ethyca-fides 2.58.2b3__py2.py3-none-any.whl → 2.58.2rc0__py2.py3-none-any.whl

fides/_version.py

@@ -8,11 +8,11 @@ import json
 
 version_json = '''
 {
- "date": "2025-04-07T11:00:37-0700",
+ "date": "2025-04-09T11:48:07+0200",
  "dirty": false,
  "error": null,
- "full-revisionid": "5ca76c93967b67efa2621c2ec0299aeeca92c5d2",
- "version": "2.58.2b3"
+ "full-revisionid": "90178f03d530f5525b2acc955bdea0cde7751c7a",
+ "version": "2.58.2rc0"
 }
 '''  # END VERSION_JSON
 

fides/api/api/deps.py

@@ -29,14 +29,8 @@ def get_db() -> Generator:
 
 
 @contextmanager
-def get_autoclose_db_session() -> Generator[Session, None, None]:
-    """
-    Return a database session as a context manager that automatically closes when the context exits.
-
-    Unlike get_api_session which is managed by FastAPI's dependency injection,
-    this context manager explicitly closes the session when exiting the context.
-    Use this when you need manual control over the session lifecycle outside of API endpoints.
-    """
+def get_db_contextmanager() -> Generator[Session, None, None]:
+    """Return our database session as a context manager"""
     try:
         db = get_api_session()
         yield db

fides/api/api/v1/endpoints/user_endpoints.py

@@ -54,7 +54,11 @@ from fides.api.schemas.user import (
     UserResponse,
     UserUpdate,
 )
-from fides.api.service.deps import get_user_service
+from fides.api.service.user.fides_user_service import (
+    accept_invite,
+    invite_user,
+    perform_login,
+)
 from fides.api.util.api_router import APIRouter
 from fides.common.api.scope_registry import (
     SCOPE_REGISTRY,
@@ -71,7 +75,6 @@ from fides.common.api.v1 import urn_registry as urls
 from fides.common.api.v1.urn_registry import V1_URL_PREFIX
 from fides.config import CONFIG, FidesConfig, get_config
 from fides.config.config_proxy import ConfigProxy
-from fides.service.user.user_service import UserService
 
 router = APIRouter(tags=["Users"], prefix=V1_URL_PREFIX)
 
@@ -420,7 +423,6 @@ def create_user(
     db: Session = Depends(get_db),
     user_data: UserCreate,
     config_proxy: ConfigProxy = Depends(get_config_proxy),
-    user_service: UserService = Depends(get_user_service),
 ) -> FidesUser:
     """
     Create a user given a username and password.
@@ -459,7 +461,7 @@ def create_user(
     user = FidesUser.create(db=db, data=user_data.model_dump(mode="json"))
 
     # invite user via email
-    user_service.invite_user(user)
+    invite_user(db=db, config_proxy=config_proxy, user=user)
 
     logger.info("Created user with id: '{}'.", user.id)
     FidesUserPermissions.create(
@@ -542,7 +544,6 @@ def user_login(
     db: Session = Depends(get_db),
     config: FidesConfig = Depends(get_config),
     user_data: UserLogin,
-    user_service: UserService = Depends(get_user_service),
 ) -> UserLoginResponse:
     """Login the user by creating a client if it doesn't exist, and have that client
     generate a token."""
@@ -601,7 +602,8 @@ def user_login(
         # from complaining.
         user = user_check
 
-        client = user_service.perform_login(
+        client = perform_login(
+            db,
             config.security.oauth_client_id_length_bytes,
             config.security.oauth_client_secret_length_bytes,
             user,
@@ -664,9 +666,9 @@ def verify_invite_code(
 def accept_user_invite(
     *,
     db: Session = Depends(get_db),
+    config: FidesConfig = Depends(get_config),
     user_data: UserForcePasswordReset,
     verified_invite: FidesUserInvite = Depends(verify_invite_code),
-    user_service: UserService = Depends(get_user_service),
 ) -> UserLoginResponse:
     """Sets the password and enables the user if a valid username and invite code are provided."""
 
