protegrity-ai-developer-python 1.2.1__py3-none-any.whl

appython/service/auth_provider.py

@@ -0,0 +1,273 @@
+"""
+Pluggable authentication providers for the Protegrity SDK.
+
+Each provider implements authenticate_request() to sign/authenticate outgoing
+HTTP requests according to a specific auth mechanism.
+"""
+
+import os
+import requests as http_requests
+
+from appython.utils.exceptions import InitializationError
+
+
+class AuthProvider:
+    """Base class for authentication providers."""
+
+    def authenticate_request(self, method, url, headers, body):
+        """Sign/authenticate an outgoing request.
+
+        Args:
+            method: HTTP method (e.g., "POST").
+            url: Full request URL.
+            headers: Existing headers dict (will be mutated).
+            body: Request body (dict).
+
+        Returns:
+            dict: Updated headers with auth credentials added.
+        """
+        raise NotImplementedError
+
+    def initialize(self):
+        """Perform any upfront auth (login, token fetch, etc.)."""
+        pass
+
+    def get_request_kwargs(self):
+        """Return extra kwargs to pass to requests.post() (e.g., cert for mTLS).
+
+        Returns:
+            dict: Extra keyword arguments for requests.
+        """
+        return {}
+
+
+class CognitoAuthProvider(AuthProvider):
+    """Authenticates via Cognito login (Developer Edition behavior).
+
+    Performs a login call to get a JWT token, then attaches
+    the JWT and API key to every request.
+    """
+
+    def __init__(self, config):
+        self._email = config.get("de_email")
+        self._password = config.get("de_password")
+        self._api_key = config.get("de_api_key")
+        self._protect_host = config.get("protect_host")
+        self._jwt_token = None
+
+    def initialize(self):
+        if not self._email or not self._password:
+            raise InitializationError(
+                err_msg="Authentication failed: Both DEV_EDITION_EMAIL and DEV_EDITION_PASSWORD must be provided."
+            )
+        if not self._api_key:
+            raise InitializationError(
+                err_msg="Authentication failed: DEV_EDITION_API_KEY must be provided."
+            )
+
+        headers = {
+            "Content-Type": "application/json",
+            "x-api-key": self._api_key,
+        }
+        login_url = f"{self._protect_host}/auth/login"
+        payload = {"email": self._email, "password": self._password}
+        # Cap the login call so a stalled DE auth endpoint does not hang init.
+        response = http_requests.post(login_url, json=payload, headers=headers, timeout=30)
+        if response.status_code != 200:
+            raise InitializationError(
+                err_msg=f"{response.json().get('error', 'Could not authenticate user.')}"
+            )
+        self._jwt_token = response.json().get("jwt_token", None)
+
+    def authenticate_request(self, method, url, headers, body):
+        headers["x-api-key"] = self._api_key
+        headers["Authorization"] = self._jwt_token
+        return headers
+
+
+class AWSIAMAuthProvider(AuthProvider):
+    """Authenticates requests using AWS SigV4 signing.
+
+    Requires botocore to be installed: pip install appython[aws]
+    """
+
+    def __init__(self, config):
+        self._protect_host = config.get("protect_host")
+        self._session = None
+        self._credentials = None
+        self._signer = None
+
+    def initialize(self):
+        try:
+            import botocore.session
+            import botocore.auth
+            import botocore.awsrequest
+        except ImportError:
+            raise InitializationError(
+                err_msg="aws_iam auth mode requires botocore. Install with: pip install appython[aws]"
+            )
+
+        session = botocore.session.get_session()
+        self._credentials = session.get_credentials()
+        if not self._credentials:
+            raise InitializationError(
+                err_msg="AWS credentials not found. Configure via AWS_PROFILE, "
+                "AWS_ACCESS_KEY_ID/AWS_SECRET_ACCESS_KEY, or instance role."
+            )
+        self._credentials = self._credentials.get_frozen_credentials()
+
+    def authenticate_request(self, method, url, headers, body):
+        import botocore.auth
+        import botocore.awsrequest
+        import json
+
+        # Build an AWSRequest for signing
+        body_bytes = json.dumps(body).encode("utf-8") if isinstance(body, dict) else body
+        aws_request = botocore.awsrequest.AWSRequest(
+            method=method, url=url, headers=headers, data=body_bytes
+        )
+
+        # Sign with SigV4 for execute-api service
+        signer = botocore.auth.SigV4Auth(self._credentials, "execute-api", self._region)
+        signer.add_auth(aws_request)
+
+        # Copy signed headers back
+        headers.update(dict(aws_request.headers))
+        return headers
+
+    @property
+    def _region(self):
+        """Extract region from the protect host URL or fall back to env/default."""
