[CosmosDB] Adds support to allow partition key and id paths to be part of client encryption policy. (Azure#18633)

kr-santosh · BethanyZhou · VeryEarly · web-flow · commit 8b22c860968f · 2022-06-27T15:02:33.000+08:00
* Support client encryption policy during container creation

* Update SqlOperationsTests.ps1

* Update New-AzCosmosDBSqlContainer.md

* Update PSClientEncryptionPolicy.cs

* Update NewAzCosmosDBSqlContainer.cs

* Update ChangeLog.md

* Updated package.

* Update CosmosDB.Test.csproj

* Updated example, session records.

* updated session records.

* Fixes update container command on containers with client encryption policy.

* Update ChangeLog.md

* Update ChangeLog.md

* Support partition key and id paths to be part of client encryption policy

* Update ChangeLog.md

* Update New-AzCosmosDBSqlContainer.md

* Update PSClientEncryptionPolicy.cs

* Update src/CosmosDB/CosmosDB/ChangeLog.md

Co-authored-by: Beisi Zhou &lt;zhoubeisi@gmail.com&gt;

Co-authored-by: Beisi Zhou &lt;zhoubeisi@gmail.com&gt;
Co-authored-by: Yabo Hu &lt;yabhu@microsoft.com&gt;
diff --git a/src/CosmosDB/CosmosDB/ChangeLog.md b/src/CosmosDB/CosmosDB/ChangeLog.md
@@ -19,6 +19,7 @@
 -->
 
 ## Upcoming Release
+* Added support for partition key and id paths to be part of client encryption policy.
 * Fixed bug related to Update-AzCosmosDBSqlContainer command on containers with Client Encryption Policy.
 
 ## Version 1.9.0
diff --git a/src/CosmosDB/CosmosDB/Models/PSClientEncryptionPolicy.cs b/src/CosmosDB/CosmosDB/Models/PSClientEncryptionPolicy.cs
@@ -36,7 +36,7 @@ public PSClientEncryptionPolicy(ClientEncryptionPolicy clientEncryptionPolicy)
 
             if (ModelHelper.IsNotNullOrEmpty(clientEncryptionPolicy.IncludedPaths))
             {
-                PSClientEncryptionPolicy.ValidateIncludedPaths(clientEncryptionPolicy.IncludedPaths);
+                PSClientEncryptionPolicy.ValidateIncludedPaths(clientEncryptionPolicy.IncludedPaths, (int)clientEncryptionPolicy.PolicyFormatVersion);
 
                 IncludedPaths = new List<PSClientEncryptionIncludedPath>();
                 foreach (ClientEncryptionIncludedPath key in clientEncryptionPolicy.IncludedPaths)
@@ -87,9 +87,12 @@ public static ClientEncryptionPolicy ToSDKModel(PSClientEncryptionPolicy pSClien
                 }
             }
 
-            PSClientEncryptionPolicy.ValidatePartitionKeyPathsAreNotEncrypted(clientEncryptionPolicy.IncludedPaths, partitionKeyPathTokens);
+            PSClientEncryptionPolicy.ValidatePartitionKeyPathsAreNotEncrypted(
+                clientEncryptionPolicy.IncludedPaths,
+                partitionKeyPathTokens,
+                pSClientEncryptionPolicy.PolicyFormatVersion);
 