@@ -679,7 +681,9 @@ def accept_user_invite(
             detail=f"User with username {verified_invite.username} does not exist.",
         )
 
-    user, access_code = user_service.accept_invite(user, user_data.new_password)
+    user, access_code = accept_invite(
+        db=db, config=config, user=user, new_password=user_data.new_password
+    )
 
     return UserLoginResponse(
         user_data=user,

fides/api/cryptography/identity_salt.py

@@ -3,8 +3,9 @@ from functools import cache
 
 from loguru import logger
 
-from fides.api.api.deps import get_autoclose_db_session
+from fides.api.db.session import get_db_session
 from fides.api.models.identity_salt import IdentitySalt
+from fides.config import CONFIG
 
 
 @cache
@@ -14,14 +15,14 @@ def get_identity_salt() -> str:
     This function is cached to avoid repeated calls to the database for the same value.
     """
 
-    with get_autoclose_db_session() as db:
-        existing_salt = db.query(IdentitySalt).first()
-        if existing_salt is None:
-            new_salt = IdentitySalt.create(
-                db, data={"encrypted_value": {"value": secrets.token_hex(32)}}
-            )
-            logger.info("Created new identity salt.")
-            return new_salt.encrypted_value.get("value")
-
-        logger.info("Caching existing identity salt.")
-        return existing_salt.encrypted_value.get("value")
+    SessionLocal = get_db_session(CONFIG)
+    db = SessionLocal()
+    existing_salt = db.query(IdentitySalt).first()
+    if existing_salt is None:
+        new_salt = IdentitySalt.create(
+            db, data={"encrypted_value": {"value": secrets.token_hex(32)}}
+        )
+        logger.info("Created new identity salt.")
+        return new_salt.encrypted_value.get("value")
+    logger.info("Caching existing identity salt.")
+    return existing_salt.encrypted_value.get("value")

fides/api/custom_types.py

@@ -66,13 +66,8 @@ def validate_html_str(val: str) -> str:
         "strong",
         "u",
     }
-
-    ALLOWED_ATTRIBUTES = {
-        "a": {"href", "hreflang", "target"},
-    }
-
     if val:
-        return clean(val, tags=ALLOWED_HTML_TAGS, attributes=ALLOWED_ATTRIBUTES)
+        return clean(val, tags=ALLOWED_HTML_TAGS)
     return val
 
 

fides/api/db/base.py

@@ -8,7 +8,6 @@ from fides.api.models.attachment import Attachment, AttachmentReference
 from fides.api.models.audit_log import AuditLog
 from fides.api.models.authentication_request import AuthenticationRequest
 from fides.api.models.client import ClientDetail
-from fides.api.models.comment import Comment, CommentReference
 from fides.api.models.connectionconfig import ConnectionConfig
 from fides.api.models.consent_automation import ConsentAutomation
 from fides.api.models.custom_asset import CustomAsset
@@ -59,8 +58,4 @@ from fides.api.models.storage import StorageConfig
 from fides.api.models.system_compass_sync import SystemCompassSync
 from fides.api.models.system_history import SystemHistory
 from fides.api.models.system_manager import SystemManager
-from fides.api.models.tcf_publisher_restrictions import (
-    TCFConfiguration,
-    TCFPublisherRestriction,
-)
 from fides.api.models.tcf_purpose_overrides import TCFPurposeOverride

fides/api/db/system.py

@@ -406,7 +406,9 @@ async def create_system(
 
     # create the system resource using generic creation
     # the system must be created before the privacy declarations so that it can be referenced
-    resource_dict = resource.model_dump()
+    resource_dict = resource.model_dump(
+        mode="json"
+    )  # mode=json helps Url fields be converted to strings before saving to db
 
     # set the current user's ID
     resource_dict["user_id"] = current_user_id

fides/api/migrations/hash_migration_job.py

@@ -2,7 +2,7 @@ from loguru import logger
 from sqlalchemy import text
 from sqlalchemy.orm import Session
 
