
5. Install the Redact Text Extension

Overview


In this section, you will use the Pangea Redact Text Extension to remove sensitive data or Personally Identifiable Information (PII), such as names, email addresses, phone numbers, credit card numbers or Social Security numbers, from a string by adding it to a specified Cloud Firestore Collection. String sanitization, or redaction, can be used to prevent users from disclosing personal information, or even offensive language, in your application's social features, for example in the user-provided comments or review section of a form.

Prerequisites


Install and configure the Extension


Step 1: Click the Redact Text Extension install link, and select the Firebase project you'd like to deploy the Extension to:

Screenshot

Step 2: Accept the Early Access acknowledgement by clicking the Next button:

Screenshot

Step 3: Review the billing and usage details, and tap the Next button. If you have not done so already, you'll be presented with the option to upgrade your Firebase account to a pay-as-you-go plan, and you can do so by clicking the Upgrade project to continue button and following the instructions:

Screenshot

Step 4: Review the APIs and the resources that this Extension will create. If any required Firebase services are not yet enabled, tap the Enable button next to each required service and then click the Next button.

Screenshot

note

The extension declares a single function to invoke the Redact service:

fsredact - listens for changes made to a Firestore collection. You can invoke this Extension to redact sensitive strings from text by writing to a document in a specified collection with the text you'd like to sanitize in the specific field.

Step 5: In the Review access granted to this extension section, grant the extension permission to Cloud Datastore User and Secret Manager Secret Accessor by clicking the Next button.

Screenshot

note

The Cloud Datastore User permission will be used to read and write the responses of the Pangea Redact service to a Firestore document. The Secret Manager Secret Accessor permission is required to store your Pangea Auth Token.

Step 6: In the final step of the install process, Configure extension, you'll be asked to provide a few parameters, some of which are optional. The first two are the region you want to deploy the Extension to and where your Pangea services are deployed, respectively. The Extension should be deployed as close as possible to your Cloud Firestore database, so ideally in the same region you used when you configured it. The Pangea service base Domain and Auth Token can be copied from the Redact Overview page of the Pangea Console. The Pangea Auth Token should be stored in Google Secret Manager. To do so, click the Create secret button next to its input field after entering the token value.

The Collection path and Input field name are the Firestore paths to which you write the text that will be sanitized, and the Redaction output field name is the path to which the Extension writes the response of each request.

note

You can use the default values for now and reconfigure your Extension later.

Screenshot

To complete the installation, click the Install extension button.

note

It may take Firebase 3-5 minutes to deploy your Extension.

When it completes, you should see it listed under the Extensions section of your Firebase Console.

Screenshot

That's it! You now have Redact Text Extension enabled in your Firebase app and can read and write to the specified collection to obtain a redacted version of your input string.

Test Redact with server-defined Rulesets


Use the Pangea Console to define rules

To test the Redact service, you'll need to configure Rulesets to determine what class of data should be redacted from the input string. To do so, perform the following steps:

Step 1: Navigate to the Redact Rulesets View of the Pangea Console and select a ruleset category such as PII.

Step 2: From the right-hand column, enable the rules you'd like to be applied to each redact operation. For example, to redact email addresses and people's names, enable the Email Address and Person rules.

Step 3: Click the Save button to confirm the update to the ruleset.

Screenshot

Use the Firebase Console to create a document and invoke the Redact services

When you installed the Redact Text Extension, you configured it to listen to changes to a specific Document in your application's Firestore database. You can apply the rulesets defined in the Pangea Console to a string by simply writing it to a Document. In this section, you will test this functionality using the Firebase Console user interface. To do so, perform the following steps:

Step 1: From the Firebase Console, expand the Build category and select Firestore Database from the left-hand menu.

Screenshot

Step 2: Select the Start collection option from the Panel View, and because you used the default collection name when installing the Secure Audit Logging Extension, enter 'redact' as the Collection ID and click the Next button.

note

The collection names are case-sensitive. Use all lowercase letters in the Collection ID field.

Screenshot

Step 3: To add the Document to the Collection, click the Auto-ID button to generate an ID for the Document. Then, if you used the default configuration parameters when you installed the Extension, enter 'input' as the Field value and set the Type to string.

Set the Value field to a test string like Hello, my name is Nicolas. A document with an auto-generated Document ID and single Field of type string should look similar to this:

Screenshot

Then, to create the Document and trigger the Redact service, click the Save button.

In a few moments, you should see a redacted field containing a modified version of the string added to the Document as a peer to the input field you created.

Screenshot

Redact Text by writing to Firestore

The Redact Text Extension will be invoked by any write operation to the Document it is configured to observe. The Cloud Firestore Panel view is a great way to test the Extension by quickly creating and editing Firestore documents, but you'll want to redact text from your application code. With the Redact Text Extension installed, you can do so from anywhere in your application that can write to Firestore.

Here is a quick example of how to create the same Document programmatically:

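import {getFirestore} from "firebase-admin/firestore";

// Assumes the Admin SDK has already been initialized with initializeApp().
// Adding a document to the watched collection triggers the Extension.
getFirestore().collection("redact").add({
  input: "Hello, my name is Nicolas",
});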

You can also provide multiple strings to redact by setting the input field to an array of strings:

import {getFirestore} from "firebase-admin/firestore";

// Each element of the input array is redacted.
getFirestore().collection("redact").add({
  input: [
    "Hello, my name is Nicolas",
    "and my email is nicolas.vautier@pangea.cloud",
  ],
});

The result will look similar to:

Screenshot
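
The redacted field appears a few moments after the write, as a peer to the input field, so code that needs the sanitized text has to wait for it rather than read the document back immediately. The following added example (not part of the original page and not Pangea's code) waits for that field and returns only its value, so the raw input is never passed on to display code. The output field name `redacted`, the helper names `waitForRedacted` and `makeStubDoc`, and the in-memory stub are assumptions made for illustration.

```javascript
// Added example, not Pangea's code. Assumes the output field is "redacted";
// use whatever you set as "Redaction output field name".
function waitForRedacted(docRef, { outputField = "redacted", timeoutMs = 15000 } = {}) {
  return new Promise((resolve, reject) => {
    let done = false;
    let unsubscribe = null;
    const finish = (settle, arg) => {
      if (done) return;
      done = true;
      clearTimeout(timer);
      if (unsubscribe) unsubscribe(); // stop listening once we have an answer
      settle(arg);
    };
    const timer = setTimeout(
      () => finish(reject, new Error(`no "${outputField}" field after ${timeoutMs} ms`)),
      timeoutMs,
    );
    unsubscribe = docRef.onSnapshot(
      (snap) => {
        // The first snapshot is the app's own write and has no output field yet.
        const value = snap.exists ? snap.get(outputField) : undefined;
        if (value !== undefined) finish(resolve, value);
      },
      (err) => finish(reject, err),
    );
    if (done) unsubscribe(); // listener fired synchronously before assignment
  });
}

// Constructed in-memory stand-in for a DocumentReference so this runs offline.
function makeStubDoc() {
  const listeners = new Set();
  return {
    listenerCount: () => listeners.size,
    onSnapshot(onNext) {
      listeners.add(onNext);
      return () => listeners.delete(onNext);
    },
    // Simulates a document write (first by the app, later by the extension).
    set(data) {
      const snap = { exists: true, get: (field) => data[field] };
      [...listeners].forEach((listener) => listener(snap));
    },
  };
}

// With the Admin SDK (as in the snippets above):
//   const ref = await getFirestore().collection("redact").add({ input: text });
//   const safeText = await waitForRedacted(ref);
```

A timeout here usually means the write went to a collection or field other than the one the Extension was configured to observe.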