+        # Try to extract from URL like https://xxx.execute-api.us-east-1.amazonaws.com/...
+        host = self._protect_host or ""
+        parts = host.split(".")
+        for i, part in enumerate(parts):
+            if part == "execute-api" and i + 1 < len(parts):
+                return parts[i + 1]
+        # AWS_REGION is set by Lambda and honored by boto3/awscli;
+        # AWS_DEFAULT_REGION is the older variant. Accept either.
+        return os.getenv("AWS_DEFAULT_REGION") or os.getenv("AWS_REGION") or "us-east-1"
+
+
+class BearerTokenAuthProvider(AuthProvider):
+    """Authenticates with a Bearer token (static or fetched via OAuth2 client_credentials)."""
+
+    def __init__(self, config):
+        self._static_token = config.get("static_token")
+        self._token_endpoint = config.get("token_endpoint")
+        self._client_id = config.get("client_id")
+        self._client_secret = config.get("client_secret")
+        self._access_token = None
+
+    def initialize(self):
+        if self._static_token:
+            self._access_token = self._static_token
+            return
+
+        if not self._token_endpoint:
+            raise InitializationError(
+                err_msg="bearer_token mode requires PTY_STATIC_TOKEN or "
+                "PTY_TOKEN_ENDPOINT + PTY_CLIENT_ID + PTY_CLIENT_SECRET."
+            )
+        self._fetch_token()
+
+    def _fetch_token(self):
+        """Fetch access token from OAuth2 token endpoint using client_credentials grant."""
+        data = {
+            "grant_type": "client_credentials",
+            "client_id": self._client_id,
+            "client_secret": self._client_secret,
+        }
+        response = http_requests.post(
+            self._token_endpoint,
+            data=data,
+            headers={"Content-Type": "application/x-www-form-urlencoded"},
+            timeout=30,
+        )
+        if response.status_code != 200:
+            raise InitializationError(
+                err_msg=f"Failed to fetch OAuth2 token: {response.status_code} {response.text}"
+            )
+        self._access_token = response.json().get("access_token")
+
+    def authenticate_request(self, method, url, headers, body):
+        headers["Authorization"] = f"Bearer {self._access_token}"
+        return headers
+
+
+class NoneAuthProvider(AuthProvider):
+    """No authentication — for internal/trusted networks."""
+
+    def __init__(self, config):
+        pass
+
+    def authenticate_request(self, method, url, headers, body):
+        return headers
+
+
+class MTLSAuthProvider(AuthProvider):
+    """Mutual TLS authentication via client certificates.
+
+    Auth is at the TLS layer, not HTTP headers.
+    """
+
+    def __init__(self, config):
+        self._client_cert = config.get("client_cert")
+        self._client_key = config.get("client_key")
+        self._ca_cert = config.get("ca_cert")
+
+    def initialize(self):
+        if not self._client_cert or not self._client_key:
+            raise InitializationError(
+                err_msg="mtls mode requires PTY_CLIENT_CERT and PTY_CLIENT_KEY."
+            )
+
+    def authenticate_request(self, method, url, headers, body):
+        # mTLS auth is at TLS handshake layer — no header changes needed
+        return headers
+
+    def get_request_kwargs(self):
+        kwargs = {"cert": (self._client_cert, self._client_key)}
+        if self._ca_cert:
+            kwargs["verify"] = self._ca_cert
+        return kwargs
+
+
+# Registry of auth mode string → provider class
+_PROVIDER_REGISTRY = {
+    "cognito": CognitoAuthProvider,
+    "aws_iam": AWSIAMAuthProvider,
+    "bearer_token": BearerTokenAuthProvider,
+    "none": NoneAuthProvider,
+    "mtls": MTLSAuthProvider,
+}
+
+
+def create_auth_provider(config):
+    """Factory: create and initialize the appropriate auth provider from config.
+
+    Args:
+        config: Configuration dict from load_config().
+
+    Returns:
+        AuthProvider: An initialized auth provider instance.