-from fides.api.api.deps import get_autoclose_db_session
+from fides.api.api.deps import get_db_contextmanager
 from fides.api.db.base_class import FidesBase
 from fides.api.migrations.hash_migration_mixin import HashMigrationMixin
 from fides.api.migrations.hash_migration_tracker import HashMigrationTracker
@@ -47,7 +47,7 @@ def bcrypt_migration_task() -> None:
     Job to migrate all the tables using bcrypt hashes for general data (excludes tables with credentials).
     """
 
-    with get_autoclose_db_session() as db:
+    with get_db_contextmanager() as db:
         # Do a single pass to check if any of the models have already been migrated.
         # This will allow us to optimize searching for these models by not calling
         # the previously used bcrypt hash.

fides/api/models/attachment.py

@@ -1,13 +1,11 @@
 import os
 from enum import Enum as EnumType
-from io import BytesIO
-from typing import IO, TYPE_CHECKING, Any, Optional, Tuple, Union
+from typing import IO, Any, Optional
 
-from fideslang.validation import AnyHttpUrlString
 from loguru import logger as log
 from sqlalchemy import Column
 from sqlalchemy import Enum as EnumColumn
-from sqlalchemy import ForeignKey, String, UniqueConstraint, orm
+from sqlalchemy import ForeignKey, String, UniqueConstraint
 from sqlalchemy.ext.declarative import declared_attr
 from sqlalchemy.orm import Session, relationship
 
@@ -25,10 +23,6 @@ from fides.api.service.storage.util import (
     get_local_filename,
 )
 
-if TYPE_CHECKING:
-    from fides.api.models.comment import Comment
-    from fides.api.models.privacy_request import PrivacyRequest
-
 
 class AttachmentType(str, EnumType):
     """
@@ -59,9 +53,7 @@ class AttachmentReference(Base):
         """Overriding base class method to set the table name."""
         return "attachment_reference"
 
-    attachment_id = Column(
-        String, ForeignKey("attachment.id", ondelete="CASCADE"), nullable=False
-    )
+    attachment_id = Column(String, ForeignKey("attachment.id"), nullable=False)
     reference_id = Column(String, nullable=False)
     reference_type = Column(EnumColumn(AttachmentReferenceType), nullable=False)
 
@@ -71,8 +63,11 @@ class AttachmentReference(Base):
         ),
     )
 
-    # Relationships
-    attachment = relationship("Attachment", back_populates="references")
+    attachment = relationship(
+        "Attachment",
+        back_populates="references",
+        uselist=False,
+    )
 
     @classmethod
     def create(
@@ -105,11 +100,8 @@ class Attachment(Base):
     references = relationship(
         "AttachmentReference",
         back_populates="attachment",
-        cascade="all, delete-orphan",
+        cascade="all, delete",
         uselist=True,
-        foreign_keys=[AttachmentReference.attachment_id],
-        primaryjoin=lambda: Attachment.id
-        == orm.foreign(AttachmentReference.attachment_id),
     )
 
     config = relationship(
@@ -135,34 +127,13 @@ class Attachment(Base):
 
         if self.config.type == StorageType.local:
             filename = get_local_filename(self.id)
-
-            # Validate that attachment is a file-like object
-            if not hasattr(attachment, "read"):
-                raise TypeError(f"Expected a file-like object, got {type(attachment)}")
-
-            # Reset the file pointer to the beginning
-            try:
-                attachment.seek(0)
-            except Exception as e:
-                raise ValueError(f"Failed to reset file pointer for attachment: {e}")
-
-            # Write the file in chunks to avoid loading the entire content into memory
             with open(filename, "wb") as file:
-                for chunk in iter(
-                    lambda: attachment.read(1024 * 1024), b""
-                ):  # 1 MB chunks
-                    if not isinstance(chunk, bytes):
-                        raise TypeError(f"Expected bytes, got {type(chunk)}")
-                    file.write(chunk)
-
-            log.info(f"Uploaded {self.file_name} to local storage at {filename}")
+                file.write(attachment.read())
             return
 
         raise ValueError(f"Unsupported storage type: {self.config.type}")
 
