Transform findings using a cryptographic hash transformation

using System;
using System.Collections.Generic;
using Google.Api.Gax.ResourceNames;
using Google.Cloud.Dlp.V2;

public class DeidentifyTableWithCryptoHash
{
    public static Table Deidentify(
        string projectId,
        Table tableToDeidentify = null,
        IEnumerable<InfoType> infoTypes = null,
        string transientKeyName = null)
    {
        // Instantiate the client.
        var dlp = DlpServiceClient.Create();

        // Construct the table if null.
        if (tableToDeidentify == null)
        {
            var row1 = new Value[]
            {
                new Value { StringValue = "user1@example.org" },
                new Value { StringValue = "my email is user1@example.org and phone is 858-555-0222" }
            };
            var row2 = new Value[]
            {
                new Value { StringValue = "user2@example.org" },
                new Value { StringValue = "my email is user2@example.org and phone is 858-555-0223" }
            };
            var row3 = new Value[]
            {
                new Value { StringValue = "user3@example.org" },
                new Value { StringValue = "my email is user3@example.org and phone is 858-555-0224" }
            };

            tableToDeidentify = new Table
            {
                Headers =
                {
                    new FieldId { Name = "User ID" },
                    new FieldId { Name = "comments" }
                },
                Rows =
                {
                    new Table.Types.Row { Values = { row1 } },
                    new Table.Types.Row { Values = { row2 } },
                    new Table.Types.Row { Values = { row3 } }
                }
            };
        }

        // Specify the table and construct the content item.
        var contentItem = new ContentItem { Table = tableToDeidentify };

        // Construct the infoTypes by specifying the type of info to be inspected if null.
        var infotypes = infoTypes ?? new InfoType[]
        {
            new InfoType { Name = "EMAIL_ADDRESS" },
            new InfoType { Name = "PHONE_NUMBER" }
        };

        // Construct the crypto hash config using transient crypto key name.
        var cryptoHashConfig = new CryptoHashConfig
        {
            CryptoKey = new CryptoKey
            {
                Transient = new TransientCryptoKey
                {
                    Name = transientKeyName ?? "[TRANSIENT-CRYPTO-KEY]"
                }
            }
        };

        // Construct the de-identify config using crypto hash config.
        var deidentifyConfig = new DeidentifyConfig
        {
            InfoTypeTransformations = new InfoTypeTransformations
            {
                Transformations =
                {
                    new InfoTypeTransformations.Types.InfoTypeTransformation
                    {
                        PrimitiveTransformation = new PrimitiveTransformation
                        {
                            CryptoHashConfig = cryptoHashConfig
                        },
                        InfoTypes = { infotypes }
                    }
                }
            }
        };

        // Construct the inspect config.
        var inspectConfig = new InspectConfig
        {
            InfoTypes = { infotypes },
            IncludeQuote = true
        };

        // Construct the request.
        var request = new DeidentifyContentRequest
        {
            ParentAsLocationName = new LocationName(projectId, "global"),
            DeidentifyConfig = deidentifyConfig,
            Item = contentItem,
            InspectConfig = inspectConfig
        };

        // Call the API.
        DeidentifyContentResponse response = dlp.DeidentifyContent(request);

        // Print the table.
        Console.WriteLine(response.Item.Table);

        return response.Item.Table;
    }
}

import (
	"context"
	"fmt"
	"io"

	dlp "cloud.google.com/go/dlp/apiv2"
	"cloud.google.com/go/dlp/apiv2/dlppb"
)

