azure-storage-blob 12.25.1__py3-none-any.whl → 12.27.0b1__py3-none-any.whl

azure/storage/blob/_encryption.py

@@ -38,51 +38,46 @@ if TYPE_CHECKING:
     from cryptography.hazmat.primitives.padding import PaddingContext
 
 
-_ENCRYPTION_PROTOCOL_V1 = '1.0'
-_ENCRYPTION_PROTOCOL_V2 = '2.0'
-_ENCRYPTION_PROTOCOL_V2_1 = '2.1'
+_ENCRYPTION_PROTOCOL_V1 = "1.0"
+_ENCRYPTION_PROTOCOL_V2 = "2.0"
+_ENCRYPTION_PROTOCOL_V2_1 = "2.1"
 _VALID_ENCRYPTION_PROTOCOLS = [_ENCRYPTION_PROTOCOL_V1, _ENCRYPTION_PROTOCOL_V2, _ENCRYPTION_PROTOCOL_V2_1]
 _ENCRYPTION_V2_PROTOCOLS = [_ENCRYPTION_PROTOCOL_V2, _ENCRYPTION_PROTOCOL_V2_1]
 _GCM_REGION_DATA_LENGTH = 4 * 1024 * 1024
 _GCM_NONCE_LENGTH = 12
 _GCM_TAG_LENGTH = 16
 
-_ERROR_OBJECT_INVALID = \
-    '{0} does not define a complete interface. Value of {1} is either missing or invalid.'
+_ERROR_OBJECT_INVALID = "{0} does not define a complete interface. Value of {1} is either missing or invalid."
 
 _ERROR_UNSUPPORTED_METHOD_FOR_ENCRYPTION = (
-    'The require_encryption flag is set, but encryption is not supported'
-    ' for this method.')
+    "The require_encryption flag is set, but encryption is not supported for this method."
+)
 
 
 class KeyEncryptionKey(Protocol):
 
-    def wrap_key(self, key: bytes) -> bytes:
-        ...
+    def wrap_key(self, key: bytes) -> bytes: ...
 
-    def unwrap_key(self, key: bytes, algorithm: str) -> bytes:
-        ...
+    def unwrap_key(self, key: bytes, algorithm: str) -> bytes: ...
 
-    def get_kid(self) -> str:
-        ...
+    def get_kid(self) -> str: ...
 
-    def get_key_wrap_algorithm(self) -> str:
-        ...
+    def get_key_wrap_algorithm(self) -> str: ...
 
 
 def _validate_not_none(param_name: str, param: Any):
     if param is None:
-        raise ValueError(f'{param_name} should not be None.')
+        raise ValueError(f"{param_name} should not be None.")
 
 
 def _validate_key_encryption_key_wrap(kek: KeyEncryptionKey):
     # Note that None is not callable and so will fail the second clause of each check.
-    if not hasattr(kek, 'wrap_key') or not callable(kek.wrap_key):
-        raise AttributeError(_ERROR_OBJECT_INVALID.format('key encryption key', 'wrap_key'))
-    if not hasattr(kek, 'get_kid') or not callable(kek.get_kid):
-        raise AttributeError(_ERROR_OBJECT_INVALID.format('key encryption key', 'get_kid'))
-    if not hasattr(kek, 'get_key_wrap_algorithm') or not callable(kek.get_key_wrap_algorithm):
-        raise AttributeError(_ERROR_OBJECT_INVALID.format('key encryption key', 'get_key_wrap_algorithm'))
+    if not hasattr(kek, "wrap_key") or not callable(kek.wrap_key):
+        raise AttributeError(_ERROR_OBJECT_INVALID.format("key encryption key", "wrap_key"))
+    if not hasattr(kek, "get_kid") or not callable(kek.get_kid):
+        raise AttributeError(_ERROR_OBJECT_INVALID.format("key encryption key", "get_kid"))
+    if not hasattr(kek, "get_key_wrap_algorithm") or not callable(kek.get_key_wrap_algorithm):
+        raise AttributeError(_ERROR_OBJECT_INVALID.format("key encryption key", "get_key_wrap_algorithm"))
 
 
 class StorageEncryptionMixin(object):
@@ -91,19 +86,22 @@ class StorageEncryptionMixin(object):
         self.encryption_version = kwargs.get("encryption_version", "1.0")
         self.key_encryption_key = kwargs.get("key_encryption_key")
         self.key_resolver_function = kwargs.get("key_resolver_function")
-        if self.key_encryption_key and self.encryption_version == '1.0':
-            warnings.warn("This client has been configured to use encryption with version 1.0. " +
-                          "Version 1.0 is deprecated and no longer considered secure. It is highly " +
-                          "recommended that you switch to using version 2.0. The version can be " +
-                          "specified using the 'encryption_version' keyword.")
+        if self.key_encryption_key and self.encryption_version == "1.0":
+            warnings.warn(
+                "This client has been configured to use encryption with version 1.0. "
+                + "Version 1.0 is deprecated and no longer considered secure. It is highly "
+                + "recommended that you switch to using version 2.0. The version can be "
+                + "specified using the 'encryption_version' keyword."
+            )
 
