Add Always Encrypted column encryption key support

- Add AST types for CREATE/ALTER/DROP COLUMN ENCRYPTION KEY statements
- Add ColumnEncryptionKeyValue and parameter types
- Add parsing for column encryption key statements
- Add ALTER COLUMN ENCRYPTION KEY ADD/DROP VALUE parsing
- Add JSON marshaling for new statement types
- Add TokenMaster, TokenKey, TokenEncryption to GRANT/DENY permission parsing
- Add IsIfExists field to DropColumnMasterKeyStatement

Enables AlwaysEncryptedTests130 and Baselines130_AlwaysEncryptedTests130.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Author: kyleconroy

ast/column_encryption.go

@@ -35,3 +35,70 @@ type ColumnEncryptionAlgorithmParameter struct {
 }
 
 func (c *ColumnEncryptionAlgorithmParameter) columnEncryptionParameter() {}
+
+// ColumnEncryptionKeyValueParameter represents a parameter in column encryption key values
+type ColumnEncryptionKeyValueParameter interface {
+	columnEncryptionKeyValueParameter()
+}
+
+// ColumnMasterKeyNameParameter represents COLUMN_MASTER_KEY parameter in CEK
+type ColumnMasterKeyNameParameter struct {
+	Name          *Identifier
+	ParameterKind string // "ColumnMasterKeyName"
+}
+
+func (c *ColumnMasterKeyNameParameter) node()                             {}
+func (c *ColumnMasterKeyNameParameter) columnEncryptionKeyValueParameter() {}
+
+// ColumnEncryptionAlgorithmNameParameter represents ALGORITHM parameter in CEK
+type ColumnEncryptionAlgorithmNameParameter struct {
+	Algorithm     ScalarExpression
+	ParameterKind string // "EncryptionAlgorithmName"
+}
+
+func (c *ColumnEncryptionAlgorithmNameParameter) node()                             {}
+func (c *ColumnEncryptionAlgorithmNameParameter) columnEncryptionKeyValueParameter() {}
+
+// EncryptedValueParameter represents ENCRYPTED_VALUE parameter
+type EncryptedValueParameter struct {
+	Value         ScalarExpression
+	ParameterKind string // "EncryptedValue"
+}
+
+func (e *EncryptedValueParameter) node()                             {}
+func (e *EncryptedValueParameter) columnEncryptionKeyValueParameter() {}
+
+// ColumnEncryptionKeyValue represents a value in CREATE/ALTER COLUMN ENCRYPTION KEY
+type ColumnEncryptionKeyValue struct {
+	Parameters []ColumnEncryptionKeyValueParameter
+}
+
+func (c *ColumnEncryptionKeyValue) node() {}
+
+// CreateColumnEncryptionKeyStatement represents CREATE COLUMN ENCRYPTION KEY statement
+type CreateColumnEncryptionKeyStatement struct {
+	Name                      *Identifier
+	ColumnEncryptionKeyValues []*ColumnEncryptionKeyValue
+}
+
+func (c *CreateColumnEncryptionKeyStatement) node()      {}
+func (c *CreateColumnEncryptionKeyStatement) statement() {}
+
+// AlterColumnEncryptionKeyStatement represents ALTER COLUMN ENCRYPTION KEY statement
+type AlterColumnEncryptionKeyStatement struct {
+	Name                      *Identifier
+	AlterType                 string // "Add" or "Drop"
+	ColumnEncryptionKeyValues []*ColumnEncryptionKeyValue
+}
+
+func (a *AlterColumnEncryptionKeyStatement) node()      {}
+func (a *AlterColumnEncryptionKeyStatement) statement() {}
+
+// DropColumnEncryptionKeyStatement represents DROP COLUMN ENCRYPTION KEY statement
+type DropColumnEncryptionKeyStatement struct {
+	Name       *Identifier
+	IsIfExists bool
+}
+
+func (d *DropColumnEncryptionKeyStatement) node()      {}
+func (d *DropColumnEncryptionKeyStatement) statement() {}

ast/column_master_key_statement.go

@@ -44,7 +44,8 @@ func (c *ColumnMasterKeyEnclaveComputationsParameter) columnMasterKeyParameter()
 
 // DropColumnMasterKeyStatement represents a DROP COLUMN MASTER KEY statement.
 type DropColumnMasterKeyStatement struct {
-	Name *Identifier
+	Name       *Identifier
+	IsIfExists bool
 }
 
 func (d *DropColumnMasterKeyStatement) node()      {}

parser/marshal.go

@@ -175,6 +175,12 @@ func statementToJSON(stmt ast.Statement) jsonNode {
 		return createColumnMasterKeyStatementToJSON(s)
 	case *ast.DropColumnMasterKeyStatement:
 		return dropColumnMasterKeyStatementToJSON(s)
+	case *ast.CreateColumnEncryptionKeyStatement:
+		return createColumnEncryptionKeyStatementToJSON(s)
+	case *ast.AlterColumnEncryptionKeyStatement:
+		return alterColumnEncryptionKeyStatementToJSON(s)
+	case *ast.DropColumnEncryptionKeyStatement:
+		return dropColumnEncryptionKeyStatementToJSON(s)
 	case *ast.AlterCryptographicProviderStatement:
 		return alterCryptographicProviderStatementToJSON(s)
 	case *ast.DropCryptographicProviderStatement:
@@ -8466,7 +8472,8 @@ func (p *Parser) parseGrantStatement() (*ast.GrantStatement, error) {
 			p.curTok.Type == TokenDatabase || p.curTok.Type == TokenTable ||
 			p.curTok.Type == TokenFunction || p.curTok.Type == TokenBackup ||
 			p.curTok.Type == TokenDefault || p.curTok.Type == TokenTrigger ||
-			p.curTok.Type == TokenSchema {
+			p.curTok.Type == TokenSchema || p.curTok.Type == TokenMaster ||
+			p.curTok.Type == TokenKey || p.curTok.Type == TokenEncryption {
 			perm.Identifiers = append(perm.Identifiers, &ast.Identifier{
 				Value:     p.curTok.Literal,
 				QuoteType: "NotQuoted",
@@ -9040,7 +9047,8 @@ func (p *Parser) parseDenyStatement() (*ast.DenyStatement, error) {
 			p.curTok.Type == TokenDatabase || p.curTok.Type == TokenTable ||
 			p.curTok.Type == TokenFunction || p.curTok.Type == TokenBackup ||
 			p.curTok.Type == TokenDefault || p.curTok.Type == TokenTrigger ||
-			p.curTok.Type == TokenSchema {
+			p.curTok.Type == TokenSchema || p.curTok.Type == TokenMaster ||
+			p.curTok.Type == TokenKey || p.curTok.Type == TokenEncryption {
 			perm.Identifiers = append(perm.Identifiers, &ast.Identifier{
 				Value:     p.curTok.Literal,
 				QuoteType: "NotQuoted",
@@ -20827,9 +20835,106 @@ func dropColumnMasterKeyStatementToJSON(s *ast.DropColumnMasterKeyStatement) jso
 	if s.Name != nil {
 		node["Name"] = identifierToJSON(s.Name)
 	}
+	node["IsIfExists"] = s.IsIfExists
+	return node
+}
+
+func createColumnEncryptionKeyStatementToJSON(s *ast.CreateColumnEncryptionKeyStatement) jsonNode {
+	node := jsonNode{
+		"$type": "CreateColumnEncryptionKeyStatement",
+	}
+	if s.Name != nil {
+		node["Name"] = identifierToJSON(s.Name)
+	}
+	if len(s.ColumnEncryptionKeyValues) > 0 {
+		values := make([]jsonNode, len(s.ColumnEncryptionKeyValues))
+		for i, v := range s.ColumnEncryptionKeyValues {
+			values[i] = columnEncryptionKeyValueToJSON(v)
+		}
+		node["ColumnEncryptionKeyValues"] = values
+	}
+	return node
+}
+
+func alterColumnEncryptionKeyStatementToJSON(s *ast.AlterColumnEncryptionKeyStatement) jsonNode {
+	node := jsonNode{
+		"$type": "AlterColumnEncryptionKeyStatement",
+	}
+	if s.AlterType != "" {
+		node["AlterType"] = s.AlterType
+	}
+	if s.Name != nil {
+		node["Name"] = identifierToJSON(s.Name)
+	}
+	if len(s.ColumnEncryptionKeyValues) > 0 {
+		values := make([]jsonNode, len(s.ColumnEncryptionKeyValues))
+		for i, v := range s.ColumnEncryptionKeyValues {
+			values[i] = columnEncryptionKeyValueToJSON(v)
+		}
+		node["ColumnEncryptionKeyValues"] = values
+	}
 	return node
 }
 
+func dropColumnEncryptionKeyStatementToJSON(s *ast.DropColumnEncryptionKeyStatement) jsonNode {
+	node := jsonNode{
+		"$type": "DropColumnEncryptionKeyStatement",
+	}
+	if s.Name != nil {
+		node["Name"] = identifierToJSON(s.Name)
+	}
+	node["IsIfExists"] = s.IsIfExists
+	return node
+}
+
+func columnEncryptionKeyValueToJSON(v *ast.ColumnEncryptionKeyValue) jsonNode {
+	node := jsonNode{
+		"$type": "ColumnEncryptionKeyValue",
+	}
+	if len(v.Parameters) > 0 {
+		params := make([]jsonNode, len(v.Parameters))
+		for i, p := range v.Parameters {
+			params[i] = columnEncryptionKeyValueParameterToJSON(p)
+		}
+		node["Parameters"] = params
+	}
+	return node
+}
+
+func columnEncryptionKeyValueParameterToJSON(p ast.ColumnEncryptionKeyValueParameter) jsonNode {
+	switch param := p.(type) {
+	case *ast.ColumnMasterKeyNameParameter:
+		node := jsonNode{
+			"$type": "ColumnMasterKeyNameParameter",
+		}
+		if param.Name != nil {
+			node["Name"] = identifierToJSON(param.Name)
+		}
+		node["ParameterKind"] = param.ParameterKind
+		return node
+	case *ast.ColumnEncryptionAlgorithmNameParameter:
+		node := jsonNode{
+			"$type": "ColumnEncryptionAlgorithmNameParameter",
+		}
+		if param.Algorithm != nil {
+			node["Algorithm"] = scalarExpressionToJSON(param.Algorithm)
+		}
+		node["ParameterKind"] = param.ParameterKind
+		return node
+	case *ast.EncryptedValueParameter:
+		node := jsonNode{
+			"$type": "EncryptedValueParameter",
+		}
+		if param.Value != nil {
+			node["Value"] = scalarExpressionToJSON(param.Value)
+		}
+		node["ParameterKind"] = param.ParameterKind
+		return node
+	default:
+		return jsonNode{"$type": "UnknownColumnEncryptionKeyValueParameter"}
+	}
+}
+
 func alterCryptographicProviderStatementToJSON(s *ast.AlterCryptographicProviderStatement) jsonNode {
 	node := jsonNode{
 		"$type": "AlterCryptographicProviderStatement",

parser/parse_ddl.go

@@ -160,6 +160,8 @@ func (p *Parser) parseDropStatement() (ast.Statement, error) {
 		return p.parseDropServiceStatement()
 	case "EVENT":
 		return p.parseDropEventNotificationStatement()
+	case "COLUMN":
+		return p.parseDropColumnStatement()
 	}
 
 	// Handle LOGIN token explicitly
@@ -2275,6 +2277,42 @@ func (p *Parser) parseDropMasterKeyStatement() (*ast.DropMasterKeyStatement, err
 	return stmt, nil
 }
 
+func (p *Parser) parseDropColumnStatement() (ast.Statement, error) {
+	// Consume COLUMN
+	p.nextToken()
+
+	keyword := strings.ToUpper(p.curTok.Literal)
+	p.nextToken() // consume MASTER or ENCRYPTION
+
+	if keyword == "MASTER" {
+		// DROP COLUMN MASTER KEY
+		if strings.ToUpper(p.curTok.Literal) == "KEY" {
+			p.nextToken() // consume KEY
+		}
+		stmt := &ast.DropColumnMasterKeyStatement{
+			Name: p.parseIdentifier(),
+		}
+		if p.curTok.Type == TokenSemicolon {
+			p.nextToken()
+		}
+		return stmt, nil
+	} else if keyword == "ENCRYPTION" {
+		// DROP COLUMN ENCRYPTION KEY
+		if strings.ToUpper(p.curTok.Literal) == "KEY" {
+			p.nextToken() // consume KEY
+		}
+		stmt := &ast.DropColumnEncryptionKeyStatement{
+			Name: p.parseIdentifier(),
+		}
+		if p.curTok.Type == TokenSemicolon {
+			p.nextToken()
+		}
+		return stmt, nil
+	}
+
+	return nil, fmt.Errorf("unexpected token after DROP COLUMN: expected MASTER or ENCRYPTION, got %s", keyword)
+}
+
 func (p *Parser) parseDropXmlSchemaCollectionStatement() (*ast.DropXmlSchemaCollectionStatement, error) {
 	// Consume XML
 	p.nextToken()
@@ -2621,6 +2659,8 @@ func (p *Parser) parseAlterStatement() (ast.Statement, error) {
 			return p.parseAlterEventSessionStatement()
 		case "SECURITY":
 			return p.parseAlterSecurityPolicyStatement()
+		case "COLUMN":
+			return p.parseAlterColumnEncryptionKeyStatement()
 		}
 		return nil, fmt.Errorf("unexpected token after ALTER: %s", p.curTok.Literal)
 	default:
@@ -12704,3 +12744,97 @@ func (p *Parser) parseAlterAuthorizationStatement() (*ast.AlterAuthorizationStat
 
 	return stmt, nil
 }
+
+func (p *Parser) parseAlterColumnEncryptionKeyStatement() (ast.Statement, error) {
+	// ALTER COLUMN ENCRYPTION KEY name ADD|DROP VALUE (...)
+	// Currently on COLUMN
+	p.nextToken() // consume COLUMN
+
+	if strings.ToUpper(p.curTok.Literal) != "ENCRYPTION" {
+		return nil, fmt.Errorf("expected ENCRYPTION after COLUMN, got %s", p.curTok.Literal)
+	}
+	p.nextToken() // consume ENCRYPTION
+
+	if strings.ToUpper(p.curTok.Literal) != "KEY" {
+		return nil, fmt.Errorf("expected KEY after ENCRYPTION, got %s", p.curTok.Literal)
+	}
+	p.nextToken() // consume KEY
+
+	stmt := &ast.AlterColumnEncryptionKeyStatement{}
+
+	// Parse key name
+	stmt.Name = p.parseIdentifier()
+
+	// Parse ADD VALUE or DROP VALUE
+	keyword := strings.ToUpper(p.curTok.Literal)
+	if keyword == "ADD" {
+		stmt.AlterType = "Add"
+		p.nextToken() // consume ADD
+	} else if keyword == "DROP" {
+		stmt.AlterType = "Drop"
+		p.nextToken() // consume DROP
+	} else {
+		return nil, fmt.Errorf("expected ADD or DROP, got %s", p.curTok.Literal)
+	}
+
+	if strings.ToUpper(p.curTok.Literal) == "VALUE" {
+		p.nextToken() // consume VALUE
+	}
+
+	// Parse the value - enclosed in ( ... )
+	if p.curTok.Type == TokenLParen {
+		value := &ast.ColumnEncryptionKeyValue{}
+		p.nextToken() // consume (
+
+		// Parse parameters
+		for p.curTok.Type != TokenRParen && p.curTok.Type != TokenEOF {
+			paramName := strings.ToUpper(p.curTok.Literal)
+			p.nextToken() // consume parameter name
+
+			if p.curTok.Type == TokenEquals {
+				p.nextToken() // consume =
+			}
+
+			switch paramName {
+			case "COLUMN_MASTER_KEY":
+				value.Parameters = append(value.Parameters, &ast.ColumnMasterKeyNameParameter{
+					Name:          p.parseIdentifier(),
+					ParameterKind: "ColumnMasterKeyName",
+				})
+			case "ALGORITHM":
+				expr, _ := p.parseScalarExpression()
+				value.Parameters = append(value.Parameters, &ast.ColumnEncryptionAlgorithmNameParameter{
+					Algorithm:     expr,
+					ParameterKind: "EncryptionAlgorithmName",
+				})
+			case "ENCRYPTED_VALUE":
+				expr, _ := p.parseScalarExpression()
+				value.Parameters = append(value.Parameters, &ast.EncryptedValueParameter{
+					Value:         expr,
+					ParameterKind: "EncryptedValue",
+				})
+			default:
+				// Skip unknown parameter
+				p.nextToken()
+			}
+
+			// Skip comma if present
+			if p.curTok.Type == TokenComma {
+				p.nextToken()
+			}
+		}
+
+		// Consume closing )
+		if p.curTok.Type == TokenRParen {
+			p.nextToken()
+		}
+
+		stmt.ColumnEncryptionKeyValues = append(stmt.ColumnEncryptionKeyValues, value)
+	}
+
+	if p.curTok.Type == TokenSemicolon {
+		p.nextToken()
+	}
+
+	return stmt, nil
+}