// deIdentifyTableWithCryptoHash transforms findings using a cryptographic hash transformation.
func deIdentifyTableWithCryptoHash(w io.Writer, projectID, transientKeyName string) error {
	// projectId := "your-project-id"
	// transientKeyName := "YOUR_TRANSIENT_CRYPTO_KEY_NAME"

	row1 := &dlppb.Table_Row{
		Values: []*dlppb.Value{
			{Type: &dlppb.Value_StringValue{StringValue: "user1@example.org"}},
			{Type: &dlppb.Value_StringValue{StringValue: "my email is user1@example.org and phone is 858-555-0222"}},
		},
	}

	row2 := &dlppb.Table_Row{
		Values: []*dlppb.Value{
			{Type: &dlppb.Value_StringValue{StringValue: "user2@example.org"}},
			{Type: &dlppb.Value_StringValue{StringValue: "my email is user2@example.org and phone is 858-555-0232"}},
		},
	}

	row3 := &dlppb.Table_Row{
		Values: []*dlppb.Value{
			{Type: &dlppb.Value_StringValue{StringValue: "user3@example.org"}},
			{Type: &dlppb.Value_StringValue{StringValue: "my email is user3@example.org and phone is 858-555-0224"}},
		},
	}

	tableToDeidentify := &dlppb.Table{
		Headers: []*dlppb.FieldId{
			{Name: "userid"},
			{Name: "comments"},
		},
		Rows: []*dlppb.Table_Row{
			{Values: row1.Values},
			{Values: row2.Values},
			{Values: row3.Values},
		},
	}

	ctx := context.Background()

	// Initialize a client once and reuse it to send multiple requests. Clients
	// are safe to use across goroutines. When the client is no longer needed,
	// call the Close method to cleanup its resources.
	client, err := dlp.NewClient(ctx)
	if err != nil {
		return err
	}

	// Closing the client safely cleans up background resources.
	defer client.Close()

	// Specify what content you want the service to de-identify.
	contentItem := &dlppb.ContentItem{
		DataItem: &dlppb.ContentItem_Table{
			Table: tableToDeidentify,
		},
	}

	// Specify the type of info the inspection will look for.
	// See https://cloud.google.com/dlp/docs/infotypes-reference for complete list of info types
	infoTypes := []*dlppb.InfoType{
		{Name: "PHONE_NUMBER"},
		{Name: "EMAIL_ADDRESS"},
	}

	inspectConfig := &dlppb.InspectConfig{
		InfoTypes: infoTypes,
	}

	// Specify the transient key which will encrypt the data.
	if transientKeyName == "" {
		transientKeyName = "YOUR_TRANSIENT_CRYPTO_KEY_NAME"
	}

	// Specify the transient key which will encrypt the data.
	cryptoKey := &dlppb.CryptoKey{
		Source: &dlppb.CryptoKey_Transient{
			Transient: &dlppb.TransientCryptoKey{
				Name: transientKeyName,
			},
		},
	}

	// Specify how the info from the inspection should be encrypted.
	cryptoHashConfig := &dlppb.CryptoHashConfig{
		CryptoKey: cryptoKey,
	}

	// Define type of de-identification as cryptographic hash transformation.
	primitiveTransformation := &dlppb.PrimitiveTransformation_CryptoHashConfig{
		CryptoHashConfig: cryptoHashConfig,
	}

	infoTypeTransformation := &dlppb.InfoTypeTransformations_InfoTypeTransformation{
		InfoTypes: infoTypes,
		PrimitiveTransformation: &dlppb.PrimitiveTransformation{
			Transformation: primitiveTransformation,
		},
	}

	transformations := &dlppb.InfoTypeTransformations{
		Transformations: []*dlppb.InfoTypeTransformations_InfoTypeTransformation{
			infoTypeTransformation,
		},
	}

	// Specify the config for the de-identify request.
	deidentifyConfig := &dlppb.DeidentifyConfig{
		Transformation: &dlppb.DeidentifyConfig_InfoTypeTransformations{
			InfoTypeTransformations: transformations,
		},
	}

	// Construct the de-identification request to be sent by the client.
	req := &dlppb.DeidentifyContentRequest{
		Parent:           fmt.Sprintf("projects/%s/locations/global", projectID),
		DeidentifyConfig: deidentifyConfig,
		InspectConfig:    inspectConfig,
		Item:             contentItem,
	}