+
+    Raises:
+        InitializationError: If auth mode is missing or invalid.
+    """
+    auth_mode = config.get("auth_mode")
+    if not auth_mode:
+        raise InitializationError(
+            err_msg="Cannot determine auth mode. Set PTY_AUTH_MODE or provide DEV_EDITION_* variables."
+        )
+
+    provider_class = _PROVIDER_REGISTRY.get(auth_mode)
+    if not provider_class:
+        valid_modes = ", ".join(_PROVIDER_REGISTRY.keys())
+        raise InitializationError(
+            err_msg=f"Invalid PTY_AUTH_MODE='{auth_mode}'. Valid modes: {valid_modes}"
+        )
+
+    provider = provider_class(config)
+    provider.initialize()
+    return provider

appython/service/auth_token_provider.py

@@ -0,0 +1,45 @@
+"""
+This module provides the AuthTokenProvider class, which is responsible for authenticating user credentials
+and retrieving JWT tokens from the authentication endpoint.
+"""
+
+import os
+import requests
+from appython.utils.constants import HOST as host
+
+
+class AuthTokenProvider:
+    def get_jwt_token(email: str, password: str,api_key:str):
+        """
+        Authenticate user credentials and retrieve a JWT token.
+
+        This method sends a POST request to the authentication endpoint with the provided
+        email and password credentials. Upon successful authentication, it returns the
+        server response containing the JWT token and related authentication data.
+
+        Args:
+            email (str): User's email address for authentication.
+            password (str): User's password for authentication.
+
+        Returns:
+            requests.Response: HTTP response object from the authentication request.
+                - On success (200): Contains JWT token in response body
+                - On failure (401, 403, etc.): Contains error details
+
+        Raises:
+            requests.exceptions.RequestException: If the HTTP request fails due to network issues.
+            requests.exceptions.ConnectionError: If unable to connect to the authentication server.
+            requests.exceptions.Timeout: If the request times out.
+        """
+        runtime_host = os.getenv('DEV_EDITION_HOST', host)
+        headers = {
+            "Content-Type": "application/json",
+            "x-api-key": api_key,
+        }
+        base_url = f"https://{runtime_host}/auth/login"
+        payload = {"email": email, "password": password}
+        # Bound the login call so a hung auth endpoint does not stall SDK init.
+        # Retries are intentionally NOT applied here — auth errors are usually
+        # credential issues, not transient, and we do not want to amplify them.
+        response = requests.post(base_url, json=payload, headers=headers, timeout=30)
+        return response

appython/service/config.py

@@ -0,0 +1,209 @@
+"""
+SDK configuration loader.
+
+Resolution order (highest priority wins):
+1. Environment variables (PTY_*, DEV_EDITION_*, AWS_*)
+2. Config file (~/.protegrity/config.yaml or PTY_CONFIG_FILE path)
+3. Built-in defaults
+"""
+
+import os
+import stat
+import sys
+from pathlib import Path
+
+_DEFAULTS = {
+    "version": "1",
+    "request_timeout": "30",
+    "max_retries": "3",
+}
+
+# Legacy DE host
+_DE_HOST = "api.developer-edition.protegrity.com"
+
+# Keys that hold secrets-at-rest. Dropped from file_config if the file is
+# group/world readable (POSIX). Mirrors `~/.pgpass` behavior.
+_SECRET_FILE_KEYS = ("static_token", "client_secret")
+
+
+def _file_is_secure(path):
+    """True if `path` is readable only by the owner (mode & 077 == 0).
+
+    On Windows we can't check POSIX bits, so we trust the filesystem ACL.
+    """
+    try:
+        mode = os.stat(path).st_mode
+    except OSError:
+        return False
+    if os.name == "nt":
+        return True
+    return (mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0
+
+
+def _load_file_config():
+    """Load optional YAML config file. Returns empty dict if not found or yaml unavailable.
+
+    Secret-bearing keys (see `_SECRET_FILE_KEYS`) are dropped with a stderr
+    warning if the file is group/world readable. Non-secret keys are still
+    returned so the rest of the SDK config keeps working.