-            if(clientEncryptionPolicy.PolicyFormatVersion != 1)
+            if(clientEncryptionPolicy.PolicyFormatVersion < 1 || clientEncryptionPolicy.PolicyFormatVersion > 2)
             {
                 throw new InvalidOperationException($"Invalid PolicyFormatVersion:{clientEncryptionPolicy.PolicyFormatVersion} used in Client Encryption Policy. ");
             }
@@ -102,26 +105,44 @@ public static ClientEncryptionPolicy ToSDKModel(PSClientEncryptionPolicy pSClien
         /// </summary>
         /// <param name="clientEncryptionIncludedPath">Included paths of the client encryption policy.</param>
         /// <param name="partitionKeyPathTokens">Tokens corresponding to validated partition key.</param>
-        private static void ValidatePartitionKeyPathsAreNotEncrypted(IEnumerable<ClientEncryptionIncludedPath> clientEncryptionIncludedPath, List<string> partitionKeyPathTokens)
+        /// <param name="policyFormatVersion">Client encryption policy format version.</param>
+        private static void ValidatePartitionKeyPathsAreNotEncrypted(
+            IEnumerable<ClientEncryptionIncludedPath> clientEncryptionIncludedPath,
+            List<string> partitionKeyPathTokens,
+            int policyFormatVersion)
         {
             Debug.Assert(partitionKeyPathTokens != null);
-            IEnumerable<string> propertiesToEncrypt = clientEncryptionIncludedPath.Select(p => p.Path.Substring(1));
+
             foreach (string tokenInPath in partitionKeyPathTokens)
             {
-                Debug.Assert(String.IsNullOrEmpty(tokenInPath));                
-                if (propertiesToEncrypt.Contains(tokenInPath.Substring(1)))
+                Debug.Assert(String.IsNullOrEmpty(tokenInPath));
+
+                string topLevelPath = tokenInPath.Split('/')[1];
+                // paths in included paths start with "/". Get the ClientEncryptionIncludedPath and validate.
+                IEnumerable<ClientEncryptionIncludedPath> encryptedPartitionKeyPath = clientEncryptionIncludedPath.Where(p => p.Path.Substring(1).Equals(topLevelPath));
+
+                if (encryptedPartitionKeyPath.Any())
                 {
-                    throw new ArgumentException($"Paths which are part of the partition key({tokenInPath}) may not be included in the Client Encryption Policy. ");
+                    if (policyFormatVersion < 2)
+                    {
+                        throw new ArgumentException($"Path: {encryptedPartitionKeyPath.Select(et => et.Path).FirstOrDefault()} which is part of the partition key cannot be encrypted with PolicyFormatVersion: {policyFormatVersion}. Please use PolicyFormatVersion: 2. ");
+                    }
+
+                    // for the ClientEncryptionIncludedPath found check the encryption type.
+                    if (encryptedPartitionKeyPath.Select(et => et.EncryptionType).FirstOrDefault() != "Deterministic")
+                    {
+                        throw new ArgumentException($"Path: {encryptedPartitionKeyPath.Select(et => et.Path).FirstOrDefault()} which is part of the partition key has to be encrypted with Deterministic type Encryption.");
+                    }
                 }
             }
         }
 
-        private static void ValidateIncludedPaths(IEnumerable<ClientEncryptionIncludedPath> clientEncryptionIncludedPath)
+        private static void ValidateIncludedPaths(IEnumerable<ClientEncryptionIncludedPath> clientEncryptionIncludedPath, int policyFormatVersion)
         {
             List<string> includedPathsList = new List<string>();
             foreach (ClientEncryptionIncludedPath path in clientEncryptionIncludedPath)
             {
-                PSClientEncryptionPolicy.ValidateClientEncryptionIncludedPath(path);
+                PSClientEncryptionPolicy.ValidateClientEncryptionIncludedPath(path, policyFormatVersion);
                 if (includedPathsList.Contains(path.Path))
                 {
                     throw new ArgumentException($"Duplicate Path({path.Path}) found.", nameof(clientEncryptionIncludedPath));
@@ -131,7 +152,7 @@ private static void ValidateIncludedPaths(IEnumerable<ClientEncryptionIncludedPa
             }
         }
 