 
 class _EncryptionAlgorithm(object):
     """
     Specifies which client encryption algorithm is used.
     """
-    AES_CBC_256 = 'AES_CBC_256'
-    AES_GCM_256 = 'AES_GCM_256'
+
+    AES_CBC_256 = "AES_CBC_256"
+    AES_GCM_256 = "AES_GCM_256"
 
 
 class _WrappedContentKey:
@@ -120,9 +118,9 @@ class _WrappedContentKey:
         :param str key_id:
             The key-encryption-key identifier string.
         """
-        _validate_not_none('algorithm', algorithm)
-        _validate_not_none('encrypted_key', encrypted_key)
-        _validate_not_none('key_id', key_id)
+        _validate_not_none("algorithm", algorithm)
+        _validate_not_none("encrypted_key", encrypted_key)
+        _validate_not_none("key_id", key_id)
 
         self.algorithm = algorithm
         self.encrypted_key = encrypted_key
@@ -144,9 +142,9 @@ class _EncryptedRegionInfo:
         :param int tag_length:
             The length of the encryption tag.
         """
-        _validate_not_none('data_length', data_length)
-        _validate_not_none('nonce_length', nonce_length)
-        _validate_not_none('tag_length', tag_length)
+        _validate_not_none("data_length", data_length)
+        _validate_not_none("nonce_length", nonce_length)
+        _validate_not_none("tag_length", tag_length)
 
         self.data_length = data_length
         self.nonce_length = nonce_length
@@ -166,8 +164,8 @@ class _EncryptionAgent:
         :param str protocol:
             The protocol version used for encryption.
         """
-        _validate_not_none('encryption_algorithm', encryption_algorithm)
-        _validate_not_none('protocol', protocol)
+        _validate_not_none("encryption_algorithm", encryption_algorithm)
+        _validate_not_none("protocol", protocol)
 
         self.encryption_algorithm = str(encryption_algorithm)
         self.protocol = protocol
@@ -179,11 +177,12 @@ class _EncryptionData:
     """
 
     def __init__(
-        self, content_encryption_IV: Optional[bytes],
+        self,
+        content_encryption_IV: Optional[bytes],
         encrypted_region_info: Optional[_EncryptedRegionInfo],
         encryption_agent: _EncryptionAgent,
         wrapped_content_key: _WrappedContentKey,
-        key_wrapping_metadata: Dict[str, Any]
+        key_wrapping_metadata: Dict[str, Any],
     ) -> None:
         """
         :param Optional[bytes] content_encryption_IV:
@@ -200,14 +199,14 @@ class _EncryptionData:
         :param Dict[str, Any] key_wrapping_metadata:
             A dict containing metadata related to the key wrapping.
         """
-        _validate_not_none('encryption_agent', encryption_agent)
-        _validate_not_none('wrapped_content_key', wrapped_content_key)
+        _validate_not_none("encryption_agent", encryption_agent)
+        _validate_not_none("wrapped_content_key", wrapped_content_key)
 
         # Validate we have the right matching optional parameter for the specified algorithm
         if encryption_agent.encryption_algorithm == _EncryptionAlgorithm.AES_CBC_256:
-            _validate_not_none('content_encryption_IV', content_encryption_IV)
+            _validate_not_none("content_encryption_IV", content_encryption_IV)
         elif encryption_agent.encryption_algorithm == _EncryptionAlgorithm.AES_GCM_256:
-            _validate_not_none('encrypted_region_info', encrypted_region_info)
+            _validate_not_none("encrypted_region_info", encrypted_region_info)
         else:
             raise ValueError("Invalid encryption algorithm.")
 
@@ -225,8 +224,10 @@ class GCMBlobEncryptionStream:
     will use the same encryption key and will generate a guaranteed unique
     nonce for each encryption region.
     """
+
     def __init__(
-        self, content_encryption_key: bytes,
+        self,
+        content_encryption_key: bytes,
         data_stream: IO[bytes],
     ) -> None:
         """
@@ -237,7 +238,7 @@ class GCMBlobEncryptionStream:
         self.data_stream = data_stream
 
         self.offset = 0
-        self.current = b''
+        self.current = b""
         self.nonce_counter = 0
 
     def read(self, size: int = -1) -> bytes:
@@ -286,7 +287,7 @@ def encrypt_data_v2(data: bytes, nonce: int, key: bytes) -> bytes:
     :return: The encrypted bytes in the form: nonce + ciphertext + tag.
     :rtype: bytes
     """
-    nonce_bytes = nonce.to_bytes(_GCM_NONCE_LENGTH, 'big')
+    nonce_bytes = nonce.to_bytes(_GCM_NONCE_LENGTH, "big")
     aesgcm = AESGCM(key)
 
