[DLP] Implemented dlp_deidentify_table_condition_masking (#9521)

* Rebase - 1

* [dlp_deidentify_table_condition_masking] Formatted

* [dlp_deidentify_table_condition_masking] Formatted

* [dlp_deidentify_table_condition_masking] Formatted

* Refactored

* Rebase - 1

* [dlp_deidentify_table_condition_masking] Formatted

* [dlp_deidentify_table_condition_masking] Formatted

* [dlp_deidentify_table_condition_masking] Formatted

* Refactored

---------

Co-authored-by: Karl Weinmeister <[email protected]>

Author: Avani-Thakker-Crest

dlp/snippets/deid.py

@@ -1277,6 +1277,139 @@ def deidentify_table_condition_replace_with_info_types(
 # [END dlp_deidentify_table_condition_infotypes]
 
 
+# [START dlp_deidentify_table_condition_masking]
+def deidentify_table_condition_masking(
+    project,
+    table_data,
+    deid_content_list,
+    condition_field=None,
+    condition_operator=None,
+    condition_value=None,
+    masking_character=None
+):
+    """ Uses the Data Loss Prevention API to de-identify sensitive data in a
+      table by masking them based on a condition.
+
+    Args:
+        project: The Google Cloud project id to use as a parent resource.
+        table_data: Json string representing table data.
+        deid_content_list: A list of fields in table to de-identify.
+        condition_field: A table Field within the record this condition is evaluated against.
+        condition_operator: Operator used to compare the field or infoType to the value. One of:
+            RELATIONAL_OPERATOR_UNSPECIFIED, EQUAL_TO, NOT_EQUAL_TO, GREATER_THAN, LESS_THAN, GREATER_THAN_OR_EQUALS,
+            LESS_THAN_OR_EQUALS, EXISTS.
+        condition_value: Value to compare against. [Mandatory, except for ``EXISTS`` tests.].
+        masking_character: The character to mask matching sensitive data with.
+
+    Returns:
+        De-identified table is returned;
+        the response from the API is also printed to the terminal.
+
+    Example:
+    table_data = {
+        "header":[
+            "email",
+            "phone number",
+            "age",
+            "happiness_score"
+        ],
+        "rows":[
+            [
+                "[email protected]",
+                "4232342345",
+                "35",
+                "21"
+            ],
+            [
+                "[email protected]",
+                "4253458383",
+                "64",
+                "34"
+            ]
+        ]
+    }
+
+    >> $ python deid.py deid_table_condition_mask \
+    '{"header": ["email", "phone number", "age", "happiness_score"],
+    "rows": [["[email protected]", "4232342345", "35", "21"],
+    ["[email protected]", "4253458383", "64", "34"]]}' \
+    ["happiness_score"] "age" "GREATER_THAN" 50
+    >> '{"header": ["email", "phone number", "age", "happiness_score"],
+        "rows": [["[email protected]", "4232342345", "35", "21"],
+        ["[email protected]", "4253458383", "64", "**"]]}'
+    """
+
+    # Import the client library
+    import google.cloud.dlp
+
+    # Instantiate a client.
+    dlp = google.cloud.dlp_v2.DlpServiceClient()
+
+    # Construct the `table`. For more details on the table schema, please see
+    # https://cloud.google.com/dlp/docs/reference/rest/v2/ContentItem#Table
+    headers = [{"name": val} for val in table_data["header"]]
+    rows = []
+    for row in table_data["rows"]:
+        rows.append({"values": [{"string_value": cell_val} for cell_val in row]})
+
+    table = {"headers": headers, "rows": rows}
+
+    # Construct the `item`
+    item = {"table": table}
+
+    # Specify fields to be de-identified
+    deid_content_list = [{"name": _i} for _i in deid_content_list]
+
+    # Construct condition list
+    condition = [
+        {
+            "field": {"name": condition_field},
+            "operator": condition_operator,
+            "value": {"integer_value": condition_value}
+        }
+    ]
+
+    # Construct deidentify configuration dictionary
+    deidentify_config = {
+        "record_transformations": {
+            "field_transformations": [
+                {
+                    "primitive_transformation": {
+                        "character_mask_config": {
+                            "masking_character": masking_character
+                        }
+                    },
+                    "fields": deid_content_list,
+                    "condition": {
+                        "expressions": {
+                            "conditions": {"conditions": condition}
+                        }
+                    }
+                }
+            ]
+        }
+    }
+
+    # Convert the project id into a full resource id.
+    parent = f"projects/{project}"
+
+    # Call the API.
+    response = dlp.deidentify_content(
+        request={
+            "parent": parent,
+            "deidentify_config": deidentify_config,
+            "item": item
+        })
+
+    # Print the result
+    print("Table after de-identification: {}".format(response.item.table))
+
+    # Return the response
+    return response.item.table
+
+# [END dlp_deidentify_table_condition_masking]
+
+
 if __name__ == "__main__":
     parser = argparse.ArgumentParser(description=__doc__)
     subparsers = parser.add_subparsers(
@@ -1607,6 +1740,45 @@ def deidentify_table_condition_replace_with_info_types(
         help="Value to compare against. [Mandatory, except for ``EXISTS`` tests.].",
     )
 
+    table_condition_mask_parser = subparsers.add_parser(
+        "deid_table_condition_mask",
+        help="De-identify sensitive data in a table by masking"
+        "them based on a condition.",
+    )
+    table_condition_mask_parser.add_argument(
+        "project",
+        help="The Google Cloud project id to use as a parent resource.",
+    )
+    table_condition_mask_parser.add_argument(
+        "table_data",
+        help="Json string representing table data",
+    )
+    table_condition_mask_parser.add_argument(
+        "deid_content_list",
+        help="A list of fields in table to de-identify."
+    )
+    table_condition_mask_parser.add_argument(
+        "--condition_field",
+        help="A table Field within the record this condition is evaluated "
+        "against.",
+    )
+    table_condition_mask_parser.add_argument(
+        "--condition_operator",
+        help="Operator used to compare the field or infoType to the value. "
+        "One of: RELATIONAL_OPERATOR_UNSPECIFIED, EQUAL_TO, NOT_EQUAL_TO, "
+        "GREATER_THAN, LESS_THAN, GREATER_THAN_OR_EQUALS, LESS_THAN_OR_EQUALS, "
+        "EXISTS.",
+    )
+    table_condition_mask_parser.add_argument(
+        "--condition_value",
+        help="Value to compare against. [Mandatory, except for ``EXISTS`` tests.].",
+    )
+    table_condition_mask_parser.add_argument(
+        "-m",
+        "--masking_character",
+        help="The character to mask matching sensitive data with.",
+    )
+
     args = parser.parse_args()
 
     if args.content == "deid_mask":
@@ -1687,3 +1859,13 @@ def deidentify_table_condition_replace_with_info_types(
             condition_operator=args.condition_operator,
             condition_value=args.condition_value
         )
+    elif args.content == "deid_table_condition_mask":
+        deidentify_table_condition_masking(
+            args.project,
+            args.table_data,
+            args.deid_content_list,
+            condition_field=args.condition_field,
+            condition_operator=args.condition_operator,
+            condition_value=args.condition_value,
+            masking_character=args.masking_character
+        )

dlp/snippets/deid_test.py

@@ -39,10 +39,14 @@
 DATE_SHIFTED_AMOUNT = 30
 DATE_FIELDS = ["birth_date", "register_date"]
 CSV_CONTEXT_FIELD = "name"
-TABLE_DATA = {"header": ["age", "patient", "happiness_score"],
-              "rows": [["101", "Charles Dickens", "95"],
-                       ["22", "Jane Austen", "21"],
-                       ["90", "Mark Twain", "75"]]}
+TABLE_DATA = {
+    "header": ["age", "patient", "happiness_score"],
+    "rows": [
+        ["101", "Charles Dickens", "95"],
+        ["22", "Jane Austen", "21"],
+        ["90", "Mark Twain", "75"]
+    ]
+}
 
 
 @pytest.fixture(scope="module")
@@ -356,3 +360,34 @@ def test_deidentify_table_condition_replace_with_info_types(capsys):
     assert "[PERSON_NAME] name was a curse invented by [PERSON_NAME]." in out
     assert "There are 14 kisses in Jane Austen\\\'s novels." in out
     assert "[PERSON_NAME] loved cats." in out
+
+
+def test_deidentify_table_condition_masking(capsys):
+    deid_list = ["happiness_score"]
+    deid.deidentify_table_condition_masking(
+        GCLOUD_PROJECT,
+        TABLE_DATA,
+        deid_list,
+        condition_field="age",
+        condition_operator="GREATER_THAN",
+        condition_value=89,
+    )
+    out, _ = capsys.readouterr()
+    assert "string_value: \"**\"" in out
+    assert "string_value: \"21\"" in out
+
+
+def test_deidentify_table_condition_masking_with_masking_character_specified(capsys):
+    deid_list = ["happiness_score"]
+    deid.deidentify_table_condition_masking(
+        GCLOUD_PROJECT,
+        TABLE_DATA,
+        deid_list,
+        condition_field="age",
+        condition_operator="GREATER_THAN",
+        condition_value=89,
+        masking_character="#"
+    )
+    out, _ = capsys.readouterr()
+    assert "string_value: \"##\"" in out
+    assert "string_value: \"21\"" in out