-    def retrieve_attachment(
-        self,
-    ) -> Optional[Tuple[BytesIO, Union[AnyHttpUrlString, str]]]:
+    def retrieve_attachment(self) -> Optional[bytes]:
         """Returns the attachment from S3 in bytes form."""
         if self.config.type == StorageType.s3:
             bucket_name = f"{self.config.details[StorageDetails.BUCKET.value]}"
@@ -237,44 +208,4 @@ class Attachment(Base):
     def delete(self, db: Session) -> None:
         """Deletes an attachment record from the database and deletes the attachment from S3."""
         self.delete_attachment_from_storage()
-        for attachment_reference in self.references:
-            attachment_reference.delete(db)
         super().delete(db=db)
-
-    @staticmethod
-    def delete_attachments_for_reference_and_type(
-        db: Session, reference_id: str, reference_type: AttachmentReferenceType
-    ) -> None:
-        """
-        Deletes attachments associated with a given reference_id and reference_type.
-        Deletes all references to the attachments.
-
-        Args:
-            db: Database session
-            reference_id: ID of the reference
-            reference_type: Type of the reference
-
-        Examples:
-
-        - Delete all attachments associated with a comment.
-           ``Attachment.delete_attachments_for_reference_and_type(
-               db, comment.id, AttachmentReferenceType.comment
-           )``
-        - Delete all attachments associated with a privacy request.
-           ``Attachment.delete_attachments_for_reference_and_type(
-               db, privacy_request.id, AttachmentReferenceType.privacy_request
-            )``
-        """
-        # Query attachments explicitly to avoid lazy loading
-        attachments = (
-            db.query(Attachment)
-            .join(AttachmentReference)
-            .filter(
-                AttachmentReference.reference_id == reference_id,
-                AttachmentReference.reference_type == reference_type,
-            )
-            .all()
-        )
-
-        for attachment in attachments:
-            attachment.delete(db)

fides/api/models/comment.py

@@ -3,17 +3,15 @@ from typing import TYPE_CHECKING, Any
 
 from sqlalchemy import Column
 from sqlalchemy import Enum as EnumColumn
-from sqlalchemy import ForeignKey, String, UniqueConstraint, orm
+from sqlalchemy import ForeignKey, String, UniqueConstraint
 from sqlalchemy.ext.declarative import declared_attr
 from sqlalchemy.orm import Session, relationship
 
 from fides.api.db.base_class import Base
-from fides.api.models.attachment import Attachment, AttachmentReferenceType
 
 if TYPE_CHECKING:
-    from fides.api.models.attachment import AttachmentReference
+    from fides.api.models.attachment import Attachment
     from fides.api.models.fides_user import FidesUser
-    from fides.api.models.privacy_request import PrivacyRequest
 
 
 class CommentType(str, EnumType):
@@ -89,51 +87,23 @@ class Comment(Base):
     references = relationship(
         "CommentReference",
         back_populates="comment",
-        cascade="all, delete-orphan",
+        cascade="all, delete",
+        uselist=True,
+    )
+
+    attachments = relationship(
+        "Attachment",
+        secondary="attachment_reference",
+        primaryjoin="Comment.id == AttachmentReference.reference_id",
+        secondaryjoin="Attachment.id == AttachmentReference.attachment_id",
+        order_by="Attachment.created_at",
         uselist=True,
-        foreign_keys=[CommentReference.comment_id],
-        primaryjoin=lambda: Comment.id == orm.foreign(CommentReference.comment_id),
     )
 