-        private static void ValidateClientEncryptionIncludedPath(ClientEncryptionIncludedPath clientEncryptionIncludedPath)
+        private static void ValidateClientEncryptionIncludedPath(ClientEncryptionIncludedPath clientEncryptionIncludedPath, int policyFormatVersion)
         {
             if (clientEncryptionIncludedPath == null)
             {
@@ -144,8 +165,7 @@ private static void ValidateClientEncryptionIncludedPath(ClientEncryptionInclude
             }
 
             if (clientEncryptionIncludedPath.Path[0] != '/'
-                || clientEncryptionIncludedPath.Path.LastIndexOf('/') != 0
-                || string.Equals(clientEncryptionIncludedPath.Path.Substring(1), "id"))
+                || clientEncryptionIncludedPath.Path.LastIndexOf('/') != 0)
             {
                 throw new ArgumentException($"Invalid path '{clientEncryptionIncludedPath.Path ?? string.Empty}'.");
             }
@@ -160,6 +180,19 @@ private static void ValidateClientEncryptionIncludedPath(ClientEncryptionInclude
                 throw new ArgumentNullException(nameof(clientEncryptionIncludedPath.EncryptionType));
             }
 
+            if (string.Equals(clientEncryptionIncludedPath.Path.Substring(1), "id"))
+            {
+                if (policyFormatVersion < 2)
+                {
+                    throw new ArgumentException($"Path: {clientEncryptionIncludedPath.Path} cannot be encrypted with PolicyFormatVersion: {policyFormatVersion}. Please use PolicyFormatVersion: 2. ");
+                }
+
+                if (clientEncryptionIncludedPath.EncryptionType != "Deterministic")
+                {
+                    throw new ArgumentException($"Only Deterministic encryption type is supported for path: {clientEncryptionIncludedPath.Path}. ");
+                }
+            }
+
             if (!string.Equals(clientEncryptionIncludedPath.EncryptionType, "Deterministic") &&
                 !string.Equals(clientEncryptionIncludedPath.EncryptionType, "Randomized"))
             {
diff --git a/src/CosmosDB/CosmosDB/Models/Sql/PSSqlClientEncryptionPolicy.cs b/src/CosmosDB/CosmosDB/Models/Sql/PSSqlClientEncryptionPolicy.cs
@@ -12,6 +12,7 @@
 // limitations under the License.
 // ----------------------------------------------------------------------------------
 using Microsoft.Azure.Management.CosmosDB.Models;
+using System;
 
 namespace Microsoft.Azure.Commands.CosmosDB.Models
 {
@@ -20,15 +21,28 @@ public class PSSqlClientEncryptionPolicy : PSClientEncryptionPolicy
     {
         public PSSqlClientEncryptionPolicy() : base()
         {
-        }        
+        }
 
-        public PSSqlClientEncryptionPolicy(ClientEncryptionPolicy clientEncryptionPolicy) : base(PSSqlClientEncryptionPolicy.SetSupportedPolicyVersionOnClientEncryptionPolicy(clientEncryptionPolicy))
+        public PSSqlClientEncryptionPolicy(ClientEncryptionPolicy clientEncryptionPolicy) : base(PSSqlClientEncryptionPolicy.SetSupportedPolicyVersionOnClientEncryptionPolicy(clientEncryptionPolicy, clientEncryptionPolicy.PolicyFormatVersion))
         {
         }
 
-        private static ClientEncryptionPolicy SetSupportedPolicyVersionOnClientEncryptionPolicy(ClientEncryptionPolicy clientEncryptionPolicy)
+        private static ClientEncryptionPolicy SetSupportedPolicyVersionOnClientEncryptionPolicy(ClientEncryptionPolicy clientEncryptionPolicy, int? policyFormatVersion = null)
         {
-            clientEncryptionPolicy.PolicyFormatVersion = 1;
+            if (policyFormatVersion == null)
+            {
+                clientEncryptionPolicy.PolicyFormatVersion = 1;
+            }
+            else
+            {
+                if(policyFormatVersion > 2 || policyFormatVersion < 1)
+                {
+                    throw new ArgumentException($"Supported versions of client encryption policy are 1 and 2. ");
+                }
+
+                clientEncryptionPolicy.PolicyFormatVersion = policyFormatVersion;
+            }
+
             return clientEncryptionPolicy;
         }
     }
diff --git a/src/CosmosDB/CosmosDB/help/New-AzCosmosDBSqlContainer.md b/src/CosmosDB/CosmosDB/help/New-AzCosmosDBSqlContainer.md
@@ -57,15 +57,14 @@ Resource : Microsoft.Azure.Commands.CosmosDB.Models.PSSqlContainerGetPropertiesR
 
