Add ALTER TABLE ALTER COLUMN HIDDEN and encryption support

claude · claude · commit e1a195cbf76c · 2026-01-03T19:20:07.000Z
- Support ADD HIDDEN and DROP HIDDEN column options
- Parse HIDDEN modifier in column definitions
- Add ColumnEncryptionDefinition and related parameter types
- Parse ENCRYPTED WITH (...) specifications
- Parse MASKED WITH (FUNCTION = ...) specifications
- Add MaskingFunction and Encryption fields to AlterTableAlterColumnStatement
- Add marshaling for encryption parameter types
- Enable 2 passing tests
diff --git a/ast/alter_table_alter_column_statement.go b/ast/alter_table_alter_column_statement.go
@@ -10,6 +10,8 @@ type AlterTableAlterColumnStatement struct {
 	IsHidden                    bool
 	Collation                   *Identifier
 	IsMasked                    bool
+	Encryption                  *ColumnEncryptionDefinition
+	MaskingFunction             ScalarExpression
 }
 
 func (a *AlterTableAlterColumnStatement) node()      {}
diff --git a/ast/column_encryption.go b/ast/column_encryption.go
@@ -0,0 +1,37 @@
+package ast
+
+// ColumnEncryptionDefinition represents the ENCRYPTED WITH specification
+type ColumnEncryptionDefinition struct {
+	Parameters []ColumnEncryptionParameter
+}
+
+func (c *ColumnEncryptionDefinition) node() {}
+
+// ColumnEncryptionParameter is an interface for encryption parameters
+type ColumnEncryptionParameter interface {
+	columnEncryptionParameter()
+}
+
+// ColumnEncryptionKeyNameParameter represents COLUMN_ENCRYPTION_KEY = key_name
+type ColumnEncryptionKeyNameParameter struct {
+	Name          *Identifier
+	ParameterKind string // "ColumnEncryptionKey"
+}
+
+func (c *ColumnEncryptionKeyNameParameter) columnEncryptionParameter() {}
+
+// ColumnEncryptionTypeParameter represents ENCRYPTION_TYPE = DETERMINISTIC|RANDOMIZED
+type ColumnEncryptionTypeParameter struct {
+	EncryptionType string // "Deterministic", "Randomized"
+	ParameterKind  string // "EncryptionType"
+}
+
+func (c *ColumnEncryptionTypeParameter) columnEncryptionParameter() {}
+
+// ColumnEncryptionAlgorithmParameter represents ALGORITHM = 'algorithm_name'
+type ColumnEncryptionAlgorithmParameter struct {
+	EncryptionAlgorithm ScalarExpression // StringLiteral
+	ParameterKind       string           // "Algorithm"
+}
+
+func (c *ColumnEncryptionAlgorithmParameter) columnEncryptionParameter() {}
diff --git a/parser/marshal.go b/parser/marshal.go
@@ -887,16 +887,67 @@ func alterTableAlterColumnStatementToJSON(s *ast.AlterTableAlterColumnStatement)
 		node["StorageOptions"] = columnStorageOptionsToJSON(s.StorageOptions)
 	}
 	node["IsHidden"] = s.IsHidden
+	if s.Encryption != nil {
+		node["Encryption"] = columnEncryptionDefinitionToJSON(s.Encryption)
+	}
 	if s.Collation != nil {
 		node["Collation"] = identifierToJSON(s.Collation)
 	}
 	node["IsMasked"] = s.IsMasked
+	if s.MaskingFunction != nil {
+		node["MaskingFunction"] = scalarExpressionToJSON(s.MaskingFunction)
+	}
 	if s.SchemaObjectName != nil {
 		node["SchemaObjectName"] = schemaObjectNameToJSON(s.SchemaObjectName)
 	}
 	return node
 }
 
