ethyca-fides 2.58.2b2__py2.py3-none-any.whl → 2.58.2b5__py2.py3-none-any.whl

fides/api/alembic/migrations/versions/9288f729cac4_add_tcf_configuration_fk_to_experience_.py

@@ -0,0 +1,62 @@
+"""Add tcf_configuration FK to experience config
+
+Revision ID: 9288f729cac4
+Revises: 99c603c1b8f9
+Create Date: 2025-04-07 18:49:31.843362
+
+"""
+
+import sqlalchemy as sa
+from alembic import op
+
+# revision identifiers, used by Alembic.
+revision = "9288f729cac4"
+down_revision = "99c603c1b8f9"
+branch_labels = None
+depends_on = None
+
+
+def upgrade():
+    # ### commands auto generated by Alembic - please adjust! ###
+    op.add_column(
+        "privacyexperienceconfig",
+        sa.Column("tcf_configuration_id", sa.String(), nullable=True),
+    )
+    op.create_foreign_key(
+        "privacyexperienceconfig_tcf_configuration_fkey",
+        "privacyexperienceconfig",
+        "tcf_configuration",
+        ["tcf_configuration_id"],
+        ["id"],
+        ondelete="SET NULL",
+    )
+    op.add_column(
+        "privacyexperienceconfighistory",
+        sa.Column("tcf_configuration_id", sa.String(), nullable=True),
+    )
+    op.create_foreign_key(
+        "privacyexperienceconfighistory_tcf_configuration_fkey",
+        "privacyexperienceconfighistory",
+        "tcf_configuration",
+        ["tcf_configuration_id"],
+        ["id"],
+        ondelete="SET NULL",
+    )
+    # ### end Alembic commands ###
+
+
+def downgrade():
+    # ### commands auto generated by Alembic - please adjust! ###
+    op.drop_constraint(
+        "privacyexperienceconfighistory_tcf_configuration_fkey",
+        "privacyexperienceconfighistory",
+        type_="foreignkey",
+    )
+    op.drop_column("privacyexperienceconfighistory", "tcf_configuration_id")
+    op.drop_constraint(
+        "privacyexperienceconfig_tcf_configuration_fkey",
+        "privacyexperienceconfig",
+        type_="foreignkey",
+    )
+    op.drop_column("privacyexperienceconfig", "tcf_configuration_id")
+    # ### end Alembic commands ###

fides/api/alembic/migrations/versions/99c603c1b8f9_add_password_login_enabled_and_totp_secret_to_fidesuser.py

@@ -0,0 +1,45 @@
+"""add password login enabled and totp secret to fidesuser
+
+Revision ID: 99c603c1b8f9
+Revises: 6e565c16dae1
+Create Date: 2025-04-02 01:55:57.890545
+
+"""
+
+import sqlalchemy as sa
+import sqlalchemy_utils
+from alembic import op
+
+# revision identifiers, used by Alembic.
+revision = "99c603c1b8f9"
+down_revision = "6e565c16dae1"
+branch_labels = None
+depends_on = None
+
+
+def upgrade():
+    op.add_column(
+        "fidesuser",
+        sa.Column(
+            "password_login_enabled",
+            sa.Boolean(),
+            nullable=True,
+        ),
+    )
+    op.add_column(
+        "fidesuser",
+        sa.Column(
+            "totp_secret",
+            sqlalchemy_utils.types.encrypted.encrypted_type.StringEncryptedType(),
+            nullable=True,
+        ),
+    )
+    op.alter_column("fidesuser", "hashed_password", nullable=True)
+    op.alter_column("fidesuser", "salt", nullable=True)
+
+
+def downgrade():
+    op.alter_column("fidesuser", "hashed_password", nullable=False)
+    op.alter_column("fidesuser", "salt", nullable=False)
+    op.drop_column("fidesuser", "totp_secret")
+    op.drop_column("fidesuser", "password_login_enabled")

fides/api/api/v1/endpoints/user_endpoints.py

@@ -54,11 +54,7 @@ from fides.api.schemas.user import (
     UserResponse,
     UserUpdate,
 )
-from fides.api.service.user.fides_user_service import (
-    accept_invite,
-    invite_user,
-    perform_login,
-)
+from fides.api.service.deps import get_user_service
 from fides.api.util.api_router import APIRouter
 from fides.common.api.scope_registry import (
     SCOPE_REGISTRY,
@@ -75,6 +71,7 @@ from fides.common.api.v1 import urn_registry as urls
 from fides.common.api.v1.urn_registry import V1_URL_PREFIX
 from fides.config import CONFIG, FidesConfig, get_config
 from fides.config.config_proxy import ConfigProxy
+from fides.service.user.user_service import UserService
 
 router = APIRouter(tags=["Users"], prefix=V1_URL_PREFIX)
 