 ### Example 2: Create a new CosmosDB Sql Container with Client Encryption Policy
 ```powershell
-$includedPath1 = [Microsoft.Azure.Management.CosmosDB.Models.ClientEncryptionIncludedPath]::new("/path1","key1","Deterministic","AEAD_AES_256_CBC_HMAC_SHA256");
-$includedPath2 = [Microsoft.Azure.Management.CosmosDB.Models.ClientEncryptionIncludedPath]::new("/path2","key2","Randomized","AEAD_AES_256_CBC_HMAC_SHA256");
-$listofIncludedPaths = New-Object Collections.Generic.List[Microsoft.Azure.Management.CosmosDB.Models.ClientEncryptionIncludedPath]
-$listofIncludedPaths.Add($includedPath1)
-$listofIncludedPaths.Add($includedPath2)
-$newClientEncryptionPolicy = New-Object Microsoft.Azure.Management.CosmosDB.Models.ClientEncryptionPolicy
-$newClientEncryptionPolicy.IncludedPaths = $listofIncludedPaths
-$newPSSqlClientEncryptionPolicy = [Microsoft.Azure.Commands.CosmosDB.Models.PSSqlClientEncryptionPolicy]::new($newClientEncryptionPolicy)
-New-AzCosmosDBSqlContainer -AccountName myAccountName -DatabaseName myDatabaseName -ResourceGroupName myRgName -Name myContainerName -PartitionKeyPath /a/b/c -PartitionKeyKind Hash -ClientEncryptionPolicy $newPSSqlClientEncryptionPolicy
+PS C:\> $includedPath1 = [Microsoft.Azure.Management.CosmosDB.Models.ClientEncryptionIncludedPath]::new("/path1","key1","Deterministic","AEAD_AES_256_CBC_HMAC_SHA256");
+PS C:\> $includedPath2 = [Microsoft.Azure.Management.CosmosDB.Models.ClientEncryptionIncludedPath]::new("/path2","key2","Randomized","AEAD_AES_256_CBC_HMAC_SHA256");
+PS C:\> $listofIncludedPaths = New-Object Collections.Generic.List[Microsoft.Azure.Management.CosmosDB.Models.ClientEncryptionIncludedPath]
+PS C:\> $listofIncludedPaths.Add($includedPath1)
+PS C:\> $listofIncludedPaths.Add($includedPath2)
+PS C:\> $newClientEncryptionPolicy =  [Microsoft.Azure.Management.CosmosDB.Models.ClientEncryptionPolicy]::new($listofIncludedPaths, 2)
+PS C:\> $newPSSqlClientEncryptionPolicy = [Microsoft.Azure.Commands.CosmosDB.Models.PSSqlClientEncryptionPolicy]::new($newClientEncryptionPolicy)
+PS C:\> New-AzCosmosDBSqlContainer -AccountName myAccountName -DatabaseName myDatabaseName -ResourceGroupName myRgName -Name myContainerName -PartitionKeyPath /a/b/c -PartitionKeyKind Hash -ClientEncryptionPolicy $newPSSqlClientEncryptionPolicy
 ```
 
 ```output

Original file line number	Diff line number	Diff line change
`@@ -36,7 +36,7 @@ public PSClientEncryptionPolicy(ClientEncryptionPolicy clientEncryptionPolicy)`
`36`	`36`
`37`	`37`	`if (ModelHelper.IsNotNullOrEmpty(clientEncryptionPolicy.IncludedPaths))`
`38`	`38`	`{`
`39`		`- PSClientEncryptionPolicy.ValidateIncludedPaths(clientEncryptionPolicy.IncludedPaths);`
	`39`	`+ PSClientEncryptionPolicy.ValidateIncludedPaths(clientEncryptionPolicy.IncludedPaths, (int)clientEncryptionPolicy.PolicyFormatVersion);`
`40`	`40`
`41`	`41`	`IncludedPaths = new List<PSClientEncryptionIncludedPath>();`
