ethyca-fides 2.62.1b3__py2.py3-none-any.whl → 2.62.1rc1__py2.py3-none-any.whl

fides/_version.py

@@ -8,11 +8,11 @@ import json
 
 version_json = '''
 {
- "date": "2025-06-03T15:22:24-0600",
+ "date": "2025-06-09T11:29:40-0400",
  "dirty": false,
  "error": null,
- "full-revisionid": "0bfda78b61acfccbc5c37a58dfa776037a2ca718",
- "version": "2.62.1b3"
+ "full-revisionid": "2025a8965d3f31f35b1a6ea997994721ae068590",
+ "version": "2.62.1rc1"
 }
 '''  # END VERSION_JSON
 

fides/api/api/v1/endpoints/privacy_request_endpoints.py

@@ -120,7 +120,7 @@ from fides.api.util.collection_util import Row
 from fides.api.util.endpoint_utils import validate_start_and_end_filters
 from fides.api.util.enums import ColumnSort
 from fides.api.util.fuzzy_search_utils import get_decrypted_identities_automaton
-from fides.api.util.storage_util import StorageJSONEncoder
+from fides.api.util.storage_util import storage_json_encoder
 from fides.common.api.scope_registry import (
     PRIVACY_REQUEST_CALLBACK_RESUME,
     PRIVACY_REQUEST_CREATE,
@@ -2129,7 +2129,7 @@ def get_test_privacy_request_results(
 
     # Escape datetime and ObjectId values
     raw_data = privacy_request.get_raw_access_results()
-    escaped_json = json.dumps(raw_data, indent=2, cls=StorageJSONEncoder)
+    escaped_json = json.dumps(raw_data, indent=2, default=storage_json_encoder)
     results = json.loads(escaped_json)
 
     filtered_results: Dict[str, Any] = filter_access_results(

fides/api/db/base.py

@@ -22,9 +22,6 @@ from fides.api.models.fides_cloud import FidesCloud
 from fides.api.models.fides_user import FidesUser
 from fides.api.models.fides_user_invite import FidesUserInvite
 from fides.api.models.fides_user_permissions import FidesUserPermissions
-from fides.api.models.fides_user_respondent_email_verification import (
-    FidesUserRespondentEmailVerification,
-)
 from fides.api.models.identity_salt import IdentitySalt
 from fides.api.models.location_regulation_selections import LocationRegulationSelections
 from fides.api.models.manual_webhook import AccessManualWebhook

fides/api/main.py

@@ -240,6 +240,7 @@ async def log_request(request: Request, call_next: Callable) -> Response:
         status_code=response.status_code,
         handler_time=f"{total_time}ms",
         path=request.url.path,
+        fides_client=request.headers.get("Fides-Client", "unknown"),
     ).info("Request received")
     return response
 

fides/api/models/attachment.py

@@ -12,14 +12,12 @@ from sqlalchemy.orm import Session, relationship
 
 from fides.api.db.base_class import Base
 from fides.api.schemas.storage.storage import StorageDetails, StorageType
-from fides.api.service.storage.gcs import get_gcs_client
 from fides.api.service.storage.s3 import (
     generic_delete_from_s3,
     generic_retrieve_from_s3,
     generic_upload_to_s3,
 )
-from fides.api.service.storage.util import AllowedFileType, get_local_filename
-from fides.config import CONFIG
+from fides.api.service.storage.util import get_local_filename
 
 if TYPE_CHECKING:
     from fides.api.models.comment import Comment
@@ -117,13 +115,8 @@ class Attachment(Base):
         uselist=False,
     )
 