@@ -423,6 +420,7 @@ def create_user(
     db: Session = Depends(get_db),
     user_data: UserCreate,
     config_proxy: ConfigProxy = Depends(get_config_proxy),
+    user_service: UserService = Depends(get_user_service),
 ) -> FidesUser:
     """
     Create a user given a username and password.
@@ -461,7 +459,7 @@ def create_user(
     user = FidesUser.create(db=db, data=user_data.model_dump(mode="json"))
 
     # invite user via email
-    invite_user(db=db, config_proxy=config_proxy, user=user)
+    user_service.invite_user(user)
 
     logger.info("Created user with id: '{}'.", user.id)
     FidesUserPermissions.create(
@@ -544,6 +542,7 @@ def user_login(
     db: Session = Depends(get_db),
     config: FidesConfig = Depends(get_config),
     user_data: UserLogin,
+    user_service: UserService = Depends(get_user_service),
 ) -> UserLoginResponse:
     """Login the user by creating a client if it doesn't exist, and have that client
     generate a token."""
@@ -602,8 +601,7 @@ def user_login(
         # from complaining.
         user = user_check
 
-        client = perform_login(
-            db,
+        client = user_service.perform_login(
             config.security.oauth_client_id_length_bytes,
             config.security.oauth_client_secret_length_bytes,
             user,
@@ -666,9 +664,9 @@ def verify_invite_code(
 def accept_user_invite(
     *,
     db: Session = Depends(get_db),
-    config: FidesConfig = Depends(get_config),
     user_data: UserForcePasswordReset,
     verified_invite: FidesUserInvite = Depends(verify_invite_code),
+    user_service: UserService = Depends(get_user_service),
 ) -> UserLoginResponse:
     """Sets the password and enables the user if a valid username and invite code are provided."""
 
@@ -681,9 +679,7 @@ def accept_user_invite(
             detail=f"User with username {verified_invite.username} does not exist.",
         )
 
-    user, access_code = accept_invite(
-        db=db, config=config, user=user, new_password=user_data.new_password
-    )
+    user, access_code = user_service.accept_invite(user, user_data.new_password)
 
     return UserLoginResponse(
         user_data=user,

fides/api/models/detection_discovery.py

@@ -2,6 +2,7 @@ from __future__ import annotations
 
 from datetime import datetime
 from enum import Enum
+from re import match
 from typing import Any, Dict, Iterable, List, Optional, Type
 
 from loguru import logger
@@ -35,9 +36,17 @@ class MonitorFrequency(Enum):
     DAILY = "Daily"
     WEEKLY = "Weekly"
     MONTHLY = "Monthly"
+    QUARTERLY = "Quarterly"
+    YEARLY = "Yearly"
     NOT_SCHEDULED = "Not scheduled"
 
 
+# pattern for a string of 4 comma-separated integers,
+# used to represent the months of the year that the monitor will run
+# on quarterly basis, in cron format
+QUARTERLY_MONTH_PATTERN = r"^\d+,\d+,\d+,\d+$"
+
+
 class MonitorConfig(Base):
     """
     Monitor configuration used for data detection and discovery.
@@ -138,6 +147,13 @@ class MonitorConfig(Base):
             or self.monitor_execution_trigger.get("hour", None) is None
         ):
             return MonitorFrequency.NOT_SCHEDULED
+        month_trigger = self.monitor_execution_trigger.get("month", None)
+        if month_trigger is not None:
+            if isinstance(month_trigger, str) and match(
+                QUARTERLY_MONTH_PATTERN, month_trigger
+            ):
+                return MonitorFrequency.QUARTERLY
+            return MonitorFrequency.YEARLY
         if self.monitor_execution_trigger.get("day", None) is not None:
             return MonitorFrequency.MONTHLY
         if self.monitor_execution_trigger.get("day_of_week", None) is not None:
@@ -201,6 +217,10 @@ class MonitorConfig(Base):
         a Tuesday.
         - with an `execution_frequency` of "monthly", it will result in monthly
         execution at 12:00:00+00:00 on the 14th day of every month.
+        - with an `execution_frequency` of "quarterly", it will result in quarterly
+        execution at 12:00:00+00:00 on the 14th day of the first month of each quarter.
+        - with an `execution_frequency` of "yearly", it will result in yearly
+        execution at 12:00:00+00:00 on May 14th of each year.
 