     # Returns ciphertext + tag
@@ -307,11 +308,8 @@ def is_encryption_v2(encryption_data: Optional[_EncryptionData]) -> bool:
 
 
 def modify_user_agent_for_encryption(
-        user_agent: str,
-        moniker: str,
-        encryption_version: str,
-        request_options: Dict[str, Any]
-    ) -> None:
+    user_agent: str, moniker: str, encryption_version: str, request_options: Dict[str, Any]
+) -> None:
     """
     Modifies the request options to contain a user agent string updated with encryption information.
     Adds azstorage-clientsideencryption/<version> immediately proceeding the SDK descriptor.
@@ -322,7 +320,7 @@ def modify_user_agent_for_encryption(
     :param Dict[str, Any] request_options: The reuqest options to add the user agent override to.
     """
     # If the user has specified user_agent_overwrite=True, don't make any modifications
-    if request_options.get('user_agent_overwrite'):
+    if request_options.get("user_agent_overwrite"):
         return
 
     # If the feature flag is already present, don't add it again
@@ -333,11 +331,11 @@ def modify_user_agent_for_encryption(
     index = user_agent.find(f"azsdk-python-{moniker}")
     user_agent = f"{user_agent[:index]}{feature_flag} {user_agent[index:]}"
     # Since we are using user_agent_overwrite=True, we must prepend the user's user_agent if there is one
-    if request_options.get('user_agent'):
+    if request_options.get("user_agent"):
         user_agent = f"{request_options.get('user_agent')} {user_agent}"
 
-    request_options['user_agent'] = user_agent
-    request_options['user_agent_overwrite'] = True
+    request_options["user_agent"] = user_agent
+    request_options["user_agent_overwrite"] = True
 
 
 def get_adjusted_upload_size(length: int, encryption_version: str) -> int:
@@ -362,10 +360,8 @@ def get_adjusted_upload_size(length: int, encryption_version: str) -> int:
 
 
 def get_adjusted_download_range_and_offset(
-        start: int,
-        end: int,
-        length: Optional[int],
-        encryption_data: Optional[_EncryptionData]) -> Tuple[Tuple[int, int], Tuple[int, int]]:
+    start: int, end: int, length: Optional[int], encryption_data: Optional[_EncryptionData]
+) -> Tuple[Tuple[int, int], Tuple[int, int]]:
     """
     Gets the new download range and offsets into the decrypted data for
     the given user-specified range. The new download range will include all
@@ -453,7 +449,7 @@ def parse_encryption_data(metadata: Dict[str, Any]) -> Optional[_EncryptionData]
     try:
         # Use case insensitive dict as key needs to be case-insensitive
         case_insensitive_metadata = CaseInsensitiveDict(metadata)
-        return _dict_to_encryption_data(loads(case_insensitive_metadata['encryptiondata']))
+        return _dict_to_encryption_data(loads(case_insensitive_metadata["encryptiondata"]))
     except:  # pylint: disable=bare-except
         return None
 
@@ -468,9 +464,11 @@ def adjust_blob_size_for_encryption(size: int, encryption_data: Optional[_Encryp
     :return: The new blob size.
     :rtype: int
     """
-    if (encryption_data is not None and
-        encryption_data.encrypted_region_info is not None and
-        is_encryption_v2(encryption_data)):
+    if (
+        encryption_data is not None
+        and encryption_data.encrypted_region_info is not None
+        and is_encryption_v2(encryption_data)
+    ):
 
         nonce_length = encryption_data.encrypted_region_info.nonce_length
         data_length = encryption_data.encrypted_region_info.data_length
@@ -485,11 +483,8 @@ def adjust_blob_size_for_encryption(size: int, encryption_data: Optional[_Encryp
 
 
 def _generate_encryption_data_dict(
-        kek: KeyEncryptionKey,
-        cek: bytes,
-        iv: Optional[bytes],
-        version: str
-    ) -> TypedOrderedDict[str, Any]:
+    kek: KeyEncryptionKey, cek: bytes, iv: Optional[bytes], version: str
+) -> TypedOrderedDict[str, Any]:
     """
     Generates and returns the encryption metadata as a dict.
 