-    @property
-    def content_type(self) -> str:
-        """Returns the content type of the attachment."""
-        return AllowedFileType[self.file_name.split(".")[-1]].value
-
     def upload(self, attachment: IO[bytes]) -> None:
-        """Uploads an attachment to S3, GCS, or local storage."""
+        """Uploads an attachment to S3 or local storage."""
         if self.config.type == StorageType.s3:
             bucket_name = f"{self.config.details[StorageDetails.BUCKET.value]}"
             auth_method = self.config.details[StorageDetails.AUTH_METHOD.value]
@@ -137,23 +130,6 @@ class Attachment(Base):
             log.info(f"Uploaded {self.file_name} to S3 bucket {bucket_name}/{self.id}")
             return
 
-        if self.config.type == StorageType.gcs:
-            bucket_name = f"{self.config.details[StorageDetails.BUCKET.value]}"
-            auth_method = self.config.details[StorageDetails.AUTH_METHOD.value]
-            storage_client = get_gcs_client(auth_method, self.config.secrets)
-            bucket = storage_client.bucket(bucket_name)
-            blob = bucket.blob(f"{self.id}/{self.file_name}")
-
-            # Reset the file pointer to the beginning
-            try:
-                attachment.seek(0)
-            except Exception as e:
-                raise ValueError(f"Failed to reset file pointer for attachment: {e}")
-
-            blob.upload_from_file(attachment)
-            log.info(f"Uploaded {self.file_name} to GCS bucket {bucket_name}/{self.id}")
-            return
-
         if self.config.type == StorageType.local:
             filename = get_local_filename(f"{self.id}/{self.file_name}")
 
@@ -188,16 +164,13 @@ class Attachment(Base):
         self,
     ) -> Tuple[int, AnyHttpUrlString]:
         """
-        Retrieves the size of the attachment and a presigned/signed URL.
+        Retrieves a the size of the attachment and the presigned URL to retrieve it.
         - For s3:
           - the size is retrieved from the s3 object metadata
-          - returns presigned URL
-        - For gcs:
-          - the size is retrieved from the blob metadata
-          - returns signed URL
+          - the presigned URL is retrieved from the s3 client
         - For local:
           - the size is retrieved from the file size
-          - returns the local file path
+          - the URL is the local file path
         """
         if self.config.type == StorageType.s3:
             bucket_name = f"{self.config.details[StorageDetails.BUCKET.value]}"
@@ -207,81 +180,19 @@ class Attachment(Base):
                 bucket_name=bucket_name,
                 file_key=f"{self.id}/{self.file_name}",
                 auth_method=auth_method,
-                get_content=False,
             )
             return size, url
 
-        if self.config.type == StorageType.gcs:
-            bucket_name = f"{self.config.details[StorageDetails.BUCKET.value]}"
-            auth_method = self.config.details[StorageDetails.AUTH_METHOD.value]
-            storage_client = get_gcs_client(auth_method, self.config.secrets)
-            bucket = storage_client.bucket(bucket_name)
-            blob = bucket.blob(f"{self.id}/{self.file_name}")
-
-            # Ensure we have the blob metadata
-            blob.reload()
-            url = blob.generate_signed_url(
-                version="v4",
-                expiration=CONFIG.security.subject_request_download_link_ttl_seconds,
-                method="GET",
-            )
-            return blob.size, url
-
-        if self.config.type == StorageType.local:
-            filename = get_local_filename(f"{self.id}/{self.file_name}")
-            size = os.path.getsize(filename)
-            return size, filename
-
-        raise ValueError(f"Unsupported storage type: {self.config.type}")
-
-    def retrieve_attachment_content(
-        self,
-    ) -> Tuple[int, bytes]:
-        """
-        Retrieves the size of the attachment and its actual content.
-        - For s3:
-          - the size is retrieved from the s3 object metadata
-          - returns the actual content
-        - For gcs:
-          - the size is retrieved from the blob metadata
-          - returns the actual content
-        - For local:
-          - the size is retrieved from the file size
-          - returns the actual content
-        """
-        if self.config.type == StorageType.s3:
-            bucket_name = f"{self.config.details[StorageDetails.BUCKET.value]}"
-            auth_method = self.config.details[StorageDetails.AUTH_METHOD.value]
-            size, content = generic_retrieve_from_s3(
-                storage_secrets=self.config.secrets,
-                bucket_name=bucket_name,
-                file_key=f"{self.id}/{self.file_name}",
-                auth_method=auth_method,
-                get_content=True,
-            )
-            return size, content
-
-        if self.config.type == StorageType.gcs:
-            bucket_name = f"{self.config.details[StorageDetails.BUCKET.value]}"
-            auth_method = self.config.details[StorageDetails.AUTH_METHOD.value]
-            storage_client = get_gcs_client(auth_method, self.config.secrets)
-            bucket = storage_client.bucket(bucket_name)
-            blob = bucket.blob(f"{self.id}/{self.file_name}")
-
-            content = blob.download_as_bytes()
-            return len(content), content
-
         if self.config.type == StorageType.local:
             filename = get_local_filename(f"{self.id}/{self.file_name}")
             with open(filename, "rb") as file:
-                content = file.read()
-                size = len(content)
-                return size, content
+                size = len(file.read())
+                return size, filename
 
