@google-cloud/dlp 3.2.1 → 3.3.0

package/CHANGELOG.md

@@ -4,6 +4,13 @@
 
 [1]: https://www.npmjs.com/package/PACKAGE NAME?activeTab=versions
 
+## [3.3.0](https://www.github.com/googleapis/nodejs-dlp/compare/v3.2.1...v3.3.0) (2021-12-03)
+
+
+### Features
+
+* added deidentify replacement dictionaries feat: added field for BigQuery inspect template inclusion lists feat: added field to support infotype versioning ([#667](https://www.github.com/googleapis/nodejs-dlp/issues/667)) ([7f8b9d6](https://www.github.com/googleapis/nodejs-dlp/commit/7f8b9d6dc33837f5b93a0b2269ca79572520b14c))
+
 ### [3.2.1](https://www.github.com/googleapis/nodejs-dlp/compare/v3.2.0...v3.2.1) (2021-11-03)
 
 

package/build/protos/google/privacy/dlp/v2/dlp.proto

@@ -1,4 +1,4 @@
-// Copyright 2020 Google LLC
+// Copyright 2021 Google LLC
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -360,6 +360,10 @@ service DlpService {
         post: "/v2/{parent=projects/*/locations/*}/jobTriggers"
         body: "*"
       }
+      additional_bindings {
+        post: "/v2/{parent=organizations/*/locations/*}/jobTriggers"
+        body: "*"
+      }
     };
     option (google.api.method_signature) = "parent,job_trigger";
   }
@@ -374,6 +378,10 @@ service DlpService {
         patch: "/v2/{name=projects/*/locations/*/jobTriggers/*}"
         body: "*"
       }
+      additional_bindings {
+        patch: "/v2/{name=organizations/*/locations/*/jobTriggers/*}"
+        body: "*"
+      }
     };
     option (google.api.method_signature) = "name,job_trigger,update_mask";
   }
@@ -381,9 +389,6 @@ service DlpService {
   // Inspect hybrid content and store findings to a trigger. The inspection
   // will be processed asynchronously. To review the findings monitor the
   // jobs within the trigger.
-  // Early access feature is in a pre-release state and might change or have
-  // limited support. For more information, see
-  // https://cloud.google.com/products#product-launch-stages.
   rpc HybridInspectJobTrigger(HybridInspectJobTriggerRequest) returns (HybridInspectResponse) {
     option (google.api.http) = {
       post: "/v2/{name=projects/*/locations/*/jobTriggers/*}:hybridInspect"
@@ -400,6 +405,9 @@ service DlpService {
       additional_bindings {
         get: "/v2/{name=projects/*/locations/*/jobTriggers/*}"
       }
+      additional_bindings {
+        get: "/v2/{name=organizations/*/locations/*/jobTriggers/*}"
+      }
     };
     option (google.api.method_signature) = "name";
   }
@@ -412,6 +420,9 @@ service DlpService {
       additional_bindings {
         get: "/v2/{parent=projects/*/locations/*}/jobTriggers"
       }
+      additional_bindings {
+        get: "/v2/{parent=organizations/*/locations/*}/jobTriggers"
+      }
     };
     option (google.api.method_signature) = "parent";
   }
@@ -424,6 +435,9 @@ service DlpService {
       additional_bindings {
         delete: "/v2/{name=projects/*/locations/*/jobTriggers/*}"
       }
+      additional_bindings {
+        delete: "/v2/{name=organizations/*/locations/*/jobTriggers/*}"
+      }
     };
     option (google.api.method_signature) = "name";
   }
@@ -470,6 +484,9 @@ service DlpService {
       additional_bindings {
         get: "/v2/{parent=projects/*/locations/*}/dlpJobs"
       }
+      additional_bindings {
+        get: "/v2/{parent=organizations/*/locations/*}/dlpJobs"
+      }
     };
     option (google.api.method_signature) = "parent";
   }
@@ -623,11 +640,8 @@ service DlpService {
   }
 
