Add Table Properties for Encryption Configuration

This PR introduces table-level encryption properties to enable configuration of encryption settings for Iceberg tables. These properties lay the groundwork for future encryption implementation while maintaining compatibility with the Java implementation's property names and structure.

Table-level encryption is a critical security feature in Apache Iceberg's Java implementation. To support encryption in iceberg-rust and ensure interoperability between Java and Rust implementations, we need to start by adding the configuration properties that control encryption behavior. This PR adds the property definitions and parsing logic without implementing the actual encryption, keeping the change focused and reviewable.

**Modified:** `crates/iceberg/src/spec/table_properties.rs`

Added encryption-related properties to the `TableProperties` struct:

- `PROPERTY_ENCRYPTION_KEY_ID` (`"encryption.key-id"`) - Master key ID for encrypting data encryption keys
- `PROPERTY_ENCRYPTION_DEK_LENGTH` (`"encryption.data-key-length"`) - Data encryption key length (default: 16 bytes)
- `PROPERTY_ENCRYPTION_AAD_LENGTH` (`"encryption.aad-length"`) - AAD prefix length for GCM (default: 16 bytes)
- `PROPERTY_ENCRYPTION_KMS_TYPE` (`"encryption.kms-type"`) - KMS type (e.g., "aws", "gcp", "azure")

All `Option<T>` as encryption is optional:
- `encryption_key_id: Option<String>`
- `encryption_dek_length: Option<usize>`
- `encryption_aad_length: Option<usize>`
- `encryption_kms_type: Option<String>`

Extended `TryFrom<&HashMap<String, String>>` implementation to parse encryption properties

Property names match exactly with Java's implementation:
- Java: `TableProperties.ENCRYPTION_TABLE_KEY` → Rust: `PROPERTY_ENCRYPTION_KEY_ID`
- Java: `TableProperties.ENCRYPTION_DEK_LENGTH` → Rust: `PROPERTY_ENCRYPTION_DEK_LENGTH`
- Java: `CatalogProperties.ENCRYPTION_KMS_TYPE` → Rust: `PROPERTY_ENCRYPTION_KMS_TYPE`

**Note:** Java's `ENCRYPTION_KMS_IMPL` property (for custom KMS implementations via reflection) is intentionally not included since Rust doesn't support runtime reflection. KMS implementations will be selected based on the `encryption.kms-type` property with compiled-in implementations.

Added comprehensive test coverage:

1. `test_table_properties_default`: Verifies encryption properties are None by default
2. `test_encryption_properties_valid`: Tests parsing all encryption properties with valid values
3. `test_encryption_properties_partial`: Tests partial encryption configuration
4. `test_encryption_properties_invalid_numeric`: Verifies invalid numeric values are handled gracefully (parsed as None)
5. `test_encryption_properties_with_other_properties`: Tests encryption properties alongside existing table properties

All tests pass:
```
running 7 tests
test spec::table_properties::tests::test_table_properties_default ... ok
test spec::table_properties::tests::test_encryption_properties_partial ... ok
test spec::table_properties::tests::test_encryption_properties_invalid_numeric ... ok
test spec::table_properties::tests::test_encryption_properties_valid ... ok
test spec::table_properties::tests::test_encryption_properties_with_other_properties ... ok
test spec::table_properties::tests::test_table_properties_valid ... ok
test spec::table_properties::tests::test_table_properties_invalid ... ok
```

1. **Optional Fields**: All encryption properties are `Option<T>` since encryption is an optional feature
2. **Silent Failure for Invalid Numbers**: Invalid numeric values for `dek_length` and `aad_length` are parsed as None rather than failing, matching the pattern for optional properties
3. **No Validation**: This PR doesn't validate property values (e.g., valid key lengths), leaving that for the encryption implementation
4. **No Custom KMS**: Omitted `encryption.kms-impl` property since Rust lacks reflection - KMS type selection will use `encryption.kms-type` with a factory pattern
5. **Independent PR**: No dependencies on other encryption code, can be merged independently

This PR is part of a series to implement encryption support:
- ✅ PR 1: Core encryption primitives (AES-GCM operations)
- ✅ PR 2: Table properties for encryption (this PR)
- PR 3: Key management interfaces
- PR 4: EncryptionManager implementation
- PR 5: Native Parquet encryption support
- PR 6: Integration with Table and FileIO

Author: xanderbailey

crates/iceberg/src/spec/table_properties.rs

@@ -51,6 +51,14 @@ pub struct TableProperties {
     pub write_target_file_size_bytes: usize,
     /// Whether to use `FanoutWriter` for partitioned tables.
     pub write_datafusion_fanout_enabled: bool,
+    /// Master key ID for encryption. When set, all data and manifest files will be encrypted.
+    pub encryption_key_id: Option<String>,
+    /// Length of data encryption keys in bytes.
+    pub encryption_dek_length: Option<usize>,
+    /// Length of AAD (Additional Authenticated Data) prefix for GCM encryption.
+    pub encryption_aad_length: Option<usize>,
+    /// KMS type for encryption (e.g., "aws", "gcp", "azure").
+    pub encryption_kms_type: Option<String>,
 }
 
 impl TableProperties {
@@ -144,6 +152,37 @@ impl TableProperties {
     pub const PROPERTY_DATAFUSION_WRITE_FANOUT_ENABLED: &str = "write.datafusion.fanout.enabled";
     /// Default value for fanout writer enabled
     pub const PROPERTY_DATAFUSION_WRITE_FANOUT_ENABLED_DEFAULT: bool = true;
+
+    // Encryption properties
+
+    /// Master key ID for encrypting data encryption keys.
+    ///
+    /// When set, enables table-level encryption where all data and manifest
+    /// files are encrypted using data encryption keys (DEKs) that are
+    /// themselves encrypted with this master key.
+    pub const PROPERTY_ENCRYPTION_KEY_ID: &str = "encryption.key-id";
+
+    /// Length of data encryption keys in bytes.
+    ///
+    /// Controls the key size for AES encryption. Common values are 16 (AES-128)
+    /// and 32 (AES-256).
+    pub const PROPERTY_ENCRYPTION_DEK_LENGTH: &str = "encryption.data-key-length";
+    /// Default length for data encryption keys (16 bytes = AES-128).
+    pub const PROPERTY_ENCRYPTION_DEK_LENGTH_DEFAULT: usize = 16;
+
+    /// Length of AAD (Additional Authenticated Data) prefix for GCM encryption.
+    ///
+    /// Used to provide additional context for authenticated encryption modes
+    /// like AES-GCM.
+    pub const PROPERTY_ENCRYPTION_AAD_LENGTH: &str = "encryption.aad-length";
+    /// Default AAD length (16 bytes).
+    pub const PROPERTY_ENCRYPTION_AAD_LENGTH_DEFAULT: usize = 16;
+
+    /// KMS type for encryption.
+    ///
+    /// Specifies which Key Management System to use. Common values include
+    /// "aws" for AWS KMS, "gcp" for Google Cloud KMS, "azure" for Azure Key Vault.
+    pub const PROPERTY_ENCRYPTION_KMS_TYPE: &str = "encryption.kms-type";
 }
 
 impl TryFrom<&HashMap<String, String>> for TableProperties {
@@ -187,6 +226,17 @@ impl TryFrom<&HashMap<String, String>> for TableProperties {
                 TableProperties::PROPERTY_DATAFUSION_WRITE_FANOUT_ENABLED,
                 TableProperties::PROPERTY_DATAFUSION_WRITE_FANOUT_ENABLED_DEFAULT,
             )?,
+            // Encryption properties - all optional
+            encryption_key_id: props.get(TableProperties::PROPERTY_ENCRYPTION_KEY_ID).cloned(),
+            encryption_dek_length: props
+                .get(TableProperties::PROPERTY_ENCRYPTION_DEK_LENGTH)
+                .and_then(|v| v.parse().ok()),
+            encryption_aad_length: props
+                .get(TableProperties::PROPERTY_ENCRYPTION_AAD_LENGTH)
+                .and_then(|v| v.parse().ok()),
+            encryption_kms_type: props
+                .get(TableProperties::PROPERTY_ENCRYPTION_KMS_TYPE)
+                .cloned(),
         })
     }
 }
@@ -219,6 +269,11 @@ mod tests {
             table_properties.write_target_file_size_bytes,
             TableProperties::PROPERTY_WRITE_TARGET_FILE_SIZE_BYTES_DEFAULT
         );
+        // Encryption properties should be None by default
+        assert_eq!(table_properties.encryption_key_id, None);
+        assert_eq!(table_properties.encryption_dek_length, None);
+        assert_eq!(table_properties.encryption_aad_length, None);
+        assert_eq!(table_properties.encryption_kms_type, None);
     }
 
     #[test]
@@ -293,4 +348,131 @@ mod tests {
             "Invalid value for write.target-file-size-bytes: invalid digit found in string"
         ));
     }
+
+    #[test]
+    fn test_encryption_properties_valid() {
+        let props = HashMap::from([
+            (
+                TableProperties::PROPERTY_ENCRYPTION_KEY_ID.to_string(),
+                "test-key-123".to_string(),
+            ),
+            (
+                TableProperties::PROPERTY_ENCRYPTION_DEK_LENGTH.to_string(),
+                "32".to_string(),
+            ),
+            (
+                TableProperties::PROPERTY_ENCRYPTION_AAD_LENGTH.to_string(),
+                "24".to_string(),
+            ),
+            (
+                TableProperties::PROPERTY_ENCRYPTION_KMS_TYPE.to_string(),
+                "aws".to_string(),
+            ),
+        ]);
+        let table_properties = TableProperties::try_from(&props).unwrap();
+        assert_eq!(
+            table_properties.encryption_key_id,
+            Some("test-key-123".to_string())
+        );
+        assert_eq!(table_properties.encryption_dek_length, Some(32));
+        assert_eq!(table_properties.encryption_aad_length, Some(24));
+        assert_eq!(
+            table_properties.encryption_kms_type,
+            Some("aws".to_string())
+        );
+    }
+
+    #[test]
+    fn test_encryption_properties_partial() {
+        // Test with only some encryption properties set
+        let props = HashMap::from([
+            (
+                TableProperties::PROPERTY_ENCRYPTION_KEY_ID.to_string(),
+                "my-master-key".to_string(),
+            ),
+            (
+                TableProperties::PROPERTY_ENCRYPTION_KMS_TYPE.to_string(),
+                "gcp".to_string(),
+            ),
+        ]);
+        let table_properties = TableProperties::try_from(&props).unwrap();
+        assert_eq!(
+            table_properties.encryption_key_id,
+            Some("my-master-key".to_string())
+        );
+        assert_eq!(table_properties.encryption_dek_length, None);
+        assert_eq!(table_properties.encryption_aad_length, None);
+        assert_eq!(
+            table_properties.encryption_kms_type,
+            Some("gcp".to_string())
+        );
+    }
+
+    #[test]
+    fn test_encryption_properties_invalid_numeric() {
+        // Test that invalid numeric values are silently ignored (parsed as None)
+        let props = HashMap::from([
+            (
+                TableProperties::PROPERTY_ENCRYPTION_KEY_ID.to_string(),
+                "key-456".to_string(),
+            ),
+            (
+                TableProperties::PROPERTY_ENCRYPTION_DEK_LENGTH.to_string(),
+                "not-a-number".to_string(),
+            ),
+            (
+                TableProperties::PROPERTY_ENCRYPTION_AAD_LENGTH.to_string(),
+                "also-not-a-number".to_string(),
+            ),
+        ]);
+        let table_properties = TableProperties::try_from(&props).unwrap();
+        assert_eq!(
+            table_properties.encryption_key_id,
+            Some("key-456".to_string())
+        );
+        // Invalid numeric values should be parsed as None
+        assert_eq!(table_properties.encryption_dek_length, None);
+        assert_eq!(table_properties.encryption_aad_length, None);
+    }
+
+    #[test]
+    fn test_encryption_properties_with_other_properties() {
+        // Test encryption properties alongside other table properties
+        let props = HashMap::from([
+            (
+                TableProperties::PROPERTY_COMMIT_NUM_RETRIES.to_string(),
+                "8".to_string(),
+            ),
+            (
+                TableProperties::PROPERTY_DEFAULT_FILE_FORMAT.to_string(),
+                "orc".to_string(),
+            ),
+            (
+                TableProperties::PROPERTY_ENCRYPTION_KEY_ID.to_string(),
+                "combined-test-key".to_string(),
+            ),
+            (
+                TableProperties::PROPERTY_ENCRYPTION_DEK_LENGTH.to_string(),
+                "16".to_string(),
+            ),
+            (
+                TableProperties::PROPERTY_ENCRYPTION_KMS_TYPE.to_string(),
+                "azure".to_string(),
+            ),
+        ]);
+        let table_properties = TableProperties::try_from(&props).unwrap();
+        // Check regular properties
+        assert_eq!(table_properties.commit_num_retries, 8);
+        assert_eq!(table_properties.write_format_default, "orc".to_string());
+        // Check encryption properties
+        assert_eq!(
+            table_properties.encryption_key_id,
+            Some("combined-test-key".to_string())
+        );
+        assert_eq!(table_properties.encryption_dek_length, Some(16));
+        assert_eq!(
+            table_properties.encryption_kms_type,
+            Some("azure".to_string())
+        );
+    }
 }