	// Send the request.
	resp, err := client.DeidentifyContent(ctx, req)
	if err != nil {
		return err
	}

	// Print the results.
	fmt.Fprintf(w, "Table after de-identification : %v", resp.GetItem().GetTable())
	return nil
}

import com.google.cloud.dlp.v2.DlpServiceClient;
import com.google.privacy.dlp.v2.ContentItem;
import com.google.privacy.dlp.v2.CryptoHashConfig;
import com.google.privacy.dlp.v2.CryptoKey;
import com.google.privacy.dlp.v2.DeidentifyConfig;
import com.google.privacy.dlp.v2.DeidentifyContentRequest;
import com.google.privacy.dlp.v2.DeidentifyContentResponse;
import com.google.privacy.dlp.v2.FieldId;
import com.google.privacy.dlp.v2.InfoType;
import com.google.privacy.dlp.v2.InfoTypeTransformations;
import com.google.privacy.dlp.v2.InspectConfig;
import com.google.privacy.dlp.v2.LocationName;
import com.google.privacy.dlp.v2.PrimitiveTransformation;
import com.google.privacy.dlp.v2.Table;
import com.google.privacy.dlp.v2.TransientCryptoKey;
import com.google.privacy.dlp.v2.Value;
import java.io.IOException;
import java.util.List;
import java.util.stream.Collectors;
import java.util.stream.Stream;

public class DeIdentifyTableWithCryptoHash {

  public static void main(String[] args) throws Exception {
    // TODO(developer): Replace these variables before running the sample.

    // The Google Cloud project id to use as a parent resource.
    String projectId = "your-project-id";

    // The table to de-identify.
    Table tableToDeIdentify =
        Table.newBuilder()
            .addHeaders(FieldId.newBuilder().setName("userid").build())
            .addHeaders(FieldId.newBuilder().setName("comments").build())
            .addRows(
                Table.Row.newBuilder()
                    .addValues(Value.newBuilder().setStringValue("user1@example.org").build())
                    .addValues(
                        Value.newBuilder()
                            .setStringValue(
                                "my email is user1@example.org and phone is 858-555-0222")
                            .build())
                    .build())
            .addRows(
                Table.Row.newBuilder()
                    .addValues(Value.newBuilder().setStringValue("user2@example.org").build())
                    .addValues(
                        Value.newBuilder()
                            .setStringValue(
                                "my email is user2@example.org and phone is 858-555-0223")
                            .build())
                    .build())
            .addRows(
                Table.Row.newBuilder()
                    .addValues(Value.newBuilder().setStringValue("user3@example.org").build())
                    .addValues(
                        Value.newBuilder()
                            .setStringValue(
                                "my email is user3@example.org and phone is 858-555-0224")
                            .build())
                    .build())
            .build();

    // The randomly generated crypto key to encrypt the data.
    String transientKeyName = "YOUR_TRANSIENT_CRYPTO_KEY";
    deIdentifyWithCryptHashTransformation(projectId, tableToDeIdentify, transientKeyName);
  }

  // Transforms findings using a cryptographic hash transformation.
  public static void deIdentifyWithCryptHashTransformation(
      String projectId, Table tableToDeIdentify, String transientKeyName) throws IOException {
    // Initialize client that will be used to send requests. This client only needs to be created
    // once, and can be reused for multiple requests. After completing all of your requests, call
    // the "close" method on the client to safely clean up any remaining background resources.
    try (DlpServiceClient dlp = DlpServiceClient.create()) {
      // Specify what content you want the service to DeIdentify
      ContentItem contentItem = ContentItem.newBuilder().setTable(tableToDeIdentify).build();

      // Specify the type of info the inspection will look for.
      // See https://cloud.google.com/dlp/docs/infotypes-reference for complete list of info types
      List<InfoType> infoTypes =
          Stream.of("PHONE_NUMBER", "EMAIL_ADDRESS")
              .map(it -> InfoType.newBuilder().setName(it).build())
              .collect(Collectors.toList());