   // Inspect hybrid content and store findings to a job.
-  // To review the findings inspect the job. Inspection will occur
+  // To review the findings, inspect the job. Inspection will occur
   // asynchronously.
-  // Early access feature is in a pre-release state and might change or have
-  // limited support. For more information, see
-  // https://cloud.google.com/products#product-launch-stages.
   rpc HybridInspectDlpJob(HybridInspectDlpJobRequest) returns (HybridInspectResponse) {
     option (google.api.http) = {
       post: "/v2/{name=projects/*/locations/*/dlpJobs/*}:hybridInspect"
@@ -638,9 +652,6 @@ service DlpService {
 
   // Finish a running hybrid DlpJob. Triggers the finalization steps and running
   // of any enabled actions that have not yet run.
-  // Early access feature is in a pre-release state and might change or have
-  // limited support. For more information, see
-  // https://cloud.google.com/products#product-launch-stages.
   rpc FinishDlpJob(FinishDlpJobRequest) returns (google.protobuf.Empty) {
     option (google.api.http) = {
       post: "/v2/{name=projects/*/locations/*/dlpJobs/*}:finish"
@@ -708,7 +719,8 @@ message InspectionRuleSet {
 // When used with redactContent only info_types and min_likelihood are currently
 // used.
 message InspectConfig {
-  // Configuration to control the number of findings returned.
+  // Configuration to control the number of findings returned. Cannot be set if
+  // de-identification is requested.
   message FindingLimits {
     // Max findings configuration per infoType, per content item or long
     // running DlpJob.
@@ -782,7 +794,9 @@ message InspectConfig {
 
 // Container for bytes to inspect or redact.
 message ByteContentItem {
-  // The type of data being sent for inspection.
+  // The type of data being sent for inspection. To learn more, see
+  // [Supported file
+  // types](https://cloud.google.com/dlp/docs/supported-file-types).
   enum BytesType {
     // Unused
     BYTES_TYPE_UNSPECIFIED = 0;
@@ -845,9 +859,9 @@ message ContentItem {
   }
 }
 
-// Structured content to inspect. Up to 50,000 `Value`s per request allowed.
-// See https://cloud.google.com/dlp/docs/inspecting-text#inspecting_a_table to
-// learn more.
+// Structured content to inspect. Up to 50,000 `Value`s per request allowed. See
+// https://cloud.google.com/dlp/docs/inspecting-structured-text#inspecting_a_table
+// to learn more.
 message Table {
   // Values of the row.
   message Row {
@@ -945,6 +959,9 @@ message Finding {
   string job_name = 13 [(google.api.resource_reference) = {
                           type: "dlp.googleapis.com/DlpJob"
                         }];
+
+  // The unique finding id.
+  string finding_id = 15;
 }
 
 // Specifies the location of the finding.
@@ -1488,16 +1505,13 @@ message InspectDataSourceDetails {
     repeated InfoTypeStats info_type_stats = 3;
 
     // Statistics related to the processing of hybrid inspect.
-    // Early access feature is in a pre-release state and might change or have
-    // limited support. For more information, see
-    // https://cloud.google.com/products#product-launch-stages.
     HybridInspectStatistics hybrid_stats = 7;
   }
 
   // The configuration used for this job.
   RequestedOptions requested_options = 2;
 
-  // A summary of the outcome of this inspect job.
+  // A summary of the outcome of this inspection job.
   Result result = 3;
 }
 
@@ -2200,7 +2214,7 @@ message TransformationErrorHandling {
 // A rule for transforming a value.
 message PrimitiveTransformation {
   oneof transformation {
-    // Replace
+    // Replace with a specified value.
     ReplaceValueConfig replace_config = 1;
 
