Add support for applying BigQuery hidden policy tags to PII fields in the airbyte table

Author: asatwal

config/locales/en.yml

@@ -28,6 +28,13 @@ en:
           description: |
             The name of the BigQuery dataset we're writing to.
           default: ENV['BIGQUERY_DATASET']
+        bigquery_airbyte_dataset:
+          description: |
+            The name of the BigQuery airbyte dataset we're writing to.
+          default: ENV['BIGQUERY_AIRBYTE_DATASET']
+        bigquery_hidden_policy_tag:
+          description: The name of the BigQuery hidden policy tag applied to PII in raw airbyte tables.
+          default: ENV['BIGQUERY_HIDDEN_POLICY_TAG']
         bigquery_retries:
           description: |
             Passed directly to the retries: option on the BigQuery client

lib/dfe/analytics.rb

@@ -29,6 +29,7 @@
 require 'dfe/analytics/azure_federated_auth'
 require 'dfe/analytics/api_requests'
 require 'dfe/analytics/airbyte_stream_config'
+require 'dfe/analytics/big_query_apply_policy_tags'
 require 'services/airbyte'
 
 module DfE

lib/dfe/analytics/big_query_api.rb

@@ -9,43 +9,42 @@ class BigQueryApi
       RETRY_INITIAL_BASE_INTERVAL = 15
       RETRY_MAX_INTERVAL = 60
       RETRY_INTERVAL_MULTIPLIER = 2
-
-      def self.events_client
-        @events_client ||= begin
-          missing_config = %i[
-            bigquery_project_id
-            bigquery_table_name
-            bigquery_dataset
-            azure_client_id
-            azure_token_path
-            azure_scope
-            gcp_scope
-            google_cloud_credentials
-          ].select { |val| DfE::Analytics.config.send(val).blank? }
-
-          raise(ConfigurationError, "DfE::Analytics: missing required config values: #{missing_config.join(', ')}") if missing_config.any?
+      BIGQUERY_MANDATORY_CONFIG = %i[
+        bigquery_project_id
+        bigquery_table_name
+        bigquery_dataset
+        azure_client_id
+        azure_token_path
+        azure_scope
+        gcp_scope
+        google_cloud_credentials
+      ].freeze
+
+      def self.client
+        @client ||= begin
+          DfE::Analytics::Config.check_missing_config!(BIGQUERY_MANDATORY_CONFIG)
 
           Google::Apis::BigqueryV2::BigqueryService.new
         end
 
-        @events_client.authorization = DfE::Analytics::AzureFederatedAuth.gcp_client_credentials
-        @events_client
+        @client.authorization = DfE::Analytics::AzureFederatedAuth.gcp_client_credentials
+        @client
       end
 
       def self.insert(events)
         rows            = events.map { |event| { json: event } }
         data_request    = Google::Apis::BigqueryV2::InsertAllTableDataRequest.new(rows: rows, skip_invalid_rows: true)
         options         = Google::Apis::RequestOptions.default
 
-        options.authorization    = events_client.authorization
+        options.authorization    = client.authorization
         options.retries          = DfE::Analytics.config.bigquery_retries
         options.max_elapsed_time = ALL_RETRIES_MAX_ELASPED_TIME
         options.base_interval    = RETRY_INITIAL_BASE_INTERVAL
         options.max_interval     = RETRY_MAX_INTERVAL
         options.multiplier       = RETRY_INTERVAL_MULTIPLIER
 
         response =
-          events_client.insert_all_table_data(
+          client.insert_all_table_data(
             DfE::Analytics.config.bigquery_project_id,
             DfE::Analytics.config.bigquery_dataset,
             DfE::Analytics.config.bigquery_table_name,
@@ -77,8 +76,46 @@ def self.error_message_for(response)
         "DfE::Analytics BigQuery API insert error for #{response.insert_errors.length} event(s):\n#{message}"
       end
 