      InspectConfig inspectConfig = InspectConfig.newBuilder()
              .addAllInfoTypes(infoTypes)
              .build();

      // Specify the transient key which will encrypt the data.
      TransientCryptoKey transientCryptoKey = TransientCryptoKey.newBuilder()
              .setName(transientKeyName)
              .build();

      CryptoKey cryptoKey = CryptoKey.newBuilder()
              .setTransient(transientCryptoKey)
              .build();

      // Specify how the info from the inspection should be encrypted.
      CryptoHashConfig cryptoHashConfig = CryptoHashConfig.newBuilder()
              .setCryptoKey(cryptoKey)
              .build();

      // Define type of de-identification as cryptographic hash transformation.
      PrimitiveTransformation primitiveTransformation = PrimitiveTransformation.newBuilder()
              .setCryptoHashConfig(cryptoHashConfig)
              .build();

      InfoTypeTransformations.InfoTypeTransformation infoTypeTransformation =
          InfoTypeTransformations.InfoTypeTransformation.newBuilder()
              .setPrimitiveTransformation(primitiveTransformation)
              .addAllInfoTypes(infoTypes)
              .build();

      InfoTypeTransformations transformations = InfoTypeTransformations.newBuilder()
              .addTransformations(infoTypeTransformation)
              .build();

      // Specify the config for the de-identify request
      DeidentifyConfig deidentifyConfig = DeidentifyConfig.newBuilder()
              .setInfoTypeTransformations(transformations)
              .build();

      // Combine configurations into a request for the service.
      DeidentifyContentRequest request =
          DeidentifyContentRequest.newBuilder()
              .setParent(LocationName.of(projectId, "global").toString())
              .setItem(contentItem)
              .setInspectConfig(inspectConfig)
              .setDeidentifyConfig(deidentifyConfig)
              .build();

      // Send the request and receive response from the service
      DeidentifyContentResponse response = dlp.deidentifyContent(request);

      // Print the results
      System.out.println("Table after de-identification: " + response.getItem().getTable());
    }
  }
}

// Imports the Google Cloud Data Loss Prevention library
const DLP = require('@google-cloud/dlp');

// Instantiates a client
const dlp = new DLP.DlpServiceClient();

// The project ID to run the API call under
// const projectId = 'my-project';

// Crypto key
// const transientKeyName = 'YOUR_TRANSIENT_CRYPTO_KEY';

// The table to de-identify.
const tableToDeIdentify = {
  headers: [{name: 'userid'}, {name: 'comments'}],
  rows: [
    {
      values: [
        {stringValue: 'user1@example.org'},
        {
          stringValue:
            'my email is user1@example.org and phone is 858-555-0222',
        },
      ],
    },
    {
      values: [
        {stringValue: 'user2@example.org'},
        {
          stringValue:
            'my email is user2@example.org and phone is 858-555-0223',
        },
      ],
    },
    {
      values: [
        {stringValue: 'user3@example.org'},
        {
          stringValue:
            'my email is user3@example.org and phone is 858-555-0224',
        },
      ],
    },
  ],
};
async function deIdentifyTableWithCryptoHash() {
  // Specify crypto hash configuration that uses transient key.
  const cryptoHashConfig = {
    cryptoKey: {
      transient: {
        name: transientKeyName,
      },
    },
  };

  // Construct de-identify request that uses crypto hash configuration.
  const request = {
    parent: `projects/${projectId}/locations/global`,
    deidentifyConfig: {
      infoTypeTransformations: {
        transformations: [
          {
            primitiveTransformation: {
              cryptoHashConfig: cryptoHashConfig,
            },
            infoTypes: [{name: 'PHONE_NUMBER'}, {name: 'EMAIL_ADDRESS'}],
          },
        ],
      },
    },
    item: {table: tableToDeIdentify},
  };