+func columnEncryptionDefinitionToJSON(e *ast.ColumnEncryptionDefinition) jsonNode {
+	node := jsonNode{
+		"$type": "ColumnEncryptionDefinition",
+	}
+	if len(e.Parameters) > 0 {
+		params := make([]jsonNode, len(e.Parameters))
+		for i, p := range e.Parameters {
+			params[i] = columnEncryptionParameterToJSON(p)
+		}
+		node["Parameters"] = params
+	}
+	return node
+}
+
+func columnEncryptionParameterToJSON(p ast.ColumnEncryptionParameter) jsonNode {
+	switch param := p.(type) {
+	case *ast.ColumnEncryptionKeyNameParameter:
+		node := jsonNode{
+			"$type":         "ColumnEncryptionKeyNameParameter",
+			"ParameterKind": param.ParameterKind,
+		}
+		if param.Name != nil {
+			node["Name"] = identifierToJSON(param.Name)
+		}
+		return node
+	case *ast.ColumnEncryptionTypeParameter:
+		return jsonNode{
+			"$type":          "ColumnEncryptionTypeParameter",
+			"EncryptionType": param.EncryptionType,
+			"ParameterKind":  param.ParameterKind,
+		}
+	case *ast.ColumnEncryptionAlgorithmParameter:
+		node := jsonNode{
+			"$type":         "ColumnEncryptionAlgorithmParameter",
+			"ParameterKind": param.ParameterKind,
+		}
+		if param.EncryptionAlgorithm != nil {
+			node["EncryptionAlgorithm"] = scalarExpressionToJSON(param.EncryptionAlgorithm)
+		}
+		return node
+	default:
+		return jsonNode{"$type": "Unknown"}
+	}
+}
+
 func alterMessageTypeStatementToJSON(s *ast.AlterMessageTypeStatement) jsonNode {
 	node := jsonNode{
 		"$type":            "AlterMessageTypeStatement",
diff --git a/parser/parse_ddl.go b/parser/parse_ddl.go
@@ -3487,6 +3487,9 @@ func (p *Parser) parseAlterTableAlterColumnStatement(tableName *ast.SchemaObject
 		} else if nextLit == "SPARSE" {
 			stmt.AlterTableAlterColumnOption = "AddSparse"
 			p.nextToken()
+		} else if nextLit == "HIDDEN" {
+			stmt.AlterTableAlterColumnOption = "AddHidden"
+			p.nextToken()
 		} else if nextLit == "NOT" {
 			p.nextToken() // consume NOT
 			if strings.ToUpper(p.curTok.Literal) == "FOR" {
@@ -3514,6 +3517,9 @@ func (p *Parser) parseAlterTableAlterColumnStatement(tableName *ast.SchemaObject
 		} else if nextLit == "SPARSE" {
 			stmt.AlterTableAlterColumnOption = "DropSparse"
 			p.nextToken()
+		} else if nextLit == "HIDDEN" {
+			stmt.AlterTableAlterColumnOption = "DropHidden"
+			p.nextToken()
 		} else if nextLit == "NOT" {
 			p.nextToken() // consume NOT
 			if strings.ToUpper(p.curTok.Literal) == "FOR" {
@@ -3547,7 +3553,7 @@ func (p *Parser) parseAlterTableAlterColumnStatement(tableName *ast.SchemaObject
 		stmt.Collation = p.parseIdentifier()
 	}
 
-	// Parse optional SPARSE, FILESTREAM, COLUMN_SET FOR ALL_SPARSE_COLUMNS
+	// Parse optional SPARSE, FILESTREAM, COLUMN_SET FOR ALL_SPARSE_COLUMNS, HIDDEN, ENCRYPTED WITH, MASKED WITH
 	for {
 		upperLit := strings.ToUpper(p.curTok.Literal)
 		if upperLit == "SPARSE" {
@@ -3574,6 +3580,48 @@ func (p *Parser) parseAlterTableAlterColumnStatement(tableName *ast.SchemaObject
 				stmt.StorageOptions = &ast.ColumnStorageOptions{}
 			}
 			stmt.StorageOptions.SparseOption = "ColumnSetForAllSparseColumns"
+		} else if upperLit == "HIDDEN" {
+			stmt.IsHidden = true
+			p.nextToken()
+		} else if upperLit == "ENCRYPTED" {
+			p.nextToken() // consume ENCRYPTED
+			if strings.ToUpper(p.curTok.Literal) == "WITH" {
+				p.nextToken() // consume WITH
+			}
+			// Parse encryption specification: (COLUMN_ENCRYPTION_KEY = key1, ENCRYPTION_TYPE = ..., ALGORITHM = ...)
+			if p.curTok.Type == TokenLParen {
+				encSpec, err := p.parseColumnEncryptionSpecification()
+				if err != nil {
+					return nil, err
+				}
+				stmt.Encryption = encSpec
+			}
+		} else if upperLit == "MASKED" {
+			stmt.IsMasked = true
+			p.nextToken() // consume MASKED
+			if strings.ToUpper(p.curTok.Literal) == "WITH" {
+				p.nextToken() // consume WITH
+			}
+			// Parse masking function: (function = 'default()')
+			if p.curTok.Type == TokenLParen {
+				p.nextToken() // consume (
+				if strings.ToUpper(p.curTok.Literal) == "FUNCTION" {
+					p.nextToken() // consume FUNCTION
+					if p.curTok.Type == TokenEquals {
+						p.nextToken() // consume =
+					}
+					if p.curTok.Type == TokenString {
+						maskFunc, err := p.parseStringLiteral()
+						if err != nil {
+							return nil, err
+						}
+						stmt.MaskingFunction = maskFunc
+					}
+				}
+				if p.curTok.Type == TokenRParen {
+					p.nextToken() // consume )
+				}
+			}
 		} else {
 			break
 		}
@@ -3599,6 +3647,65 @@ func (p *Parser) parseAlterTableAlterColumnStatement(tableName *ast.SchemaObject
 	return stmt, nil
 }
 