-      class ConfigurationError < StandardError; end
+      def self.apply_policy_tags(tables, policy_tag)
+        tables.each do |table_name, column_names|
+          begin
+            table = client.get_table(
+              DfE::Analytics.config.bigquery_project_id,
+              DfE::Analytics.config.bigquery_airbyte_dataset,
+              table_name.to_s
+            )
+          rescue Google::Apis::ClientError => e
+            error_message = "DfE::Analytics Failed to retrieve table: #{table_name}: #{e.message}"
+            Rails.logger.error(error_message)
+            raise PolicyTagError, error_message
+          end
+
+          updated_fields = table.schema.fields.map do |field|
+            field.policy_tags = Google::Apis::BigqueryV2::TableFieldSchema::PolicyTags.new(names: [policy_tag]) if column_names.include?(field.name)
+            field
+          end
+
+          new_schema = Google::Apis::BigqueryV2::TableSchema.new(fields: updated_fields)
+          updated_table = Google::Apis::BigqueryV2::Table.new(schema: new_schema)
+
+          begin
+            client.patch_table(
+              DfE::Analytics.config.bigquery_project_id,
+              DfE::Analytics.config.bigquery_airbyte_dataset,
+              table_name.to_s,
+              updated_table,
+              fields: 'schema'
+            )
+          rescue Google::Apis::ClientError => e
+            error_message = "DfE::Analytics  Failed to update table: #{table_name}: #{e.message}"
+            Rails.logger.error(error_message)
+            raise PolicyTagError, error_message
+          end
+        end
+      end
+
       class SendEventsError < StandardError; end
+      class PolicyTagError < StandardError; end
     end
   end
 end

lib/dfe/analytics/big_query_apply_policy_tags.rb

@@ -0,0 +1,30 @@
+# frozen_string_literal: true
+
+module DfE
+  module Analytics
+    # Applies BigQuery hidden policy tags to PII fields in the airbyte tables
+    class BigQueryApplyPolicyTags < AnalyticsJob
+      def self.do(delay_in_minutes: 0)
+        if delay_in_minutes.zero?
+          perform_later
+        else
+          time_to_run = Time.zone.now + delay_in_minutes.minutes
+
+          set(wait_until: time_to_run).perform_later
+        end
+      end
+
+      def perform
+        unless DfE::Analytics.airbyte_enabled?
+          Rails.logger.warn('DfE::Analytics::BigQueryApplyPolicyTags.perform called but airbyte is disabled. Please check DfE::Analytics.airbyte_enabled? before applying policy tags in BigQuery')
+          return
+        end
+
+        DfE::Analytics::BigQueryApi.apply_policy_tags(
+          DfE::Analytics.hidden_pii,
+          DfE::Analytics.config.bigquery_hidden_policy_tag
+        )
+      end
+    end
+  end
+end

lib/dfe/analytics/config.rb

@@ -11,7 +11,9 @@ module Config
         bigquery_table_name
         bigquery_project_id
         bigquery_dataset
+        bigquery_airbyte_dataset
         bigquery_api_json_key
+        bigquery_hidden_policy_tag
         bigquery_retries
         bigquery_timeout
         enable_analytics
@@ -46,7 +48,9 @@ def self.configure(config)
         config.bigquery_table_name              ||= ENV.fetch('BIGQUERY_TABLE_NAME', nil)
         config.bigquery_project_id              ||= ENV.fetch('BIGQUERY_PROJECT_ID', nil)
         config.bigquery_dataset                 ||= ENV.fetch('BIGQUERY_DATASET', nil)
+        config.bigquery_airbyte_dataset         ||= ENV.fetch('BIGQUERY_AIRBYTE_DATASET', nil)
         config.bigquery_api_json_key            ||= ENV.fetch('BIGQUERY_API_JSON_KEY', nil)
+        config.bigquery_hidden_policy_tag       ||= ENV.fetch('BIGQUERY_HIDDEN_POLICY_TAG', nil)
         config.bigquery_retries                 ||= 3
         config.bigquery_timeout                 ||= 120
         config.environment                      ||= ENV.fetch('RAILS_ENV', 'development')
@@ -77,6 +81,14 @@ def self.configure(config)
         config.azure_scope              ||= DfE::Analytics::AzureFederatedAuth::DEFAULT_AZURE_SCOPE
         config.gcp_scope                ||= DfE::Analytics::AzureFederatedAuth::DEFAULT_GCP_SCOPE
       end
+
+      def self.check_missing_config!(config)
+        missing_config = config.select { |val| DfE::Analytics.config.send(val).blank? }
+
+        raise(ConfigurationError, "DfE::Analytics: missing required config values: #{missing_config.join(', ')}") if missing_config.any?
+      end
+
+      class ConfigurationError < StandardError; end
     end
   end
 end