     // Redact
@@ -2232,6 +2246,9 @@ message PrimitiveTransformation {
 
     // Deterministic Crypto
     CryptoDeterministicConfig crypto_deterministic_config = 12;
+
+    // Replace with a value randomly drawn (with replacement) from a dictionary.
+    ReplaceDictionaryConfig replace_dictionary_config = 13;
   }
 }
 
@@ -2282,7 +2299,9 @@ message CryptoHashConfig {
 // input. Outputs a base64 encoded representation of the encrypted output.
 // Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.
 message CryptoDeterministicConfig {
-  // The key used by the encryption function.
+  // The key used by the encryption function. For deterministic encryption
+  // using AES-SIV, the provided key is internally expanded to 64 bytes prior to
+  // use.
   CryptoKey crypto_key = 1;
 
   // The custom info type to annotate the surrogate with.
@@ -2346,6 +2365,16 @@ message ReplaceValueConfig {
   Value new_value = 1;
 }
 
+// Replace each input value with a value randomly selected from the dictionary.
+message ReplaceDictionaryConfig {
+  oneof type {
+    // A list of words to select from for random replacement. The
+    // [limits](https://cloud.google.com/dlp/limits) page contains details about
+    // the size limits of dictionaries.
+    CustomInfoType.Dictionary.WordList word_list = 1;
+  }
+}
+
 // Replace each matching finding with the name of the info_type.
 message ReplaceWithInfoTypeConfig {
 
@@ -2429,8 +2458,8 @@ message CharacterMaskConfig {
 // the user for simple bucketing strategies.
 //
 // The transformed value will be a hyphenated string of
-// {lower_bound}-{upper_bound}, i.e if lower_bound = 10 and upper_bound = 20
-// all values that are within this bucket will be replaced with "10-20".
+// {lower_bound}-{upper_bound}. For example, if lower_bound = 10 and upper_bound
+// = 20, all values that are within this bucket will be replaced with "10-20".
 //
 // This can be used on data of type: double, long.
 //
@@ -2593,10 +2622,11 @@ message CryptoReplaceFfxFpeConfig {
 }
 
 // This is a data encryption key (DEK) (as opposed to
-// a key encryption key (KEK) stored by KMS).
-// When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
-// IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
-// unwrap the data crypto key.
+// a key encryption key (KEK) stored by Cloud Key Management Service
+// (Cloud KMS).
+// When using Cloud KMS to wrap or unwrap a DEK, be sure to set an appropriate
+// IAM policy on the KEK to ensure an attacker cannot
+// unwrap the DEK.
 message CryptoKey {
   // Sources of crypto keys.
   oneof source {
@@ -2606,7 +2636,7 @@ message CryptoKey {
     // Unwrapped crypto key
     UnwrappedCryptoKey unwrapped = 2;
 
-    // Kms wrapped key
+    // Key wrapped using Cloud KMS
     KmsWrappedCryptoKey kms_wrapped = 3;
   }
 }
@@ -2631,10 +2661,16 @@ message UnwrappedCryptoKey {
 }
 
 // Include to use an existing data crypto key wrapped by KMS.
-// The wrapped key must be a 128/192/256 bit key.
+// The wrapped key must be a 128-, 192-, or 256-bit key.
 // Authorization requires the following IAM permissions when sending a request
-// to perform a crypto transformation using a kms-wrapped crypto key:
+// to perform a crypto transformation using a KMS-wrapped crypto key:
 // dlp.kms.encrypt
+//
+// For more information, see [Creating a wrapped key]
+// (https://cloud.google.com/dlp/docs/create-wrapped-key).
+//
+// Note: When you use Cloud KMS for cryptographic operations,
+// [charges apply](https://cloud.google.com/kms/pricing).
 message KmsWrappedCryptoKey {
   // Required. The wrapped data crypto key.
   bytes wrapped_key = 1 [(google.api.field_behavior) = REQUIRED];
@@ -2697,6 +2733,9 @@ message InfoTypeTransformations {
 // The transformation to apply to the field.
 message FieldTransformation {
   // Required. Input field(s) to apply the transformation to.
+  // When you have columns that reference their position within a list,
+  // omit the index from the FieldId. FieldId name matching ignores the index.
+  // For example, instead of "contact.nums[0].type", use "contact.nums.type".
   repeated FieldId fields = 1 [(google.api.field_behavior) = REQUIRED];
 
