PyPI - ethyca-fides - Versions diffs - 2.66.1rc0__py2.py3-none-any.whl → 2.66.2b0__py2.py3-none-any.whl - Mend

ethyca-fides 2.66.1rc0py2.py3-none-any.whl → 2.66.2b0py2.py3-none-any.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Potentially problematic release.

This version of ethyca-fides might be problematic. Click here for more details.

Files changed (267) hide show

fides/api/models/masking_secret.py ADDED Viewed

@@ -0,0 +1,72 @@
+from __future__ import annotations
+from typing import TYPE_CHECKING, Any, Union
+from urllib.parse import unquote_to_bytes
+from sqlalchemy import Column, ForeignKey, String
+from sqlalchemy.ext.declarative import declared_attr
+from sqlalchemy.orm import Session, relationship
+from sqlalchemy_utils.types.encrypted.encrypted_type import (
+    AesGcmEngine,
+    StringEncryptedType,
+)
+from fides.api.db.base_class import Base, JSONTypeOverride
+from fides.api.util.custom_json_encoder import ENCODED_BYTES_PREFIX
+from fides.config import CONFIG
+if TYPE_CHECKING:
+    from fides.api.models.privacy_request import PrivacyRequest
+class MaskingSecret(Base):
+    """SQLAlchemy model for storing secret caching information"""
+    @declared_attr
+    def __tablename__(self) -> str:
+        return "masking_secret"
+    privacy_request_id = Column(
+        String, ForeignKey("privacyrequest.id", ondelete="CASCADE"), nullable=False
+    )
+    secret = Column(
+        StringEncryptedType(
+            JSONTypeOverride,
+            CONFIG.security.app_encryption_key,
+            AesGcmEngine,
+            "pkcs5",
+        ),
+        nullable=False,
+    )
+    masking_strategy = Column(String, nullable=False)
+    secret_type = Column(String, nullable=False)
+    privacy_request = relationship("PrivacyRequest", back_populates="masking_secrets")
+    def set_secret(self, secret: Union[str, bytes]) -> None:
+        """Set the secret value, handling both string and bytes types"""
+        if isinstance(secret, str):
+            self.secret = secret.encode("utf-8")
+        elif isinstance(secret, bytes):
+            self.secret = secret
+        else:
+            raise ValueError("Secret must be either string or bytes")
+    def get_secret(self) -> Union[str, bytes]:
+        """Retrieve the secret in its original type"""
+        secret = self.secret
+        if isinstance(secret, str) and secret.startswith(ENCODED_BYTES_PREFIX):
+            return unquote_to_bytes(secret)[len(ENCODED_BYTES_PREFIX) :]
+        return secret
+    @classmethod
+    def create(
+        cls,
+        db: Session,
+        *,
+        data: dict[str, Any],
+        check_name: bool = True,
+    ) -> "MaskingSecret":
+        """
+        Create a new masking secret. Handles both string and bytes secrets automatically, encrypting them for storage.
+        """
+        return super().create(db=db, data=data, check_name=check_name)

fides/api/models/policy.py CHANGED Viewed

@@ -25,7 +25,9 @@ from fides.api.models.client import ClientDetail
 from fides.api.models.connectionconfig import ConnectionConfig
 from fides.api.models.sql_models import DataCategory  # type: ignore
 from fides.api.models.storage import StorageConfig, get_active_default_storage_config
+from fides.api.schemas.masking.masking_secrets import MaskingSecretCache
 from fides.api.schemas.policy import ActionType, DrpAction
+from fides.api.service.masking.strategy.masking_strategy import MaskingStrategy
 from fides.api.util.data_category import _validate_data_category
 from fides.config import CONFIG
@@ -140,6 +142,27 @@ class Policy(Base):
         except IndexError:
             return None
+    def generate_masking_secrets(self) -> Optional[List[MaskingSecretCache]]:
+        """
+        Returns a list of masking secrets for the masking strategies in the policy.
+        """
+        masking_secrets: List[MaskingSecretCache] = []
+        erasure_rules = self.get_rules_for_action(action_type=ActionType.erasure)
+        unique_masking_strategies_by_name: Set[str] = set()
+        for rule in erasure_rules:
+            strategy_name: str = rule.masking_strategy["strategy"]  # type: ignore
+            configuration = rule.masking_strategy["configuration"]  # type: ignore
+            if strategy_name in unique_masking_strategies_by_name:
+                continue
+            unique_masking_strategies_by_name.add(strategy_name)
+            masking_strategy = MaskingStrategy.get_strategy(
+                strategy_name, configuration
+            )
+            if masking_strategy.secrets_required():
+                masking_secrets.extend(masking_strategy.generate_secrets_for_cache())
+        return masking_secrets
     def applies_to(self, node: "TraversalNode") -> bool:
         """
         Returns True if any data category in the traversal node starts with any of the policy's target categories.

fides/api/models/privacy_request/privacy_request.py CHANGED Viewed

@@ -50,6 +50,7 @@ from fides.api.models.comment import Comment, CommentReference, CommentReference
 from fides.api.models.fides_user import FidesUser
 from fides.api.models.field_types import EncryptedLargeDataDescriptor
 from fides.api.models.manual_webhook import AccessManualWebhook
+from fides.api.models.masking_secret import MaskingSecret
 from fides.api.models.policy import (
     Policy,
     PolicyPreWebhook,
@@ -98,7 +99,6 @@ from fides.api.util.cache import (
     get_drp_request_body_cache_key,
     get_encryption_cache_key,
     get_identity_cache_key,
-    get_masking_secret_cache_key,
 )
 from fides.api.util.collection_util import Row, extract_key_for_address
 from fides.api.util.constants import API_DATE_FORMAT
@@ -289,6 +289,13 @@ class PrivacyRequest(
         order_by="RequestTask.created_at",
     )
+    masking_secrets: "RelationshipProperty[List[MaskingSecret]]" = relationship(
+        "MaskingSecret",
+        back_populates="privacy_request",
+        uselist=True,
+        passive_deletes="all",
+    )
     @property
     def days_left(self: PrivacyRequest) -> Union[int, None]:
         if self.due_date is None:
@@ -566,19 +573,24 @@ class PrivacyRequest(
             encryption_key,
         )
-    def cache_masking_secret(self, masking_secret: MaskingSecretCache) -> None:
-        """Sets masking encryption secrets in the Fides app cache if provided"""
-        if not masking_secret:
+    def persist_masking_secrets(
+        self, masking_secrets: List[MaskingSecretCache]
+    ) -> None:
+        """Persists masking encryption secrets to database."""
+        if not masking_secrets:
             return
-        cache: FidesopsRedis = get_cache()
-        cache.set_with_autoexpire(
-            get_masking_secret_cache_key(
-                self.id,
-                masking_strategy=masking_secret.masking_strategy,
-                secret_type=masking_secret.secret_type,
-            ),
-            FidesopsRedis.encode_obj(masking_secret.secret),
-        )
+        session = Session.object_session(self)
+        for masking_secret in masking_secrets:
+            MaskingSecret.create(
+                db=session,
+                data={
+                    "privacy_request_id": self.id,
+                    "secret": masking_secret.secret,
+                    "masking_strategy": masking_secret.masking_strategy,
+                    "secret_type": masking_secret.secret_type,
+                },
+            )
     def get_cached_identity_data(self) -> Dict[str, Any]:
         """Retrieves any identity data pertaining to this request from the cache"""

fides/api/oauth/roles.py CHANGED Viewed

@@ -47,6 +47,7 @@ from fides.common.api.scope_registry import (
     SYSTEM_READ,
     USER_PERMISSION_ASSIGN_OWNERS,
     USER_READ,
+    USER_READ_OWN,
     WEBHOOK_READ,
 )
@@ -126,6 +127,7 @@ viewer_scopes = [  # Intentionally omitted USER_PERMISSION_READ and PRIVACY_REQU
 respondent_scopes = [
     PRIVACY_REQUEST_MANUAL_STEPS_RESPOND,  # allows respondents to respond to assigned manual steps
+    USER_READ_OWN,
 ]
 external_respondent_scopes = [

fides/api/schemas/application_config.py CHANGED Viewed

@@ -11,6 +11,14 @@ from fides.api.schemas.messaging.messaging import MessagingServiceType
 from fides.config.admin_ui_settings import ErrorNotificationMode
+class SqlDryRunMode(str, Enum):
+    """SQL dry run mode for controlling execution of SQL statements in privacy requests"""
+    none = "none"
+    access = "access"
+    erasure = "erasure"
 class StorageTypeApiAccepted(Enum):
     """Enum for storage destination types accepted in API updates"""
@@ -62,7 +70,9 @@ class ExecutionApplicationConfig(FidesSchema):
     subject_identity_verification_required: Optional[bool] = None
     disable_consent_identity_verification: Optional[bool] = None
     require_manual_request_approval: Optional[bool] = None
-    model_config = ConfigDict(extra="forbid")
+    sql_dry_run: Optional[SqlDryRunMode] = None
+    model_config = ConfigDict(use_enum_values=True, extra="forbid")
 class AdminUIConfig(FidesSchema):

fides/api/schemas/masking/masking_secrets.py CHANGED Viewed

@@ -5,7 +5,7 @@ from typing import Callable, Generic, TypeVar
 T = TypeVar("T")
-class SecretType(Enum):
+class SecretType(str, Enum):
     """Enum that holds all possible types of secrets across all masking strategies"""
     key = "key"

fides/api/service/connectors/base_connector.py CHANGED Viewed

@@ -82,6 +82,7 @@ class BaseConnector(Generic[DB_CONNECTOR_TYPE], ABC):
         privacy_request: PrivacyRequest,
         request_task: RequestTask,
         rows: List[Row],
+        input_data: Optional[Dict[str, List[Any]]] = None,
     ) -> int:
         """Execute a masking request. Return the number of rows that have been updated