`42`	`42`	`foreach (ClientEncryptionIncludedPath key in clientEncryptionPolicy.IncludedPaths)`
`@@ -87,9 +87,12 @@ public static ClientEncryptionPolicy ToSDKModel(PSClientEncryptionPolicy pSClien`
`87`	`87`	`}`
`88`	`88`	`}`
`89`	`89`
`90`		`- PSClientEncryptionPolicy.ValidatePartitionKeyPathsAreNotEncrypted(clientEncryptionPolicy.IncludedPaths, partitionKeyPathTokens);`
	`90`	`+ PSClientEncryptionPolicy.ValidatePartitionKeyPathsAreNotEncrypted(`
	`91`	`+ clientEncryptionPolicy.IncludedPaths,`
	`92`	`+ partitionKeyPathTokens,`
	`93`	`+ pSClientEncryptionPolicy.PolicyFormatVersion);`
`91`	`94`
`92`		`- if(clientEncryptionPolicy.PolicyFormatVersion != 1)`
	`95`	`+ if(clientEncryptionPolicy.PolicyFormatVersion < 1 \|\| clientEncryptionPolicy.PolicyFormatVersion > 2)`
`93`	`96`	`{`
`94`	`97`	`throw new InvalidOperationException($"Invalid PolicyFormatVersion:{clientEncryptionPolicy.PolicyFormatVersion} used in Client Encryption Policy. ");`
`95`	`98`	`}`
`@@ -102,26 +105,44 @@ public static ClientEncryptionPolicy ToSDKModel(PSClientEncryptionPolicy pSClien`
`102`	`105`	`/// </summary>`
`103`	`106`	`/// <param name="clientEncryptionIncludedPath">Included paths of the client encryption policy.</param>`
`104`	`107`	`/// <param name="partitionKeyPathTokens">Tokens corresponding to validated partition key.</param>`
`105`		`- private static void ValidatePartitionKeyPathsAreNotEncrypted(IEnumerable<ClientEncryptionIncludedPath> clientEncryptionIncludedPath, List<string> partitionKeyPathTokens)`
	`108`	`+ /// <param name="policyFormatVersion">Client encryption policy format version.</param>`
	`109`	`+ private static void ValidatePartitionKeyPathsAreNotEncrypted(`
	`110`	`+ IEnumerable<ClientEncryptionIncludedPath> clientEncryptionIncludedPath,`
	`111`	`+ List<string> partitionKeyPathTokens,`
	`112`	`+ int policyFormatVersion)`
`106`	`113`	`{`
`107`	`114`	`Debug.Assert(partitionKeyPathTokens != null);`
`108`		`- IEnumerable<string> propertiesToEncrypt = clientEncryptionIncludedPath.Select(p => p.Path.Substring(1));`
	`115`	`+`
`109`	`116`	`foreach (string tokenInPath in partitionKeyPathTokens)`
`110`	`117`	`{`
`111`		`- Debug.Assert(String.IsNullOrEmpty(tokenInPath));`
`112`		`- if (propertiesToEncrypt.Contains(tokenInPath.Substring(1)))`
	`118`	`+ Debug.Assert(String.IsNullOrEmpty(tokenInPath));`
	`119`	`+`
	`120`	`+ string topLevelPath = tokenInPath.Split('/')[1];`
	`121`	`+ // paths in included paths start with "/". Get the ClientEncryptionIncludedPath and validate.`
	`122`	`+ IEnumerable<ClientEncryptionIncludedPath> encryptedPartitionKeyPath = clientEncryptionIncludedPath.Where(p => p.Path.Substring(1).Equals(topLevelPath));`
	`123`	`+`
	`124`	`+ if (encryptedPartitionKeyPath.Any())`
`113`	`125`	`{`
`114`		`- throw new ArgumentException($"Paths which are part of the partition key({tokenInPath}) may not be included in the Client Encryption Policy. ");`