         See https://apscheduler.readthedocs.io/en/3.x/modules/triggers/cron.html
         for more information about the cron trigger parameters.
@@ -221,6 +241,17 @@ class MonitorConfig(Base):
                 cron_trigger_dict["day_of_week"] = execution_start_date.weekday()
             if execution_frequency == MonitorFrequency.MONTHLY:
                 cron_trigger_dict["day"] = execution_start_date.day
+            if execution_frequency == MonitorFrequency.QUARTERLY:
+                cron_trigger_dict["day"] = execution_start_date.day
+                # Calculate which month of the quarter (0-2) this is
+                month_of_quarter = (execution_start_date.month - 1) % 3
+                # Set to run in the same month of each quarter (1, 4, 7, 10 for first month)
+                cron_trigger_dict["month"] = (
+                    f"{1 + month_of_quarter},{4 + month_of_quarter},{7 + month_of_quarter},{10 + month_of_quarter}"
+                )
+            if execution_frequency == MonitorFrequency.YEARLY:
+                cron_trigger_dict["day"] = execution_start_date.day
+                cron_trigger_dict["month"] = execution_start_date.month
             data["monitor_execution_trigger"] = cron_trigger_dict
 
 

fides/api/models/fides_user.py

@@ -1,7 +1,6 @@
 # pylint: disable=unused-import
 from __future__ import annotations
 
-import uuid
 from datetime import datetime
 from typing import TYPE_CHECKING, Any, List
 
@@ -10,6 +9,10 @@ from sqlalchemy import Boolean, Column, DateTime
 from sqlalchemy import Enum as EnumColumn
 from sqlalchemy import String
 from sqlalchemy.orm import Session, relationship
+from sqlalchemy_utils.types.encrypted.encrypted_type import (
+    AesGcmEngine,
+    StringEncryptedType,
+)
 
 from fides.api.common_exceptions import SystemManagerException
 from fides.api.cryptography.cryptographic_util import (
@@ -20,8 +23,8 @@ from fides.api.db.base_class import Base
 from fides.api.models.audit_log import AuditLog
 
 # Intentionally importing SystemManager here to build the FidesUser.systems relationship
-from fides.api.models.system_manager import SystemManager  # type: ignore[unused-import]
 from fides.api.schemas.user import DisabledReason
+from fides.config import CONFIG
 
 if TYPE_CHECKING:
     from fides.api.models.sql_models import System  # type: ignore[attr-defined]
@@ -34,12 +37,22 @@ class FidesUser(Base):
     email_address = Column(CIText, unique=True, nullable=True)
     first_name = Column(String, nullable=True)
     last_name = Column(String, nullable=True)
-    hashed_password = Column(String, nullable=False)
-    salt = Column(String, nullable=False)
+    hashed_password = Column(String, nullable=True)
+    salt = Column(String, nullable=True)
     disabled = Column(Boolean, nullable=False, server_default="f")
     disabled_reason = Column(EnumColumn(DisabledReason), nullable=True)
     last_login_at = Column(DateTime(timezone=True), nullable=True)
     password_reset_at = Column(DateTime(timezone=True), nullable=True)
+    password_login_enabled = Column(Boolean, nullable=True)
+    totp_secret = Column(
+        StringEncryptedType(
+            type_in=String(),
+            key=CONFIG.security.app_encryption_key,
+            engine=AesGcmEngine,
+            padding="pkcs5",
+        ),
+        nullable=True,
+    )
 