@@ -506,7 +501,7 @@ def _generate_encryption_data_dict(
     # For V2, we include the encryption version in the wrapped key.
     elif version == _ENCRYPTION_PROTOCOL_V2:
         # We must pad the version to 8 bytes for AES Keywrap algorithms
-        to_wrap = _ENCRYPTION_PROTOCOL_V2.encode().ljust(8, b'\0') + cek
+        to_wrap = _ENCRYPTION_PROTOCOL_V2.encode().ljust(8, b"\0") + cek
         wrapped_cek = kek.wrap_key(to_wrap)
     else:
         raise ValueError("Invalid encryption version specified.")
@@ -514,31 +509,31 @@ def _generate_encryption_data_dict(
     # Build the encryption_data dict.
     # Use OrderedDict to comply with Java's ordering requirement.
     wrapped_content_key = OrderedDict()
-    wrapped_content_key['KeyId'] = kek.get_kid()
-    wrapped_content_key['EncryptedKey'] = encode_base64(wrapped_cek)
-    wrapped_content_key['Algorithm'] = kek.get_key_wrap_algorithm()
+    wrapped_content_key["KeyId"] = kek.get_kid()
+    wrapped_content_key["EncryptedKey"] = encode_base64(wrapped_cek)
+    wrapped_content_key["Algorithm"] = kek.get_key_wrap_algorithm()
 
     encryption_agent = OrderedDict()
-    encryption_agent['Protocol'] = version
+    encryption_agent["Protocol"] = version
 
     if version == _ENCRYPTION_PROTOCOL_V1:
-        encryption_agent['EncryptionAlgorithm'] = _EncryptionAlgorithm.AES_CBC_256
+        encryption_agent["EncryptionAlgorithm"] = _EncryptionAlgorithm.AES_CBC_256
 
     elif version == _ENCRYPTION_PROTOCOL_V2:
-        encryption_agent['EncryptionAlgorithm'] = _EncryptionAlgorithm.AES_GCM_256
+        encryption_agent["EncryptionAlgorithm"] = _EncryptionAlgorithm.AES_GCM_256
 
         encrypted_region_info = OrderedDict()
-        encrypted_region_info['DataLength'] = _GCM_REGION_DATA_LENGTH
-        encrypted_region_info['NonceLength'] = _GCM_NONCE_LENGTH
+        encrypted_region_info["DataLength"] = _GCM_REGION_DATA_LENGTH
+        encrypted_region_info["NonceLength"] = _GCM_NONCE_LENGTH
 
     encryption_data_dict: TypedOrderedDict[str, Any] = OrderedDict()
-    encryption_data_dict['WrappedContentKey'] = wrapped_content_key
-    encryption_data_dict['EncryptionAgent'] = encryption_agent
+    encryption_data_dict["WrappedContentKey"] = wrapped_content_key
+    encryption_data_dict["EncryptionAgent"] = encryption_agent
     if version == _ENCRYPTION_PROTOCOL_V1:
-        encryption_data_dict['ContentEncryptionIV'] = encode_base64(iv)
+        encryption_data_dict["ContentEncryptionIV"] = encode_base64(iv)
     elif version == _ENCRYPTION_PROTOCOL_V2:
-        encryption_data_dict['EncryptedRegionInfo'] = encrypted_region_info
-    encryption_data_dict['KeyWrappingMetadata'] = OrderedDict({'EncryptionLibrary': 'Python ' + VERSION})
+        encryption_data_dict["EncryptedRegionInfo"] = encrypted_region_info
+    encryption_data_dict["KeyWrappingMetadata"] = OrderedDict({"EncryptionLibrary": "Python " + VERSION})
 
     return encryption_data_dict
 
@@ -554,43 +549,42 @@ def _dict_to_encryption_data(encryption_data_dict: Dict[str, Any]) -> _Encryptio
     :rtype: _EncryptionData
     """
     try:
-        protocol = encryption_data_dict['EncryptionAgent']['Protocol']
+        protocol = encryption_data_dict["EncryptionAgent"]["Protocol"]
         if protocol not in _VALID_ENCRYPTION_PROTOCOLS:
             raise ValueError("Unsupported encryption version.")
     except KeyError as exc:
         raise ValueError("Unsupported encryption version.") from exc
-    wrapped_content_key = encryption_data_dict['WrappedContentKey']
-    wrapped_content_key = _WrappedContentKey(wrapped_content_key['Algorithm'],
-                                             decode_base64_to_bytes(wrapped_content_key['EncryptedKey']),
-                                             wrapped_content_key['KeyId'])
-
-    encryption_agent = encryption_data_dict['EncryptionAgent']
-    encryption_agent = _EncryptionAgent(encryption_agent['EncryptionAlgorithm'],
-                                        encryption_agent['Protocol'])
-
-    if 'KeyWrappingMetadata' in encryption_data_dict:
-        key_wrapping_metadata = encryption_data_dict['KeyWrappingMetadata']
+    wrapped_content_key = encryption_data_dict["WrappedContentKey"]
+    wrapped_content_key = _WrappedContentKey(
+        wrapped_content_key["Algorithm"],
+        decode_base64_to_bytes(wrapped_content_key["EncryptedKey"]),
+        wrapped_content_key["KeyId"],
+    )
+
+    encryption_agent = encryption_data_dict["EncryptionAgent"]
+    encryption_agent = _EncryptionAgent(encryption_agent["EncryptionAlgorithm"], encryption_agent["Protocol"])
+
+    if "KeyWrappingMetadata" in encryption_data_dict:
+        key_wrapping_metadata = encryption_data_dict["KeyWrappingMetadata"]
     else:
         key_wrapping_metadata = None
 