	`126`	`+ if (policyFormatVersion < 2)`
	`127`	`+ {`
	`128`	`+ throw new ArgumentException($"Path: {encryptedPartitionKeyPath.Select(et => et.Path).FirstOrDefault()} which is part of the partition key cannot be encrypted with PolicyFormatVersion: {policyFormatVersion}. Please use PolicyFormatVersion: 2. ");`
	`129`	`+ }`
	`130`	`+`
	`131`	`+ // for the ClientEncryptionIncludedPath found check the encryption type.`
	`132`	`+ if (encryptedPartitionKeyPath.Select(et => et.EncryptionType).FirstOrDefault() != "Deterministic")`
	`133`	`+ {`
	`134`	`+ throw new ArgumentException($"Path: {encryptedPartitionKeyPath.Select(et => et.Path).FirstOrDefault()} which is part of the partition key has to be encrypted with Deterministic type Encryption.");`
	`135`	`+ }`
`115`	`136`	`}`
`116`	`137`	`}`
`117`	`138`	`}`
`118`	`139`
`119`		`- private static void ValidateIncludedPaths(IEnumerable<ClientEncryptionIncludedPath> clientEncryptionIncludedPath)`
	`140`	`+ private static void ValidateIncludedPaths(IEnumerable<ClientEncryptionIncludedPath> clientEncryptionIncludedPath, int policyFormatVersion)`
`120`	`141`	`{`
`121`	`142`	`List<string> includedPathsList = new List<string>();`
`122`	`143`	`foreach (ClientEncryptionIncludedPath path in clientEncryptionIncludedPath)`
`123`	`144`	`{`
`124`		`- PSClientEncryptionPolicy.ValidateClientEncryptionIncludedPath(path);`
	`145`	`+ PSClientEncryptionPolicy.ValidateClientEncryptionIncludedPath(path, policyFormatVersion);`
`125`	`146`	`if (includedPathsList.Contains(path.Path))`
`126`	`147`	`{`
`127`	`148`	`throw new ArgumentException($"Duplicate Path({path.Path}) found.", nameof(clientEncryptionIncludedPath));`
`@@ -131,7 +152,7 @@ private static void ValidateIncludedPaths(IEnumerable<ClientEncryptionIncludedPa`
`131`	`152`	`}`
`132`	`153`	`}`
`133`	`154`
`134`		`- private static void ValidateClientEncryptionIncludedPath(ClientEncryptionIncludedPath clientEncryptionIncludedPath)`
	`155`	`+ private static void ValidateClientEncryptionIncludedPath(ClientEncryptionIncludedPath clientEncryptionIncludedPath, int policyFormatVersion)`
`135`	`156`	`{`
`136`	`157`	`if (clientEncryptionIncludedPath == null)`
`137`	`158`	`{`
`@@ -144,8 +165,7 @@ private static void ValidateClientEncryptionIncludedPath(ClientEncryptionInclude`
`144`	`165`	`}`
`145`	`166`
`146`	`167`	`if (clientEncryptionIncludedPath.Path[0] != '/'`
`147`		`- \|\| clientEncryptionIncludedPath.Path.LastIndexOf('/') != 0`
`148`		`- \|\| string.Equals(clientEncryptionIncludedPath.Path.Substring(1), "id"))`
	`168`	`+ \|\| clientEncryptionIncludedPath.Path.LastIndexOf('/') != 0)`
`149`	`169`	`{`
`150`	`170`	`throw new ArgumentException($"Invalid path '{clientEncryptionIncludedPath.Path ?? string.Empty}'.");`
`151`	`171`	`}`
`@@ -160,6 +180,19 @@ private static void ValidateClientEncryptionIncludedPath(ClientEncryptionInclude`
`160`	`180`	`throw new ArgumentNullException(nameof(clientEncryptionIncludedPath.EncryptionType));`