         raise ValueError(f"Unsupported storage type: {self.config.type}")
 
     def delete_attachment_from_storage(self) -> None:
-        """Deletes an attachment from S3, GCS, or local storage."""
+        """Deletes an attachment from S3 or local storage."""
         if self.config.type == StorageType.s3:
             bucket_name = f"{self.config.details[StorageDetails.BUCKET.value]}"
             auth_method = self.config.details[StorageDetails.AUTH_METHOD.value]
@@ -293,27 +204,9 @@ class Attachment(Base):
             )
             return
 
-        if self.config.type == StorageType.gcs:
-            bucket_name = f"{self.config.details[StorageDetails.BUCKET.value]}"
-            auth_method = self.config.details[StorageDetails.AUTH_METHOD.value]
-            storage_client = get_gcs_client(auth_method, self.config.secrets)
-            bucket = storage_client.bucket(bucket_name)
-
-            # List and delete all blobs in the folder
-            prefix = f"{self.id}/"
-            blobs = bucket.list_blobs(prefix=prefix)
-            for blob in blobs:
-                blob.delete()
-            return
-
         if self.config.type == StorageType.local:
-            folder_path = os.path.dirname(
-                get_local_filename(f"{self.id}/{self.file_name}")
-            )
-            if os.path.exists(folder_path):
-                import shutil
-
-                shutil.rmtree(folder_path)
+            filename = get_local_filename(f"{self.id}/{self.file_name}")
+            os.remove(filename)
             return
 
         raise ValueError(f"Unsupported storage type: {self.config.type}")

fides/api/models/audit_log.py

@@ -11,6 +11,9 @@ class AuditLogAction(str, EnumType):
     """Enum for audit log actions, reflecting what a user did."""
 
     approved = "approved"
+    attachment_uploaded = "attachment_uploaded"
+    attachment_deleted = "attachment_deleted"
+    attachment_retrieved = "attachment_retrieved"
     denied = "denied"
     email_sent = "email_sent"
     finished = "finished"

fides/api/models/detection_discovery.py

@@ -9,7 +9,6 @@ from loguru import logger
 from sqlalchemy import ARRAY, Boolean, Column, DateTime, ForeignKey, String, func
 from sqlalchemy.dialects.postgresql import JSONB
 from sqlalchemy.ext.asyncio import AsyncSession
-from sqlalchemy.ext.declarative import declared_attr
 from sqlalchemy.ext.mutable import MutableDict
 from sqlalchemy.future import select
 from sqlalchemy.orm import Session, relationship
@@ -48,29 +47,6 @@ class MonitorFrequency(Enum):
 QUARTERLY_MONTH_PATTERN = r"^\d+,\d+,\d+,\d+$"
 