     def delete(self, db: Session) -> None:
         """Delete the comment and all associated references."""
         # Delete the comment
-        Attachment.delete_attachments_for_reference_and_type(
-            db, self.id, AttachmentReferenceType.comment
-        )
-        for reference in self.references:
-            reference.delete(db)
+        for attachment in self.attachments:
+            if len(attachment.references) == 1:
+                attachment.delete(db)
         db.delete(self)
-
-    @staticmethod
-    def delete_comments_for_reference_and_type(
-        db: Session, reference_id: str, reference_type: CommentReferenceType
-    ) -> None:
-        """
-        Deletes comments associated with a given reference_id and reference_type.
-        Delete all references to the comments.
-
-        Args:
-            db: Database session.
-            reference_id: The reference id to delete.
-            reference_type: The reference type to delete
-
-        Examples:
-          - Delete all comments associated with a privacy request.
-            ``Comment.delete_comments_for_reference_and_type(
-                db, privacy_request.id, CommentReferenceType.privacy_request
-            )``
-        """
-        # Query comments explicitly to avoid lazy loading
-        comments = (
-            db.query(Comment)
-            .join(CommentReference)
-            .filter(
-                CommentReference.reference_id == reference_id,
-                CommentReference.reference_type == reference_type,
-            )
-            .all()
-        )
-
-        for comment in comments:
-            comment.delete(db)

fides/api/models/detection_discovery.py

@@ -2,7 +2,6 @@ from __future__ import annotations
 
 from datetime import datetime
 from enum import Enum
-from re import match
 from typing import Any, Dict, Iterable, List, Optional, Type
 
 from loguru import logger
@@ -36,17 +35,9 @@ class MonitorFrequency(Enum):
     DAILY = "Daily"
     WEEKLY = "Weekly"
     MONTHLY = "Monthly"
-    QUARTERLY = "Quarterly"
-    YEARLY = "Yearly"
     NOT_SCHEDULED = "Not scheduled"
 
 
-# pattern for a string of 4 comma-separated integers,
-# used to represent the months of the year that the monitor will run
-# on quarterly basis, in cron format
-QUARTERLY_MONTH_PATTERN = r"^\d+,\d+,\d+,\d+$"
-
-
 class MonitorConfig(Base):
     """
     Monitor configuration used for data detection and discovery.
@@ -147,13 +138,6 @@ class MonitorConfig(Base):
             or self.monitor_execution_trigger.get("hour", None) is None
         ):
             return MonitorFrequency.NOT_SCHEDULED
-        month_trigger = self.monitor_execution_trigger.get("month", None)
-        if month_trigger is not None:
-            if isinstance(month_trigger, str) and match(
-                QUARTERLY_MONTH_PATTERN, month_trigger
-            ):
-                return MonitorFrequency.QUARTERLY
-            return MonitorFrequency.YEARLY
         if self.monitor_execution_trigger.get("day", None) is not None:
             return MonitorFrequency.MONTHLY
         if self.monitor_execution_trigger.get("day_of_week", None) is not None:
@@ -217,10 +201,6 @@ class MonitorConfig(Base):
         a Tuesday.
         - with an `execution_frequency` of "monthly", it will result in monthly
         execution at 12:00:00+00:00 on the 14th day of every month.
-        - with an `execution_frequency` of "quarterly", it will result in quarterly
-        execution at 12:00:00+00:00 on the 14th day of the first month of each quarter.
-        - with an `execution_frequency` of "yearly", it will result in yearly
-        execution at 12:00:00+00:00 on May 14th of each year.
 
         See https://apscheduler.readthedocs.io/en/3.x/modules/triggers/cron.html
         for more information about the cron trigger parameters.
@@ -241,17 +221,6 @@ class MonitorConfig(Base):
                 cron_trigger_dict["day_of_week"] = execution_start_date.weekday()
             if execution_frequency == MonitorFrequency.MONTHLY:
                 cron_trigger_dict["day"] = execution_start_date.day
-            if execution_frequency == MonitorFrequency.QUARTERLY:
-                cron_trigger_dict["day"] = execution_start_date.day
-                # Calculate which month of the quarter (0-2) this is
-                month_of_quarter = (execution_start_date.month - 1) % 3
-                # Set to run in the same month of each quarter (1, 4, 7, 10 for first month)
-                cron_trigger_dict["month"] = (
-                    f"{1 + month_of_quarter},{4 + month_of_quarter},{7 + month_of_quarter},{10 + month_of_quarter}"
-                )
-            if execution_frequency == MonitorFrequency.YEARLY:
-                cron_trigger_dict["day"] = execution_start_date.day
-                cron_trigger_dict["month"] = execution_start_date.month
             data["monitor_execution_trigger"] = cron_trigger_dict
 