  // Send the request and receive response from the service.
  const [response] = await dlp.deidentifyContent(request);
  const deidentifiedTable = response.item.table;

  // Print the results.
  console.log(
    `Table after de-identification:\n${JSON.stringify(
      deidentifiedTable,
      null,
      2
    )}`
  );
}

deIdentifyTableWithCryptoHash();

use Google\Cloud\Dlp\V2\Client\DlpServiceClient;
use Google\Cloud\Dlp\V2\ContentItem;
use Google\Cloud\Dlp\V2\CryptoHashConfig;
use Google\Cloud\Dlp\V2\CryptoKey;
use Google\Cloud\Dlp\V2\DeidentifyConfig;
use Google\Cloud\Dlp\V2\DeidentifyContentRequest;
use Google\Cloud\Dlp\V2\FieldId;
use Google\Cloud\Dlp\V2\InfoType;
use Google\Cloud\Dlp\V2\InfoTypeTransformations;
use Google\Cloud\Dlp\V2\InfoTypeTransformations\InfoTypeTransformation;
use Google\Cloud\Dlp\V2\InspectConfig;
use Google\Cloud\Dlp\V2\PrimitiveTransformation;
use Google\Cloud\Dlp\V2\Table;
use Google\Cloud\Dlp\V2\Table\Row;
use Google\Cloud\Dlp\V2\TransientCryptoKey;
use Google\Cloud\Dlp\V2\Value;

/**
 * De-identify table data with crypto hash.
 * Transform findings using a cryptographic hash transformation.
 *
 * @param string $callingProjectId          The Google Cloud project id to use as a parent resource.
 * @param string $inputCsvFile              The input file(csv) path  to deidentify.
 * @param string $outputCsvFile             The oupt file path to save deidentify content.
 * @param string $transientCryptoKeyName    Specify the random string.
 */

function deidentify_table_with_crypto_hash(
    // TODO(developer): Replace sample parameters before running the code.
    string $callingProjectId,
    string $inputCsvFile = './test/data/table5.csv',
    string $outputCsvFile = './test/data/deidentify_table_with_crypto_hash_output.csv',
    string $transientCryptoKeyName = 'YOUR-TRANSIENT-CRYPTO-KEY'
): void {
    // Instantiate a client.
    $dlp = new DlpServiceClient();

    $parent = "projects/$callingProjectId/locations/global";

    // Read a CSV file.
    $csvLines = file($inputCsvFile, FILE_IGNORE_NEW_LINES);
    $csvHeaders = explode(',', $csvLines[0]);
    $csvRows = array_slice($csvLines, 1);

    // Convert CSV file into protobuf objects.
    $tableHeaders = array_map(function ($csvHeader) {
        return (new FieldId)
            ->setName($csvHeader);
    }, $csvHeaders);

    $tableRows = array_map(function ($csvRow) {
        $rowValues = array_map(function ($csvValue) {
            return (new Value())
                ->setStringValue($csvValue);
        }, explode(',', $csvRow));
        return (new Row())
            ->setValues($rowValues);
    }, $csvRows);

    // Construct the table object.
    $tableToDeIdentify = (new Table())
        ->setHeaders($tableHeaders)
        ->setRows($tableRows);

    // Specify what content you want the service to de-identify.
    $content = (new ContentItem())
        ->setTable($tableToDeIdentify);

    // Specify the type of info the inspection will look for.
    // See https://cloud.google.com/dlp/docs/infotypes-reference for complete list of info types
    $infoTypes = [
        (new InfoType())->setName('EMAIL_ADDRESS'),
        (new InfoType())->setName('PHONE_NUMBER')
    ];

    $inspectConfig = (new InspectConfig())
        ->setInfoTypes($infoTypes);

    // Specify the transient key which will encrypt the data.
    $cryptoKey = (new CryptoKey())
        ->setTransient((new TransientCryptoKey())
            ->setName($transientCryptoKeyName));