     # AES-CBC only
     encryption_iv = None
-    if 'ContentEncryptionIV' in encryption_data_dict:
-        encryption_iv = decode_base64_to_bytes(encryption_data_dict['ContentEncryptionIV'])
+    if "ContentEncryptionIV" in encryption_data_dict:
+        encryption_iv = decode_base64_to_bytes(encryption_data_dict["ContentEncryptionIV"])
 
     # AES-GCM only
     region_info = None
-    if 'EncryptedRegionInfo' in encryption_data_dict:
-        encrypted_region_info = encryption_data_dict['EncryptedRegionInfo']
-        region_info = _EncryptedRegionInfo(encrypted_region_info['DataLength'],
-                                           encrypted_region_info['NonceLength'],
-                                           _GCM_TAG_LENGTH)
-
-    encryption_data = _EncryptionData(encryption_iv,
-                                      region_info,
-                                      encryption_agent,
-                                      wrapped_content_key,
-                                      key_wrapping_metadata)
+    if "EncryptedRegionInfo" in encryption_data_dict:
+        encrypted_region_info = encryption_data_dict["EncryptedRegionInfo"]
+        region_info = _EncryptedRegionInfo(
+            encrypted_region_info["DataLength"], encrypted_region_info["NonceLength"], _GCM_TAG_LENGTH
+        )
+
+    encryption_data = _EncryptionData(
+        encryption_iv, region_info, encryption_agent, wrapped_content_key, key_wrapping_metadata
+    )
 
     return encryption_data
 
@@ -614,7 +608,7 @@ def _generate_AES_CBC_cipher(cek: bytes, iv: bytes) -> Cipher:
 def _validate_and_unwrap_cek(
     encryption_data: _EncryptionData,
     key_encryption_key: Optional[KeyEncryptionKey] = None,
-    key_resolver: Optional[Callable[[str], KeyEncryptionKey]] = None
+    key_resolver: Optional[Callable[[str], KeyEncryptionKey]] = None,
 ) -> bytes:
     """
     Extracts and returns the content_encryption_key stored in the encryption_data object
@@ -636,15 +630,15 @@ def _validate_and_unwrap_cek(
     :rtype: bytes
     """
 
-    _validate_not_none('encrypted_key', encryption_data.wrapped_content_key.encrypted_key)
+    _validate_not_none("encrypted_key", encryption_data.wrapped_content_key.encrypted_key)
 
     # Validate we have the right info for the specified version
     if encryption_data.encryption_agent.protocol == _ENCRYPTION_PROTOCOL_V1:
-        _validate_not_none('content_encryption_IV', encryption_data.content_encryption_IV)
+        _validate_not_none("content_encryption_IV", encryption_data.content_encryption_IV)
     elif encryption_data.encryption_agent.protocol in _ENCRYPTION_V2_PROTOCOLS:
-        _validate_not_none('encrypted_region_info', encryption_data.encrypted_region_info)
+        _validate_not_none("encrypted_region_info", encryption_data.encrypted_region_info)
     else:
-        raise ValueError('Specified encryption version is not supported.')
+        raise ValueError("Specified encryption version is not supported.")
 
     content_encryption_key: Optional[bytes] = None
 
@@ -654,29 +648,29 @@ def _validate_and_unwrap_cek(
 
     if key_encryption_key is None:
         raise ValueError("Unable to decrypt. key_resolver and key_encryption_key cannot both be None.")
-    if not hasattr(key_encryption_key, 'get_kid') or not callable(key_encryption_key.get_kid):
-        raise AttributeError(_ERROR_OBJECT_INVALID.format('key encryption key', 'get_kid'))
-    if not hasattr(key_encryption_key, 'unwrap_key') or not callable(key_encryption_key.unwrap_key):
-        raise AttributeError(_ERROR_OBJECT_INVALID.format('key encryption key', 'unwrap_key'))
+    if not hasattr(key_encryption_key, "get_kid") or not callable(key_encryption_key.get_kid):
+        raise AttributeError(_ERROR_OBJECT_INVALID.format("key encryption key", "get_kid"))
+    if not hasattr(key_encryption_key, "unwrap_key") or not callable(key_encryption_key.unwrap_key):
+        raise AttributeError(_ERROR_OBJECT_INVALID.format("key encryption key", "unwrap_key"))
     if encryption_data.wrapped_content_key.key_id != key_encryption_key.get_kid():
-        raise ValueError('Provided or resolved key-encryption-key does not match the id of key used to encrypt.')
+        raise ValueError("Provided or resolved key-encryption-key does not match the id of key used to encrypt.")
     # Will throw an exception if the specified algorithm is not supported.
     content_encryption_key = key_encryption_key.unwrap_key(
-        encryption_data.wrapped_content_key.encrypted_key,
-        encryption_data.wrapped_content_key.algorithm)
+        encryption_data.wrapped_content_key.encrypted_key, encryption_data.wrapped_content_key.algorithm
+    )
 