   // Only apply the transformation if the condition evaluates to true for the
@@ -2868,7 +2907,7 @@ message TransformationSummary {
   int64 transformed_bytes = 7;
 }
 
-// Schedule for triggeredJobs.
+// Schedule for inspect job triggers.
 message Schedule {
   oneof option {
     // With this option a job is started a regular periodic basis. For
@@ -2955,7 +2994,7 @@ message DeidentifyTemplate {
   // Output only. The last update timestamp of an inspectTemplate.
   google.protobuf.Timestamp update_time = 5 [(google.api.field_behavior) = OUTPUT_ONLY];
 
-  // ///////////// // The core content of the template  // ///////////////
+  // The core content of the template.
   DeidentifyConfig deidentify_config = 6;
 }
 
@@ -2985,9 +3024,6 @@ message JobTrigger {
       Schedule schedule = 1;
 
       // For use with hybrid jobs. Jobs must be manually created and finished.
-      // Early access feature is in a pre-release state and might change or have
-      // limited support. For more information, see
-      // https://cloud.google.com/products#product-launch-stages.
       Manual manual = 2;
     }
   }
@@ -3090,11 +3126,11 @@ message Action {
 
   }
 
-  // Publish findings of a DlpJob to Cloud Data Catalog. Labels summarizing the
+  // Publish findings of a DlpJob to Data Catalog. Labels summarizing the
   // results of the DlpJob will be applied to the entry for the resource scanned
-  // in Cloud Data Catalog. Any labels previously written by another DlpJob will
+  // in Data Catalog. Any labels previously written by another DlpJob will
   // be deleted. InfoType naming patterns are strictly enforced when using this
-  // feature. Note that the findings will be persisted in Cloud Data Catalog
+  // feature. Note that the findings will be persisted in Data Catalog
   // storage and are governed by Data Catalog service-specific policy, see
   // https://cloud.google.com/terms/service-terms
   // Only a single instance of this action can be specified and only allowed if
@@ -3402,10 +3438,11 @@ message CreateDlpJobRequest {
 
   // The configuration details for the specific type of job to run.
   oneof job {
-    // Set to control what and how to inspect.
+    // An inspection job scans a storage repository for InfoTypes.
     InspectJobConfig inspect_job = 2;
 
-    // Set to choose what metric to calculate.
+    // A risk analysis job calculates re-identification risk metrics for a
+    // BigQuery table.
     RiskAnalysisJobConfig risk_job = 3;
   }
 
@@ -3477,7 +3514,7 @@ message ListJobTriggersRequest {
   // * Restrictions can be combined by `AND` or `OR` logical operators. A
   // sequence of restrictions implicitly uses `AND`.
   // * A restriction has the form of `{field} {operator} {value}`.
-  // * Supported fields/values for inspect jobs:
+  // * Supported fields/values for inspect triggers:
   //     - `status` - HEALTHY|PAUSED|CANCELLED
   //     - `inspected_storage` - DATASTORE|CLOUD_STORAGE|BIGQUERY
   //     - 'last_run_time` - RFC 3339 formatted timestamp, surrounded by
@@ -3495,6 +3532,9 @@ message ListJobTriggersRequest {
   // The length of this field should be no more than 500 characters.
   string filter = 5;
 
+  // The type of jobs. Will use `DlpJobType.INSPECT` if not set.
+  DlpJobType type = 6;
+
   // Deprecated. This field has no effect.
   string location_id = 7;
 }
@@ -4347,7 +4387,7 @@ enum InfoTypeSupportedBy {
 