 
-class SharedMonitorConfig(Base, FidesBase):
-    """SQL model for shareable monitor configurations"""
-
-    @declared_attr
-    def __tablename__(self) -> str:
-        return "shared_monitor_config"
-
-    # Basic info
-    name = Column(String, nullable=False)
-    key = Column(String, unique=True, nullable=False)
-    description = Column(String, nullable=True)
-
-    # Classification parameters (including regex patterns)
-    classify_params = Column(
-        MutableDict.as_mutable(JSONB),
-        index=False,
-        unique=False,
-        nullable=False,
-        server_default="{}",
-        default=dict,
-    )
-
-
 class MonitorConfig(Base):
     """
     Monitor configuration used for data detection and discovery.
@@ -111,9 +87,7 @@ class MonitorConfig(Base):
     )  # stores the cron-based kwargs for scheduling the monitor execution.
     # see https://apscheduler.readthedocs.io/en/3.x/modules/triggers/cron.html
 
-    # We use _classify_params for the actual column to prevent direct access
-    _classify_params = Column(
-        "classify_params",
+    classify_params = Column(
         MutableDict.as_mutable(JSONB),
         index=False,
         unique=False,
@@ -150,45 +124,6 @@ class MonitorConfig(Base):
         backref="monitor_config",
     )
 
-    shared_config_id = Column(
-        String,
-        ForeignKey(SharedMonitorConfig.id_field_path, ondelete="RESTRICT"),
-        nullable=True,
-        index=True,
-    )
-
-    shared_config = relationship(SharedMonitorConfig)
-
-    @property
-    def classify_params(self) -> dict:
-        """
-        Returns the merged classify parameters from both the monitor config and
-        the shared config (if it exists).
-
-        The shared config parameters take precedence over the monitor's own parameters,
-        but only for values that are not falsy (None, empty, etc.).
-        """
-        # Start with an empty dict
-        merged_params = {}
-
-        # Add this monitor's params if available
-        if self._classify_params:
-            merged_params.update(self._classify_params)
-
-        # Add/override with shared config params if available
-        if self.shared_config and self.shared_config.classify_params:
-            # Only update with non-falsy values from shared config
-            for key, value in self.shared_config.classify_params.items():
-                if value:  # Only override if the value is not falsy
-                    merged_params[key] = value
-
-        return merged_params
-
-    @classify_params.setter
-    def classify_params(self, value: Dict[str, Any]) -> None:
-        """Setter for the classify_params to maintain compatibility with existing code"""
-        self._classify_params = value
-
     @property
     def connection_config_key(self) -> str:
         """Derives the `connection_config_key`"""

fides/api/models/fides_user.py

@@ -23,16 +23,12 @@ from fides.api.db.base_class import Base
 from fides.api.models.audit_log import AuditLog
 
 # Intentionally importing SystemManager here to build the FidesUser.systems relationship
+from fides.api.models.system_manager import SystemManager  # type: ignore[unused-import]
 from fides.api.schemas.user import DisabledReason
 from fides.config import CONFIG
 
 if TYPE_CHECKING:
-    from fides.api.models.fides_user_permissions import FidesUserPermissions
-    from fides.api.models.fides_user_respondent_email_verification import (
-        FidesUserRespondentEmailVerification,
-    )
     from fides.api.models.sql_models import System  # type: ignore[attr-defined]
-    from fides.api.models.system_manager import SystemManager
 
 
 class FidesUser(Base):
@@ -75,20 +71,6 @@ class FidesUser(Base):
     )
 
     systems = relationship("System", secondary="systemmanager", back_populates="data_stewards")  # type: ignore
-    # permissions relationship is defined via backref in FidesUserPermissions
-    email_verifications = relationship(
-        "FidesUserRespondentEmailVerification",
-        back_populates="user",
-        cascade="all,delete",
-        lazy="dynamic",
-        foreign_keys="[FidesUserRespondentEmailVerification.user_id]",
-    )
-    permissions = relationship(
-        "FidesUserPermissions",
-        back_populates="user",
-        cascade="all,delete",
-        uselist=False,
-    )
 