lib/dfe/analytics/tasks/big_query_apply_policy_tags.rake

@@ -0,0 +1,11 @@
+namespace :dfe do
+  namespace :analytics do
+    desc 'Apply BigQuery policy tags. Optionally pass delay_in_minutes (default is 0)'
+    task :big_query_apply_policy_tags, [:delay_in_minutes] => :environment do |_, args|
+      delay = args[:delay_in_minutes].to_i || 0
+
+      puts "Calling DfE::Analytics::BigQueryApplyPolicyTags.do(delay_in_minutes: #{delay})"
+      DfE::Analytics::BigQueryApplyPolicyTags.do(delay_in_minutes: delay)
+    end
+  end
+end

lib/dfe/analytics/testing.rb

@@ -74,7 +74,7 @@ def authorization; end
     end
 
     module TestOverrides
-      def events_client
+      def client
         if DfE::Analytics::Testing.fake?
           StubClient.new
         else

lib/services/airbyte/connection_update.rb

@@ -71,7 +71,7 @@ def connection_update_payload
                   supportedSyncModes: discovered_stream.dig('stream', 'supportedSyncModes'),
                   defaultCursorField: discovered_stream.dig('stream', 'defaultCursorField'),
                   sourceDefinedCursor: discovered_stream.dig('stream', 'sourceDefinedCursor'),
-                  sourceDefinedPrimaryKey: discovered_stream.dig('stream', 'sourceDefinedPrimaryKey'),
+                  sourceDefinedPrimaryKey: discovered_stream.dig('stream', 'sourceDefinedPrimaryKey')
                 },
                 config: {
                   syncMode: discovered_stream.dig('config', 'syncMode') || SYNC_MODE,

spec/dfe/analytics/big_query_api_spec.rb

@@ -11,31 +11,31 @@
     }
   end
 
-  let(:events_client) { double(:events_client) }
+  let(:client) { double(:client) }
   let(:authorization) { double(:authorization) }
 
   before(:each) do
     allow(DfE::Analytics.config).to receive(:azure_federated_auth).and_return(true)
 
-    allow(Google::Apis::BigqueryV2::BigqueryService).to receive(:new).and_return(events_client)
+    allow(Google::Apis::BigqueryV2::BigqueryService).to receive(:new).and_return(client)
     allow(DfE::Analytics::AzureFederatedAuth).to receive(:gcp_client_credentials).and_return(authorization)
-    allow(events_client).to receive(:authorization=).and_return(authorization)
-    allow(events_client).to receive(:authorization).and_return(authorization)
+    allow(client).to receive(:authorization=).and_return(authorization)
+    allow(client).to receive(:authorization).and_return(authorization)
 
     DfE::Analytics::Testing.webmock!
   end
 
-  describe '#events_client' do
+  describe '#client' do
     it 'raises a configuration error on missing config values' do
       with_analytics_config(bigquery_project_id: nil) do
-        expect { described_class.events_client }.to raise_error(DfE::Analytics::BigQueryApi::ConfigurationError)
+        expect { described_class.client }.to raise_error(DfE::Analytics::Config::ConfigurationError)
       end
     end
 
     context 'when authorization endpoint returns OK response' do
       it 'calls the expected big query apis' do
         with_analytics_config(test_dummy_config) do
-          expect(described_class.events_client).to eq(events_client)
+          expect(described_class.client).to eq(client)
         end
       end
     end
@@ -52,14 +52,14 @@
       let(:response) { double(:response, insert_errors: []) }
 
       it 'does not log the request when event_debug disabled' do
-        allow(events_client).to receive(:insert_all_table_data).and_return(response)
+        allow(client).to receive(:insert_all_table_data).and_return(response)
         expect(Rails.logger).not_to receive(:info)
 
         insert
       end
 
       it 'calls the expected big query apis' do
-        expect(events_client).to receive(:insert_all_table_data)
+        expect(client).to receive(:insert_all_table_data)
           .with(
             test_dummy_config[:bigquery_project_id],
             test_dummy_config[:bigquery_dataset],
@@ -78,7 +78,7 @@
       let(:insert_error) { double(:insert_error, index: 0, errors: [error]) }
       let(:error) { double(:error, message: 'An error.') }
 
-      before { expect(events_client).to receive(:insert_all_table_data).and_return(response) }
+      before { expect(client).to receive(:insert_all_table_data).and_return(response) }
 
       it 'raises an exception' do
         expect { insert }.to raise_error(DfE::Analytics::BigQueryApi::SendEventsError, /An error./)
@@ -99,4 +99,77 @@
       end
     end
   end
+
+  describe '.apply_policy_tags' do
+    let(:tables) { { users: %w[email name] } }
+    let(:policy_tag) { 'projects/my-project/locations/eu/taxonomies/123/policyTags/abc' }
+
+    let(:table_schema_fields) do
+      [
+        double('field', name: 'email').tap { |f| allow(f).to receive(:policy_tags=) },
+        double('field', name: 'name').tap { |f| allow(f).to receive(:policy_tags=) },
+        double('field', name: 'created_at').tap { |f| allow(f).to receive(:policy_tags=) }
+      ]
+    end
+
+    let(:schema) do
+      instance_double(Google::Apis::BigqueryV2::TableSchema, fields: table_schema_fields)
+    end
+
+    let(:table) do
+      instance_double(Google::Apis::BigqueryV2::Table, schema: schema)
+    end
+
+    before do
+      allow(client).to receive(:get_table).with(
+        test_dummy_config[:bigquery_project_id],
+        'airbyte_dataset',
+        'users'
+      ).and_return(table)
+
+      allow(client).to receive(:patch_table)
+    end
+
+    it 'updates policy tags for matching columns only' do
+      with_analytics_config(test_dummy_config.merge(bigquery_airbyte_dataset: 'airbyte_dataset')) do
+        expect(client).to receive(:patch_table).with(
+          test_dummy_config[:bigquery_project_id],
+          'airbyte_dataset',
+          'users',
+          an_instance_of(Google::Apis::BigqueryV2::Table),
+          fields: 'schema'
+        )
+
+        described_class.apply_policy_tags(tables, policy_tag)
+
+        expect(table_schema_fields[0]).to have_received(:policy_tags=)
+        expect(table_schema_fields[1]).to have_received(:policy_tags=)
+        expect(table_schema_fields[2]).not_to have_received(:policy_tags=)
+      end
+    end
+
+    context 'when get_table raises a ClientError' do
+      it 'raises a PolicyTagError and logs the error' do
+        with_analytics_config(test_dummy_config.merge(bigquery_airbyte_dataset: 'airbyte_dataset')) do
+          allow(client).to receive(:get_table).and_raise(Google::Apis::ClientError.new('Table not found'))
+          expect(Rails.logger).to receive(:error).with(/Failed to retrieve table: users/)
+          expect do
+            described_class.apply_policy_tags(tables, policy_tag)
+          end.to raise_error(DfE::Analytics::BigQueryApi::PolicyTagError)
+        end
+      end
+    end
+
+    context 'when patch_table raises a ClientError' do
+      it 'raises a PolicyTagError and logs the error' do
+        with_analytics_config(test_dummy_config.merge(bigquery_airbyte_dataset: 'airbyte_dataset')) do
+          allow(client).to receive(:patch_table).and_raise(Google::Apis::ClientError.new('Invalid schema'))
+          expect(Rails.logger).to receive(:error).with(/Failed to update table: users/)
+          expect do
+            described_class.apply_policy_tags(tables, policy_tag)
+          end.to raise_error(DfE::Analytics::BigQueryApi::PolicyTagError)
+        end
+      end
+    end
+  end
 end