 // An enum to represent the various types of DLP jobs.
 enum DlpJobType {
-  // Unused
+  // Defaults to INSPECT_JOB.
   DLP_JOB_TYPE_UNSPECIFIED = 0;
 
   // The job inspected Google Cloud for sensitive data.

package/build/protos/google/privacy/dlp/v2/storage.proto

@@ -1,4 +1,4 @@
-// Copyright 2020 Google LLC
+// Copyright 2021 Google LLC
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -16,9 +16,9 @@ syntax = "proto3";
 
 package google.privacy.dlp.v2;
 
+import "google/api/annotations.proto";
 import "google/api/resource.proto";
 import "google/protobuf/timestamp.proto";
-import "google/api/annotations.proto";
 
 option csharp_namespace = "Google.Cloud.Dlp.V2";
 option go_package = "google.golang.org/genproto/googleapis/privacy/dlp/v2;dlp";
@@ -36,6 +36,9 @@ message InfoType {
   // a built-in type.  When sending Cloud DLP results to Data Catalog, infoType
   // names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`.
   string name = 1;
+
+  // Optional version name for this InfoType.
+  string version = 2;
 }
 
 // A reference to a StoredInfoType to use with scanning.
@@ -82,7 +85,7 @@ message CustomInfoType {
   // Plane](https://en.wikipedia.org/wiki/Plane_%28Unicode%29#Basic_Multilingual_Plane)
   // will be replaced with whitespace when scanning for matches, so the
   // dictionary phrase "Sam Johnson" will match all three phrases "sam johnson",
-  // "Sam, Johnson", and "Sam (Johnson)". Additionally, the characters
+  // Plane](https://en.wikipedia.org/wiki/Plane_%28Unicode%29#Basic_Multilingual_Plane)
   // surrounding any match must be of a different type than the adjacent
   // characters within the word, so letters must be next to non-letters and
   // digits next to non-digits. For example, the dictionary word "jen" will
@@ -95,7 +98,7 @@ message CustomInfoType {
   // [limits](https://cloud.google.com/dlp/limits) page contains details about
   // the size limits of dictionaries. For dictionaries that do not fit within
   // these constraints, consider using `LargeCustomDictionaryConfig` in the
-  // `StoredInfoType` API.
+  // [limits](https://cloud.google.com/dlp/limits) page contains details about
   message Dictionary {
     // Message defining a list of words or phrases to search for in the data.
     message WordList {
@@ -121,7 +124,7 @@ message CustomInfoType {
     // (https://github.com/google/re2/wiki/Syntax) can be found under the
     // google/re2 repository on GitHub.
     string pattern = 1;
-
+    // (https://github.com/google/re2/wiki/Syntax) can be found under the
     // The index of the submatch to extract as findings. When not
     // specified, the entire match is returned. No more than 3 may be included.
     repeated int32 group_indexes = 2;
@@ -132,12 +135,10 @@ message CustomInfoType {
   // [`CryptoReplaceFfxFpeConfig`](https://cloud.google.com/dlp/docs/reference/rest/v2/organizations.deidentifyTemplates#cryptoreplaceffxfpeconfig).
   // These types of transformations are
   // those that perform pseudonymization, thereby producing a "surrogate" as
-  // output. This should be used in conjunction with a field on the
+  // [`CryptoReplaceFfxFpeConfig`](https://cloud.google.com/dlp/docs/reference/rest/v2/organizations.deidentifyTemplates#cryptoreplaceffxfpeconfig).
   // transformation such as `surrogate_info_type`. This CustomInfoType does
   // not support the use of `detection_rules`.
-  message SurrogateType {
-
-  }
+  message SurrogateType {}
 