     @property
     def system_ids(self) -> List[str]:
@@ -110,11 +92,12 @@ class FidesUser(Base):
     ) -> FidesUser:
         """Create a FidesUser by hashing the password with a generated salt
         and storing the hashed password and the salt"""
-        hashed_password = None
-        salt = None
 
         if password := data.get("password"):
             hashed_password, salt = FidesUser.hash_password(password)
+        else:
+            hashed_password = None
+            salt = None
 
         user = super().create(
             db,
@@ -134,18 +117,6 @@ class FidesUser(Base):
 
         return user  # type: ignore
 
-    @classmethod
-    def create_respondent(cls, db: Session, data: dict[str, Any]) -> FidesUser:
-        """Create a respondent user. This user will not be able to login with a password and
-        requires an email address to be provided.
-        """
-        if not data.get("email_address"):
-            raise ValueError("Email address is required for external respondents")
-        if data.get("password"):
-            raise ValueError("Password login is not allowed for external respondents")
-        data["password_login_enabled"] = False
-        return cls.create(db, data)
-
     def credentials_valid(self, password: str, encoding: str = "UTF-8") -> bool:
         """Verifies that the provided password is correct."""
         if self.salt is None:
@@ -163,9 +134,6 @@ class FidesUser(Base):
 
         No validations are performed on the old/existing password within this function.
         """
-        if self.permissions is not None:
-            if self.permissions.is_respondent():
-                raise ValueError("Password changes are not allowed for respondents")
 
         hashed_password, salt = FidesUser.hash_password(new_password)
         self.hashed_password = hashed_password  # type: ignore
@@ -173,17 +141,6 @@ class FidesUser(Base):
         self.password_reset_at = datetime.utcnow()  # type: ignore
         self.save(db)
 
-    def update_email_address(self, db: Session, new_email_address: str) -> None:
-        """Updates the user's email address to the specified value."""
-        if self.permissions is not None:
-            if self.permissions.is_respondent():
-                raise ValueError(
-                    "Email address changes are not allowed for respondents"
-                )
-
-        self.email_address = new_email_address  # type: ignore
-        self.save(db)
-
     def set_as_system_manager(self, db: Session, system: System) -> None:
         """Add a user as one of the system managers for the given system
         If applicable, also update the systems on the user's client
@@ -200,10 +157,6 @@ class FidesUser(Base):
                 f"User '{self.username}' is already a system manager of '{system.name}'."
             )
 
-        if self.permissions is not None:
-            if self.permissions.is_respondent():
-                raise SystemManagerException("Respondents cannot be system managers.")
-
         self.systems.append(system)
         self.save(db=db)
 

fides/api/models/fides_user_permissions.py

@@ -1,15 +1,11 @@
-from typing import List, cast
+from typing import List
 
 from sqlalchemy import ARRAY, Column, ForeignKey, String
-from sqlalchemy.orm import Session, relationship
+from sqlalchemy.orm import backref, relationship
 
 from fides.api.db.base_class import Base
 from fides.api.models.fides_user import FidesUser
-from fides.api.oauth.roles import (
-    EXTERNAL_RESPONDENT,
-    RESPONDENT,
-    ROLES_TO_SCOPES_MAPPING,
-)
+from fides.api.oauth.roles import ROLES_TO_SCOPES_MAPPING
 
 
 class FidesUserPermissions(Base):
@@ -17,7 +13,10 @@ class FidesUserPermissions(Base):
 
     user_id = Column(String, ForeignKey(FidesUser.id), nullable=False, unique=True)
     roles = Column(ARRAY(String), nullable=False, server_default="{}", default=dict)
-    user = relationship(FidesUser, back_populates="permissions", uselist=False)
+    user = relationship(
+        FidesUser,
+        backref=backref("permissions", cascade="all,delete", uselist=False),
+    )
 