     # For V2, the version is included with the cek. We need to validate it
     # and remove it from the actual cek.
     if encryption_data.encryption_agent.protocol in _ENCRYPTION_V2_PROTOCOLS:
-        version_2_bytes = encryption_data.encryption_agent.protocol.encode().ljust(8, b'\0')
-        cek_version_bytes = content_encryption_key[:len(version_2_bytes)]
+        version_2_bytes = encryption_data.encryption_agent.protocol.encode().ljust(8, b"\0")
+        cek_version_bytes = content_encryption_key[: len(version_2_bytes)]
         if cek_version_bytes != version_2_bytes:
-            raise ValueError('The encryption metadata is not valid and may have been modified.')
+            raise ValueError("The encryption metadata is not valid and may have been modified.")
 
         # Remove version from the start of the cek.
-        content_encryption_key = content_encryption_key[len(version_2_bytes):]
+        content_encryption_key = content_encryption_key[len(version_2_bytes) :]
 
-    _validate_not_none('content_encryption_key', content_encryption_key)
+    _validate_not_none("content_encryption_key", content_encryption_key)
 
     return content_encryption_key
 
@@ -685,7 +679,7 @@ def _decrypt_message(
     message: bytes,
     encryption_data: _EncryptionData,
     key_encryption_key: Optional[KeyEncryptionKey] = None,
-    resolver: Optional[Callable[[str], KeyEncryptionKey]] = None
+    resolver: Optional[Callable[[str], KeyEncryptionKey]] = None,
 ) -> bytes:
     """
     Decrypts the given ciphertext using AES256 in CBC mode with 128 bit padding.
@@ -710,7 +704,7 @@ def _decrypt_message(
     :return: The decrypted plaintext.
     :rtype: bytes
     """
-    _validate_not_none('message', message)
+    _validate_not_none("message", message)
     content_encryption_key = _validate_and_unwrap_cek(encryption_data, key_encryption_key, resolver)
 
     if encryption_data.encryption_agent.protocol == _ENCRYPTION_PROTOCOL_V1:
@@ -721,11 +715,11 @@ def _decrypt_message(
 
         # decrypt data
         decryptor = cipher.decryptor()
-        decrypted_data = (decryptor.update(message) + decryptor.finalize())
+        decrypted_data = decryptor.update(message) + decryptor.finalize()
 
         # unpad data
         unpadder = PKCS7(128).unpadder()
-        decrypted_data = (unpadder.update(decrypted_data) + unpadder.finalize())
+        decrypted_data = unpadder.update(decrypted_data) + unpadder.finalize()
 
     elif encryption_data.encryption_agent.protocol in _ENCRYPTION_V2_PROTOCOLS:
         block_info = encryption_data.encrypted_region_info
@@ -745,7 +739,7 @@ def _decrypt_message(
         decrypted_data = aesgcm.decrypt(nonce, ciphertext_with_tag, None)
 
     else:
-        raise ValueError('Specified encryption version is not supported.')
+        raise ValueError("Specified encryption version is not supported.")
 
     return decrypted_data
 
@@ -773,8 +767,8 @@ def encrypt_blob(blob: bytes, key_encryption_key: KeyEncryptionKey, version: str
     :rtype: (str, bytes)
     """
 
-    _validate_not_none('blob', blob)
-    _validate_not_none('key_encryption_key', key_encryption_key)
+    _validate_not_none("blob", blob)
+    _validate_not_none("key_encryption_key", key_encryption_key)
     _validate_key_encryption_key_wrap(key_encryption_key)
 
     if version == _ENCRYPTION_PROTOCOL_V1:
@@ -805,16 +799,16 @@ def encrypt_blob(blob: bytes, key_encryption_key: KeyEncryptionKey, version: str
     else:
         raise ValueError("Invalid encryption version specified.")
 