+    """
+    config_path = os.getenv(
+        "PTY_CONFIG_FILE", str(Path.home() / ".protegrity" / "config.yaml")
+    )
+    if not Path(config_path).is_file():
+        return {}
+    try:
+        import yaml
+
+        with open(config_path) as f:
+            cfg = yaml.safe_load(f) or {}
+    except ImportError:
+        return {}
+
+    if not _file_is_secure(config_path):
+        for k in _SECRET_FILE_KEYS:
+            if k in cfg:
+                print(
+                    f"  ⚠ Refusing to read '{k}' from {config_path}: file is "
+                    f"group/world readable. Run: chmod 600 {config_path}",
+                    file=sys.stderr,
+                )
+                cfg.pop(k, None)
+    return cfg
+
+
+def _resolve(env_var, file_config, file_key, default=None):
+    """Resolve a config value: env > file > default."""
+    return os.getenv(env_var) or file_config.get(file_key) or _DEFAULTS.get(file_key) or default
+
+
+def _detect_auth_mode():
+    """Auto-detect auth mode from environment when PTY_AUTH_MODE is not set."""
+    # If legacy DE vars are present, use cognito
+    if os.getenv("DEV_EDITION_EMAIL") and os.getenv("DEV_EDITION_PASSWORD"):
+        return "cognito"
+
+    # If PTY_CP_HOST is set, try to detect further
+    if os.getenv("PTY_CP_HOST"):
+        # Check for AWS credentials
+        if (
+            os.getenv("AWS_ACCESS_KEY_ID")
+            or os.getenv("AWS_PROFILE")
+            or os.getenv("AWS_SESSION_TOKEN")
+        ):
+            return "aws_iam"
+
+    return None
+
+
+def _check_env_conflicts(file_config):
+    """Raise early if environment variables indicate conflicting auth configurations."""
+    explicit_mode = _resolve("PTY_AUTH_MODE", file_config, "auth_mode")
+    has_de_vars = bool(os.getenv("DEV_EDITION_EMAIL") and os.getenv("DEV_EDITION_PASSWORD"))
+    has_aws_creds = bool(
+        os.getenv("AWS_ACCESS_KEY_ID") or os.getenv("AWS_PROFILE")
+    )
+    has_te_host = bool(os.getenv("PTY_CP_HOST") or file_config.get("protect_host"))
+
+    # Conflict: PTY_AUTH_MODE=aws_iam but no PTY_CP_HOST
+    if explicit_mode == "aws_iam" and not has_te_host:
+        msg = (
+            "PTY_AUTH_MODE=aws_iam but PTY_CP_HOST is not set. "
+            "The SDK cannot use SigV4 without a Team Edition endpoint. "
+        )
+        if has_de_vars:
+            msg += (
+                "To use Developer Edition, unset: PTY_AUTH_MODE, AWS_ACCESS_KEY_ID, "
+                "AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN, AWS_PROFILE"
+            )
+        else:
+            msg += "Set PTY_CP_HOST to your Team Edition endpoint."
+        raise EnvironmentError(msg)
+
+    # Warning: explicit aws_iam but DE vars also present (leftover from previous session)
+    if explicit_mode == "aws_iam" and has_te_host and has_de_vars:
+        import warnings
+        warnings.warn(
+            "PTY_AUTH_MODE=aws_iam but Developer Edition variables are also set "
+            "(DEV_EDITION_*). These will be ignored. "
+            "To silence this warning, unset: DEV_EDITION_EMAIL, "
+            "DEV_EDITION_PASSWORD, DEV_EDITION_API_KEY.",
+            stacklevel=2,
+        )
+
+    # Warning: explicit cognito but TE vars also present (leftover from previous session)
+    if explicit_mode == "cognito" and has_aws_creds and has_te_host:
+        import warnings
+        warnings.warn(
+            "PTY_AUTH_MODE=cognito but Team Edition variables are also set "
+            "(PTY_CP_HOST, AWS credentials). These will be ignored. "
+            "To silence this warning, unset: PTY_CP_HOST, AWS_ACCESS_KEY_ID, "
+            "AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN, AWS_PROFILE.",
+            stacklevel=2,
+        )
+
+    # Conflict: both DE and TE credentials present without explicit mode
+    if not explicit_mode and has_de_vars and has_aws_creds and has_te_host:
+        raise EnvironmentError(
+            "Conflicting credentials: both DEV_EDITION_* and AWS/PTY_CP_HOST variables are set. "
+            "To use Team Edition, unset: DEV_EDITION_EMAIL, DEV_EDITION_PASSWORD, DEV_EDITION_API_KEY. "
+            "To use Developer Edition, unset: PTY_CP_HOST, AWS_ACCESS_KEY_ID, "
+            "AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN, AWS_PROFILE."