     @property
     def total_scopes(self) -> List[str]:
@@ -27,20 +26,3 @@ class FidesUserPermissions(Base):
             all_scopes += ROLES_TO_SCOPES_MAPPING.get(role, [])
 
         return sorted(list(set(all_scopes)))
-
-    def is_respondent(self) -> bool:
-        """Check if the user is a respondent."""
-        return any(role in self.roles for role in [RESPONDENT, EXTERNAL_RESPONDENT])
-
-    def update_roles(self, db: Session, new_roles: List[str]) -> None:
-        """Update the user's roles if allowed.
-        Raises ValueError if role changes are not allowed."""
-        if self.is_respondent():
-            raise ValueError("Role changes are not allowed for respondents")
-
-        self.roles = new_roles
-        self.save(db)
-
-    def update(self, db: Session, *, data: dict) -> "FidesUserPermissions":
-        """Update the user permissions with the provided data."""
-        return cast(FidesUserPermissions, super().update(db, data=data))

fides/api/models/privacy_request/privacy_request.py

@@ -1089,46 +1089,6 @@ class PrivacyRequest(
         if attachment:
             attachment.delete(db)
 
-    def _get_manual_webhook_attachments(
-        self, db: Session, manual_webhook_id: str, reference_type: str
-    ) -> List[Attachment]:
-        """Helper method to get attachments that have references to both this privacy request and the specified manual webhook"""
-        query = """
-            SELECT DISTINCT a.*
-            FROM attachment a
-            INNER JOIN attachment_reference ar1 ON a.id = ar1.attachment_id
-            INNER JOIN attachment_reference ar2 ON a.id = ar2.attachment_id
-            WHERE ar1.reference_id = :privacy_request_id
-            AND ar1.reference_type = 'privacy_request'
-            AND ar2.reference_id = :manual_webhook_id
-            AND ar2.reference_type = :reference_type
-        """
-        result = db.execute(
-            query,
-            {
-                "privacy_request_id": self.id,
-                "manual_webhook_id": manual_webhook_id,
-                "reference_type": reference_type,
-            },
-        )
-        return [Attachment(**row) for row in result]
-
-    def get_access_manual_webhook_attachments(
-        self, db: Session, manual_webhook_id: str
-    ) -> List[Attachment]:
-        """Get all attachments that have references to both this privacy request and the specified access manual webhook"""
-        return self._get_manual_webhook_attachments(
-            db, manual_webhook_id, "access_manual_webhook"
-        )
-
-    def get_erasure_manual_webhook_attachments(
-        self, db: Session, manual_webhook_id: str
-    ) -> List[Attachment]:
-        """Get all attachments that have references to both this privacy request and the specified erasure manual webhook"""
-        return self._get_manual_webhook_attachments(
-            db, manual_webhook_id, "erasure_manual_webhook"
-        )
-
     def get_existing_request_task(
         self,
         db: Session,
@@ -1268,6 +1228,7 @@ class PrivacyRequest(
         """
         if not self.policy.get_rules_for_action(action_type=ActionType.access):
             return None
+
         self.filtered_final_upload = results
         self.save(db)
 

fides/api/oauth/roles.py

@@ -27,8 +27,6 @@ from fides.common.api.scope_registry import (
     PRIVACY_NOTICE_READ,
     PRIVACY_REQUEST_CALLBACK_RESUME,
     PRIVACY_REQUEST_DELETE,
-    PRIVACY_REQUEST_MANUAL_STEPS_RESPOND,
-    PRIVACY_REQUEST_MANUAL_STEPS_REVIEW,
     PRIVACY_REQUEST_NOTIFICATIONS_CREATE_OR_UPDATE,
     PRIVACY_REQUEST_NOTIFICATIONS_READ,
     PRIVACY_REQUEST_READ,
@@ -54,8 +52,6 @@ CONTRIBUTOR = "contributor"
 OWNER = "owner"
 VIEWER = "viewer"
 VIEWER_AND_APPROVER = "viewer_and_approver"
-RESPONDENT = "respondent"
-EXTERNAL_RESPONDENT = "external_respondent"
 