    // Specify how the info from the inspection should be encrypted.
    $cryptoHashConfig = (new CryptoHashConfig())
        ->setCryptoKey($cryptoKey);

    // Define type of de-identification as cryptographic hash transformation.
    $primitiveTransformation = (new PrimitiveTransformation())
        ->setCryptoHashConfig($cryptoHashConfig);

    $infoTypeTransformation = (new InfoTypeTransformation())
        ->setPrimitiveTransformation($primitiveTransformation)
        ->setInfoTypes($infoTypes);

    $infoTypeTransformations = (new InfoTypeTransformations())
        ->setTransformations([$infoTypeTransformation]);

    // Specify the config for the de-identify request
    $deidentifyConfig = (new DeidentifyConfig())
        ->setInfoTypeTransformations($infoTypeTransformations);

    // Send the request and receive response from the service.
    $deidentifyContentRequest = (new DeidentifyContentRequest())
        ->setParent($parent)
        ->setInspectConfig($inspectConfig)
        ->setDeidentifyConfig($deidentifyConfig)
        ->setItem($content);
    $response = $dlp->deidentifyContent($deidentifyContentRequest);

    // Print the results.
    $csvRef = fopen($outputCsvFile, 'w');
    fputcsv($csvRef, $csvHeaders);
    foreach ($response->getItem()->getTable()->getRows() as $tableRow) {
        $values = array_map(function ($tableValue) {
            return $tableValue->getStringValue();
        }, iterator_to_array($tableRow->getValues()));
        fputcsv($csvRef, $values);
    };
    printf('Table after deidentify (File Location): %s', $outputCsvFile);
}

from typing import Dict, List, Union

import google.cloud.dlp


def deidentify_table_with_crypto_hash(
    project: str,
    table_data: Dict[str, Union[List[str], List[List[str]]]],
    info_types: List[str],
    transient_key_name: str,
) -> None:
    """Uses the Data Loss Prevention API to de-identify sensitive data
    in a table using a cryptographic hash transformation.
    Args:
        project: The Google Cloud project id to use as a parent resource.
        table_data: Dictionary representing table data.
        info_types: A list of strings representing info types to look for.
            A full list of info type categories can be fetched from the API.
        transient_key_name: Name of the transient crypto key used for encryption.
            The scope of this key is a single API call. It is generated for
            the transformation and then discarded.
    """

    # Instantiate a client
    dlp = google.cloud.dlp_v2.DlpServiceClient()

    # Construct the `table`. For more details on the table schema, please see
    # https://cloud.google.com/dlp/docs/reference/rest/v2/ContentItem#Table
    headers = [{"name": val} for val in table_data["header"]]
    rows = []
    for row in table_data["rows"]:
        rows.append({"values": [{"string_value": cell_val} for cell_val in row]})

    table = {"headers": headers, "rows": rows}

    # Construct the `item` that service will de-identify.
    item = {"table": table}

    # Prepare info_types by converting the list of strings into a list of
    # dictionaries.
    info_types = [{"name": info_type} for info_type in info_types]

    # Construct cryptographic hash configuration using the transient key
    # which will encrypt the data.
    crypto_hash_config = {"crypto_key": {"transient": {"name": transient_key_name}}}

    # Specify the type of info the inspection will look for.
    inspect_config = {
        "info_types": info_types,
    }

    # Construct deidentify configuration dictionary.
    deidentify_config = {
        "info_type_transformations": {
            "transformations": [
                {
                    "info_types": info_types,
                    "primitive_transformation": {
                        "crypto_hash_config": crypto_hash_config
                    },
                }
            ]
        }
    }

    # Convert the project id into a full resource id.
    parent = f"projects/{project}/locations/global"

    # Call the API.
    response = dlp.deidentify_content(
        request={
            "parent": parent,
            "deidentify_config": deidentify_config,
            "inspect_config": inspect_config,
            "item": item,
        }
    )

    # Print the result.
    print(f"Table after de-identification: {response.item.table}")