ENG-13633: Initial discovery and classification implementation

[ccampo133]

Description of the change

Initial implementation of Dmap's discovery and classification feature.

Includes a dmap CLI which can be used as follows:

$ dmap --help             
Usage: dmap <command> [flags]

Assess your data security posture in AWS.

Flags:
  -h, --help                 Show context-sensitive help.
      --log-level="info"     Set the logging level (trace|debug|info|warn|error|fatal)
      --log-format="text"    Set the logging format (text|json)
      --version              Print version information and quit

Commands:
  repo-scan    Perform data discovery and classification on a data repository.

Run "dmap <command> --help" for more information on a command.

The repo-scan sub-command performs the data discovery and classification. Currently it just prints the output to stdout, in JSON form, example:

$ dmap repo-scan --type postgres --database postgres --host ... --port ...  --user ... --password ...
{
    "labels": [
        {
            "name": "ADDRESS",
            "description": "Address",
            "tags": [
                "PII"
            ]
        },
        ...
    ],
    "classifications": [
        {
            "attributePath": [
                "postgres",
                "public",
                "doctors",
                "address2"
            ],
            "labels": [
                "ADDRESS"
            ]
        },
        ...
    ]
}

Note that some of the details like command name, parameters, etc. are subject to change until the first stable version is released.

Additionally, most of the code that powers the CLI has been added as public packages to the main module, enhancing the API of the existing Dmap library. Users can use these packages to implement their own discovery and classification tooling if desired. There are two new top-level packages added to the public API:

• classification - provides an API to perform data classification on arbitrary string data.
• sql - provides an API to introspect, sample, and scan (which is introspect + sample + classify) SQL data repositories.

A new RepoScanner interface was also added to the scan package.

Type of change

• Bug fix (non-breaking change that fixes an issue).
• New feature (non-breaking change that adds functionality).
• Breaking change (fix or feature that would cause existing functionality to not work as expected).

Checklists

Development

• Lint rules pass locally.
• The code changed/added as part of this pull request has been covered with tests.
• All tests related to the changed code pass.

Code review

• This pull request has a descriptive title and information useful to a reviewer. There may be a screenshot or screencast attached.
• Jira issue referenced in commit message and/or PR title.

Testing

Unit and manual testing.

[yoursnerdly]

A big PR, thanks for the effort @ccampo133 - I've taken a quick initial pass, skipping over repo specific code that I know is from an existing implementation.

[yoursnerdly]

What's the benefit of building within the Dockerfile?

[ccampo133]

I thought that it simplified the build process, since we just need to run a single command and don't need to do any sort of relative path copying, and also makes it somewhat self contained. However if we plan to release a binary in addition to the Docker image (we probably should), then we should also change this up to pull the binary from that build step and include it in the image.

[yoursnerdly]

Maybe you should log the error and move on - if there's a mistake in one of the rego classifiers, we can still use the others.

[ccampo133]

Good call. I tried to find a way of not doing this stuff at runtime and instead at compile time, but came up blank. If you have any ideas, LMK. We will need runtime parsing of classifier code to support custom labels in any case, but I'd prefer not having the possibility of us releasing a binary with potentially broken classifiers.

[yoursnerdly]

Well at compile time you could do a "test" run with some input and check for the output format. That still doesn't rule out the possibility (in theory) though that the rego code will give output in some other format for some other inputs.

[ccampo133]

@VictorGFM @yoursnerdly after a bunch of churn, I believe this is good to go, at least for the initial implementation. I put a lot of effort into minimizing the public API surface through a bunch of refactoring, but the code is largely the same. The main difference being representing attributes as a path array (e.g. [db, schema, table, column]) and also reporting the labels along with the classifications.

[VictorGFM]

@ccampo133 The package organization and type definitions look really good! I left a few comments below for your consideration. I'll let the approval to @yoursnerdly since he got the chance to take a look at the implementation in more detail.

[VictorGFM]

What do you think about moving the Repository implementations to a separate package? Maybe a package within sql named repository, seems easier to understand the repo implementations from the type definitions and utilities if they're in separated packages.

[ccampo133]

That was the original design actually. If you think it makes it clearer, I am happy to do that. I thought just having a single package was easier from an API consumer perspective, but if you don't think so, let's change it.

[ccampo133]

Actually what ends up happening is you get a circular dependency, which is difficult to avoid. For example, if we have the following package layout:

sql/
  scanner.go
  sample.go
  repository/
    mysql.go

The scanner depends on the repository package, but the repository package will depend on the sql package to use the Sample type, and thus you get the circular dependency. What ends up happening is that the only thing that can live in the sql package by itself is the Scanner type. Everything else needs to go in the repository package, which is annoying and sort of defeats the purpose.

WDYT?

[VictorGFM]

Oh, I see the problem with circular dependency now. In that case I think it's fine to keep the way it is on the sql package.

[yoursnerdly]

This is looking really good @ccampo133, thanks for the huge PR. Please look at my comments (mostly nitpicks).

[yoursnerdly]

Oracle does support multiple databases (in a very confusing way) since version 12c, there is a root CDB and then multiple PDBs within that. I think we need to support those scenarios as well - perhaps in a future PR.

For now, we can tell the UI to expect no database name for Oracle (just schema, table, column) but if we do later support PDB etc, the attribute path may have 3 or 4 entries depending upon on the version etc. In the latter case, the first entry should be interpreted as the database name.

[ccampo133]

Thanks - we should add support for this in a future PR then. I will need to research how Oracle works to add support for it, or delegate it to somebody more experienced with Oracle.

[yoursnerdly]

Thanks Chris, this looks good to me. Just a couple of nitpicks.

[yoursnerdly]

Does this work if the path begins with ... Based on the documentation, it looks like it should but just checking.

We should document somewhere that the relative paths in the yaml file are relative to the directory containing the yaml file itself (and not the current directory).

[ccampo133]

Thanks - it works now but there were actually some bugs around this. I added some test cases to cover them. The part about the path being relative to the file is documented in the embedded labels.yaml file as a header comment. I will also ensure this is documented in the public README, when it is updated.

[yoursnerdly]

Maybe we should return error if len(lbls) == 0 since there is no point scanning the db if there are no labels.

[yoursnerdly]

golangci-lint seems to be running into some internal errors - will need to look into that.