 
 class RoleRegistryEnum(Enum):
@@ -66,8 +62,6 @@ class RoleRegistryEnum(Enum):
     Approver - Limited viewer but can approve Privacy Requests
     Viewer + Approver = Full View and can approve Privacy Requests
     Contributor - Can't configure storage and messaging
-    Respondent - Internal user who can respond to manual steps
-    External Respondent - External user who can only respond to assigned manual steps
     """
 
     owner = OWNER
@@ -75,8 +69,6 @@ class RoleRegistryEnum(Enum):
     viewer = VIEWER
     approver = APPROVER
     contributor = CONTRIBUTOR
-    respondent = RESPONDENT
-    external_respondent = EXTERNAL_RESPONDENT
 
 
 approver_scopes = [
@@ -87,7 +79,6 @@ approver_scopes = [
     PRIVACY_REQUEST_VIEW_DATA,
     PRIVACY_REQUEST_DELETE,
     USER_READ,  # allows approver to view user management table and update their own password
-    PRIVACY_REQUEST_MANUAL_STEPS_REVIEW,  # allows approvers to see all manual steps
 ]
 
 
@@ -123,14 +114,6 @@ viewer_scopes = [  # Intentionally omitted USER_PERMISSION_READ and PRIVACY_REQU
     USER_READ,
 ]
 
-respondent_scopes = [
-    PRIVACY_REQUEST_MANUAL_STEPS_RESPOND,  # allows respondents to respond to assigned manual steps
-]
-
-external_respondent_scopes = [
-    PRIVACY_REQUEST_MANUAL_STEPS_RESPOND,  # allows external respondents to respond to assigned manual steps
-]
-
 not_contributor_scopes = [
     CONNECTOR_TEMPLATE_REGISTER,
     STORAGE_CREATE_OR_UPDATE,
@@ -147,8 +130,6 @@ ROLES_TO_SCOPES_MAPPING: Dict[str, List] = {
     VIEWER: sorted(viewer_scopes),
     APPROVER: sorted(approver_scopes),
     CONTRIBUTOR: sorted(list(set(SCOPE_REGISTRY) - set(not_contributor_scopes))),
-    RESPONDENT: sorted(respondent_scopes),
-    EXTERNAL_RESPONDENT: sorted(external_respondent_scopes),
 }
 
 

fides/api/service/connectors/query_configs/saas_query_config.py

@@ -52,6 +52,7 @@ from fides.api.util.saas_util import (
     get_identities,
 )
 from fides.common.api.v1.urn_registry import REQUEST_TASK_CALLBACK, V1_URL_PREFIX
+from fides.config.config_proxy import ConfigProxy
 
 T = TypeVar("T")
 
@@ -143,12 +144,16 @@ class SaaSQueryConfig(QueryConfig[SaaSRequestParams]):
         """
         Returns a tuple of the preferred action and SaaSRequest to use for masking.
         An update request is preferred, but we can use a gdpr delete endpoint or
-        delete endpoint.
+        delete endpoint if not MASKING_STRICT.
         """
 
         update: Optional[SaaSRequest] = self.get_erasure_request_by_action("update")
-        gdpr_delete: Optional[SaaSRequest] = self.data_protection_request
-        delete: Optional[SaaSRequest] = self.get_erasure_request_by_action("delete")
+        gdpr_delete: Optional[SaaSRequest] = None
+        delete: Optional[SaaSRequest] = None
+
+        if not ConfigProxy(db).execution.masking_strict:
+            gdpr_delete = self.data_protection_request
+            delete = self.get_erasure_request_by_action("delete")
 
         try:
             # Return first viable option