Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / python / google-api-python-client / dd49464a6262c0d1f71efcf11f131e2f591fe5f6 / . / docs / dyn / dlp_v2.projects.content.html
blob: 588cb8908f532aa5e528d88e35b75f1c686122cf [file] [log] [blame]
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]1<html><body>
2<style>
3
4body, h1, h2, h3, div, span, p, pre, a {
5 margin: 0;
6 padding: 0;
7 border: 0;
8 font-weight: inherit;
9 font-style: inherit;
10 font-size: 100%;
11 font-family: inherit;
12 vertical-align: baseline;
13}
14
15body {
16 font-size: 13px;
17 padding: 1em;
18}
19
20h1 {
21 font-size: 26px;
22 margin-bottom: 1em;
23}
24
25h2 {
26 font-size: 24px;
27 margin-bottom: 1em;
28}
29
30h3 {
31 font-size: 20px;
32 margin-bottom: 1em;
33 margin-top: 1em;
34}
35
36pre, code {
37 line-height: 1.5;
38 font-family: Monaco, 'DejaVu Sans Mono', 'Bitstream Vera Sans Mono', 'Lucida Console', monospace;
39}
40
41pre {
42 margin-top: 0.5em;
43}
44
45h1, h2, h3, p {
46 font-family: Arial, sans serif;
47}
48
49h1, h2, h3 {
50 border-bottom: solid #CCC 1px;
51}
52
53.toc_element {
54 margin-top: 0.5em;
55}
56
57.firstline {
58 margin-left: 2 em;
59}
60
61.method {
62 margin-top: 1em;
63 border: solid 1px #CCC;
64 padding: 1em;
65 background: #EEE;
66}
67
68.details {
69 font-weight: bold;
70 font-size: 14px;
71}
72
73</style>
74
75<h1><a href="dlp_v2.html">Cloud Data Loss Prevention (DLP) API</a> . <a href="dlp_v2.projects.html">projects</a> . <a href="dlp_v2.projects.content.html">content</a></h1>
76<h2>Instance Methods</h2>
77<p class="toc_element">
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]78 <code><a href="#deidentify">deidentify(parent, body=None, x__xgafv=None)</a></code></p>
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]79<p class="firstline">De-identifies potentially sensitive info from a ContentItem.</p>
80<p class="toc_element">
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]81 <code><a href="#inspect">inspect(parent, body=None, x__xgafv=None)</a></code></p>
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]82<p class="firstline">Finds potentially sensitive info in content.</p>
83<p class="toc_element">
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]84 <code><a href="#reidentify">reidentify(parent, body=None, x__xgafv=None)</a></code></p>
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]85<p class="firstline">Re-identifies content that has been de-identified.</p>
86<h3>Method Details</h3>
87<div class="method">
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]88 <code class="details" id="deidentify">deidentify(parent, body=None, x__xgafv=None)</code>
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]89 <pre>De-identifies potentially sensitive info from a ContentItem.
90This method has limits on input size and output size.
91See https://cloud.google.com/dlp/docs/deidentify-sensitive-data to
92learn more.
93
94When no InfoTypes or CustomInfoTypes are specified in this request, the
95system will automatically choose what detectors to run. By default this may
96be all types, but may change over time as detectors are updated.
97
98Args:
99 parent: string, The parent resource name, for example projects/my-project-id. (required)
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]100 body: object, The request body.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]101 The object takes the form of:
102
103{ # Request to de-identify a list of items.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]104 "inspectConfig": { # Configuration description of the scanning process. # Configuration for the inspector.
105 # Items specified here will override the template referenced by the
106 # inspect_template_name argument.
107 # When used with redactContent only info_types and min_likelihood are currently
108 # used.
109 "excludeInfoTypes": True or False, # When true, excludes type information of the findings.
110 "limits": { # Configuration to control the number of findings returned. # Configuration to control the number of findings returned.
111 "maxFindingsPerRequest": 42, # Max number of findings that will be returned per request/job.
112 # When set within `InspectContentRequest`, the maximum returned is 2000
113 # regardless if this is set higher.
114 "maxFindingsPerInfoType": [ # Configuration of findings limit given for specified infoTypes.
115 { # Max findings configuration per infoType, per content item or long
116 # running DlpJob.
117 "infoType": { # Type of information detected by the API. # Type of information the findings limit applies to. Only one limit per
118 # info_type should be provided. If InfoTypeLimit does not have an
119 # info_type, the DLP API applies the limit against all info_types that
120 # are found but not specified in another InfoTypeLimit.
121 "name": "A String", # Name of the information type. Either a name of your choosing when
122 # creating a CustomInfoType, or one of the names listed
123 # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
124 # a built-in type. InfoType names should conform to the pattern
125 # `[a-zA-Z0-9_]{1,64}`.
126 },
127 "maxFindings": 42, # Max findings limit for the given infoType.
128 },
129 ],
130 "maxFindingsPerItem": 42, # Max number of findings that will be returned for each item scanned.
131 # When set within `InspectJobConfig`,
132 # the maximum returned is 2000 regardless if this is set higher.
133 # When set within `InspectContentRequest`, this field is ignored.
134 },
135 "minLikelihood": "A String", # Only returns findings equal or above this threshold. The default is
136 # POSSIBLE.
137 # See https://cloud.google.com/dlp/docs/likelihood to learn more.
138 "customInfoTypes": [ # CustomInfoTypes provided by the user. See
139 # https://cloud.google.com/dlp/docs/creating-custom-infotypes to learn more.
140 { # Custom information type provided by the user. Used to find domain-specific
141 # sensitive information configurable to the data in question.
142 "regex": { # Message defining a custom regular expression. # Regular expression based CustomInfoType.
143 "pattern": "A String", # Pattern defining the regular expression. Its syntax
144 # (https://github.com/google/re2/wiki/Syntax) can be found under the
145 # google/re2 repository on GitHub.
146 "groupIndexes": [ # The index of the submatch to extract as findings. When not
147 # specified, the entire match is returned. No more than 3 may be included.
148 42,
149 ],
150 },
151 "surrogateType": { # Message for detecting output from deidentification transformations # Message for detecting output from deidentification transformations that
152 # support reversing.
153 # such as
154 # [`CryptoReplaceFfxFpeConfig`](/dlp/docs/reference/rest/v2/organizations.deidentifyTemplates#cryptoreplaceffxfpeconfig).
155 # These types of transformations are
156 # those that perform pseudonymization, thereby producing a "surrogate" as
157 # output. This should be used in conjunction with a field on the
158 # transformation such as `surrogate_info_type`. This CustomInfoType does
159 # not support the use of `detection_rules`.
160 },
161 "infoType": { # Type of information detected by the API. # CustomInfoType can either be a new infoType, or an extension of built-in
162 # infoType, when the name matches one of existing infoTypes and that infoType
163 # is specified in `InspectContent.info_types` field. Specifying the latter
164 # adds findings to the one detected by the system. If built-in info type is
165 # not specified in `InspectContent.info_types` list then the name is treated
166 # as a custom info type.
167 "name": "A String", # Name of the information type. Either a name of your choosing when
168 # creating a CustomInfoType, or one of the names listed
169 # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
170 # a built-in type. InfoType names should conform to the pattern
171 # `[a-zA-Z0-9_]{1,64}`.
172 },
173 "dictionary": { # Custom information type based on a dictionary of words or phrases. This can # A list of phrases to detect as a CustomInfoType.
174 # be used to match sensitive information specific to the data, such as a list
175 # of employee IDs or job titles.
176 #
177 # Dictionary words are case-insensitive and all characters other than letters
178 # and digits in the unicode [Basic Multilingual
179 # Plane](https://en.wikipedia.org/wiki/Plane_%28Unicode%29#Basic_Multilingual_Plane)
180 # will be replaced with whitespace when scanning for matches, so the
181 # dictionary phrase "Sam Johnson" will match all three phrases "sam johnson",
182 # "Sam, Johnson", and "Sam (Johnson)". Additionally, the characters
183 # surrounding any match must be of a different type than the adjacent
184 # characters within the word, so letters must be next to non-letters and
185 # digits next to non-digits. For example, the dictionary word "jen" will
186 # match the first three letters of the text "jen123" but will return no
187 # matches for "jennifer".
188 #
189 # Dictionary words containing a large number of characters that are not
190 # letters or digits may result in unexpected findings because such characters
191 # are treated as whitespace. The
192 # [limits](https://cloud.google.com/dlp/limits) page contains details about
193 # the size limits of dictionaries. For dictionaries that do not fit within
194 # these constraints, consider using `LargeCustomDictionaryConfig` in the
195 # `StoredInfoType` API.
196 "wordList": { # Message defining a list of words or phrases to search for in the data. # List of words or phrases to search for.
197 "words": [ # Words or phrases defining the dictionary. The dictionary must contain
198 # at least one phrase and every phrase must contain at least 2 characters
199 # that are letters or digits. [required]
200 "A String",
201 ],
202 },
203 "cloudStoragePath": { # Message representing a single file or path in Cloud Storage. # Newline-delimited file of words in Cloud Storage. Only a single file
204 # is accepted.
205 "path": "A String", # A url representing a file or path (no wildcards) in Cloud Storage.
206 # Example: gs://[BUCKET_NAME]/dictionary.txt
207 },
208 },
209 "storedType": { # A reference to a StoredInfoType to use with scanning. # Load an existing `StoredInfoType` resource for use in
210 # `InspectDataSource`. Not currently supported in `InspectContent`.
211 "name": "A String", # Resource name of the requested `StoredInfoType`, for example
212 # `organizations/433245324/storedInfoTypes/432452342` or
213 # `projects/project-id/storedInfoTypes/432452342`.
214 "createTime": "A String", # Timestamp indicating when the version of the `StoredInfoType` used for
215 # inspection was created. Output-only field, populated by the system.
216 },
217 "detectionRules": [ # Set of detection rules to apply to all findings of this CustomInfoType.
218 # Rules are applied in order that they are specified. Not supported for the
219 # `surrogate_type` CustomInfoType.
220 { # Deprecated; use `InspectionRuleSet` instead. Rule for modifying a
221 # `CustomInfoType` to alter behavior under certain circumstances, depending
222 # on the specific details of the rule. Not supported for the `surrogate_type`
223 # custom infoType.
224 "hotwordRule": { # The rule that adjusts the likelihood of findings within a certain # Hotword-based detection rule.
225 # proximity of hotwords.
226 "proximity": { # Message for specifying a window around a finding to apply a detection # Proximity of the finding within which the entire hotword must reside.
227 # The total length of the window cannot exceed 1000 characters. Note that
228 # the finding itself will be included in the window, so that hotwords may
229 # be used to match substrings of the finding itself. For example, the
230 # certainty of a phone number regex "\(\d{3}\) \d{3}-\d{4}" could be
231 # adjusted upwards if the area code is known to be the local area code of
232 # a company office using the hotword regex "\(xxx\)", where "xxx"
233 # is the area code in question.
234 # rule.
235 "windowBefore": 42, # Number of characters before the finding to consider.
236 "windowAfter": 42, # Number of characters after the finding to consider.
237 },
238 "hotwordRegex": { # Message defining a custom regular expression. # Regular expression pattern defining what qualifies as a hotword.
239 "pattern": "A String", # Pattern defining the regular expression. Its syntax
240 # (https://github.com/google/re2/wiki/Syntax) can be found under the
241 # google/re2 repository on GitHub.
242 "groupIndexes": [ # The index of the submatch to extract as findings. When not
243 # specified, the entire match is returned. No more than 3 may be included.
244 42,
245 ],
246 },
247 "likelihoodAdjustment": { # Message for specifying an adjustment to the likelihood of a finding as # Likelihood adjustment to apply to all matching findings.
248 # part of a detection rule.
249 "relativeLikelihood": 42, # Increase or decrease the likelihood by the specified number of
250 # levels. For example, if a finding would be `POSSIBLE` without the
251 # detection rule and `relative_likelihood` is 1, then it is upgraded to
252 # `LIKELY`, while a value of -1 would downgrade it to `UNLIKELY`.
253 # Likelihood may never drop below `VERY_UNLIKELY` or exceed
254 # `VERY_LIKELY`, so applying an adjustment of 1 followed by an
255 # adjustment of -1 when base likelihood is `VERY_LIKELY` will result in
256 # a final likelihood of `LIKELY`.
257 "fixedLikelihood": "A String", # Set the likelihood of a finding to a fixed value.
258 },
259 },
260 },
261 ],
262 "exclusionType": "A String", # If set to EXCLUSION_TYPE_EXCLUDE this infoType will not cause a finding
263 # to be returned. It still can be used for rules matching.
264 "likelihood": "A String", # Likelihood to return for this CustomInfoType. This base value can be
265 # altered by a detection rule if the finding meets the criteria specified by
266 # the rule. Defaults to `VERY_LIKELY` if not specified.
267 },
268 ],
269 "includeQuote": True or False, # When true, a contextual quote from the data that triggered a finding is
270 # included in the response; see Finding.quote.
271 "ruleSet": [ # Set of rules to apply to the findings for this InspectConfig.
272 # Exclusion rules, contained in the set are executed in the end, other
273 # rules are executed in the order they are specified for each info type.
274 { # Rule set for modifying a set of infoTypes to alter behavior under certain
275 # circumstances, depending on the specific details of the rules within the set.
276 "rules": [ # Set of rules to be applied to infoTypes. The rules are applied in order.
277 { # A single inspection rule to be applied to infoTypes, specified in
278 # `InspectionRuleSet`.
279 "hotwordRule": { # The rule that adjusts the likelihood of findings within a certain # Hotword-based detection rule.
280 # proximity of hotwords.
281 "proximity": { # Message for specifying a window around a finding to apply a detection # Proximity of the finding within which the entire hotword must reside.
282 # The total length of the window cannot exceed 1000 characters. Note that
283 # the finding itself will be included in the window, so that hotwords may
284 # be used to match substrings of the finding itself. For example, the
285 # certainty of a phone number regex "\(\d{3}\) \d{3}-\d{4}" could be
286 # adjusted upwards if the area code is known to be the local area code of
287 # a company office using the hotword regex "\(xxx\)", where "xxx"
288 # is the area code in question.
289 # rule.
290 "windowBefore": 42, # Number of characters before the finding to consider.
291 "windowAfter": 42, # Number of characters after the finding to consider.
292 },
293 "hotwordRegex": { # Message defining a custom regular expression. # Regular expression pattern defining what qualifies as a hotword.
294 "pattern": "A String", # Pattern defining the regular expression. Its syntax
295 # (https://github.com/google/re2/wiki/Syntax) can be found under the
296 # google/re2 repository on GitHub.
297 "groupIndexes": [ # The index of the submatch to extract as findings. When not
298 # specified, the entire match is returned. No more than 3 may be included.
299 42,
300 ],
301 },
302 "likelihoodAdjustment": { # Message for specifying an adjustment to the likelihood of a finding as # Likelihood adjustment to apply to all matching findings.
303 # part of a detection rule.
304 "relativeLikelihood": 42, # Increase or decrease the likelihood by the specified number of
305 # levels. For example, if a finding would be `POSSIBLE` without the
306 # detection rule and `relative_likelihood` is 1, then it is upgraded to
307 # `LIKELY`, while a value of -1 would downgrade it to `UNLIKELY`.
308 # Likelihood may never drop below `VERY_UNLIKELY` or exceed
309 # `VERY_LIKELY`, so applying an adjustment of 1 followed by an
310 # adjustment of -1 when base likelihood is `VERY_LIKELY` will result in
311 # a final likelihood of `LIKELY`.
312 "fixedLikelihood": "A String", # Set the likelihood of a finding to a fixed value.
313 },
314 },
315 "exclusionRule": { # The rule that specifies conditions when findings of infoTypes specified in # Exclusion rule.
316 # `InspectionRuleSet` are removed from results.
317 "regex": { # Message defining a custom regular expression. # Regular expression which defines the rule.
318 "pattern": "A String", # Pattern defining the regular expression. Its syntax
319 # (https://github.com/google/re2/wiki/Syntax) can be found under the
320 # google/re2 repository on GitHub.
321 "groupIndexes": [ # The index of the submatch to extract as findings. When not
322 # specified, the entire match is returned. No more than 3 may be included.
323 42,
324 ],
325 },
326 "excludeInfoTypes": { # List of exclude infoTypes. # Set of infoTypes for which findings would affect this rule.
327 "infoTypes": [ # InfoType list in ExclusionRule rule drops a finding when it overlaps or
328 # contained within with a finding of an infoType from this list. For
329 # example, for `InspectionRuleSet.info_types` containing "PHONE_NUMBER"` and
330 # `exclusion_rule` containing `exclude_info_types.info_types` with
331 # "EMAIL_ADDRESS" the phone number findings are dropped if they overlap
332 # with EMAIL_ADDRESS finding.
333 # That leads to "555-222-2222@example.org" to generate only a single
334 # finding, namely email address.
335 { # Type of information detected by the API.
336 "name": "A String", # Name of the information type. Either a name of your choosing when
337 # creating a CustomInfoType, or one of the names listed
338 # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
339 # a built-in type. InfoType names should conform to the pattern
340 # `[a-zA-Z0-9_]{1,64}`.
341 },
342 ],
343 },
344 "dictionary": { # Custom information type based on a dictionary of words or phrases. This can # Dictionary which defines the rule.
345 # be used to match sensitive information specific to the data, such as a list
346 # of employee IDs or job titles.
347 #
348 # Dictionary words are case-insensitive and all characters other than letters
349 # and digits in the unicode [Basic Multilingual
350 # Plane](https://en.wikipedia.org/wiki/Plane_%28Unicode%29#Basic_Multilingual_Plane)
351 # will be replaced with whitespace when scanning for matches, so the
352 # dictionary phrase "Sam Johnson" will match all three phrases "sam johnson",
353 # "Sam, Johnson", and "Sam (Johnson)". Additionally, the characters
354 # surrounding any match must be of a different type than the adjacent
355 # characters within the word, so letters must be next to non-letters and
356 # digits next to non-digits. For example, the dictionary word "jen" will
357 # match the first three letters of the text "jen123" but will return no
358 # matches for "jennifer".
359 #
360 # Dictionary words containing a large number of characters that are not
361 # letters or digits may result in unexpected findings because such characters
362 # are treated as whitespace. The
363 # [limits](https://cloud.google.com/dlp/limits) page contains details about
364 # the size limits of dictionaries. For dictionaries that do not fit within
365 # these constraints, consider using `LargeCustomDictionaryConfig` in the
366 # `StoredInfoType` API.
367 "wordList": { # Message defining a list of words or phrases to search for in the data. # List of words or phrases to search for.
368 "words": [ # Words or phrases defining the dictionary. The dictionary must contain
369 # at least one phrase and every phrase must contain at least 2 characters
370 # that are letters or digits. [required]
371 "A String",
372 ],
373 },
374 "cloudStoragePath": { # Message representing a single file or path in Cloud Storage. # Newline-delimited file of words in Cloud Storage. Only a single file
375 # is accepted.
376 "path": "A String", # A url representing a file or path (no wildcards) in Cloud Storage.
377 # Example: gs://[BUCKET_NAME]/dictionary.txt
378 },
379 },
380 "matchingType": "A String", # How the rule is applied, see MatchingType documentation for details.
381 },
382 },
383 ],
384 "infoTypes": [ # List of infoTypes this rule set is applied to.
385 { # Type of information detected by the API.
386 "name": "A String", # Name of the information type. Either a name of your choosing when
387 # creating a CustomInfoType, or one of the names listed
388 # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
389 # a built-in type. InfoType names should conform to the pattern
390 # `[a-zA-Z0-9_]{1,64}`.
391 },
392 ],
393 },
394 ],
395 "contentOptions": [ # List of options defining data content to scan.
396 # If empty, text, images, and other content will be included.
397 "A String",
398 ],
399 "infoTypes": [ # Restricts what info_types to look for. The values must correspond to
400 # InfoType values returned by ListInfoTypes or listed at
401 # https://cloud.google.com/dlp/docs/infotypes-reference.
402 #
403 # When no InfoTypes or CustomInfoTypes are specified in a request, the
404 # system may automatically choose what detectors to run. By default this may
405 # be all types, but may change over time as detectors are updated.
406 #
407 # If you need precise control and predictability as to what detectors are
408 # run you should specify specific InfoTypes listed in the reference,
409 # otherwise a default list will be used, which may change over time.
410 { # Type of information detected by the API.
411 "name": "A String", # Name of the information type. Either a name of your choosing when
412 # creating a CustomInfoType, or one of the names listed
413 # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
414 # a built-in type. InfoType names should conform to the pattern
415 # `[a-zA-Z0-9_]{1,64}`.
416 },
417 ],
418 },
419 "deidentifyTemplateName": "A String", # Template to use. Any configuration directly specified in
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]420 # deidentify_config will override those set in the template. Singular fields
421 # that are set in this request will replace their corresponding fields in the
422 # template. Repeated fields are appended. Singular sub-messages and groups
423 # are recursively merged.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]424 "inspectTemplateName": "A String", # Template to use. Any configuration directly specified in
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]425 # inspect_config will override those set in the template. Singular fields
426 # that are set in this request will replace their corresponding fields in the
427 # template. Repeated fields are appended. Singular sub-messages and groups
428 # are recursively merged.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]429 "item": { # Container structure for the content to inspect. # The item to de-identify. Will be treated as text.
430 "table": { # Structured content to inspect. Up to 50,000 `Value`s per request allowed. # Structured content for inspection. See
431 # https://cloud.google.com/dlp/docs/inspecting-text#inspecting_a_table to
432 # learn more.
433 # See https://cloud.google.com/dlp/docs/inspecting-text#inspecting_a_table to
434 # learn more.
435 "headers": [ # Headers of the table.
436 { # General identifier of a data field in a storage service.
437 "name": "A String", # Name describing the field.
438 },
439 ],
440 "rows": [ # Rows of the table.
441 { # Values of the row.
442 "values": [ # Individual cells.
443 { # Set of primitive values supported by the system.
444 # Note that for the purposes of inspection or transformation, the number
445 # of bytes considered to comprise a 'Value' is based on its representation
446 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
447 # 123456789, the number of bytes would be counted as 9, even though an
448 # int64 only holds up to 8 bytes of data.
449 "floatValue": 3.14, # float
450 "timestampValue": "A String", # timestamp
451 "dayOfWeekValue": "A String", # day of week
452 "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
453 # or are specified elsewhere. An API may choose to allow leap seconds. Related
454 # types are google.type.Date and `google.protobuf.Timestamp`.
455 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
456 # to allow the value "24:00:00" for scenarios like business closing time.
457 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
458 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
459 # allow the value 60 if it allows leap-seconds.
460 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
461 },
462 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
463 # and time zone are either specified elsewhere or are not significant. The date
464 # is relative to the Proleptic Gregorian Calendar. This can represent:
465 #
466 # * A full date, with non-zero year, month and day values
467 # * A month and day value, with a zero year, e.g. an anniversary
468 # * A year on its own, with zero month and day values
469 # * A year and month value, with a zero day, e.g. a credit card expiration date
470 #
471 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
472 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
473 # month and day.
474 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
475 # if specifying a year by itself or a year and month where the day is not
476 # significant.
477 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
478 # a year.
479 },
480 "stringValue": "A String", # string
481 "booleanValue": True or False, # boolean
482 "integerValue": "A String", # integer
483 },
484 ],
485 },
486 ],
487 },
488 "byteItem": { # Container for bytes to inspect or redact. # Content data to inspect or redact. Replaces `type` and `data`.
489 "type": "A String", # The type of data stored in the bytes string. Default will be TEXT_UTF8.
490 "data": "A String", # Content data to inspect or redact.
491 },
492 "value": "A String", # String data to inspect or redact.
493 },
494 "locationId": "A String", # The geographic location to process de-identification. Reserved for future
495 # extensions.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]496 "deidentifyConfig": { # The configuration that controls how the data will change. # Configuration for the de-identification of the content item.
497 # Items specified here will override the template referenced by the
498 # deidentify_template_name argument.
499 "infoTypeTransformations": { # A type of transformation that will scan unstructured text and # Treat the dataset as free-form text and apply the same free text
500 # transformation everywhere.
501 # apply various `PrimitiveTransformation`s to each finding, where the
502 # transformation is applied to only values that were identified as a specific
503 # info_type.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]504 "transformations": [ # Required. Transformation for each infoType. Cannot specify more than one
505 # for a given infoType.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]506 { # A transformation to apply to text that is identified as a specific
507 # info_type.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]508 "primitiveTransformation": { # A rule for transforming a value. # Required. Primitive transformation to apply to the infoType.
509 "cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given # Deterministic Crypto
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]510 # input. Outputs a base64 encoded representation of the encrypted output.
511 # Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.
512 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function.
513 # a key encryption key (KEK) stored by KMS).
514 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
515 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
516 # unwrap the data crypto key.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]517 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]518 # The wrapped key must be a 128/192/256 bit key.
519 # Authorization requires the following IAM permissions when sending a request
520 # to perform a crypto transformation using a kms-wrapped crypto key:
521 # dlp.kms.encrypt
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]522 "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
523 "wrappedKey": "A String", # Required. The wrapped data crypto key.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]524 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]525 "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]526 # leaking the key. Choose another type of key if possible.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]527 "key": "A String", # Required. A 128/192/256 bit key.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]528 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]529 "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]530 # It will be discarded after the request finishes.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]531 "name": "A String", # Required. Name of the key.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]532 # This is an arbitrary string used to differentiate different keys.
533 # A unique key is generated per name: two separate `TransientCryptoKey`
534 # protos share the same generated key if their names are the same.
535 # When the data crypto key is generated, this name is not used in any way
536 # (repeating the api call will result in a different key being generated).
537 },
538 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]539 "context": { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]540 # referential integrity such that the same identifier in two different
541 # contexts will be given a distinct surrogate. The context is appended to
542 # plaintext value being encrypted. On decryption the provided context is
543 # validated against the value used during encryption. If a context was
544 # provided during encryption, same context must be provided during decryption
545 # as well.
546 #
547 # If the context is not set, plaintext would be used as is for encryption.
548 # If the context is set but:
549 #
550 # 1. there is no record present when transforming a given value or
551 # 2. the field is not present when transforming a given value,
552 #
553 # plaintext would be used as is for encryption.
554 #
555 # Note that case (1) is expected when an `InfoTypeTransformation` is
556 # applied to both structured and non-structured `ContentItem`s.
557 "name": "A String", # Name describing the field.
558 },
559 "surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with.
560 # This annotation will be applied to the surrogate by prefixing it with
561 # the name of the custom info type followed by the number of
562 # characters comprising the surrogate. The following scheme defines the
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]563 # format: {info type name}({surrogate character count}):{surrogate}
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]564 #
565 # For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and
566 # the surrogate is 'abc', the full replacement value
567 # will be: 'MY_TOKEN_INFO_TYPE(3):abc'
568 #
569 # This annotation identifies the surrogate when inspecting content using the
570 # custom info type 'Surrogate'. This facilitates reversal of the
571 # surrogate when it occurs in free text.
572 #
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]573 # Note: For record transformations where the entire cell in a table is being
574 # transformed, surrogates are not mandatory. Surrogates are used to denote
575 # the location of the token and are necessary for re-identification in free
576 # form text.
577 #
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]578 # In order for inspection to work properly, the name of this info type must
579 # not occur naturally anywhere in your data; otherwise, inspection may either
580 #
581 # - reverse a surrogate that does not correspond to an actual identifier
582 # - be unable to parse the surrogate and result in an error
583 #
584 # Therefore, choose your custom info type name carefully after considering
585 # what your data looks like. One way to select a name that has a high chance
586 # of yielding reliable detection is to include one or more unicode characters
587 # that are highly improbable to exist in your data.
588 # For example, assuming your data is entered from a regular ASCII keyboard,
589 # the symbol with the hex code point 29DD might be used like so:
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]590 # ⧝MY_TOKEN_TYPE.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]591 "name": "A String", # Name of the information type. Either a name of your choosing when
592 # creating a CustomInfoType, or one of the names listed
593 # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
594 # a built-in type. InfoType names should conform to the pattern
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]595 # `[a-zA-Z0-9_]{1,64}`.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]596 },
597 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]598 "characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a # Mask
599 # fixed character. Masking can start from the beginning or end of the string.
600 # This can be used on data of any type (numbers, longs, and so on) and when
601 # de-identifying structured data we'll attempt to preserve the original data's
602 # type. (This allows you to take a long like 123 and modify it to a string like
603 # **3.
604 "charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing
605 # characters. For example, if the input string is `555-555-5555` and you
606 # instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP
607 # returns `***-**5-5555`.
608 { # Characters to skip when doing deidentification of a value. These will be left
609 # alone and skipped.
610 "commonCharactersToIgnore": "A String", # Common characters to not transform when masking. Useful to avoid removing
611 # punctuation.
612 "charactersToSkip": "A String", # Characters to not transform when masking.
613 },
614 ],
615 "numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be
616 # masked. Skipped characters do not count towards this tally.
617 "maskingCharacter": "A String", # Character to use to mask the sensitive values&amp;mdash;for example, `*` for an
618 # alphabetic string such as a name, or `0` for a numeric string such as ZIP
619 # code or credit card number. This string must have a length of 1. If not
620 # supplied, this value defaults to `*` for strings, and `0` for digits.
621 "reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is
622 # `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the
623 # input string `1234-5678-9012-3456` is masked as `00000000000000-3456`.
624 # If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order`
625 # is `true`, then the string `12345` is masked as `12***`.
626 },
627 "redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation` # Redact
628 # transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the
629 # output would be 'My phone number is '.
630 },
631 "replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type. # Replace with infotype
632 },
633 "fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The # Fixed size bucketing
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]634 # Bucketing transformation can provide all of this functionality,
635 # but requires more configuration. This message is provided as a convenience to
636 # the user for simple bucketing strategies.
637 #
638 # The transformed value will be a hyphenated string of
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]639 # {lower_bound}-{upper_bound}, i.e if lower_bound = 10 and upper_bound = 20
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]640 # all values that are within this bucket will be replaced with "10-20".
641 #
642 # This can be used on data of type: double, long.
643 #
644 # If the bound Value type differs from the type of data
645 # being transformed, we will first attempt converting the type of the data to
646 # be transformed to match the type of the bound before comparing.
647 #
648 # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]649 "lowerBound": { # Set of primitive values supported by the system. # Required. Lower bound value of buckets. All values less than `lower_bound` are
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]650 # grouped together into a single bucket; for example if `lower_bound` = 10,
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]651 # then all values less than 10 are replaced with the value “-10”.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]652 # Note that for the purposes of inspection or transformation, the number
653 # of bytes considered to comprise a 'Value' is based on its representation
654 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
655 # 123456789, the number of bytes would be counted as 9, even though an
656 # int64 only holds up to 8 bytes of data.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]657 "floatValue": 3.14, # float
658 "timestampValue": "A String", # timestamp
659 "dayOfWeekValue": "A String", # day of week
660 "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]661 # or are specified elsewhere. An API may choose to allow leap seconds. Related
662 # types are google.type.Date and `google.protobuf.Timestamp`.
663 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
664 # to allow the value "24:00:00" for scenarios like business closing time.
665 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
666 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
667 # allow the value 60 if it allows leap-seconds.
668 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
669 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]670 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]671 # and time zone are either specified elsewhere or are not significant. The date
672 # is relative to the Proleptic Gregorian Calendar. This can represent:
673 #
674 # * A full date, with non-zero year, month and day values
675 # * A month and day value, with a zero year, e.g. an anniversary
676 # * A year on its own, with zero month and day values
677 # * A year and month value, with a zero day, e.g. a credit card expiration date
678 #
679 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]680 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
681 # month and day.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]682 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
683 # if specifying a year by itself or a year and month where the day is not
684 # significant.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]685 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
686 # a year.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]687 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]688 "stringValue": "A String", # string
689 "booleanValue": True or False, # boolean
690 "integerValue": "A String", # integer
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]691 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]692 "upperBound": { # Set of primitive values supported by the system. # Required. Upper bound value of buckets. All values greater than upper_bound are
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]693 # grouped together into a single bucket; for example if `upper_bound` = 89,
694 # then all values greater than 89 are replaced with the value “89+”.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]695 # Note that for the purposes of inspection or transformation, the number
696 # of bytes considered to comprise a 'Value' is based on its representation
697 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
698 # 123456789, the number of bytes would be counted as 9, even though an
699 # int64 only holds up to 8 bytes of data.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]700 "floatValue": 3.14, # float
701 "timestampValue": "A String", # timestamp
702 "dayOfWeekValue": "A String", # day of week
703 "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]704 # or are specified elsewhere. An API may choose to allow leap seconds. Related
705 # types are google.type.Date and `google.protobuf.Timestamp`.
706 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
707 # to allow the value "24:00:00" for scenarios like business closing time.
708 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
709 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
710 # allow the value 60 if it allows leap-seconds.
711 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
712 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]713 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]714 # and time zone are either specified elsewhere or are not significant. The date
715 # is relative to the Proleptic Gregorian Calendar. This can represent:
716 #
717 # * A full date, with non-zero year, month and day values
718 # * A month and day value, with a zero year, e.g. an anniversary
719 # * A year on its own, with zero month and day values
720 # * A year and month value, with a zero day, e.g. a credit card expiration date
721 #
722 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]723 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
724 # month and day.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]725 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
726 # if specifying a year by itself or a year and month where the day is not
727 # significant.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]728 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
729 # a year.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]730 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]731 "stringValue": "A String", # string
732 "booleanValue": True or False, # boolean
733 "integerValue": "A String", # integer
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]734 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]735 "bucketSize": 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]736 # `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the
737 # following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60,
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]738 # 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]739 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]740 "timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a # Time extraction
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]741 # portion of the value.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]742 "partToExtract": "A String", # The part of the time to keep.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]743 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]744 "dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the # Date Shift
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]745 # same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting
746 # to learn more.
747 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]748 # results in the same shift for the same context and crypto_key. If
749 # set, must also set context. Can only be applied to table items.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]750 # a key encryption key (KEK) stored by KMS).
751 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
752 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
753 # unwrap the data crypto key.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]754 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]755 # The wrapped key must be a 128/192/256 bit key.
756 # Authorization requires the following IAM permissions when sending a request
757 # to perform a crypto transformation using a kms-wrapped crypto key:
758 # dlp.kms.encrypt
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]759 "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
760 "wrappedKey": "A String", # Required. The wrapped data crypto key.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]761 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]762 "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]763 # leaking the key. Choose another type of key if possible.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]764 "key": "A String", # Required. A 128/192/256 bit key.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]765 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]766 "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]767 # It will be discarded after the request finishes.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]768 "name": "A String", # Required. Name of the key.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]769 # This is an arbitrary string used to differentiate different keys.
770 # A unique key is generated per name: two separate `TransientCryptoKey`
771 # protos share the same generated key if their names are the same.
772 # When the data crypto key is generated, this name is not used in any way
773 # (repeating the api call will result in a different key being generated).
774 },
775 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]776 "lowerBoundDays": 42, # Required. For example, -5 means shift date to at most 5 days back in the past.
777 "upperBoundDays": 42, # Required. Range of shift in days. Actual shift will be selected at random within this
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]778 # range (inclusive ends). Negative means shift to earlier in time. Must not
779 # be more than 365250 days (1000 years) each direction.
780 #
781 # For example, 3 means shift date to at most 3 days into the future.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]782 "context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]783 # If set, must also set cryptoKey. If set, shift will be consistent for the
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]784 # given context.
785 "name": "A String", # Name describing the field.
786 },
787 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]788 "cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption # Ffx-Fpe
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]789 # (FPE) with the FFX mode of operation; however when used in the
790 # `ReidentifyContent` API method, it serves the opposite function by reversing
791 # the surrogate back into the original identifier. The identifier must be
792 # encoded as ASCII. For a given crypto key and context, the same identifier
793 # will be replaced with the same surrogate. Identifiers must be at least two
794 # characters long. In the case that the identifier is the empty string, it will
795 # be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn
796 # more.
797 #
798 # Note: We recommend using CryptoDeterministicConfig for all use cases which
799 # do not require preserving the input alphabet space and size, plus warrant
800 # referential integrity.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]801 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Required. The key used by the encryption algorithm.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]802 # a key encryption key (KEK) stored by KMS).
803 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
804 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
805 # unwrap the data crypto key.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]806 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]807 # The wrapped key must be a 128/192/256 bit key.
808 # Authorization requires the following IAM permissions when sending a request
809 # to perform a crypto transformation using a kms-wrapped crypto key:
810 # dlp.kms.encrypt
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]811 "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
812 "wrappedKey": "A String", # Required. The wrapped data crypto key.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]813 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]814 "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]815 # leaking the key. Choose another type of key if possible.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]816 "key": "A String", # Required. A 128/192/256 bit key.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]817 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]818 "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]819 # It will be discarded after the request finishes.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]820 "name": "A String", # Required. Name of the key.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]821 # This is an arbitrary string used to differentiate different keys.
822 # A unique key is generated per name: two separate `TransientCryptoKey`
823 # protos share the same generated key if their names are the same.
824 # When the data crypto key is generated, this name is not used in any way
825 # (repeating the api call will result in a different key being generated).
826 },
827 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]828 "radix": 42, # The native way to select the alphabet. Must be in the range [2, 95].
829 "commonAlphabet": "A String", # Common alphabets.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]830 "customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters
831 # that the FFX mode natively supports. This happens before/after
832 # encryption/decryption.
833 # Each character listed must appear only once.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]834 # Number of characters must be in the range [2, 95].
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]835 # This must be encoded as ASCII.
836 # The order of characters does not matter.
837 "context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same
838 # identifier in two different contexts won't be given the same surrogate. If
839 # the context is not set, a default tweak will be used.
840 #
841 # If the context is set but:
842 #
843 # 1. there is no record present when transforming a given value or
844 # 1. the field is not present when transforming a given value,
845 #
846 # a default tweak will be used.
847 #
848 # Note that case (1) is expected when an `InfoTypeTransformation` is
849 # applied to both structured and non-structured `ContentItem`s.
850 # Currently, the referenced field may be of value type integer or string.
851 #
852 # The tweak is constructed as a sequence of bytes in big endian byte order
853 # such that:
854 #
855 # - a 64 bit integer is encoded followed by a single byte of value 1
856 # - a string is encoded in UTF-8 format followed by a single byte of value 2
857 "name": "A String", # Name describing the field.
858 },
859 "surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with.
860 # This annotation will be applied to the surrogate by prefixing it with
861 # the name of the custom infoType followed by the number of
862 # characters comprising the surrogate. The following scheme defines the
863 # format: info_type_name(surrogate_character_count):surrogate
864 #
865 # For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and
866 # the surrogate is 'abc', the full replacement value
867 # will be: 'MY_TOKEN_INFO_TYPE(3):abc'
868 #
869 # This annotation identifies the surrogate when inspecting content using the
870 # custom infoType
871 # [`SurrogateType`](/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype).
872 # This facilitates reversal of the surrogate when it occurs in free text.
873 #
874 # In order for inspection to work properly, the name of this infoType must
875 # not occur naturally anywhere in your data; otherwise, inspection may
876 # find a surrogate that does not correspond to an actual identifier.
877 # Therefore, choose your custom infoType name carefully after considering
878 # what your data looks like. One way to select a name that has a high chance
879 # of yielding reliable detection is to include one or more unicode characters
880 # that are highly improbable to exist in your data.
881 # For example, assuming your data is entered from a regular ASCII keyboard,
882 # the symbol with the hex code point 29DD might be used like so:
883 # ⧝MY_TOKEN_TYPE
884 "name": "A String", # Name of the information type. Either a name of your choosing when
885 # creating a CustomInfoType, or one of the names listed
886 # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
887 # a built-in type. InfoType names should conform to the pattern
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]888 # `[a-zA-Z0-9_]{1,64}`.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]889 },
890 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]891 "bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and # Bucketing
892 # replacement values are dynamically provided by the user for custom behavior,
893 # such as 1-30 -&gt; LOW 31-65 -&gt; MEDIUM 66-100 -&gt; HIGH
894 # This can be used on
895 # data of type: number, long, string, timestamp.
896 # If the bound `Value` type differs from the type of data being transformed, we
897 # will first attempt converting the type of the data to be transformed to match
898 # the type of the bound before comparing.
899 # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
900 "buckets": [ # Set of buckets. Ranges must be non-overlapping.
901 { # Bucket is represented as a range, along with replacement values.
902 "max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.
903 # Note that for the purposes of inspection or transformation, the number
904 # of bytes considered to comprise a 'Value' is based on its representation
905 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
906 # 123456789, the number of bytes would be counted as 9, even though an
907 # int64 only holds up to 8 bytes of data.
908 "floatValue": 3.14, # float
909 "timestampValue": "A String", # timestamp
910 "dayOfWeekValue": "A String", # day of week
911 "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
912 # or are specified elsewhere. An API may choose to allow leap seconds. Related
913 # types are google.type.Date and `google.protobuf.Timestamp`.
914 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
915 # to allow the value "24:00:00" for scenarios like business closing time.
916 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
917 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
918 # allow the value 60 if it allows leap-seconds.
919 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
920 },
921 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
922 # and time zone are either specified elsewhere or are not significant. The date
923 # is relative to the Proleptic Gregorian Calendar. This can represent:
924 #
925 # * A full date, with non-zero year, month and day values
926 # * A month and day value, with a zero year, e.g. an anniversary
927 # * A year on its own, with zero month and day values
928 # * A year and month value, with a zero day, e.g. a credit card expiration date
929 #
930 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
931 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
932 # month and day.
933 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
934 # if specifying a year by itself or a year and month where the day is not
935 # significant.
936 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
937 # a year.
938 },
939 "stringValue": "A String", # string
940 "booleanValue": True or False, # boolean
941 "integerValue": "A String", # integer
942 },
943 "replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided
944 # the default behavior will be to hyphenate the min-max range.
945 # Note that for the purposes of inspection or transformation, the number
946 # of bytes considered to comprise a 'Value' is based on its representation
947 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
948 # 123456789, the number of bytes would be counted as 9, even though an
949 # int64 only holds up to 8 bytes of data.
950 "floatValue": 3.14, # float
951 "timestampValue": "A String", # timestamp
952 "dayOfWeekValue": "A String", # day of week
953 "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
954 # or are specified elsewhere. An API may choose to allow leap seconds. Related
955 # types are google.type.Date and `google.protobuf.Timestamp`.
956 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
957 # to allow the value "24:00:00" for scenarios like business closing time.
958 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
959 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
960 # allow the value 60 if it allows leap-seconds.
961 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
962 },
963 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
964 # and time zone are either specified elsewhere or are not significant. The date
965 # is relative to the Proleptic Gregorian Calendar. This can represent:
966 #
967 # * A full date, with non-zero year, month and day values
968 # * A month and day value, with a zero year, e.g. an anniversary
969 # * A year on its own, with zero month and day values
970 # * A year and month value, with a zero day, e.g. a credit card expiration date
971 #
972 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
973 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
974 # month and day.
975 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
976 # if specifying a year by itself or a year and month where the day is not
977 # significant.
978 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
979 # a year.
980 },
981 "stringValue": "A String", # string
982 "booleanValue": True or False, # boolean
983 "integerValue": "A String", # integer
984 },
985 "min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if
986 # used.
987 # Note that for the purposes of inspection or transformation, the number
988 # of bytes considered to comprise a 'Value' is based on its representation
989 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
990 # 123456789, the number of bytes would be counted as 9, even though an
991 # int64 only holds up to 8 bytes of data.
992 "floatValue": 3.14, # float
993 "timestampValue": "A String", # timestamp
994 "dayOfWeekValue": "A String", # day of week
995 "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
996 # or are specified elsewhere. An API may choose to allow leap seconds. Related
997 # types are google.type.Date and `google.protobuf.Timestamp`.
998 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
999 # to allow the value "24:00:00" for scenarios like business closing time.
1000 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
1001 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
1002 # allow the value 60 if it allows leap-seconds.
1003 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
1004 },
1005 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
1006 # and time zone are either specified elsewhere or are not significant. The date
1007 # is relative to the Proleptic Gregorian Calendar. This can represent:
1008 #
1009 # * A full date, with non-zero year, month and day values
1010 # * A month and day value, with a zero year, e.g. an anniversary
1011 # * A year on its own, with zero month and day values
1012 # * A year and month value, with a zero day, e.g. a credit card expiration date
1013 #
1014 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
1015 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
1016 # month and day.
1017 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
1018 # if specifying a year by itself or a year and month where the day is not
1019 # significant.
1020 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
1021 # a year.
1022 },
1023 "stringValue": "A String", # string
1024 "booleanValue": True or False, # boolean
1025 "integerValue": "A String", # integer
1026 },
1027 },
1028 ],
1029 },
1030 "cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing. # Crypto
1031 # Uses SHA-256.
1032 # The key size must be either 32 or 64 bytes.
1033 # Outputs a base64 encoded representation of the hashed output
1034 # (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).
1035 # Currently, only string and integer values can be hashed.
1036 # See https://cloud.google.com/dlp/docs/pseudonymization to learn more.
1037 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.
1038 # a key encryption key (KEK) stored by KMS).
1039 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
1040 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
1041 # unwrap the data crypto key.
1042 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
1043 # The wrapped key must be a 128/192/256 bit key.
1044 # Authorization requires the following IAM permissions when sending a request
1045 # to perform a crypto transformation using a kms-wrapped crypto key:
1046 # dlp.kms.encrypt
1047 "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
1048 "wrappedKey": "A String", # Required. The wrapped data crypto key.
1049 },
1050 "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
1051 # leaking the key. Choose another type of key if possible.
1052 "key": "A String", # Required. A 128/192/256 bit key.
1053 },
1054 "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
1055 # It will be discarded after the request finishes.
1056 "name": "A String", # Required. Name of the key.
1057 # This is an arbitrary string used to differentiate different keys.
1058 # A unique key is generated per name: two separate `TransientCryptoKey`
1059 # protos share the same generated key if their names are the same.
1060 # When the data crypto key is generated, this name is not used in any way
1061 # (repeating the api call will result in a different key being generated).
1062 },
1063 },
1064 },
1065 "replaceConfig": { # Replace each input value with a given `Value`. # Replace
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]1066 "newValue": { # Set of primitive values supported by the system. # Value to replace it with.
1067 # Note that for the purposes of inspection or transformation, the number
1068 # of bytes considered to comprise a 'Value' is based on its representation
1069 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
1070 # 123456789, the number of bytes would be counted as 9, even though an
1071 # int64 only holds up to 8 bytes of data.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]1072 "floatValue": 3.14, # float
1073 "timestampValue": "A String", # timestamp
1074 "dayOfWeekValue": "A String", # day of week
1075 "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]1076 # or are specified elsewhere. An API may choose to allow leap seconds. Related
1077 # types are google.type.Date and `google.protobuf.Timestamp`.
1078 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
1079 # to allow the value "24:00:00" for scenarios like business closing time.
1080 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
1081 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
1082 # allow the value 60 if it allows leap-seconds.
1083 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
1084 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]1085 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]1086 # and time zone are either specified elsewhere or are not significant. The date
1087 # is relative to the Proleptic Gregorian Calendar. This can represent:
1088 #
1089 # * A full date, with non-zero year, month and day values
1090 # * A month and day value, with a zero year, e.g. an anniversary
1091 # * A year on its own, with zero month and day values
1092 # * A year and month value, with a zero day, e.g. a credit card expiration date
1093 #
1094 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]1095 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
1096 # month and day.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]1097 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
1098 # if specifying a year by itself or a year and month where the day is not
1099 # significant.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]1100 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
1101 # a year.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]1102 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]1103 "stringValue": "A String", # string
1104 "booleanValue": True or False, # boolean
1105 "integerValue": "A String", # integer
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]1106 },
1107 },
1108 },
1109 "infoTypes": [ # InfoTypes to apply the transformation to. An empty list will cause
1110 # this transformation to apply to all findings that correspond to
1111 # infoTypes that were requested in `InspectConfig`.
1112 { # Type of information detected by the API.
1113 "name": "A String", # Name of the information type. Either a name of your choosing when
1114 # creating a CustomInfoType, or one of the names listed
1115 # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
1116 # a built-in type. InfoType names should conform to the pattern
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]1117 # `[a-zA-Z0-9_]{1,64}`.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]1118 },
1119 ],
1120 },
1121 ],
1122 },
1123 "recordTransformations": { # A type of transformation that is applied over structured data such as a # Treat the dataset as structured. Transformations can be applied to
1124 # specific locations within structured datasets, such as transforming
1125 # a column within a table.
1126 # table.
1127 "recordSuppressions": [ # Configuration defining which records get suppressed entirely. Records that
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]1128 # match any suppression rule are omitted from the output.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]1129 { # Configuration to suppress records whose suppression conditions evaluate to
1130 # true.
1131 "condition": { # A condition for determining whether a transformation should be applied to # A condition that when it evaluates to true will result in the record being
1132 # evaluated to be suppressed from the transformed content.
1133 # a field.
1134 "expressions": { # An expression, consisting or an operator and conditions. # An expression.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]1135 "conditions": { # A collection of conditions. # Conditions to apply to the expression.
1136 "conditions": [ # A collection of conditions.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]1137 { # The field type of `value` and `field` do not need to match to be
1138 # considered equal, but not all comparisons are possible.
1139 # EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types,
1140 # but all other comparisons are invalid with incompatible types.
1141 # A `value` of type:
1142 #
1143 # - `string` can be compared against all other types
1144 # - `boolean` can only be compared against other booleans
1145 # - `integer` can be compared against doubles or a string if the string value
1146 # can be parsed as an integer.
1147 # - `double` can be compared against integers or a string if the string can
1148 # be parsed as a double.
1149 # - `Timestamp` can be compared against strings in RFC 3339 date string
1150 # format.
1151 # - `TimeOfDay` can be compared against timestamps and strings in the format
1152 # of 'HH:mm:ss'.
1153 #
1154 # If we fail to compare do to type mismatch, a warning will be given and
1155 # the condition will evaluate to false.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]1156 "operator": "A String", # Required. Operator used to compare the field or infoType to the value.
1157 "field": { # General identifier of a data field in a storage service. # Required. Field within the record this condition is evaluated against.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]1158 "name": "A String", # Name describing the field.
1159 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]1160 "value": { # Set of primitive values supported by the system. # Value to compare against. [Mandatory, except for `EXISTS` tests.]
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]1161 # Note that for the purposes of inspection or transformation, the number
1162 # of bytes considered to comprise a 'Value' is based on its representation
1163 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
1164 # 123456789, the number of bytes would be counted as 9, even though an
1165 # int64 only holds up to 8 bytes of data.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]1166 "floatValue": 3.14, # float
1167 "timestampValue": "A String", # timestamp
1168 "dayOfWeekValue": "A String", # day of week
1169 "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]1170 # or are specified elsewhere. An API may choose to allow leap seconds. Related
1171 # types are google.type.Date and `google.protobuf.Timestamp`.
1172 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
1173 # to allow the value "24:00:00" for scenarios like business closing time.
1174 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
1175 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
1176 # allow the value 60 if it allows leap-seconds.
1177 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
1178 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]1179 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]1180 # and time zone are either specified elsewhere or are not significant. The date
1181 # is relative to the Proleptic Gregorian Calendar. This can represent:
1182 #
1183 # * A full date, with non-zero year, month and day values
1184 # * A month and day value, with a zero year, e.g. an anniversary
1185 # * A year on its own, with zero month and day values
1186 # * A year and month value, with a zero day, e.g. a credit card expiration date
1187 #
1188 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]1189 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
1190 # month and day.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]1191 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
1192 # if specifying a year by itself or a year and month where the day is not
1193 # significant.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]1194 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
1195 # a year.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]1196 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]1197 "stringValue": "A String", # string
1198 "booleanValue": True or False, # boolean
1199 "integerValue": "A String", # integer
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]1200 },
1201 },
1202 ],
1203 },
1204 "logicalOperator": "A String", # The operator to apply to the result of conditions. Default and currently
1205 # only supported value is `AND`.
1206 },
1207 },
1208 },
1209 ],
1210 "fieldTransformations": [ # Transform the record by applying various field transformations.
1211 { # The transformation to apply to the field.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]1212 "fields": [ # Required. Input field(s) to apply the transformation to.
1213 { # General identifier of a data field in a storage service.
1214 "name": "A String", # Name describing the field.
1215 },
1216 ],
1217 "primitiveTransformation": { # A rule for transforming a value. # Apply the transformation to the entire field.
1218 "cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given # Deterministic Crypto
1219 # input. Outputs a base64 encoded representation of the encrypted output.
1220 # Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.
1221 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function.
1222 # a key encryption key (KEK) stored by KMS).
1223 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
1224 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
1225 # unwrap the data crypto key.
1226 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
1227 # The wrapped key must be a 128/192/256 bit key.
1228 # Authorization requires the following IAM permissions when sending a request
1229 # to perform a crypto transformation using a kms-wrapped crypto key:
1230 # dlp.kms.encrypt
1231 "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
1232 "wrappedKey": "A String", # Required. The wrapped data crypto key.
1233 },
1234 "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
1235 # leaking the key. Choose another type of key if possible.
1236 "key": "A String", # Required. A 128/192/256 bit key.
1237 },
1238 "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
1239 # It will be discarded after the request finishes.
1240 "name": "A String", # Required. Name of the key.
1241 # This is an arbitrary string used to differentiate different keys.
1242 # A unique key is generated per name: two separate `TransientCryptoKey`
1243 # protos share the same generated key if their names are the same.
1244 # When the data crypto key is generated, this name is not used in any way
1245 # (repeating the api call will result in a different key being generated).
1246 },
1247 },
1248 "context": { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining
1249 # referential integrity such that the same identifier in two different
1250 # contexts will be given a distinct surrogate. The context is appended to
1251 # plaintext value being encrypted. On decryption the provided context is
1252 # validated against the value used during encryption. If a context was
1253 # provided during encryption, same context must be provided during decryption
1254 # as well.
1255 #
1256 # If the context is not set, plaintext would be used as is for encryption.
1257 # If the context is set but:
1258 #
1259 # 1. there is no record present when transforming a given value or
1260 # 2. the field is not present when transforming a given value,
1261 #
1262 # plaintext would be used as is for encryption.
1263 #
1264 # Note that case (1) is expected when an `InfoTypeTransformation` is
1265 # applied to both structured and non-structured `ContentItem`s.
1266 "name": "A String", # Name describing the field.
1267 },
1268 "surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with.
1269 # This annotation will be applied to the surrogate by prefixing it with
1270 # the name of the custom info type followed by the number of
1271 # characters comprising the surrogate. The following scheme defines the
1272 # format: {info type name}({surrogate character count}):{surrogate}
1273 #
1274 # For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and
1275 # the surrogate is 'abc', the full replacement value
1276 # will be: 'MY_TOKEN_INFO_TYPE(3):abc'
1277 #
1278 # This annotation identifies the surrogate when inspecting content using the
1279 # custom info type 'Surrogate'. This facilitates reversal of the
1280 # surrogate when it occurs in free text.
1281 #
1282 # Note: For record transformations where the entire cell in a table is being
1283 # transformed, surrogates are not mandatory. Surrogates are used to denote
1284 # the location of the token and are necessary for re-identification in free
1285 # form text.
1286 #
1287 # In order for inspection to work properly, the name of this info type must
1288 # not occur naturally anywhere in your data; otherwise, inspection may either
1289 #
1290 # - reverse a surrogate that does not correspond to an actual identifier
1291 # - be unable to parse the surrogate and result in an error
1292 #
1293 # Therefore, choose your custom info type name carefully after considering
1294 # what your data looks like. One way to select a name that has a high chance
1295 # of yielding reliable detection is to include one or more unicode characters
1296 # that are highly improbable to exist in your data.
1297 # For example, assuming your data is entered from a regular ASCII keyboard,
1298 # the symbol with the hex code point 29DD might be used like so:
1299 # ⧝MY_TOKEN_TYPE.
1300 "name": "A String", # Name of the information type. Either a name of your choosing when
1301 # creating a CustomInfoType, or one of the names listed
1302 # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
1303 # a built-in type. InfoType names should conform to the pattern
1304 # `[a-zA-Z0-9_]{1,64}`.
1305 },
1306 },
1307 "characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a # Mask
1308 # fixed character. Masking can start from the beginning or end of the string.
1309 # This can be used on data of any type (numbers, longs, and so on) and when
1310 # de-identifying structured data we'll attempt to preserve the original data's
1311 # type. (This allows you to take a long like 123 and modify it to a string like
1312 # **3.
1313 "charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing
1314 # characters. For example, if the input string is `555-555-5555` and you
1315 # instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP
1316 # returns `***-**5-5555`.
1317 { # Characters to skip when doing deidentification of a value. These will be left
1318 # alone and skipped.
1319 "commonCharactersToIgnore": "A String", # Common characters to not transform when masking. Useful to avoid removing
1320 # punctuation.
1321 "charactersToSkip": "A String", # Characters to not transform when masking.
1322 },
1323 ],
1324 "numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be
1325 # masked. Skipped characters do not count towards this tally.
1326 "maskingCharacter": "A String", # Character to use to mask the sensitive values&amp;mdash;for example, `*` for an
1327 # alphabetic string such as a name, or `0` for a numeric string such as ZIP
1328 # code or credit card number. This string must have a length of 1. If not
1329 # supplied, this value defaults to `*` for strings, and `0` for digits.
1330 "reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is
1331 # `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the
1332 # input string `1234-5678-9012-3456` is masked as `00000000000000-3456`.
1333 # If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order`
1334 # is `true`, then the string `12345` is masked as `12***`.
1335 },
1336 "redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation` # Redact
1337 # transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the
1338 # output would be 'My phone number is '.
1339 },
1340 "replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type. # Replace with infotype
1341 },
1342 "fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The # Fixed size bucketing
1343 # Bucketing transformation can provide all of this functionality,
1344 # but requires more configuration. This message is provided as a convenience to
1345 # the user for simple bucketing strategies.
1346 #
1347 # The transformed value will be a hyphenated string of
1348 # {lower_bound}-{upper_bound}, i.e if lower_bound = 10 and upper_bound = 20
1349 # all values that are within this bucket will be replaced with "10-20".
1350 #
1351 # This can be used on data of type: double, long.
1352 #
1353 # If the bound Value type differs from the type of data
1354 # being transformed, we will first attempt converting the type of the data to
1355 # be transformed to match the type of the bound before comparing.
1356 #
1357 # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
1358 "lowerBound": { # Set of primitive values supported by the system. # Required. Lower bound value of buckets. All values less than `lower_bound` are
1359 # grouped together into a single bucket; for example if `lower_bound` = 10,
1360 # then all values less than 10 are replaced with the value “-10”.
1361 # Note that for the purposes of inspection or transformation, the number
1362 # of bytes considered to comprise a 'Value' is based on its representation
1363 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
1364 # 123456789, the number of bytes would be counted as 9, even though an
1365 # int64 only holds up to 8 bytes of data.
1366 "floatValue": 3.14, # float
1367 "timestampValue": "A String", # timestamp
1368 "dayOfWeekValue": "A String", # day of week
1369 "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
1370 # or are specified elsewhere. An API may choose to allow leap seconds. Related
1371 # types are google.type.Date and `google.protobuf.Timestamp`.
1372 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
1373 # to allow the value "24:00:00" for scenarios like business closing time.
1374 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
1375 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
1376 # allow the value 60 if it allows leap-seconds.
1377 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
1378 },
1379 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
1380 # and time zone are either specified elsewhere or are not significant. The date
1381 # is relative to the Proleptic Gregorian Calendar. This can represent:
1382 #
1383 # * A full date, with non-zero year, month and day values
1384 # * A month and day value, with a zero year, e.g. an anniversary
1385 # * A year on its own, with zero month and day values
1386 # * A year and month value, with a zero day, e.g. a credit card expiration date
1387 #
1388 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
1389 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
1390 # month and day.
1391 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
1392 # if specifying a year by itself or a year and month where the day is not
1393 # significant.
1394 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
1395 # a year.
1396 },
1397 "stringValue": "A String", # string
1398 "booleanValue": True or False, # boolean
1399 "integerValue": "A String", # integer
1400 },
1401 "upperBound": { # Set of primitive values supported by the system. # Required. Upper bound value of buckets. All values greater than upper_bound are
1402 # grouped together into a single bucket; for example if `upper_bound` = 89,
1403 # then all values greater than 89 are replaced with the value “89+”.
1404 # Note that for the purposes of inspection or transformation, the number
1405 # of bytes considered to comprise a 'Value' is based on its representation
1406 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
1407 # 123456789, the number of bytes would be counted as 9, even though an
1408 # int64 only holds up to 8 bytes of data.
1409 "floatValue": 3.14, # float
1410 "timestampValue": "A String", # timestamp
1411 "dayOfWeekValue": "A String", # day of week
1412 "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
1413 # or are specified elsewhere. An API may choose to allow leap seconds. Related
1414 # types are google.type.Date and `google.protobuf.Timestamp`.
1415 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
1416 # to allow the value "24:00:00" for scenarios like business closing time.
1417 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
1418 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
1419 # allow the value 60 if it allows leap-seconds.
1420 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
1421 },
1422 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
1423 # and time zone are either specified elsewhere or are not significant. The date
1424 # is relative to the Proleptic Gregorian Calendar. This can represent:
1425 #
1426 # * A full date, with non-zero year, month and day values
1427 # * A month and day value, with a zero year, e.g. an anniversary
1428 # * A year on its own, with zero month and day values
1429 # * A year and month value, with a zero day, e.g. a credit card expiration date
1430 #
1431 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
1432 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
1433 # month and day.
1434 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
1435 # if specifying a year by itself or a year and month where the day is not
1436 # significant.
1437 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
1438 # a year.
1439 },
1440 "stringValue": "A String", # string
1441 "booleanValue": True or False, # boolean
1442 "integerValue": "A String", # integer
1443 },
1444 "bucketSize": 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if
1445 # `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the
1446 # following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60,
1447 # 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works.
1448 },
1449 "timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a # Time extraction
1450 # portion of the value.
1451 "partToExtract": "A String", # The part of the time to keep.
1452 },
1453 "dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the # Date Shift
1454 # same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting
1455 # to learn more.
1456 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This
1457 # results in the same shift for the same context and crypto_key. If
1458 # set, must also set context. Can only be applied to table items.
1459 # a key encryption key (KEK) stored by KMS).
1460 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
1461 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
1462 # unwrap the data crypto key.
1463 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
1464 # The wrapped key must be a 128/192/256 bit key.
1465 # Authorization requires the following IAM permissions when sending a request
1466 # to perform a crypto transformation using a kms-wrapped crypto key:
1467 # dlp.kms.encrypt
1468 "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
1469 "wrappedKey": "A String", # Required. The wrapped data crypto key.
1470 },
1471 "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
1472 # leaking the key. Choose another type of key if possible.
1473 "key": "A String", # Required. A 128/192/256 bit key.
1474 },
1475 "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
1476 # It will be discarded after the request finishes.
1477 "name": "A String", # Required. Name of the key.
1478 # This is an arbitrary string used to differentiate different keys.
1479 # A unique key is generated per name: two separate `TransientCryptoKey`
1480 # protos share the same generated key if their names are the same.
1481 # When the data crypto key is generated, this name is not used in any way
1482 # (repeating the api call will result in a different key being generated).
1483 },
1484 },
1485 "lowerBoundDays": 42, # Required. For example, -5 means shift date to at most 5 days back in the past.
1486 "upperBoundDays": 42, # Required. Range of shift in days. Actual shift will be selected at random within this
1487 # range (inclusive ends). Negative means shift to earlier in time. Must not
1488 # be more than 365250 days (1000 years) each direction.
1489 #
1490 # For example, 3 means shift date to at most 3 days into the future.
1491 "context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id.
1492 # If set, must also set cryptoKey. If set, shift will be consistent for the
1493 # given context.
1494 "name": "A String", # Name describing the field.
1495 },
1496 },
1497 "cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption # Ffx-Fpe
1498 # (FPE) with the FFX mode of operation; however when used in the
1499 # `ReidentifyContent` API method, it serves the opposite function by reversing
1500 # the surrogate back into the original identifier. The identifier must be
1501 # encoded as ASCII. For a given crypto key and context, the same identifier
1502 # will be replaced with the same surrogate. Identifiers must be at least two
1503 # characters long. In the case that the identifier is the empty string, it will
1504 # be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn
1505 # more.
1506 #
1507 # Note: We recommend using CryptoDeterministicConfig for all use cases which
1508 # do not require preserving the input alphabet space and size, plus warrant
1509 # referential integrity.
1510 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Required. The key used by the encryption algorithm.
1511 # a key encryption key (KEK) stored by KMS).
1512 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
1513 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
1514 # unwrap the data crypto key.
1515 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
1516 # The wrapped key must be a 128/192/256 bit key.
1517 # Authorization requires the following IAM permissions when sending a request
1518 # to perform a crypto transformation using a kms-wrapped crypto key:
1519 # dlp.kms.encrypt
1520 "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
1521 "wrappedKey": "A String", # Required. The wrapped data crypto key.
1522 },
1523 "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
1524 # leaking the key. Choose another type of key if possible.
1525 "key": "A String", # Required. A 128/192/256 bit key.
1526 },
1527 "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
1528 # It will be discarded after the request finishes.
1529 "name": "A String", # Required. Name of the key.
1530 # This is an arbitrary string used to differentiate different keys.
1531 # A unique key is generated per name: two separate `TransientCryptoKey`
1532 # protos share the same generated key if their names are the same.
1533 # When the data crypto key is generated, this name is not used in any way
1534 # (repeating the api call will result in a different key being generated).
1535 },
1536 },
1537 "radix": 42, # The native way to select the alphabet. Must be in the range [2, 95].
1538 "commonAlphabet": "A String", # Common alphabets.
1539 "customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters
1540 # that the FFX mode natively supports. This happens before/after
1541 # encryption/decryption.
1542 # Each character listed must appear only once.
1543 # Number of characters must be in the range [2, 95].
1544 # This must be encoded as ASCII.
1545 # The order of characters does not matter.
1546 "context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same
1547 # identifier in two different contexts won't be given the same surrogate. If
1548 # the context is not set, a default tweak will be used.
1549 #
1550 # If the context is set but:
1551 #
1552 # 1. there is no record present when transforming a given value or
1553 # 1. the field is not present when transforming a given value,
1554 #
1555 # a default tweak will be used.
1556 #
1557 # Note that case (1) is expected when an `InfoTypeTransformation` is
1558 # applied to both structured and non-structured `ContentItem`s.
1559 # Currently, the referenced field may be of value type integer or string.
1560 #
1561 # The tweak is constructed as a sequence of bytes in big endian byte order
1562 # such that:
1563 #
1564 # - a 64 bit integer is encoded followed by a single byte of value 1
1565 # - a string is encoded in UTF-8 format followed by a single byte of value 2
1566 "name": "A String", # Name describing the field.
1567 },
1568 "surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with.
1569 # This annotation will be applied to the surrogate by prefixing it with
1570 # the name of the custom infoType followed by the number of
1571 # characters comprising the surrogate. The following scheme defines the
1572 # format: info_type_name(surrogate_character_count):surrogate
1573 #
1574 # For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and
1575 # the surrogate is 'abc', the full replacement value
1576 # will be: 'MY_TOKEN_INFO_TYPE(3):abc'
1577 #
1578 # This annotation identifies the surrogate when inspecting content using the
1579 # custom infoType
1580 # [`SurrogateType`](/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype).
1581 # This facilitates reversal of the surrogate when it occurs in free text.
1582 #
1583 # In order for inspection to work properly, the name of this infoType must
1584 # not occur naturally anywhere in your data; otherwise, inspection may
1585 # find a surrogate that does not correspond to an actual identifier.
1586 # Therefore, choose your custom infoType name carefully after considering
1587 # what your data looks like. One way to select a name that has a high chance
1588 # of yielding reliable detection is to include one or more unicode characters
1589 # that are highly improbable to exist in your data.
1590 # For example, assuming your data is entered from a regular ASCII keyboard,
1591 # the symbol with the hex code point 29DD might be used like so:
1592 # ⧝MY_TOKEN_TYPE
1593 "name": "A String", # Name of the information type. Either a name of your choosing when
1594 # creating a CustomInfoType, or one of the names listed
1595 # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
1596 # a built-in type. InfoType names should conform to the pattern
1597 # `[a-zA-Z0-9_]{1,64}`.
1598 },
1599 },
1600 "bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and # Bucketing
1601 # replacement values are dynamically provided by the user for custom behavior,
1602 # such as 1-30 -&gt; LOW 31-65 -&gt; MEDIUM 66-100 -&gt; HIGH
1603 # This can be used on
1604 # data of type: number, long, string, timestamp.
1605 # If the bound `Value` type differs from the type of data being transformed, we
1606 # will first attempt converting the type of the data to be transformed to match
1607 # the type of the bound before comparing.
1608 # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
1609 "buckets": [ # Set of buckets. Ranges must be non-overlapping.
1610 { # Bucket is represented as a range, along with replacement values.
1611 "max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.
1612 # Note that for the purposes of inspection or transformation, the number
1613 # of bytes considered to comprise a 'Value' is based on its representation
1614 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
1615 # 123456789, the number of bytes would be counted as 9, even though an
1616 # int64 only holds up to 8 bytes of data.
1617 "floatValue": 3.14, # float
1618 "timestampValue": "A String", # timestamp
1619 "dayOfWeekValue": "A String", # day of week
1620 "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
1621 # or are specified elsewhere. An API may choose to allow leap seconds. Related
1622 # types are google.type.Date and `google.protobuf.Timestamp`.
1623 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
1624 # to allow the value "24:00:00" for scenarios like business closing time.
1625 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
1626 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
1627 # allow the value 60 if it allows leap-seconds.
1628 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
1629 },
1630 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
1631 # and time zone are either specified elsewhere or are not significant. The date
1632 # is relative to the Proleptic Gregorian Calendar. This can represent:
1633 #
1634 # * A full date, with non-zero year, month and day values
1635 # * A month and day value, with a zero year, e.g. an anniversary
1636 # * A year on its own, with zero month and day values
1637 # * A year and month value, with a zero day, e.g. a credit card expiration date
1638 #
1639 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
1640 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
1641 # month and day.
1642 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
1643 # if specifying a year by itself or a year and month where the day is not
1644 # significant.
1645 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
1646 # a year.
1647 },
1648 "stringValue": "A String", # string
1649 "booleanValue": True or False, # boolean
1650 "integerValue": "A String", # integer
1651 },
1652 "replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided
1653 # the default behavior will be to hyphenate the min-max range.
1654 # Note that for the purposes of inspection or transformation, the number
1655 # of bytes considered to comprise a 'Value' is based on its representation
1656 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
1657 # 123456789, the number of bytes would be counted as 9, even though an
1658 # int64 only holds up to 8 bytes of data.
1659 "floatValue": 3.14, # float
1660 "timestampValue": "A String", # timestamp
1661 "dayOfWeekValue": "A String", # day of week
1662 "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
1663 # or are specified elsewhere. An API may choose to allow leap seconds. Related
1664 # types are google.type.Date and `google.protobuf.Timestamp`.
1665 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
1666 # to allow the value "24:00:00" for scenarios like business closing time.
1667 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
1668 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
1669 # allow the value 60 if it allows leap-seconds.
1670 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
1671 },
1672 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
1673 # and time zone are either specified elsewhere or are not significant. The date
1674 # is relative to the Proleptic Gregorian Calendar. This can represent:
1675 #
1676 # * A full date, with non-zero year, month and day values
1677 # * A month and day value, with a zero year, e.g. an anniversary
1678 # * A year on its own, with zero month and day values
1679 # * A year and month value, with a zero day, e.g. a credit card expiration date
1680 #
1681 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
1682 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
1683 # month and day.
1684 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
1685 # if specifying a year by itself or a year and month where the day is not
1686 # significant.
1687 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
1688 # a year.
1689 },
1690 "stringValue": "A String", # string
1691 "booleanValue": True or False, # boolean
1692 "integerValue": "A String", # integer
1693 },
1694 "min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if
1695 # used.
1696 # Note that for the purposes of inspection or transformation, the number
1697 # of bytes considered to comprise a 'Value' is based on its representation
1698 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
1699 # 123456789, the number of bytes would be counted as 9, even though an
1700 # int64 only holds up to 8 bytes of data.
1701 "floatValue": 3.14, # float
1702 "timestampValue": "A String", # timestamp
1703 "dayOfWeekValue": "A String", # day of week
1704 "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
1705 # or are specified elsewhere. An API may choose to allow leap seconds. Related
1706 # types are google.type.Date and `google.protobuf.Timestamp`.
1707 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
1708 # to allow the value "24:00:00" for scenarios like business closing time.
1709 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
1710 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
1711 # allow the value 60 if it allows leap-seconds.
1712 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
1713 },
1714 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
1715 # and time zone are either specified elsewhere or are not significant. The date
1716 # is relative to the Proleptic Gregorian Calendar. This can represent:
1717 #
1718 # * A full date, with non-zero year, month and day values
1719 # * A month and day value, with a zero year, e.g. an anniversary
1720 # * A year on its own, with zero month and day values
1721 # * A year and month value, with a zero day, e.g. a credit card expiration date
1722 #
1723 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
1724 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
1725 # month and day.
1726 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
1727 # if specifying a year by itself or a year and month where the day is not
1728 # significant.
1729 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
1730 # a year.
1731 },
1732 "stringValue": "A String", # string
1733 "booleanValue": True or False, # boolean
1734 "integerValue": "A String", # integer
1735 },
1736 },
1737 ],
1738 },
1739 "cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing. # Crypto
1740 # Uses SHA-256.
1741 # The key size must be either 32 or 64 bytes.
1742 # Outputs a base64 encoded representation of the hashed output
1743 # (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).
1744 # Currently, only string and integer values can be hashed.
1745 # See https://cloud.google.com/dlp/docs/pseudonymization to learn more.
1746 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.
1747 # a key encryption key (KEK) stored by KMS).
1748 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
1749 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
1750 # unwrap the data crypto key.
1751 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
1752 # The wrapped key must be a 128/192/256 bit key.
1753 # Authorization requires the following IAM permissions when sending a request
1754 # to perform a crypto transformation using a kms-wrapped crypto key:
1755 # dlp.kms.encrypt
1756 "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
1757 "wrappedKey": "A String", # Required. The wrapped data crypto key.
1758 },
1759 "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
1760 # leaking the key. Choose another type of key if possible.
1761 "key": "A String", # Required. A 128/192/256 bit key.
1762 },
1763 "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
1764 # It will be discarded after the request finishes.
1765 "name": "A String", # Required. Name of the key.
1766 # This is an arbitrary string used to differentiate different keys.
1767 # A unique key is generated per name: two separate `TransientCryptoKey`
1768 # protos share the same generated key if their names are the same.
1769 # When the data crypto key is generated, this name is not used in any way
1770 # (repeating the api call will result in a different key being generated).
1771 },
1772 },
1773 },
1774 "replaceConfig": { # Replace each input value with a given `Value`. # Replace
1775 "newValue": { # Set of primitive values supported by the system. # Value to replace it with.
1776 # Note that for the purposes of inspection or transformation, the number
1777 # of bytes considered to comprise a 'Value' is based on its representation
1778 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
1779 # 123456789, the number of bytes would be counted as 9, even though an
1780 # int64 only holds up to 8 bytes of data.
1781 "floatValue": 3.14, # float
1782 "timestampValue": "A String", # timestamp
1783 "dayOfWeekValue": "A String", # day of week
1784 "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
1785 # or are specified elsewhere. An API may choose to allow leap seconds. Related
1786 # types are google.type.Date and `google.protobuf.Timestamp`.
1787 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
1788 # to allow the value "24:00:00" for scenarios like business closing time.
1789 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
1790 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
1791 # allow the value 60 if it allows leap-seconds.
1792 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
1793 },
1794 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
1795 # and time zone are either specified elsewhere or are not significant. The date
1796 # is relative to the Proleptic Gregorian Calendar. This can represent:
1797 #
1798 # * A full date, with non-zero year, month and day values
1799 # * A month and day value, with a zero year, e.g. an anniversary
1800 # * A year on its own, with zero month and day values
1801 # * A year and month value, with a zero day, e.g. a credit card expiration date
1802 #
1803 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
1804 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
1805 # month and day.
1806 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
1807 # if specifying a year by itself or a year and month where the day is not
1808 # significant.
1809 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
1810 # a year.
1811 },
1812 "stringValue": "A String", # string
1813 "booleanValue": True or False, # boolean
1814 "integerValue": "A String", # integer
1815 },
1816 },
1817 },
1818 "condition": { # A condition for determining whether a transformation should be applied to # Only apply the transformation if the condition evaluates to true for the
1819 # given `RecordCondition`. The conditions are allowed to reference fields
1820 # that are not used in the actual transformation.
1821 #
1822 # Example Use Cases:
1823 #
1824 # - Apply a different bucket transformation to an age column if the zip code
1825 # column for the same record is within a specific range.
1826 # - Redact a field if the date of birth field is greater than 85.
1827 # a field.
1828 "expressions": { # An expression, consisting or an operator and conditions. # An expression.
1829 "conditions": { # A collection of conditions. # Conditions to apply to the expression.
1830 "conditions": [ # A collection of conditions.
1831 { # The field type of `value` and `field` do not need to match to be
1832 # considered equal, but not all comparisons are possible.
1833 # EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types,
1834 # but all other comparisons are invalid with incompatible types.
1835 # A `value` of type:
1836 #
1837 # - `string` can be compared against all other types
1838 # - `boolean` can only be compared against other booleans
1839 # - `integer` can be compared against doubles or a string if the string value
1840 # can be parsed as an integer.
1841 # - `double` can be compared against integers or a string if the string can
1842 # be parsed as a double.
1843 # - `Timestamp` can be compared against strings in RFC 3339 date string
1844 # format.
1845 # - `TimeOfDay` can be compared against timestamps and strings in the format
1846 # of 'HH:mm:ss'.
1847 #
1848 # If we fail to compare do to type mismatch, a warning will be given and
1849 # the condition will evaluate to false.
1850 "operator": "A String", # Required. Operator used to compare the field or infoType to the value.
1851 "field": { # General identifier of a data field in a storage service. # Required. Field within the record this condition is evaluated against.
1852 "name": "A String", # Name describing the field.
1853 },
1854 "value": { # Set of primitive values supported by the system. # Value to compare against. [Mandatory, except for `EXISTS` tests.]
1855 # Note that for the purposes of inspection or transformation, the number
1856 # of bytes considered to comprise a 'Value' is based on its representation
1857 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
1858 # 123456789, the number of bytes would be counted as 9, even though an
1859 # int64 only holds up to 8 bytes of data.
1860 "floatValue": 3.14, # float
1861 "timestampValue": "A String", # timestamp
1862 "dayOfWeekValue": "A String", # day of week
1863 "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
1864 # or are specified elsewhere. An API may choose to allow leap seconds. Related
1865 # types are google.type.Date and `google.protobuf.Timestamp`.
1866 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
1867 # to allow the value "24:00:00" for scenarios like business closing time.
1868 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
1869 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
1870 # allow the value 60 if it allows leap-seconds.
1871 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
1872 },
1873 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
1874 # and time zone are either specified elsewhere or are not significant. The date
1875 # is relative to the Proleptic Gregorian Calendar. This can represent:
1876 #
1877 # * A full date, with non-zero year, month and day values
1878 # * A month and day value, with a zero year, e.g. an anniversary
1879 # * A year on its own, with zero month and day values
1880 # * A year and month value, with a zero day, e.g. a credit card expiration date
1881 #
1882 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
1883 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
1884 # month and day.
1885 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
1886 # if specifying a year by itself or a year and month where the day is not
1887 # significant.
1888 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
1889 # a year.
1890 },
1891 "stringValue": "A String", # string
1892 "booleanValue": True or False, # boolean
1893 "integerValue": "A String", # integer
1894 },
1895 },
1896 ],
1897 },
1898 "logicalOperator": "A String", # The operator to apply to the result of conditions. Default and currently
1899 # only supported value is `AND`.
1900 },
1901 },
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]1902 "infoTypeTransformations": { # A type of transformation that will scan unstructured text and # Treat the contents of the field as free text, and selectively
1903 # transform content that matches an `InfoType`.
1904 # apply various `PrimitiveTransformation`s to each finding, where the
1905 # transformation is applied to only values that were identified as a specific
1906 # info_type.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]1907 "transformations": [ # Required. Transformation for each infoType. Cannot specify more than one
1908 # for a given infoType.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]1909 { # A transformation to apply to text that is identified as a specific
1910 # info_type.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]1911 "primitiveTransformation": { # A rule for transforming a value. # Required. Primitive transformation to apply to the infoType.
1912 "cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given # Deterministic Crypto
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]1913 # input. Outputs a base64 encoded representation of the encrypted output.
1914 # Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.
1915 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function.
1916 # a key encryption key (KEK) stored by KMS).
1917 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
1918 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
1919 # unwrap the data crypto key.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]1920 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]1921 # The wrapped key must be a 128/192/256 bit key.
1922 # Authorization requires the following IAM permissions when sending a request
1923 # to perform a crypto transformation using a kms-wrapped crypto key:
1924 # dlp.kms.encrypt
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]1925 "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
1926 "wrappedKey": "A String", # Required. The wrapped data crypto key.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]1927 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]1928 "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]1929 # leaking the key. Choose another type of key if possible.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]1930 "key": "A String", # Required. A 128/192/256 bit key.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]1931 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]1932 "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]1933 # It will be discarded after the request finishes.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]1934 "name": "A String", # Required. Name of the key.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]1935 # This is an arbitrary string used to differentiate different keys.
1936 # A unique key is generated per name: two separate `TransientCryptoKey`
1937 # protos share the same generated key if their names are the same.
1938 # When the data crypto key is generated, this name is not used in any way
1939 # (repeating the api call will result in a different key being generated).
1940 },
1941 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]1942 "context": { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]1943 # referential integrity such that the same identifier in two different
1944 # contexts will be given a distinct surrogate. The context is appended to
1945 # plaintext value being encrypted. On decryption the provided context is
1946 # validated against the value used during encryption. If a context was
1947 # provided during encryption, same context must be provided during decryption
1948 # as well.
1949 #
1950 # If the context is not set, plaintext would be used as is for encryption.
1951 # If the context is set but:
1952 #
1953 # 1. there is no record present when transforming a given value or
1954 # 2. the field is not present when transforming a given value,
1955 #
1956 # plaintext would be used as is for encryption.
1957 #
1958 # Note that case (1) is expected when an `InfoTypeTransformation` is
1959 # applied to both structured and non-structured `ContentItem`s.
1960 "name": "A String", # Name describing the field.
1961 },
1962 "surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with.
1963 # This annotation will be applied to the surrogate by prefixing it with
1964 # the name of the custom info type followed by the number of
1965 # characters comprising the surrogate. The following scheme defines the
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]1966 # format: {info type name}({surrogate character count}):{surrogate}
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]1967 #
1968 # For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and
1969 # the surrogate is 'abc', the full replacement value
1970 # will be: 'MY_TOKEN_INFO_TYPE(3):abc'
1971 #
1972 # This annotation identifies the surrogate when inspecting content using the
1973 # custom info type 'Surrogate'. This facilitates reversal of the
1974 # surrogate when it occurs in free text.
1975 #
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]1976 # Note: For record transformations where the entire cell in a table is being
1977 # transformed, surrogates are not mandatory. Surrogates are used to denote
1978 # the location of the token and are necessary for re-identification in free
1979 # form text.
1980 #
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]1981 # In order for inspection to work properly, the name of this info type must
1982 # not occur naturally anywhere in your data; otherwise, inspection may either
1983 #
1984 # - reverse a surrogate that does not correspond to an actual identifier
1985 # - be unable to parse the surrogate and result in an error
1986 #
1987 # Therefore, choose your custom info type name carefully after considering
1988 # what your data looks like. One way to select a name that has a high chance
1989 # of yielding reliable detection is to include one or more unicode characters
1990 # that are highly improbable to exist in your data.
1991 # For example, assuming your data is entered from a regular ASCII keyboard,
1992 # the symbol with the hex code point 29DD might be used like so:
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]1993 # ⧝MY_TOKEN_TYPE.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]1994 "name": "A String", # Name of the information type. Either a name of your choosing when
1995 # creating a CustomInfoType, or one of the names listed
1996 # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
1997 # a built-in type. InfoType names should conform to the pattern
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]1998 # `[a-zA-Z0-9_]{1,64}`.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]1999 },
2000 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]2001 "characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a # Mask
2002 # fixed character. Masking can start from the beginning or end of the string.
2003 # This can be used on data of any type (numbers, longs, and so on) and when
2004 # de-identifying structured data we'll attempt to preserve the original data's
2005 # type. (This allows you to take a long like 123 and modify it to a string like
2006 # **3.
2007 "charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing
2008 # characters. For example, if the input string is `555-555-5555` and you
2009 # instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP
2010 # returns `***-**5-5555`.
2011 { # Characters to skip when doing deidentification of a value. These will be left
2012 # alone and skipped.
2013 "commonCharactersToIgnore": "A String", # Common characters to not transform when masking. Useful to avoid removing
2014 # punctuation.
2015 "charactersToSkip": "A String", # Characters to not transform when masking.
2016 },
2017 ],
2018 "numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be
2019 # masked. Skipped characters do not count towards this tally.
2020 "maskingCharacter": "A String", # Character to use to mask the sensitive values&amp;mdash;for example, `*` for an
2021 # alphabetic string such as a name, or `0` for a numeric string such as ZIP
2022 # code or credit card number. This string must have a length of 1. If not
2023 # supplied, this value defaults to `*` for strings, and `0` for digits.
2024 "reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is
2025 # `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the
2026 # input string `1234-5678-9012-3456` is masked as `00000000000000-3456`.
2027 # If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order`
2028 # is `true`, then the string `12345` is masked as `12***`.
2029 },
2030 "redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation` # Redact
2031 # transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the
2032 # output would be 'My phone number is '.
2033 },
2034 "replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type. # Replace with infotype
2035 },
2036 "fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The # Fixed size bucketing
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]2037 # Bucketing transformation can provide all of this functionality,
2038 # but requires more configuration. This message is provided as a convenience to
2039 # the user for simple bucketing strategies.
2040 #
2041 # The transformed value will be a hyphenated string of
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]2042 # {lower_bound}-{upper_bound}, i.e if lower_bound = 10 and upper_bound = 20
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]2043 # all values that are within this bucket will be replaced with "10-20".
2044 #
2045 # This can be used on data of type: double, long.
2046 #
2047 # If the bound Value type differs from the type of data
2048 # being transformed, we will first attempt converting the type of the data to
2049 # be transformed to match the type of the bound before comparing.
2050 #
2051 # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]2052 "lowerBound": { # Set of primitive values supported by the system. # Required. Lower bound value of buckets. All values less than `lower_bound` are
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]2053 # grouped together into a single bucket; for example if `lower_bound` = 10,
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]2054 # then all values less than 10 are replaced with the value “-10”.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]2055 # Note that for the purposes of inspection or transformation, the number
2056 # of bytes considered to comprise a 'Value' is based on its representation
2057 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
2058 # 123456789, the number of bytes would be counted as 9, even though an
2059 # int64 only holds up to 8 bytes of data.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]2060 "floatValue": 3.14, # float
2061 "timestampValue": "A String", # timestamp
2062 "dayOfWeekValue": "A String", # day of week
2063 "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]2064 # or are specified elsewhere. An API may choose to allow leap seconds. Related
2065 # types are google.type.Date and `google.protobuf.Timestamp`.
2066 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
2067 # to allow the value "24:00:00" for scenarios like business closing time.
2068 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
2069 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
2070 # allow the value 60 if it allows leap-seconds.
2071 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
2072 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]2073 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]2074 # and time zone are either specified elsewhere or are not significant. The date
2075 # is relative to the Proleptic Gregorian Calendar. This can represent:
2076 #
2077 # * A full date, with non-zero year, month and day values
2078 # * A month and day value, with a zero year, e.g. an anniversary
2079 # * A year on its own, with zero month and day values
2080 # * A year and month value, with a zero day, e.g. a credit card expiration date
2081 #
2082 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]2083 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
2084 # month and day.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]2085 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
2086 # if specifying a year by itself or a year and month where the day is not
2087 # significant.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]2088 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
2089 # a year.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]2090 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]2091 "stringValue": "A String", # string
2092 "booleanValue": True or False, # boolean
2093 "integerValue": "A String", # integer
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]2094 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]2095 "upperBound": { # Set of primitive values supported by the system. # Required. Upper bound value of buckets. All values greater than upper_bound are
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]2096 # grouped together into a single bucket; for example if `upper_bound` = 89,
2097 # then all values greater than 89 are replaced with the value “89+”.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]2098 # Note that for the purposes of inspection or transformation, the number
2099 # of bytes considered to comprise a 'Value' is based on its representation
2100 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
2101 # 123456789, the number of bytes would be counted as 9, even though an
2102 # int64 only holds up to 8 bytes of data.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]2103 "floatValue": 3.14, # float
2104 "timestampValue": "A String", # timestamp
2105 "dayOfWeekValue": "A String", # day of week
2106 "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]2107 # or are specified elsewhere. An API may choose to allow leap seconds. Related
2108 # types are google.type.Date and `google.protobuf.Timestamp`.
2109 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
2110 # to allow the value "24:00:00" for scenarios like business closing time.
2111 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
2112 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
2113 # allow the value 60 if it allows leap-seconds.
2114 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
2115 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]2116 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]2117 # and time zone are either specified elsewhere or are not significant. The date
2118 # is relative to the Proleptic Gregorian Calendar. This can represent:
2119 #
2120 # * A full date, with non-zero year, month and day values
2121 # * A month and day value, with a zero year, e.g. an anniversary
2122 # * A year on its own, with zero month and day values
2123 # * A year and month value, with a zero day, e.g. a credit card expiration date
2124 #
2125 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]2126 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
2127 # month and day.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]2128 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
2129 # if specifying a year by itself or a year and month where the day is not
2130 # significant.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]2131 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
2132 # a year.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]2133 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]2134 "stringValue": "A String", # string
2135 "booleanValue": True or False, # boolean
2136 "integerValue": "A String", # integer
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]2137 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]2138 "bucketSize": 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]2139 # `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the
2140 # following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60,
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]2141 # 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]2142 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]2143 "timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a # Time extraction
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]2144 # portion of the value.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]2145 "partToExtract": "A String", # The part of the time to keep.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]2146 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]2147 "dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the # Date Shift
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]2148 # same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting
2149 # to learn more.
2150 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]2151 # results in the same shift for the same context and crypto_key. If
2152 # set, must also set context. Can only be applied to table items.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]2153 # a key encryption key (KEK) stored by KMS).
2154 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
2155 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
2156 # unwrap the data crypto key.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]2157 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]2158 # The wrapped key must be a 128/192/256 bit key.
2159 # Authorization requires the following IAM permissions when sending a request
2160 # to perform a crypto transformation using a kms-wrapped crypto key:
2161 # dlp.kms.encrypt
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]2162 "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
2163 "wrappedKey": "A String", # Required. The wrapped data crypto key.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]2164 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]2165 "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]2166 # leaking the key. Choose another type of key if possible.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]2167 "key": "A String", # Required. A 128/192/256 bit key.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]2168 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]2169 "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]2170 # It will be discarded after the request finishes.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]2171 "name": "A String", # Required. Name of the key.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]2172 # This is an arbitrary string used to differentiate different keys.
2173 # A unique key is generated per name: two separate `TransientCryptoKey`
2174 # protos share the same generated key if their names are the same.
2175 # When the data crypto key is generated, this name is not used in any way
2176 # (repeating the api call will result in a different key being generated).
2177 },
2178 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]2179 "lowerBoundDays": 42, # Required. For example, -5 means shift date to at most 5 days back in the past.
2180 "upperBoundDays": 42, # Required. Range of shift in days. Actual shift will be selected at random within this
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]2181 # range (inclusive ends). Negative means shift to earlier in time. Must not
2182 # be more than 365250 days (1000 years) each direction.
2183 #
2184 # For example, 3 means shift date to at most 3 days into the future.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]2185 "context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]2186 # If set, must also set cryptoKey. If set, shift will be consistent for the
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]2187 # given context.
2188 "name": "A String", # Name describing the field.
2189 },
2190 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]2191 "cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption # Ffx-Fpe
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]2192 # (FPE) with the FFX mode of operation; however when used in the
2193 # `ReidentifyContent` API method, it serves the opposite function by reversing
2194 # the surrogate back into the original identifier. The identifier must be
2195 # encoded as ASCII. For a given crypto key and context, the same identifier
2196 # will be replaced with the same surrogate. Identifiers must be at least two
2197 # characters long. In the case that the identifier is the empty string, it will
2198 # be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn
2199 # more.
2200 #
2201 # Note: We recommend using CryptoDeterministicConfig for all use cases which
2202 # do not require preserving the input alphabet space and size, plus warrant
2203 # referential integrity.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]2204 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Required. The key used by the encryption algorithm.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]2205 # a key encryption key (KEK) stored by KMS).
2206 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
2207 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
2208 # unwrap the data crypto key.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]2209 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]2210 # The wrapped key must be a 128/192/256 bit key.
2211 # Authorization requires the following IAM permissions when sending a request
2212 # to perform a crypto transformation using a kms-wrapped crypto key:
2213 # dlp.kms.encrypt
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]2214 "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
2215 "wrappedKey": "A String", # Required. The wrapped data crypto key.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]2216 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]2217 "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]2218 # leaking the key. Choose another type of key if possible.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]2219 "key": "A String", # Required. A 128/192/256 bit key.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]2220 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]2221 "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]2222 # It will be discarded after the request finishes.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]2223 "name": "A String", # Required. Name of the key.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]2224 # This is an arbitrary string used to differentiate different keys.
2225 # A unique key is generated per name: two separate `TransientCryptoKey`
2226 # protos share the same generated key if their names are the same.
2227 # When the data crypto key is generated, this name is not used in any way
2228 # (repeating the api call will result in a different key being generated).
2229 },
2230 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]2231 "radix": 42, # The native way to select the alphabet. Must be in the range [2, 95].
2232 "commonAlphabet": "A String", # Common alphabets.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]2233 "customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters
2234 # that the FFX mode natively supports. This happens before/after
2235 # encryption/decryption.
2236 # Each character listed must appear only once.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]2237 # Number of characters must be in the range [2, 95].
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]2238 # This must be encoded as ASCII.
2239 # The order of characters does not matter.
2240 "context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same
2241 # identifier in two different contexts won't be given the same surrogate. If
2242 # the context is not set, a default tweak will be used.
2243 #
2244 # If the context is set but:
2245 #
2246 # 1. there is no record present when transforming a given value or
2247 # 1. the field is not present when transforming a given value,
2248 #
2249 # a default tweak will be used.
2250 #
2251 # Note that case (1) is expected when an `InfoTypeTransformation` is
2252 # applied to both structured and non-structured `ContentItem`s.
2253 # Currently, the referenced field may be of value type integer or string.
2254 #
2255 # The tweak is constructed as a sequence of bytes in big endian byte order
2256 # such that:
2257 #
2258 # - a 64 bit integer is encoded followed by a single byte of value 1
2259 # - a string is encoded in UTF-8 format followed by a single byte of value 2
2260 "name": "A String", # Name describing the field.
2261 },
2262 "surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with.
2263 # This annotation will be applied to the surrogate by prefixing it with
2264 # the name of the custom infoType followed by the number of
2265 # characters comprising the surrogate. The following scheme defines the
2266 # format: info_type_name(surrogate_character_count):surrogate
2267 #
2268 # For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and
2269 # the surrogate is 'abc', the full replacement value
2270 # will be: 'MY_TOKEN_INFO_TYPE(3):abc'
2271 #
2272 # This annotation identifies the surrogate when inspecting content using the
2273 # custom infoType
2274 # [`SurrogateType`](/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype).
2275 # This facilitates reversal of the surrogate when it occurs in free text.
2276 #
2277 # In order for inspection to work properly, the name of this infoType must
2278 # not occur naturally anywhere in your data; otherwise, inspection may
2279 # find a surrogate that does not correspond to an actual identifier.
2280 # Therefore, choose your custom infoType name carefully after considering
2281 # what your data looks like. One way to select a name that has a high chance
2282 # of yielding reliable detection is to include one or more unicode characters
2283 # that are highly improbable to exist in your data.
2284 # For example, assuming your data is entered from a regular ASCII keyboard,
2285 # the symbol with the hex code point 29DD might be used like so:
2286 # ⧝MY_TOKEN_TYPE
2287 "name": "A String", # Name of the information type. Either a name of your choosing when
2288 # creating a CustomInfoType, or one of the names listed
2289 # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
2290 # a built-in type. InfoType names should conform to the pattern
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]2291 # `[a-zA-Z0-9_]{1,64}`.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]2292 },
2293 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]2294 "bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and # Bucketing
2295 # replacement values are dynamically provided by the user for custom behavior,
2296 # such as 1-30 -&gt; LOW 31-65 -&gt; MEDIUM 66-100 -&gt; HIGH
2297 # This can be used on
2298 # data of type: number, long, string, timestamp.
2299 # If the bound `Value` type differs from the type of data being transformed, we
2300 # will first attempt converting the type of the data to be transformed to match
2301 # the type of the bound before comparing.
2302 # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
2303 "buckets": [ # Set of buckets. Ranges must be non-overlapping.
2304 { # Bucket is represented as a range, along with replacement values.
2305 "max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.
2306 # Note that for the purposes of inspection or transformation, the number
2307 # of bytes considered to comprise a 'Value' is based on its representation
2308 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
2309 # 123456789, the number of bytes would be counted as 9, even though an
2310 # int64 only holds up to 8 bytes of data.
2311 "floatValue": 3.14, # float
2312 "timestampValue": "A String", # timestamp
2313 "dayOfWeekValue": "A String", # day of week
2314 "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
2315 # or are specified elsewhere. An API may choose to allow leap seconds. Related
2316 # types are google.type.Date and `google.protobuf.Timestamp`.
2317 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
2318 # to allow the value "24:00:00" for scenarios like business closing time.
2319 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
2320 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
2321 # allow the value 60 if it allows leap-seconds.
2322 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
2323 },
2324 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
2325 # and time zone are either specified elsewhere or are not significant. The date
2326 # is relative to the Proleptic Gregorian Calendar. This can represent:
2327 #
2328 # * A full date, with non-zero year, month and day values
2329 # * A month and day value, with a zero year, e.g. an anniversary
2330 # * A year on its own, with zero month and day values
2331 # * A year and month value, with a zero day, e.g. a credit card expiration date
2332 #
2333 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
2334 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
2335 # month and day.
2336 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
2337 # if specifying a year by itself or a year and month where the day is not
2338 # significant.
2339 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
2340 # a year.
2341 },
2342 "stringValue": "A String", # string
2343 "booleanValue": True or False, # boolean
2344 "integerValue": "A String", # integer
2345 },
2346 "replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided
2347 # the default behavior will be to hyphenate the min-max range.
2348 # Note that for the purposes of inspection or transformation, the number
2349 # of bytes considered to comprise a 'Value' is based on its representation
2350 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
2351 # 123456789, the number of bytes would be counted as 9, even though an
2352 # int64 only holds up to 8 bytes of data.
2353 "floatValue": 3.14, # float
2354 "timestampValue": "A String", # timestamp
2355 "dayOfWeekValue": "A String", # day of week
2356 "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
2357 # or are specified elsewhere. An API may choose to allow leap seconds. Related
2358 # types are google.type.Date and `google.protobuf.Timestamp`.
2359 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
2360 # to allow the value "24:00:00" for scenarios like business closing time.
2361 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
2362 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
2363 # allow the value 60 if it allows leap-seconds.
2364 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
2365 },
2366 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
2367 # and time zone are either specified elsewhere or are not significant. The date
2368 # is relative to the Proleptic Gregorian Calendar. This can represent:
2369 #
2370 # * A full date, with non-zero year, month and day values
2371 # * A month and day value, with a zero year, e.g. an anniversary
2372 # * A year on its own, with zero month and day values
2373 # * A year and month value, with a zero day, e.g. a credit card expiration date
2374 #
2375 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
2376 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
2377 # month and day.
2378 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
2379 # if specifying a year by itself or a year and month where the day is not
2380 # significant.
2381 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
2382 # a year.
2383 },
2384 "stringValue": "A String", # string
2385 "booleanValue": True or False, # boolean
2386 "integerValue": "A String", # integer
2387 },
2388 "min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if
2389 # used.
2390 # Note that for the purposes of inspection or transformation, the number
2391 # of bytes considered to comprise a 'Value' is based on its representation
2392 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
2393 # 123456789, the number of bytes would be counted as 9, even though an
2394 # int64 only holds up to 8 bytes of data.
2395 "floatValue": 3.14, # float
2396 "timestampValue": "A String", # timestamp
2397 "dayOfWeekValue": "A String", # day of week
2398 "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
2399 # or are specified elsewhere. An API may choose to allow leap seconds. Related
2400 # types are google.type.Date and `google.protobuf.Timestamp`.
2401 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
2402 # to allow the value "24:00:00" for scenarios like business closing time.
2403 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
2404 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
2405 # allow the value 60 if it allows leap-seconds.
2406 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
2407 },
2408 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
2409 # and time zone are either specified elsewhere or are not significant. The date
2410 # is relative to the Proleptic Gregorian Calendar. This can represent:
2411 #
2412 # * A full date, with non-zero year, month and day values
2413 # * A month and day value, with a zero year, e.g. an anniversary
2414 # * A year on its own, with zero month and day values
2415 # * A year and month value, with a zero day, e.g. a credit card expiration date
2416 #
2417 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
2418 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
2419 # month and day.
2420 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
2421 # if specifying a year by itself or a year and month where the day is not
2422 # significant.
2423 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
2424 # a year.
2425 },
2426 "stringValue": "A String", # string
2427 "booleanValue": True or False, # boolean
2428 "integerValue": "A String", # integer
2429 },
2430 },
2431 ],
2432 },
2433 "cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing. # Crypto
2434 # Uses SHA-256.
2435 # The key size must be either 32 or 64 bytes.
2436 # Outputs a base64 encoded representation of the hashed output
2437 # (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).
2438 # Currently, only string and integer values can be hashed.
2439 # See https://cloud.google.com/dlp/docs/pseudonymization to learn more.
2440 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.
2441 # a key encryption key (KEK) stored by KMS).
2442 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
2443 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
2444 # unwrap the data crypto key.
2445 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
2446 # The wrapped key must be a 128/192/256 bit key.
2447 # Authorization requires the following IAM permissions when sending a request
2448 # to perform a crypto transformation using a kms-wrapped crypto key:
2449 # dlp.kms.encrypt
2450 "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
2451 "wrappedKey": "A String", # Required. The wrapped data crypto key.
2452 },
2453 "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
2454 # leaking the key. Choose another type of key if possible.
2455 "key": "A String", # Required. A 128/192/256 bit key.
2456 },
2457 "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
2458 # It will be discarded after the request finishes.
2459 "name": "A String", # Required. Name of the key.
2460 # This is an arbitrary string used to differentiate different keys.
2461 # A unique key is generated per name: two separate `TransientCryptoKey`
2462 # protos share the same generated key if their names are the same.
2463 # When the data crypto key is generated, this name is not used in any way
2464 # (repeating the api call will result in a different key being generated).
2465 },
2466 },
2467 },
2468 "replaceConfig": { # Replace each input value with a given `Value`. # Replace
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]2469 "newValue": { # Set of primitive values supported by the system. # Value to replace it with.
2470 # Note that for the purposes of inspection or transformation, the number
2471 # of bytes considered to comprise a 'Value' is based on its representation
2472 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
2473 # 123456789, the number of bytes would be counted as 9, even though an
2474 # int64 only holds up to 8 bytes of data.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]2475 "floatValue": 3.14, # float
2476 "timestampValue": "A String", # timestamp
2477 "dayOfWeekValue": "A String", # day of week
2478 "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]2479 # or are specified elsewhere. An API may choose to allow leap seconds. Related
2480 # types are google.type.Date and `google.protobuf.Timestamp`.
2481 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
2482 # to allow the value "24:00:00" for scenarios like business closing time.
2483 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
2484 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
2485 # allow the value 60 if it allows leap-seconds.
2486 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
2487 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]2488 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]2489 # and time zone are either specified elsewhere or are not significant. The date
2490 # is relative to the Proleptic Gregorian Calendar. This can represent:
2491 #
2492 # * A full date, with non-zero year, month and day values
2493 # * A month and day value, with a zero year, e.g. an anniversary
2494 # * A year on its own, with zero month and day values
2495 # * A year and month value, with a zero day, e.g. a credit card expiration date
2496 #
2497 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]2498 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
2499 # month and day.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]2500 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
2501 # if specifying a year by itself or a year and month where the day is not
2502 # significant.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]2503 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
2504 # a year.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]2505 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]2506 "stringValue": "A String", # string
2507 "booleanValue": True or False, # boolean
2508 "integerValue": "A String", # integer
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]2509 },
2510 },
2511 },
2512 "infoTypes": [ # InfoTypes to apply the transformation to. An empty list will cause
2513 # this transformation to apply to all findings that correspond to
2514 # infoTypes that were requested in `InspectConfig`.