-    encryption_data = _generate_encryption_data_dict(key_encryption_key, content_encryption_key,
-                                                     initialization_vector, version)
-    encryption_data['EncryptionMode'] = 'FullBlob'
+    encryption_data = _generate_encryption_data_dict(
+        key_encryption_key, content_encryption_key, initialization_vector, version
+    )
+    encryption_data["EncryptionMode"] = "FullBlob"
 
     return dumps(encryption_data), encrypted_data
 
 
 def generate_blob_encryption_data(
-    key_encryption_key: Optional[KeyEncryptionKey],
-    version: str
+    key_encryption_key: Optional[KeyEncryptionKey], version: str
 ) -> Tuple[Optional[bytes], Optional[bytes], Optional[str]]:
     """
     Generates the encryption_metadata for the blob.
@@ -836,24 +830,23 @@ def generate_blob_encryption_data(
         # Initialization vector only needed for V1
         if version == _ENCRYPTION_PROTOCOL_V1:
             initialization_vector = os.urandom(16)
-        encryption_data_dict = _generate_encryption_data_dict(key_encryption_key,
-                                                         content_encryption_key,
-                                                         initialization_vector,
-                                                         version)
-        encryption_data_dict['EncryptionMode'] = 'FullBlob'
+        encryption_data_dict = _generate_encryption_data_dict(
+            key_encryption_key, content_encryption_key, initialization_vector, version
+        )
+        encryption_data_dict["EncryptionMode"] = "FullBlob"
         encryption_data = dumps(encryption_data_dict)
 
     return content_encryption_key, initialization_vector, encryption_data
 
 
 def decrypt_blob(  # pylint: disable=too-many-locals,too-many-statements
-        require_encryption: bool,
-        key_encryption_key: Optional[KeyEncryptionKey],
-        key_resolver: Optional[Callable[[str], KeyEncryptionKey]],
-        content: bytes,
-        start_offset: int,
-        end_offset: int,
-        response_headers: Dict[str, Any]
+    require_encryption: bool,
+    key_encryption_key: Optional[KeyEncryptionKey],
+    key_resolver: Optional[Callable[[str], KeyEncryptionKey]],
+    content: bytes,
+    start_offset: int,
+    end_offset: int,
+    response_headers: Dict[str, Any],
 ) -> bytes:
     """
     Decrypts the given blob contents and returns only the requested range.
@@ -885,39 +878,40 @@ def decrypt_blob(  # pylint: disable=too-many-locals,too-many-statements
     :rtype: bytes
     """
     try:
-        encryption_data = _dict_to_encryption_data(loads(response_headers['x-ms-meta-encryptiondata']))
+        encryption_data = _dict_to_encryption_data(loads(response_headers["x-ms-meta-encryptiondata"]))
     except Exception as exc:  # pylint: disable=broad-except
         if require_encryption:
             raise ValueError(
-                'Encryption required, but received data does not contain appropriate metadata.' + \
-                'Data was either not encrypted or metadata has been lost.') from exc
+                "Encryption required, but received data does not contain appropriate metadata."
+                + "Data was either not encrypted or metadata has been lost."
+            ) from exc
 
         return content
 
     algorithm = encryption_data.encryption_agent.encryption_algorithm
-    if algorithm not in(_EncryptionAlgorithm.AES_CBC_256, _EncryptionAlgorithm.AES_GCM_256):
-        raise ValueError('Specified encryption algorithm is not supported.')
+    if algorithm not in (_EncryptionAlgorithm.AES_CBC_256, _EncryptionAlgorithm.AES_GCM_256):
+        raise ValueError("Specified encryption algorithm is not supported.")
 
     version = encryption_data.encryption_agent.protocol
     if version not in _VALID_ENCRYPTION_PROTOCOLS:
-        raise ValueError('Specified encryption version is not supported.')
+        raise ValueError("Specified encryption version is not supported.")
 
     content_encryption_key = _validate_and_unwrap_cek(encryption_data, key_encryption_key, key_resolver)
 
     if version == _ENCRYPTION_PROTOCOL_V1:
-        blob_type = response_headers['x-ms-blob-type']
+        blob_type = response_headers["x-ms-blob-type"]
 
         iv: Optional[bytes] = None
         unpad = False
-        if 'content-range' in response_headers:
-            content_range = response_headers['content-range']
+        if "content-range" in response_headers:
+            content_range = response_headers["content-range"]
             # Format: 'bytes x-y/size'
 
             # Ignore the word 'bytes'
-            content_range = content_range.split(' ')
+            content_range = content_range.split(" ")
 
-            content_range = content_range[1].split('-')
-            content_range = content_range[1].split('/')
+            content_range = content_range[1].split("-")
+            content_range = content_range[1].split("/")
             end_range = int(content_range[0])
             blob_size = int(content_range[1])
 
@@ -934,7 +928,7 @@ def decrypt_blob(  # pylint: disable=too-many-locals,too-many-statements
             unpad = True
             iv = encryption_data.content_encryption_IV
 
-        if blob_type == 'PageBlob':
+        if blob_type == "PageBlob":
             unpad = False
 
         if iv is None:
@@ -948,7 +942,7 @@ def decrypt_blob(  # pylint: disable=too-many-locals,too-many-statements
             unpadder = PKCS7(128).unpadder()
             content = unpadder.update(content) + unpadder.finalize()
 