   // Deprecated; use `InspectionRuleSet` instead. Rule for modifying a
   // `CustomInfoType` to alter behavior under certain circumstances, depending
@@ -329,7 +330,7 @@ message CloudStorageRegexFileSet {
   // [syntax](https://github.com/google/re2/wiki/Syntax); a guide can be found
   // under the google/re2 repository on GitHub.
   repeated string include_regex = 2;
-
+  // [syntax](https://github.com/google/re2/wiki/Syntax); a guide can be found
   // A list of regular expressions matching file paths to exclude. All files in
   // the bucket that match at least one of these regular expressions will be
   // excluded from the scan.
@@ -338,6 +339,7 @@ message CloudStorageRegexFileSet {
   // [syntax](https://github.com/google/re2/wiki/Syntax); a guide can be found
   // under the google/re2 repository on GitHub.
   repeated string exclude_regex = 3;
+  // [syntax](https://github.com/google/re2/wiki/Syntax); a guide can be found
 }
 
 // Options defining a file or a set of files within a Google Cloud Storage
@@ -382,12 +384,14 @@ message CloudStorageOptions {
   // Max number of bytes to scan from a file. If a scanned file's size is bigger
   // than this value then the rest of the bytes are omitted. Only one
   // of bytes_limit_per_file and bytes_limit_per_file_percent can be specified.
+  // Cannot be set if de-identification is requested.
   int64 bytes_limit_per_file = 4;
 
   // Max percentage of bytes to scan from a file. The rest are omitted. The
   // number of bytes scanned is rounded down. Must be between 0 and 100,
   // inclusively. Both 0 and 100 means no limit. Defaults to 0. Only one
   // of bytes_limit_per_file and bytes_limit_per_file_percent can be specified.
+  // Cannot be set if de-identification is requested.
   int32 bytes_limit_per_file_percent = 8;
 
   // List of file type groups to include in the scan.
@@ -466,6 +470,9 @@ message BigQueryOptions {
   // References to fields excluded from scanning. This allows you to skip
   // inspection of entire columns which you know have no findings.
   repeated FieldId excluded_fields = 5;
+
+  // Limit scanning only to these fields.
+  repeated FieldId included_fields = 7;
 }
 
 // Shared message indicating Cloud storage type.
@@ -518,9 +525,6 @@ message StorageConfig {
     BigQueryOptions big_query_options = 4;
 
     // Hybrid inspection options.
-    // Early access feature is in a pre-release state and might change or have
-    // limited support. For more information, see
-    // https://cloud.google.com/products#product-launch-stages.
     HybridOptions hybrid_options = 9;
   }
 
@@ -541,11 +545,12 @@ enum FileType {
   BINARY_FILE = 1;
 
   // Included file extensions:
-  //   asc, brf, c, cc, cpp, csv, cxx, c++, cs, css, dart, eml, go, h, hh, hpp,
-  //   hxx, h++, hs, html, htm, shtml, shtm, xhtml, lhs, ini, java, js, json,
-  //   ocaml, md, mkd, markdown, m, ml, mli, pl, pm, php, phtml, pht, py, pyw,
-  //   rb, rbw, rs, rc, scala, sh, sql, tex, txt, text, tsv, vcard, vcs, wml,
-  //   xml, xsl, xsd, yml, yaml.
+  //   asc,asp, aspx, brf, c, cc,cfm, cgi, cpp, csv, cxx, c++, cs, css, dart,
+  //   dat, dot, eml,, epbub, ged, go, h, hh, hpp, hxx, h++, hs, html, htm,
+  //   mkd, markdown, m, ml, mli, perl, pl, plist, pm, php, phtml, pht,
+  //   properties, py, pyw, rb, rbw, rs, rss,  rc, scala, sh, sql, swift, tex,
+  //   shtml, shtm, xhtml, lhs, ics, ini, java, js, json, kix, kml, ocaml, md,
+  //   txt, text, tsv, vb, vcard, vcs, wml, xcodeproj, xml, xsl, xsd, yml, yaml.
   TEXT_FILE = 2;
 
   // Included file extensions: