ethyca-fides 2.63.1b1__py2.py3-none-any.whl → 2.63.1b4__py2.py3-none-any.whl

fides/api/util/data_size.py

@@ -0,0 +1,102 @@
+"""
+Helpers for estimating the size of large collections of access data.
+"""
+
+from __future__ import annotations
+
+import json
+import sys
+from typing import List, Optional
+
+from loguru import logger
+
+from fides.api.util.collection_util import Row
+from fides.api.util.custom_json_encoder import CustomJSONEncoder
+
+# 640MB threshold for external storage
+# We only generate an estimated size for large datasets so we want to be conservative
+# and fallback to external storage even if we haven't hit the 1GB max limit.
+# We also want to pad for encryption and base64 encoding.
+LARGE_DATA_THRESHOLD_BYTES = 640 * 1024 * 1024  # 640MB
+
+
+def calculate_data_size(data: List[Row]) -> int:  # noqa: D401 – utility function
+    """Return an approximate JSON-serialized size (in bytes) for a list of *Row*.
+
+    The implementation purposefully avoids serializing the entire payload when
+    *data* is large.  For collections >1000 rows we sample a subset, measure the
+    encoded size, then extrapolate.  This keeps memory usage bounded while still
+    giving us an order-of-magnitude estimate suitable for "should I stream this
+    out to S3?" decisions.
+    """
+
+    if not data:
+        return 0
+
+    try:
+        data_count = len(data)
+
+        # For very large datasets, estimate size from a sample to avoid memory issues
+        if data_count > 1000:
+            logger.debug(
+                f"Calculating size for large dataset ({data_count} rows) using sampling"
+            )
+
+            sample_size = min(500, max(100, data_count // 20))  # 5 % capped at 500
+
+            # stratified sampling – take items spaced across the set when possible
+            if data_count > sample_size * 3:
+                step = data_count // sample_size
+                sample_indices = list(range(0, data_count, step))[:sample_size]
+                sample = [data[i] for i in sample_indices]
+            else:
+                sample = data[:sample_size]
+
+            sample_json = json.dumps(
+                sample, cls=CustomJSONEncoder, separators=(",", ":")
+            )
+            sample_bytes = len(sample_json.encode("utf-8"))
+
+            avg_record_size = sample_bytes / sample_size
+            content_size = int(avg_record_size * data_count)
+
+            # overhead: 2 bytes for [] plus a comma between every record plus 1 % slack
+            structure_overhead = 2 + (data_count - 1) + int(content_size * 0.01)
+            return content_size + structure_overhead
+
+        # small datasets – just measure
+        json_str = json.dumps(data, cls=CustomJSONEncoder, separators=(",", ":"))
+        return len(json_str.encode("utf-8"))
+
+    except (TypeError, ValueError) as exc:
+        logger.warning(
+            f"Failed to calculate JSON size, falling back to sys.getsizeof: {exc}"
+        )
+        return sys.getsizeof(data)
+
+
+def is_large_data(
+    data: List[Row], threshold_bytes: Optional[int] = None
+) -> bool:  # noqa: D401
+    """Return *True* if *data* is likely to exceed *threshold_bytes* when serialized."""
+
+    if not data:
+        return False
+
+    threshold = (
+        threshold_bytes if threshold_bytes is not None else LARGE_DATA_THRESHOLD_BYTES
+    )
+    size = calculate_data_size(data)
+    if size > threshold:
+        logger.info(
+            f"Data size ({size:,} bytes) exceeds threshold ({threshold:,} bytes) – using external storage"
+        )
+        return True
+    return False
+
+
+__all__ = [
+    "calculate_data_size",
+    "is_large_data",
+    "LARGE_DATA_THRESHOLD_BYTES",
+]

fides/api/util/encryption/aes_gcm_encryption_util.py

@@ -0,0 +1,271 @@
+"""
+AES GCM encryption utilities with SQLAlchemy-Utils and cryptography library implementations.
+
+This module provides simplified encrypt/decrypt functions using two approaches:
+1. SQLAlchemy-Utils AesGcmEngine (compatible with existing database encryption)
+2. Cryptography library with chunked processing (better performance, standard library)
+"""
+
+import base64
+import hashlib
+import json
+import os
+from typing import Any, List, Optional, Union
+
+from cryptography.hazmat.backends import default_backend
+from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
+from loguru import logger
+from sqlalchemy_utils.types.encrypted.encrypted_type import AesGcmEngine
+
+from fides.api.util.collection_util import Row
+from fides.api.util.custom_json_encoder import CustomJSONEncoder, _custom_decoder
+from fides.config import CONFIG
+
+
+class EncryptionError(Exception):
+    """Raised when encryption/decryption operations fail"""
+
+
+# SQLAlchemy-Utils Implementation (for compatibility with existing database encryption)
+def encrypt_with_sqlalchemy_utils(data: List[Row]) -> bytes:
+    """
+    Serialize and encrypt data using CustomJSONEncoder and SQLAlchemy-Utils AesGcmEngine.
+
+    This approach is compatible with existing database encryption but has lower performance.
+
+    Args:
+        data: Raw data to serialize and encrypt
+
+    Returns:
+        Encrypted bytes
+
+    Raises:
+        EncryptionError: If serialization or encryption fails
+    """
+    try:
+        # Serialize using CustomJSONEncoder for consistent ObjectId handling
+        serialized_data = json.dumps(data, cls=CustomJSONEncoder, separators=(",", ":"))
+        data_bytes = serialized_data.encode("utf-8")
+
+        # Encrypt using SQLAlchemy-Utils AesGcmEngine
+        engine = AesGcmEngine()
+        key = CONFIG.security.app_encryption_key
+        engine._update_key(key)  # pylint: disable=protected-access
+
+        # AesGcmEngine expects string input
+        data_str = data_bytes.decode("utf-8")
+        encrypted_data = engine.encrypt(data_str)
+        encrypted_bytes = encrypted_data.encode("utf-8")
+
+        logger.debug(
+            f"SQLAlchemy-Utils: Encrypted {len(data_bytes)} bytes to {len(encrypted_bytes)} bytes"
+        )
+        return encrypted_bytes
+
+    except Exception as e:
+        logger.error(f"SQLAlchemy-Utils encryption failed: {e}")
+        raise EncryptionError(f"SQLAlchemy-Utils encryption failed: {str(e)}")
+
+
+def decrypt_with_sqlalchemy_utils(encrypted_bytes: bytes) -> List[Row]:
+    """
+    Decrypt and deserialize data using SQLAlchemy-Utils AesGcmEngine and _custom_decoder.
+
+    Args:
+        encrypted_bytes: Encrypted data bytes to decrypt
+
+    Returns:
+        Deserialized data
+
+    Raises:
+        EncryptionError: If decryption or deserialization fails
+    """
+    try:
+        # Decrypt using SQLAlchemy-Utils AesGcmEngine
+        engine = AesGcmEngine()
+        key = CONFIG.security.app_encryption_key
+        engine._update_key(key)  # pylint: disable=protected-access
+
+        # AesGcmEngine expects string input
+        encrypted_str = encrypted_bytes.decode("utf-8")
+        decrypted_data = engine.decrypt(encrypted_str)
+
+        # Deserialize using _custom_decoder for consistent ObjectId handling
+        data = json.loads(decrypted_data, object_hook=_custom_decoder)
+
+        logger.debug(
+            f"SQLAlchemy-Utils: Decrypted {len(encrypted_bytes)} bytes to {len(data)} records"
+        )
+        return data
+
+    except Exception as e:
+        logger.error(f"SQLAlchemy-Utils decryption failed: {e}")
+        raise EncryptionError(f"SQLAlchemy-Utils decryption failed: {str(e)}")
+
+
+# Cryptography Library Implementation (standard, chunked processing)
+def encrypt_with_cryptography(
+    data: Union[List[Row], Any], chunk_size: Optional[int] = None
+) -> bytes:
+    """
+    Serialize and encrypt data using the standard cryptography library with chunked processing.
+
+    This provides fast performance and memory efficiency for large datasets.
+
+    Args:
+        data: Raw data to serialize and encrypt
+        chunk_size: Size of chunks for processing (default 4MB)
+
+    Returns:
+        Encrypted bytes (base64-encoded string as bytes)
+
+    Raises:
+        EncryptionError: If serialization or encryption fails
+    """
+    try:
+        # Set default chunk size
+        if chunk_size is None:
+            chunk_size = 4 * 1024 * 1024  # 4MB chunks
+
+        # Serialize using CustomJSONEncoder for consistent handling
+        serialized_data = json.dumps(data, cls=CustomJSONEncoder, separators=(",", ":"))
+        plaintext = serialized_data.encode("utf-8")
+
+        data_size_mb = len(plaintext) / (1024 * 1024)
+        chunk_size_mb = chunk_size / (1024 * 1024)
+        estimated_chunks = len(plaintext) // chunk_size + (
+            1 if len(plaintext) % chunk_size else 0
+        )
+        record_count = len(data) if isinstance(data, list) else "N/A"
+
+        logger.info(
+            f"Cryptography: Encrypting {record_count} records ({data_size_mb:.1f} MB) "
+            f"using {chunk_size_mb:.0f}MB chunks (~{estimated_chunks} chunks)"
+        )
+
+        # Use SQLAlchemy-Utils compatible key (SHA256 hash of app key)
+        key = _get_sqlalchemy_compatible_key()
+        nonce = os.urandom(12)  # 96-bit nonce for AES-GCM
+
+        # Create cipher
+        cipher = Cipher(
+            algorithms.AES(key), modes.GCM(nonce), backend=default_backend()
+        )
+        encryptor = cipher.encryptor()
+
+        # Process in chunks for memory efficiency
+        ciphertext_chunks = []
+        for i in range(0, len(plaintext), chunk_size):
+            chunk = plaintext[i : i + chunk_size]
+            ciphertext_chunks.append(encryptor.update(chunk))
+
+        # Finalize and get tag
+        encryptor.finalize()
+        tag = encryptor.tag
+
+        # Combine in same format as SQLAlchemy-Utils: [nonce/iv][tag][ciphertext]
+        ciphertext = b"".join(ciphertext_chunks)
+        binary_result = nonce + tag + ciphertext
+
+        # Base64 encode to match SQLAlchemy-Utils format
+        base64_result = base64.b64encode(binary_result).decode("utf-8")
+        result_bytes = base64_result.encode("utf-8")
+
+        encrypted_size_mb = len(result_bytes) / (1024 * 1024)
+        logger.info(
+            f"Cryptography: Encrypted successfully - "
+            f"{len(ciphertext_chunks)} chunks, {encrypted_size_mb:.1f} MB output (base64)"
+        )
+
+        return result_bytes
+
+    except Exception as e:
+        logger.error(f"Cryptography encryption failed: {e}")
+        raise EncryptionError(f"Cryptography encryption failed: {str(e)}")
+
+
+def decrypt_with_cryptography(
+    encrypted_bytes: bytes, chunk_size: Optional[int] = None
+) -> Union[List[Row], Any]:
+    """
+    Decrypt and deserialize data using the cryptography library with chunked processing.
+
+    Args:
+        encrypted_bytes: Encrypted data (base64-encoded string as bytes)
+        chunk_size: Size of chunks for processing (default 4MB)
+
+    Returns:
+        Deserialized data
+
+    Raises:
+        EncryptionError: If decryption or deserialization fails
+    """
+    try:
+        # Set default chunk size
+        if chunk_size is None:
+            chunk_size = 4 * 1024 * 1024  # 4MB chunks
+
+        # Decode from base64
+        encrypted_str = encrypted_bytes.decode("utf-8")
+        binary_data = base64.b64decode(encrypted_str)
+
+        # Extract components in SQLAlchemy-Utils format: [nonce/iv][tag][ciphertext]
+        if len(binary_data) < 28:  # 12 (nonce) + 16 (tag)
+            raise ValueError("Encrypted data too short")
+
+        nonce = binary_data[:12]  # First 12 bytes: nonce/IV
+        tag = binary_data[12:28]  # Next 16 bytes: tag
+        ciphertext = binary_data[28:]  # Remaining bytes: ciphertext
+
+        encrypted_size_mb = len(encrypted_bytes) / (1024 * 1024)
+        chunk_size_mb = chunk_size / (1024 * 1024)
+        estimated_chunks = len(ciphertext) // chunk_size + (
+            1 if len(ciphertext) % chunk_size else 0
+        )
+
+        logger.info(
+            f"Cryptography: Decrypting {encrypted_size_mb:.1f} MB "
+            f"using {chunk_size_mb:.0f}MB chunks (~{estimated_chunks} chunks)"
+        )
+
+        # Use SQLAlchemy-Utils compatible key
+        key = _get_sqlalchemy_compatible_key()
+        cipher = Cipher(
+            algorithms.AES(key), modes.GCM(nonce, tag), backend=default_backend()
+        )
+        decryptor = cipher.decryptor()
+
+        # Process in chunks for memory efficiency
+        plaintext_chunks = []
+        for i in range(0, len(ciphertext), chunk_size):
+            chunk = ciphertext[i : i + chunk_size]
+            plaintext_chunks.append(decryptor.update(chunk))
+
+        # Finalize
+        decryptor.finalize()
+
+        # Combine and deserialize
+        plaintext = b"".join(plaintext_chunks)
+        decrypted_json = plaintext.decode("utf-8")
+        data = json.loads(decrypted_json, object_hook=_custom_decoder)
+
+        record_count = len(data) if isinstance(data, list) else "N/A"
+        logger.info(f"Cryptography: Successfully decrypted {record_count} records")
+
+        return data
+
+    except Exception as e:
+        logger.error(f"Cryptography decryption failed: {e}")
+        raise EncryptionError(f"Cryptography decryption failed: {str(e)}")
+
+
+def _get_sqlalchemy_compatible_key() -> bytes:
+    """Get 32-byte encryption key compatible with SQLAlchemy-Utils AesGcmEngine."""
+    app_key = CONFIG.security.app_encryption_key.encode(CONFIG.security.encoding)
+    # SQLAlchemy-Utils always uses SHA256 hash of the key
+    return hashlib.sha256(app_key).digest()
+
+
+# Public API - Use cryptography by default for new operations
+encrypt_data = encrypt_with_cryptography
+decrypt_data = decrypt_with_cryptography

fides/config/redis_settings.py

@@ -20,6 +20,10 @@ class RedisSettings(FidesSettings):
         default=0,
         description="The application will use this index in the Redis cache to cache data.",
     )
+    test_db_index: int = Field(
+        default=1,
+        description="The application will use this index in the Redis cache to cache data for testing.",
+    )
     decode_responses: bool = Field(
         default=True,
         description="Whether or not to automatically decode the values fetched from Redis. Decodes using the `charset` configuration value.",
@@ -64,14 +68,57 @@ class RedisSettings(FidesSettings):
         default="", description="The user with which to login to the Redis cache."
     )
 
+    # Read-only Redis settings
+    read_only_enabled: bool = Field(
+        default=False,
+        description="Whether a read-only Redis cache is enabled.",
+    )
+    read_only_host: str = Field(
+        default="",
+        description="The network address for the read-only Redis cache.",
+    )
+    read_only_port: int = Field(
+        default=6379,
+        description="The port at which the read-only Redis cache will be accessible.",
+    )
+    read_only_user: str = Field(
+        default="",
+        description="The user with which to login to the read-only Redis cache.",
+    )
+    read_only_password: str = Field(
+        default="",
+        description="The password with which to login to the read-only Redis cache.",
+    )
+    read_only_db_index: int = Field(
+        default=0,
+        description="The application will use this index in the read-only Redis cache to cache data.",
+    )
+    read_only_ssl: bool = Field(
+        default=False,
+        description="Whether the application's connections to the read-only cache should be encrypted using TLS.",
+    )
+    read_only_ssl_cert_reqs: Optional[str] = Field(
+        default="required",
+        description="If using TLS encryption, set this to 'required' if you wish to enforce the read-only Redis cache to provide a certificate. Note that not all cache providers support this without setting ssl_ca_certs (e.g. AWS Elasticache).",
+    )
+    read_only_ssl_ca_certs: str = Field(
+        default="",
+        description="If using TLS encryption rooted with a custom Certificate Authority, set this to the path of the CA certificate.",
+    )
+
     # This relies on other values to get built so must be last
     connection_url: Optional[str] = Field(
         default=None,
         description="A full connection URL to the Redis cache. If not specified, this URL is automatically assembled from the host, port, password and db_index specified above.",
         exclude=True,
     )
+    read_only_connection_url: Optional[str] = Field(
+        default=None,
+        description="A full connection URL to the read-only Redis cache. If not specified, this URL is automatically assembled from the read_only_host, read_only_port, read_only_password and read_only_db_index specified above.",
+        exclude=True,
+    )
 
-    @field_validator("connection_url", mode="before")
+    @field_validator("connection_url", "read_only_connection_url", mode="before")
     @classmethod
     def assemble_connection_url(
         cls,
@@ -83,22 +130,50 @@ class RedisSettings(FidesSettings):
             # If the whole URL is provided via the config, preference that
             return v
 
+        is_read_only = info.field_name == "read_only_connection_url"
+
         connection_protocol = "redis"
         params_str = ""
-        use_tls = info.data.get("ssl", False)
+        use_tls = (
+            info.data.get("read_only_ssl")
+            if is_read_only
+            else info.data.get("ssl", False)
+        )
 
         # These vars are intentionally fetched with `or ""` as the default to account
         # for the edge case where `None` is explicitly set in `values` by Pydantic because
         # it is not overridden by the config file or an env var
-        user = info.data.get("user") or ""
-        password = info.data.get("password") or ""
-        db_index = info.data.get("db_index") or ""
+        user = (
+            info.data.get("read_only_user", "")
+            if is_read_only
+            else info.data.get("user", "")
+        )
+        password = (
+            info.data.get("read_only_password", "")
+            if is_read_only
+            else info.data.get("password", "")
+        )
+        db_index = (
+            info.data.get("read_only_db_index", "")
+            if is_read_only
+            else info.data.get("db_index", "")
+        )
         if use_tls:
             # If using TLS update the connection URL format
             connection_protocol = "rediss"
-            cert_reqs = info.data.get("ssl_cert_reqs", "none")
+            cert_reqs = (
+                info.data.get("read_only_ssl_cert_reqs", "none")
+                if is_read_only
+                else info.data.get("ssl_cert_reqs", "none")
+            )
             params = {"ssl_cert_reqs": quote_plus(cert_reqs)}
-            if ssl_ca_certs := info.data.get("ssl_ca_certs", ""):
+
+            ssl_ca_certs = (
+                info.data.get("read_only_ssl_ca_certs", "")
+                if is_read_only
+                else info.data.get("ssl_ca_certs", "")
+            )
+            if ssl_ca_certs:
                 params["ssl_ca_certs"] = quote(ssl_ca_certs, safe="/")
             params_str = "?" + urlencode(params, quote_via=quote, safe="/")
 
@@ -108,7 +183,23 @@ class RedisSettings(FidesSettings):
         if password or user:
             auth_prefix = f"{quote_plus(user)}:{quote_plus(password)}@"
 
-        connection_url = f"{connection_protocol}://{auth_prefix}{info.data.get('host', '')}:{info.data.get('port', '')}/{db_index}{params_str}"
+        host = (
+            info.data.get("read_only_host", "")
+            if is_read_only
+            else info.data.get("host", "")
+        )
+        port = (
+            info.data.get("read_only_port", "")
+            if is_read_only
+            else info.data.get("port", "")
+        )
+
+        # Only include database index in URL if it's not the default (0)
+        db_path = f"{db_index}" if db_index != 0 else ""
+
+        connection_url = (
+            f"{connection_protocol}://{auth_prefix}{host}:{port}/{db_path}{params_str}"
+        )
         return connection_url
 
     model_config = SettingsConfigDict(env_prefix=ENV_PREFIX)