2515 { # Type of information detected by the API.
2516 "name": "A String", # Name of the information type. Either a name of your choosing when
2517 # creating a CustomInfoType, or one of the names listed
2518 # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
2519 # a built-in type. InfoType names should conform to the pattern
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]2520 # `[a-zA-Z0-9_]{1,64}`.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]2521 },
2522 ],
2523 },
2524 ],
2525 },
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]2526 },
2527 ],
2528 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]2529 "transformationErrorHandling": { # How to handle transformation errors during de-identification. A # Mode for handling transformation errors. If left unspecified, the default
2530 # mode is `TransformationErrorHandling.ThrowError`.
2531 # transformation error occurs when the requested transformation is incompatible
2532 # with the data. For example, trying to de-identify an IP address using a
2533 # `DateShift` transformation would result in a transformation error, since date
2534 # info cannot be extracted from an IP address.
2535 # Information about any incompatible transformations, and how they were
2536 # handled, is returned in the response as part of the
2537 # `TransformationOverviews`.
2538 "throwError": { # Throw an error and fail the request when a transformation error occurs. # Throw an error
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]2539 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]2540 "leaveUntransformed": { # Skips the data without modifying it if the requested transformation would # Ignore errors
2541 # cause an error. For example, if a `DateShift` transformation were applied
2542 # an an IP address, this mode would leave the IP address unchanged in the
2543 # response.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]2544 },
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]2545 },
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]2546 },
2547 }
2548
2549 x__xgafv: string, V1 error format.
2550 Allowed values
2551 1 - v1 error format
2552 2 - v2 error format
2553
2554Returns:
2555 An object of the form:
2556
2557 { # Results of de-identifying a ContentItem.
2558 "overview": { # Overview of the modifications that occurred. # An overview of the changes that were made on the `item`.
2559 "transformationSummaries": [ # Transformations applied to the dataset.
2560 { # Summary of a single transformation.
2561 # Only one of 'transformation', 'field_transformation', or 'record_suppress'
2562 # will be set.
2563 "infoType": { # Type of information detected by the API. # Set if the transformation was limited to a specific InfoType.
2564 "name": "A String", # Name of the information type. Either a name of your choosing when
2565 # creating a CustomInfoType, or one of the names listed
2566 # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
2567 # a built-in type. InfoType names should conform to the pattern
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]2568 # `[a-zA-Z0-9_]{1,64}`.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]2569 },
2570 "recordSuppress": { # Configuration to suppress records whose suppression conditions evaluate to # The specific suppression option these stats apply to.
2571 # true.
2572 "condition": { # A condition for determining whether a transformation should be applied to # A condition that when it evaluates to true will result in the record being
2573 # evaluated to be suppressed from the transformed content.
2574 # a field.
2575 "expressions": { # An expression, consisting or an operator and conditions. # An expression.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]2576 "conditions": { # A collection of conditions. # Conditions to apply to the expression.
2577 "conditions": [ # A collection of conditions.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]2578 { # The field type of `value` and `field` do not need to match to be
2579 # considered equal, but not all comparisons are possible.
2580 # EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types,
2581 # but all other comparisons are invalid with incompatible types.
2582 # A `value` of type:
2583 #
2584 # - `string` can be compared against all other types
2585 # - `boolean` can only be compared against other booleans
2586 # - `integer` can be compared against doubles or a string if the string value
2587 # can be parsed as an integer.
2588 # - `double` can be compared against integers or a string if the string can
2589 # be parsed as a double.
2590 # - `Timestamp` can be compared against strings in RFC 3339 date string
2591 # format.
2592 # - `TimeOfDay` can be compared against timestamps and strings in the format
2593 # of 'HH:mm:ss'.
2594 #
2595 # If we fail to compare do to type mismatch, a warning will be given and
2596 # the condition will evaluate to false.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]2597 "operator": "A String", # Required. Operator used to compare the field or infoType to the value.
2598 "field": { # General identifier of a data field in a storage service. # Required. Field within the record this condition is evaluated against.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]2599 "name": "A String", # Name describing the field.
2600 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]2601 "value": { # Set of primitive values supported by the system. # Value to compare against. [Mandatory, except for `EXISTS` tests.]
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]2602 # Note that for the purposes of inspection or transformation, the number
2603 # of bytes considered to comprise a 'Value' is based on its representation
2604 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
2605 # 123456789, the number of bytes would be counted as 9, even though an
2606 # int64 only holds up to 8 bytes of data.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]2607 "floatValue": 3.14, # float
2608 "timestampValue": "A String", # timestamp
2609 "dayOfWeekValue": "A String", # day of week
2610 "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]2611 # or are specified elsewhere. An API may choose to allow leap seconds. Related
2612 # types are google.type.Date and `google.protobuf.Timestamp`.
2613 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
2614 # to allow the value "24:00:00" for scenarios like business closing time.
2615 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
2616 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
2617 # allow the value 60 if it allows leap-seconds.
2618 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
2619 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]2620 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]2621 # and time zone are either specified elsewhere or are not significant. The date
2622 # is relative to the Proleptic Gregorian Calendar. This can represent:
2623 #
2624 # * A full date, with non-zero year, month and day values
2625 # * A month and day value, with a zero year, e.g. an anniversary
2626 # * A year on its own, with zero month and day values
2627 # * A year and month value, with a zero day, e.g. a credit card expiration date
2628 #
2629 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]2630 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
2631 # month and day.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]2632 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
2633 # if specifying a year by itself or a year and month where the day is not
2634 # significant.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]2635 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
2636 # a year.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]2637 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]2638 "stringValue": "A String", # string
2639 "booleanValue": True or False, # boolean
2640 "integerValue": "A String", # integer
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]2641 },
2642 },
2643 ],
2644 },
2645 "logicalOperator": "A String", # The operator to apply to the result of conditions. Default and currently
2646 # only supported value is `AND`.
2647 },
2648 },
2649 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]2650 "results": [ # Collection of all transformations that took place or had an error.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]2651 { # A collection that informs the user the number of times a particular
2652 # `TransformationResultCode` and error details occurred.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]2653 "count": "A String", # Number of transformations counted by this result.
2654 "code": "A String", # Outcome of the transformation.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]2655 "details": "A String", # A place for warnings or errors to show up if a transformation didn't
2656 # work as expected.
2657 },
2658 ],
2659 "field": { # General identifier of a data field in a storage service. # Set if the transformation was limited to a specific FieldId.
2660 "name": "A String", # Name describing the field.
2661 },
2662 "fieldTransformations": [ # The field transformation that was applied.
2663 # If multiple field transformations are requested for a single field,
2664 # this list will contain all of them; otherwise, only one is supplied.
2665 { # The transformation to apply to the field.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]2666 "fields": [ # Required. Input field(s) to apply the transformation to.
2667 { # General identifier of a data field in a storage service.
2668 "name": "A String", # Name describing the field.
2669 },
2670 ],
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]2671 "primitiveTransformation": { # A rule for transforming a value. # Apply the transformation to the entire field.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]2672 "cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given # Deterministic Crypto
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]2673 # input. Outputs a base64 encoded representation of the encrypted output.
2674 # Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.
2675 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function.
2676 # a key encryption key (KEK) stored by KMS).
2677 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
2678 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
2679 # unwrap the data crypto key.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]2680 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]2681 # The wrapped key must be a 128/192/256 bit key.
2682 # Authorization requires the following IAM permissions when sending a request
2683 # to perform a crypto transformation using a kms-wrapped crypto key:
2684 # dlp.kms.encrypt
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]2685 "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
2686 "wrappedKey": "A String", # Required. The wrapped data crypto key.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]2687 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]2688 "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]2689 # leaking the key. Choose another type of key if possible.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]2690 "key": "A String", # Required. A 128/192/256 bit key.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]2691 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]2692 "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]2693 # It will be discarded after the request finishes.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]2694 "name": "A String", # Required. Name of the key.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]2695 # This is an arbitrary string used to differentiate different keys.
2696 # A unique key is generated per name: two separate `TransientCryptoKey`
2697 # protos share the same generated key if their names are the same.
2698 # When the data crypto key is generated, this name is not used in any way
2699 # (repeating the api call will result in a different key being generated).
2700 },
2701 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]2702 "context": { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]2703 # referential integrity such that the same identifier in two different
2704 # contexts will be given a distinct surrogate. The context is appended to
2705 # plaintext value being encrypted. On decryption the provided context is
2706 # validated against the value used during encryption. If a context was
2707 # provided during encryption, same context must be provided during decryption
2708 # as well.
2709 #
2710 # If the context is not set, plaintext would be used as is for encryption.
2711 # If the context is set but:
2712 #
2713 # 1. there is no record present when transforming a given value or
2714 # 2. the field is not present when transforming a given value,
2715 #
2716 # plaintext would be used as is for encryption.
2717 #
2718 # Note that case (1) is expected when an `InfoTypeTransformation` is
2719 # applied to both structured and non-structured `ContentItem`s.
2720 "name": "A String", # Name describing the field.
2721 },
2722 "surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with.
2723 # This annotation will be applied to the surrogate by prefixing it with
2724 # the name of the custom info type followed by the number of
2725 # characters comprising the surrogate. The following scheme defines the
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]2726 # format: {info type name}({surrogate character count}):{surrogate}
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]2727 #
2728 # For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and
2729 # the surrogate is 'abc', the full replacement value
2730 # will be: 'MY_TOKEN_INFO_TYPE(3):abc'
2731 #
2732 # This annotation identifies the surrogate when inspecting content using the
2733 # custom info type 'Surrogate'. This facilitates reversal of the
2734 # surrogate when it occurs in free text.
2735 #
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]2736 # Note: For record transformations where the entire cell in a table is being
2737 # transformed, surrogates are not mandatory. Surrogates are used to denote
2738 # the location of the token and are necessary for re-identification in free
2739 # form text.
2740 #
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]2741 # In order for inspection to work properly, the name of this info type must
2742 # not occur naturally anywhere in your data; otherwise, inspection may either
2743 #
2744 # - reverse a surrogate that does not correspond to an actual identifier
2745 # - be unable to parse the surrogate and result in an error
2746 #
2747 # Therefore, choose your custom info type name carefully after considering
2748 # what your data looks like. One way to select a name that has a high chance
2749 # of yielding reliable detection is to include one or more unicode characters
2750 # that are highly improbable to exist in your data.
2751 # For example, assuming your data is entered from a regular ASCII keyboard,
2752 # the symbol with the hex code point 29DD might be used like so:
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]2753 # ⧝MY_TOKEN_TYPE.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]2754 "name": "A String", # Name of the information type. Either a name of your choosing when
2755 # creating a CustomInfoType, or one of the names listed
2756 # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
2757 # a built-in type. InfoType names should conform to the pattern
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]2758 # `[a-zA-Z0-9_]{1,64}`.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]2759 },
2760 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]2761 "characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a # Mask
2762 # fixed character. Masking can start from the beginning or end of the string.
2763 # This can be used on data of any type (numbers, longs, and so on) and when
2764 # de-identifying structured data we'll attempt to preserve the original data's
2765 # type. (This allows you to take a long like 123 and modify it to a string like
2766 # **3.
2767 "charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing
2768 # characters. For example, if the input string is `555-555-5555` and you
2769 # instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP
2770 # returns `***-**5-5555`.
2771 { # Characters to skip when doing deidentification of a value. These will be left
2772 # alone and skipped.
2773 "commonCharactersToIgnore": "A String", # Common characters to not transform when masking. Useful to avoid removing
2774 # punctuation.
2775 "charactersToSkip": "A String", # Characters to not transform when masking.
2776 },
2777 ],
2778 "numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be
2779 # masked. Skipped characters do not count towards this tally.
2780 "maskingCharacter": "A String", # Character to use to mask the sensitive values&amp;mdash;for example, `*` for an
2781 # alphabetic string such as a name, or `0` for a numeric string such as ZIP
2782 # code or credit card number. This string must have a length of 1. If not
2783 # supplied, this value defaults to `*` for strings, and `0` for digits.
2784 "reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is
2785 # `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the
2786 # input string `1234-5678-9012-3456` is masked as `00000000000000-3456`.
2787 # If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order`
2788 # is `true`, then the string `12345` is masked as `12***`.
2789 },
2790 "redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation` # Redact
2791 # transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the
2792 # output would be 'My phone number is '.
2793 },
2794 "replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type. # Replace with infotype
2795 },
2796 "fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The # Fixed size bucketing
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]2797 # Bucketing transformation can provide all of this functionality,
2798 # but requires more configuration. This message is provided as a convenience to
2799 # the user for simple bucketing strategies.
2800 #
2801 # The transformed value will be a hyphenated string of
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]2802 # {lower_bound}-{upper_bound}, i.e if lower_bound = 10 and upper_bound = 20
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]2803 # all values that are within this bucket will be replaced with "10-20".
2804 #
2805 # This can be used on data of type: double, long.
2806 #
2807 # If the bound Value type differs from the type of data
2808 # being transformed, we will first attempt converting the type of the data to
2809 # be transformed to match the type of the bound before comparing.
2810 #
2811 # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]2812 "lowerBound": { # Set of primitive values supported by the system. # Required. Lower bound value of buckets. All values less than `lower_bound` are
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]2813 # grouped together into a single bucket; for example if `lower_bound` = 10,
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]2814 # then all values less than 10 are replaced with the value “-10”.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]2815 # Note that for the purposes of inspection or transformation, the number
2816 # of bytes considered to comprise a 'Value' is based on its representation
2817 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
2818 # 123456789, the number of bytes would be counted as 9, even though an
2819 # int64 only holds up to 8 bytes of data.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]2820 "floatValue": 3.14, # float
2821 "timestampValue": "A String", # timestamp
2822 "dayOfWeekValue": "A String", # day of week
2823 "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]2824 # or are specified elsewhere. An API may choose to allow leap seconds. Related
2825 # types are google.type.Date and `google.protobuf.Timestamp`.
2826 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
2827 # to allow the value "24:00:00" for scenarios like business closing time.
2828 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
2829 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
2830 # allow the value 60 if it allows leap-seconds.
2831 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
2832 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]2833 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]2834 # and time zone are either specified elsewhere or are not significant. The date
2835 # is relative to the Proleptic Gregorian Calendar. This can represent:
2836 #
2837 # * A full date, with non-zero year, month and day values
2838 # * A month and day value, with a zero year, e.g. an anniversary
2839 # * A year on its own, with zero month and day values
2840 # * A year and month value, with a zero day, e.g. a credit card expiration date
2841 #
2842 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]2843 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
2844 # month and day.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]2845 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
2846 # if specifying a year by itself or a year and month where the day is not
2847 # significant.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]2848 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
2849 # a year.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]2850 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]2851 "stringValue": "A String", # string
2852 "booleanValue": True or False, # boolean
2853 "integerValue": "A String", # integer
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]2854 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]2855 "upperBound": { # Set of primitive values supported by the system. # Required. Upper bound value of buckets. All values greater than upper_bound are
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]2856 # grouped together into a single bucket; for example if `upper_bound` = 89,
2857 # then all values greater than 89 are replaced with the value “89+”.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]2858 # Note that for the purposes of inspection or transformation, the number
2859 # of bytes considered to comprise a 'Value' is based on its representation
2860 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
2861 # 123456789, the number of bytes would be counted as 9, even though an
2862 # int64 only holds up to 8 bytes of data.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]2863 "floatValue": 3.14, # float
2864 "timestampValue": "A String", # timestamp
2865 "dayOfWeekValue": "A String", # day of week
2866 "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]2867 # or are specified elsewhere. An API may choose to allow leap seconds. Related
2868 # types are google.type.Date and `google.protobuf.Timestamp`.
2869 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
2870 # to allow the value "24:00:00" for scenarios like business closing time.
2871 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
2872 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
2873 # allow the value 60 if it allows leap-seconds.
2874 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
2875 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]2876 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]2877 # and time zone are either specified elsewhere or are not significant. The date
2878 # is relative to the Proleptic Gregorian Calendar. This can represent:
2879 #
2880 # * A full date, with non-zero year, month and day values
2881 # * A month and day value, with a zero year, e.g. an anniversary
2882 # * A year on its own, with zero month and day values
2883 # * A year and month value, with a zero day, e.g. a credit card expiration date
2884 #
2885 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]2886 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
2887 # month and day.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]2888 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
2889 # if specifying a year by itself or a year and month where the day is not
2890 # significant.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]2891 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
2892 # a year.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]2893 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]2894 "stringValue": "A String", # string
2895 "booleanValue": True or False, # boolean
2896 "integerValue": "A String", # integer
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]2897 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]2898 "bucketSize": 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]2899 # `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the
2900 # following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60,
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]2901 # 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]2902 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]2903 "timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a # Time extraction
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]2904 # portion of the value.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]2905 "partToExtract": "A String", # The part of the time to keep.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]2906 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]2907 "dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the # Date Shift
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]2908 # same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting
2909 # to learn more.
2910 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]2911 # results in the same shift for the same context and crypto_key. If
2912 # set, must also set context. Can only be applied to table items.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]2913 # a key encryption key (KEK) stored by KMS).
2914 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
2915 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
2916 # unwrap the data crypto key.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]2917 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]2918 # The wrapped key must be a 128/192/256 bit key.
2919 # Authorization requires the following IAM permissions when sending a request
2920 # to perform a crypto transformation using a kms-wrapped crypto key:
2921 # dlp.kms.encrypt
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]2922 "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
2923 "wrappedKey": "A String", # Required. The wrapped data crypto key.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]2924 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]2925 "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]2926 # leaking the key. Choose another type of key if possible.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]2927 "key": "A String", # Required. A 128/192/256 bit key.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]2928 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]2929 "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]2930 # It will be discarded after the request finishes.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]2931 "name": "A String", # Required. Name of the key.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]2932 # This is an arbitrary string used to differentiate different keys.
2933 # A unique key is generated per name: two separate `TransientCryptoKey`
2934 # protos share the same generated key if their names are the same.
2935 # When the data crypto key is generated, this name is not used in any way
2936 # (repeating the api call will result in a different key being generated).
2937 },
2938 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]2939 "lowerBoundDays": 42, # Required. For example, -5 means shift date to at most 5 days back in the past.
2940 "upperBoundDays": 42, # Required. Range of shift in days. Actual shift will be selected at random within this
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]2941 # range (inclusive ends). Negative means shift to earlier in time. Must not
2942 # be more than 365250 days (1000 years) each direction.
2943 #
2944 # For example, 3 means shift date to at most 3 days into the future.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]2945 "context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]2946 # If set, must also set cryptoKey. If set, shift will be consistent for the
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]2947 # given context.
2948 "name": "A String", # Name describing the field.
2949 },
2950 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]2951 "cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption # Ffx-Fpe
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]2952 # (FPE) with the FFX mode of operation; however when used in the
2953 # `ReidentifyContent` API method, it serves the opposite function by reversing
2954 # the surrogate back into the original identifier. The identifier must be
2955 # encoded as ASCII. For a given crypto key and context, the same identifier
2956 # will be replaced with the same surrogate. Identifiers must be at least two
2957 # characters long. In the case that the identifier is the empty string, it will
2958 # be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn
2959 # more.
2960 #
2961 # Note: We recommend using CryptoDeterministicConfig for all use cases which
2962 # do not require preserving the input alphabet space and size, plus warrant
2963 # referential integrity.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]2964 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Required. The key used by the encryption algorithm.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]2965 # a key encryption key (KEK) stored by KMS).
2966 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
2967 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
2968 # unwrap the data crypto key.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]2969 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]2970 # The wrapped key must be a 128/192/256 bit key.
2971 # Authorization requires the following IAM permissions when sending a request
2972 # to perform a crypto transformation using a kms-wrapped crypto key:
2973 # dlp.kms.encrypt
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]2974 "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
2975 "wrappedKey": "A String", # Required. The wrapped data crypto key.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]2976 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]2977 "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]2978 # leaking the key. Choose another type of key if possible.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]2979 "key": "A String", # Required. A 128/192/256 bit key.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]2980 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]2981 "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]2982 # It will be discarded after the request finishes.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]2983 "name": "A String", # Required. Name of the key.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]2984 # This is an arbitrary string used to differentiate different keys.
2985 # A unique key is generated per name: two separate `TransientCryptoKey`
2986 # protos share the same generated key if their names are the same.
2987 # When the data crypto key is generated, this name is not used in any way
2988 # (repeating the api call will result in a different key being generated).
2989 },
2990 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]2991 "radix": 42, # The native way to select the alphabet. Must be in the range [2, 95].
2992 "commonAlphabet": "A String", # Common alphabets.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]2993 "customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters
2994 # that the FFX mode natively supports. This happens before/after
2995 # encryption/decryption.
2996 # Each character listed must appear only once.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]2997 # Number of characters must be in the range [2, 95].
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]2998 # This must be encoded as ASCII.
2999 # The order of characters does not matter.
3000 "context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same
3001 # identifier in two different contexts won't be given the same surrogate. If
3002 # the context is not set, a default tweak will be used.
3003 #
3004 # If the context is set but:
3005 #
3006 # 1. there is no record present when transforming a given value or
3007 # 1. the field is not present when transforming a given value,
3008 #
3009 # a default tweak will be used.
3010 #
3011 # Note that case (1) is expected when an `InfoTypeTransformation` is
3012 # applied to both structured and non-structured `ContentItem`s.
3013 # Currently, the referenced field may be of value type integer or string.
3014 #
3015 # The tweak is constructed as a sequence of bytes in big endian byte order
3016 # such that:
3017 #
3018 # - a 64 bit integer is encoded followed by a single byte of value 1
3019 # - a string is encoded in UTF-8 format followed by a single byte of value 2
3020 "name": "A String", # Name describing the field.
3021 },
3022 "surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with.
3023 # This annotation will be applied to the surrogate by prefixing it with
3024 # the name of the custom infoType followed by the number of
3025 # characters comprising the surrogate. The following scheme defines the
3026 # format: info_type_name(surrogate_character_count):surrogate
3027 #
3028 # For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and
3029 # the surrogate is 'abc', the full replacement value
3030 # will be: 'MY_TOKEN_INFO_TYPE(3):abc'
3031 #
3032 # This annotation identifies the surrogate when inspecting content using the
3033 # custom infoType
3034 # [`SurrogateType`](/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype).
3035 # This facilitates reversal of the surrogate when it occurs in free text.
3036 #
3037 # In order for inspection to work properly, the name of this infoType must
3038 # not occur naturally anywhere in your data; otherwise, inspection may
3039 # find a surrogate that does not correspond to an actual identifier.
3040 # Therefore, choose your custom infoType name carefully after considering
3041 # what your data looks like. One way to select a name that has a high chance
3042 # of yielding reliable detection is to include one or more unicode characters
3043 # that are highly improbable to exist in your data.
3044 # For example, assuming your data is entered from a regular ASCII keyboard,
3045 # the symbol with the hex code point 29DD might be used like so:
3046 # ⧝MY_TOKEN_TYPE
3047 "name": "A String", # Name of the information type. Either a name of your choosing when
3048 # creating a CustomInfoType, or one of the names listed
3049 # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
3050 # a built-in type. InfoType names should conform to the pattern
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]3051 # `[a-zA-Z0-9_]{1,64}`.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]3052 },
3053 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]3054 "bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and # Bucketing
3055 # replacement values are dynamically provided by the user for custom behavior,
3056 # such as 1-30 -&gt; LOW 31-65 -&gt; MEDIUM 66-100 -&gt; HIGH
3057 # This can be used on
3058 # data of type: number, long, string, timestamp.
3059 # If the bound `Value` type differs from the type of data being transformed, we
3060 # will first attempt converting the type of the data to be transformed to match
3061 # the type of the bound before comparing.
3062 # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
3063 "buckets": [ # Set of buckets. Ranges must be non-overlapping.
3064 { # Bucket is represented as a range, along with replacement values.
3065 "max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.
3066 # Note that for the purposes of inspection or transformation, the number
3067 # of bytes considered to comprise a 'Value' is based on its representation
3068 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
3069 # 123456789, the number of bytes would be counted as 9, even though an
3070 # int64 only holds up to 8 bytes of data.
3071 "floatValue": 3.14, # float
3072 "timestampValue": "A String", # timestamp
3073 "dayOfWeekValue": "A String", # day of week
3074 "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
3075 # or are specified elsewhere. An API may choose to allow leap seconds. Related
3076 # types are google.type.Date and `google.protobuf.Timestamp`.
3077 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
3078 # to allow the value "24:00:00" for scenarios like business closing time.
3079 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
3080 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
3081 # allow the value 60 if it allows leap-seconds.
3082 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
3083 },
3084 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
3085 # and time zone are either specified elsewhere or are not significant. The date
3086 # is relative to the Proleptic Gregorian Calendar. This can represent:
3087 #
3088 # * A full date, with non-zero year, month and day values
3089 # * A month and day value, with a zero year, e.g. an anniversary
3090 # * A year on its own, with zero month and day values
3091 # * A year and month value, with a zero day, e.g. a credit card expiration date
3092 #
3093 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
3094 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
3095 # month and day.
3096 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
3097 # if specifying a year by itself or a year and month where the day is not
3098 # significant.
3099 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
3100 # a year.
3101 },
3102 "stringValue": "A String", # string
3103 "booleanValue": True or False, # boolean
3104 "integerValue": "A String", # integer
3105 },
3106 "replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided
3107 # the default behavior will be to hyphenate the min-max range.
3108 # Note that for the purposes of inspection or transformation, the number
3109 # of bytes considered to comprise a 'Value' is based on its representation
3110 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
3111 # 123456789, the number of bytes would be counted as 9, even though an
3112 # int64 only holds up to 8 bytes of data.
3113 "floatValue": 3.14, # float
3114 "timestampValue": "A String", # timestamp
3115 "dayOfWeekValue": "A String", # day of week
3116 "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
3117 # or are specified elsewhere. An API may choose to allow leap seconds. Related
3118 # types are google.type.Date and `google.protobuf.Timestamp`.
3119 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
3120 # to allow the value "24:00:00" for scenarios like business closing time.
3121 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
3122 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
3123 # allow the value 60 if it allows leap-seconds.
3124 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
3125 },
3126 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
3127 # and time zone are either specified elsewhere or are not significant. The date
3128 # is relative to the Proleptic Gregorian Calendar. This can represent:
3129 #
3130 # * A full date, with non-zero year, month and day values
3131 # * A month and day value, with a zero year, e.g. an anniversary
3132 # * A year on its own, with zero month and day values
3133 # * A year and month value, with a zero day, e.g. a credit card expiration date
3134 #
3135 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
3136 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
3137 # month and day.
3138 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
3139 # if specifying a year by itself or a year and month where the day is not
3140 # significant.
3141 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
3142 # a year.
3143 },
3144 "stringValue": "A String", # string
3145 "booleanValue": True or False, # boolean
3146 "integerValue": "A String", # integer
3147 },
3148 "min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if
3149 # used.
3150 # Note that for the purposes of inspection or transformation, the number
3151 # of bytes considered to comprise a 'Value' is based on its representation
3152 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
3153 # 123456789, the number of bytes would be counted as 9, even though an
3154 # int64 only holds up to 8 bytes of data.
3155 "floatValue": 3.14, # float
3156 "timestampValue": "A String", # timestamp
3157 "dayOfWeekValue": "A String", # day of week
3158 "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
3159 # or are specified elsewhere. An API may choose to allow leap seconds. Related
3160 # types are google.type.Date and `google.protobuf.Timestamp`.
3161 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
3162 # to allow the value "24:00:00" for scenarios like business closing time.
3163 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
3164 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
3165 # allow the value 60 if it allows leap-seconds.
3166 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
3167 },
3168 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
3169 # and time zone are either specified elsewhere or are not significant. The date
3170 # is relative to the Proleptic Gregorian Calendar. This can represent:
3171 #
3172 # * A full date, with non-zero year, month and day values
3173 # * A month and day value, with a zero year, e.g. an anniversary
3174 # * A year on its own, with zero month and day values
3175 # * A year and month value, with a zero day, e.g. a credit card expiration date
3176 #
3177 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
3178 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
3179 # month and day.
3180 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
3181 # if specifying a year by itself or a year and month where the day is not
3182 # significant.
3183 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
3184 # a year.
3185 },
3186 "stringValue": "A String", # string
3187 "booleanValue": True or False, # boolean
3188 "integerValue": "A String", # integer
3189 },
3190 },
3191 ],
3192 },
3193 "cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing. # Crypto
3194 # Uses SHA-256.
3195 # The key size must be either 32 or 64 bytes.
3196 # Outputs a base64 encoded representation of the hashed output
3197 # (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).
3198 # Currently, only string and integer values can be hashed.
3199 # See https://cloud.google.com/dlp/docs/pseudonymization to learn more.
3200 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.
3201 # a key encryption key (KEK) stored by KMS).
3202 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
3203 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
3204 # unwrap the data crypto key.
3205 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
3206 # The wrapped key must be a 128/192/256 bit key.
3207 # Authorization requires the following IAM permissions when sending a request
3208 # to perform a crypto transformation using a kms-wrapped crypto key:
3209 # dlp.kms.encrypt
3210 "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
3211 "wrappedKey": "A String", # Required. The wrapped data crypto key.
3212 },
3213 "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
3214 # leaking the key. Choose another type of key if possible.
3215 "key": "A String", # Required. A 128/192/256 bit key.
3216 },
3217 "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
3218 # It will be discarded after the request finishes.
3219 "name": "A String", # Required. Name of the key.
3220 # This is an arbitrary string used to differentiate different keys.
3221 # A unique key is generated per name: two separate `TransientCryptoKey`
3222 # protos share the same generated key if their names are the same.
3223 # When the data crypto key is generated, this name is not used in any way
3224 # (repeating the api call will result in a different key being generated).
3225 },
3226 },
3227 },
3228 "replaceConfig": { # Replace each input value with a given `Value`. # Replace
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]3229 "newValue": { # Set of primitive values supported by the system. # Value to replace it with.
3230 # Note that for the purposes of inspection or transformation, the number
3231 # of bytes considered to comprise a 'Value' is based on its representation
3232 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
3233 # 123456789, the number of bytes would be counted as 9, even though an
3234 # int64 only holds up to 8 bytes of data.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]3235 "floatValue": 3.14, # float
3236 "timestampValue": "A String", # timestamp
3237 "dayOfWeekValue": "A String", # day of week
3238 "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]3239 # or are specified elsewhere. An API may choose to allow leap seconds. Related
3240 # types are google.type.Date and `google.protobuf.Timestamp`.
3241 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
3242 # to allow the value "24:00:00" for scenarios like business closing time.
3243 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
3244 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
3245 # allow the value 60 if it allows leap-seconds.
3246 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
3247 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]3248 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]3249 # and time zone are either specified elsewhere or are not significant. The date
3250 # is relative to the Proleptic Gregorian Calendar. This can represent:
3251 #
3252 # * A full date, with non-zero year, month and day values
3253 # * A month and day value, with a zero year, e.g. an anniversary
3254 # * A year on its own, with zero month and day values
3255 # * A year and month value, with a zero day, e.g. a credit card expiration date
3256 #
3257 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]3258 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
3259 # month and day.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]3260 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
3261 # if specifying a year by itself or a year and month where the day is not
3262 # significant.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]3263 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
3264 # a year.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]3265 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]3266 "stringValue": "A String", # string
3267 "booleanValue": True or False, # boolean
3268 "integerValue": "A String", # integer
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]3269 },
3270 },
3271 },
3272 "condition": { # A condition for determining whether a transformation should be applied to # Only apply the transformation if the condition evaluates to true for the
3273 # given `RecordCondition`. The conditions are allowed to reference fields
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]3274 # that are not used in the actual transformation.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]3275 #
3276 # Example Use Cases:
3277 #
3278 # - Apply a different bucket transformation to an age column if the zip code
3279 # column for the same record is within a specific range.
3280 # - Redact a field if the date of birth field is greater than 85.
3281 # a field.
3282 "expressions": { # An expression, consisting or an operator and conditions. # An expression.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]3283 "conditions": { # A collection of conditions. # Conditions to apply to the expression.
3284 "conditions": [ # A collection of conditions.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]3285 { # The field type of `value` and `field` do not need to match to be
3286 # considered equal, but not all comparisons are possible.
3287 # EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types,
3288 # but all other comparisons are invalid with incompatible types.
3289 # A `value` of type:
3290 #
3291 # - `string` can be compared against all other types
3292 # - `boolean` can only be compared against other booleans
3293 # - `integer` can be compared against doubles or a string if the string value
3294 # can be parsed as an integer.
3295 # - `double` can be compared against integers or a string if the string can
3296 # be parsed as a double.
3297 # - `Timestamp` can be compared against strings in RFC 3339 date string
3298 # format.
3299 # - `TimeOfDay` can be compared against timestamps and strings in the format
3300 # of 'HH:mm:ss'.
3301 #
3302 # If we fail to compare do to type mismatch, a warning will be given and
3303 # the condition will evaluate to false.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]3304 "operator": "A String", # Required. Operator used to compare the field or infoType to the value.
3305 "field": { # General identifier of a data field in a storage service. # Required. Field within the record this condition is evaluated against.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]3306 "name": "A String", # Name describing the field.
3307 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]3308 "value": { # Set of primitive values supported by the system. # Value to compare against. [Mandatory, except for `EXISTS` tests.]
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]3309 # Note that for the purposes of inspection or transformation, the number
3310 # of bytes considered to comprise a 'Value' is based on its representation
3311 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
3312 # 123456789, the number of bytes would be counted as 9, even though an
3313 # int64 only holds up to 8 bytes of data.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]3314 "floatValue": 3.14, # float
3315 "timestampValue": "A String", # timestamp
3316 "dayOfWeekValue": "A String", # day of week
3317 "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]3318 # or are specified elsewhere. An API may choose to allow leap seconds. Related
3319 # types are google.type.Date and `google.protobuf.Timestamp`.
3320 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
3321 # to allow the value "24:00:00" for scenarios like business closing time.
3322 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
3323 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
3324 # allow the value 60 if it allows leap-seconds.
3325 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
3326 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]3327 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]3328 # and time zone are either specified elsewhere or are not significant. The date
3329 # is relative to the Proleptic Gregorian Calendar. This can represent:
3330 #
3331 # * A full date, with non-zero year, month and day values
3332 # * A month and day value, with a zero year, e.g. an anniversary
3333 # * A year on its own, with zero month and day values
3334 # * A year and month value, with a zero day, e.g. a credit card expiration date
3335 #
3336 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]3337 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
3338 # month and day.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]3339 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
3340 # if specifying a year by itself or a year and month where the day is not
3341 # significant.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]3342 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
3343 # a year.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]3344 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]3345 "stringValue": "A String", # string
3346 "booleanValue": True or False, # boolean
3347 "integerValue": "A String", # integer
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]3348 },
3349 },
3350 ],
3351 },
3352 "logicalOperator": "A String", # The operator to apply to the result of conditions. Default and currently
3353 # only supported value is `AND`.
3354 },
3355 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]3356 "infoTypeTransformations": { # A type of transformation that will scan unstructured text and # Treat the contents of the field as free text, and selectively
3357 # transform content that matches an `InfoType`.
3358 # apply various `PrimitiveTransformation`s to each finding, where the
3359 # transformation is applied to only values that were identified as a specific
3360 # info_type.
3361 "transformations": [ # Required. Transformation for each infoType. Cannot specify more than one
3362 # for a given infoType.
3363 { # A transformation to apply to text that is identified as a specific
3364 # info_type.
3365 "primitiveTransformation": { # A rule for transforming a value. # Required. Primitive transformation to apply to the infoType.
3366 "cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given # Deterministic Crypto
3367 # input. Outputs a base64 encoded representation of the encrypted output.
3368 # Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.
3369 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function.
3370 # a key encryption key (KEK) stored by KMS).
3371 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
3372 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
3373 # unwrap the data crypto key.
3374 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
3375 # The wrapped key must be a 128/192/256 bit key.
3376 # Authorization requires the following IAM permissions when sending a request
3377 # to perform a crypto transformation using a kms-wrapped crypto key:
3378 # dlp.kms.encrypt
3379 "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
3380 "wrappedKey": "A String", # Required. The wrapped data crypto key.
3381 },
3382 "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
3383 # leaking the key. Choose another type of key if possible.
3384 "key": "A String", # Required. A 128/192/256 bit key.
3385 },
3386 "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
3387 # It will be discarded after the request finishes.
3388 "name": "A String", # Required. Name of the key.
3389 # This is an arbitrary string used to differentiate different keys.
3390 # A unique key is generated per name: two separate `TransientCryptoKey`
3391 # protos share the same generated key if their names are the same.
3392 # When the data crypto key is generated, this name is not used in any way
3393 # (repeating the api call will result in a different key being generated).
3394 },
3395 },
3396 "context": { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining
3397 # referential integrity such that the same identifier in two different
3398 # contexts will be given a distinct surrogate. The context is appended to
3399 # plaintext value being encrypted. On decryption the provided context is
3400 # validated against the value used during encryption. If a context was
3401 # provided during encryption, same context must be provided during decryption
3402 # as well.
3403 #
3404 # If the context is not set, plaintext would be used as is for encryption.
3405 # If the context is set but:
3406 #
3407 # 1. there is no record present when transforming a given value or
3408 # 2. the field is not present when transforming a given value,
3409 #
3410 # plaintext would be used as is for encryption.
3411 #
3412 # Note that case (1) is expected when an `InfoTypeTransformation` is
3413 # applied to both structured and non-structured `ContentItem`s.
3414 "name": "A String", # Name describing the field.
3415 },
3416 "surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with.
3417 # This annotation will be applied to the surrogate by prefixing it with
3418 # the name of the custom info type followed by the number of
3419 # characters comprising the surrogate. The following scheme defines the
3420 # format: {info type name}({surrogate character count}):{surrogate}
3421 #
3422 # For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and
3423 # the surrogate is 'abc', the full replacement value
3424 # will be: 'MY_TOKEN_INFO_TYPE(3):abc'
3425 #
3426 # This annotation identifies the surrogate when inspecting content using the
3427 # custom info type 'Surrogate'. This facilitates reversal of the
3428 # surrogate when it occurs in free text.
3429 #
3430 # Note: For record transformations where the entire cell in a table is being
3431 # transformed, surrogates are not mandatory. Surrogates are used to denote
3432 # the location of the token and are necessary for re-identification in free
3433 # form text.
3434 #
3435 # In order for inspection to work properly, the name of this info type must
3436 # not occur naturally anywhere in your data; otherwise, inspection may either
3437 #
3438 # - reverse a surrogate that does not correspond to an actual identifier
3439 # - be unable to parse the surrogate and result in an error
3440 #
3441 # Therefore, choose your custom info type name carefully after considering
3442 # what your data looks like. One way to select a name that has a high chance
3443 # of yielding reliable detection is to include one or more unicode characters
3444 # that are highly improbable to exist in your data.
3445 # For example, assuming your data is entered from a regular ASCII keyboard,
3446 # the symbol with the hex code point 29DD might be used like so:
3447 # ⧝MY_TOKEN_TYPE.
3448 "name": "A String", # Name of the information type. Either a name of your choosing when
3449 # creating a CustomInfoType, or one of the names listed
3450 # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
3451 # a built-in type. InfoType names should conform to the pattern
3452 # `[a-zA-Z0-9_]{1,64}`.
3453 },
3454 },
3455 "characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a # Mask
3456 # fixed character. Masking can start from the beginning or end of the string.
3457 # This can be used on data of any type (numbers, longs, and so on) and when
3458 # de-identifying structured data we'll attempt to preserve the original data's
3459 # type. (This allows you to take a long like 123 and modify it to a string like
3460 # **3.
3461 "charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing
3462 # characters. For example, if the input string is `555-555-5555` and you
3463 # instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP
3464 # returns `***-**5-5555`.
3465 { # Characters to skip when doing deidentification of a value. These will be left
3466 # alone and skipped.
3467 "commonCharactersToIgnore": "A String", # Common characters to not transform when masking. Useful to avoid removing
3468 # punctuation.
3469 "charactersToSkip": "A String", # Characters to not transform when masking.
3470 },
3471 ],
3472 "numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be
3473 # masked. Skipped characters do not count towards this tally.
3474 "maskingCharacter": "A String", # Character to use to mask the sensitive values&amp;mdash;for example, `*` for an
3475 # alphabetic string such as a name, or `0` for a numeric string such as ZIP
3476 # code or credit card number. This string must have a length of 1. If not
3477 # supplied, this value defaults to `*` for strings, and `0` for digits.
3478 "reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is
3479 # `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the
3480 # input string `1234-5678-9012-3456` is masked as `00000000000000-3456`.
3481 # If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order`
3482 # is `true`, then the string `12345` is masked as `12***`.
3483 },
3484 "redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation` # Redact
3485 # transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the
3486 # output would be 'My phone number is '.
3487 },
3488 "replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type. # Replace with infotype
3489 },
3490 "fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The # Fixed size bucketing
3491 # Bucketing transformation can provide all of this functionality,
3492 # but requires more configuration. This message is provided as a convenience to
3493 # the user for simple bucketing strategies.
3494 #
3495 # The transformed value will be a hyphenated string of
3496 # {lower_bound}-{upper_bound}, i.e if lower_bound = 10 and upper_bound = 20
3497 # all values that are within this bucket will be replaced with "10-20".
3498 #
3499 # This can be used on data of type: double, long.
3500 #
3501 # If the bound Value type differs from the type of data
3502 # being transformed, we will first attempt converting the type of the data to
3503 # be transformed to match the type of the bound before comparing.
3504 #
3505 # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
3506 "lowerBound": { # Set of primitive values supported by the system. # Required. Lower bound value of buckets. All values less than `lower_bound` are
3507 # grouped together into a single bucket; for example if `lower_bound` = 10,
3508 # then all values less than 10 are replaced with the value “-10”.
3509 # Note that for the purposes of inspection or transformation, the number
3510 # of bytes considered to comprise a 'Value' is based on its representation
3511 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
3512 # 123456789, the number of bytes would be counted as 9, even though an
3513 # int64 only holds up to 8 bytes of data.
3514 "floatValue": 3.14, # float
3515 "timestampValue": "A String", # timestamp
3516 "dayOfWeekValue": "A String", # day of week
3517 "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
3518 # or are specified elsewhere. An API may choose to allow leap seconds. Related
3519 # types are google.type.Date and `google.protobuf.Timestamp`.
3520 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
3521 # to allow the value "24:00:00" for scenarios like business closing time.
3522 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
3523 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
3524 # allow the value 60 if it allows leap-seconds.
3525 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
3526 },
3527 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
3528 # and time zone are either specified elsewhere or are not significant. The date
3529 # is relative to the Proleptic Gregorian Calendar. This can represent:
3530 #
3531 # * A full date, with non-zero year, month and day values
3532 # * A month and day value, with a zero year, e.g. an anniversary
3533 # * A year on its own, with zero month and day values
3534 # * A year and month value, with a zero day, e.g. a credit card expiration date
3535 #
3536 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
3537 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
3538 # month and day.
3539 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
3540 # if specifying a year by itself or a year and month where the day is not
3541 # significant.
3542 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
3543 # a year.
3544 },
3545 "stringValue": "A String", # string
3546 "booleanValue": True or False, # boolean
3547 "integerValue": "A String", # integer
3548 },
3549 "upperBound": { # Set of primitive values supported by the system. # Required. Upper bound value of buckets. All values greater than upper_bound are
3550 # grouped together into a single bucket; for example if `upper_bound` = 89,
3551 # then all values greater than 89 are replaced with the value “89+”.
3552 # Note that for the purposes of inspection or transformation, the number
3553 # of bytes considered to comprise a 'Value' is based on its representation
3554 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
3555 # 123456789, the number of bytes would be counted as 9, even though an
3556 # int64 only holds up to 8 bytes of data.
3557 "floatValue": 3.14, # float
3558 "timestampValue": "A String", # timestamp
3559 "dayOfWeekValue": "A String", # day of week
3560 "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
3561 # or are specified elsewhere. An API may choose to allow leap seconds. Related
3562 # types are google.type.Date and `google.protobuf.Timestamp`.
3563 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
3564 # to allow the value "24:00:00" for scenarios like business closing time.
3565 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
3566 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
3567 # allow the value 60 if it allows leap-seconds.
3568 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
3569 },
3570 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
3571 # and time zone are either specified elsewhere or are not significant. The date
3572 # is relative to the Proleptic Gregorian Calendar. This can represent:
3573 #
3574 # * A full date, with non-zero year, month and day values
3575 # * A month and day value, with a zero year, e.g. an anniversary
3576 # * A year on its own, with zero month and day values
3577 # * A year and month value, with a zero day, e.g. a credit card expiration date
3578 #
3579 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
3580 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
3581 # month and day.
3582 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
3583 # if specifying a year by itself or a year and month where the day is not
3584 # significant.
3585 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
3586 # a year.
3587 },
3588 "stringValue": "A String", # string
3589 "booleanValue": True or False, # boolean
3590 "integerValue": "A String", # integer
3591 },
3592 "bucketSize": 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if
3593 # `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the
3594 # following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60,
3595 # 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works.
3596 },
3597 "timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a # Time extraction
3598 # portion of the value.
3599 "partToExtract": "A String", # The part of the time to keep.
3600 },
3601 "dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the # Date Shift
3602 # same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting
3603 # to learn more.
3604 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This
3605 # results in the same shift for the same context and crypto_key. If
3606 # set, must also set context. Can only be applied to table items.
3607 # a key encryption key (KEK) stored by KMS).
3608 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
3609 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
3610 # unwrap the data crypto key.
3611 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
3612 # The wrapped key must be a 128/192/256 bit key.
3613 # Authorization requires the following IAM permissions when sending a request
3614 # to perform a crypto transformation using a kms-wrapped crypto key:
3615 # dlp.kms.encrypt
3616 "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
3617 "wrappedKey": "A String", # Required. The wrapped data crypto key.
3618 },
3619 "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
3620 # leaking the key. Choose another type of key if possible.
3621 "key": "A String", # Required. A 128/192/256 bit key.
3622 },
3623 "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
3624 # It will be discarded after the request finishes.
3625 "name": "A String", # Required. Name of the key.
3626 # This is an arbitrary string used to differentiate different keys.
3627 # A unique key is generated per name: two separate `TransientCryptoKey`
3628 # protos share the same generated key if their names are the same.
3629 # When the data crypto key is generated, this name is not used in any way
3630 # (repeating the api call will result in a different key being generated).
3631 },
3632 },
3633 "lowerBoundDays": 42, # Required. For example, -5 means shift date to at most 5 days back in the past.
3634 "upperBoundDays": 42, # Required. Range of shift in days. Actual shift will be selected at random within this
3635 # range (inclusive ends). Negative means shift to earlier in time. Must not
3636 # be more than 365250 days (1000 years) each direction.
3637 #
3638 # For example, 3 means shift date to at most 3 days into the future.
3639 "context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id.
3640 # If set, must also set cryptoKey. If set, shift will be consistent for the
3641 # given context.
3642 "name": "A String", # Name describing the field.
3643 },
3644 },
3645 "cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption # Ffx-Fpe
3646 # (FPE) with the FFX mode of operation; however when used in the
3647 # `ReidentifyContent` API method, it serves the opposite function by reversing
3648 # the surrogate back into the original identifier. The identifier must be
3649 # encoded as ASCII. For a given crypto key and context, the same identifier
3650 # will be replaced with the same surrogate. Identifiers must be at least two
3651 # characters long. In the case that the identifier is the empty string, it will
3652 # be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn
3653 # more.
3654 #
3655 # Note: We recommend using CryptoDeterministicConfig for all use cases which
3656 # do not require preserving the input alphabet space and size, plus warrant
3657 # referential integrity.
3658 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Required. The key used by the encryption algorithm.
3659 # a key encryption key (KEK) stored by KMS).
3660 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
3661 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
3662 # unwrap the data crypto key.
3663 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
3664 # The wrapped key must be a 128/192/256 bit key.
3665 # Authorization requires the following IAM permissions when sending a request
3666 # to perform a crypto transformation using a kms-wrapped crypto key:
3667 # dlp.kms.encrypt
3668 "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
3669 "wrappedKey": "A String", # Required. The wrapped data crypto key.
3670 },
3671 "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
3672 # leaking the key. Choose another type of key if possible.
3673 "key": "A String", # Required. A 128/192/256 bit key.
3674 },
3675 "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
3676 # It will be discarded after the request finishes.
3677 "name": "A String", # Required. Name of the key.
3678 # This is an arbitrary string used to differentiate different keys.
3679 # A unique key is generated per name: two separate `TransientCryptoKey`
3680 # protos share the same generated key if their names are the same.
3681 # When the data crypto key is generated, this name is not used in any way
3682 # (repeating the api call will result in a different key being generated).
3683 },
3684 },
3685 "radix": 42, # The native way to select the alphabet. Must be in the range [2, 95].
3686 "commonAlphabet": "A String", # Common alphabets.
3687 "customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters
3688 # that the FFX mode natively supports. This happens before/after
3689 # encryption/decryption.
3690 # Each character listed must appear only once.
3691 # Number of characters must be in the range [2, 95].
3692 # This must be encoded as ASCII.
3693 # The order of characters does not matter.
3694 "context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same
3695 # identifier in two different contexts won't be given the same surrogate. If
3696 # the context is not set, a default tweak will be used.
3697 #
3698 # If the context is set but:
3699 #
3700 # 1. there is no record present when transforming a given value or
3701 # 1. the field is not present when transforming a given value,
3702 #
3703 # a default tweak will be used.
3704 #
3705 # Note that case (1) is expected when an `InfoTypeTransformation` is
3706 # applied to both structured and non-structured `ContentItem`s.
3707 # Currently, the referenced field may be of value type integer or string.
3708 #
3709 # The tweak is constructed as a sequence of bytes in big endian byte order
3710 # such that:
3711 #
3712 # - a 64 bit integer is encoded followed by a single byte of value 1
3713 # - a string is encoded in UTF-8 format followed by a single byte of value 2
3714 "name": "A String", # Name describing the field.
3715 },
3716 "surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with.
3717 # This annotation will be applied to the surrogate by prefixing it with
3718 # the name of the custom infoType followed by the number of
3719 # characters comprising the surrogate. The following scheme defines the
3720 # format: info_type_name(surrogate_character_count):surrogate
3721 #
3722 # For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and
3723 # the surrogate is 'abc', the full replacement value
3724 # will be: 'MY_TOKEN_INFO_TYPE(3):abc'
3725 #
3726 # This annotation identifies the surrogate when inspecting content using the
3727 # custom infoType
3728 # [`SurrogateType`](/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype).
3729 # This facilitates reversal of the surrogate when it occurs in free text.
3730 #
3731 # In order for inspection to work properly, the name of this infoType must
3732 # not occur naturally anywhere in your data; otherwise, inspection may
3733 # find a surrogate that does not correspond to an actual identifier.
3734 # Therefore, choose your custom infoType name carefully after considering
3735 # what your data looks like. One way to select a name that has a high chance
3736 # of yielding reliable detection is to include one or more unicode characters
3737 # that are highly improbable to exist in your data.
3738 # For example, assuming your data is entered from a regular ASCII keyboard,
3739 # the symbol with the hex code point 29DD might be used like so:
3740 # ⧝MY_TOKEN_TYPE
3741 "name": "A String", # Name of the information type. Either a name of your choosing when
3742 # creating a CustomInfoType, or one of the names listed
3743 # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
3744 # a built-in type. InfoType names should conform to the pattern
3745 # `[a-zA-Z0-9_]{1,64}`.
3746 },
3747 },
3748 "bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and # Bucketing
3749 # replacement values are dynamically provided by the user for custom behavior,
3750 # such as 1-30 -&gt; LOW 31-65 -&gt; MEDIUM 66-100 -&gt; HIGH
3751 # This can be used on
3752 # data of type: number, long, string, timestamp.
3753 # If the bound `Value` type differs from the type of data being transformed, we
3754 # will first attempt converting the type of the data to be transformed to match
3755 # the type of the bound before comparing.
3756 # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
3757 "buckets": [ # Set of buckets. Ranges must be non-overlapping.
3758 { # Bucket is represented as a range, along with replacement values.
3759 "max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.
3760 # Note that for the purposes of inspection or transformation, the number
3761 # of bytes considered to comprise a 'Value' is based on its representation
3762 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
3763 # 123456789, the number of bytes would be counted as 9, even though an
3764 # int64 only holds up to 8 bytes of data.
3765 "floatValue": 3.14, # float
3766 "timestampValue": "A String", # timestamp
3767 "dayOfWeekValue": "A String", # day of week
3768 "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
3769 # or are specified elsewhere. An API may choose to allow leap seconds. Related
3770 # types are google.type.Date and `google.protobuf.Timestamp`.
3771 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
3772 # to allow the value "24:00:00" for scenarios like business closing time.
3773 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
3774 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
3775 # allow the value 60 if it allows leap-seconds.
3776 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
3777 },
3778 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
3779 # and time zone are either specified elsewhere or are not significant. The date
3780 # is relative to the Proleptic Gregorian Calendar. This can represent:
3781 #
3782 # * A full date, with non-zero year, month and day values
3783 # * A month and day value, with a zero year, e.g. an anniversary
3784 # * A year on its own, with zero month and day values
3785 # * A year and month value, with a zero day, e.g. a credit card expiration date
3786 #
3787 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
3788 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
3789 # month and day.
3790 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
3791 # if specifying a year by itself or a year and month where the day is not
3792 # significant.
3793 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
3794 # a year.
3795 },
3796 "stringValue": "A String", # string
3797 "booleanValue": True or False, # boolean
3798 "integerValue": "A String", # integer
3799 },
3800 "replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided
3801 # the default behavior will be to hyphenate the min-max range.
3802 # Note that for the purposes of inspection or transformation, the number
3803 # of bytes considered to comprise a 'Value' is based on its representation
3804 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
3805 # 123456789, the number of bytes would be counted as 9, even though an
3806 # int64 only holds up to 8 bytes of data.
3807 "floatValue": 3.14, # float
3808 "timestampValue": "A String", # timestamp
3809 "dayOfWeekValue": "A String", # day of week
3810 "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
3811 # or are specified elsewhere. An API may choose to allow leap seconds. Related
3812 # types are google.type.Date and `google.protobuf.Timestamp`.
3813 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
3814 # to allow the value "24:00:00" for scenarios like business closing time.
3815 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
3816 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
3817 # allow the value 60 if it allows leap-seconds.
3818 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
3819 },
3820 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
3821 # and time zone are either specified elsewhere or are not significant. The date
3822 # is relative to the Proleptic Gregorian Calendar. This can represent:
3823 #
3824 # * A full date, with non-zero year, month and day values
3825 # * A month and day value, with a zero year, e.g. an anniversary
3826 # * A year on its own, with zero month and day values
3827 # * A year and month value, with a zero day, e.g. a credit card expiration date
3828 #
3829 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
3830 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
3831 # month and day.
3832 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
3833 # if specifying a year by itself or a year and month where the day is not
3834 # significant.
3835 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
3836 # a year.
3837 },
3838 "stringValue": "A String", # string
3839 "booleanValue": True or False, # boolean
3840 "integerValue": "A String", # integer
3841 },
3842 "min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if
3843 # used.
3844 # Note that for the purposes of inspection or transformation, the number
3845 # of bytes considered to comprise a 'Value' is based on its representation
3846 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
3847 # 123456789, the number of bytes would be counted as 9, even though an
3848 # int64 only holds up to 8 bytes of data.
3849 "floatValue": 3.14, # float
3850 "timestampValue": "A String", # timestamp
3851 "dayOfWeekValue": "A String", # day of week
3852 "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
3853 # or are specified elsewhere. An API may choose to allow leap seconds. Related
3854 # types are google.type.Date and `google.protobuf.Timestamp`.
3855 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
3856 # to allow the value "24:00:00" for scenarios like business closing time.
3857 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
3858 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
3859 # allow the value 60 if it allows leap-seconds.
3860 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
3861 },
3862 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
3863 # and time zone are either specified elsewhere or are not significant. The date
3864 # is relative to the Proleptic Gregorian Calendar. This can represent:
3865 #
3866 # * A full date, with non-zero year, month and day values
3867 # * A month and day value, with a zero year, e.g. an anniversary
3868 # * A year on its own, with zero month and day values
3869 # * A year and month value, with a zero day, e.g. a credit card expiration date
3870 #
3871 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
3872 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
3873 # month and day.
3874 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
3875 # if specifying a year by itself or a year and month where the day is not
3876 # significant.
3877 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
3878 # a year.
3879 },
3880 "stringValue": "A String", # string
3881 "booleanValue": True or False, # boolean
3882 "integerValue": "A String", # integer
3883 },
3884 },
3885 ],
3886 },
3887 "cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing. # Crypto
3888 # Uses SHA-256.
3889 # The key size must be either 32 or 64 bytes.
3890 # Outputs a base64 encoded representation of the hashed output
3891 # (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).
3892 # Currently, only string and integer values can be hashed.
3893 # See https://cloud.google.com/dlp/docs/pseudonymization to learn more.
3894 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.
3895 # a key encryption key (KEK) stored by KMS).
3896 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
3897 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
3898 # unwrap the data crypto key.
3899 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
3900 # The wrapped key must be a 128/192/256 bit key.
3901 # Authorization requires the following IAM permissions when sending a request
3902 # to perform a crypto transformation using a kms-wrapped crypto key:
3903 # dlp.kms.encrypt
3904 "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
3905 "wrappedKey": "A String", # Required. The wrapped data crypto key.
3906 },
3907 "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
3908 # leaking the key. Choose another type of key if possible.
3909 "key": "A String", # Required. A 128/192/256 bit key.
3910 },
3911 "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
3912 # It will be discarded after the request finishes.
3913 "name": "A String", # Required. Name of the key.
3914 # This is an arbitrary string used to differentiate different keys.
3915 # A unique key is generated per name: two separate `TransientCryptoKey`
3916 # protos share the same generated key if their names are the same.
3917 # When the data crypto key is generated, this name is not used in any way
3918 # (repeating the api call will result in a different key being generated).
3919 },
3920 },
3921 },
3922 "replaceConfig": { # Replace each input value with a given `Value`. # Replace
3923 "newValue": { # Set of primitive values supported by the system. # Value to replace it with.
3924 # Note that for the purposes of inspection or transformation, the number
3925 # of bytes considered to comprise a 'Value' is based on its representation
3926 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
3927 # 123456789, the number of bytes would be counted as 9, even though an
3928 # int64 only holds up to 8 bytes of data.
3929 "floatValue": 3.14, # float
3930 "timestampValue": "A String", # timestamp
3931 "dayOfWeekValue": "A String", # day of week
3932 "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
3933 # or are specified elsewhere. An API may choose to allow leap seconds. Related
3934 # types are google.type.Date and `google.protobuf.Timestamp`.
3935 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
3936 # to allow the value "24:00:00" for scenarios like business closing time.
3937 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
3938 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
3939 # allow the value 60 if it allows leap-seconds.
3940 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
3941 },
3942 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
3943 # and time zone are either specified elsewhere or are not significant. The date
3944 # is relative to the Proleptic Gregorian Calendar. This can represent:
3945 #
3946 # * A full date, with non-zero year, month and day values
3947 # * A month and day value, with a zero year, e.g. an anniversary
3948 # * A year on its own, with zero month and day values
3949 # * A year and month value, with a zero day, e.g. a credit card expiration date
3950 #
3951 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
3952 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
3953 # month and day.
3954 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
3955 # if specifying a year by itself or a year and month where the day is not
3956 # significant.
3957 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
3958 # a year.
3959 },
3960 "stringValue": "A String", # string
3961 "booleanValue": True or False, # boolean
3962 "integerValue": "A String", # integer
3963 },
3964 },
3965 },
3966 "infoTypes": [ # InfoTypes to apply the transformation to. An empty list will cause
3967 # this transformation to apply to all findings that correspond to
3968 # infoTypes that were requested in `InspectConfig`.
3969 { # Type of information detected by the API.
3970 "name": "A String", # Name of the information type. Either a name of your choosing when
3971 # creating a CustomInfoType, or one of the names listed
3972 # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
3973 # a built-in type. InfoType names should conform to the pattern
3974 # `[a-zA-Z0-9_]{1,64}`.
3975 },
3976 ],
3977 },
3978 ],
3979 },
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]3980 },
3981 ],
3982 "transformedBytes": "A String", # Total size in bytes that were transformed in some way.
3983 "transformation": { # A rule for transforming a value. # The specific transformation these stats apply to.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]3984 "cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given # Deterministic Crypto
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]3985 # input. Outputs a base64 encoded representation of the encrypted output.
3986 # Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.
3987 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function.
3988 # a key encryption key (KEK) stored by KMS).
3989 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
3990 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
3991 # unwrap the data crypto key.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]3992 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]3993 # The wrapped key must be a 128/192/256 bit key.
3994 # Authorization requires the following IAM permissions when sending a request
3995 # to perform a crypto transformation using a kms-wrapped crypto key:
3996 # dlp.kms.encrypt
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]3997 "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
3998 "wrappedKey": "A String", # Required. The wrapped data crypto key.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]3999 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]4000 "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]4001 # leaking the key. Choose another type of key if possible.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]4002 "key": "A String", # Required. A 128/192/256 bit key.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]4003 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]4004 "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]4005 # It will be discarded after the request finishes.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]4006 "name": "A String", # Required. Name of the key.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]4007 # This is an arbitrary string used to differentiate different keys.
4008 # A unique key is generated per name: two separate `TransientCryptoKey`
4009 # protos share the same generated key if their names are the same.
4010 # When the data crypto key is generated, this name is not used in any way
4011 # (repeating the api call will result in a different key being generated).
4012 },
4013 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]4014 "context": { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]4015 # referential integrity such that the same identifier in two different
4016 # contexts will be given a distinct surrogate. The context is appended to
4017 # plaintext value being encrypted. On decryption the provided context is
4018 # validated against the value used during encryption. If a context was
4019 # provided during encryption, same context must be provided during decryption
4020 # as well.
4021 #
4022 # If the context is not set, plaintext would be used as is for encryption.
4023 # If the context is set but:
4024 #
4025 # 1. there is no record present when transforming a given value or
4026 # 2. the field is not present when transforming a given value,
4027 #
4028 # plaintext would be used as is for encryption.
4029 #
4030 # Note that case (1) is expected when an `InfoTypeTransformation` is
4031 # applied to both structured and non-structured `ContentItem`s.
4032 "name": "A String", # Name describing the field.
4033 },
4034 "surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with.
4035 # This annotation will be applied to the surrogate by prefixing it with
4036 # the name of the custom info type followed by the number of
4037 # characters comprising the surrogate. The following scheme defines the
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]4038 # format: {info type name}({surrogate character count}):{surrogate}
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]4039 #
4040 # For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and
4041 # the surrogate is 'abc', the full replacement value
4042 # will be: 'MY_TOKEN_INFO_TYPE(3):abc'
4043 #
4044 # This annotation identifies the surrogate when inspecting content using the
4045 # custom info type 'Surrogate'. This facilitates reversal of the
4046 # surrogate when it occurs in free text.
4047 #
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]4048 # Note: For record transformations where the entire cell in a table is being
4049 # transformed, surrogates are not mandatory. Surrogates are used to denote
4050 # the location of the token and are necessary for re-identification in free
4051 # form text.
4052 #
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]4053 # In order for inspection to work properly, the name of this info type must
4054 # not occur naturally anywhere in your data; otherwise, inspection may either
4055 #
4056 # - reverse a surrogate that does not correspond to an actual identifier
4057 # - be unable to parse the surrogate and result in an error
4058 #
4059 # Therefore, choose your custom info type name carefully after considering
4060 # what your data looks like. One way to select a name that has a high chance
4061 # of yielding reliable detection is to include one or more unicode characters
4062 # that are highly improbable to exist in your data.
4063 # For example, assuming your data is entered from a regular ASCII keyboard,
4064 # the symbol with the hex code point 29DD might be used like so:
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]4065 # ⧝MY_TOKEN_TYPE.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]4066 "name": "A String", # Name of the information type. Either a name of your choosing when
4067 # creating a CustomInfoType, or one of the names listed
4068 # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
4069 # a built-in type. InfoType names should conform to the pattern
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]4070 # `[a-zA-Z0-9_]{1,64}`.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]4071 },
4072 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]4073 "characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a # Mask
4074 # fixed character. Masking can start from the beginning or end of the string.
4075 # This can be used on data of any type (numbers, longs, and so on) and when
4076 # de-identifying structured data we'll attempt to preserve the original data's
4077 # type. (This allows you to take a long like 123 and modify it to a string like
4078 # **3.
4079 "charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing
4080 # characters. For example, if the input string is `555-555-5555` and you
4081 # instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP
4082 # returns `***-**5-5555`.
4083 { # Characters to skip when doing deidentification of a value. These will be left
4084 # alone and skipped.
4085 "commonCharactersToIgnore": "A String", # Common characters to not transform when masking. Useful to avoid removing
4086 # punctuation.
4087 "charactersToSkip": "A String", # Characters to not transform when masking.
4088 },
4089 ],
4090 "numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be
4091 # masked. Skipped characters do not count towards this tally.
4092 "maskingCharacter": "A String", # Character to use to mask the sensitive values&amp;mdash;for example, `*` for an
4093 # alphabetic string such as a name, or `0` for a numeric string such as ZIP
4094 # code or credit card number. This string must have a length of 1. If not
4095 # supplied, this value defaults to `*` for strings, and `0` for digits.
4096 "reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is
4097 # `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the
4098 # input string `1234-5678-9012-3456` is masked as `00000000000000-3456`.
4099 # If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order`
4100 # is `true`, then the string `12345` is masked as `12***`.
4101 },
4102 "redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation` # Redact
4103 # transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the
4104 # output would be 'My phone number is '.
4105 },
4106 "replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type. # Replace with infotype
4107 },
4108 "fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The # Fixed size bucketing
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]4109 # Bucketing transformation can provide all of this functionality,
4110 # but requires more configuration. This message is provided as a convenience to
4111 # the user for simple bucketing strategies.
4112 #
4113 # The transformed value will be a hyphenated string of
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]4114 # {lower_bound}-{upper_bound}, i.e if lower_bound = 10 and upper_bound = 20
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]4115 # all values that are within this bucket will be replaced with "10-20".
4116 #
4117 # This can be used on data of type: double, long.
4118 #
4119 # If the bound Value type differs from the type of data
4120 # being transformed, we will first attempt converting the type of the data to
4121 # be transformed to match the type of the bound before comparing.
4122 #
4123 # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]4124 "lowerBound": { # Set of primitive values supported by the system. # Required. Lower bound value of buckets. All values less than `lower_bound` are
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]4125 # grouped together into a single bucket; for example if `lower_bound` = 10,
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]4126 # then all values less than 10 are replaced with the value “-10”.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]4127 # Note that for the purposes of inspection or transformation, the number
4128 # of bytes considered to comprise a 'Value' is based on its representation
4129 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
4130 # 123456789, the number of bytes would be counted as 9, even though an
4131 # int64 only holds up to 8 bytes of data.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]4132 "floatValue": 3.14, # float
4133 "timestampValue": "A String", # timestamp
4134 "dayOfWeekValue": "A String", # day of week
4135 "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]4136 # or are specified elsewhere. An API may choose to allow leap seconds. Related
4137 # types are google.type.Date and `google.protobuf.Timestamp`.
4138 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
4139 # to allow the value "24:00:00" for scenarios like business closing time.
4140 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
4141 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
4142 # allow the value 60 if it allows leap-seconds.
4143 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
4144 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]4145 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]4146 # and time zone are either specified elsewhere or are not significant. The date
4147 # is relative to the Proleptic Gregorian Calendar. This can represent:
4148 #
4149 # * A full date, with non-zero year, month and day values
4150 # * A month and day value, with a zero year, e.g. an anniversary
4151 # * A year on its own, with zero month and day values
4152 # * A year and month value, with a zero day, e.g. a credit card expiration date
4153 #
4154 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]4155 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
4156 # month and day.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]4157 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
4158 # if specifying a year by itself or a year and month where the day is not
4159 # significant.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]4160 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
4161 # a year.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]4162 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]4163 "stringValue": "A String", # string
4164 "booleanValue": True or False, # boolean
4165 "integerValue": "A String", # integer
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]4166 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]4167 "upperBound": { # Set of primitive values supported by the system. # Required. Upper bound value of buckets. All values greater than upper_bound are
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]4168 # grouped together into a single bucket; for example if `upper_bound` = 89,
4169 # then all values greater than 89 are replaced with the value “89+”.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]4170 # Note that for the purposes of inspection or transformation, the number
4171 # of bytes considered to comprise a 'Value' is based on its representation
4172 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
4173 # 123456789, the number of bytes would be counted as 9, even though an
4174 # int64 only holds up to 8 bytes of data.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]4175 "floatValue": 3.14, # float
4176 "timestampValue": "A String", # timestamp
4177 "dayOfWeekValue": "A String", # day of week
4178 "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]4179 # or are specified elsewhere. An API may choose to allow leap seconds. Related
4180 # types are google.type.Date and `google.protobuf.Timestamp`.
4181 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
4182 # to allow the value "24:00:00" for scenarios like business closing time.
4183 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
4184 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
4185 # allow the value 60 if it allows leap-seconds.
4186 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
4187 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]4188 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]4189 # and time zone are either specified elsewhere or are not significant. The date
4190 # is relative to the Proleptic Gregorian Calendar. This can represent:
4191 #
4192 # * A full date, with non-zero year, month and day values
4193 # * A month and day value, with a zero year, e.g. an anniversary
4194 # * A year on its own, with zero month and day values
4195 # * A year and month value, with a zero day, e.g. a credit card expiration date
4196 #
4197 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]4198 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
4199 # month and day.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]4200 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
4201 # if specifying a year by itself or a year and month where the day is not
4202 # significant.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]4203 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
4204 # a year.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]4205 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]4206 "stringValue": "A String", # string
4207 "booleanValue": True or False, # boolean
4208 "integerValue": "A String", # integer
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]4209 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]4210 "bucketSize": 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]4211 # `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the
4212 # following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60,
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]4213 # 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]4214 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]4215 "timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a # Time extraction
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]4216 # portion of the value.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]4217 "partToExtract": "A String", # The part of the time to keep.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]4218 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]4219 "dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the # Date Shift
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]4220 # same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting
4221 # to learn more.
4222 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]4223 # results in the same shift for the same context and crypto_key. If
4224 # set, must also set context. Can only be applied to table items.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]4225 # a key encryption key (KEK) stored by KMS).
4226 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
4227 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
4228 # unwrap the data crypto key.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]4229 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]4230 # The wrapped key must be a 128/192/256 bit key.
4231 # Authorization requires the following IAM permissions when sending a request
4232 # to perform a crypto transformation using a kms-wrapped crypto key:
4233 # dlp.kms.encrypt
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]4234 "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
4235 "wrappedKey": "A String", # Required. The wrapped data crypto key.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]4236 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]4237 "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]4238 # leaking the key. Choose another type of key if possible.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]4239 "key": "A String", # Required. A 128/192/256 bit key.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]4240 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]4241 "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]4242 # It will be discarded after the request finishes.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]4243 "name": "A String", # Required. Name of the key.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]4244 # This is an arbitrary string used to differentiate different keys.
4245 # A unique key is generated per name: two separate `TransientCryptoKey`
4246 # protos share the same generated key if their names are the same.
4247 # When the data crypto key is generated, this name is not used in any way
4248 # (repeating the api call will result in a different key being generated).
4249 },
4250 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]4251 "lowerBoundDays": 42, # Required. For example, -5 means shift date to at most 5 days back in the past.
4252 "upperBoundDays": 42, # Required. Range of shift in days. Actual shift will be selected at random within this
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]4253 # range (inclusive ends). Negative means shift to earlier in time. Must not
4254 # be more than 365250 days (1000 years) each direction.
4255 #
4256 # For example, 3 means shift date to at most 3 days into the future.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]4257 "context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]4258 # If set, must also set cryptoKey. If set, shift will be consistent for the
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]4259 # given context.
4260 "name": "A String", # Name describing the field.
4261 },
4262 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]4263 "cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption # Ffx-Fpe
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]4264 # (FPE) with the FFX mode of operation; however when used in the
4265 # `ReidentifyContent` API method, it serves the opposite function by reversing
4266 # the surrogate back into the original identifier. The identifier must be
4267 # encoded as ASCII. For a given crypto key and context, the same identifier
4268 # will be replaced with the same surrogate. Identifiers must be at least two
4269 # characters long. In the case that the identifier is the empty string, it will
4270 # be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn
4271 # more.
4272 #
4273 # Note: We recommend using CryptoDeterministicConfig for all use cases which
4274 # do not require preserving the input alphabet space and size, plus warrant
4275 # referential integrity.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]4276 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Required. The key used by the encryption algorithm.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]4277 # a key encryption key (KEK) stored by KMS).
4278 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
4279 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
4280 # unwrap the data crypto key.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]4281 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]4282 # The wrapped key must be a 128/192/256 bit key.
4283 # Authorization requires the following IAM permissions when sending a request
4284 # to perform a crypto transformation using a kms-wrapped crypto key:
4285 # dlp.kms.encrypt
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]4286 "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
4287 "wrappedKey": "A String", # Required. The wrapped data crypto key.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]4288 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]4289 "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]4290 # leaking the key. Choose another type of key if possible.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]4291 "key": "A String", # Required. A 128/192/256 bit key.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]4292 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]4293 "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]4294 # It will be discarded after the request finishes.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]4295 "name": "A String", # Required. Name of the key.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]4296 # This is an arbitrary string used to differentiate different keys.
4297 # A unique key is generated per name: two separate `TransientCryptoKey`
4298 # protos share the same generated key if their names are the same.
4299 # When the data crypto key is generated, this name is not used in any way
4300 # (repeating the api call will result in a different key being generated).
4301 },
4302 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]4303 "radix": 42, # The native way to select the alphabet. Must be in the range [2, 95].
4304 "commonAlphabet": "A String", # Common alphabets.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]4305 "customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters
4306 # that the FFX mode natively supports. This happens before/after
4307 # encryption/decryption.
4308 # Each character listed must appear only once.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]4309 # Number of characters must be in the range [2, 95].
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]4310 # This must be encoded as ASCII.
4311 # The order of characters does not matter.
4312 "context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same
4313 # identifier in two different contexts won't be given the same surrogate. If
4314 # the context is not set, a default tweak will be used.
4315 #
4316 # If the context is set but:
4317 #
4318 # 1. there is no record present when transforming a given value or
4319 # 1. the field is not present when transforming a given value,
4320 #
4321 # a default tweak will be used.
4322 #
4323 # Note that case (1) is expected when an `InfoTypeTransformation` is
4324 # applied to both structured and non-structured `ContentItem`s.
4325 # Currently, the referenced field may be of value type integer or string.
4326 #
4327 # The tweak is constructed as a sequence of bytes in big endian byte order
4328 # such that:
4329 #
4330 # - a 64 bit integer is encoded followed by a single byte of value 1
4331 # - a string is encoded in UTF-8 format followed by a single byte of value 2
4332 "name": "A String", # Name describing the field.
4333 },
4334 "surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with.
4335 # This annotation will be applied to the surrogate by prefixing it with
4336 # the name of the custom infoType followed by the number of
4337 # characters comprising the surrogate. The following scheme defines the
4338 # format: info_type_name(surrogate_character_count):surrogate
4339 #
4340 # For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and
4341 # the surrogate is 'abc', the full replacement value
4342 # will be: 'MY_TOKEN_INFO_TYPE(3):abc'
4343 #
4344 # This annotation identifies the surrogate when inspecting content using the
4345 # custom infoType
4346 # [`SurrogateType`](/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype).
4347 # This facilitates reversal of the surrogate when it occurs in free text.
4348 #
4349 # In order for inspection to work properly, the name of this infoType must
4350 # not occur naturally anywhere in your data; otherwise, inspection may
4351 # find a surrogate that does not correspond to an actual identifier.
4352 # Therefore, choose your custom infoType name carefully after considering
4353 # what your data looks like. One way to select a name that has a high chance
4354 # of yielding reliable detection is to include one or more unicode characters
4355 # that are highly improbable to exist in your data.
4356 # For example, assuming your data is entered from a regular ASCII keyboard,
4357 # the symbol with the hex code point 29DD might be used like so:
4358 # ⧝MY_TOKEN_TYPE
4359 "name": "A String", # Name of the information type. Either a name of your choosing when
4360 # creating a CustomInfoType, or one of the names listed
4361 # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
4362 # a built-in type. InfoType names should conform to the pattern
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]4363 # `[a-zA-Z0-9_]{1,64}`.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]4364 },
4365 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]4366 "bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and # Bucketing
4367 # replacement values are dynamically provided by the user for custom behavior,
4368 # such as 1-30 -&gt; LOW 31-65 -&gt; MEDIUM 66-100 -&gt; HIGH
4369 # This can be used on
4370 # data of type: number, long, string, timestamp.
4371 # If the bound `Value` type differs from the type of data being transformed, we
4372 # will first attempt converting the type of the data to be transformed to match
4373 # the type of the bound before comparing.
4374 # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
4375 "buckets": [ # Set of buckets. Ranges must be non-overlapping.
4376 { # Bucket is represented as a range, along with replacement values.
4377 "max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.
4378 # Note that for the purposes of inspection or transformation, the number
4379 # of bytes considered to comprise a 'Value' is based on its representation
4380 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
4381 # 123456789, the number of bytes would be counted as 9, even though an
4382 # int64 only holds up to 8 bytes of data.
4383 "floatValue": 3.14, # float
4384 "timestampValue": "A String", # timestamp
4385 "dayOfWeekValue": "A String", # day of week
4386 "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
4387 # or are specified elsewhere. An API may choose to allow leap seconds. Related
4388 # types are google.type.Date and `google.protobuf.Timestamp`.
4389 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
4390 # to allow the value "24:00:00" for scenarios like business closing time.
4391 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
4392 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
4393 # allow the value 60 if it allows leap-seconds.
4394 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
4395 },
4396 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
4397 # and time zone are either specified elsewhere or are not significant. The date
4398 # is relative to the Proleptic Gregorian Calendar. This can represent:
4399 #
4400 # * A full date, with non-zero year, month and day values
4401 # * A month and day value, with a zero year, e.g. an anniversary
4402 # * A year on its own, with zero month and day values
4403 # * A year and month value, with a zero day, e.g. a credit card expiration date
4404 #
4405 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
4406 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
4407 # month and day.
4408 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
4409 # if specifying a year by itself or a year and month where the day is not
4410 # significant.
4411 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
4412 # a year.
4413 },
4414 "stringValue": "A String", # string
4415 "booleanValue": True or False, # boolean
4416 "integerValue": "A String", # integer
4417 },
4418 "replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided
4419 # the default behavior will be to hyphenate the min-max range.
4420 # Note that for the purposes of inspection or transformation, the number
4421 # of bytes considered to comprise a 'Value' is based on its representation
4422 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
4423 # 123456789, the number of bytes would be counted as 9, even though an
4424 # int64 only holds up to 8 bytes of data.
4425 "floatValue": 3.14, # float
4426 "timestampValue": "A String", # timestamp
4427 "dayOfWeekValue": "A String", # day of week
4428 "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
4429 # or are specified elsewhere. An API may choose to allow leap seconds. Related
4430 # types are google.type.Date and `google.protobuf.Timestamp`.
4431 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
4432 # to allow the value "24:00:00" for scenarios like business closing time.
4433 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
4434 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
4435 # allow the value 60 if it allows leap-seconds.
4436 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
4437 },
4438 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
4439 # and time zone are either specified elsewhere or are not significant. The date
4440 # is relative to the Proleptic Gregorian Calendar. This can represent:
4441 #
4442 # * A full date, with non-zero year, month and day values
4443 # * A month and day value, with a zero year, e.g. an anniversary
4444 # * A year on its own, with zero month and day values
4445 # * A year and month value, with a zero day, e.g. a credit card expiration date
4446 #
4447 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
4448 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
4449 # month and day.
4450 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
4451 # if specifying a year by itself or a year and month where the day is not
4452 # significant.
4453 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
4454 # a year.
4455 },
4456 "stringValue": "A String", # string
4457 "booleanValue": True or False, # boolean
4458 "integerValue": "A String", # integer
4459 },
4460 "min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if
4461 # used.
4462 # Note that for the purposes of inspection or transformation, the number
4463 # of bytes considered to comprise a 'Value' is based on its representation
4464 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
4465 # 123456789, the number of bytes would be counted as 9, even though an
4466 # int64 only holds up to 8 bytes of data.
4467 "floatValue": 3.14, # float
4468 "timestampValue": "A String", # timestamp
4469 "dayOfWeekValue": "A String", # day of week
4470 "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
4471 # or are specified elsewhere. An API may choose to allow leap seconds. Related
4472 # types are google.type.Date and `google.protobuf.Timestamp`.
4473 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
4474 # to allow the value "24:00:00" for scenarios like business closing time.
4475 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
4476 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
4477 # allow the value 60 if it allows leap-seconds.
4478 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
4479 },
4480 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
4481 # and time zone are either specified elsewhere or are not significant. The date
4482 # is relative to the Proleptic Gregorian Calendar. This can represent:
4483 #
4484 # * A full date, with non-zero year, month and day values
4485 # * A month and day value, with a zero year, e.g. an anniversary
4486 # * A year on its own, with zero month and day values
4487 # * A year and month value, with a zero day, e.g. a credit card expiration date
4488 #
4489 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
4490 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
4491 # month and day.
4492 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
4493 # if specifying a year by itself or a year and month where the day is not
4494 # significant.
4495 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
4496 # a year.
4497 },
4498 "stringValue": "A String", # string
4499 "booleanValue": True or False, # boolean
4500 "integerValue": "A String", # integer
4501 },
4502 },
4503 ],
4504 },
4505 "cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing. # Crypto
4506 # Uses SHA-256.
4507 # The key size must be either 32 or 64 bytes.
4508 # Outputs a base64 encoded representation of the hashed output
4509 # (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).
4510 # Currently, only string and integer values can be hashed.
4511 # See https://cloud.google.com/dlp/docs/pseudonymization to learn more.
4512 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.
4513 # a key encryption key (KEK) stored by KMS).
4514 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
4515 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
4516 # unwrap the data crypto key.
4517 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
4518 # The wrapped key must be a 128/192/256 bit key.
4519 # Authorization requires the following IAM permissions when sending a request
4520 # to perform a crypto transformation using a kms-wrapped crypto key:
4521 # dlp.kms.encrypt
4522 "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
4523 "wrappedKey": "A String", # Required. The wrapped data crypto key.
4524 },
4525 "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
4526 # leaking the key. Choose another type of key if possible.
4527 "key": "A String", # Required. A 128/192/256 bit key.
4528 },
4529 "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
4530 # It will be discarded after the request finishes.
4531 "name": "A String", # Required. Name of the key.
4532 # This is an arbitrary string used to differentiate different keys.
4533 # A unique key is generated per name: two separate `TransientCryptoKey`
4534 # protos share the same generated key if their names are the same.
4535 # When the data crypto key is generated, this name is not used in any way
4536 # (repeating the api call will result in a different key being generated).
4537 },
4538 },
4539 },
4540 "replaceConfig": { # Replace each input value with a given `Value`. # Replace
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]4541 "newValue": { # Set of primitive values supported by the system. # Value to replace it with.
4542 # Note that for the purposes of inspection or transformation, the number
4543 # of bytes considered to comprise a 'Value' is based on its representation
4544 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
4545 # 123456789, the number of bytes would be counted as 9, even though an
4546 # int64 only holds up to 8 bytes of data.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]4547 "floatValue": 3.14, # float
4548 "timestampValue": "A String", # timestamp
4549 "dayOfWeekValue": "A String", # day of week
4550 "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]4551 # or are specified elsewhere. An API may choose to allow leap seconds. Related
4552 # types are google.type.Date and `google.protobuf.Timestamp`.
4553 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
4554 # to allow the value "24:00:00" for scenarios like business closing time.
4555 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
4556 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
4557 # allow the value 60 if it allows leap-seconds.
4558 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
4559 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]4560 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]4561 # and time zone are either specified elsewhere or are not significant. The date
4562 # is relative to the Proleptic Gregorian Calendar. This can represent:
4563 #
4564 # * A full date, with non-zero year, month and day values
4565 # * A month and day value, with a zero year, e.g. an anniversary
4566 # * A year on its own, with zero month and day values
4567 # * A year and month value, with a zero day, e.g. a credit card expiration date
4568 #
4569 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]4570 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
4571 # month and day.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]4572 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
4573 # if specifying a year by itself or a year and month where the day is not
4574 # significant.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]4575 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
4576 # a year.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]4577 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]4578 "stringValue": "A String", # string
4579 "booleanValue": True or False, # boolean
4580 "integerValue": "A String", # integer
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]4581 },
4582 },
4583 },
4584 },
4585 ],
4586 "transformedBytes": "A String", # Total size in bytes that were transformed in some way.
4587 },
4588 "item": { # Container structure for the content to inspect. # The de-identified item.
4589 "table": { # Structured content to inspect. Up to 50,000 `Value`s per request allowed. # Structured content for inspection. See
4590 # https://cloud.google.com/dlp/docs/inspecting-text#inspecting_a_table to
4591 # learn more.
4592 # See https://cloud.google.com/dlp/docs/inspecting-text#inspecting_a_table to
4593 # learn more.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]4594 "headers": [ # Headers of the table.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]4595 { # General identifier of a data field in a storage service.
4596 "name": "A String", # Name describing the field.
4597 },
4598 ],
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]4599 "rows": [ # Rows of the table.
4600 { # Values of the row.
4601 "values": [ # Individual cells.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]4602 { # Set of primitive values supported by the system.
4603 # Note that for the purposes of inspection or transformation, the number
4604 # of bytes considered to comprise a 'Value' is based on its representation
4605 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
4606 # 123456789, the number of bytes would be counted as 9, even though an
4607 # int64 only holds up to 8 bytes of data.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]4608 "floatValue": 3.14, # float
4609 "timestampValue": "A String", # timestamp
4610 "dayOfWeekValue": "A String", # day of week
4611 "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]4612 # or are specified elsewhere. An API may choose to allow leap seconds. Related
4613 # types are google.type.Date and `google.protobuf.Timestamp`.
4614 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
4615 # to allow the value "24:00:00" for scenarios like business closing time.
4616 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
4617 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
4618 # allow the value 60 if it allows leap-seconds.
4619 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
4620 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]4621 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]4622 # and time zone are either specified elsewhere or are not significant. The date
4623 # is relative to the Proleptic Gregorian Calendar. This can represent:
4624 #
4625 # * A full date, with non-zero year, month and day values
4626 # * A month and day value, with a zero year, e.g. an anniversary
4627 # * A year on its own, with zero month and day values
4628 # * A year and month value, with a zero day, e.g. a credit card expiration date
4629 #
4630 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]4631 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
4632 # month and day.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]4633 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
4634 # if specifying a year by itself or a year and month where the day is not
4635 # significant.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]4636 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
4637 # a year.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]4638 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]4639 "stringValue": "A String", # string
4640 "booleanValue": True or False, # boolean
4641 "integerValue": "A String", # integer
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]4642 },
4643 ],
4644 },
4645 ],
4646 },
4647 "byteItem": { # Container for bytes to inspect or redact. # Content data to inspect or redact. Replaces `type` and `data`.
4648 "type": "A String", # The type of data stored in the bytes string. Default will be TEXT_UTF8.
4649 "data": "A String", # Content data to inspect or redact.
4650 },
4651 "value": "A String", # String data to inspect or redact.
4652 },
4653 }</pre>
4654</div>
4655
4656<div class="method">
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]4657 <code class="details" id="inspect">inspect(parent, body=None, x__xgafv=None)</code>
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]4658 <pre>Finds potentially sensitive info in content.
4659This method has limits on input size, processing time, and output size.
4660
4661When no InfoTypes or CustomInfoTypes are specified in this request, the
4662system will automatically choose what detectors to run. By default this may
4663be all types, but may change over time as detectors are updated.
4664
4665For how to guides, see https://cloud.google.com/dlp/docs/inspecting-images
4666and https://cloud.google.com/dlp/docs/inspecting-text,
4667
4668Args:
4669 parent: string, The parent resource name, for example projects/my-project-id. (required)
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]4670 body: object, The request body.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]4671 The object takes the form of:
4672
4673{ # Request to search for potentially sensitive info in a ContentItem.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]4674 "locationId": "A String", # The geographic location to process content inspection. Reserved for future
4675 # extensions.
4676 # When inspecting images location is restricted to 'global', 'us', 'asia',
4677 # and 'europe'.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]4678 "item": { # Container structure for the content to inspect. # The item to inspect.
4679 "table": { # Structured content to inspect. Up to 50,000 `Value`s per request allowed. # Structured content for inspection. See
4680 # https://cloud.google.com/dlp/docs/inspecting-text#inspecting_a_table to
4681 # learn more.
4682 # See https://cloud.google.com/dlp/docs/inspecting-text#inspecting_a_table to
4683 # learn more.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]4684 "headers": [ # Headers of the table.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]4685 { # General identifier of a data field in a storage service.
4686 "name": "A String", # Name describing the field.
4687 },
4688 ],
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]4689 "rows": [ # Rows of the table.
4690 { # Values of the row.
4691 "values": [ # Individual cells.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]4692 { # Set of primitive values supported by the system.
4693 # Note that for the purposes of inspection or transformation, the number
4694 # of bytes considered to comprise a 'Value' is based on its representation
4695 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
4696 # 123456789, the number of bytes would be counted as 9, even though an
4697 # int64 only holds up to 8 bytes of data.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]4698 "floatValue": 3.14, # float
4699 "timestampValue": "A String", # timestamp
4700 "dayOfWeekValue": "A String", # day of week
4701 "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]4702 # or are specified elsewhere. An API may choose to allow leap seconds. Related
4703 # types are google.type.Date and `google.protobuf.Timestamp`.
4704 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
4705 # to allow the value "24:00:00" for scenarios like business closing time.
4706 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
4707 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
4708 # allow the value 60 if it allows leap-seconds.
4709 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
4710 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]4711 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]4712 # and time zone are either specified elsewhere or are not significant. The date
4713 # is relative to the Proleptic Gregorian Calendar. This can represent:
4714 #
4715 # * A full date, with non-zero year, month and day values
4716 # * A month and day value, with a zero year, e.g. an anniversary
4717 # * A year on its own, with zero month and day values
4718 # * A year and month value, with a zero day, e.g. a credit card expiration date
4719 #
4720 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]4721 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
4722 # month and day.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]4723 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
4724 # if specifying a year by itself or a year and month where the day is not
4725 # significant.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]4726 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
4727 # a year.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]4728 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]4729 "stringValue": "A String", # string
4730 "booleanValue": True or False, # boolean
4731 "integerValue": "A String", # integer
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]4732 },
4733 ],
4734 },
4735 ],
4736 },
4737 "byteItem": { # Container for bytes to inspect or redact. # Content data to inspect or redact. Replaces `type` and `data`.
4738 "type": "A String", # The type of data stored in the bytes string. Default will be TEXT_UTF8.
4739 "data": "A String", # Content data to inspect or redact.
4740 },
4741 "value": "A String", # String data to inspect or redact.
4742 },
4743 "inspectConfig": { # Configuration description of the scanning process. # Configuration for the inspector. What specified here will override
4744 # the template referenced by the inspect_template_name argument.
4745 # When used with redactContent only info_types and min_likelihood are currently
4746 # used.
4747 "excludeInfoTypes": True or False, # When true, excludes type information of the findings.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]4748 "limits": { # Configuration to control the number of findings returned. # Configuration to control the number of findings returned.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]4749 "maxFindingsPerRequest": 42, # Max number of findings that will be returned per request/job.
4750 # When set within `InspectContentRequest`, the maximum returned is 2000
4751 # regardless if this is set higher.
4752 "maxFindingsPerInfoType": [ # Configuration of findings limit given for specified infoTypes.
4753 { # Max findings configuration per infoType, per content item or long
4754 # running DlpJob.
4755 "infoType": { # Type of information detected by the API. # Type of information the findings limit applies to. Only one limit per
4756 # info_type should be provided. If InfoTypeLimit does not have an
4757 # info_type, the DLP API applies the limit against all info_types that
4758 # are found but not specified in another InfoTypeLimit.
4759 "name": "A String", # Name of the information type. Either a name of your choosing when
4760 # creating a CustomInfoType, or one of the names listed
4761 # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
4762 # a built-in type. InfoType names should conform to the pattern
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]4763 # `[a-zA-Z0-9_]{1,64}`.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]4764 },
4765 "maxFindings": 42, # Max findings limit for the given infoType.
4766 },
4767 ],
4768 "maxFindingsPerItem": 42, # Max number of findings that will be returned for each item scanned.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]4769 # When set within `InspectJobConfig`,
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]4770 # the maximum returned is 2000 regardless if this is set higher.
4771 # When set within `InspectContentRequest`, this field is ignored.
4772 },
4773 "minLikelihood": "A String", # Only returns findings equal or above this threshold. The default is
4774 # POSSIBLE.
4775 # See https://cloud.google.com/dlp/docs/likelihood to learn more.
4776 "customInfoTypes": [ # CustomInfoTypes provided by the user. See
4777 # https://cloud.google.com/dlp/docs/creating-custom-infotypes to learn more.
4778 { # Custom information type provided by the user. Used to find domain-specific
4779 # sensitive information configurable to the data in question.
4780 "regex": { # Message defining a custom regular expression. # Regular expression based CustomInfoType.
4781 "pattern": "A String", # Pattern defining the regular expression. Its syntax
4782 # (https://github.com/google/re2/wiki/Syntax) can be found under the
4783 # google/re2 repository on GitHub.
4784 "groupIndexes": [ # The index of the submatch to extract as findings. When not
4785 # specified, the entire match is returned. No more than 3 may be included.
4786 42,
4787 ],
4788 },
4789 "surrogateType": { # Message for detecting output from deidentification transformations # Message for detecting output from deidentification transformations that
4790 # support reversing.
4791 # such as
4792 # [`CryptoReplaceFfxFpeConfig`](/dlp/docs/reference/rest/v2/organizations.deidentifyTemplates#cryptoreplaceffxfpeconfig).
4793 # These types of transformations are
4794 # those that perform pseudonymization, thereby producing a "surrogate" as
4795 # output. This should be used in conjunction with a field on the
4796 # transformation such as `surrogate_info_type`. This CustomInfoType does
4797 # not support the use of `detection_rules`.
4798 },
4799 "infoType": { # Type of information detected by the API. # CustomInfoType can either be a new infoType, or an extension of built-in
4800 # infoType, when the name matches one of existing infoTypes and that infoType
4801 # is specified in `InspectContent.info_types` field. Specifying the latter
4802 # adds findings to the one detected by the system. If built-in info type is
4803 # not specified in `InspectContent.info_types` list then the name is treated
4804 # as a custom info type.
4805 "name": "A String", # Name of the information type. Either a name of your choosing when
4806 # creating a CustomInfoType, or one of the names listed
4807 # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
4808 # a built-in type. InfoType names should conform to the pattern
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]4809 # `[a-zA-Z0-9_]{1,64}`.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]4810 },
4811 "dictionary": { # Custom information type based on a dictionary of words or phrases. This can # A list of phrases to detect as a CustomInfoType.
4812 # be used to match sensitive information specific to the data, such as a list
4813 # of employee IDs or job titles.
4814 #
4815 # Dictionary words are case-insensitive and all characters other than letters
4816 # and digits in the unicode [Basic Multilingual
4817 # Plane](https://en.wikipedia.org/wiki/Plane_%28Unicode%29#Basic_Multilingual_Plane)
4818 # will be replaced with whitespace when scanning for matches, so the
4819 # dictionary phrase "Sam Johnson" will match all three phrases "sam johnson",
4820 # "Sam, Johnson", and "Sam (Johnson)". Additionally, the characters
4821 # surrounding any match must be of a different type than the adjacent
4822 # characters within the word, so letters must be next to non-letters and
4823 # digits next to non-digits. For example, the dictionary word "jen" will
4824 # match the first three letters of the text "jen123" but will return no
4825 # matches for "jennifer".
4826 #
4827 # Dictionary words containing a large number of characters that are not
4828 # letters or digits may result in unexpected findings because such characters
4829 # are treated as whitespace. The
4830 # [limits](https://cloud.google.com/dlp/limits) page contains details about
4831 # the size limits of dictionaries. For dictionaries that do not fit within
4832 # these constraints, consider using `LargeCustomDictionaryConfig` in the
4833 # `StoredInfoType` API.
4834 "wordList": { # Message defining a list of words or phrases to search for in the data. # List of words or phrases to search for.
4835 "words": [ # Words or phrases defining the dictionary. The dictionary must contain
4836 # at least one phrase and every phrase must contain at least 2 characters
4837 # that are letters or digits. [required]
4838 "A String",
4839 ],
4840 },
4841 "cloudStoragePath": { # Message representing a single file or path in Cloud Storage. # Newline-delimited file of words in Cloud Storage. Only a single file
4842 # is accepted.
4843 "path": "A String", # A url representing a file or path (no wildcards) in Cloud Storage.
4844 # Example: gs://[BUCKET_NAME]/dictionary.txt
4845 },
4846 },
4847 "storedType": { # A reference to a StoredInfoType to use with scanning. # Load an existing `StoredInfoType` resource for use in
4848 # `InspectDataSource`. Not currently supported in `InspectContent`.
4849 "name": "A String", # Resource name of the requested `StoredInfoType`, for example
4850 # `organizations/433245324/storedInfoTypes/432452342` or
4851 # `projects/project-id/storedInfoTypes/432452342`.
4852 "createTime": "A String", # Timestamp indicating when the version of the `StoredInfoType` used for
4853 # inspection was created. Output-only field, populated by the system.
4854 },
4855 "detectionRules": [ # Set of detection rules to apply to all findings of this CustomInfoType.
4856 # Rules are applied in order that they are specified. Not supported for the
4857 # `surrogate_type` CustomInfoType.
4858 { # Deprecated; use `InspectionRuleSet` instead. Rule for modifying a
4859 # `CustomInfoType` to alter behavior under certain circumstances, depending
4860 # on the specific details of the rule. Not supported for the `surrogate_type`
4861 # custom infoType.
4862 "hotwordRule": { # The rule that adjusts the likelihood of findings within a certain # Hotword-based detection rule.
4863 # proximity of hotwords.
4864 "proximity": { # Message for specifying a window around a finding to apply a detection # Proximity of the finding within which the entire hotword must reside.
4865 # The total length of the window cannot exceed 1000 characters. Note that
4866 # the finding itself will be included in the window, so that hotwords may
4867 # be used to match substrings of the finding itself. For example, the
4868 # certainty of a phone number regex "\(\d{3}\) \d{3}-\d{4}" could be
4869 # adjusted upwards if the area code is known to be the local area code of
4870 # a company office using the hotword regex "\(xxx\)", where "xxx"
4871 # is the area code in question.
4872 # rule.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]4873 "windowBefore": 42, # Number of characters before the finding to consider.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]4874 "windowAfter": 42, # Number of characters after the finding to consider.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]4875 },
4876 "hotwordRegex": { # Message defining a custom regular expression. # Regular expression pattern defining what qualifies as a hotword.
4877 "pattern": "A String", # Pattern defining the regular expression. Its syntax
4878 # (https://github.com/google/re2/wiki/Syntax) can be found under the
4879 # google/re2 repository on GitHub.
4880 "groupIndexes": [ # The index of the submatch to extract as findings. When not
4881 # specified, the entire match is returned. No more than 3 may be included.
4882 42,
4883 ],
4884 },
4885 "likelihoodAdjustment": { # Message for specifying an adjustment to the likelihood of a finding as # Likelihood adjustment to apply to all matching findings.
4886 # part of a detection rule.
4887 "relativeLikelihood": 42, # Increase or decrease the likelihood by the specified number of
4888 # levels. For example, if a finding would be `POSSIBLE` without the
4889 # detection rule and `relative_likelihood` is 1, then it is upgraded to
4890 # `LIKELY`, while a value of -1 would downgrade it to `UNLIKELY`.
4891 # Likelihood may never drop below `VERY_UNLIKELY` or exceed
4892 # `VERY_LIKELY`, so applying an adjustment of 1 followed by an
4893 # adjustment of -1 when base likelihood is `VERY_LIKELY` will result in
4894 # a final likelihood of `LIKELY`.
4895 "fixedLikelihood": "A String", # Set the likelihood of a finding to a fixed value.
4896 },
4897 },
4898 },
4899 ],
4900 "exclusionType": "A String", # If set to EXCLUSION_TYPE_EXCLUDE this infoType will not cause a finding
4901 # to be returned. It still can be used for rules matching.
4902 "likelihood": "A String", # Likelihood to return for this CustomInfoType. This base value can be
4903 # altered by a detection rule if the finding meets the criteria specified by
4904 # the rule. Defaults to `VERY_LIKELY` if not specified.
4905 },
4906 ],
4907 "includeQuote": True or False, # When true, a contextual quote from the data that triggered a finding is
4908 # included in the response; see Finding.quote.
4909 "ruleSet": [ # Set of rules to apply to the findings for this InspectConfig.
4910 # Exclusion rules, contained in the set are executed in the end, other
4911 # rules are executed in the order they are specified for each info type.
4912 { # Rule set for modifying a set of infoTypes to alter behavior under certain
4913 # circumstances, depending on the specific details of the rules within the set.
4914 "rules": [ # Set of rules to be applied to infoTypes. The rules are applied in order.
4915 { # A single inspection rule to be applied to infoTypes, specified in
4916 # `InspectionRuleSet`.
4917 "hotwordRule": { # The rule that adjusts the likelihood of findings within a certain # Hotword-based detection rule.
4918 # proximity of hotwords.
4919 "proximity": { # Message for specifying a window around a finding to apply a detection # Proximity of the finding within which the entire hotword must reside.
4920 # The total length of the window cannot exceed 1000 characters. Note that
4921 # the finding itself will be included in the window, so that hotwords may
4922 # be used to match substrings of the finding itself. For example, the
4923 # certainty of a phone number regex "\(\d{3}\) \d{3}-\d{4}" could be
4924 # adjusted upwards if the area code is known to be the local area code of
4925 # a company office using the hotword regex "\(xxx\)", where "xxx"
4926 # is the area code in question.
4927 # rule.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]4928 "windowBefore": 42, # Number of characters before the finding to consider.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]4929 "windowAfter": 42, # Number of characters after the finding to consider.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]4930 },
4931 "hotwordRegex": { # Message defining a custom regular expression. # Regular expression pattern defining what qualifies as a hotword.
4932 "pattern": "A String", # Pattern defining the regular expression. Its syntax
4933 # (https://github.com/google/re2/wiki/Syntax) can be found under the
4934 # google/re2 repository on GitHub.
4935 "groupIndexes": [ # The index of the submatch to extract as findings. When not
4936 # specified, the entire match is returned. No more than 3 may be included.
4937 42,
4938 ],
4939 },
4940 "likelihoodAdjustment": { # Message for specifying an adjustment to the likelihood of a finding as # Likelihood adjustment to apply to all matching findings.
4941 # part of a detection rule.
4942 "relativeLikelihood": 42, # Increase or decrease the likelihood by the specified number of
4943 # levels. For example, if a finding would be `POSSIBLE` without the
4944 # detection rule and `relative_likelihood` is 1, then it is upgraded to
4945 # `LIKELY`, while a value of -1 would downgrade it to `UNLIKELY`.
4946 # Likelihood may never drop below `VERY_UNLIKELY` or exceed
4947 # `VERY_LIKELY`, so applying an adjustment of 1 followed by an
4948 # adjustment of -1 when base likelihood is `VERY_LIKELY` will result in
4949 # a final likelihood of `LIKELY`.
4950 "fixedLikelihood": "A String", # Set the likelihood of a finding to a fixed value.
4951 },
4952 },
4953 "exclusionRule": { # The rule that specifies conditions when findings of infoTypes specified in # Exclusion rule.
4954 # `InspectionRuleSet` are removed from results.
4955 "regex": { # Message defining a custom regular expression. # Regular expression which defines the rule.
4956 "pattern": "A String", # Pattern defining the regular expression. Its syntax
4957 # (https://github.com/google/re2/wiki/Syntax) can be found under the
4958 # google/re2 repository on GitHub.
4959 "groupIndexes": [ # The index of the submatch to extract as findings. When not
4960 # specified, the entire match is returned. No more than 3 may be included.
4961 42,
4962 ],
4963 },
4964 "excludeInfoTypes": { # List of exclude infoTypes. # Set of infoTypes for which findings would affect this rule.
4965 "infoTypes": [ # InfoType list in ExclusionRule rule drops a finding when it overlaps or
4966 # contained within with a finding of an infoType from this list. For
4967 # example, for `InspectionRuleSet.info_types` containing "PHONE_NUMBER"` and
4968 # `exclusion_rule` containing `exclude_info_types.info_types` with
4969 # "EMAIL_ADDRESS" the phone number findings are dropped if they overlap
4970 # with EMAIL_ADDRESS finding.
4971 # That leads to "555-222-2222@example.org" to generate only a single
4972 # finding, namely email address.
4973 { # Type of information detected by the API.
4974 "name": "A String", # Name of the information type. Either a name of your choosing when
4975 # creating a CustomInfoType, or one of the names listed
4976 # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
4977 # a built-in type. InfoType names should conform to the pattern
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]4978 # `[a-zA-Z0-9_]{1,64}`.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]4979 },
4980 ],
4981 },
4982 "dictionary": { # Custom information type based on a dictionary of words or phrases. This can # Dictionary which defines the rule.
4983 # be used to match sensitive information specific to the data, such as a list
4984 # of employee IDs or job titles.
4985 #
4986 # Dictionary words are case-insensitive and all characters other than letters
4987 # and digits in the unicode [Basic Multilingual
4988 # Plane](https://en.wikipedia.org/wiki/Plane_%28Unicode%29#Basic_Multilingual_Plane)
4989 # will be replaced with whitespace when scanning for matches, so the
4990 # dictionary phrase "Sam Johnson" will match all three phrases "sam johnson",
4991 # "Sam, Johnson", and "Sam (Johnson)". Additionally, the characters
4992 # surrounding any match must be of a different type than the adjacent
4993 # characters within the word, so letters must be next to non-letters and
4994 # digits next to non-digits. For example, the dictionary word "jen" will
4995 # match the first three letters of the text "jen123" but will return no
4996 # matches for "jennifer".
4997 #
4998 # Dictionary words containing a large number of characters that are not
4999 # letters or digits may result in unexpected findings because such characters
5000 # are treated as whitespace. The
5001 # [limits](https://cloud.google.com/dlp/limits) page contains details about
5002 # the size limits of dictionaries. For dictionaries that do not fit within
5003 # these constraints, consider using `LargeCustomDictionaryConfig` in the
5004 # `StoredInfoType` API.
5005 "wordList": { # Message defining a list of words or phrases to search for in the data. # List of words or phrases to search for.
5006 "words": [ # Words or phrases defining the dictionary. The dictionary must contain
5007 # at least one phrase and every phrase must contain at least 2 characters
5008 # that are letters or digits. [required]
5009 "A String",
5010 ],
5011 },
5012 "cloudStoragePath": { # Message representing a single file or path in Cloud Storage. # Newline-delimited file of words in Cloud Storage. Only a single file
5013 # is accepted.
5014 "path": "A String", # A url representing a file or path (no wildcards) in Cloud Storage.
5015 # Example: gs://[BUCKET_NAME]/dictionary.txt
5016 },
5017 },
5018 "matchingType": "A String", # How the rule is applied, see MatchingType documentation for details.
5019 },
5020 },
5021 ],
5022 "infoTypes": [ # List of infoTypes this rule set is applied to.
5023 { # Type of information detected by the API.
5024 "name": "A String", # Name of the information type. Either a name of your choosing when
5025 # creating a CustomInfoType, or one of the names listed
5026 # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
5027 # a built-in type. InfoType names should conform to the pattern
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]5028 # `[a-zA-Z0-9_]{1,64}`.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]5029 },
5030 ],
5031 },
5032 ],
5033 "contentOptions": [ # List of options defining data content to scan.
5034 # If empty, text, images, and other content will be included.
5035 "A String",
5036 ],
5037 "infoTypes": [ # Restricts what info_types to look for. The values must correspond to
5038 # InfoType values returned by ListInfoTypes or listed at
5039 # https://cloud.google.com/dlp/docs/infotypes-reference.
5040 #
5041 # When no InfoTypes or CustomInfoTypes are specified in a request, the
5042 # system may automatically choose what detectors to run. By default this may
5043 # be all types, but may change over time as detectors are updated.
5044 #
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]5045 # If you need precise control and predictability as to what detectors are
5046 # run you should specify specific InfoTypes listed in the reference,
5047 # otherwise a default list will be used, which may change over time.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]5048 { # Type of information detected by the API.
5049 "name": "A String", # Name of the information type. Either a name of your choosing when
5050 # creating a CustomInfoType, or one of the names listed
5051 # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
5052 # a built-in type. InfoType names should conform to the pattern
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]5053 # `[a-zA-Z0-9_]{1,64}`.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]5054 },
5055 ],
5056 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]5057 "inspectTemplateName": "A String", # Template to use. Any configuration directly specified in
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]5058 # inspect_config will override those set in the template. Singular fields
5059 # that are set in this request will replace their corresponding fields in the
5060 # template. Repeated fields are appended. Singular sub-messages and groups
5061 # are recursively merged.
5062 }
5063
5064 x__xgafv: string, V1 error format.
5065 Allowed values
5066 1 - v1 error format
5067 2 - v2 error format
5068
5069Returns:
5070 An object of the form:
5071
5072 { # Results of inspecting an item.
5073 "result": { # All the findings for a single scanned item. # The findings.
5074 "findingsTruncated": True or False, # If true, then this item might have more findings than were returned,
5075 # and the findings returned are an arbitrary subset of all findings.
5076 # The findings list might be truncated because the input items were too
5077 # large, or because the server reached the maximum amount of resources
5078 # allowed for a single API call. For best results, divide the input into
5079 # smaller batches.
5080 "findings": [ # List of findings for an item.
5081 { # Represents a piece of potentially sensitive content.
5082 "infoType": { # Type of information detected by the API. # The type of content that might have been found.
5083 # Provided if `excluded_types` is false.
5084 "name": "A String", # Name of the information type. Either a name of your choosing when
5085 # creating a CustomInfoType, or one of the names listed
5086 # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
5087 # a built-in type. InfoType names should conform to the pattern
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]5088 # `[a-zA-Z0-9_]{1,64}`.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]5089 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]5090 "name": "A String", # Resource name in format
5091 # projects/{project}/locations/{location}/findings/{finding} Populated only
5092 # when viewing persisted findings.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]5093 "quote": "A String", # The content that was found. Even if the content is not textual, it
5094 # may be converted to a textual representation here.
5095 # Provided if `include_quote` is true and the finding is
5096 # less than or equal to 4096 bytes long. If the finding exceeds 4096 bytes
5097 # in length, the quote may be omitted.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]5098 "labels": { # The labels associated with this `Finding`.
5099 #
5100 # Label keys must be between 1 and 63 characters long and must conform
5101 # to the following regular expression: `[a-z]([-a-z0-9]*[a-z0-9])?`.
5102 #
5103 # Label values must be between 0 and 63 characters long and must conform
5104 # to the regular expression `([a-z]([-a-z0-9]*[a-z0-9])?)?`.
5105 #
5106 # No more than 10 labels can be associated with a given finding.
5107 #
5108 # Examples:
5109 # * `"environment" : "production"`
5110 # * `"pipeline" : "etl"`
5111 "a_key": "A String",
5112 },
5113 "jobName": "A String", # The job that stored the finding.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]5114 "quoteInfo": { # Message for infoType-dependent details parsed from quote. # Contains data parsed from quotes. Only populated if include_quote was set
5115 # to true and a supported infoType was requested. Currently supported
5116 # infoTypes: DATE, DATE_OF_BIRTH and TIME.
5117 "dateTime": { # Message for a date time object. # The date time indicated by the quote.
5118 # e.g. 2018-01-01, 5th August.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]5119 "dayOfWeek": "A String", # Day of week
5120 "date": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # One or more of the following must be set.
5121 # Must be a valid date or time value.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]5122 # and time zone are either specified elsewhere or are not significant. The date
5123 # is relative to the Proleptic Gregorian Calendar. This can represent:
5124 #
5125 # * A full date, with non-zero year, month and day values
5126 # * A month and day value, with a zero year, e.g. an anniversary
5127 # * A year on its own, with zero month and day values
5128 # * A year and month value, with a zero day, e.g. a credit card expiration date
5129 #
5130 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]5131 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
5132 # month and day.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]5133 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
5134 # if specifying a year by itself or a year and month where the day is not
5135 # significant.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]5136 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
5137 # a year.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]5138 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]5139 "timeZone": { # Time zone of the date time object. # Time zone
5140 "offsetMinutes": 42, # Set only if the offset can be determined. Positive for time ahead of UTC.
5141 # E.g. For "UTC-9", this value is -540.
5142 },
5143 "time": { # Represents a time of day. The date and time zone are either not significant # Time of day
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]5144 # or are specified elsewhere. An API may choose to allow leap seconds. Related
5145 # types are google.type.Date and `google.protobuf.Timestamp`.
5146 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
5147 # to allow the value "24:00:00" for scenarios like business closing time.
5148 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
5149 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
5150 # allow the value 60 if it allows leap-seconds.
5151 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
5152 },
5153 },
5154 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]5155 "jobCreateTime": "A String", # Time the job started that produced this finding.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]5156 "location": { # Specifies the location of the finding. # Where the content was found.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]5157 "codepointRange": { # Generic half-open interval [start, end) # Unicode character offsets delimiting the finding.
5158 # These are relative to the finding's containing element.
5159 # Provided when the content is text.
5160 "start": "A String", # Index of the first character of the range (inclusive).
5161 "end": "A String", # Index of the last character of the range (exclusive).
5162 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]5163 "container": { # Represents a container that may contain DLP findings. # Information about the container where this finding occurred, if available.
5164 # Examples of a container include a file, table, or database record.
5165 "updateTime": "A String", # Findings container modification timestamp, if applicable.
5166 # For Google Cloud Storage contains last file modification timestamp.
5167 # For BigQuery table contains last_modified_time property.
5168 # For Datastore - not populated.
5169 "relativePath": "A String", # The rest of the path after the root.
5170 # Examples:
5171 # - For BigQuery table `project_id:dataset_id.table_id`, the relative path is
5172 # `table_id`
5173 # - Google Cloud Storage file `gs://bucket/folder/filename.txt`, the relative
5174 # path is `folder/filename.txt`
5175 "rootPath": "A String", # The root of the container.
5176 # Examples:
5177 # - For BigQuery table `project_id:dataset_id.table_id`, the root is
5178 # `dataset_id`
5179 # - For Google Cloud Storage file `gs://bucket/folder/filename.txt`, the root
5180 # is `gs://bucket`
5181 "version": "A String", # Findings container version, if available
5182 # ("generation" for Google Cloud Storage).
5183 "projectId": "A String", # Project where the finding was found.
5184 # Can be different from the project that owns the finding.
5185 "fullPath": "A String", # A string representation of the full container name.
5186 # Examples:
5187 # - BigQuery: 'Project:DataSetId.TableId'
5188 # - Google Cloud Storage: 'gs://Bucket/folders/filename.txt'
5189 "type": "A String", # Container type, for example BigQuery or Google Cloud Storage.
5190 },
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]5191 "contentLocations": [ # List of nested objects pointing to the precise location of the finding
5192 # within the file or record.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]5193 { # Precise location of the finding within a document, record, image, or metadata
5194 # container.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]5195 "containerName": "A String", # Name of the container where the finding is located.
5196 # The top level name is the source file name or table name. Names of some
5197 # common storage containers are formatted as follows:
5198 #
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]5199 # * BigQuery tables: `{project_id}:{dataset_id}.{table_id}`
5200 # * Cloud Storage files: `gs://{bucket}/{path}`
5201 # * Datastore namespace: {namespace}
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]5202 #
5203 # Nested names could be absent if the embedded object has no string
5204 # identifier (for an example an image contained within a document).
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]5205 "metadataLocation": { # Metadata Location # Location within the metadata for inspected content.
5206 "type": "A String", # Type of metadata containing the finding.
5207 "storageLabel": { # Storage metadata label to indicate which metadata entry contains findings. # Storage metadata.
5208 "key": "A String",
5209 },
5210 },
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]5211 "containerVersion": "A String", # Findings container version, if available
5212 # ("generation" for Google Cloud Storage).
5213 "containerTimestamp": "A String", # Findings container modification timestamp, if applicable.
5214 # For Google Cloud Storage contains last file modification timestamp.
5215 # For BigQuery table contains last_modified_time property.
5216 # For Datastore - not populated.
5217 "documentLocation": { # Location of a finding within a document. # Location data for document files.
5218 "fileOffset": "A String", # Offset of the line, from the beginning of the file, where the finding
5219 # is located.
5220 },
5221 "imageLocation": { # Location of the finding within an image. # Location within an image's pixels.
5222 "boundingBoxes": [ # Bounding boxes locating the pixels within the image containing the finding.
5223 { # Bounding box encompassing detected text within an image.
5224 "width": 42, # Width of the bounding box in pixels.
5225 "top": 42, # Top coordinate of the bounding box. (0,0) is upper left.
5226 "left": 42, # Left coordinate of the bounding box. (0,0) is upper left.
5227 "height": 42, # Height of the bounding box in pixels.
5228 },
5229 ],
5230 },
5231 "recordLocation": { # Location of a finding within a row or record. # Location within a row or record of a database table.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]5232 "tableLocation": { # Location of a finding within a table. # Location within a `ContentItem.Table`.
5233 "rowIndex": "A String", # The zero-based index of the row where the finding is located. Only
5234 # populated for resources that have a natural ordering, not BigQuery. In
5235 # BigQuery, to identify the row a finding came from, populate
5236 # BigQueryOptions.identifying_fields with your primary key column names and
5237 # when you store the findings the value of those columns will be stored
5238 # inside of Finding.
5239 },
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]5240 "fieldId": { # General identifier of a data field in a storage service. # Field id of the field containing the finding.
5241 "name": "A String", # Name describing the field.
5242 },
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]5243 "recordKey": { # Message for a unique key indicating a record that contains a finding. # Key of the finding.
5244 "bigQueryKey": { # Row key for identifying a record in BigQuery table.
5245 "tableReference": { # Message defining the location of a BigQuery table. A table is uniquely # Complete BigQuery table reference.
5246 # identified by its project_id, dataset_id, and table_name. Within a query
5247 # a table is often referenced with a string in the format of:
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]5248 # `&lt;project_id&gt;:&lt;dataset_id&gt;.&lt;table_id&gt;` or
5249 # `&lt;project_id&gt;.&lt;dataset_id&gt;.&lt;table_id&gt;`.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]5250 "projectId": "A String", # The Google Cloud Platform project ID of the project containing the table.
5251 # If omitted, project ID is inferred from the API call.
5252 "tableId": "A String", # Name of the table.
5253 "datasetId": "A String", # Dataset ID of the table.
5254 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]5255 "rowNumber": "A String", # Row number inferred at the time the table was scanned. This value is
5256 # nondeterministic, cannot be queried, and may be null for inspection
5257 # jobs. To locate findings within a table, specify
5258 # `inspect_job.storage_config.big_query_options.identifying_fields` in
5259 # `CreateDlpJobRequest`.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]5260 },
5261 "idValues": [ # Values of identifying columns in the given row. Order of values matches
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]5262 # the order of `identifying_fields` specified in the scanning request.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]5263 "A String",
5264 ],
5265 "datastoreKey": { # Record key for a finding in Cloud Datastore.
5266 "entityKey": { # A unique identifier for a Datastore entity. # Datastore entity key.
5267 # If a key's partition ID or any of its path kinds or names are
5268 # reserved/read-only, the key is reserved/read-only.
5269 # A reserved/read-only key is forbidden in certain documented contexts.
5270 "path": [ # The entity path.
5271 # An entity path consists of one or more elements composed of a kind and a
5272 # string or numerical identifier, which identify entities. The first
5273 # element identifies a _root entity_, the second element identifies
5274 # a _child_ of the root entity, the third element identifies a child of the
5275 # second entity, and so forth. The entities identified by all prefixes of
5276 # the path are called the element's _ancestors_.
5277 #
5278 # A path can never be empty, and a path can have at most 100 elements.
5279 { # A (kind, ID/name) pair used to construct a key path.
5280 #
5281 # If either name or ID is set, the element is complete.
5282 # If neither is set, the element is incomplete.
5283 "kind": "A String", # The kind of the entity.
5284 # A kind matching regex `__.*__` is reserved/read-only.
5285 # A kind must not contain more than 1500 bytes when UTF-8 encoded.
5286 # Cannot be `""`.
5287 "name": "A String", # The name of the entity.
5288 # A name matching regex `__.*__` is reserved/read-only.
5289 # A name must not be more than 1500 bytes when UTF-8 encoded.
5290 # Cannot be `""`.
5291 "id": "A String", # The auto-allocated ID of the entity.
5292 # Never equal to zero. Values less than zero are discouraged and may not
5293 # be supported in the future.
5294 },
5295 ],
5296 "partitionId": { # Datastore partition ID. # Entities are partitioned into subsets, currently identified by a project
5297 # ID and namespace ID.
5298 # Queries are scoped to a single partition.
5299 # A partition ID identifies a grouping of entities. The grouping is always
5300 # by project and namespace, however the namespace ID may be empty.
5301 #
5302 # A partition ID contains several dimensions:
5303 # project ID and namespace ID.
5304 "projectId": "A String", # The ID of the project to which the entities belong.
5305 "namespaceId": "A String", # If not empty, the ID of the namespace to which the entities belong.
5306 },
5307 },
5308 },
5309 },
5310 },
5311 },
5312 ],
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]5313 "byteRange": { # Generic half-open interval [start, end) # Zero-based byte offsets delimiting the finding.
5314 # These are relative to the finding's containing element.
5315 # Note that when the content is not textual, this references
5316 # the UTF-8 encoded textual representation of the content.
5317 # Omitted if content is an image.
5318 "start": "A String", # Index of the first character of the range (inclusive).
5319 "end": "A String", # Index of the last character of the range (exclusive).
5320 },
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]5321 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]5322 "triggerName": "A String", # Job trigger name, if applicable, for this finding.
5323 "resourceName": "A String", # The job that stored the finding.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]5324 "likelihood": "A String", # Confidence of how likely it is that the `info_type` is correct.
5325 "createTime": "A String", # Timestamp when finding was detected.
5326 },
5327 ],
5328 },
5329 }</pre>
5330</div>
5331
5332<div class="method">
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]5333 <code class="details" id="reidentify">reidentify(parent, body=None, x__xgafv=None)</code>
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]5334 <pre>Re-identifies content that has been de-identified.
5335See
5336https://cloud.google.com/dlp/docs/pseudonymization#re-identification_in_free_text_code_example
5337to learn more.
5338
5339Args:
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]5340 parent: string, Required. The parent resource name. (required)
5341 body: object, The request body.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]5342 The object takes the form of:
5343
5344{ # Request to re-identify an item.
5345 "reidentifyConfig": { # The configuration that controls how the data will change. # Configuration for the re-identification of the content item.
5346 # This field shares the same proto message type that is used for
5347 # de-identification, however its usage here is for the reversal of the
5348 # previous de-identification. Re-identification is performed by examining
5349 # the transformations used to de-identify the items and executing the
5350 # reverse. This requires that only reversible transformations
5351 # be provided here. The reversible transformations are:
5352 #
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]5353 # - `CryptoDeterministicConfig`
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]5354 # - `CryptoReplaceFfxFpeConfig`
5355 "infoTypeTransformations": { # A type of transformation that will scan unstructured text and # Treat the dataset as free-form text and apply the same free text
5356 # transformation everywhere.
5357 # apply various `PrimitiveTransformation`s to each finding, where the
5358 # transformation is applied to only values that were identified as a specific
5359 # info_type.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]5360 "transformations": [ # Required. Transformation for each infoType. Cannot specify more than one
5361 # for a given infoType.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]5362 { # A transformation to apply to text that is identified as a specific
5363 # info_type.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]5364 "primitiveTransformation": { # A rule for transforming a value. # Required. Primitive transformation to apply to the infoType.
5365 "cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given # Deterministic Crypto
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]5366 # input. Outputs a base64 encoded representation of the encrypted output.
5367 # Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.
5368 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function.
5369 # a key encryption key (KEK) stored by KMS).
5370 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
5371 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
5372 # unwrap the data crypto key.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]5373 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]5374 # The wrapped key must be a 128/192/256 bit key.
5375 # Authorization requires the following IAM permissions when sending a request
5376 # to perform a crypto transformation using a kms-wrapped crypto key:
5377 # dlp.kms.encrypt
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]5378 "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
5379 "wrappedKey": "A String", # Required. The wrapped data crypto key.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]5380 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]5381 "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]5382 # leaking the key. Choose another type of key if possible.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]5383 "key": "A String", # Required. A 128/192/256 bit key.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]5384 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]5385 "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]5386 # It will be discarded after the request finishes.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]5387 "name": "A String", # Required. Name of the key.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]5388 # This is an arbitrary string used to differentiate different keys.
5389 # A unique key is generated per name: two separate `TransientCryptoKey`
5390 # protos share the same generated key if their names are the same.
5391 # When the data crypto key is generated, this name is not used in any way
5392 # (repeating the api call will result in a different key being generated).
5393 },
5394 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]5395 "context": { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]5396 # referential integrity such that the same identifier in two different
5397 # contexts will be given a distinct surrogate. The context is appended to
5398 # plaintext value being encrypted. On decryption the provided context is
5399 # validated against the value used during encryption. If a context was
5400 # provided during encryption, same context must be provided during decryption
5401 # as well.
5402 #
5403 # If the context is not set, plaintext would be used as is for encryption.
5404 # If the context is set but:
5405 #
5406 # 1. there is no record present when transforming a given value or
5407 # 2. the field is not present when transforming a given value,
5408 #
5409 # plaintext would be used as is for encryption.
5410 #
5411 # Note that case (1) is expected when an `InfoTypeTransformation` is
5412 # applied to both structured and non-structured `ContentItem`s.
5413 "name": "A String", # Name describing the field.
5414 },
5415 "surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with.
5416 # This annotation will be applied to the surrogate by prefixing it with
5417 # the name of the custom info type followed by the number of
5418 # characters comprising the surrogate. The following scheme defines the
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]5419 # format: {info type name}({surrogate character count}):{surrogate}
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]5420 #
5421 # For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and
5422 # the surrogate is 'abc', the full replacement value
5423 # will be: 'MY_TOKEN_INFO_TYPE(3):abc'
5424 #
5425 # This annotation identifies the surrogate when inspecting content using the
5426 # custom info type 'Surrogate'. This facilitates reversal of the
5427 # surrogate when it occurs in free text.
5428 #
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]5429 # Note: For record transformations where the entire cell in a table is being
5430 # transformed, surrogates are not mandatory. Surrogates are used to denote
5431 # the location of the token and are necessary for re-identification in free
5432 # form text.
5433 #
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]5434 # In order for inspection to work properly, the name of this info type must
5435 # not occur naturally anywhere in your data; otherwise, inspection may either
5436 #
5437 # - reverse a surrogate that does not correspond to an actual identifier
5438 # - be unable to parse the surrogate and result in an error
5439 #
5440 # Therefore, choose your custom info type name carefully after considering
5441 # what your data looks like. One way to select a name that has a high chance
5442 # of yielding reliable detection is to include one or more unicode characters
5443 # that are highly improbable to exist in your data.
5444 # For example, assuming your data is entered from a regular ASCII keyboard,
5445 # the symbol with the hex code point 29DD might be used like so:
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]5446 # ⧝MY_TOKEN_TYPE.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]5447 "name": "A String", # Name of the information type. Either a name of your choosing when
5448 # creating a CustomInfoType, or one of the names listed
5449 # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
5450 # a built-in type. InfoType names should conform to the pattern
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]5451 # `[a-zA-Z0-9_]{1,64}`.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]5452 },
5453 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]5454 "characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a # Mask
5455 # fixed character. Masking can start from the beginning or end of the string.
5456 # This can be used on data of any type (numbers, longs, and so on) and when
5457 # de-identifying structured data we'll attempt to preserve the original data's
5458 # type. (This allows you to take a long like 123 and modify it to a string like
5459 # **3.
5460 "charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing
5461 # characters. For example, if the input string is `555-555-5555` and you
5462 # instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP
5463 # returns `***-**5-5555`.
5464 { # Characters to skip when doing deidentification of a value. These will be left
5465 # alone and skipped.
5466 "commonCharactersToIgnore": "A String", # Common characters to not transform when masking. Useful to avoid removing
5467 # punctuation.
5468 "charactersToSkip": "A String", # Characters to not transform when masking.
5469 },
5470 ],
5471 "numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be
5472 # masked. Skipped characters do not count towards this tally.
5473 "maskingCharacter": "A String", # Character to use to mask the sensitive values&amp;mdash;for example, `*` for an
5474 # alphabetic string such as a name, or `0` for a numeric string such as ZIP
5475 # code or credit card number. This string must have a length of 1. If not
5476 # supplied, this value defaults to `*` for strings, and `0` for digits.
5477 "reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is
5478 # `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the
5479 # input string `1234-5678-9012-3456` is masked as `00000000000000-3456`.
5480 # If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order`
5481 # is `true`, then the string `12345` is masked as `12***`.
5482 },
5483 "redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation` # Redact
5484 # transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the
5485 # output would be 'My phone number is '.
5486 },
5487 "replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type. # Replace with infotype
5488 },
5489 "fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The # Fixed size bucketing
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]5490 # Bucketing transformation can provide all of this functionality,
5491 # but requires more configuration. This message is provided as a convenience to
5492 # the user for simple bucketing strategies.
5493 #
5494 # The transformed value will be a hyphenated string of
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]5495 # {lower_bound}-{upper_bound}, i.e if lower_bound = 10 and upper_bound = 20
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]5496 # all values that are within this bucket will be replaced with "10-20".
5497 #
5498 # This can be used on data of type: double, long.
5499 #
5500 # If the bound Value type differs from the type of data
5501 # being transformed, we will first attempt converting the type of the data to
5502 # be transformed to match the type of the bound before comparing.
5503 #
5504 # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]5505 "lowerBound": { # Set of primitive values supported by the system. # Required. Lower bound value of buckets. All values less than `lower_bound` are
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]5506 # grouped together into a single bucket; for example if `lower_bound` = 10,
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]5507 # then all values less than 10 are replaced with the value “-10”.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]5508 # Note that for the purposes of inspection or transformation, the number
5509 # of bytes considered to comprise a 'Value' is based on its representation
5510 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
5511 # 123456789, the number of bytes would be counted as 9, even though an
5512 # int64 only holds up to 8 bytes of data.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]5513 "floatValue": 3.14, # float
5514 "timestampValue": "A String", # timestamp
5515 "dayOfWeekValue": "A String", # day of week
5516 "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]5517 # or are specified elsewhere. An API may choose to allow leap seconds. Related
5518 # types are google.type.Date and `google.protobuf.Timestamp`.
5519 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
5520 # to allow the value "24:00:00" for scenarios like business closing time.
5521 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
5522 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
5523 # allow the value 60 if it allows leap-seconds.
5524 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
5525 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]5526 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]5527 # and time zone are either specified elsewhere or are not significant. The date
5528 # is relative to the Proleptic Gregorian Calendar. This can represent:
5529 #
5530 # * A full date, with non-zero year, month and day values
5531 # * A month and day value, with a zero year, e.g. an anniversary
5532 # * A year on its own, with zero month and day values
5533 # * A year and month value, with a zero day, e.g. a credit card expiration date
5534 #
5535 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]5536 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
5537 # month and day.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]5538 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
5539 # if specifying a year by itself or a year and month where the day is not
5540 # significant.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]5541 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
5542 # a year.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]5543 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]5544 "stringValue": "A String", # string
5545 "booleanValue": True or False, # boolean
5546 "integerValue": "A String", # integer
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]5547 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]5548 "upperBound": { # Set of primitive values supported by the system. # Required. Upper bound value of buckets. All values greater than upper_bound are
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]5549 # grouped together into a single bucket; for example if `upper_bound` = 89,
5550 # then all values greater than 89 are replaced with the value “89+”.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]5551 # Note that for the purposes of inspection or transformation, the number
5552 # of bytes considered to comprise a 'Value' is based on its representation
5553 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
5554 # 123456789, the number of bytes would be counted as 9, even though an
5555 # int64 only holds up to 8 bytes of data.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]5556 "floatValue": 3.14, # float
5557 "timestampValue": "A String", # timestamp
5558 "dayOfWeekValue": "A String", # day of week
5559 "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]5560 # or are specified elsewhere. An API may choose to allow leap seconds. Related
5561 # types are google.type.Date and `google.protobuf.Timestamp`.
5562 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
5563 # to allow the value "24:00:00" for scenarios like business closing time.
5564 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
5565 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
5566 # allow the value 60 if it allows leap-seconds.
5567 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
5568 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]5569 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]5570 # and time zone are either specified elsewhere or are not significant. The date
5571 # is relative to the Proleptic Gregorian Calendar. This can represent:
5572 #
5573 # * A full date, with non-zero year, month and day values
5574 # * A month and day value, with a zero year, e.g. an anniversary
5575 # * A year on its own, with zero month and day values
5576 # * A year and month value, with a zero day, e.g. a credit card expiration date
5577 #
5578 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]5579 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
5580 # month and day.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]5581 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
5582 # if specifying a year by itself or a year and month where the day is not
5583 # significant.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]5584 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
5585 # a year.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]5586 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]5587 "stringValue": "A String", # string
5588 "booleanValue": True or False, # boolean
5589 "integerValue": "A String", # integer
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]5590 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]5591 "bucketSize": 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]5592 # `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the
5593 # following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60,
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]5594 # 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]5595 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]5596 "timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a # Time extraction
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]5597 # portion of the value.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]5598 "partToExtract": "A String", # The part of the time to keep.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]5599 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]5600 "dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the # Date Shift
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]5601 # same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting
5602 # to learn more.
5603 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]5604 # results in the same shift for the same context and crypto_key. If
5605 # set, must also set context. Can only be applied to table items.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]5606 # a key encryption key (KEK) stored by KMS).
5607 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
5608 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
5609 # unwrap the data crypto key.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]5610 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]5611 # The wrapped key must be a 128/192/256 bit key.
5612 # Authorization requires the following IAM permissions when sending a request
5613 # to perform a crypto transformation using a kms-wrapped crypto key:
5614 # dlp.kms.encrypt
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]5615 "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
5616 "wrappedKey": "A String", # Required. The wrapped data crypto key.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]5617 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]5618 "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]5619 # leaking the key. Choose another type of key if possible.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]5620 "key": "A String", # Required. A 128/192/256 bit key.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]5621 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]5622 "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]5623 # It will be discarded after the request finishes.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]5624 "name": "A String", # Required. Name of the key.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]5625 # This is an arbitrary string used to differentiate different keys.
5626 # A unique key is generated per name: two separate `TransientCryptoKey`
5627 # protos share the same generated key if their names are the same.
5628 # When the data crypto key is generated, this name is not used in any way
5629 # (repeating the api call will result in a different key being generated).
5630 },
5631 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]5632 "lowerBoundDays": 42, # Required. For example, -5 means shift date to at most 5 days back in the past.
5633 "upperBoundDays": 42, # Required. Range of shift in days. Actual shift will be selected at random within this
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]5634 # range (inclusive ends). Negative means shift to earlier in time. Must not
5635 # be more than 365250 days (1000 years) each direction.
5636 #
5637 # For example, 3 means shift date to at most 3 days into the future.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]5638 "context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]5639 # If set, must also set cryptoKey. If set, shift will be consistent for the
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]5640 # given context.
5641 "name": "A String", # Name describing the field.
5642 },
5643 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]5644 "cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption # Ffx-Fpe
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]5645 # (FPE) with the FFX mode of operation; however when used in the
5646 # `ReidentifyContent` API method, it serves the opposite function by reversing
5647 # the surrogate back into the original identifier. The identifier must be
5648 # encoded as ASCII. For a given crypto key and context, the same identifier
5649 # will be replaced with the same surrogate. Identifiers must be at least two
5650 # characters long. In the case that the identifier is the empty string, it will
5651 # be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn
5652 # more.
5653 #
5654 # Note: We recommend using CryptoDeterministicConfig for all use cases which
5655 # do not require preserving the input alphabet space and size, plus warrant
5656 # referential integrity.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]5657 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Required. The key used by the encryption algorithm.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]5658 # a key encryption key (KEK) stored by KMS).
5659 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
5660 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
5661 # unwrap the data crypto key.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]5662 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]5663 # The wrapped key must be a 128/192/256 bit key.
5664 # Authorization requires the following IAM permissions when sending a request
5665 # to perform a crypto transformation using a kms-wrapped crypto key:
5666 # dlp.kms.encrypt
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]5667 "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
5668 "wrappedKey": "A String", # Required. The wrapped data crypto key.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]5669 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]5670 "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]5671 # leaking the key. Choose another type of key if possible.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]5672 "key": "A String", # Required. A 128/192/256 bit key.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]5673 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]5674 "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]5675 # It will be discarded after the request finishes.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]5676 "name": "A String", # Required. Name of the key.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]5677 # This is an arbitrary string used to differentiate different keys.
5678 # A unique key is generated per name: two separate `TransientCryptoKey`
5679 # protos share the same generated key if their names are the same.
5680 # When the data crypto key is generated, this name is not used in any way
5681 # (repeating the api call will result in a different key being generated).
5682 },
5683 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]5684 "radix": 42, # The native way to select the alphabet. Must be in the range [2, 95].
5685 "commonAlphabet": "A String", # Common alphabets.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]5686 "customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters
5687 # that the FFX mode natively supports. This happens before/after
5688 # encryption/decryption.
5689 # Each character listed must appear only once.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]5690 # Number of characters must be in the range [2, 95].
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]5691 # This must be encoded as ASCII.
5692 # The order of characters does not matter.
5693 "context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same
5694 # identifier in two different contexts won't be given the same surrogate. If
5695 # the context is not set, a default tweak will be used.
5696 #
5697 # If the context is set but:
5698 #
5699 # 1. there is no record present when transforming a given value or
5700 # 1. the field is not present when transforming a given value,
5701 #
5702 # a default tweak will be used.
5703 #
5704 # Note that case (1) is expected when an `InfoTypeTransformation` is
5705 # applied to both structured and non-structured `ContentItem`s.
5706 # Currently, the referenced field may be of value type integer or string.
5707 #
5708 # The tweak is constructed as a sequence of bytes in big endian byte order
5709 # such that:
5710 #
5711 # - a 64 bit integer is encoded followed by a single byte of value 1
5712 # - a string is encoded in UTF-8 format followed by a single byte of value 2
5713 "name": "A String", # Name describing the field.
5714 },
5715 "surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with.
5716 # This annotation will be applied to the surrogate by prefixing it with
5717 # the name of the custom infoType followed by the number of
5718 # characters comprising the surrogate. The following scheme defines the
5719 # format: info_type_name(surrogate_character_count):surrogate
5720 #
5721 # For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and
5722 # the surrogate is 'abc', the full replacement value
5723 # will be: 'MY_TOKEN_INFO_TYPE(3):abc'
5724 #
5725 # This annotation identifies the surrogate when inspecting content using the
5726 # custom infoType
5727 # [`SurrogateType`](/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype).
5728 # This facilitates reversal of the surrogate when it occurs in free text.
5729 #
5730 # In order for inspection to work properly, the name of this infoType must
5731 # not occur naturally anywhere in your data; otherwise, inspection may
5732 # find a surrogate that does not correspond to an actual identifier.
5733 # Therefore, choose your custom infoType name carefully after considering
5734 # what your data looks like. One way to select a name that has a high chance
5735 # of yielding reliable detection is to include one or more unicode characters
5736 # that are highly improbable to exist in your data.
5737 # For example, assuming your data is entered from a regular ASCII keyboard,
5738 # the symbol with the hex code point 29DD might be used like so:
5739 # ⧝MY_TOKEN_TYPE
5740 "name": "A String", # Name of the information type. Either a name of your choosing when
5741 # creating a CustomInfoType, or one of the names listed
5742 # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
5743 # a built-in type. InfoType names should conform to the pattern
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]5744 # `[a-zA-Z0-9_]{1,64}`.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]5745 },
5746 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]5747 "bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and # Bucketing
5748 # replacement values are dynamically provided by the user for custom behavior,
5749 # such as 1-30 -&gt; LOW 31-65 -&gt; MEDIUM 66-100 -&gt; HIGH
5750 # This can be used on
5751 # data of type: number, long, string, timestamp.
5752 # If the bound `Value` type differs from the type of data being transformed, we
5753 # will first attempt converting the type of the data to be transformed to match
5754 # the type of the bound before comparing.
5755 # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
5756 "buckets": [ # Set of buckets. Ranges must be non-overlapping.
5757 { # Bucket is represented as a range, along with replacement values.
5758 "max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.
5759 # Note that for the purposes of inspection or transformation, the number
5760 # of bytes considered to comprise a 'Value' is based on its representation
5761 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
5762 # 123456789, the number of bytes would be counted as 9, even though an
5763 # int64 only holds up to 8 bytes of data.
5764 "floatValue": 3.14, # float
5765 "timestampValue": "A String", # timestamp
5766 "dayOfWeekValue": "A String", # day of week
5767 "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
5768 # or are specified elsewhere. An API may choose to allow leap seconds. Related
5769 # types are google.type.Date and `google.protobuf.Timestamp`.
5770 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
5771 # to allow the value "24:00:00" for scenarios like business closing time.
5772 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
5773 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
5774 # allow the value 60 if it allows leap-seconds.
5775 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
5776 },
5777 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
5778 # and time zone are either specified elsewhere or are not significant. The date
5779 # is relative to the Proleptic Gregorian Calendar. This can represent:
5780 #
5781 # * A full date, with non-zero year, month and day values
5782 # * A month and day value, with a zero year, e.g. an anniversary
5783 # * A year on its own, with zero month and day values
5784 # * A year and month value, with a zero day, e.g. a credit card expiration date
5785 #
5786 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
5787 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
5788 # month and day.
5789 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
5790 # if specifying a year by itself or a year and month where the day is not
5791 # significant.
5792 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
5793 # a year.
5794 },
5795 "stringValue": "A String", # string
5796 "booleanValue": True or False, # boolean
5797 "integerValue": "A String", # integer
5798 },
5799 "replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided
5800 # the default behavior will be to hyphenate the min-max range.
5801 # Note that for the purposes of inspection or transformation, the number
5802 # of bytes considered to comprise a 'Value' is based on its representation
5803 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
5804 # 123456789, the number of bytes would be counted as 9, even though an
5805 # int64 only holds up to 8 bytes of data.
5806 "floatValue": 3.14, # float
5807 "timestampValue": "A String", # timestamp
5808 "dayOfWeekValue": "A String", # day of week
5809 "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
5810 # or are specified elsewhere. An API may choose to allow leap seconds. Related
5811 # types are google.type.Date and `google.protobuf.Timestamp`.
5812 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
5813 # to allow the value "24:00:00" for scenarios like business closing time.
5814 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
5815 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
5816 # allow the value 60 if it allows leap-seconds.
5817 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
5818 },
5819 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
5820 # and time zone are either specified elsewhere or are not significant. The date
5821 # is relative to the Proleptic Gregorian Calendar. This can represent:
5822 #
5823 # * A full date, with non-zero year, month and day values
5824 # * A month and day value, with a zero year, e.g. an anniversary
5825 # * A year on its own, with zero month and day values
5826 # * A year and month value, with a zero day, e.g. a credit card expiration date
5827 #
5828 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
5829 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
5830 # month and day.
5831 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
5832 # if specifying a year by itself or a year and month where the day is not
5833 # significant.
5834 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
5835 # a year.
5836 },
5837 "stringValue": "A String", # string
5838 "booleanValue": True or False, # boolean
5839 "integerValue": "A String", # integer
5840 },
5841 "min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if
5842 # used.
5843 # Note that for the purposes of inspection or transformation, the number
5844 # of bytes considered to comprise a 'Value' is based on its representation
5845 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
5846 # 123456789, the number of bytes would be counted as 9, even though an
5847 # int64 only holds up to 8 bytes of data.
5848 "floatValue": 3.14, # float
5849 "timestampValue": "A String", # timestamp
5850 "dayOfWeekValue": "A String", # day of week
5851 "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
5852 # or are specified elsewhere. An API may choose to allow leap seconds. Related
5853 # types are google.type.Date and `google.protobuf.Timestamp`.
5854 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
5855 # to allow the value "24:00:00" for scenarios like business closing time.
5856 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
5857 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
5858 # allow the value 60 if it allows leap-seconds.
5859 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
5860 },
5861 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
5862 # and time zone are either specified elsewhere or are not significant. The date
5863 # is relative to the Proleptic Gregorian Calendar. This can represent:
5864 #
5865 # * A full date, with non-zero year, month and day values
5866 # * A month and day value, with a zero year, e.g. an anniversary
5867 # * A year on its own, with zero month and day values
5868 # * A year and month value, with a zero day, e.g. a credit card expiration date
5869 #
5870 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
5871 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
5872 # month and day.
5873 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
5874 # if specifying a year by itself or a year and month where the day is not
5875 # significant.
5876 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
5877 # a year.
5878 },
5879 "stringValue": "A String", # string
5880 "booleanValue": True or False, # boolean
5881 "integerValue": "A String", # integer
5882 },
5883 },
5884 ],
5885 },
5886 "cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing. # Crypto
5887 # Uses SHA-256.
5888 # The key size must be either 32 or 64 bytes.
5889 # Outputs a base64 encoded representation of the hashed output
5890 # (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).
5891 # Currently, only string and integer values can be hashed.
5892 # See https://cloud.google.com/dlp/docs/pseudonymization to learn more.
5893 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.
5894 # a key encryption key (KEK) stored by KMS).
5895 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
5896 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
5897 # unwrap the data crypto key.
5898 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
5899 # The wrapped key must be a 128/192/256 bit key.
5900 # Authorization requires the following IAM permissions when sending a request
5901 # to perform a crypto transformation using a kms-wrapped crypto key:
5902 # dlp.kms.encrypt
5903 "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
5904 "wrappedKey": "A String", # Required. The wrapped data crypto key.
5905 },
5906 "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
5907 # leaking the key. Choose another type of key if possible.
5908 "key": "A String", # Required. A 128/192/256 bit key.
5909 },
5910 "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
5911 # It will be discarded after the request finishes.
5912 "name": "A String", # Required. Name of the key.
5913 # This is an arbitrary string used to differentiate different keys.
5914 # A unique key is generated per name: two separate `TransientCryptoKey`
5915 # protos share the same generated key if their names are the same.
5916 # When the data crypto key is generated, this name is not used in any way
5917 # (repeating the api call will result in a different key being generated).
5918 },
5919 },
5920 },
5921 "replaceConfig": { # Replace each input value with a given `Value`. # Replace
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]5922 "newValue": { # Set of primitive values supported by the system. # Value to replace it with.
5923 # Note that for the purposes of inspection or transformation, the number
5924 # of bytes considered to comprise a 'Value' is based on its representation
5925 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
5926 # 123456789, the number of bytes would be counted as 9, even though an
5927 # int64 only holds up to 8 bytes of data.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]5928 "floatValue": 3.14, # float
5929 "timestampValue": "A String", # timestamp
5930 "dayOfWeekValue": "A String", # day of week
5931 "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]5932 # or are specified elsewhere. An API may choose to allow leap seconds. Related
5933 # types are google.type.Date and `google.protobuf.Timestamp`.
5934 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
5935 # to allow the value "24:00:00" for scenarios like business closing time.
5936 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
5937 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
5938 # allow the value 60 if it allows leap-seconds.
5939 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
5940 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]5941 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]5942 # and time zone are either specified elsewhere or are not significant. The date
5943 # is relative to the Proleptic Gregorian Calendar. This can represent:
5944 #
5945 # * A full date, with non-zero year, month and day values
5946 # * A month and day value, with a zero year, e.g. an anniversary
5947 # * A year on its own, with zero month and day values
5948 # * A year and month value, with a zero day, e.g. a credit card expiration date
5949 #
5950 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]5951 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
5952 # month and day.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]5953 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
5954 # if specifying a year by itself or a year and month where the day is not
5955 # significant.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]5956 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
5957 # a year.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]5958 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]5959 "stringValue": "A String", # string
5960 "booleanValue": True or False, # boolean
5961 "integerValue": "A String", # integer
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]5962 },
5963 },
5964 },
5965 "infoTypes": [ # InfoTypes to apply the transformation to. An empty list will cause
5966 # this transformation to apply to all findings that correspond to
5967 # infoTypes that were requested in `InspectConfig`.
5968 { # Type of information detected by the API.
5969 "name": "A String", # Name of the information type. Either a name of your choosing when
5970 # creating a CustomInfoType, or one of the names listed
5971 # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
5972 # a built-in type. InfoType names should conform to the pattern
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]5973 # `[a-zA-Z0-9_]{1,64}`.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]5974 },
5975 ],
5976 },
5977 ],
5978 },
5979 "recordTransformations": { # A type of transformation that is applied over structured data such as a # Treat the dataset as structured. Transformations can be applied to
5980 # specific locations within structured datasets, such as transforming
5981 # a column within a table.
5982 # table.
5983 "recordSuppressions": [ # Configuration defining which records get suppressed entirely. Records that
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]5984 # match any suppression rule are omitted from the output.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]5985 { # Configuration to suppress records whose suppression conditions evaluate to
5986 # true.
5987 "condition": { # A condition for determining whether a transformation should be applied to # A condition that when it evaluates to true will result in the record being
5988 # evaluated to be suppressed from the transformed content.
5989 # a field.
5990 "expressions": { # An expression, consisting or an operator and conditions. # An expression.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]5991 "conditions": { # A collection of conditions. # Conditions to apply to the expression.
5992 "conditions": [ # A collection of conditions.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]5993 { # The field type of `value` and `field` do not need to match to be
5994 # considered equal, but not all comparisons are possible.
5995 # EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types,
5996 # but all other comparisons are invalid with incompatible types.
5997 # A `value` of type:
5998 #
5999 # - `string` can be compared against all other types
6000 # - `boolean` can only be compared against other booleans
6001 # - `integer` can be compared against doubles or a string if the string value
6002 # can be parsed as an integer.
6003 # - `double` can be compared against integers or a string if the string can
6004 # be parsed as a double.
6005 # - `Timestamp` can be compared against strings in RFC 3339 date string
6006 # format.
6007 # - `TimeOfDay` can be compared against timestamps and strings in the format
6008 # of 'HH:mm:ss'.
6009 #
6010 # If we fail to compare do to type mismatch, a warning will be given and
6011 # the condition will evaluate to false.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]6012 "operator": "A String", # Required. Operator used to compare the field or infoType to the value.
6013 "field": { # General identifier of a data field in a storage service. # Required. Field within the record this condition is evaluated against.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]6014 "name": "A String", # Name describing the field.
6015 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]6016 "value": { # Set of primitive values supported by the system. # Value to compare against. [Mandatory, except for `EXISTS` tests.]
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]6017 # Note that for the purposes of inspection or transformation, the number
6018 # of bytes considered to comprise a 'Value' is based on its representation
6019 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
6020 # 123456789, the number of bytes would be counted as 9, even though an
6021 # int64 only holds up to 8 bytes of data.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]6022 "floatValue": 3.14, # float
6023 "timestampValue": "A String", # timestamp
6024 "dayOfWeekValue": "A String", # day of week
6025 "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]6026 # or are specified elsewhere. An API may choose to allow leap seconds. Related
6027 # types are google.type.Date and `google.protobuf.Timestamp`.
6028 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
6029 # to allow the value "24:00:00" for scenarios like business closing time.
6030 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
6031 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
6032 # allow the value 60 if it allows leap-seconds.
6033 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
6034 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]6035 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]6036 # and time zone are either specified elsewhere or are not significant. The date
6037 # is relative to the Proleptic Gregorian Calendar. This can represent:
6038 #
6039 # * A full date, with non-zero year, month and day values
6040 # * A month and day value, with a zero year, e.g. an anniversary
6041 # * A year on its own, with zero month and day values
6042 # * A year and month value, with a zero day, e.g. a credit card expiration date
6043 #
6044 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]6045 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
6046 # month and day.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]6047 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
6048 # if specifying a year by itself or a year and month where the day is not
6049 # significant.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]6050 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
6051 # a year.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]6052 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]6053 "stringValue": "A String", # string
6054 "booleanValue": True or False, # boolean
6055 "integerValue": "A String", # integer
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]6056 },
6057 },
6058 ],
6059 },
6060 "logicalOperator": "A String", # The operator to apply to the result of conditions. Default and currently
6061 # only supported value is `AND`.
6062 },
6063 },
6064 },
6065 ],
6066 "fieldTransformations": [ # Transform the record by applying various field transformations.
6067 { # The transformation to apply to the field.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]6068 "fields": [ # Required. Input field(s) to apply the transformation to.
6069 { # General identifier of a data field in a storage service.
6070 "name": "A String", # Name describing the field.
6071 },
6072 ],
6073 "primitiveTransformation": { # A rule for transforming a value. # Apply the transformation to the entire field.
6074 "cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given # Deterministic Crypto
6075 # input. Outputs a base64 encoded representation of the encrypted output.
6076 # Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.
6077 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function.
6078 # a key encryption key (KEK) stored by KMS).
6079 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
6080 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
6081 # unwrap the data crypto key.
6082 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
6083 # The wrapped key must be a 128/192/256 bit key.
6084 # Authorization requires the following IAM permissions when sending a request
6085 # to perform a crypto transformation using a kms-wrapped crypto key:
6086 # dlp.kms.encrypt
6087 "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
6088 "wrappedKey": "A String", # Required. The wrapped data crypto key.
6089 },
6090 "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
6091 # leaking the key. Choose another type of key if possible.
6092 "key": "A String", # Required. A 128/192/256 bit key.
6093 },
6094 "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
6095 # It will be discarded after the request finishes.
6096 "name": "A String", # Required. Name of the key.
6097 # This is an arbitrary string used to differentiate different keys.
6098 # A unique key is generated per name: two separate `TransientCryptoKey`
6099 # protos share the same generated key if their names are the same.
6100 # When the data crypto key is generated, this name is not used in any way
6101 # (repeating the api call will result in a different key being generated).
6102 },
6103 },
6104 "context": { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining
6105 # referential integrity such that the same identifier in two different
6106 # contexts will be given a distinct surrogate. The context is appended to
6107 # plaintext value being encrypted. On decryption the provided context is
6108 # validated against the value used during encryption. If a context was
6109 # provided during encryption, same context must be provided during decryption
6110 # as well.
6111 #
6112 # If the context is not set, plaintext would be used as is for encryption.
6113 # If the context is set but:
6114 #
6115 # 1. there is no record present when transforming a given value or
6116 # 2. the field is not present when transforming a given value,
6117 #
6118 # plaintext would be used as is for encryption.
6119 #
6120 # Note that case (1) is expected when an `InfoTypeTransformation` is
6121 # applied to both structured and non-structured `ContentItem`s.
6122 "name": "A String", # Name describing the field.
6123 },
6124 "surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with.
6125 # This annotation will be applied to the surrogate by prefixing it with
6126 # the name of the custom info type followed by the number of
6127 # characters comprising the surrogate. The following scheme defines the
6128 # format: {info type name}({surrogate character count}):{surrogate}
6129 #
6130 # For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and
6131 # the surrogate is 'abc', the full replacement value
6132 # will be: 'MY_TOKEN_INFO_TYPE(3):abc'
6133 #
6134 # This annotation identifies the surrogate when inspecting content using the
6135 # custom info type 'Surrogate'. This facilitates reversal of the
6136 # surrogate when it occurs in free text.
6137 #
6138 # Note: For record transformations where the entire cell in a table is being
6139 # transformed, surrogates are not mandatory. Surrogates are used to denote
6140 # the location of the token and are necessary for re-identification in free
6141 # form text.
6142 #
6143 # In order for inspection to work properly, the name of this info type must
6144 # not occur naturally anywhere in your data; otherwise, inspection may either
6145 #
6146 # - reverse a surrogate that does not correspond to an actual identifier
6147 # - be unable to parse the surrogate and result in an error
6148 #
6149 # Therefore, choose your custom info type name carefully after considering
6150 # what your data looks like. One way to select a name that has a high chance
6151 # of yielding reliable detection is to include one or more unicode characters
6152 # that are highly improbable to exist in your data.
6153 # For example, assuming your data is entered from a regular ASCII keyboard,
6154 # the symbol with the hex code point 29DD might be used like so:
6155 # ⧝MY_TOKEN_TYPE.
6156 "name": "A String", # Name of the information type. Either a name of your choosing when
6157 # creating a CustomInfoType, or one of the names listed
6158 # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
6159 # a built-in type. InfoType names should conform to the pattern
6160 # `[a-zA-Z0-9_]{1,64}`.
6161 },
6162 },
6163 "characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a # Mask
6164 # fixed character. Masking can start from the beginning or end of the string.
6165 # This can be used on data of any type (numbers, longs, and so on) and when
6166 # de-identifying structured data we'll attempt to preserve the original data's
6167 # type. (This allows you to take a long like 123 and modify it to a string like
6168 # **3.
6169 "charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing
6170 # characters. For example, if the input string is `555-555-5555` and you
6171 # instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP
6172 # returns `***-**5-5555`.
6173 { # Characters to skip when doing deidentification of a value. These will be left
6174 # alone and skipped.
6175 "commonCharactersToIgnore": "A String", # Common characters to not transform when masking. Useful to avoid removing
6176 # punctuation.
6177 "charactersToSkip": "A String", # Characters to not transform when masking.
6178 },
6179 ],
6180 "numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be
6181 # masked. Skipped characters do not count towards this tally.
6182 "maskingCharacter": "A String", # Character to use to mask the sensitive values&amp;mdash;for example, `*` for an
6183 # alphabetic string such as a name, or `0` for a numeric string such as ZIP
6184 # code or credit card number. This string must have a length of 1. If not
6185 # supplied, this value defaults to `*` for strings, and `0` for digits.
6186 "reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is
6187 # `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the
6188 # input string `1234-5678-9012-3456` is masked as `00000000000000-3456`.
6189 # If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order`
6190 # is `true`, then the string `12345` is masked as `12***`.
6191 },
6192 "redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation` # Redact
6193 # transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the
6194 # output would be 'My phone number is '.
6195 },
6196 "replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type. # Replace with infotype
6197 },
6198 "fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The # Fixed size bucketing
6199 # Bucketing transformation can provide all of this functionality,
6200 # but requires more configuration. This message is provided as a convenience to
6201 # the user for simple bucketing strategies.
6202 #
6203 # The transformed value will be a hyphenated string of
6204 # {lower_bound}-{upper_bound}, i.e if lower_bound = 10 and upper_bound = 20
6205 # all values that are within this bucket will be replaced with "10-20".
6206 #
6207 # This can be used on data of type: double, long.
6208 #
6209 # If the bound Value type differs from the type of data
6210 # being transformed, we will first attempt converting the type of the data to
6211 # be transformed to match the type of the bound before comparing.
6212 #
6213 # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
6214 "lowerBound": { # Set of primitive values supported by the system. # Required. Lower bound value of buckets. All values less than `lower_bound` are
6215 # grouped together into a single bucket; for example if `lower_bound` = 10,
6216 # then all values less than 10 are replaced with the value “-10”.
6217 # Note that for the purposes of inspection or transformation, the number
6218 # of bytes considered to comprise a 'Value' is based on its representation
6219 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
6220 # 123456789, the number of bytes would be counted as 9, even though an
6221 # int64 only holds up to 8 bytes of data.
6222 "floatValue": 3.14, # float
6223 "timestampValue": "A String", # timestamp
6224 "dayOfWeekValue": "A String", # day of week
6225 "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
6226 # or are specified elsewhere. An API may choose to allow leap seconds. Related
6227 # types are google.type.Date and `google.protobuf.Timestamp`.
6228 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
6229 # to allow the value "24:00:00" for scenarios like business closing time.
6230 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
6231 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
6232 # allow the value 60 if it allows leap-seconds.
6233 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
6234 },
6235 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
6236 # and time zone are either specified elsewhere or are not significant. The date
6237 # is relative to the Proleptic Gregorian Calendar. This can represent:
6238 #
6239 # * A full date, with non-zero year, month and day values
6240 # * A month and day value, with a zero year, e.g. an anniversary
6241 # * A year on its own, with zero month and day values
6242 # * A year and month value, with a zero day, e.g. a credit card expiration date
6243 #
6244 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
6245 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
6246 # month and day.
6247 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
6248 # if specifying a year by itself or a year and month where the day is not
6249 # significant.
6250 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
6251 # a year.
6252 },
6253 "stringValue": "A String", # string
6254 "booleanValue": True or False, # boolean
6255 "integerValue": "A String", # integer
6256 },
6257 "upperBound": { # Set of primitive values supported by the system. # Required. Upper bound value of buckets. All values greater than upper_bound are
6258 # grouped together into a single bucket; for example if `upper_bound` = 89,
6259 # then all values greater than 89 are replaced with the value “89+”.
6260 # Note that for the purposes of inspection or transformation, the number
6261 # of bytes considered to comprise a 'Value' is based on its representation
6262 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
6263 # 123456789, the number of bytes would be counted as 9, even though an
6264 # int64 only holds up to 8 bytes of data.
6265 "floatValue": 3.14, # float
6266 "timestampValue": "A String", # timestamp
6267 "dayOfWeekValue": "A String", # day of week
6268 "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
6269 # or are specified elsewhere. An API may choose to allow leap seconds. Related
6270 # types are google.type.Date and `google.protobuf.Timestamp`.
6271 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
6272 # to allow the value "24:00:00" for scenarios like business closing time.
6273 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
6274 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
6275 # allow the value 60 if it allows leap-seconds.
6276 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
6277 },
6278 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
6279 # and time zone are either specified elsewhere or are not significant. The date
6280 # is relative to the Proleptic Gregorian Calendar. This can represent:
6281 #
6282 # * A full date, with non-zero year, month and day values
6283 # * A month and day value, with a zero year, e.g. an anniversary
6284 # * A year on its own, with zero month and day values
6285 # * A year and month value, with a zero day, e.g. a credit card expiration date
6286 #
6287 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
6288 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
6289 # month and day.
6290 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
6291 # if specifying a year by itself or a year and month where the day is not
6292 # significant.
6293 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
6294 # a year.
6295 },
6296 "stringValue": "A String", # string
6297 "booleanValue": True or False, # boolean
6298 "integerValue": "A String", # integer
6299 },
6300 "bucketSize": 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if
6301 # `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the
6302 # following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60,
6303 # 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works.
6304 },
6305 "timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a # Time extraction
6306 # portion of the value.
6307 "partToExtract": "A String", # The part of the time to keep.
6308 },
6309 "dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the # Date Shift
6310 # same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting
6311 # to learn more.
6312 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This
6313 # results in the same shift for the same context and crypto_key. If
6314 # set, must also set context. Can only be applied to table items.
6315 # a key encryption key (KEK) stored by KMS).
6316 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
6317 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
6318 # unwrap the data crypto key.
6319 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
6320 # The wrapped key must be a 128/192/256 bit key.
6321 # Authorization requires the following IAM permissions when sending a request
6322 # to perform a crypto transformation using a kms-wrapped crypto key:
6323 # dlp.kms.encrypt
6324 "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
6325 "wrappedKey": "A String", # Required. The wrapped data crypto key.
6326 },
6327 "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
6328 # leaking the key. Choose another type of key if possible.
6329 "key": "A String", # Required. A 128/192/256 bit key.
6330 },
6331 "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
6332 # It will be discarded after the request finishes.
6333 "name": "A String", # Required. Name of the key.
6334 # This is an arbitrary string used to differentiate different keys.
6335 # A unique key is generated per name: two separate `TransientCryptoKey`
6336 # protos share the same generated key if their names are the same.
6337 # When the data crypto key is generated, this name is not used in any way
6338 # (repeating the api call will result in a different key being generated).
6339 },
6340 },
6341 "lowerBoundDays": 42, # Required. For example, -5 means shift date to at most 5 days back in the past.
6342 "upperBoundDays": 42, # Required. Range of shift in days. Actual shift will be selected at random within this
6343 # range (inclusive ends). Negative means shift to earlier in time. Must not
6344 # be more than 365250 days (1000 years) each direction.
6345 #
6346 # For example, 3 means shift date to at most 3 days into the future.
6347 "context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id.
6348 # If set, must also set cryptoKey. If set, shift will be consistent for the
6349 # given context.
6350 "name": "A String", # Name describing the field.
6351 },
6352 },
6353 "cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption # Ffx-Fpe
6354 # (FPE) with the FFX mode of operation; however when used in the
6355 # `ReidentifyContent` API method, it serves the opposite function by reversing
6356 # the surrogate back into the original identifier. The identifier must be
6357 # encoded as ASCII. For a given crypto key and context, the same identifier
6358 # will be replaced with the same surrogate. Identifiers must be at least two
6359 # characters long. In the case that the identifier is the empty string, it will
6360 # be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn
6361 # more.
6362 #
6363 # Note: We recommend using CryptoDeterministicConfig for all use cases which
6364 # do not require preserving the input alphabet space and size, plus warrant
6365 # referential integrity.
6366 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Required. The key used by the encryption algorithm.
6367 # a key encryption key (KEK) stored by KMS).
6368 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
6369 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
6370 # unwrap the data crypto key.
6371 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
6372 # The wrapped key must be a 128/192/256 bit key.
6373 # Authorization requires the following IAM permissions when sending a request
6374 # to perform a crypto transformation using a kms-wrapped crypto key:
6375 # dlp.kms.encrypt
6376 "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
6377 "wrappedKey": "A String", # Required. The wrapped data crypto key.
6378 },
6379 "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
6380 # leaking the key. Choose another type of key if possible.
6381 "key": "A String", # Required. A 128/192/256 bit key.
6382 },
6383 "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
6384 # It will be discarded after the request finishes.
6385 "name": "A String", # Required. Name of the key.
6386 # This is an arbitrary string used to differentiate different keys.
6387 # A unique key is generated per name: two separate `TransientCryptoKey`
6388 # protos share the same generated key if their names are the same.
6389 # When the data crypto key is generated, this name is not used in any way
6390 # (repeating the api call will result in a different key being generated).
6391 },
6392 },
6393 "radix": 42, # The native way to select the alphabet. Must be in the range [2, 95].
6394 "commonAlphabet": "A String", # Common alphabets.
6395 "customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters
6396 # that the FFX mode natively supports. This happens before/after
6397 # encryption/decryption.
6398 # Each character listed must appear only once.
6399 # Number of characters must be in the range [2, 95].
6400 # This must be encoded as ASCII.
6401 # The order of characters does not matter.
6402 "context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same
6403 # identifier in two different contexts won't be given the same surrogate. If
6404 # the context is not set, a default tweak will be used.
6405 #
6406 # If the context is set but:
6407 #
6408 # 1. there is no record present when transforming a given value or
6409 # 1. the field is not present when transforming a given value,
6410 #
6411 # a default tweak will be used.
6412 #
6413 # Note that case (1) is expected when an `InfoTypeTransformation` is
6414 # applied to both structured and non-structured `ContentItem`s.
6415 # Currently, the referenced field may be of value type integer or string.
6416 #
6417 # The tweak is constructed as a sequence of bytes in big endian byte order
6418 # such that:
6419 #
6420 # - a 64 bit integer is encoded followed by a single byte of value 1
6421 # - a string is encoded in UTF-8 format followed by a single byte of value 2
6422 "name": "A String", # Name describing the field.
6423 },
6424 "surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with.
6425 # This annotation will be applied to the surrogate by prefixing it with
6426 # the name of the custom infoType followed by the number of
6427 # characters comprising the surrogate. The following scheme defines the
6428 # format: info_type_name(surrogate_character_count):surrogate
6429 #
6430 # For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and
6431 # the surrogate is 'abc', the full replacement value
6432 # will be: 'MY_TOKEN_INFO_TYPE(3):abc'
6433 #
6434 # This annotation identifies the surrogate when inspecting content using the
6435 # custom infoType
6436 # [`SurrogateType`](/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype).
6437 # This facilitates reversal of the surrogate when it occurs in free text.
6438 #
6439 # In order for inspection to work properly, the name of this infoType must
6440 # not occur naturally anywhere in your data; otherwise, inspection may
6441 # find a surrogate that does not correspond to an actual identifier.
6442 # Therefore, choose your custom infoType name carefully after considering
6443 # what your data looks like. One way to select a name that has a high chance
6444 # of yielding reliable detection is to include one or more unicode characters
6445 # that are highly improbable to exist in your data.
6446 # For example, assuming your data is entered from a regular ASCII keyboard,
6447 # the symbol with the hex code point 29DD might be used like so:
6448 # ⧝MY_TOKEN_TYPE
6449 "name": "A String", # Name of the information type. Either a name of your choosing when
6450 # creating a CustomInfoType, or one of the names listed
6451 # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
6452 # a built-in type. InfoType names should conform to the pattern
6453 # `[a-zA-Z0-9_]{1,64}`.
6454 },
6455 },
6456 "bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and # Bucketing
6457 # replacement values are dynamically provided by the user for custom behavior,
6458 # such as 1-30 -&gt; LOW 31-65 -&gt; MEDIUM 66-100 -&gt; HIGH
6459 # This can be used on
6460 # data of type: number, long, string, timestamp.
6461 # If the bound `Value` type differs from the type of data being transformed, we
6462 # will first attempt converting the type of the data to be transformed to match
6463 # the type of the bound before comparing.
6464 # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
6465 "buckets": [ # Set of buckets. Ranges must be non-overlapping.
6466 { # Bucket is represented as a range, along with replacement values.
6467 "max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.
6468 # Note that for the purposes of inspection or transformation, the number
6469 # of bytes considered to comprise a 'Value' is based on its representation
6470 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
6471 # 123456789, the number of bytes would be counted as 9, even though an
6472 # int64 only holds up to 8 bytes of data.
6473 "floatValue": 3.14, # float
6474 "timestampValue": "A String", # timestamp
6475 "dayOfWeekValue": "A String", # day of week
6476 "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
6477 # or are specified elsewhere. An API may choose to allow leap seconds. Related
6478 # types are google.type.Date and `google.protobuf.Timestamp`.
6479 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
6480 # to allow the value "24:00:00" for scenarios like business closing time.
6481 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
6482 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
6483 # allow the value 60 if it allows leap-seconds.
6484 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
6485 },
6486 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
6487 # and time zone are either specified elsewhere or are not significant. The date
6488 # is relative to the Proleptic Gregorian Calendar. This can represent:
6489 #
6490 # * A full date, with non-zero year, month and day values
6491 # * A month and day value, with a zero year, e.g. an anniversary
6492 # * A year on its own, with zero month and day values
6493 # * A year and month value, with a zero day, e.g. a credit card expiration date
6494 #
6495 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
6496 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
6497 # month and day.
6498 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
6499 # if specifying a year by itself or a year and month where the day is not
6500 # significant.
6501 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
6502 # a year.
6503 },
6504 "stringValue": "A String", # string
6505 "booleanValue": True or False, # boolean
6506 "integerValue": "A String", # integer
6507 },
6508 "replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided
6509 # the default behavior will be to hyphenate the min-max range.
6510 # Note that for the purposes of inspection or transformation, the number
6511 # of bytes considered to comprise a 'Value' is based on its representation
6512 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
6513 # 123456789, the number of bytes would be counted as 9, even though an
6514 # int64 only holds up to 8 bytes of data.
6515 "floatValue": 3.14, # float
6516 "timestampValue": "A String", # timestamp
6517 "dayOfWeekValue": "A String", # day of week
6518 "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
6519 # or are specified elsewhere. An API may choose to allow leap seconds. Related
6520 # types are google.type.Date and `google.protobuf.Timestamp`.
6521 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
6522 # to allow the value "24:00:00" for scenarios like business closing time.
6523 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
6524 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
6525 # allow the value 60 if it allows leap-seconds.
6526 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
6527 },
6528 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
6529 # and time zone are either specified elsewhere or are not significant. The date
6530 # is relative to the Proleptic Gregorian Calendar. This can represent:
6531 #
6532 # * A full date, with non-zero year, month and day values
6533 # * A month and day value, with a zero year, e.g. an anniversary
6534 # * A year on its own, with zero month and day values
6535 # * A year and month value, with a zero day, e.g. a credit card expiration date
6536 #
6537 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
6538 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
6539 # month and day.
6540 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
6541 # if specifying a year by itself or a year and month where the day is not
6542 # significant.
6543 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
6544 # a year.
6545 },
6546 "stringValue": "A String", # string
6547 "booleanValue": True or False, # boolean
6548 "integerValue": "A String", # integer
6549 },
6550 "min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if
6551 # used.
6552 # Note that for the purposes of inspection or transformation, the number
6553 # of bytes considered to comprise a 'Value' is based on its representation
6554 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
6555 # 123456789, the number of bytes would be counted as 9, even though an
6556 # int64 only holds up to 8 bytes of data.
6557 "floatValue": 3.14, # float
6558 "timestampValue": "A String", # timestamp
6559 "dayOfWeekValue": "A String", # day of week
6560 "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
6561 # or are specified elsewhere. An API may choose to allow leap seconds. Related
6562 # types are google.type.Date and `google.protobuf.Timestamp`.
6563 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
6564 # to allow the value "24:00:00" for scenarios like business closing time.
6565 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
6566 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
6567 # allow the value 60 if it allows leap-seconds.
6568 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
6569 },
6570 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
6571 # and time zone are either specified elsewhere or are not significant. The date
6572 # is relative to the Proleptic Gregorian Calendar. This can represent:
6573 #
6574 # * A full date, with non-zero year, month and day values
6575 # * A month and day value, with a zero year, e.g. an anniversary
6576 # * A year on its own, with zero month and day values
6577 # * A year and month value, with a zero day, e.g. a credit card expiration date
6578 #
6579 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
6580 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
6581 # month and day.
6582 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
6583 # if specifying a year by itself or a year and month where the day is not
6584 # significant.
6585 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
6586 # a year.
6587 },
6588 "stringValue": "A String", # string
6589 "booleanValue": True or False, # boolean
6590 "integerValue": "A String", # integer
6591 },
6592 },
6593 ],
6594 },
6595 "cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing. # Crypto
6596 # Uses SHA-256.
6597 # The key size must be either 32 or 64 bytes.
6598 # Outputs a base64 encoded representation of the hashed output
6599 # (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).
6600 # Currently, only string and integer values can be hashed.
6601 # See https://cloud.google.com/dlp/docs/pseudonymization to learn more.
6602 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.
6603 # a key encryption key (KEK) stored by KMS).
6604 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
6605 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
6606 # unwrap the data crypto key.
6607 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
6608 # The wrapped key must be a 128/192/256 bit key.
6609 # Authorization requires the following IAM permissions when sending a request
6610 # to perform a crypto transformation using a kms-wrapped crypto key:
6611 # dlp.kms.encrypt
6612 "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
6613 "wrappedKey": "A String", # Required. The wrapped data crypto key.
6614 },
6615 "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
6616 # leaking the key. Choose another type of key if possible.
6617 "key": "A String", # Required. A 128/192/256 bit key.
6618 },
6619 "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
6620 # It will be discarded after the request finishes.
6621 "name": "A String", # Required. Name of the key.
6622 # This is an arbitrary string used to differentiate different keys.
6623 # A unique key is generated per name: two separate `TransientCryptoKey`
6624 # protos share the same generated key if their names are the same.
6625 # When the data crypto key is generated, this name is not used in any way
6626 # (repeating the api call will result in a different key being generated).
6627 },
6628 },
6629 },
6630 "replaceConfig": { # Replace each input value with a given `Value`. # Replace
6631 "newValue": { # Set of primitive values supported by the system. # Value to replace it with.
6632 # Note that for the purposes of inspection or transformation, the number
6633 # of bytes considered to comprise a 'Value' is based on its representation
6634 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
6635 # 123456789, the number of bytes would be counted as 9, even though an
6636 # int64 only holds up to 8 bytes of data.
6637 "floatValue": 3.14, # float
6638 "timestampValue": "A String", # timestamp
6639 "dayOfWeekValue": "A String", # day of week
6640 "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
6641 # or are specified elsewhere. An API may choose to allow leap seconds. Related
6642 # types are google.type.Date and `google.protobuf.Timestamp`.
6643 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
6644 # to allow the value "24:00:00" for scenarios like business closing time.
6645 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
6646 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
6647 # allow the value 60 if it allows leap-seconds.
6648 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
6649 },
6650 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
6651 # and time zone are either specified elsewhere or are not significant. The date
6652 # is relative to the Proleptic Gregorian Calendar. This can represent:
6653 #
6654 # * A full date, with non-zero year, month and day values
6655 # * A month and day value, with a zero year, e.g. an anniversary
6656 # * A year on its own, with zero month and day values
6657 # * A year and month value, with a zero day, e.g. a credit card expiration date
6658 #
6659 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
6660 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
6661 # month and day.
6662 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
6663 # if specifying a year by itself or a year and month where the day is not
6664 # significant.
6665 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
6666 # a year.
6667 },
6668 "stringValue": "A String", # string
6669 "booleanValue": True or False, # boolean
6670 "integerValue": "A String", # integer
6671 },
6672 },
6673 },
6674 "condition": { # A condition for determining whether a transformation should be applied to # Only apply the transformation if the condition evaluates to true for the
6675 # given `RecordCondition`. The conditions are allowed to reference fields
6676 # that are not used in the actual transformation.
6677 #
6678 # Example Use Cases:
6679 #
6680 # - Apply a different bucket transformation to an age column if the zip code
6681 # column for the same record is within a specific range.
6682 # - Redact a field if the date of birth field is greater than 85.
6683 # a field.
6684 "expressions": { # An expression, consisting or an operator and conditions. # An expression.
6685 "conditions": { # A collection of conditions. # Conditions to apply to the expression.
6686 "conditions": [ # A collection of conditions.
6687 { # The field type of `value` and `field` do not need to match to be
6688 # considered equal, but not all comparisons are possible.
6689 # EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types,
6690 # but all other comparisons are invalid with incompatible types.
6691 # A `value` of type:
6692 #
6693 # - `string` can be compared against all other types
6694 # - `boolean` can only be compared against other booleans
6695 # - `integer` can be compared against doubles or a string if the string value
6696 # can be parsed as an integer.
6697 # - `double` can be compared against integers or a string if the string can
6698 # be parsed as a double.
6699 # - `Timestamp` can be compared against strings in RFC 3339 date string
6700 # format.
6701 # - `TimeOfDay` can be compared against timestamps and strings in the format
6702 # of 'HH:mm:ss'.
6703 #
6704 # If we fail to compare do to type mismatch, a warning will be given and
6705 # the condition will evaluate to false.
6706 "operator": "A String", # Required. Operator used to compare the field or infoType to the value.
6707 "field": { # General identifier of a data field in a storage service. # Required. Field within the record this condition is evaluated against.
6708 "name": "A String", # Name describing the field.
6709 },
6710 "value": { # Set of primitive values supported by the system. # Value to compare against. [Mandatory, except for `EXISTS` tests.]
6711 # Note that for the purposes of inspection or transformation, the number
6712 # of bytes considered to comprise a 'Value' is based on its representation
6713 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
6714 # 123456789, the number of bytes would be counted as 9, even though an
6715 # int64 only holds up to 8 bytes of data.
6716 "floatValue": 3.14, # float
6717 "timestampValue": "A String", # timestamp
6718 "dayOfWeekValue": "A String", # day of week
6719 "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
6720 # or are specified elsewhere. An API may choose to allow leap seconds. Related
6721 # types are google.type.Date and `google.protobuf.Timestamp`.
6722 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
6723 # to allow the value "24:00:00" for scenarios like business closing time.
6724 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
6725 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
6726 # allow the value 60 if it allows leap-seconds.
6727 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
6728 },
6729 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
6730 # and time zone are either specified elsewhere or are not significant. The date
6731 # is relative to the Proleptic Gregorian Calendar. This can represent:
6732 #
6733 # * A full date, with non-zero year, month and day values
6734 # * A month and day value, with a zero year, e.g. an anniversary
6735 # * A year on its own, with zero month and day values
6736 # * A year and month value, with a zero day, e.g. a credit card expiration date
6737 #
6738 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
6739 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
6740 # month and day.
6741 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
6742 # if specifying a year by itself or a year and month where the day is not
6743 # significant.
6744 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
6745 # a year.
6746 },
6747 "stringValue": "A String", # string
6748 "booleanValue": True or False, # boolean
6749 "integerValue": "A String", # integer
6750 },
6751 },
6752 ],
6753 },
6754 "logicalOperator": "A String", # The operator to apply to the result of conditions. Default and currently
6755 # only supported value is `AND`.
6756 },
6757 },
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]6758 "infoTypeTransformations": { # A type of transformation that will scan unstructured text and # Treat the contents of the field as free text, and selectively
6759 # transform content that matches an `InfoType`.
6760 # apply various `PrimitiveTransformation`s to each finding, where the
6761 # transformation is applied to only values that were identified as a specific
6762 # info_type.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]6763 "transformations": [ # Required. Transformation for each infoType. Cannot specify more than one
6764 # for a given infoType.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]6765 { # A transformation to apply to text that is identified as a specific
6766 # info_type.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]6767 "primitiveTransformation": { # A rule for transforming a value. # Required. Primitive transformation to apply to the infoType.
6768 "cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given # Deterministic Crypto
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]6769 # input. Outputs a base64 encoded representation of the encrypted output.
6770 # Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.
6771 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function.
6772 # a key encryption key (KEK) stored by KMS).
6773 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
6774 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
6775 # unwrap the data crypto key.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]6776 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]6777 # The wrapped key must be a 128/192/256 bit key.
6778 # Authorization requires the following IAM permissions when sending a request
6779 # to perform a crypto transformation using a kms-wrapped crypto key:
6780 # dlp.kms.encrypt
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]6781 "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
6782 "wrappedKey": "A String", # Required. The wrapped data crypto key.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]6783 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]6784 "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]6785 # leaking the key. Choose another type of key if possible.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]6786 "key": "A String", # Required. A 128/192/256 bit key.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]6787 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]6788 "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]6789 # It will be discarded after the request finishes.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]6790 "name": "A String", # Required. Name of the key.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]6791 # This is an arbitrary string used to differentiate different keys.
6792 # A unique key is generated per name: two separate `TransientCryptoKey`
6793 # protos share the same generated key if their names are the same.
6794 # When the data crypto key is generated, this name is not used in any way
6795 # (repeating the api call will result in a different key being generated).
6796 },
6797 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]6798 "context": { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]6799 # referential integrity such that the same identifier in two different
6800 # contexts will be given a distinct surrogate. The context is appended to
6801 # plaintext value being encrypted. On decryption the provided context is
6802 # validated against the value used during encryption. If a context was
6803 # provided during encryption, same context must be provided during decryption
6804 # as well.
6805 #
6806 # If the context is not set, plaintext would be used as is for encryption.
6807 # If the context is set but:
6808 #
6809 # 1. there is no record present when transforming a given value or
6810 # 2. the field is not present when transforming a given value,
6811 #
6812 # plaintext would be used as is for encryption.
6813 #
6814 # Note that case (1) is expected when an `InfoTypeTransformation` is
6815 # applied to both structured and non-structured `ContentItem`s.
6816 "name": "A String", # Name describing the field.
6817 },
6818 "surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with.
6819 # This annotation will be applied to the surrogate by prefixing it with
6820 # the name of the custom info type followed by the number of
6821 # characters comprising the surrogate. The following scheme defines the
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]6822 # format: {info type name}({surrogate character count}):{surrogate}
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]6823 #
6824 # For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and
6825 # the surrogate is 'abc', the full replacement value
6826 # will be: 'MY_TOKEN_INFO_TYPE(3):abc'
6827 #
6828 # This annotation identifies the surrogate when inspecting content using the
6829 # custom info type 'Surrogate'. This facilitates reversal of the
6830 # surrogate when it occurs in free text.
6831 #
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]6832 # Note: For record transformations where the entire cell in a table is being
6833 # transformed, surrogates are not mandatory. Surrogates are used to denote
6834 # the location of the token and are necessary for re-identification in free
6835 # form text.
6836 #
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]6837 # In order for inspection to work properly, the name of this info type must
6838 # not occur naturally anywhere in your data; otherwise, inspection may either
6839 #
6840 # - reverse a surrogate that does not correspond to an actual identifier
6841 # - be unable to parse the surrogate and result in an error
6842 #
6843 # Therefore, choose your custom info type name carefully after considering
6844 # what your data looks like. One way to select a name that has a high chance
6845 # of yielding reliable detection is to include one or more unicode characters
6846 # that are highly improbable to exist in your data.
6847 # For example, assuming your data is entered from a regular ASCII keyboard,
6848 # the symbol with the hex code point 29DD might be used like so:
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]6849 # ⧝MY_TOKEN_TYPE.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]6850 "name": "A String", # Name of the information type. Either a name of your choosing when
6851 # creating a CustomInfoType, or one of the names listed
6852 # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
6853 # a built-in type. InfoType names should conform to the pattern
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]6854 # `[a-zA-Z0-9_]{1,64}`.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]6855 },
6856 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]6857 "characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a # Mask
6858 # fixed character. Masking can start from the beginning or end of the string.
6859 # This can be used on data of any type (numbers, longs, and so on) and when
6860 # de-identifying structured data we'll attempt to preserve the original data's
6861 # type. (This allows you to take a long like 123 and modify it to a string like
6862 # **3.
6863 "charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing
6864 # characters. For example, if the input string is `555-555-5555` and you
6865 # instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP
6866 # returns `***-**5-5555`.
6867 { # Characters to skip when doing deidentification of a value. These will be left
6868 # alone and skipped.
6869 "commonCharactersToIgnore": "A String", # Common characters to not transform when masking. Useful to avoid removing
6870 # punctuation.
6871 "charactersToSkip": "A String", # Characters to not transform when masking.
6872 },
6873 ],
6874 "numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be
6875 # masked. Skipped characters do not count towards this tally.
6876 "maskingCharacter": "A String", # Character to use to mask the sensitive values&amp;mdash;for example, `*` for an
6877 # alphabetic string such as a name, or `0` for a numeric string such as ZIP
6878 # code or credit card number. This string must have a length of 1. If not
6879 # supplied, this value defaults to `*` for strings, and `0` for digits.
6880 "reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is
6881 # `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the
6882 # input string `1234-5678-9012-3456` is masked as `00000000000000-3456`.
6883 # If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order`
6884 # is `true`, then the string `12345` is masked as `12***`.
6885 },
6886 "redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation` # Redact
6887 # transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the
6888 # output would be 'My phone number is '.
6889 },
6890 "replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type. # Replace with infotype
6891 },
6892 "fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The # Fixed size bucketing
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]6893 # Bucketing transformation can provide all of this functionality,
6894 # but requires more configuration. This message is provided as a convenience to
6895 # the user for simple bucketing strategies.
6896 #
6897 # The transformed value will be a hyphenated string of
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]6898 # {lower_bound}-{upper_bound}, i.e if lower_bound = 10 and upper_bound = 20
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]6899 # all values that are within this bucket will be replaced with "10-20".
6900 #
6901 # This can be used on data of type: double, long.
6902 #
6903 # If the bound Value type differs from the type of data
6904 # being transformed, we will first attempt converting the type of the data to
6905 # be transformed to match the type of the bound before comparing.
6906 #
6907 # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]6908 "lowerBound": { # Set of primitive values supported by the system. # Required. Lower bound value of buckets. All values less than `lower_bound` are
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]6909 # grouped together into a single bucket; for example if `lower_bound` = 10,
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]6910 # then all values less than 10 are replaced with the value “-10”.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]6911 # Note that for the purposes of inspection or transformation, the number
6912 # of bytes considered to comprise a 'Value' is based on its representation
6913 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
6914 # 123456789, the number of bytes would be counted as 9, even though an
6915 # int64 only holds up to 8 bytes of data.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]6916 "floatValue": 3.14, # float
6917 "timestampValue": "A String", # timestamp
6918 "dayOfWeekValue": "A String", # day of week
6919 "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]6920 # or are specified elsewhere. An API may choose to allow leap seconds. Related
6921 # types are google.type.Date and `google.protobuf.Timestamp`.
6922 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
6923 # to allow the value "24:00:00" for scenarios like business closing time.
6924 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
6925 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
6926 # allow the value 60 if it allows leap-seconds.
6927 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
6928 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]6929 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]6930 # and time zone are either specified elsewhere or are not significant. The date
6931 # is relative to the Proleptic Gregorian Calendar. This can represent:
6932 #
6933 # * A full date, with non-zero year, month and day values
6934 # * A month and day value, with a zero year, e.g. an anniversary
6935 # * A year on its own, with zero month and day values
6936 # * A year and month value, with a zero day, e.g. a credit card expiration date
6937 #
6938 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]6939 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
6940 # month and day.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]6941 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
6942 # if specifying a year by itself or a year and month where the day is not
6943 # significant.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]6944 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
6945 # a year.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]6946 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]6947 "stringValue": "A String", # string
6948 "booleanValue": True or False, # boolean
6949 "integerValue": "A String", # integer
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]6950 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]6951 "upperBound": { # Set of primitive values supported by the system. # Required. Upper bound value of buckets. All values greater than upper_bound are
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]6952 # grouped together into a single bucket; for example if `upper_bound` = 89,
6953 # then all values greater than 89 are replaced with the value “89+”.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]6954 # Note that for the purposes of inspection or transformation, the number
6955 # of bytes considered to comprise a 'Value' is based on its representation
6956 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
6957 # 123456789, the number of bytes would be counted as 9, even though an
6958 # int64 only holds up to 8 bytes of data.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]6959 "floatValue": 3.14, # float
6960 "timestampValue": "A String", # timestamp
6961 "dayOfWeekValue": "A String", # day of week
6962 "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]6963 # or are specified elsewhere. An API may choose to allow leap seconds. Related
6964 # types are google.type.Date and `google.protobuf.Timestamp`.
6965 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
6966 # to allow the value "24:00:00" for scenarios like business closing time.
6967 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
6968 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
6969 # allow the value 60 if it allows leap-seconds.
6970 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
6971 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]6972 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]6973 # and time zone are either specified elsewhere or are not significant. The date
6974 # is relative to the Proleptic Gregorian Calendar. This can represent:
6975 #
6976 # * A full date, with non-zero year, month and day values
6977 # * A month and day value, with a zero year, e.g. an anniversary
6978 # * A year on its own, with zero month and day values
6979 # * A year and month value, with a zero day, e.g. a credit card expiration date
6980 #
6981 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]6982 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
6983 # month and day.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]6984 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
6985 # if specifying a year by itself or a year and month where the day is not
6986 # significant.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]6987 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
6988 # a year.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]6989 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]6990 "stringValue": "A String", # string
6991 "booleanValue": True or False, # boolean
6992 "integerValue": "A String", # integer
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]6993 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]6994 "bucketSize": 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]6995 # `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the
6996 # following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60,
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]6997 # 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]6998 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]6999 "timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a # Time extraction
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]7000 # portion of the value.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]7001 "partToExtract": "A String", # The part of the time to keep.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]7002 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]7003 "dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the # Date Shift
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]7004 # same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting
7005 # to learn more.
7006 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]7007 # results in the same shift for the same context and crypto_key. If
7008 # set, must also set context. Can only be applied to table items.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]7009 # a key encryption key (KEK) stored by KMS).
7010 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
7011 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
7012 # unwrap the data crypto key.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]7013 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]7014 # The wrapped key must be a 128/192/256 bit key.
7015 # Authorization requires the following IAM permissions when sending a request
7016 # to perform a crypto transformation using a kms-wrapped crypto key:
7017 # dlp.kms.encrypt
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]7018 "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
7019 "wrappedKey": "A String", # Required. The wrapped data crypto key.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]7020 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]7021 "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]7022 # leaking the key. Choose another type of key if possible.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]7023 "key": "A String", # Required. A 128/192/256 bit key.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]7024 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]7025 "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]7026 # It will be discarded after the request finishes.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]7027 "name": "A String", # Required. Name of the key.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]7028 # This is an arbitrary string used to differentiate different keys.
7029 # A unique key is generated per name: two separate `TransientCryptoKey`
7030 # protos share the same generated key if their names are the same.
7031 # When the data crypto key is generated, this name is not used in any way
7032 # (repeating the api call will result in a different key being generated).
7033 },
7034 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]7035 "lowerBoundDays": 42, # Required. For example, -5 means shift date to at most 5 days back in the past.
7036 "upperBoundDays": 42, # Required. Range of shift in days. Actual shift will be selected at random within this
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]7037 # range (inclusive ends). Negative means shift to earlier in time. Must not
7038 # be more than 365250 days (1000 years) each direction.
7039 #
7040 # For example, 3 means shift date to at most 3 days into the future.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]7041 "context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]7042 # If set, must also set cryptoKey. If set, shift will be consistent for the
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]7043 # given context.
7044 "name": "A String", # Name describing the field.
7045 },
7046 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]7047 "cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption # Ffx-Fpe
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]7048 # (FPE) with the FFX mode of operation; however when used in the
7049 # `ReidentifyContent` API method, it serves the opposite function by reversing
7050 # the surrogate back into the original identifier. The identifier must be
7051 # encoded as ASCII. For a given crypto key and context, the same identifier
7052 # will be replaced with the same surrogate. Identifiers must be at least two
7053 # characters long. In the case that the identifier is the empty string, it will
7054 # be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn
7055 # more.
7056 #
7057 # Note: We recommend using CryptoDeterministicConfig for all use cases which
7058 # do not require preserving the input alphabet space and size, plus warrant
7059 # referential integrity.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]7060 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Required. The key used by the encryption algorithm.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]7061 # a key encryption key (KEK) stored by KMS).
7062 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
7063 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
7064 # unwrap the data crypto key.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]7065 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]7066 # The wrapped key must be a 128/192/256 bit key.
7067 # Authorization requires the following IAM permissions when sending a request
7068 # to perform a crypto transformation using a kms-wrapped crypto key:
7069 # dlp.kms.encrypt
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]7070 "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
7071 "wrappedKey": "A String", # Required. The wrapped data crypto key.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]7072 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]7073 "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]7074 # leaking the key. Choose another type of key if possible.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]7075 "key": "A String", # Required. A 128/192/256 bit key.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]7076 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]7077 "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]7078 # It will be discarded after the request finishes.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]7079 "name": "A String", # Required. Name of the key.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]7080 # This is an arbitrary string used to differentiate different keys.
7081 # A unique key is generated per name: two separate `TransientCryptoKey`
7082 # protos share the same generated key if their names are the same.
7083 # When the data crypto key is generated, this name is not used in any way
7084 # (repeating the api call will result in a different key being generated).
7085 },
7086 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]7087 "radix": 42, # The native way to select the alphabet. Must be in the range [2, 95].
7088 "commonAlphabet": "A String", # Common alphabets.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]7089 "customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters
7090 # that the FFX mode natively supports. This happens before/after
7091 # encryption/decryption.
7092 # Each character listed must appear only once.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]7093 # Number of characters must be in the range [2, 95].
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]7094 # This must be encoded as ASCII.
7095 # The order of characters does not matter.
7096 "context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same
7097 # identifier in two different contexts won't be given the same surrogate. If
7098 # the context is not set, a default tweak will be used.
7099 #
7100 # If the context is set but:
7101 #
7102 # 1. there is no record present when transforming a given value or
7103 # 1. the field is not present when transforming a given value,
7104 #
7105 # a default tweak will be used.
7106 #
7107 # Note that case (1) is expected when an `InfoTypeTransformation` is
7108 # applied to both structured and non-structured `ContentItem`s.
7109 # Currently, the referenced field may be of value type integer or string.
7110 #
7111 # The tweak is constructed as a sequence of bytes in big endian byte order
7112 # such that:
7113 #
7114 # - a 64 bit integer is encoded followed by a single byte of value 1
7115 # - a string is encoded in UTF-8 format followed by a single byte of value 2
7116 "name": "A String", # Name describing the field.
7117 },
7118 "surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with.
7119 # This annotation will be applied to the surrogate by prefixing it with
7120 # the name of the custom infoType followed by the number of
7121 # characters comprising the surrogate. The following scheme defines the
7122 # format: info_type_name(surrogate_character_count):surrogate
7123 #
7124 # For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and
7125 # the surrogate is 'abc', the full replacement value
7126 # will be: 'MY_TOKEN_INFO_TYPE(3):abc'
7127 #
7128 # This annotation identifies the surrogate when inspecting content using the
7129 # custom infoType
7130 # [`SurrogateType`](/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype).
7131 # This facilitates reversal of the surrogate when it occurs in free text.
7132 #
7133 # In order for inspection to work properly, the name of this infoType must
7134 # not occur naturally anywhere in your data; otherwise, inspection may
7135 # find a surrogate that does not correspond to an actual identifier.
7136 # Therefore, choose your custom infoType name carefully after considering
7137 # what your data looks like. One way to select a name that has a high chance
7138 # of yielding reliable detection is to include one or more unicode characters
7139 # that are highly improbable to exist in your data.
7140 # For example, assuming your data is entered from a regular ASCII keyboard,
7141 # the symbol with the hex code point 29DD might be used like so:
7142 # ⧝MY_TOKEN_TYPE
7143 "name": "A String", # Name of the information type. Either a name of your choosing when
7144 # creating a CustomInfoType, or one of the names listed
7145 # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
7146 # a built-in type. InfoType names should conform to the pattern
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]7147 # `[a-zA-Z0-9_]{1,64}`.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]7148 },
7149 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]7150 "bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and # Bucketing
7151 # replacement values are dynamically provided by the user for custom behavior,
7152 # such as 1-30 -&gt; LOW 31-65 -&gt; MEDIUM 66-100 -&gt; HIGH
7153 # This can be used on
7154 # data of type: number, long, string, timestamp.
7155 # If the bound `Value` type differs from the type of data being transformed, we
7156 # will first attempt converting the type of the data to be transformed to match
7157 # the type of the bound before comparing.
7158 # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
7159 "buckets": [ # Set of buckets. Ranges must be non-overlapping.
7160 { # Bucket is represented as a range, along with replacement values.
7161 "max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.
7162 # Note that for the purposes of inspection or transformation, the number
7163 # of bytes considered to comprise a 'Value' is based on its representation
7164 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
7165 # 123456789, the number of bytes would be counted as 9, even though an
7166 # int64 only holds up to 8 bytes of data.
7167 "floatValue": 3.14, # float
7168 "timestampValue": "A String", # timestamp
7169 "dayOfWeekValue": "A String", # day of week
7170 "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
7171 # or are specified elsewhere. An API may choose to allow leap seconds. Related
7172 # types are google.type.Date and `google.protobuf.Timestamp`.
7173 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
7174 # to allow the value "24:00:00" for scenarios like business closing time.
7175 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
7176 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
7177 # allow the value 60 if it allows leap-seconds.
7178 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
7179 },
7180 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
7181 # and time zone are either specified elsewhere or are not significant. The date
7182 # is relative to the Proleptic Gregorian Calendar. This can represent:
7183 #
7184 # * A full date, with non-zero year, month and day values
7185 # * A month and day value, with a zero year, e.g. an anniversary
7186 # * A year on its own, with zero month and day values
7187 # * A year and month value, with a zero day, e.g. a credit card expiration date
7188 #
7189 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
7190 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
7191 # month and day.
7192 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
7193 # if specifying a year by itself or a year and month where the day is not
7194 # significant.
7195 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
7196 # a year.
7197 },
7198 "stringValue": "A String", # string
7199 "booleanValue": True or False, # boolean
7200 "integerValue": "A String", # integer
7201 },
7202 "replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided
7203 # the default behavior will be to hyphenate the min-max range.
7204 # Note that for the purposes of inspection or transformation, the number
7205 # of bytes considered to comprise a 'Value' is based on its representation
7206 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
7207 # 123456789, the number of bytes would be counted as 9, even though an
7208 # int64 only holds up to 8 bytes of data.
7209 "floatValue": 3.14, # float
7210 "timestampValue": "A String", # timestamp
7211 "dayOfWeekValue": "A String", # day of week
7212 "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
7213 # or are specified elsewhere. An API may choose to allow leap seconds. Related
7214 # types are google.type.Date and `google.protobuf.Timestamp`.
7215 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
7216 # to allow the value "24:00:00" for scenarios like business closing time.
7217 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
7218 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
7219 # allow the value 60 if it allows leap-seconds.
7220 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
7221 },
7222 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
7223 # and time zone are either specified elsewhere or are not significant. The date
7224 # is relative to the Proleptic Gregorian Calendar. This can represent:
7225 #
7226 # * A full date, with non-zero year, month and day values
7227 # * A month and day value, with a zero year, e.g. an anniversary
7228 # * A year on its own, with zero month and day values
7229 # * A year and month value, with a zero day, e.g. a credit card expiration date
7230 #
7231 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
7232 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
7233 # month and day.
7234 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
7235 # if specifying a year by itself or a year and month where the day is not
7236 # significant.
7237 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
7238 # a year.
7239 },
7240 "stringValue": "A String", # string
7241 "booleanValue": True or False, # boolean
7242 "integerValue": "A String", # integer
7243 },
7244 "min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if
7245 # used.
7246 # Note that for the purposes of inspection or transformation, the number
7247 # of bytes considered to comprise a 'Value' is based on its representation
7248 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
7249 # 123456789, the number of bytes would be counted as 9, even though an
7250 # int64 only holds up to 8 bytes of data.
7251 "floatValue": 3.14, # float
7252 "timestampValue": "A String", # timestamp
7253 "dayOfWeekValue": "A String", # day of week
7254 "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
7255 # or are specified elsewhere. An API may choose to allow leap seconds. Related
7256 # types are google.type.Date and `google.protobuf.Timestamp`.
7257 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
7258 # to allow the value "24:00:00" for scenarios like business closing time.
7259 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
7260 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
7261 # allow the value 60 if it allows leap-seconds.
7262 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
7263 },
7264 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
7265 # and time zone are either specified elsewhere or are not significant. The date
7266 # is relative to the Proleptic Gregorian Calendar. This can represent:
7267 #
7268 # * A full date, with non-zero year, month and day values
7269 # * A month and day value, with a zero year, e.g. an anniversary
7270 # * A year on its own, with zero month and day values
7271 # * A year and month value, with a zero day, e.g. a credit card expiration date
7272 #
7273 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
7274 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
7275 # month and day.
7276 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
7277 # if specifying a year by itself or a year and month where the day is not
7278 # significant.
7279 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
7280 # a year.
7281 },
7282 "stringValue": "A String", # string
7283 "booleanValue": True or False, # boolean
7284 "integerValue": "A String", # integer
7285 },
7286 },
7287 ],
7288 },
7289 "cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing. # Crypto
7290 # Uses SHA-256.
7291 # The key size must be either 32 or 64 bytes.
7292 # Outputs a base64 encoded representation of the hashed output
7293 # (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).
7294 # Currently, only string and integer values can be hashed.
7295 # See https://cloud.google.com/dlp/docs/pseudonymization to learn more.
7296 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.
7297 # a key encryption key (KEK) stored by KMS).
7298 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
7299 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
7300 # unwrap the data crypto key.
7301 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
7302 # The wrapped key must be a 128/192/256 bit key.
7303 # Authorization requires the following IAM permissions when sending a request
7304 # to perform a crypto transformation using a kms-wrapped crypto key:
7305 # dlp.kms.encrypt
7306 "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
7307 "wrappedKey": "A String", # Required. The wrapped data crypto key.
7308 },
7309 "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
7310 # leaking the key. Choose another type of key if possible.
7311 "key": "A String", # Required. A 128/192/256 bit key.
7312 },
7313 "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
7314 # It will be discarded after the request finishes.
7315 "name": "A String", # Required. Name of the key.
7316 # This is an arbitrary string used to differentiate different keys.
7317 # A unique key is generated per name: two separate `TransientCryptoKey`
7318 # protos share the same generated key if their names are the same.
7319 # When the data crypto key is generated, this name is not used in any way
7320 # (repeating the api call will result in a different key being generated).
7321 },
7322 },
7323 },
7324 "replaceConfig": { # Replace each input value with a given `Value`. # Replace
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]7325 "newValue": { # Set of primitive values supported by the system. # Value to replace it with.
7326 # Note that for the purposes of inspection or transformation, the number
7327 # of bytes considered to comprise a 'Value' is based on its representation
7328 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
7329 # 123456789, the number of bytes would be counted as 9, even though an
7330 # int64 only holds up to 8 bytes of data.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]7331 "floatValue": 3.14, # float
7332 "timestampValue": "A String", # timestamp
7333 "dayOfWeekValue": "A String", # day of week
7334 "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]7335 # or are specified elsewhere. An API may choose to allow leap seconds. Related
7336 # types are google.type.Date and `google.protobuf.Timestamp`.
7337 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
7338 # to allow the value "24:00:00" for scenarios like business closing time.
7339 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
7340 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
7341 # allow the value 60 if it allows leap-seconds.
7342 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
7343 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]7344 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]7345 # and time zone are either specified elsewhere or are not significant. The date
7346 # is relative to the Proleptic Gregorian Calendar. This can represent:
7347 #
7348 # * A full date, with non-zero year, month and day values
7349 # * A month and day value, with a zero year, e.g. an anniversary
7350 # * A year on its own, with zero month and day values
7351 # * A year and month value, with a zero day, e.g. a credit card expiration date
7352 #
7353 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]7354 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
7355 # month and day.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]7356 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
7357 # if specifying a year by itself or a year and month where the day is not
7358 # significant.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]7359 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
7360 # a year.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]7361 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]7362 "stringValue": "A String", # string
7363 "booleanValue": True or False, # boolean
7364 "integerValue": "A String", # integer
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]7365 },
7366 },
7367 },
7368 "infoTypes": [ # InfoTypes to apply the transformation to. An empty list will cause
7369 # this transformation to apply to all findings that correspond to
7370 # infoTypes that were requested in `InspectConfig`.
7371 { # Type of information detected by the API.
7372 "name": "A String", # Name of the information type. Either a name of your choosing when
7373 # creating a CustomInfoType, or one of the names listed
7374 # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
7375 # a built-in type. InfoType names should conform to the pattern
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]7376 # `[a-zA-Z0-9_]{1,64}`.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]7377 },
7378 ],
7379 },
7380 ],
7381 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]7382 },
7383 ],
7384 },
7385 "transformationErrorHandling": { # How to handle transformation errors during de-identification. A # Mode for handling transformation errors. If left unspecified, the default
7386 # mode is `TransformationErrorHandling.ThrowError`.
7387 # transformation error occurs when the requested transformation is incompatible
7388 # with the data. For example, trying to de-identify an IP address using a
7389 # `DateShift` transformation would result in a transformation error, since date
7390 # info cannot be extracted from an IP address.
7391 # Information about any incompatible transformations, and how they were
7392 # handled, is returned in the response as part of the
7393 # `TransformationOverviews`.
7394 "throwError": { # Throw an error and fail the request when a transformation error occurs. # Throw an error
7395 },
7396 "leaveUntransformed": { # Skips the data without modifying it if the requested transformation would # Ignore errors
7397 # cause an error. For example, if a `DateShift` transformation were applied
7398 # an an IP address, this mode would leave the IP address unchanged in the
7399 # response.
7400 },
7401 },
7402 },
7403 "inspectTemplateName": "A String", # Template to use. Any configuration directly specified in
7404 # `inspect_config` will override those set in the template. Singular fields
7405 # that are set in this request will replace their corresponding fields in the
7406 # template. Repeated fields are appended. Singular sub-messages and groups
7407 # are recursively merged.
7408 "item": { # Container structure for the content to inspect. # The item to re-identify. Will be treated as text.
7409 "table": { # Structured content to inspect. Up to 50,000 `Value`s per request allowed. # Structured content for inspection. See
7410 # https://cloud.google.com/dlp/docs/inspecting-text#inspecting_a_table to
7411 # learn more.
7412 # See https://cloud.google.com/dlp/docs/inspecting-text#inspecting_a_table to
7413 # learn more.
7414 "headers": [ # Headers of the table.
7415 { # General identifier of a data field in a storage service.
7416 "name": "A String", # Name describing the field.
7417 },
7418 ],
7419 "rows": [ # Rows of the table.
7420 { # Values of the row.
7421 "values": [ # Individual cells.
7422 { # Set of primitive values supported by the system.
7423 # Note that for the purposes of inspection or transformation, the number
7424 # of bytes considered to comprise a 'Value' is based on its representation
7425 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
7426 # 123456789, the number of bytes would be counted as 9, even though an
7427 # int64 only holds up to 8 bytes of data.
7428 "floatValue": 3.14, # float
7429 "timestampValue": "A String", # timestamp
7430 "dayOfWeekValue": "A String", # day of week
7431 "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
7432 # or are specified elsewhere. An API may choose to allow leap seconds. Related
7433 # types are google.type.Date and `google.protobuf.Timestamp`.
7434 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
7435 # to allow the value "24:00:00" for scenarios like business closing time.
7436 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
7437 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
7438 # allow the value 60 if it allows leap-seconds.
7439 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]7440 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]7441 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
7442 # and time zone are either specified elsewhere or are not significant. The date
7443 # is relative to the Proleptic Gregorian Calendar. This can represent:
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]7444 #
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]7445 # * A full date, with non-zero year, month and day values
7446 # * A month and day value, with a zero year, e.g. an anniversary
7447 # * A year on its own, with zero month and day values
7448 # * A year and month value, with a zero day, e.g. a credit card expiration date
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]7449 #
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]7450 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
7451 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
7452 # month and day.
7453 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
7454 # if specifying a year by itself or a year and month where the day is not
7455 # significant.
7456 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
7457 # a year.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]7458 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]7459 "stringValue": "A String", # string
7460 "booleanValue": True or False, # boolean
7461 "integerValue": "A String", # integer
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]7462 },
7463 ],
7464 },
7465 ],
7466 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]7467 "byteItem": { # Container for bytes to inspect or redact. # Content data to inspect or redact. Replaces `type` and `data`.
7468 "type": "A String", # The type of data stored in the bytes string. Default will be TEXT_UTF8.
7469 "data": "A String", # Content data to inspect or redact.
7470 },
7471 "value": "A String", # String data to inspect or redact.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]7472 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]7473 "reidentifyTemplateName": "A String", # Template to use. References an instance of `DeidentifyTemplate`.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]7474 # Any configuration directly specified in `reidentify_config` or
7475 # `inspect_config` will override those set in the template. Singular fields
7476 # that are set in this request will replace their corresponding fields in the
7477 # template. Repeated fields are appended. Singular sub-messages and groups
7478 # are recursively merged.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]7479 "locationId": "A String", # The geographic location to process content reidentification. Reserved for
7480 # future extensions.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]7481 "inspectConfig": { # Configuration description of the scanning process. # Configuration for the inspector.
7482 # When used with redactContent only info_types and min_likelihood are currently
7483 # used.
7484 "excludeInfoTypes": True or False, # When true, excludes type information of the findings.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]7485 "limits": { # Configuration to control the number of findings returned. # Configuration to control the number of findings returned.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]7486 "maxFindingsPerRequest": 42, # Max number of findings that will be returned per request/job.
7487 # When set within `InspectContentRequest`, the maximum returned is 2000
7488 # regardless if this is set higher.
7489 "maxFindingsPerInfoType": [ # Configuration of findings limit given for specified infoTypes.
7490 { # Max findings configuration per infoType, per content item or long
7491 # running DlpJob.
7492 "infoType": { # Type of information detected by the API. # Type of information the findings limit applies to. Only one limit per
7493 # info_type should be provided. If InfoTypeLimit does not have an
7494 # info_type, the DLP API applies the limit against all info_types that
7495 # are found but not specified in another InfoTypeLimit.
7496 "name": "A String", # Name of the information type. Either a name of your choosing when
7497 # creating a CustomInfoType, or one of the names listed
7498 # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
7499 # a built-in type. InfoType names should conform to the pattern
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]7500 # `[a-zA-Z0-9_]{1,64}`.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]7501 },
7502 "maxFindings": 42, # Max findings limit for the given infoType.
7503 },
7504 ],
7505 "maxFindingsPerItem": 42, # Max number of findings that will be returned for each item scanned.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]7506 # When set within `InspectJobConfig`,
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]7507 # the maximum returned is 2000 regardless if this is set higher.
7508 # When set within `InspectContentRequest`, this field is ignored.
7509 },
7510 "minLikelihood": "A String", # Only returns findings equal or above this threshold. The default is
7511 # POSSIBLE.
7512 # See https://cloud.google.com/dlp/docs/likelihood to learn more.
7513 "customInfoTypes": [ # CustomInfoTypes provided by the user. See
7514 # https://cloud.google.com/dlp/docs/creating-custom-infotypes to learn more.
7515 { # Custom information type provided by the user. Used to find domain-specific
7516 # sensitive information configurable to the data in question.
7517 "regex": { # Message defining a custom regular expression. # Regular expression based CustomInfoType.
7518 "pattern": "A String", # Pattern defining the regular expression. Its syntax
7519 # (https://github.com/google/re2/wiki/Syntax) can be found under the
7520 # google/re2 repository on GitHub.
7521 "groupIndexes": [ # The index of the submatch to extract as findings. When not
7522 # specified, the entire match is returned. No more than 3 may be included.
7523 42,
7524 ],
7525 },
7526 "surrogateType": { # Message for detecting output from deidentification transformations # Message for detecting output from deidentification transformations that
7527 # support reversing.
7528 # such as
7529 # [`CryptoReplaceFfxFpeConfig`](/dlp/docs/reference/rest/v2/organizations.deidentifyTemplates#cryptoreplaceffxfpeconfig).
7530 # These types of transformations are
7531 # those that perform pseudonymization, thereby producing a "surrogate" as
7532 # output. This should be used in conjunction with a field on the
7533 # transformation such as `surrogate_info_type`. This CustomInfoType does
7534 # not support the use of `detection_rules`.
7535 },
7536 "infoType": { # Type of information detected by the API. # CustomInfoType can either be a new infoType, or an extension of built-in
7537 # infoType, when the name matches one of existing infoTypes and that infoType
7538 # is specified in `InspectContent.info_types` field. Specifying the latter
7539 # adds findings to the one detected by the system. If built-in info type is
7540 # not specified in `InspectContent.info_types` list then the name is treated
7541 # as a custom info type.
7542 "name": "A String", # Name of the information type. Either a name of your choosing when
7543 # creating a CustomInfoType, or one of the names listed
7544 # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
7545 # a built-in type. InfoType names should conform to the pattern
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]7546 # `[a-zA-Z0-9_]{1,64}`.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]7547 },
7548 "dictionary": { # Custom information type based on a dictionary of words or phrases. This can # A list of phrases to detect as a CustomInfoType.
7549 # be used to match sensitive information specific to the data, such as a list
7550 # of employee IDs or job titles.
7551 #
7552 # Dictionary words are case-insensitive and all characters other than letters
7553 # and digits in the unicode [Basic Multilingual
7554 # Plane](https://en.wikipedia.org/wiki/Plane_%28Unicode%29#Basic_Multilingual_Plane)
7555 # will be replaced with whitespace when scanning for matches, so the
7556 # dictionary phrase "Sam Johnson" will match all three phrases "sam johnson",
7557 # "Sam, Johnson", and "Sam (Johnson)". Additionally, the characters
7558 # surrounding any match must be of a different type than the adjacent
7559 # characters within the word, so letters must be next to non-letters and
7560 # digits next to non-digits. For example, the dictionary word "jen" will
7561 # match the first three letters of the text "jen123" but will return no
7562 # matches for "jennifer".
7563 #
7564 # Dictionary words containing a large number of characters that are not
7565 # letters or digits may result in unexpected findings because such characters
7566 # are treated as whitespace. The
7567 # [limits](https://cloud.google.com/dlp/limits) page contains details about
7568 # the size limits of dictionaries. For dictionaries that do not fit within
7569 # these constraints, consider using `LargeCustomDictionaryConfig` in the
7570 # `StoredInfoType` API.
7571 "wordList": { # Message defining a list of words or phrases to search for in the data. # List of words or phrases to search for.
7572 "words": [ # Words or phrases defining the dictionary. The dictionary must contain
7573 # at least one phrase and every phrase must contain at least 2 characters
7574 # that are letters or digits. [required]
7575 "A String",
7576 ],
7577 },
7578 "cloudStoragePath": { # Message representing a single file or path in Cloud Storage. # Newline-delimited file of words in Cloud Storage. Only a single file
7579 # is accepted.
7580 "path": "A String", # A url representing a file or path (no wildcards) in Cloud Storage.
7581 # Example: gs://[BUCKET_NAME]/dictionary.txt
7582 },
7583 },
7584 "storedType": { # A reference to a StoredInfoType to use with scanning. # Load an existing `StoredInfoType` resource for use in
7585 # `InspectDataSource`. Not currently supported in `InspectContent`.
7586 "name": "A String", # Resource name of the requested `StoredInfoType`, for example
7587 # `organizations/433245324/storedInfoTypes/432452342` or
7588 # `projects/project-id/storedInfoTypes/432452342`.
7589 "createTime": "A String", # Timestamp indicating when the version of the `StoredInfoType` used for
7590 # inspection was created. Output-only field, populated by the system.
7591 },
7592 "detectionRules": [ # Set of detection rules to apply to all findings of this CustomInfoType.
7593 # Rules are applied in order that they are specified. Not supported for the
7594 # `surrogate_type` CustomInfoType.
7595 { # Deprecated; use `InspectionRuleSet` instead. Rule for modifying a
7596 # `CustomInfoType` to alter behavior under certain circumstances, depending
7597 # on the specific details of the rule. Not supported for the `surrogate_type`
7598 # custom infoType.
7599 "hotwordRule": { # The rule that adjusts the likelihood of findings within a certain # Hotword-based detection rule.
7600 # proximity of hotwords.
7601 "proximity": { # Message for specifying a window around a finding to apply a detection # Proximity of the finding within which the entire hotword must reside.
7602 # The total length of the window cannot exceed 1000 characters. Note that
7603 # the finding itself will be included in the window, so that hotwords may
7604 # be used to match substrings of the finding itself. For example, the
7605 # certainty of a phone number regex "\(\d{3}\) \d{3}-\d{4}" could be
7606 # adjusted upwards if the area code is known to be the local area code of
7607 # a company office using the hotword regex "\(xxx\)", where "xxx"
7608 # is the area code in question.
7609 # rule.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]7610 "windowBefore": 42, # Number of characters before the finding to consider.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]7611 "windowAfter": 42, # Number of characters after the finding to consider.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]7612 },
7613 "hotwordRegex": { # Message defining a custom regular expression. # Regular expression pattern defining what qualifies as a hotword.
7614 "pattern": "A String", # Pattern defining the regular expression. Its syntax
7615 # (https://github.com/google/re2/wiki/Syntax) can be found under the
7616 # google/re2 repository on GitHub.
7617 "groupIndexes": [ # The index of the submatch to extract as findings. When not
7618 # specified, the entire match is returned. No more than 3 may be included.
7619 42,
7620 ],
7621 },
7622 "likelihoodAdjustment": { # Message for specifying an adjustment to the likelihood of a finding as # Likelihood adjustment to apply to all matching findings.
7623 # part of a detection rule.
7624 "relativeLikelihood": 42, # Increase or decrease the likelihood by the specified number of
7625 # levels. For example, if a finding would be `POSSIBLE` without the
7626 # detection rule and `relative_likelihood` is 1, then it is upgraded to
7627 # `LIKELY`, while a value of -1 would downgrade it to `UNLIKELY`.
7628 # Likelihood may never drop below `VERY_UNLIKELY` or exceed
7629 # `VERY_LIKELY`, so applying an adjustment of 1 followed by an
7630 # adjustment of -1 when base likelihood is `VERY_LIKELY` will result in
7631 # a final likelihood of `LIKELY`.
7632 "fixedLikelihood": "A String", # Set the likelihood of a finding to a fixed value.
7633 },
7634 },
7635 },
7636 ],
7637 "exclusionType": "A String", # If set to EXCLUSION_TYPE_EXCLUDE this infoType will not cause a finding
7638 # to be returned. It still can be used for rules matching.
7639 "likelihood": "A String", # Likelihood to return for this CustomInfoType. This base value can be
7640 # altered by a detection rule if the finding meets the criteria specified by
7641 # the rule. Defaults to `VERY_LIKELY` if not specified.
7642 },
7643 ],
7644 "includeQuote": True or False, # When true, a contextual quote from the data that triggered a finding is
7645 # included in the response; see Finding.quote.
7646 "ruleSet": [ # Set of rules to apply to the findings for this InspectConfig.
7647 # Exclusion rules, contained in the set are executed in the end, other
7648 # rules are executed in the order they are specified for each info type.
7649 { # Rule set for modifying a set of infoTypes to alter behavior under certain
7650 # circumstances, depending on the specific details of the rules within the set.
7651 "rules": [ # Set of rules to be applied to infoTypes. The rules are applied in order.
7652 { # A single inspection rule to be applied to infoTypes, specified in
7653 # `InspectionRuleSet`.
7654 "hotwordRule": { # The rule that adjusts the likelihood of findings within a certain # Hotword-based detection rule.
7655 # proximity of hotwords.
7656 "proximity": { # Message for specifying a window around a finding to apply a detection # Proximity of the finding within which the entire hotword must reside.
7657 # The total length of the window cannot exceed 1000 characters. Note that
7658 # the finding itself will be included in the window, so that hotwords may
7659 # be used to match substrings of the finding itself. For example, the
7660 # certainty of a phone number regex "\(\d{3}\) \d{3}-\d{4}" could be
7661 # adjusted upwards if the area code is known to be the local area code of
7662 # a company office using the hotword regex "\(xxx\)", where "xxx"
7663 # is the area code in question.
7664 # rule.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]7665 "windowBefore": 42, # Number of characters before the finding to consider.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]7666 "windowAfter": 42, # Number of characters after the finding to consider.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]7667 },
7668 "hotwordRegex": { # Message defining a custom regular expression. # Regular expression pattern defining what qualifies as a hotword.
7669 "pattern": "A String", # Pattern defining the regular expression. Its syntax
7670 # (https://github.com/google/re2/wiki/Syntax) can be found under the
7671 # google/re2 repository on GitHub.
7672 "groupIndexes": [ # The index of the submatch to extract as findings. When not
7673 # specified, the entire match is returned. No more than 3 may be included.
7674 42,
7675 ],
7676 },
7677 "likelihoodAdjustment": { # Message for specifying an adjustment to the likelihood of a finding as # Likelihood adjustment to apply to all matching findings.
7678 # part of a detection rule.
7679 "relativeLikelihood": 42, # Increase or decrease the likelihood by the specified number of
7680 # levels. For example, if a finding would be `POSSIBLE` without the
7681 # detection rule and `relative_likelihood` is 1, then it is upgraded to
7682 # `LIKELY`, while a value of -1 would downgrade it to `UNLIKELY`.
7683 # Likelihood may never drop below `VERY_UNLIKELY` or exceed
7684 # `VERY_LIKELY`, so applying an adjustment of 1 followed by an
7685 # adjustment of -1 when base likelihood is `VERY_LIKELY` will result in
7686 # a final likelihood of `LIKELY`.
7687 "fixedLikelihood": "A String", # Set the likelihood of a finding to a fixed value.
7688 },
7689 },
7690 "exclusionRule": { # The rule that specifies conditions when findings of infoTypes specified in # Exclusion rule.
7691 # `InspectionRuleSet` are removed from results.
7692 "regex": { # Message defining a custom regular expression. # Regular expression which defines the rule.
7693 "pattern": "A String", # Pattern defining the regular expression. Its syntax
7694 # (https://github.com/google/re2/wiki/Syntax) can be found under the
7695 # google/re2 repository on GitHub.
7696 "groupIndexes": [ # The index of the submatch to extract as findings. When not
7697 # specified, the entire match is returned. No more than 3 may be included.
7698 42,
7699 ],
7700 },
7701 "excludeInfoTypes": { # List of exclude infoTypes. # Set of infoTypes for which findings would affect this rule.
7702 "infoTypes": [ # InfoType list in ExclusionRule rule drops a finding when it overlaps or
7703 # contained within with a finding of an infoType from this list. For
7704 # example, for `InspectionRuleSet.info_types` containing "PHONE_NUMBER"` and
7705 # `exclusion_rule` containing `exclude_info_types.info_types` with
7706 # "EMAIL_ADDRESS" the phone number findings are dropped if they overlap
7707 # with EMAIL_ADDRESS finding.
7708 # That leads to "555-222-2222@example.org" to generate only a single
7709 # finding, namely email address.
7710 { # Type of information detected by the API.
7711 "name": "A String", # Name of the information type. Either a name of your choosing when
7712 # creating a CustomInfoType, or one of the names listed
7713 # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
7714 # a built-in type. InfoType names should conform to the pattern
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]7715 # `[a-zA-Z0-9_]{1,64}`.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]7716 },
7717 ],
7718 },
7719 "dictionary": { # Custom information type based on a dictionary of words or phrases. This can # Dictionary which defines the rule.
7720 # be used to match sensitive information specific to the data, such as a list
7721 # of employee IDs or job titles.
7722 #
7723 # Dictionary words are case-insensitive and all characters other than letters
7724 # and digits in the unicode [Basic Multilingual
7725 # Plane](https://en.wikipedia.org/wiki/Plane_%28Unicode%29#Basic_Multilingual_Plane)
7726 # will be replaced with whitespace when scanning for matches, so the
7727 # dictionary phrase "Sam Johnson" will match all three phrases "sam johnson",
7728 # "Sam, Johnson", and "Sam (Johnson)". Additionally, the characters
7729 # surrounding any match must be of a different type than the adjacent
7730 # characters within the word, so letters must be next to non-letters and
7731 # digits next to non-digits. For example, the dictionary word "jen" will
7732 # match the first three letters of the text "jen123" but will return no
7733 # matches for "jennifer".
7734 #
7735 # Dictionary words containing a large number of characters that are not
7736 # letters or digits may result in unexpected findings because such characters
7737 # are treated as whitespace. The
7738 # [limits](https://cloud.google.com/dlp/limits) page contains details about
7739 # the size limits of dictionaries. For dictionaries that do not fit within
7740 # these constraints, consider using `LargeCustomDictionaryConfig` in the
7741 # `StoredInfoType` API.
7742 "wordList": { # Message defining a list of words or phrases to search for in the data. # List of words or phrases to search for.
7743 "words": [ # Words or phrases defining the dictionary. The dictionary must contain
7744 # at least one phrase and every phrase must contain at least 2 characters
7745 # that are letters or digits. [required]
7746 "A String",
7747 ],
7748 },
7749 "cloudStoragePath": { # Message representing a single file or path in Cloud Storage. # Newline-delimited file of words in Cloud Storage. Only a single file
7750 # is accepted.
7751 "path": "A String", # A url representing a file or path (no wildcards) in Cloud Storage.
7752 # Example: gs://[BUCKET_NAME]/dictionary.txt
7753 },
7754 },
7755 "matchingType": "A String", # How the rule is applied, see MatchingType documentation for details.
7756 },
7757 },
7758 ],
7759 "infoTypes": [ # List of infoTypes this rule set is applied to.
7760 { # Type of information detected by the API.
7761 "name": "A String", # Name of the information type. Either a name of your choosing when
7762 # creating a CustomInfoType, or one of the names listed
7763 # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
7764 # a built-in type. InfoType names should conform to the pattern
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]7765 # `[a-zA-Z0-9_]{1,64}`.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]7766 },
7767 ],
7768 },
7769 ],
7770 "contentOptions": [ # List of options defining data content to scan.
7771 # If empty, text, images, and other content will be included.
7772 "A String",
7773 ],
7774 "infoTypes": [ # Restricts what info_types to look for. The values must correspond to
7775 # InfoType values returned by ListInfoTypes or listed at
7776 # https://cloud.google.com/dlp/docs/infotypes-reference.
7777 #
7778 # When no InfoTypes or CustomInfoTypes are specified in a request, the
7779 # system may automatically choose what detectors to run. By default this may
7780 # be all types, but may change over time as detectors are updated.
7781 #
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]7782 # If you need precise control and predictability as to what detectors are
7783 # run you should specify specific InfoTypes listed in the reference,
7784 # otherwise a default list will be used, which may change over time.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]7785 { # Type of information detected by the API.
7786 "name": "A String", # Name of the information type. Either a name of your choosing when
7787 # creating a CustomInfoType, or one of the names listed
7788 # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
7789 # a built-in type. InfoType names should conform to the pattern
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]7790 # `[a-zA-Z0-9_]{1,64}`.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]7791 },
7792 ],
7793 },
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]7794 }
7795
7796 x__xgafv: string, V1 error format.
7797 Allowed values
7798 1 - v1 error format
7799 2 - v2 error format
7800
7801Returns:
7802 An object of the form:
7803
7804 { # Results of re-identifying a item.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]7805 "item": { # Container structure for the content to inspect. # The re-identified item.
7806 "table": { # Structured content to inspect. Up to 50,000 `Value`s per request allowed. # Structured content for inspection. See
7807 # https://cloud.google.com/dlp/docs/inspecting-text#inspecting_a_table to
7808 # learn more.
7809 # See https://cloud.google.com/dlp/docs/inspecting-text#inspecting_a_table to
7810 # learn more.
7811 "headers": [ # Headers of the table.
7812 { # General identifier of a data field in a storage service.
7813 "name": "A String", # Name describing the field.
7814 },
7815 ],
7816 "rows": [ # Rows of the table.
7817 { # Values of the row.
7818 "values": [ # Individual cells.
7819 { # Set of primitive values supported by the system.
7820 # Note that for the purposes of inspection or transformation, the number
7821 # of bytes considered to comprise a 'Value' is based on its representation
7822 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
7823 # 123456789, the number of bytes would be counted as 9, even though an
7824 # int64 only holds up to 8 bytes of data.
7825 "floatValue": 3.14, # float
7826 "timestampValue": "A String", # timestamp
7827 "dayOfWeekValue": "A String", # day of week
7828 "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
7829 # or are specified elsewhere. An API may choose to allow leap seconds. Related
7830 # types are google.type.Date and `google.protobuf.Timestamp`.
7831 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
7832 # to allow the value "24:00:00" for scenarios like business closing time.
7833 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
7834 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
7835 # allow the value 60 if it allows leap-seconds.
7836 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
7837 },
7838 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
7839 # and time zone are either specified elsewhere or are not significant. The date
7840 # is relative to the Proleptic Gregorian Calendar. This can represent:
7841 #
7842 # * A full date, with non-zero year, month and day values
7843 # * A month and day value, with a zero year, e.g. an anniversary
7844 # * A year on its own, with zero month and day values
7845 # * A year and month value, with a zero day, e.g. a credit card expiration date
7846 #
7847 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
7848 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
7849 # month and day.
7850 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
7851 # if specifying a year by itself or a year and month where the day is not
7852 # significant.
7853 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
7854 # a year.
7855 },
7856 "stringValue": "A String", # string
7857 "booleanValue": True or False, # boolean
7858 "integerValue": "A String", # integer
7859 },
7860 ],
7861 },
7862 ],
7863 },
7864 "byteItem": { # Container for bytes to inspect or redact. # Content data to inspect or redact. Replaces `type` and `data`.
7865 "type": "A String", # The type of data stored in the bytes string. Default will be TEXT_UTF8.
7866 "data": "A String", # Content data to inspect or redact.
7867 },
7868 "value": "A String", # String data to inspect or redact.
7869 },
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]7870 "overview": { # Overview of the modifications that occurred. # An overview of the changes that were made to the `item`.
7871 "transformationSummaries": [ # Transformations applied to the dataset.
7872 { # Summary of a single transformation.
7873 # Only one of 'transformation', 'field_transformation', or 'record_suppress'
7874 # will be set.
7875 "infoType": { # Type of information detected by the API. # Set if the transformation was limited to a specific InfoType.
7876 "name": "A String", # Name of the information type. Either a name of your choosing when
7877 # creating a CustomInfoType, or one of the names listed
7878 # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
7879 # a built-in type. InfoType names should conform to the pattern
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]7880 # `[a-zA-Z0-9_]{1,64}`.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]7881 },
7882 "recordSuppress": { # Configuration to suppress records whose suppression conditions evaluate to # The specific suppression option these stats apply to.
7883 # true.
7884 "condition": { # A condition for determining whether a transformation should be applied to # A condition that when it evaluates to true will result in the record being
7885 # evaluated to be suppressed from the transformed content.
7886 # a field.
7887 "expressions": { # An expression, consisting or an operator and conditions. # An expression.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]7888 "conditions": { # A collection of conditions. # Conditions to apply to the expression.
7889 "conditions": [ # A collection of conditions.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]7890 { # The field type of `value` and `field` do not need to match to be
7891 # considered equal, but not all comparisons are possible.
7892 # EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types,
7893 # but all other comparisons are invalid with incompatible types.
7894 # A `value` of type:
7895 #
7896 # - `string` can be compared against all other types
7897 # - `boolean` can only be compared against other booleans
7898 # - `integer` can be compared against doubles or a string if the string value
7899 # can be parsed as an integer.
7900 # - `double` can be compared against integers or a string if the string can
7901 # be parsed as a double.
7902 # - `Timestamp` can be compared against strings in RFC 3339 date string
7903 # format.
7904 # - `TimeOfDay` can be compared against timestamps and strings in the format
7905 # of 'HH:mm:ss'.
7906 #
7907 # If we fail to compare do to type mismatch, a warning will be given and
7908 # the condition will evaluate to false.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]7909 "operator": "A String", # Required. Operator used to compare the field or infoType to the value.
7910 "field": { # General identifier of a data field in a storage service. # Required. Field within the record this condition is evaluated against.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]7911 "name": "A String", # Name describing the field.
7912 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]7913 "value": { # Set of primitive values supported by the system. # Value to compare against. [Mandatory, except for `EXISTS` tests.]
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]7914 # Note that for the purposes of inspection or transformation, the number
7915 # of bytes considered to comprise a 'Value' is based on its representation
7916 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
7917 # 123456789, the number of bytes would be counted as 9, even though an
7918 # int64 only holds up to 8 bytes of data.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]7919 "floatValue": 3.14, # float
7920 "timestampValue": "A String", # timestamp
7921 "dayOfWeekValue": "A String", # day of week
7922 "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]7923 # or are specified elsewhere. An API may choose to allow leap seconds. Related
7924 # types are google.type.Date and `google.protobuf.Timestamp`.
7925 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
7926 # to allow the value "24:00:00" for scenarios like business closing time.
7927 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
7928 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
7929 # allow the value 60 if it allows leap-seconds.
7930 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
7931 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]7932 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]7933 # and time zone are either specified elsewhere or are not significant. The date
7934 # is relative to the Proleptic Gregorian Calendar. This can represent:
7935 #
7936 # * A full date, with non-zero year, month and day values
7937 # * A month and day value, with a zero year, e.g. an anniversary
7938 # * A year on its own, with zero month and day values
7939 # * A year and month value, with a zero day, e.g. a credit card expiration date
7940 #
7941 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]7942 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
7943 # month and day.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]7944 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
7945 # if specifying a year by itself or a year and month where the day is not
7946 # significant.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]7947 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
7948 # a year.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]7949 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]7950 "stringValue": "A String", # string
7951 "booleanValue": True or False, # boolean
7952 "integerValue": "A String", # integer
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]7953 },
7954 },
7955 ],
7956 },
7957 "logicalOperator": "A String", # The operator to apply to the result of conditions. Default and currently
7958 # only supported value is `AND`.
7959 },
7960 },
7961 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]7962 "results": [ # Collection of all transformations that took place or had an error.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]7963 { # A collection that informs the user the number of times a particular
7964 # `TransformationResultCode` and error details occurred.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]7965 "count": "A String", # Number of transformations counted by this result.
7966 "code": "A String", # Outcome of the transformation.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]7967 "details": "A String", # A place for warnings or errors to show up if a transformation didn't
7968 # work as expected.
7969 },
7970 ],
7971 "field": { # General identifier of a data field in a storage service. # Set if the transformation was limited to a specific FieldId.
7972 "name": "A String", # Name describing the field.
7973 },
7974 "fieldTransformations": [ # The field transformation that was applied.
7975 # If multiple field transformations are requested for a single field,
7976 # this list will contain all of them; otherwise, only one is supplied.
7977 { # The transformation to apply to the field.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]7978 "fields": [ # Required. Input field(s) to apply the transformation to.
7979 { # General identifier of a data field in a storage service.
7980 "name": "A String", # Name describing the field.
7981 },
7982 ],
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]7983 "primitiveTransformation": { # A rule for transforming a value. # Apply the transformation to the entire field.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]7984 "cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given # Deterministic Crypto
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]7985 # input. Outputs a base64 encoded representation of the encrypted output.
7986 # Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.
7987 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function.
7988 # a key encryption key (KEK) stored by KMS).
7989 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
7990 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
7991 # unwrap the data crypto key.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]7992 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]7993 # The wrapped key must be a 128/192/256 bit key.
7994 # Authorization requires the following IAM permissions when sending a request
7995 # to perform a crypto transformation using a kms-wrapped crypto key:
7996 # dlp.kms.encrypt
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]7997 "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
7998 "wrappedKey": "A String", # Required. The wrapped data crypto key.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]7999 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]8000 "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]8001 # leaking the key. Choose another type of key if possible.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]8002 "key": "A String", # Required. A 128/192/256 bit key.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]8003 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]8004 "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]8005 # It will be discarded after the request finishes.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]8006 "name": "A String", # Required. Name of the key.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]8007 # This is an arbitrary string used to differentiate different keys.
8008 # A unique key is generated per name: two separate `TransientCryptoKey`
8009 # protos share the same generated key if their names are the same.
8010 # When the data crypto key is generated, this name is not used in any way
8011 # (repeating the api call will result in a different key being generated).
8012 },
8013 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]8014 "context": { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]8015 # referential integrity such that the same identifier in two different
8016 # contexts will be given a distinct surrogate. The context is appended to
8017 # plaintext value being encrypted. On decryption the provided context is
8018 # validated against the value used during encryption. If a context was
8019 # provided during encryption, same context must be provided during decryption
8020 # as well.
8021 #
8022 # If the context is not set, plaintext would be used as is for encryption.
8023 # If the context is set but:
8024 #
8025 # 1. there is no record present when transforming a given value or
8026 # 2. the field is not present when transforming a given value,
8027 #
8028 # plaintext would be used as is for encryption.
8029 #
8030 # Note that case (1) is expected when an `InfoTypeTransformation` is
8031 # applied to both structured and non-structured `ContentItem`s.
8032 "name": "A String", # Name describing the field.
8033 },
8034 "surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with.
8035 # This annotation will be applied to the surrogate by prefixing it with
8036 # the name of the custom info type followed by the number of
8037 # characters comprising the surrogate. The following scheme defines the
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]8038 # format: {info type name}({surrogate character count}):{surrogate}
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]8039 #
8040 # For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and
8041 # the surrogate is 'abc', the full replacement value
8042 # will be: 'MY_TOKEN_INFO_TYPE(3):abc'
8043 #
8044 # This annotation identifies the surrogate when inspecting content using the
8045 # custom info type 'Surrogate'. This facilitates reversal of the
8046 # surrogate when it occurs in free text.
8047 #
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]8048 # Note: For record transformations where the entire cell in a table is being
8049 # transformed, surrogates are not mandatory. Surrogates are used to denote
8050 # the location of the token and are necessary for re-identification in free
8051 # form text.
8052 #
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]8053 # In order for inspection to work properly, the name of this info type must
8054 # not occur naturally anywhere in your data; otherwise, inspection may either
8055 #
8056 # - reverse a surrogate that does not correspond to an actual identifier
8057 # - be unable to parse the surrogate and result in an error
8058 #
8059 # Therefore, choose your custom info type name carefully after considering
8060 # what your data looks like. One way to select a name that has a high chance
8061 # of yielding reliable detection is to include one or more unicode characters
8062 # that are highly improbable to exist in your data.
8063 # For example, assuming your data is entered from a regular ASCII keyboard,
8064 # the symbol with the hex code point 29DD might be used like so:
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]8065 # ⧝MY_TOKEN_TYPE.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]8066 "name": "A String", # Name of the information type. Either a name of your choosing when
8067 # creating a CustomInfoType, or one of the names listed
8068 # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
8069 # a built-in type. InfoType names should conform to the pattern
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]8070 # `[a-zA-Z0-9_]{1,64}`.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]8071 },
8072 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]8073 "characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a # Mask
8074 # fixed character. Masking can start from the beginning or end of the string.
8075 # This can be used on data of any type (numbers, longs, and so on) and when
8076 # de-identifying structured data we'll attempt to preserve the original data's
8077 # type. (This allows you to take a long like 123 and modify it to a string like
8078 # **3.
8079 "charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing
8080 # characters. For example, if the input string is `555-555-5555` and you
8081 # instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP
8082 # returns `***-**5-5555`.
8083 { # Characters to skip when doing deidentification of a value. These will be left
8084 # alone and skipped.
8085 "commonCharactersToIgnore": "A String", # Common characters to not transform when masking. Useful to avoid removing
8086 # punctuation.
8087 "charactersToSkip": "A String", # Characters to not transform when masking.
8088 },
8089 ],
8090 "numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be
8091 # masked. Skipped characters do not count towards this tally.
8092 "maskingCharacter": "A String", # Character to use to mask the sensitive values&amp;mdash;for example, `*` for an
8093 # alphabetic string such as a name, or `0` for a numeric string such as ZIP
8094 # code or credit card number. This string must have a length of 1. If not
8095 # supplied, this value defaults to `*` for strings, and `0` for digits.
8096 "reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is
8097 # `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the
8098 # input string `1234-5678-9012-3456` is masked as `00000000000000-3456`.
8099 # If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order`
8100 # is `true`, then the string `12345` is masked as `12***`.
8101 },
8102 "redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation` # Redact
8103 # transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the
8104 # output would be 'My phone number is '.
8105 },
8106 "replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type. # Replace with infotype
8107 },
8108 "fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The # Fixed size bucketing
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]8109 # Bucketing transformation can provide all of this functionality,
8110 # but requires more configuration. This message is provided as a convenience to
8111 # the user for simple bucketing strategies.
8112 #
8113 # The transformed value will be a hyphenated string of
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]8114 # {lower_bound}-{upper_bound}, i.e if lower_bound = 10 and upper_bound = 20
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]8115 # all values that are within this bucket will be replaced with "10-20".
8116 #
8117 # This can be used on data of type: double, long.
8118 #
8119 # If the bound Value type differs from the type of data
8120 # being transformed, we will first attempt converting the type of the data to
8121 # be transformed to match the type of the bound before comparing.
8122 #
8123 # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]8124 "lowerBound": { # Set of primitive values supported by the system. # Required. Lower bound value of buckets. All values less than `lower_bound` are
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]8125 # grouped together into a single bucket; for example if `lower_bound` = 10,
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]8126 # then all values less than 10 are replaced with the value “-10”.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]8127 # Note that for the purposes of inspection or transformation, the number
8128 # of bytes considered to comprise a 'Value' is based on its representation
8129 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
8130 # 123456789, the number of bytes would be counted as 9, even though an
8131 # int64 only holds up to 8 bytes of data.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]8132 "floatValue": 3.14, # float
8133 "timestampValue": "A String", # timestamp
8134 "dayOfWeekValue": "A String", # day of week
8135 "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]8136 # or are specified elsewhere. An API may choose to allow leap seconds. Related
8137 # types are google.type.Date and `google.protobuf.Timestamp`.
8138 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
8139 # to allow the value "24:00:00" for scenarios like business closing time.
8140 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
8141 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
8142 # allow the value 60 if it allows leap-seconds.
8143 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
8144 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]8145 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]8146 # and time zone are either specified elsewhere or are not significant. The date
8147 # is relative to the Proleptic Gregorian Calendar. This can represent:
8148 #
8149 # * A full date, with non-zero year, month and day values
8150 # * A month and day value, with a zero year, e.g. an anniversary
8151 # * A year on its own, with zero month and day values
8152 # * A year and month value, with a zero day, e.g. a credit card expiration date
8153 #
8154 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]8155 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
8156 # month and day.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]8157 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
8158 # if specifying a year by itself or a year and month where the day is not
8159 # significant.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]8160 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
8161 # a year.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]8162 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]8163 "stringValue": "A String", # string
8164 "booleanValue": True or False, # boolean
8165 "integerValue": "A String", # integer
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]8166 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]8167 "upperBound": { # Set of primitive values supported by the system. # Required. Upper bound value of buckets. All values greater than upper_bound are
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]8168 # grouped together into a single bucket; for example if `upper_bound` = 89,
8169 # then all values greater than 89 are replaced with the value “89+”.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]8170 # Note that for the purposes of inspection or transformation, the number
8171 # of bytes considered to comprise a 'Value' is based on its representation
8172 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
8173 # 123456789, the number of bytes would be counted as 9, even though an
8174 # int64 only holds up to 8 bytes of data.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]8175 "floatValue": 3.14, # float
8176 "timestampValue": "A String", # timestamp
8177 "dayOfWeekValue": "A String", # day of week
8178 "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]8179 # or are specified elsewhere. An API may choose to allow leap seconds. Related
8180 # types are google.type.Date and `google.protobuf.Timestamp`.
8181 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
8182 # to allow the value "24:00:00" for scenarios like business closing time.
8183 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
8184 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
8185 # allow the value 60 if it allows leap-seconds.
8186 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
8187 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]8188 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]8189 # and time zone are either specified elsewhere or are not significant. The date
8190 # is relative to the Proleptic Gregorian Calendar. This can represent:
8191 #
8192 # * A full date, with non-zero year, month and day values
8193 # * A month and day value, with a zero year, e.g. an anniversary
8194 # * A year on its own, with zero month and day values
8195 # * A year and month value, with a zero day, e.g. a credit card expiration date
8196 #
8197 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]8198 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
8199 # month and day.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]8200 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
8201 # if specifying a year by itself or a year and month where the day is not
8202 # significant.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]8203 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
8204 # a year.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]8205 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]8206 "stringValue": "A String", # string
8207 "booleanValue": True or False, # boolean
8208 "integerValue": "A String", # integer
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]8209 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]8210 "bucketSize": 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]8211 # `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the
8212 # following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60,
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]8213 # 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]8214 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]8215 "timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a # Time extraction
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]8216 # portion of the value.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]8217 "partToExtract": "A String", # The part of the time to keep.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]8218 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]8219 "dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the # Date Shift
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]8220 # same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting
8221 # to learn more.
8222 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]8223 # results in the same shift for the same context and crypto_key. If
8224 # set, must also set context. Can only be applied to table items.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]8225 # a key encryption key (KEK) stored by KMS).
8226 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
8227 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
8228 # unwrap the data crypto key.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]8229 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]8230 # The wrapped key must be a 128/192/256 bit key.
8231 # Authorization requires the following IAM permissions when sending a request
8232 # to perform a crypto transformation using a kms-wrapped crypto key:
8233 # dlp.kms.encrypt
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]8234 "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
8235 "wrappedKey": "A String", # Required. The wrapped data crypto key.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]8236 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]8237 "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]8238 # leaking the key. Choose another type of key if possible.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]8239 "key": "A String", # Required. A 128/192/256 bit key.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]8240 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]8241 "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]8242 # It will be discarded after the request finishes.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]8243 "name": "A String", # Required. Name of the key.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]8244 # This is an arbitrary string used to differentiate different keys.
8245 # A unique key is generated per name: two separate `TransientCryptoKey`
8246 # protos share the same generated key if their names are the same.
8247 # When the data crypto key is generated, this name is not used in any way
8248 # (repeating the api call will result in a different key being generated).
8249 },
8250 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]8251 "lowerBoundDays": 42, # Required. For example, -5 means shift date to at most 5 days back in the past.
8252 "upperBoundDays": 42, # Required. Range of shift in days. Actual shift will be selected at random within this
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]8253 # range (inclusive ends). Negative means shift to earlier in time. Must not
8254 # be more than 365250 days (1000 years) each direction.
8255 #
8256 # For example, 3 means shift date to at most 3 days into the future.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]8257 "context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]8258 # If set, must also set cryptoKey. If set, shift will be consistent for the
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]8259 # given context.
8260 "name": "A String", # Name describing the field.
8261 },
8262 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]8263 "cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption # Ffx-Fpe
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]8264 # (FPE) with the FFX mode of operation; however when used in the
8265 # `ReidentifyContent` API method, it serves the opposite function by reversing
8266 # the surrogate back into the original identifier. The identifier must be
8267 # encoded as ASCII. For a given crypto key and context, the same identifier
8268 # will be replaced with the same surrogate. Identifiers must be at least two
8269 # characters long. In the case that the identifier is the empty string, it will
8270 # be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn
8271 # more.
8272 #
8273 # Note: We recommend using CryptoDeterministicConfig for all use cases which
8274 # do not require preserving the input alphabet space and size, plus warrant
8275 # referential integrity.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]8276 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Required. The key used by the encryption algorithm.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]8277 # a key encryption key (KEK) stored by KMS).
8278 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
8279 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
8280 # unwrap the data crypto key.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]8281 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]8282 # The wrapped key must be a 128/192/256 bit key.
8283 # Authorization requires the following IAM permissions when sending a request
8284 # to perform a crypto transformation using a kms-wrapped crypto key:
8285 # dlp.kms.encrypt
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]8286 "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
8287 "wrappedKey": "A String", # Required. The wrapped data crypto key.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]8288 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]8289 "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]8290 # leaking the key. Choose another type of key if possible.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]8291 "key": "A String", # Required. A 128/192/256 bit key.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]8292 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]8293 "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]8294 # It will be discarded after the request finishes.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]8295 "name": "A String", # Required. Name of the key.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]8296 # This is an arbitrary string used to differentiate different keys.
8297 # A unique key is generated per name: two separate `TransientCryptoKey`
8298 # protos share the same generated key if their names are the same.
8299 # When the data crypto key is generated, this name is not used in any way
8300 # (repeating the api call will result in a different key being generated).
8301 },
8302 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]8303 "radix": 42, # The native way to select the alphabet. Must be in the range [2, 95].
8304 "commonAlphabet": "A String", # Common alphabets.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]8305 "customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters
8306 # that the FFX mode natively supports. This happens before/after
8307 # encryption/decryption.
8308 # Each character listed must appear only once.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]8309 # Number of characters must be in the range [2, 95].
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]8310 # This must be encoded as ASCII.
8311 # The order of characters does not matter.
8312 "context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same
8313 # identifier in two different contexts won't be given the same surrogate. If
8314 # the context is not set, a default tweak will be used.
8315 #
8316 # If the context is set but:
8317 #
8318 # 1. there is no record present when transforming a given value or
8319 # 1. the field is not present when transforming a given value,
8320 #
8321 # a default tweak will be used.
8322 #
8323 # Note that case (1) is expected when an `InfoTypeTransformation` is
8324 # applied to both structured and non-structured `ContentItem`s.
8325 # Currently, the referenced field may be of value type integer or string.
8326 #
8327 # The tweak is constructed as a sequence of bytes in big endian byte order
8328 # such that:
8329 #
8330 # - a 64 bit integer is encoded followed by a single byte of value 1
8331 # - a string is encoded in UTF-8 format followed by a single byte of value 2
8332 "name": "A String", # Name describing the field.
8333 },
8334 "surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with.
8335 # This annotation will be applied to the surrogate by prefixing it with
8336 # the name of the custom infoType followed by the number of
8337 # characters comprising the surrogate. The following scheme defines the
8338 # format: info_type_name(surrogate_character_count):surrogate
8339 #
8340 # For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and
8341 # the surrogate is 'abc', the full replacement value
8342 # will be: 'MY_TOKEN_INFO_TYPE(3):abc'
8343 #
8344 # This annotation identifies the surrogate when inspecting content using the
8345 # custom infoType
8346 # [`SurrogateType`](/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype).
8347 # This facilitates reversal of the surrogate when it occurs in free text.
8348 #
8349 # In order for inspection to work properly, the name of this infoType must
8350 # not occur naturally anywhere in your data; otherwise, inspection may
8351 # find a surrogate that does not correspond to an actual identifier.
8352 # Therefore, choose your custom infoType name carefully after considering
8353 # what your data looks like. One way to select a name that has a high chance
8354 # of yielding reliable detection is to include one or more unicode characters
8355 # that are highly improbable to exist in your data.
8356 # For example, assuming your data is entered from a regular ASCII keyboard,
8357 # the symbol with the hex code point 29DD might be used like so:
8358 # ⧝MY_TOKEN_TYPE
8359 "name": "A String", # Name of the information type. Either a name of your choosing when
8360 # creating a CustomInfoType, or one of the names listed
8361 # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
8362 # a built-in type. InfoType names should conform to the pattern
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]8363 # `[a-zA-Z0-9_]{1,64}`.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]8364 },
8365 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]8366 "bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and # Bucketing
8367 # replacement values are dynamically provided by the user for custom behavior,
8368 # such as 1-30 -&gt; LOW 31-65 -&gt; MEDIUM 66-100 -&gt; HIGH
8369 # This can be used on
8370 # data of type: number, long, string, timestamp.
8371 # If the bound `Value` type differs from the type of data being transformed, we
8372 # will first attempt converting the type of the data to be transformed to match
8373 # the type of the bound before comparing.
8374 # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
8375 "buckets": [ # Set of buckets. Ranges must be non-overlapping.
8376 { # Bucket is represented as a range, along with replacement values.
8377 "max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.
8378 # Note that for the purposes of inspection or transformation, the number
8379 # of bytes considered to comprise a 'Value' is based on its representation
8380 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
8381 # 123456789, the number of bytes would be counted as 9, even though an
8382 # int64 only holds up to 8 bytes of data.
8383 "floatValue": 3.14, # float
8384 "timestampValue": "A String", # timestamp
8385 "dayOfWeekValue": "A String", # day of week
8386 "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
8387 # or are specified elsewhere. An API may choose to allow leap seconds. Related
8388 # types are google.type.Date and `google.protobuf.Timestamp`.
8389 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
8390 # to allow the value "24:00:00" for scenarios like business closing time.
8391 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
8392 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
8393 # allow the value 60 if it allows leap-seconds.
8394 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
8395 },
8396 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
8397 # and time zone are either specified elsewhere or are not significant. The date
8398 # is relative to the Proleptic Gregorian Calendar. This can represent:
8399 #
8400 # * A full date, with non-zero year, month and day values
8401 # * A month and day value, with a zero year, e.g. an anniversary
8402 # * A year on its own, with zero month and day values
8403 # * A year and month value, with a zero day, e.g. a credit card expiration date
8404 #
8405 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
8406 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
8407 # month and day.
8408 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
8409 # if specifying a year by itself or a year and month where the day is not
8410 # significant.
8411 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
8412 # a year.
8413 },
8414 "stringValue": "A String", # string
8415 "booleanValue": True or False, # boolean
8416 "integerValue": "A String", # integer
8417 },
8418 "replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided
8419 # the default behavior will be to hyphenate the min-max range.
8420 # Note that for the purposes of inspection or transformation, the number
8421 # of bytes considered to comprise a 'Value' is based on its representation
8422 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
8423 # 123456789, the number of bytes would be counted as 9, even though an
8424 # int64 only holds up to 8 bytes of data.
8425 "floatValue": 3.14, # float
8426 "timestampValue": "A String", # timestamp
8427 "dayOfWeekValue": "A String", # day of week
8428 "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
8429 # or are specified elsewhere. An API may choose to allow leap seconds. Related
8430 # types are google.type.Date and `google.protobuf.Timestamp`.
8431 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
8432 # to allow the value "24:00:00" for scenarios like business closing time.
8433 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
8434 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
8435 # allow the value 60 if it allows leap-seconds.
8436 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
8437 },
8438 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
8439 # and time zone are either specified elsewhere or are not significant. The date
8440 # is relative to the Proleptic Gregorian Calendar. This can represent:
8441 #
8442 # * A full date, with non-zero year, month and day values
8443 # * A month and day value, with a zero year, e.g. an anniversary
8444 # * A year on its own, with zero month and day values
8445 # * A year and month value, with a zero day, e.g. a credit card expiration date
8446 #
8447 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
8448 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
8449 # month and day.
8450 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
8451 # if specifying a year by itself or a year and month where the day is not
8452 # significant.
8453 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
8454 # a year.
8455 },
8456 "stringValue": "A String", # string
8457 "booleanValue": True or False, # boolean
8458 "integerValue": "A String", # integer
8459 },
8460 "min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if
8461 # used.
8462 # Note that for the purposes of inspection or transformation, the number
8463 # of bytes considered to comprise a 'Value' is based on its representation
8464 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
8465 # 123456789, the number of bytes would be counted as 9, even though an
8466 # int64 only holds up to 8 bytes of data.
8467 "floatValue": 3.14, # float
8468 "timestampValue": "A String", # timestamp
8469 "dayOfWeekValue": "A String", # day of week
8470 "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
8471 # or are specified elsewhere. An API may choose to allow leap seconds. Related
8472 # types are google.type.Date and `google.protobuf.Timestamp`.
8473 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
8474 # to allow the value "24:00:00" for scenarios like business closing time.
8475 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
8476 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
8477 # allow the value 60 if it allows leap-seconds.
8478 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
8479 },
8480 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
8481 # and time zone are either specified elsewhere or are not significant. The date
8482 # is relative to the Proleptic Gregorian Calendar. This can represent:
8483 #
8484 # * A full date, with non-zero year, month and day values
8485 # * A month and day value, with a zero year, e.g. an anniversary
8486 # * A year on its own, with zero month and day values
8487 # * A year and month value, with a zero day, e.g. a credit card expiration date
8488 #
8489 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
8490 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
8491 # month and day.
8492 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
8493 # if specifying a year by itself or a year and month where the day is not
8494 # significant.
8495 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
8496 # a year.
8497 },
8498 "stringValue": "A String", # string
8499 "booleanValue": True or False, # boolean
8500 "integerValue": "A String", # integer
8501 },
8502 },
8503 ],
8504 },
8505 "cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing. # Crypto
8506 # Uses SHA-256.
8507 # The key size must be either 32 or 64 bytes.
8508 # Outputs a base64 encoded representation of the hashed output
8509 # (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).
8510 # Currently, only string and integer values can be hashed.
8511 # See https://cloud.google.com/dlp/docs/pseudonymization to learn more.
8512 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.
8513 # a key encryption key (KEK) stored by KMS).
8514 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
8515 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
8516 # unwrap the data crypto key.
8517 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
8518 # The wrapped key must be a 128/192/256 bit key.
8519 # Authorization requires the following IAM permissions when sending a request
8520 # to perform a crypto transformation using a kms-wrapped crypto key:
8521 # dlp.kms.encrypt
8522 "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
8523 "wrappedKey": "A String", # Required. The wrapped data crypto key.
8524 },
8525 "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
8526 # leaking the key. Choose another type of key if possible.
8527 "key": "A String", # Required. A 128/192/256 bit key.
8528 },
8529 "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
8530 # It will be discarded after the request finishes.
8531 "name": "A String", # Required. Name of the key.
8532 # This is an arbitrary string used to differentiate different keys.
8533 # A unique key is generated per name: two separate `TransientCryptoKey`
8534 # protos share the same generated key if their names are the same.
8535 # When the data crypto key is generated, this name is not used in any way
8536 # (repeating the api call will result in a different key being generated).
8537 },
8538 },
8539 },
8540 "replaceConfig": { # Replace each input value with a given `Value`. # Replace
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]8541 "newValue": { # Set of primitive values supported by the system. # Value to replace it with.
8542 # Note that for the purposes of inspection or transformation, the number
8543 # of bytes considered to comprise a 'Value' is based on its representation
8544 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
8545 # 123456789, the number of bytes would be counted as 9, even though an
8546 # int64 only holds up to 8 bytes of data.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]8547 "floatValue": 3.14, # float
8548 "timestampValue": "A String", # timestamp
8549 "dayOfWeekValue": "A String", # day of week
8550 "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]8551 # or are specified elsewhere. An API may choose to allow leap seconds. Related
8552 # types are google.type.Date and `google.protobuf.Timestamp`.
8553 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
8554 # to allow the value "24:00:00" for scenarios like business closing time.
8555 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
8556 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
8557 # allow the value 60 if it allows leap-seconds.
8558 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
8559 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]8560 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]8561 # and time zone are either specified elsewhere or are not significant. The date
8562 # is relative to the Proleptic Gregorian Calendar. This can represent:
8563 #
8564 # * A full date, with non-zero year, month and day values
8565 # * A month and day value, with a zero year, e.g. an anniversary
8566 # * A year on its own, with zero month and day values
8567 # * A year and month value, with a zero day, e.g. a credit card expiration date
8568 #
8569 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]8570 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
8571 # month and day.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]8572 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
8573 # if specifying a year by itself or a year and month where the day is not
8574 # significant.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]8575 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
8576 # a year.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]8577 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]8578 "stringValue": "A String", # string
8579 "booleanValue": True or False, # boolean
8580 "integerValue": "A String", # integer
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]8581 },
8582 },
8583 },
8584 "condition": { # A condition for determining whether a transformation should be applied to # Only apply the transformation if the condition evaluates to true for the
8585 # given `RecordCondition`. The conditions are allowed to reference fields
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]8586 # that are not used in the actual transformation.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]8587 #
8588 # Example Use Cases:
8589 #
8590 # - Apply a different bucket transformation to an age column if the zip code
8591 # column for the same record is within a specific range.
8592 # - Redact a field if the date of birth field is greater than 85.
8593 # a field.
8594 "expressions": { # An expression, consisting or an operator and conditions. # An expression.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]8595 "conditions": { # A collection of conditions. # Conditions to apply to the expression.
8596 "conditions": [ # A collection of conditions.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]8597 { # The field type of `value` and `field` do not need to match to be
8598 # considered equal, but not all comparisons are possible.
8599 # EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types,
8600 # but all other comparisons are invalid with incompatible types.
8601 # A `value` of type:
8602 #
8603 # - `string` can be compared against all other types
8604 # - `boolean` can only be compared against other booleans
8605 # - `integer` can be compared against doubles or a string if the string value
8606 # can be parsed as an integer.
8607 # - `double` can be compared against integers or a string if the string can
8608 # be parsed as a double.
8609 # - `Timestamp` can be compared against strings in RFC 3339 date string
8610 # format.
8611 # - `TimeOfDay` can be compared against timestamps and strings in the format
8612 # of 'HH:mm:ss'.
8613 #
8614 # If we fail to compare do to type mismatch, a warning will be given and
8615 # the condition will evaluate to false.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]8616 "operator": "A String", # Required. Operator used to compare the field or infoType to the value.
8617 "field": { # General identifier of a data field in a storage service. # Required. Field within the record this condition is evaluated against.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]8618 "name": "A String", # Name describing the field.
8619 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]8620 "value": { # Set of primitive values supported by the system. # Value to compare against. [Mandatory, except for `EXISTS` tests.]
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]8621 # Note that for the purposes of inspection or transformation, the number
8622 # of bytes considered to comprise a 'Value' is based on its representation
8623 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
8624 # 123456789, the number of bytes would be counted as 9, even though an
8625 # int64 only holds up to 8 bytes of data.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]8626 "floatValue": 3.14, # float
8627 "timestampValue": "A String", # timestamp
8628 "dayOfWeekValue": "A String", # day of week
8629 "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]8630 # or are specified elsewhere. An API may choose to allow leap seconds. Related
8631 # types are google.type.Date and `google.protobuf.Timestamp`.
8632 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
8633 # to allow the value "24:00:00" for scenarios like business closing time.
8634 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
8635 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
8636 # allow the value 60 if it allows leap-seconds.
8637 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
8638 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]8639 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]8640 # and time zone are either specified elsewhere or are not significant. The date
8641 # is relative to the Proleptic Gregorian Calendar. This can represent:
8642 #
8643 # * A full date, with non-zero year, month and day values
8644 # * A month and day value, with a zero year, e.g. an anniversary
8645 # * A year on its own, with zero month and day values
8646 # * A year and month value, with a zero day, e.g. a credit card expiration date
8647 #
8648 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]8649 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
8650 # month and day.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]8651 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
8652 # if specifying a year by itself or a year and month where the day is not
8653 # significant.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]8654 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
8655 # a year.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]8656 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]8657 "stringValue": "A String", # string
8658 "booleanValue": True or False, # boolean
8659 "integerValue": "A String", # integer
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]8660 },
8661 },
8662 ],
8663 },
8664 "logicalOperator": "A String", # The operator to apply to the result of conditions. Default and currently
8665 # only supported value is `AND`.
8666 },
8667 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]8668 "infoTypeTransformations": { # A type of transformation that will scan unstructured text and # Treat the contents of the field as free text, and selectively
8669 # transform content that matches an `InfoType`.
8670 # apply various `PrimitiveTransformation`s to each finding, where the
8671 # transformation is applied to only values that were identified as a specific
8672 # info_type.
8673 "transformations": [ # Required. Transformation for each infoType. Cannot specify more than one
8674 # for a given infoType.
8675 { # A transformation to apply to text that is identified as a specific
8676 # info_type.
8677 "primitiveTransformation": { # A rule for transforming a value. # Required. Primitive transformation to apply to the infoType.
8678 "cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given # Deterministic Crypto
8679 # input. Outputs a base64 encoded representation of the encrypted output.
8680 # Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.
8681 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function.
8682 # a key encryption key (KEK) stored by KMS).
8683 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
8684 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
8685 # unwrap the data crypto key.
8686 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
8687 # The wrapped key must be a 128/192/256 bit key.
8688 # Authorization requires the following IAM permissions when sending a request
8689 # to perform a crypto transformation using a kms-wrapped crypto key:
8690 # dlp.kms.encrypt
8691 "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
8692 "wrappedKey": "A String", # Required. The wrapped data crypto key.
8693 },
8694 "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
8695 # leaking the key. Choose another type of key if possible.
8696 "key": "A String", # Required. A 128/192/256 bit key.
8697 },
8698 "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
8699 # It will be discarded after the request finishes.
8700 "name": "A String", # Required. Name of the key.
8701 # This is an arbitrary string used to differentiate different keys.
8702 # A unique key is generated per name: two separate `TransientCryptoKey`
8703 # protos share the same generated key if their names are the same.
8704 # When the data crypto key is generated, this name is not used in any way
8705 # (repeating the api call will result in a different key being generated).
8706 },
8707 },
8708 "context": { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining
8709 # referential integrity such that the same identifier in two different
8710 # contexts will be given a distinct surrogate. The context is appended to
8711 # plaintext value being encrypted. On decryption the provided context is
8712 # validated against the value used during encryption. If a context was
8713 # provided during encryption, same context must be provided during decryption
8714 # as well.
8715 #
8716 # If the context is not set, plaintext would be used as is for encryption.
8717 # If the context is set but:
8718 #
8719 # 1. there is no record present when transforming a given value or
8720 # 2. the field is not present when transforming a given value,
8721 #
8722 # plaintext would be used as is for encryption.
8723 #
8724 # Note that case (1) is expected when an `InfoTypeTransformation` is
8725 # applied to both structured and non-structured `ContentItem`s.
8726 "name": "A String", # Name describing the field.
8727 },
8728 "surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with.
8729 # This annotation will be applied to the surrogate by prefixing it with
8730 # the name of the custom info type followed by the number of
8731 # characters comprising the surrogate. The following scheme defines the
8732 # format: {info type name}({surrogate character count}):{surrogate}
8733 #
8734 # For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and
8735 # the surrogate is 'abc', the full replacement value
8736 # will be: 'MY_TOKEN_INFO_TYPE(3):abc'
8737 #
8738 # This annotation identifies the surrogate when inspecting content using the
8739 # custom info type 'Surrogate'. This facilitates reversal of the
8740 # surrogate when it occurs in free text.
8741 #
8742 # Note: For record transformations where the entire cell in a table is being
8743 # transformed, surrogates are not mandatory. Surrogates are used to denote
8744 # the location of the token and are necessary for re-identification in free
8745 # form text.
8746 #
8747 # In order for inspection to work properly, the name of this info type must
8748 # not occur naturally anywhere in your data; otherwise, inspection may either
8749 #
8750 # - reverse a surrogate that does not correspond to an actual identifier
8751 # - be unable to parse the surrogate and result in an error
8752 #
8753 # Therefore, choose your custom info type name carefully after considering
8754 # what your data looks like. One way to select a name that has a high chance
8755 # of yielding reliable detection is to include one or more unicode characters
8756 # that are highly improbable to exist in your data.
8757 # For example, assuming your data is entered from a regular ASCII keyboard,
8758 # the symbol with the hex code point 29DD might be used like so:
8759 # ⧝MY_TOKEN_TYPE.
8760 "name": "A String", # Name of the information type. Either a name of your choosing when
8761 # creating a CustomInfoType, or one of the names listed
8762 # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
8763 # a built-in type. InfoType names should conform to the pattern
8764 # `[a-zA-Z0-9_]{1,64}`.
8765 },
8766 },
8767 "characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a # Mask
8768 # fixed character. Masking can start from the beginning or end of the string.
8769 # This can be used on data of any type (numbers, longs, and so on) and when
8770 # de-identifying structured data we'll attempt to preserve the original data's
8771 # type. (This allows you to take a long like 123 and modify it to a string like
8772 # **3.
8773 "charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing
8774 # characters. For example, if the input string is `555-555-5555` and you
8775 # instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP
8776 # returns `***-**5-5555`.
8777 { # Characters to skip when doing deidentification of a value. These will be left
8778 # alone and skipped.
8779 "commonCharactersToIgnore": "A String", # Common characters to not transform when masking. Useful to avoid removing
8780 # punctuation.
8781 "charactersToSkip": "A String", # Characters to not transform when masking.
8782 },
8783 ],
8784 "numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be
8785 # masked. Skipped characters do not count towards this tally.
8786 "maskingCharacter": "A String", # Character to use to mask the sensitive values&amp;mdash;for example, `*` for an
8787 # alphabetic string such as a name, or `0` for a numeric string such as ZIP
8788 # code or credit card number. This string must have a length of 1. If not
8789 # supplied, this value defaults to `*` for strings, and `0` for digits.
8790 "reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is
8791 # `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the
8792 # input string `1234-5678-9012-3456` is masked as `00000000000000-3456`.
8793 # If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order`
8794 # is `true`, then the string `12345` is masked as `12***`.
8795 },
8796 "redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation` # Redact
8797 # transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the
8798 # output would be 'My phone number is '.
8799 },
8800 "replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type. # Replace with infotype
8801 },
8802 "fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The # Fixed size bucketing
8803 # Bucketing transformation can provide all of this functionality,
8804 # but requires more configuration. This message is provided as a convenience to
8805 # the user for simple bucketing strategies.
8806 #
8807 # The transformed value will be a hyphenated string of
8808 # {lower_bound}-{upper_bound}, i.e if lower_bound = 10 and upper_bound = 20
8809 # all values that are within this bucket will be replaced with "10-20".
8810 #
8811 # This can be used on data of type: double, long.
8812 #
8813 # If the bound Value type differs from the type of data
8814 # being transformed, we will first attempt converting the type of the data to
8815 # be transformed to match the type of the bound before comparing.
8816 #
8817 # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
8818 "lowerBound": { # Set of primitive values supported by the system. # Required. Lower bound value of buckets. All values less than `lower_bound` are
8819 # grouped together into a single bucket; for example if `lower_bound` = 10,
8820 # then all values less than 10 are replaced with the value “-10”.
8821 # Note that for the purposes of inspection or transformation, the number
8822 # of bytes considered to comprise a 'Value' is based on its representation
8823 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
8824 # 123456789, the number of bytes would be counted as 9, even though an
8825 # int64 only holds up to 8 bytes of data.
8826 "floatValue": 3.14, # float
8827 "timestampValue": "A String", # timestamp
8828 "dayOfWeekValue": "A String", # day of week
8829 "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
8830 # or are specified elsewhere. An API may choose to allow leap seconds. Related
8831 # types are google.type.Date and `google.protobuf.Timestamp`.
8832 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
8833 # to allow the value "24:00:00" for scenarios like business closing time.
8834 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
8835 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
8836 # allow the value 60 if it allows leap-seconds.
8837 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
8838 },
8839 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
8840 # and time zone are either specified elsewhere or are not significant. The date
8841 # is relative to the Proleptic Gregorian Calendar. This can represent:
8842 #
8843 # * A full date, with non-zero year, month and day values
8844 # * A month and day value, with a zero year, e.g. an anniversary
8845 # * A year on its own, with zero month and day values
8846 # * A year and month value, with a zero day, e.g. a credit card expiration date
8847 #
8848 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
8849 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
8850 # month and day.
8851 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
8852 # if specifying a year by itself or a year and month where the day is not
8853 # significant.
8854 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
8855 # a year.
8856 },
8857 "stringValue": "A String", # string
8858 "booleanValue": True or False, # boolean
8859 "integerValue": "A String", # integer
8860 },
8861 "upperBound": { # Set of primitive values supported by the system. # Required. Upper bound value of buckets. All values greater than upper_bound are
8862 # grouped together into a single bucket; for example if `upper_bound` = 89,
8863 # then all values greater than 89 are replaced with the value “89+”.
8864 # Note that for the purposes of inspection or transformation, the number
8865 # of bytes considered to comprise a 'Value' is based on its representation
8866 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
8867 # 123456789, the number of bytes would be counted as 9, even though an
8868 # int64 only holds up to 8 bytes of data.
8869 "floatValue": 3.14, # float
8870 "timestampValue": "A String", # timestamp
8871 "dayOfWeekValue": "A String", # day of week
8872 "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
8873 # or are specified elsewhere. An API may choose to allow leap seconds. Related
8874 # types are google.type.Date and `google.protobuf.Timestamp`.
8875 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
8876 # to allow the value "24:00:00" for scenarios like business closing time.
8877 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
8878 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
8879 # allow the value 60 if it allows leap-seconds.
8880 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
8881 },
8882 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
8883 # and time zone are either specified elsewhere or are not significant. The date
8884 # is relative to the Proleptic Gregorian Calendar. This can represent:
8885 #
8886 # * A full date, with non-zero year, month and day values
8887 # * A month and day value, with a zero year, e.g. an anniversary
8888 # * A year on its own, with zero month and day values
8889 # * A year and month value, with a zero day, e.g. a credit card expiration date
8890 #
8891 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
8892 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
8893 # month and day.
8894 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
8895 # if specifying a year by itself or a year and month where the day is not
8896 # significant.
8897 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
8898 # a year.
8899 },
8900 "stringValue": "A String", # string
8901 "booleanValue": True or False, # boolean
8902 "integerValue": "A String", # integer
8903 },
8904 "bucketSize": 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if
8905 # `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the
8906 # following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60,
8907 # 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works.
8908 },
8909 "timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a # Time extraction
8910 # portion of the value.
8911 "partToExtract": "A String", # The part of the time to keep.
8912 },
8913 "dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the # Date Shift
8914 # same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting
8915 # to learn more.
8916 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This
8917 # results in the same shift for the same context and crypto_key. If
8918 # set, must also set context. Can only be applied to table items.
8919 # a key encryption key (KEK) stored by KMS).
8920 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
8921 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
8922 # unwrap the data crypto key.
8923 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
8924 # The wrapped key must be a 128/192/256 bit key.
8925 # Authorization requires the following IAM permissions when sending a request
8926 # to perform a crypto transformation using a kms-wrapped crypto key:
8927 # dlp.kms.encrypt
8928 "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
8929 "wrappedKey": "A String", # Required. The wrapped data crypto key.
8930 },
8931 "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
8932 # leaking the key. Choose another type of key if possible.
8933 "key": "A String", # Required. A 128/192/256 bit key.
8934 },
8935 "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
8936 # It will be discarded after the request finishes.
8937 "name": "A String", # Required. Name of the key.
8938 # This is an arbitrary string used to differentiate different keys.
8939 # A unique key is generated per name: two separate `TransientCryptoKey`
8940 # protos share the same generated key if their names are the same.
8941 # When the data crypto key is generated, this name is not used in any way
8942 # (repeating the api call will result in a different key being generated).
8943 },
8944 },
8945 "lowerBoundDays": 42, # Required. For example, -5 means shift date to at most 5 days back in the past.
8946 "upperBoundDays": 42, # Required. Range of shift in days. Actual shift will be selected at random within this
8947 # range (inclusive ends). Negative means shift to earlier in time. Must not
8948 # be more than 365250 days (1000 years) each direction.
8949 #
8950 # For example, 3 means shift date to at most 3 days into the future.
8951 "context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id.
8952 # If set, must also set cryptoKey. If set, shift will be consistent for the
8953 # given context.
8954 "name": "A String", # Name describing the field.
8955 },
8956 },
8957 "cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption # Ffx-Fpe
8958 # (FPE) with the FFX mode of operation; however when used in the
8959 # `ReidentifyContent` API method, it serves the opposite function by reversing
8960 # the surrogate back into the original identifier. The identifier must be
8961 # encoded as ASCII. For a given crypto key and context, the same identifier
8962 # will be replaced with the same surrogate. Identifiers must be at least two
8963 # characters long. In the case that the identifier is the empty string, it will
8964 # be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn
8965 # more.
8966 #
8967 # Note: We recommend using CryptoDeterministicConfig for all use cases which
8968 # do not require preserving the input alphabet space and size, plus warrant
8969 # referential integrity.
8970 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Required. The key used by the encryption algorithm.
8971 # a key encryption key (KEK) stored by KMS).
8972 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
8973 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
8974 # unwrap the data crypto key.
8975 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
8976 # The wrapped key must be a 128/192/256 bit key.
8977 # Authorization requires the following IAM permissions when sending a request
8978 # to perform a crypto transformation using a kms-wrapped crypto key:
8979 # dlp.kms.encrypt
8980 "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
8981 "wrappedKey": "A String", # Required. The wrapped data crypto key.
8982 },
8983 "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
8984 # leaking the key. Choose another type of key if possible.
8985 "key": "A String", # Required. A 128/192/256 bit key.
8986 },
8987 "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
8988 # It will be discarded after the request finishes.
8989 "name": "A String", # Required. Name of the key.
8990 # This is an arbitrary string used to differentiate different keys.
8991 # A unique key is generated per name: two separate `TransientCryptoKey`
8992 # protos share the same generated key if their names are the same.
8993 # When the data crypto key is generated, this name is not used in any way
8994 # (repeating the api call will result in a different key being generated).
8995 },
8996 },
8997 "radix": 42, # The native way to select the alphabet. Must be in the range [2, 95].
8998 "commonAlphabet": "A String", # Common alphabets.
8999 "customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters
9000 # that the FFX mode natively supports. This happens before/after
9001 # encryption/decryption.
9002 # Each character listed must appear only once.
9003 # Number of characters must be in the range [2, 95].
9004 # This must be encoded as ASCII.
9005 # The order of characters does not matter.
9006 "context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same
9007 # identifier in two different contexts won't be given the same surrogate. If
9008 # the context is not set, a default tweak will be used.
9009 #
9010 # If the context is set but:
9011 #
9012 # 1. there is no record present when transforming a given value or
9013 # 1. the field is not present when transforming a given value,
9014 #
9015 # a default tweak will be used.
9016 #
9017 # Note that case (1) is expected when an `InfoTypeTransformation` is
9018 # applied to both structured and non-structured `ContentItem`s.
9019 # Currently, the referenced field may be of value type integer or string.
9020 #
9021 # The tweak is constructed as a sequence of bytes in big endian byte order
9022 # such that:
9023 #
9024 # - a 64 bit integer is encoded followed by a single byte of value 1
9025 # - a string is encoded in UTF-8 format followed by a single byte of value 2
9026 "name": "A String", # Name describing the field.
9027 },
9028 "surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with.
9029 # This annotation will be applied to the surrogate by prefixing it with
9030 # the name of the custom infoType followed by the number of
9031 # characters comprising the surrogate. The following scheme defines the
9032 # format: info_type_name(surrogate_character_count):surrogate
9033 #
9034 # For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and
9035 # the surrogate is 'abc', the full replacement value
9036 # will be: 'MY_TOKEN_INFO_TYPE(3):abc'
9037 #
9038 # This annotation identifies the surrogate when inspecting content using the
9039 # custom infoType
9040 # [`SurrogateType`](/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype).
9041 # This facilitates reversal of the surrogate when it occurs in free text.
9042 #
9043 # In order for inspection to work properly, the name of this infoType must
9044 # not occur naturally anywhere in your data; otherwise, inspection may
9045 # find a surrogate that does not correspond to an actual identifier.
9046 # Therefore, choose your custom infoType name carefully after considering
9047 # what your data looks like. One way to select a name that has a high chance
9048 # of yielding reliable detection is to include one or more unicode characters
9049 # that are highly improbable to exist in your data.
9050 # For example, assuming your data is entered from a regular ASCII keyboard,
9051 # the symbol with the hex code point 29DD might be used like so:
9052 # ⧝MY_TOKEN_TYPE
9053 "name": "A String", # Name of the information type. Either a name of your choosing when
9054 # creating a CustomInfoType, or one of the names listed
9055 # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
9056 # a built-in type. InfoType names should conform to the pattern
9057 # `[a-zA-Z0-9_]{1,64}`.
9058 },
9059 },
9060 "bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and # Bucketing
9061 # replacement values are dynamically provided by the user for custom behavior,
9062 # such as 1-30 -&gt; LOW 31-65 -&gt; MEDIUM 66-100 -&gt; HIGH
9063 # This can be used on
9064 # data of type: number, long, string, timestamp.
9065 # If the bound `Value` type differs from the type of data being transformed, we
9066 # will first attempt converting the type of the data to be transformed to match
9067 # the type of the bound before comparing.
9068 # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
9069 "buckets": [ # Set of buckets. Ranges must be non-overlapping.
9070 { # Bucket is represented as a range, along with replacement values.
9071 "max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.
9072 # Note that for the purposes of inspection or transformation, the number
9073 # of bytes considered to comprise a 'Value' is based on its representation
9074 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
9075 # 123456789, the number of bytes would be counted as 9, even though an
9076 # int64 only holds up to 8 bytes of data.
9077 "floatValue": 3.14, # float
9078 "timestampValue": "A String", # timestamp
9079 "dayOfWeekValue": "A String", # day of week
9080 "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
9081 # or are specified elsewhere. An API may choose to allow leap seconds. Related
9082 # types are google.type.Date and `google.protobuf.Timestamp`.
9083 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
9084 # to allow the value "24:00:00" for scenarios like business closing time.
9085 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
9086 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
9087 # allow the value 60 if it allows leap-seconds.
9088 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
9089 },
9090 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
9091 # and time zone are either specified elsewhere or are not significant. The date
9092 # is relative to the Proleptic Gregorian Calendar. This can represent:
9093 #
9094 # * A full date, with non-zero year, month and day values
9095 # * A month and day value, with a zero year, e.g. an anniversary
9096 # * A year on its own, with zero month and day values
9097 # * A year and month value, with a zero day, e.g. a credit card expiration date
9098 #
9099 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
9100 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
9101 # month and day.
9102 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
9103 # if specifying a year by itself or a year and month where the day is not
9104 # significant.
9105 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
9106 # a year.
9107 },
9108 "stringValue": "A String", # string
9109 "booleanValue": True or False, # boolean
9110 "integerValue": "A String", # integer
9111 },
9112 "replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided
9113 # the default behavior will be to hyphenate the min-max range.
9114 # Note that for the purposes of inspection or transformation, the number
9115 # of bytes considered to comprise a 'Value' is based on its representation
9116 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
9117 # 123456789, the number of bytes would be counted as 9, even though an
9118 # int64 only holds up to 8 bytes of data.
9119 "floatValue": 3.14, # float
9120 "timestampValue": "A String", # timestamp
9121 "dayOfWeekValue": "A String", # day of week
9122 "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
9123 # or are specified elsewhere. An API may choose to allow leap seconds. Related
9124 # types are google.type.Date and `google.protobuf.Timestamp`.
9125 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
9126 # to allow the value "24:00:00" for scenarios like business closing time.
9127 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
9128 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
9129 # allow the value 60 if it allows leap-seconds.
9130 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
9131 },
9132 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
9133 # and time zone are either specified elsewhere or are not significant. The date
9134 # is relative to the Proleptic Gregorian Calendar. This can represent:
9135 #
9136 # * A full date, with non-zero year, month and day values
9137 # * A month and day value, with a zero year, e.g. an anniversary
9138 # * A year on its own, with zero month and day values
9139 # * A year and month value, with a zero day, e.g. a credit card expiration date
9140 #
9141 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
9142 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
9143 # month and day.
9144 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
9145 # if specifying a year by itself or a year and month where the day is not
9146 # significant.
9147 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
9148 # a year.
9149 },
9150 "stringValue": "A String", # string
9151 "booleanValue": True or False, # boolean
9152 "integerValue": "A String", # integer
9153 },
9154 "min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if
9155 # used.
9156 # Note that for the purposes of inspection or transformation, the number
9157 # of bytes considered to comprise a 'Value' is based on its representation
9158 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
9159 # 123456789, the number of bytes would be counted as 9, even though an
9160 # int64 only holds up to 8 bytes of data.
9161 "floatValue": 3.14, # float
9162 "timestampValue": "A String", # timestamp
9163 "dayOfWeekValue": "A String", # day of week
9164 "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
9165 # or are specified elsewhere. An API may choose to allow leap seconds. Related
9166 # types are google.type.Date and `google.protobuf.Timestamp`.
9167 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
9168 # to allow the value "24:00:00" for scenarios like business closing time.
9169 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
9170 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
9171 # allow the value 60 if it allows leap-seconds.
9172 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
9173 },
9174 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
9175 # and time zone are either specified elsewhere or are not significant. The date
9176 # is relative to the Proleptic Gregorian Calendar. This can represent:
9177 #
9178 # * A full date, with non-zero year, month and day values
9179 # * A month and day value, with a zero year, e.g. an anniversary
9180 # * A year on its own, with zero month and day values
9181 # * A year and month value, with a zero day, e.g. a credit card expiration date
9182 #
9183 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
9184 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
9185 # month and day.
9186 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
9187 # if specifying a year by itself or a year and month where the day is not
9188 # significant.
9189 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
9190 # a year.
9191 },
9192 "stringValue": "A String", # string
9193 "booleanValue": True or False, # boolean
9194 "integerValue": "A String", # integer
9195 },
9196 },
9197 ],
9198 },
9199 "cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing. # Crypto
9200 # Uses SHA-256.
9201 # The key size must be either 32 or 64 bytes.
9202 # Outputs a base64 encoded representation of the hashed output
9203 # (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).
9204 # Currently, only string and integer values can be hashed.
9205 # See https://cloud.google.com/dlp/docs/pseudonymization to learn more.
9206 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.
9207 # a key encryption key (KEK) stored by KMS).
9208 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
9209 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
9210 # unwrap the data crypto key.
9211 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
9212 # The wrapped key must be a 128/192/256 bit key.
9213 # Authorization requires the following IAM permissions when sending a request
9214 # to perform a crypto transformation using a kms-wrapped crypto key:
9215 # dlp.kms.encrypt
9216 "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
9217 "wrappedKey": "A String", # Required. The wrapped data crypto key.
9218 },
9219 "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
9220 # leaking the key. Choose another type of key if possible.
9221 "key": "A String", # Required. A 128/192/256 bit key.
9222 },
9223 "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
9224 # It will be discarded after the request finishes.
9225 "name": "A String", # Required. Name of the key.
9226 # This is an arbitrary string used to differentiate different keys.
9227 # A unique key is generated per name: two separate `TransientCryptoKey`
9228 # protos share the same generated key if their names are the same.
9229 # When the data crypto key is generated, this name is not used in any way
9230 # (repeating the api call will result in a different key being generated).
9231 },
9232 },
9233 },
9234 "replaceConfig": { # Replace each input value with a given `Value`. # Replace
9235 "newValue": { # Set of primitive values supported by the system. # Value to replace it with.
9236 # Note that for the purposes of inspection or transformation, the number
9237 # of bytes considered to comprise a 'Value' is based on its representation
9238 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
9239 # 123456789, the number of bytes would be counted as 9, even though an
9240 # int64 only holds up to 8 bytes of data.
9241 "floatValue": 3.14, # float
9242 "timestampValue": "A String", # timestamp
9243 "dayOfWeekValue": "A String", # day of week
9244 "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
9245 # or are specified elsewhere. An API may choose to allow leap seconds. Related
9246 # types are google.type.Date and `google.protobuf.Timestamp`.
9247 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
9248 # to allow the value "24:00:00" for scenarios like business closing time.
9249 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
9250 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
9251 # allow the value 60 if it allows leap-seconds.
9252 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
9253 },
9254 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
9255 # and time zone are either specified elsewhere or are not significant. The date
9256 # is relative to the Proleptic Gregorian Calendar. This can represent:
9257 #
9258 # * A full date, with non-zero year, month and day values
9259 # * A month and day value, with a zero year, e.g. an anniversary
9260 # * A year on its own, with zero month and day values
9261 # * A year and month value, with a zero day, e.g. a credit card expiration date
9262 #
9263 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
9264 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
9265 # month and day.
9266 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
9267 # if specifying a year by itself or a year and month where the day is not
9268 # significant.
9269 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
9270 # a year.
9271 },
9272 "stringValue": "A String", # string
9273 "booleanValue": True or False, # boolean
9274 "integerValue": "A String", # integer
9275 },
9276 },
9277 },
9278 "infoTypes": [ # InfoTypes to apply the transformation to. An empty list will cause
9279 # this transformation to apply to all findings that correspond to
9280 # infoTypes that were requested in `InspectConfig`.
9281 { # Type of information detected by the API.
9282 "name": "A String", # Name of the information type. Either a name of your choosing when
9283 # creating a CustomInfoType, or one of the names listed
9284 # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
9285 # a built-in type. InfoType names should conform to the pattern
9286 # `[a-zA-Z0-9_]{1,64}`.
9287 },
9288 ],
9289 },
9290 ],
9291 },
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]9292 },
9293 ],
9294 "transformedBytes": "A String", # Total size in bytes that were transformed in some way.
9295 "transformation": { # A rule for transforming a value. # The specific transformation these stats apply to.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]9296 "cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given # Deterministic Crypto
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]9297 # input. Outputs a base64 encoded representation of the encrypted output.
9298 # Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.
9299 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function.
9300 # a key encryption key (KEK) stored by KMS).
9301 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
9302 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
9303 # unwrap the data crypto key.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]9304 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]9305 # The wrapped key must be a 128/192/256 bit key.
9306 # Authorization requires the following IAM permissions when sending a request
9307 # to perform a crypto transformation using a kms-wrapped crypto key:
9308 # dlp.kms.encrypt
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]9309 "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
9310 "wrappedKey": "A String", # Required. The wrapped data crypto key.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]9311 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]9312 "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]9313 # leaking the key. Choose another type of key if possible.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]9314 "key": "A String", # Required. A 128/192/256 bit key.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]9315 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]9316 "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]9317 # It will be discarded after the request finishes.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]9318 "name": "A String", # Required. Name of the key.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]9319 # This is an arbitrary string used to differentiate different keys.
9320 # A unique key is generated per name: two separate `TransientCryptoKey`
9321 # protos share the same generated key if their names are the same.
9322 # When the data crypto key is generated, this name is not used in any way
9323 # (repeating the api call will result in a different key being generated).
9324 },
9325 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]9326 "context": { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]9327 # referential integrity such that the same identifier in two different
9328 # contexts will be given a distinct surrogate. The context is appended to
9329 # plaintext value being encrypted. On decryption the provided context is
9330 # validated against the value used during encryption. If a context was
9331 # provided during encryption, same context must be provided during decryption
9332 # as well.
9333 #
9334 # If the context is not set, plaintext would be used as is for encryption.
9335 # If the context is set but:
9336 #
9337 # 1. there is no record present when transforming a given value or
9338 # 2. the field is not present when transforming a given value,
9339 #
9340 # plaintext would be used as is for encryption.
9341 #
9342 # Note that case (1) is expected when an `InfoTypeTransformation` is
9343 # applied to both structured and non-structured `ContentItem`s.
9344 "name": "A String", # Name describing the field.
9345 },
9346 "surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with.
9347 # This annotation will be applied to the surrogate by prefixing it with
9348 # the name of the custom info type followed by the number of
9349 # characters comprising the surrogate. The following scheme defines the
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]9350 # format: {info type name}({surrogate character count}):{surrogate}
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]9351 #
9352 # For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and
9353 # the surrogate is 'abc', the full replacement value
9354 # will be: 'MY_TOKEN_INFO_TYPE(3):abc'
9355 #
9356 # This annotation identifies the surrogate when inspecting content using the
9357 # custom info type 'Surrogate'. This facilitates reversal of the
9358 # surrogate when it occurs in free text.
9359 #
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]9360 # Note: For record transformations where the entire cell in a table is being
9361 # transformed, surrogates are not mandatory. Surrogates are used to denote
9362 # the location of the token and are necessary for re-identification in free
9363 # form text.
9364 #
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]9365 # In order for inspection to work properly, the name of this info type must
9366 # not occur naturally anywhere in your data; otherwise, inspection may either
9367 #
9368 # - reverse a surrogate that does not correspond to an actual identifier
9369 # - be unable to parse the surrogate and result in an error
9370 #
9371 # Therefore, choose your custom info type name carefully after considering
9372 # what your data looks like. One way to select a name that has a high chance
9373 # of yielding reliable detection is to include one or more unicode characters
9374 # that are highly improbable to exist in your data.
9375 # For example, assuming your data is entered from a regular ASCII keyboard,
9376 # the symbol with the hex code point 29DD might be used like so:
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]9377 # ⧝MY_TOKEN_TYPE.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]9378 "name": "A String", # Name of the information type. Either a name of your choosing when
9379 # creating a CustomInfoType, or one of the names listed
9380 # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
9381 # a built-in type. InfoType names should conform to the pattern
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]9382 # `[a-zA-Z0-9_]{1,64}`.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]9383 },
9384 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]9385 "characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a # Mask
9386 # fixed character. Masking can start from the beginning or end of the string.
9387 # This can be used on data of any type (numbers, longs, and so on) and when
9388 # de-identifying structured data we'll attempt to preserve the original data's
9389 # type. (This allows you to take a long like 123 and modify it to a string like
9390 # **3.
9391 "charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing
9392 # characters. For example, if the input string is `555-555-5555` and you
9393 # instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP
9394 # returns `***-**5-5555`.
9395 { # Characters to skip when doing deidentification of a value. These will be left
9396 # alone and skipped.
9397 "commonCharactersToIgnore": "A String", # Common characters to not transform when masking. Useful to avoid removing
9398 # punctuation.
9399 "charactersToSkip": "A String", # Characters to not transform when masking.
9400 },
9401 ],
9402 "numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be
9403 # masked. Skipped characters do not count towards this tally.
9404 "maskingCharacter": "A String", # Character to use to mask the sensitive values&amp;mdash;for example, `*` for an
9405 # alphabetic string such as a name, or `0` for a numeric string such as ZIP
9406 # code or credit card number. This string must have a length of 1. If not
9407 # supplied, this value defaults to `*` for strings, and `0` for digits.
9408 "reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is
9409 # `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the
9410 # input string `1234-5678-9012-3456` is masked as `00000000000000-3456`.
9411 # If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order`
9412 # is `true`, then the string `12345` is masked as `12***`.
9413 },
9414 "redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation` # Redact
9415 # transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the
9416 # output would be 'My phone number is '.
9417 },
9418 "replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type. # Replace with infotype
9419 },
9420 "fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The # Fixed size bucketing
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]9421 # Bucketing transformation can provide all of this functionality,
9422 # but requires more configuration. This message is provided as a convenience to
9423 # the user for simple bucketing strategies.
9424 #
9425 # The transformed value will be a hyphenated string of
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]9426 # {lower_bound}-{upper_bound}, i.e if lower_bound = 10 and upper_bound = 20
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]9427 # all values that are within this bucket will be replaced with "10-20".
9428 #
9429 # This can be used on data of type: double, long.
9430 #
9431 # If the bound Value type differs from the type of data
9432 # being transformed, we will first attempt converting the type of the data to
9433 # be transformed to match the type of the bound before comparing.
9434 #
9435 # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]9436 "lowerBound": { # Set of primitive values supported by the system. # Required. Lower bound value of buckets. All values less than `lower_bound` are
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]9437 # grouped together into a single bucket; for example if `lower_bound` = 10,
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]9438 # then all values less than 10 are replaced with the value “-10”.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]9439 # Note that for the purposes of inspection or transformation, the number
9440 # of bytes considered to comprise a 'Value' is based on its representation
9441 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
9442 # 123456789, the number of bytes would be counted as 9, even though an
9443 # int64 only holds up to 8 bytes of data.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]9444 "floatValue": 3.14, # float
9445 "timestampValue": "A String", # timestamp
9446 "dayOfWeekValue": "A String", # day of week
9447 "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]9448 # or are specified elsewhere. An API may choose to allow leap seconds. Related
9449 # types are google.type.Date and `google.protobuf.Timestamp`.
9450 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
9451 # to allow the value "24:00:00" for scenarios like business closing time.
9452 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
9453 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
9454 # allow the value 60 if it allows leap-seconds.
9455 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
9456 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]9457 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]9458 # and time zone are either specified elsewhere or are not significant. The date
9459 # is relative to the Proleptic Gregorian Calendar. This can represent:
9460 #
9461 # * A full date, with non-zero year, month and day values
9462 # * A month and day value, with a zero year, e.g. an anniversary
9463 # * A year on its own, with zero month and day values
9464 # * A year and month value, with a zero day, e.g. a credit card expiration date
9465 #
9466 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]9467 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
9468 # month and day.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]9469 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
9470 # if specifying a year by itself or a year and month where the day is not
9471 # significant.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]9472 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
9473 # a year.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]9474 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]9475 "stringValue": "A String", # string
9476 "booleanValue": True or False, # boolean
9477 "integerValue": "A String", # integer
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]9478 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]9479 "upperBound": { # Set of primitive values supported by the system. # Required. Upper bound value of buckets. All values greater than upper_bound are
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]9480 # grouped together into a single bucket; for example if `upper_bound` = 89,
9481 # then all values greater than 89 are replaced with the value “89+”.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]9482 # Note that for the purposes of inspection or transformation, the number
9483 # of bytes considered to comprise a 'Value' is based on its representation
9484 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
9485 # 123456789, the number of bytes would be counted as 9, even though an
9486 # int64 only holds up to 8 bytes of data.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]9487 "floatValue": 3.14, # float
9488 "timestampValue": "A String", # timestamp
9489 "dayOfWeekValue": "A String", # day of week
9490 "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]9491 # or are specified elsewhere. An API may choose to allow leap seconds. Related
9492 # types are google.type.Date and `google.protobuf.Timestamp`.
9493 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
9494 # to allow the value "24:00:00" for scenarios like business closing time.
9495 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
9496 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
9497 # allow the value 60 if it allows leap-seconds.
9498 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
9499 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]9500 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]9501 # and time zone are either specified elsewhere or are not significant. The date
9502 # is relative to the Proleptic Gregorian Calendar. This can represent:
9503 #
9504 # * A full date, with non-zero year, month and day values
9505 # * A month and day value, with a zero year, e.g. an anniversary
9506 # * A year on its own, with zero month and day values
9507 # * A year and month value, with a zero day, e.g. a credit card expiration date
9508 #
9509 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]9510 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
9511 # month and day.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]9512 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
9513 # if specifying a year by itself or a year and month where the day is not
9514 # significant.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]9515 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
9516 # a year.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]9517 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]9518 "stringValue": "A String", # string
9519 "booleanValue": True or False, # boolean
9520 "integerValue": "A String", # integer
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]9521 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]9522 "bucketSize": 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]9523 # `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the
9524 # following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60,
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]9525 # 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]9526 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]9527 "timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a # Time extraction
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]9528 # portion of the value.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]9529 "partToExtract": "A String", # The part of the time to keep.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]9530 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]9531 "dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the # Date Shift
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]9532 # same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting
9533 # to learn more.
9534 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]9535 # results in the same shift for the same context and crypto_key. If
9536 # set, must also set context. Can only be applied to table items.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]9537 # a key encryption key (KEK) stored by KMS).
9538 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
9539 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
9540 # unwrap the data crypto key.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]9541 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]9542 # The wrapped key must be a 128/192/256 bit key.
9543 # Authorization requires the following IAM permissions when sending a request
9544 # to perform a crypto transformation using a kms-wrapped crypto key:
9545 # dlp.kms.encrypt
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]9546 "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
9547 "wrappedKey": "A String", # Required. The wrapped data crypto key.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]9548 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]9549 "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]9550 # leaking the key. Choose another type of key if possible.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]9551 "key": "A String", # Required. A 128/192/256 bit key.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]9552 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]9553 "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]9554 # It will be discarded after the request finishes.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]9555 "name": "A String", # Required. Name of the key.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]9556 # This is an arbitrary string used to differentiate different keys.
9557 # A unique key is generated per name: two separate `TransientCryptoKey`
9558 # protos share the same generated key if their names are the same.
9559 # When the data crypto key is generated, this name is not used in any way
9560 # (repeating the api call will result in a different key being generated).
9561 },
9562 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]9563 "lowerBoundDays": 42, # Required. For example, -5 means shift date to at most 5 days back in the past.
9564 "upperBoundDays": 42, # Required. Range of shift in days. Actual shift will be selected at random within this
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]9565 # range (inclusive ends). Negative means shift to earlier in time. Must not
9566 # be more than 365250 days (1000 years) each direction.
9567 #
9568 # For example, 3 means shift date to at most 3 days into the future.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]9569 "context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]9570 # If set, must also set cryptoKey. If set, shift will be consistent for the
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]9571 # given context.
9572 "name": "A String", # Name describing the field.
9573 },
9574 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]9575 "cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption # Ffx-Fpe
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]9576 # (FPE) with the FFX mode of operation; however when used in the
9577 # `ReidentifyContent` API method, it serves the opposite function by reversing
9578 # the surrogate back into the original identifier. The identifier must be
9579 # encoded as ASCII. For a given crypto key and context, the same identifier
9580 # will be replaced with the same surrogate. Identifiers must be at least two
9581 # characters long. In the case that the identifier is the empty string, it will
9582 # be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn
9583 # more.
9584 #
9585 # Note: We recommend using CryptoDeterministicConfig for all use cases which
9586 # do not require preserving the input alphabet space and size, plus warrant
9587 # referential integrity.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]9588 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Required. The key used by the encryption algorithm.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]9589 # a key encryption key (KEK) stored by KMS).
9590 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
9591 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
9592 # unwrap the data crypto key.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]9593 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]9594 # The wrapped key must be a 128/192/256 bit key.
9595 # Authorization requires the following IAM permissions when sending a request
9596 # to perform a crypto transformation using a kms-wrapped crypto key:
9597 # dlp.kms.encrypt
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]9598 "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
9599 "wrappedKey": "A String", # Required. The wrapped data crypto key.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]9600 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]9601 "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]9602 # leaking the key. Choose another type of key if possible.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]9603 "key": "A String", # Required. A 128/192/256 bit key.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]9604 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]9605 "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]9606 # It will be discarded after the request finishes.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]9607 "name": "A String", # Required. Name of the key.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]9608 # This is an arbitrary string used to differentiate different keys.
9609 # A unique key is generated per name: two separate `TransientCryptoKey`
9610 # protos share the same generated key if their names are the same.
9611 # When the data crypto key is generated, this name is not used in any way
9612 # (repeating the api call will result in a different key being generated).
9613 },
9614 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]9615 "radix": 42, # The native way to select the alphabet. Must be in the range [2, 95].
9616 "commonAlphabet": "A String", # Common alphabets.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]9617 "customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters
9618 # that the FFX mode natively supports. This happens before/after
9619 # encryption/decryption.
9620 # Each character listed must appear only once.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]9621 # Number of characters must be in the range [2, 95].
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]9622 # This must be encoded as ASCII.
9623 # The order of characters does not matter.
9624 "context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same
9625 # identifier in two different contexts won't be given the same surrogate. If
9626 # the context is not set, a default tweak will be used.
9627 #
9628 # If the context is set but:
9629 #
9630 # 1. there is no record present when transforming a given value or
9631 # 1. the field is not present when transforming a given value,
9632 #
9633 # a default tweak will be used.
9634 #
9635 # Note that case (1) is expected when an `InfoTypeTransformation` is
9636 # applied to both structured and non-structured `ContentItem`s.
9637 # Currently, the referenced field may be of value type integer or string.
9638 #
9639 # The tweak is constructed as a sequence of bytes in big endian byte order
9640 # such that:
9641 #
9642 # - a 64 bit integer is encoded followed by a single byte of value 1
9643 # - a string is encoded in UTF-8 format followed by a single byte of value 2
9644 "name": "A String", # Name describing the field.
9645 },
9646 "surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with.
9647 # This annotation will be applied to the surrogate by prefixing it with
9648 # the name of the custom infoType followed by the number of
9649 # characters comprising the surrogate. The following scheme defines the
9650 # format: info_type_name(surrogate_character_count):surrogate
9651 #
9652 # For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and
9653 # the surrogate is 'abc', the full replacement value
9654 # will be: 'MY_TOKEN_INFO_TYPE(3):abc'
9655 #
9656 # This annotation identifies the surrogate when inspecting content using the
9657 # custom infoType
9658 # [`SurrogateType`](/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype).
9659 # This facilitates reversal of the surrogate when it occurs in free text.
9660 #
9661 # In order for inspection to work properly, the name of this infoType must
9662 # not occur naturally anywhere in your data; otherwise, inspection may
9663 # find a surrogate that does not correspond to an actual identifier.
9664 # Therefore, choose your custom infoType name carefully after considering
9665 # what your data looks like. One way to select a name that has a high chance
9666 # of yielding reliable detection is to include one or more unicode characters
9667 # that are highly improbable to exist in your data.
9668 # For example, assuming your data is entered from a regular ASCII keyboard,
9669 # the symbol with the hex code point 29DD might be used like so:
9670 # ⧝MY_TOKEN_TYPE
9671 "name": "A String", # Name of the information type. Either a name of your choosing when
9672 # creating a CustomInfoType, or one of the names listed
9673 # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
9674 # a built-in type. InfoType names should conform to the pattern
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]9675 # `[a-zA-Z0-9_]{1,64}`.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]9676 },
9677 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]9678 "bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and # Bucketing
9679 # replacement values are dynamically provided by the user for custom behavior,
9680 # such as 1-30 -&gt; LOW 31-65 -&gt; MEDIUM 66-100 -&gt; HIGH
9681 # This can be used on
9682 # data of type: number, long, string, timestamp.
9683 # If the bound `Value` type differs from the type of data being transformed, we
9684 # will first attempt converting the type of the data to be transformed to match
9685 # the type of the bound before comparing.
9686 # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
9687 "buckets": [ # Set of buckets. Ranges must be non-overlapping.
9688 { # Bucket is represented as a range, along with replacement values.
9689 "max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.
9690 # Note that for the purposes of inspection or transformation, the number
9691 # of bytes considered to comprise a 'Value' is based on its representation
9692 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
9693 # 123456789, the number of bytes would be counted as 9, even though an
9694 # int64 only holds up to 8 bytes of data.
9695 "floatValue": 3.14, # float
9696 "timestampValue": "A String", # timestamp
9697 "dayOfWeekValue": "A String", # day of week
9698 "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
9699 # or are specified elsewhere. An API may choose to allow leap seconds. Related
9700 # types are google.type.Date and `google.protobuf.Timestamp`.
9701 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
9702 # to allow the value "24:00:00" for scenarios like business closing time.
9703 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
9704 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
9705 # allow the value 60 if it allows leap-seconds.
9706 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
9707 },
9708 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
9709 # and time zone are either specified elsewhere or are not significant. The date
9710 # is relative to the Proleptic Gregorian Calendar. This can represent:
9711 #
9712 # * A full date, with non-zero year, month and day values
9713 # * A month and day value, with a zero year, e.g. an anniversary
9714 # * A year on its own, with zero month and day values
9715 # * A year and month value, with a zero day, e.g. a credit card expiration date
9716 #
9717 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
9718 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
9719 # month and day.
9720 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
9721 # if specifying a year by itself or a year and month where the day is not
9722 # significant.
9723 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
9724 # a year.
9725 },
9726 "stringValue": "A String", # string
9727 "booleanValue": True or False, # boolean
9728 "integerValue": "A String", # integer
9729 },
9730 "replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided
9731 # the default behavior will be to hyphenate the min-max range.
9732 # Note that for the purposes of inspection or transformation, the number
9733 # of bytes considered to comprise a 'Value' is based on its representation
9734 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
9735 # 123456789, the number of bytes would be counted as 9, even though an
9736 # int64 only holds up to 8 bytes of data.
9737 "floatValue": 3.14, # float
9738 "timestampValue": "A String", # timestamp
9739 "dayOfWeekValue": "A String", # day of week
9740 "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
9741 # or are specified elsewhere. An API may choose to allow leap seconds. Related
9742 # types are google.type.Date and `google.protobuf.Timestamp`.
9743 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
9744 # to allow the value "24:00:00" for scenarios like business closing time.
9745 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
9746 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
9747 # allow the value 60 if it allows leap-seconds.
9748 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
9749 },
9750 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
9751 # and time zone are either specified elsewhere or are not significant. The date
9752 # is relative to the Proleptic Gregorian Calendar. This can represent:
9753 #
9754 # * A full date, with non-zero year, month and day values
9755 # * A month and day value, with a zero year, e.g. an anniversary
9756 # * A year on its own, with zero month and day values
9757 # * A year and month value, with a zero day, e.g. a credit card expiration date
9758 #
9759 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
9760 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
9761 # month and day.
9762 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
9763 # if specifying a year by itself or a year and month where the day is not
9764 # significant.
9765 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
9766 # a year.
9767 },
9768 "stringValue": "A String", # string
9769 "booleanValue": True or False, # boolean
9770 "integerValue": "A String", # integer
9771 },
9772 "min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if
9773 # used.
9774 # Note that for the purposes of inspection or transformation, the number
9775 # of bytes considered to comprise a 'Value' is based on its representation
9776 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
9777 # 123456789, the number of bytes would be counted as 9, even though an
9778 # int64 only holds up to 8 bytes of data.
9779 "floatValue": 3.14, # float
9780 "timestampValue": "A String", # timestamp
9781 "dayOfWeekValue": "A String", # day of week
9782 "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
9783 # or are specified elsewhere. An API may choose to allow leap seconds. Related
9784 # types are google.type.Date and `google.protobuf.Timestamp`.
9785 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
9786 # to allow the value "24:00:00" for scenarios like business closing time.
9787 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
9788 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
9789 # allow the value 60 if it allows leap-seconds.
9790 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
9791 },
9792 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
9793 # and time zone are either specified elsewhere or are not significant. The date
9794 # is relative to the Proleptic Gregorian Calendar. This can represent:
9795 #
9796 # * A full date, with non-zero year, month and day values
9797 # * A month and day value, with a zero year, e.g. an anniversary
9798 # * A year on its own, with zero month and day values
9799 # * A year and month value, with a zero day, e.g. a credit card expiration date
9800 #
9801 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
9802 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
9803 # month and day.
9804 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
9805 # if specifying a year by itself or a year and month where the day is not
9806 # significant.
9807 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
9808 # a year.
9809 },
9810 "stringValue": "A String", # string
9811 "booleanValue": True or False, # boolean
9812 "integerValue": "A String", # integer
9813 },
9814 },
9815 ],
9816 },
9817 "cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing. # Crypto
9818 # Uses SHA-256.
9819 # The key size must be either 32 or 64 bytes.
9820 # Outputs a base64 encoded representation of the hashed output
9821 # (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).
9822 # Currently, only string and integer values can be hashed.
9823 # See https://cloud.google.com/dlp/docs/pseudonymization to learn more.
9824 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.
9825 # a key encryption key (KEK) stored by KMS).
9826 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
9827 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
9828 # unwrap the data crypto key.
9829 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
9830 # The wrapped key must be a 128/192/256 bit key.
9831 # Authorization requires the following IAM permissions when sending a request
9832 # to perform a crypto transformation using a kms-wrapped crypto key:
9833 # dlp.kms.encrypt
9834 "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
9835 "wrappedKey": "A String", # Required. The wrapped data crypto key.
9836 },
9837 "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
9838 # leaking the key. Choose another type of key if possible.
9839 "key": "A String", # Required. A 128/192/256 bit key.
9840 },
9841 "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
9842 # It will be discarded after the request finishes.
9843 "name": "A String", # Required. Name of the key.
9844 # This is an arbitrary string used to differentiate different keys.
9845 # A unique key is generated per name: two separate `TransientCryptoKey`
9846 # protos share the same generated key if their names are the same.
9847 # When the data crypto key is generated, this name is not used in any way
9848 # (repeating the api call will result in a different key being generated).
9849 },
9850 },
9851 },
9852 "replaceConfig": { # Replace each input value with a given `Value`. # Replace
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]9853 "newValue": { # Set of primitive values supported by the system. # Value to replace it with.
9854 # Note that for the purposes of inspection or transformation, the number
9855 # of bytes considered to comprise a 'Value' is based on its representation
9856 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
9857 # 123456789, the number of bytes would be counted as 9, even though an
9858 # int64 only holds up to 8 bytes of data.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]9859 "floatValue": 3.14, # float
9860 "timestampValue": "A String", # timestamp
9861 "dayOfWeekValue": "A String", # day of week
9862 "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]9863 # or are specified elsewhere. An API may choose to allow leap seconds. Related
9864 # types are google.type.Date and `google.protobuf.Timestamp`.
9865 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
9866 # to allow the value "24:00:00" for scenarios like business closing time.
9867 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
9868 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
9869 # allow the value 60 if it allows leap-seconds.
9870 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
9871 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]9872 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]9873 # and time zone are either specified elsewhere or are not significant. The date
9874 # is relative to the Proleptic Gregorian Calendar. This can represent:
9875 #
9876 # * A full date, with non-zero year, month and day values
9877 # * A month and day value, with a zero year, e.g. an anniversary
9878 # * A year on its own, with zero month and day values
9879 # * A year and month value, with a zero day, e.g. a credit card expiration date
9880 #
9881 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]9882 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
9883 # month and day.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]9884 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
9885 # if specifying a year by itself or a year and month where the day is not
9886 # significant.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]9887 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
9888 # a year.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]9889 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]9890 "stringValue": "A String", # string
9891 "booleanValue": True or False, # boolean
9892 "integerValue": "A String", # integer
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]9893 },
9894 },
9895 },
9896 },
9897 ],
9898 "transformedBytes": "A String", # Total size in bytes that were transformed in some way.
9899 },
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]9900 }</pre>
9901</div>
9902
9903</body></html>