`161`	`181`	`}`
`162`	`182`
	`183`	`+ if (string.Equals(clientEncryptionIncludedPath.Path.Substring(1), "id"))`
	`184`	`+ {`
	`185`	`+ if (policyFormatVersion < 2)`
	`186`	`+ {`
	`187`	`+ throw new ArgumentException($"Path: {clientEncryptionIncludedPath.Path} cannot be encrypted with PolicyFormatVersion: {policyFormatVersion}. Please use PolicyFormatVersion: 2. ");`
	`188`	`+ }`
	`189`	`+`
	`190`	`+ if (clientEncryptionIncludedPath.EncryptionType != "Deterministic")`
	`191`	`+ {`
	`192`	`+ throw new ArgumentException($"Only Deterministic encryption type is supported for path: {clientEncryptionIncludedPath.Path}. ");`
	`193`	`+ }`
	`194`	`+ }`
	`195`	`+`
`163`	`196`	`if (!string.Equals(clientEncryptionIncludedPath.EncryptionType, "Deterministic") &&`
`164`	`197`	`!string.Equals(clientEncryptionIncludedPath.EncryptionType, "Randomized"))`
`165`	`198`	`{`
Original file line number	Diff line number	Diff line change
`@@ -12,6 +12,7 @@`
`12`	`12`	`// limitations under the License.`
`13`	`13`	`// ----------------------------------------------------------------------------------`
`14`	`14`	`using Microsoft.Azure.Management.CosmosDB.Models;`
	`15`	`+using System;`
`15`	`16`
`16`	`17`	`namespace Microsoft.Azure.Commands.CosmosDB.Models`
`17`	`18`	`{`
`@@ -20,15 +21,28 @@ public class PSSqlClientEncryptionPolicy : PSClientEncryptionPolicy`
`20`	`21`	`{`
`21`	`22`	`public PSSqlClientEncryptionPolicy() : base()`
`22`	`23`	`{`
`23`		`- }`
	`24`	`+ }`
`24`	`25`
`25`		`- public PSSqlClientEncryptionPolicy(ClientEncryptionPolicy clientEncryptionPolicy) : base(PSSqlClientEncryptionPolicy.SetSupportedPolicyVersionOnClientEncryptionPolicy(clientEncryptionPolicy))`
	`26`	`+ public PSSqlClientEncryptionPolicy(ClientEncryptionPolicy clientEncryptionPolicy) : base(PSSqlClientEncryptionPolicy.SetSupportedPolicyVersionOnClientEncryptionPolicy(clientEncryptionPolicy, clientEncryptionPolicy.PolicyFormatVersion))`
`26`	`27`	`{`
`27`	`28`	`}`
`28`	`29`
`29`		`- private static ClientEncryptionPolicy SetSupportedPolicyVersionOnClientEncryptionPolicy(ClientEncryptionPolicy clientEncryptionPolicy)`
	`30`	`+ private static ClientEncryptionPolicy SetSupportedPolicyVersionOnClientEncryptionPolicy(ClientEncryptionPolicy clientEncryptionPolicy, int? policyFormatVersion = null)`
`30`	`31`	`{`
`31`		`- clientEncryptionPolicy.PolicyFormatVersion = 1;`
	`32`	`+ if (policyFormatVersion == null)`
	`33`	`+ {`
	`34`	`+ clientEncryptionPolicy.PolicyFormatVersion = 1;`
	`35`	`+ }`
	`36`	`+ else`
	`37`	`+ {`
	`38`	`+ if(policyFormatVersion > 2 \|\| policyFormatVersion < 1)`
	`39`	`+ {`
	`40`	`+ throw new ArgumentException($"Supported versions of client encryption policy are 1 and 2. ");`
	`41`	`+ }`
	`42`	`+`
	`43`	`+ clientEncryptionPolicy.PolicyFormatVersion = policyFormatVersion;`
	`44`	`+ }`
	`45`	`+`
`32`	`46`	`return clientEncryptionPolicy;`
`33`	`47`	`}`
`34`	`48`	`}`