+        )
+
+
+def load_config():
+    """Load SDK configuration with resolution order: env > file > defaults.
+
+    Returns:
+        dict: Resolved configuration dictionary.
+
+    Raises:
+        EnvironmentError: If conflicting credential variables are detected.
+    """
+    file_config = _load_file_config()
+
+    # Detect conflicting environment variables early
+    _check_env_conflicts(file_config)
+
+    auth_mode = _resolve("PTY_AUTH_MODE", file_config, "auth_mode")
+    if not auth_mode:
+        auth_mode = _detect_auth_mode()
+
+    protect_host = _resolve("PTY_CP_HOST", file_config, "protect_host")
+
+    # Backward compat: if no PTY_CP_HOST but DE vars exist, build from DE host
+    if not protect_host and auth_mode == "cognito":
+        runtime_host = os.getenv("DEV_EDITION_HOST", _DE_HOST)
+        protect_host = f"https://{runtime_host}"
+
+    return {
+        "protect_host": protect_host,
+        "auth_mode": auth_mode,
+        "version": _resolve("PTY_API_VERSION", file_config, "version", "1"),
+        "request_timeout": int(
+            _resolve("PTY_REQUEST_TIMEOUT", file_config, "request_timeout", "30")
+        ),
+        "max_retries": int(
+            _resolve("PTY_MAX_RETRIES", file_config, "max_retries", "3")
+        ),
+        # Bearer token mode
+        "token_endpoint": _resolve("PTY_TOKEN_ENDPOINT", file_config, "token_endpoint"),
+        "client_id": _resolve("PTY_CLIENT_ID", file_config, "client_id"),
+        "client_secret": _resolve("PTY_CLIENT_SECRET", file_config, "client_secret"),
+        "static_token": _resolve("PTY_STATIC_TOKEN", file_config, "static_token"),
+        # mTLS mode
+        "client_cert": _resolve("PTY_CLIENT_CERT", file_config, "client_cert"),
+        "client_key": _resolve("PTY_CLIENT_KEY", file_config, "client_key"),
+        "ca_cert": _resolve("PTY_CA_CERT", file_config, "ca_cert"),
+        # pty-migrate CLI settings (PPC admin endpoint; passwords stay env-only)
+        "ppc_host": _resolve("PTY_PPC_HOST", file_config, "ppc_host"),
+        "ppc_user": _resolve("PTY_PPC_USER", file_config, "ppc_user"),
+        "ppc_port": _resolve("PTY_PPC_PORT", file_config, "ppc_port"),
+        "workbench_user": _resolve("PTY_WORKBENCH_USER", file_config, "workbench_user"),
+        "stats_file": _resolve("PTY_STATS_FILE", file_config, "stats_file"),
+        # Legacy DE vars (for cognito provider)
+        "de_email": os.getenv("DEV_EDITION_EMAIL"),
+        "de_password": os.getenv("DEV_EDITION_PASSWORD"),
+        "de_api_key": os.getenv("DEV_EDITION_API_KEY"),
+    }

appython/service/payload_builder.py

@@ -0,0 +1,141 @@
+"""
+This module provides the PayloadBuilder class, which constructs the payload for API requests
+based on the operation type (PROTECT, UNPROTECT, REPROTECT).
+"""
+import os
+from appython.utils.constants import (
+    ErrorMessage, 
+    OP_TYPE as op_type,
+    HOST as host,
+    VERSION as version,
+    LOG_RETURN_CODE_UNSUPPORTED as log_return_code
+)
+
+def get_base_url(operation_type: str, config=None) -> str:
+    """
+    Constructs the base URL for the API endpoint based on the operation type.
+
+    Parameters:
+        operation_type (str): The type of operation (e.g., 'PROTECT', 'UNPROTECT', 'REPROTECT').
+        config (dict, optional): SDK config dict. If provided, uses protect_host and version from it.
+
+    Returns:
+        str: The constructed base URL for the API call.