 

fides/api/models/fides_user.py

@@ -1,6 +1,7 @@
 # pylint: disable=unused-import
 from __future__ import annotations
 
+import uuid
 from datetime import datetime
 from typing import TYPE_CHECKING, Any, List
 
@@ -9,10 +10,6 @@ from sqlalchemy import Boolean, Column, DateTime
 from sqlalchemy import Enum as EnumColumn
 from sqlalchemy import String
 from sqlalchemy.orm import Session, relationship
-from sqlalchemy_utils.types.encrypted.encrypted_type import (
-    AesGcmEngine,
-    StringEncryptedType,
-)
 
 from fides.api.common_exceptions import SystemManagerException
 from fides.api.cryptography.cryptographic_util import (
@@ -23,8 +20,8 @@ from fides.api.db.base_class import Base
 from fides.api.models.audit_log import AuditLog
 
 # Intentionally importing SystemManager here to build the FidesUser.systems relationship
+from fides.api.models.system_manager import SystemManager  # type: ignore[unused-import]
 from fides.api.schemas.user import DisabledReason
-from fides.config import CONFIG
 
 if TYPE_CHECKING:
     from fides.api.models.sql_models import System  # type: ignore[attr-defined]
@@ -37,22 +34,12 @@ class FidesUser(Base):
     email_address = Column(CIText, unique=True, nullable=True)
     first_name = Column(String, nullable=True)
     last_name = Column(String, nullable=True)
-    hashed_password = Column(String, nullable=True)
-    salt = Column(String, nullable=True)
+    hashed_password = Column(String, nullable=False)
+    salt = Column(String, nullable=False)
     disabled = Column(Boolean, nullable=False, server_default="f")
     disabled_reason = Column(EnumColumn(DisabledReason), nullable=True)
     last_login_at = Column(DateTime(timezone=True), nullable=True)
     password_reset_at = Column(DateTime(timezone=True), nullable=True)
-    password_login_enabled = Column(Boolean, nullable=True)
-    totp_secret = Column(
-        StringEncryptedType(
-            type_in=String(),
-            key=CONFIG.security.app_encryption_key,
-            engine=AesGcmEngine,
-            padding="pkcs5",
-        ),
-        nullable=True,
-    )
 
     # passive_deletes="all" prevents audit logs from having their
     # privacy_request_id set to null when a privacy_request is deleted.
@@ -92,11 +79,11 @@ class FidesUser(Base):
         """Create a FidesUser by hashing the password with a generated salt
         and storing the hashed password and the salt"""
 
-        if password := data.get("password"):
-            hashed_password, salt = FidesUser.hash_password(password)
-        else:
-            hashed_password = None
-            salt = None
+        # we set a dummy password if one isn't provided because this means it's part of the user
+        # invite flow and the password will be set by the user after they accept their invite
+        hashed_password, salt = FidesUser.hash_password(
+            data.get("password") or str(uuid.uuid4())
+        )
 
         user = super().create(
             db,
@@ -109,7 +96,6 @@ class FidesUser(Base):
                 "last_name": data.get("last_name"),
                 "disabled": data.get("disabled") or False,
                 "disabled_reason": data.get("disabled_reason"),
-                "password_login_enabled": data.get("password_login_enabled"),
             },
             check_name=check_name,
         )
@@ -118,9 +104,6 @@ class FidesUser(Base):
 
     def credentials_valid(self, password: str, encoding: str = "UTF-8") -> bool:
         """Verifies that the provided password is correct."""
-        if self.salt is None:
-            return False
-
         provided_password_hash = hash_credential_with_salt(
             password.encode(encoding),
             self.salt.encode(encoding),

fides/api/models/fides_user_invite.py

@@ -67,8 +67,6 @@ class FidesUserInvite(Base):
 
     def invite_code_valid(self, invite_code: str, encoding: str = "UTF-8") -> bool:
         """Verifies that the provided invite code is correct."""
-        if self.salt is None:
-            return False
 
         invite_code_hash = hash_credential_with_salt(
             invite_code.encode(encoding),