fides/service/manual_tasks/manual_task_service.py

@@ -0,0 +1,150 @@
+from typing import Optional
+
+from loguru import logger
+from sqlalchemy import select
+from sqlalchemy.orm import Session
+
+from fides.api.models.fides_user import FidesUser
+from fides.api.models.manual_tasks.manual_task import ManualTask, ManualTaskReference
+from fides.api.models.manual_tasks.manual_task_log import ManualTaskLog
+from fides.api.schemas.manual_tasks.manual_task_schemas import (
+    ManualTaskLogStatus,
+    ManualTaskParentEntityType,
+    ManualTaskReferenceType,
+    ManualTaskType,
+)
+
+
+class ManualTaskService:
+    def __init__(self, db: Session):
+        self.db = db
+
+    def get_task(
+        self,
+        task_id: Optional[str] = None,
+        parent_entity_id: Optional[str] = None,
+        parent_entity_type: Optional[ManualTaskParentEntityType] = None,
+        task_type: Optional[ManualTaskType] = None,
+    ) -> Optional[ManualTask]:
+        """Get the manual task using provided filters.
+
+        Args:
+            task_id: The task ID
+            parent_entity_id: The parent entity ID
+            parent_entity_type: The parent entity type
+            task_type: The task type
+
+        Returns:
+            Optional[ManualTask]: The manual task for the connection, if it exists
+        """
+        if not any([task_id, parent_entity_id, parent_entity_type, task_type]):
+            logger.warning("No filters provided to get_task. Returning None.")
+            return None
+
+        stmt = select(ManualTask)  # type: ignore[arg-type]
+        if task_id:
+            stmt = stmt.where(ManualTask.id == task_id)
+        if parent_entity_id:
+            stmt = stmt.where(ManualTask.parent_entity_id == parent_entity_id)
+        if parent_entity_type:
+            stmt = stmt.where(ManualTask.parent_entity_type == parent_entity_type)
+        if task_type:
+            stmt = stmt.where(ManualTask.task_type == task_type)
+        return self.db.execute(stmt).scalar_one_or_none()
+
+    # User Management
+    def assign_users_to_task(
+        self, db: Session, task: ManualTask, user_ids: list[str]
+    ) -> None:
+        """Assigns users to this task. We can assign one or more users to a task.
+
+        Args:
+            db: Database session
+            task: The task to assign users to
+            user_ids: List of user IDs to assign
+        """
+        user_ids = list(set(user_ids))
+        if not user_ids:
+            raise ValueError("User ID is required for assignment")
+
+        # Create new user assignment
+        for user_id in user_ids:
+            # if user is already assigned, skip
+            if user_id in task.assigned_users:
+                continue
+            # verify user exists
+            user = db.query(FidesUser).filter_by(id=user_id).first()
+            if not user:
+                ManualTaskLog.create_error_log(
+                    db=db,
+                    task_id=task.id,
+                    message=f"Failed to add user {user_id} to task {task.id}: user does not exist",
+                    details={"user_id": user_id},
+                )
+                continue
+
+            ManualTaskReference.create(
+                db=db,
+                data={
+                    "task_id": task.id,
+                    "reference_id": user_id,
+                    "reference_type": ManualTaskReferenceType.assigned_user,
+                },
+            )
+
+            # Log the user assignment
+            ManualTaskLog.create_log(
+                db=db,
+                task_id=task.id,
+                status=ManualTaskLogStatus.updated,
+                message=f"User {user_id} assigned to task",
+                details={"assigned_user_id": user_id},
+            )
+
+    def unassign_users_from_task(
+        self, db: Session, task: ManualTask, user_ids: list[str]
+    ) -> None:
+        """Remove the user assignment from this task.
+
+        Args:
+            db: Database session
+            task: The task to unassign users from
+            user_ids: List of user IDs to unassign
+        """
+        user_ids = list(set(user_ids))
+        if not user_ids:
+            raise ValueError("User ID is required for unassignment")
+
+        # Get references to unassign
+        references_to_unassign = (
+            db.query(ManualTaskReference)
+            .filter(
+                ManualTaskReference.task_id == task.id,
+                ManualTaskReference.reference_type
+                == ManualTaskReferenceType.assigned_user,
+                ManualTaskReference.reference_id.in_(user_ids),
+            )
+            .all()
+        )
+
+        # Delete references and log unassignments
+        for ref in references_to_unassign:
+            ref.delete(db)
+            ManualTaskLog.create_log(
+                db=db,
+                task_id=task.id,
+                status=ManualTaskLogStatus.updated,
+                message=f"User {ref.reference_id} unassigned from task",
+                details={"unassigned_user_id": ref.reference_id},
+            )
+
+        # Check if any users weren't unassigned
+        unassigned_user_ids = [ref.reference_id for ref in references_to_unassign]
+        left_over_user_ids = [
+            user_id for user_id in user_ids if user_id not in unassigned_user_ids
+        ]
+        if left_over_user_ids:
+            logger.warning(
+                f"Failed to unassign users {left_over_user_ids} from task {task.id}: "
+                "users were not assigned to the task"
+            )

fides/service/privacy_request/privacy_request_service.py

@@ -20,6 +20,7 @@ from fides.api.models.privacy_request import (
     RequestTask,
 )
 from fides.api.models.property import Property
+from fides.api.models.worker_task import ExecutionLogStatus
 from fides.api.schemas.api import BulkUpdateFailed
 from fides.api.schemas.messaging.messaging import MessagingActionType
 from fides.api.schemas.policy import ActionType, CurrentStep
@@ -27,7 +28,6 @@ from fides.api.schemas.privacy_request import (
     BulkPostPrivacyRequests,
     BulkReviewResponse,
     CheckpointActionRequired,
-    ExecutionLogStatus,
     PrivacyRequestCreate,
     PrivacyRequestResponse,
     PrivacyRequestResubmit,