+    """
+    if config and config.get("protect_host"):
+        # New config-driven path: PTY_CP_HOST already includes scheme + domain + base path
+        protect_host = config["protect_host"].rstrip("/")
+        api_version = config.get("version", "1")
+        return f"{protect_host}/v{api_version}/{operation_type}"
+
+    # Legacy path: build from DEV_EDITION_HOST
+    runtime_host = os.getenv('DEV_EDITION_HOST', host)
+    runtime_version = os.getenv('DEV_EDITION_VERSION', version)
+
+    return f"https://{runtime_host}/v{runtime_version}/{operation_type}"
+
+
+class PayloadBuilder:
+    def build_api_request(input: dict, arguments: dict, operation_type: str, config=None):
+        """
+        Builds the API request payload and return type metadata for a given data protection operation.
+
+        This method constructs a structured payload for the PROTECT, UNPROTECT, or REPROTECT operations,
+        including user info, data, data elements, encoding type, and optional IVs or tweaks. It also prepares
+        a return type template that describes how the response should be interpreted.
+
+        Parameters:
+            input (dict): Contains the input data, its type, charset, and whether it's bulk.
+            arguments (dict): Contains operation parameters such as user, data element, response type, and optional IVs.
+            operation_type (str): The type of operation being performed ('PROTECT', 'UNPROTECT', or 'REPROTECT').
+
+        Returns:
+            tuple: A tuple containing:
+                - payload_template (dict): The structured payload for the API request.
+                - return_type_template (dict): Metadata describing how to interpret the API response.
+                - url (str): The full API endpoint URL for the operation.
+
+        Raises:
+            Exception: If required parameters are missing, types are invalid, or unsupported operation types are used.
+        """
+
+        payload_template = {
+            "user": None,
+            "encoding": "utf8",
+            "data_element": None,
+            "data": [],
+            "external_iv": None,
+        }
+
+        return_type_template = {
+            "is_bulk": None,
+            "response_type": None,
+            "type": None,
+            "charset": None,
+            "isENC": False,
+        }
+
+        parameters = arguments["parameters"]
+        data_element = parameters["data_element"]
+        response_type = parameters["response_type"]
+ 
+        if "ENC" in data_element:
+            if op_type[operation_type] in ("PROTECT", "REPROTECT"):
+                if response_type != bytes:
+                    raise Exception(f"26, {log_return_code[26]}")
+            else:
+                if input["input_datatype"] != bytes:
+                    raise Exception(f"26, {log_return_code[26]}")
+
+        if "text" in data_element or "BYTE" in data_element:
+            return_type_template["isENC"] = True
+            payload_template["encoding"] = "base64"
+
+        if op_type[operation_type] in ("PROTECT", "UNPROTECT"):
+            payload_template["user"] = parameters["user"]
+            payload_template["data_element"] = data_element
+
+            if input["is_bulk"] is False:
+                payload_template["data"].append(input["data"])
+            elif input["is_bulk"] is True:
+                payload_template["data"] = input["data"]
+            else:
+                raise Exception(ErrorMessage.ERROR_SETTING_DATA.value)
+
+            return_type_template["type"] = input["type"]
+
+            if "external_iv" in parameters:
+                payload_template["external_iv"] = parameters["external_iv"]
+
+        elif op_type[operation_type] == "REPROTECT":
+            payload_template["user"] = parameters["user"]
+            payload_template["old_data_element"] = data_element
+            payload_template["data_element"] = parameters[
+                "new_data_element"
+            ]
+
+            if input["is_bulk"] is False:
+                payload_template["data"].append(input["data"])
+            elif input["is_bulk"] is True:
+                payload_template["data"] = input["data"]
+            else:
+                raise Exception(ErrorMessage.ERROR_SETTING_DATA.value)
+
+            return_type_template["type"] = input["type"]
+
+            if "old_external_iv_str" in parameters:
+                payload_template["old_external_iv"] = parameters[
+                    "old_external_iv_str"
+                ]
+            if "new_external_iv" in parameters:
+                payload_template["external_iv"] = parameters[
+                    "new_external_iv"
+                ]
+        else:
+            raise Exception(ErrorMessage.UNSUPPORTED_OPS_TYPE.value)
+
+        return_type_template["is_bulk"] = input["is_bulk"]
+        return_type_template["response_type"] = response_type
+        return_type_template["charset"] = input["charset"]
+
+        return payload_template, return_type_template, get_base_url(operation_type, config)