Add OPEN SYMMETRIC KEY DECRYPTION BY clause parsing

claude · claude · commit e1514d0e16a8 · 2025-12-31T15:52:15.000Z
- Update OpenSymmetricKeyStatement to use CryptoMechanism for DecryptionMechanism
- Parse DECRYPTION BY with CERTIFICATE, ASYMMETRIC KEY, SYMMETRIC KEY, PASSWORD
- Handle optional WITH PASSWORD clause for CERTIFICATE and ASYMMETRIC KEY
- Support both regular strings and national strings (N'...') for passwords

Enables: Baselines90_OpenSymmetricKeyStatementTests
diff --git a/ast/trivial_statements.go b/ast/trivial_statements.go
@@ -77,8 +77,7 @@ func (s *OpenMasterKeyStatement) statement() {}
 // OpenSymmetricKeyStatement represents OPEN SYMMETRIC KEY statement
 type OpenSymmetricKeyStatement struct {
 	Name                *Identifier
-	DecryptionMechanism string // "Key", "Certificate", "Password", "AsymmetricKey"
-	DecryptionKey       ScalarExpression
+	DecryptionMechanism *CryptoMechanism
 }
 
 func (s *OpenSymmetricKeyStatement) node()      {}
diff --git a/parser/marshal.go b/parser/marshal.go
@@ -4559,11 +4559,8 @@ func openSymmetricKeyStatementToJSON(s *ast.OpenSymmetricKeyStatement) jsonNode
 	if s.Name != nil {
 		node["Name"] = identifierToJSON(s.Name)
 	}
-	if s.DecryptionMechanism != "" {
-		node["DecryptionMechanism"] = s.DecryptionMechanism
-	}
-	if s.DecryptionKey != nil {
-		node["DecryptionKey"] = scalarExpressionToJSON(s.DecryptionKey)
+	if s.DecryptionMechanism != nil {
+		node["DecryptionMechanism"] = cryptoMechanismToJSON(s.DecryptionMechanism)
 	}
 	return node
 }
diff --git a/parser/parse_statements.go b/parser/parse_statements.go
@@ -4980,6 +4980,86 @@ func (p *Parser) parseOpenStatement() (ast.Statement, error) {
 		}
 		p.nextToken() // consume KEY
 		stmt := &ast.OpenSymmetricKeyStatement{Name: p.parseIdentifier()}
+
+		// Parse DECRYPTION BY <mechanism>
+		if p.curTok.Type == TokenDecryption {
+			p.nextToken() // consume DECRYPTION
+			if p.curTok.Type == TokenBy {
+				p.nextToken() // consume BY
+			}
+			mechanism := &ast.CryptoMechanism{}
+			upperLit := strings.ToUpper(p.curTok.Literal)
+
+			switch upperLit {
+			case "CERTIFICATE":
+				p.nextToken() // consume CERTIFICATE
+				mechanism.CryptoMechanismType = "Certificate"
+				mechanism.Identifier = p.parseIdentifier()
+				// Check for optional WITH PASSWORD
+				if p.curTok.Type == TokenWith {
+					p.nextToken() // consume WITH
+					if p.curTok.Type == TokenPassword {
+						p.nextToken() // consume PASSWORD
+						if p.curTok.Type == TokenEquals {
+							p.nextToken() // consume =
+						}
+						if p.curTok.Type == TokenNationalString {
+							str, _ := p.parseNationalStringFromToken()
+							mechanism.PasswordOrSignature = str
+						} else if p.curTok.Type == TokenString {
+							mechanism.PasswordOrSignature = p.parseStringLiteralValue()
+							p.nextToken()
+						}
+					}
+				}
+			case "ASYMMETRIC":
+				p.nextToken() // consume ASYMMETRIC
+				if p.curTok.Type == TokenKey {
+					p.nextToken() // consume KEY
+				}
+				mechanism.CryptoMechanismType = "AsymmetricKey"
+				mechanism.Identifier = p.parseIdentifier()
+				// Check for optional WITH PASSWORD
+				if p.curTok.Type == TokenWith {
+					p.nextToken() // consume WITH
+					if p.curTok.Type == TokenPassword {
+						p.nextToken() // consume PASSWORD
+						if p.curTok.Type == TokenEquals {
+							p.nextToken() // consume =
+						}
+						if p.curTok.Type == TokenNationalString {
+							str, _ := p.parseNationalStringFromToken()
+							mechanism.PasswordOrSignature = str
+						} else if p.curTok.Type == TokenString {
+							mechanism.PasswordOrSignature = p.parseStringLiteralValue()
+							p.nextToken()
+						}
+					}
+				}
+			case "SYMMETRIC":
+				p.nextToken() // consume SYMMETRIC
+				if p.curTok.Type == TokenKey {
+					p.nextToken() // consume KEY
+				}
+				mechanism.CryptoMechanismType = "SymmetricKey"
+				mechanism.Identifier = p.parseIdentifier()
+			case "PASSWORD":
+				p.nextToken() // consume PASSWORD
+				if p.curTok.Type == TokenEquals {
+					p.nextToken() // consume =
+				}
+				mechanism.CryptoMechanismType = "Password"
+				if p.curTok.Type == TokenNationalString {
+					str, _ := p.parseNationalStringFromToken()
+					mechanism.PasswordOrSignature = str
+				} else if p.curTok.Type == TokenString {
+					mechanism.PasswordOrSignature = p.parseStringLiteralValue()
+					p.nextToken()
+				}
+			}
+			stmt.DecryptionMechanism = mechanism
+		}
+
 		if p.curTok.Type == TokenSemicolon {
 			p.nextToken()
 		}
diff --git a/parser/testdata/Baselines90_OpenSymmetricKeyStatementTests/metadata.json b/parser/testdata/Baselines90_OpenSymmetricKeyStatementTests/metadata.json
@@ -1 +1 @@
-{"todo": true}
+{}
diff --git a/parser/testdata/OpenSymmetricKeyStatementTests/metadata.json b/parser/testdata/OpenSymmetricKeyStatementTests/metadata.json
@@ -1 +1 @@
-{"todo": true}
+{}