-        return content[start_offset: len(content) - end_offset]
+        return content[start_offset : len(content) - end_offset]
 
     if version in _ENCRYPTION_V2_PROTOCOLS:
         # We assume the content contains only full encryption regions
@@ -967,7 +961,7 @@ def decrypt_blob(  # pylint: disable=too-many-locals,too-many-statements
         while offset < total_size:
             # Process one encryption region at a time
             process_size = min(region_length, total_size)
-            encrypted_region = content[offset:offset + process_size]
+            encrypted_region = content[offset : offset + process_size]
 
             # First bytes are the nonce
             nonce = encrypted_region[:nonce_length]
@@ -982,13 +976,11 @@ def decrypt_blob(  # pylint: disable=too-many-locals,too-many-statements
         # Read the caller requested data from the decrypted content
         return decrypted_content[start_offset:end_offset]
 
-    raise ValueError('Specified encryption version is not supported.')
+    raise ValueError("Specified encryption version is not supported.")
 
 
 def get_blob_encryptor_and_padder(
-    cek: Optional[bytes],
-    iv: Optional[bytes],
-    should_pad: bool
+    cek: Optional[bytes], iv: Optional[bytes], should_pad: bool
 ) -> Tuple[Optional["AEADEncryptionContext"], Optional["PaddingContext"]]:
     encryptor = None
     padder = None
@@ -1022,13 +1014,13 @@ def encrypt_queue_message(message: str, key_encryption_key: KeyEncryptionKey, ve
     :rtype: str
     """
 
-    _validate_not_none('message', message)
-    _validate_not_none('key_encryption_key', key_encryption_key)
+    _validate_not_none("message", message)
+    _validate_not_none("key_encryption_key", key_encryption_key)
     _validate_key_encryption_key_wrap(key_encryption_key)
 
     # Queue encoding functions all return unicode strings, and encryption should
     # operate on binary strings.
-    message_as_bytes: bytes = message.encode('utf-8')
+    message_as_bytes: bytes = message.encode("utf-8")
 
     if version == _ENCRYPTION_PROTOCOL_V1:
         # AES256 CBC uses 256 bit (32 byte) keys and always with 16 byte blocks
@@ -1062,11 +1054,12 @@ def encrypt_queue_message(message: str, key_encryption_key: KeyEncryptionKey, ve
         raise ValueError("Invalid encryption version specified.")
 
     # Build the dictionary structure.
-    queue_message = {'EncryptedMessageContents': encode_base64(encrypted_data),
-                     'EncryptionData': _generate_encryption_data_dict(key_encryption_key,
-                                                                      content_encryption_key,
-                                                                      initialization_vector,
-                                                                      version)}
+    queue_message = {
+        "EncryptedMessageContents": encode_base64(encrypted_data),
+        "EncryptionData": _generate_encryption_data_dict(
+            key_encryption_key, content_encryption_key, initialization_vector, version
+        ),
+    }
 
     return dumps(queue_message)
 
@@ -1076,7 +1069,7 @@ def decrypt_queue_message(
     response: "PipelineResponse",
     require_encryption: bool,
     key_encryption_key: Optional[KeyEncryptionKey],
-    resolver: Optional[Callable[[str], KeyEncryptionKey]]
+    resolver: Optional[Callable[[str], KeyEncryptionKey]],
 ) -> str:
     """
     Returns the decrypted message contents from an EncryptedQueueMessage.
@@ -1106,22 +1099,22 @@ def decrypt_queue_message(
     try:
         deserialized_message: Dict[str, Any] = loads(message)
 
-        encryption_data = _dict_to_encryption_data(deserialized_message['EncryptionData'])
-        decoded_data = decode_base64_to_bytes(deserialized_message['EncryptedMessageContents'])
+        encryption_data = _dict_to_encryption_data(deserialized_message["EncryptionData"])
+        decoded_data = decode_base64_to_bytes(deserialized_message["EncryptedMessageContents"])
     except (KeyError, ValueError) as exc:
         # Message was not json formatted and so was not encrypted
         # or the user provided a json formatted message
         # or the metadata was malformed.
         if require_encryption:
             raise ValueError(
-                'Encryption required, but received message does not contain appropriate metatadata. ' + \
-                'Message was either not encrypted or metadata was incorrect.') from exc
+                "Encryption required, but received message does not contain appropriate metatadata. "
+                + "Message was either not encrypted or metadata was incorrect."
+            ) from exc
 
         return message
     try:
-        return _decrypt_message(decoded_data, encryption_data, key_encryption_key, resolver).decode('utf-8')
+        return _decrypt_message(decoded_data, encryption_data, key_encryption_key, resolver).decode("utf-8")
     except Exception as error:
         raise HttpResponseError(
-            message="Decryption failed.",
-            response=response, #type: ignore [arg-type]
-            error=error) from error
+            message="Decryption failed.", response=response, error=error  # type: ignore [arg-type]
+        ) from error