrypt_status_t *)",
-    onerror=_callback_error_handler)
+    onerror=_callback_error_handler,
+)
 def sha_256(ctx, input, output, status):
     digest = Hash(SHA256(), backend=default_backend())
     digest.update(_to_bytes(input))
@@ -142,7 +149,8 @@ def sha_256(ctx, input, output, status):
 
 @ffi.callback(
     "bool(void *, mongocrypt_binary_t *, uint32_t, mongocrypt_status_t *)",
-    onerror=_callback_error_handler)
+    onerror=_callback_error_handler,
+)
 def secure_random(ctx, output, count, status):
     data = os.urandom(int(count))
     _write_bytes(output, data)
@@ -152,11 +160,14 @@ def secure_random(ctx, output, count, status):
 @ffi.callback(
     "bool(void *, mongocrypt_binary_t *, mongocrypt_binary_t *, "
     "     mongocrypt_binary_t *, mongocrypt_status_t *)",
-    onerror=_callback_error_handler)
+    onerror=_callback_error_handler,
+)
 def sign_rsaes_pkcs1_v1_5(ctx, key, input, output, status):
     rsa_private_key = load_der_private_key(
-        _to_bytes(key), password=None, backend=default_backend())
+        _to_bytes(key), password=None, backend=default_backend()
+    )
     signature = rsa_private_key.sign(
-        _to_bytes(input), padding=padding.PKCS1v15(), algorithm=SHA256())
+        _to_bytes(input), padding=padding.PKCS1v15(), algorithm=SHA256()
+    )
     _write_bytes(output, signature)
     return True

data/ext/libmongocrypt/libmongocrypt/bindings/python/pymongocrypt/errors.py

@@ -12,7 +12,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-from pymongocrypt.binding import ffi, lib, _to_string
+from pymongocrypt.binding import _to_string, ffi, lib
 
 
 class MongoCryptError(Exception):
@@ -23,7 +23,7 @@ class MongoCryptError(Exception):
           - `msg`: An error message.
           - `code`: The mongocrypt_status_t code.
         """
-        super(MongoCryptError, self).__init__(msg)
+        super().__init__(msg)
         self.code = code
 
     @classmethod