     # passive_deletes="all" prevents audit logs from having their
     # privacy_request_id set to null when a privacy_request is deleted.
@@ -79,11 +92,11 @@ class FidesUser(Base):
         """Create a FidesUser by hashing the password with a generated salt
         and storing the hashed password and the salt"""
 
-        # we set a dummy password if one isn't provided because this means it's part of the user
-        # invite flow and the password will be set by the user after they accept their invite
-        hashed_password, salt = FidesUser.hash_password(
-            data.get("password") or str(uuid.uuid4())
-        )
+        if password := data.get("password"):
+            hashed_password, salt = FidesUser.hash_password(password)
+        else:
+            hashed_password = None
+            salt = None
 
         user = super().create(
             db,
@@ -96,6 +109,7 @@ class FidesUser(Base):
                 "last_name": data.get("last_name"),
                 "disabled": data.get("disabled") or False,
                 "disabled_reason": data.get("disabled_reason"),
+                "password_login_enabled": data.get("password_login_enabled"),
             },
             check_name=check_name,
         )
@@ -104,6 +118,9 @@ class FidesUser(Base):
 
     def credentials_valid(self, password: str, encoding: str = "UTF-8") -> bool:
         """Verifies that the provided password is correct."""
+        if self.salt is None:
+            return False
+
         provided_password_hash = hash_credential_with_salt(
             password.encode(encoding),
             self.salt.encode(encoding),

fides/api/models/fides_user_invite.py

@@ -67,6 +67,8 @@ class FidesUserInvite(Base):
 
     def invite_code_valid(self, invite_code: str, encoding: str = "UTF-8") -> bool:
         """Verifies that the provided invite code is correct."""
+        if self.salt is None:
+            return False
 
         invite_code_hash = hash_credential_with_salt(
             invite_code.encode(encoding),

fides/api/models/privacy_experience.py

@@ -20,6 +20,7 @@ from fides.api.models import (
 from fides.api.models.location_regulation_selections import PrivacyNoticeRegion
 from fides.api.models.privacy_notice import PrivacyNotice
 from fides.api.models.property import Property
+from fides.api.models.tcf_publisher_restrictions import TCFConfiguration
 from fides.api.schemas.language import SupportedLanguage
 
 
@@ -228,6 +229,13 @@ class PrivacyExperienceConfig(PrivacyExperienceConfigBase, Base):
         EnumColumn(RejectAllMechanism),
         nullable=True,
     )
+    # Optional FK to a TCF Configuration
+
+    tcf_configuration_id = Column(
+        String,
+        ForeignKey(TCFConfiguration.id_field_path, ondelete="SET NULL"),
+        nullable=True,
+    )
 
     # Relationships
     experiences = relationship(
@@ -258,6 +266,12 @@ class PrivacyExperienceConfig(PrivacyExperienceConfigBase, Base):
         lazy="selectin",
     )
 
+    tcf_configuration: RelationshipProperty[Optional[TCFConfiguration]] = relationship(
+        "TCFConfiguration",
+        back_populates="privacy_experience_configs",
+        lazy="selectin",
+    )
+
     @property
     def regions(self) -> List[PrivacyNoticeRegion]:
         """Return the regions using this experience config"""
@@ -548,6 +562,17 @@ class PrivacyExperienceConfigHistory(
         EnumColumn(RejectAllMechanism),
         nullable=True,
     )
+    # Optional FK to a TCF Configuration
+    tcf_configuration_id = Column(
+        String,
+        ForeignKey(TCFConfiguration.id_field_path, ondelete="SET NULL"),
+        nullable=True,
+    )
+
+    tcf_configuration: RelationshipProperty[Optional[TCFConfiguration]] = relationship(
+        "TCFConfiguration",
+        lazy="selectin",
+    )
 
     version = Column(Float, nullable=False, default=1.0)
 
@@ -611,6 +636,7 @@ class PrivacyExperience(Base):
     tcf_special_features: List = []
     tcf_system_consents: List = []
     tcf_system_legitimate_interests: List = []
+    tcf_publisher_restrictions: List = []
     gvl: Optional[Dict] = {}
     # TCF Developer-Friendly Meta added at runtime as the result of build_tc_data_for_mobile
     meta: Dict = {}