Original file line number	Diff line number	Diff line change
`@@ -77,8 +77,7 @@ func (s *OpenMasterKeyStatement) statement() {}`
`77`	`77`	`// OpenSymmetricKeyStatement represents OPEN SYMMETRIC KEY statement`
`78`	`78`	`type OpenSymmetricKeyStatement struct {`
`79`	`79`	`Name *Identifier`
`80`		`- DecryptionMechanism string // "Key", "Certificate", "Password", "AsymmetricKey"`
`81`		`- DecryptionKey ScalarExpression`
	`80`	`+ DecryptionMechanism *CryptoMechanism`
`82`	`81`	`}`
`83`	`82`
`84`	`83`	`func (s *OpenSymmetricKeyStatement) node() {}`
Original file line number	Diff line number	Diff line change
`@@ -4559,11 +4559,8 @@ func openSymmetricKeyStatementToJSON(s *ast.OpenSymmetricKeyStatement) jsonNode`
`4559`	`4559`	`if s.Name != nil {`
`4560`	`4560`	`node["Name"] = identifierToJSON(s.Name)`
`4561`	`4561`	`}`
`4562`		`- if s.DecryptionMechanism != "" {`
`4563`		`- node["DecryptionMechanism"] = s.DecryptionMechanism`
`4564`		`- }`
`4565`		`- if s.DecryptionKey != nil {`
`4566`		`- node["DecryptionKey"] = scalarExpressionToJSON(s.DecryptionKey)`
	`4562`	`+ if s.DecryptionMechanism != nil {`
	`4563`	`+ node["DecryptionMechanism"] = cryptoMechanismToJSON(s.DecryptionMechanism)`
`4567`	`4564`	`}`
`4568`	`4565`	`return node`
`4569`	`4566`	`}`