+func (p *Parser) parseColumnEncryptionSpecification() (*ast.ColumnEncryptionDefinition, error) {
+	// curTok should be (
+	p.nextToken() // consume (
+
+	encDef := &ast.ColumnEncryptionDefinition{}
+
+	for p.curTok.Type != TokenRParen && p.curTok.Type != TokenEOF {
+		paramName := strings.ToUpper(p.curTok.Literal)
+		p.nextToken()
+
+		if p.curTok.Type == TokenEquals {
+			p.nextToken() // consume =
+		}
+
+		switch paramName {
+		case "COLUMN_ENCRYPTION_KEY":
+			param := &ast.ColumnEncryptionKeyNameParameter{
+				ParameterKind: "ColumnEncryptionKey",
+				Name:          p.parseIdentifier(),
+			}
+			encDef.Parameters = append(encDef.Parameters, param)
+		case "ENCRYPTION_TYPE":
+			encType := strings.ToUpper(p.curTok.Literal)
+			param := &ast.ColumnEncryptionTypeParameter{
+				ParameterKind: "EncryptionType",
+			}
+			if encType == "DETERMINISTIC" {
+				param.EncryptionType = "Deterministic"
+			} else if encType == "RANDOMIZED" {
+				param.EncryptionType = "Randomized"
+			} else {
+				param.EncryptionType = encType
+			}
+			p.nextToken()
+			encDef.Parameters = append(encDef.Parameters, param)
+		case "ALGORITHM":
+			str, err := p.parseStringLiteral()
+			if err != nil {
+				return nil, err
+			}
+			param := &ast.ColumnEncryptionAlgorithmParameter{
+				ParameterKind:       "Algorithm",
+				EncryptionAlgorithm: str,
+			}
+			encDef.Parameters = append(encDef.Parameters, param)
+		}
+
+		if p.curTok.Type == TokenComma {
+			p.nextToken()
+		}
+	}
+
+	if p.curTok.Type == TokenRParen {
+		p.nextToken() // consume )
+	}
+
+	return encDef, nil
+}
+
 func (p *Parser) parseAlterTableAddStatement(tableName *ast.SchemaObjectName) (*ast.AlterTableAddTableElementStatement, error) {
 	// Consume ADD
 	p.nextToken()
diff --git a/parser/testdata/AlterTableAlterColumnStatementTests140/metadata.json b/parser/testdata/AlterTableAlterColumnStatementTests140/metadata.json
@@ -1 +1 @@
-{"todo": true}
+{}
diff --git a/parser/testdata/Baselines140_AlterTableAlterColumnStatementTests140/metadata.json b/parser/testdata/Baselines140_AlterTableAlterColumnStatementTests140/metadata.json
@@ -1 +1 @@
-{"todo": true}
+{}

Original file line number	Diff line number	Diff line change
`@@ -10,6 +10,8 @@ type AlterTableAlterColumnStatement struct {`
`10`	`10`	`IsHidden bool`
`11`	`11`	`Collation *Identifier`
`12`	`12`	`IsMasked bool`
	`13`	`+ Encryption *ColumnEncryptionDefinition`
	`14`	`+ MaskingFunction ScalarExpression`
`13`	`15`	`}`
`14`	`16`
`15`	`17`	`func (a *AlterTableAlterColumnStatement) node() {}`