fides/api/service/connectors/bigquery_connector.py CHANGED Viewed

@@ -1,13 +1,8 @@
-from typing import List, Optional
+from typing import Any, Dict, List, Optional
 from loguru import logger
 from sqlalchemy import text
-from sqlalchemy.engine import (  # type: ignore
-    Connection,
-    Engine,
-    LegacyCursorResult,
-    create_engine,
-)
+from sqlalchemy.engine import Connection, Engine, create_engine  # type: ignore
 from sqlalchemy.orm import Session
 from sqlalchemy.sql import Executable  # type: ignore
 from sqlalchemy.sql.elements import TextClause
@@ -17,6 +12,7 @@ from fides.api.graph.execution import ExecutionNode
 from fides.api.models.connectionconfig import ConnectionTestStatus
 from fides.api.models.policy import Policy
 from fides.api.models.privacy_request import PrivacyRequest, RequestTask
+from fides.api.schemas.application_config import SqlDryRunMode
 from fides.api.schemas.connection_configuration.connection_secrets_bigquery import (
     BigQuerySchema,
 )
@@ -99,6 +95,16 @@ class BigQueryConnector(SQLConnector):
         logger.info(
             f"Executing {len(partition_clauses)} partition queries for node '{query_config.node.address}' in DSR execution"
         )
+        if self.should_dry_run(SqlDryRunMode.access):
+            for partition_clause in partition_clauses:
+                existing_bind_params = stmt.compile().params
+                partitioned_stmt = text(
+                    f"{stmt} AND ({text(partition_clause)})"
+                ).params(existing_bind_params)
+                logger.warning(f"SQL DRY RUN - Would execute SQL: {partitioned_stmt}")
+            return []
         rows = []
         for partition_clause in partition_clauses:
             logger.debug(
@@ -135,6 +141,39 @@ class BigQueryConnector(SQLConnector):
             logger.exception(f"Error testing connection to remote BigQuery {str(e)}")
             raise ConnectionException(f"Connection error: {e}")
+    def _execute_statements_with_sql_dry_run(
+        self,
+        statements: List[Executable],
+        sql_dry_run_enabled: bool,
+        client: Engine,
+    ) -> int:
+        """
+        Execute SQL statements with sql_dry_run support.
+        Args:
+            statements: List of SQL statements to execute
+            sql_dry_run_enabled: Whether sql_dry_run mode is enabled
+            client: Database engine
+        Returns:
+            int: Number of affected rows (0 in sql_dry_run mode)
+        """
+        if not statements:
+            return 0
+        if sql_dry_run_enabled:
+            for stmt in statements:
+                logger.warning(f"SQL DRY RUN - Would execute SQL: {stmt}")
+            return 0
+        row_count = 0
+        with client.connect() as connection:
+            for stmt in statements:
+                results = connection.execute(stmt)
+                logger.debug(f"Affected {results.rowcount} rows")
+                row_count += results.rowcount
+        return row_count
     def mask_data(
         self,
         node: ExecutionNode,
@@ -142,22 +181,31 @@ class BigQueryConnector(SQLConnector):
         privacy_request: PrivacyRequest,
         request_task: RequestTask,
         rows: List[Row],
+        input_data: Optional[Dict[str, List[Any]]] = None,
     ) -> int:
         """Execute a masking request. Returns the number of records updated or deleted"""
         query_config = self.query_config(node)
         update_or_delete_ct = 0
         client = self.client()
-        for row in rows:
-            update_or_delete_stmts: List[Executable] = (
-                query_config.generate_masking_stmt(
-                    node, row, policy, privacy_request, client
-                )
+        if query_config.uses_delete_masking_strategy():
+            delete_stmts = query_config.generate_delete(client, input_data or {})
+            logger.debug(f"Generated {len(delete_stmts)} DELETE statements")
+            update_or_delete_ct += self._execute_statements_with_sql_dry_run(
+                delete_stmts, self.should_dry_run(SqlDryRunMode.erasure), client
             )
-            if update_or_delete_stmts:
-                with client.connect() as connection:
-                    for update_or_delete_stmt in update_or_delete_stmts:
-                        results: LegacyCursorResult = connection.execute(
-                            update_or_delete_stmt
-                        )
-                        update_or_delete_ct = update_or_delete_ct + results.rowcount
+        else:
+            for row in rows:
+                update_or_delete_stmts: List[Executable] = query_config.generate_update(
+                    row, policy, privacy_request, client
+                )
+                logger.debug(
+                    f"Generated {len(update_or_delete_stmts)} UPDATE statements"
+                )
+                update_or_delete_ct += self._execute_statements_with_sql_dry_run(
+                    update_or_delete_stmts,
+                    self.should_dry_run(SqlDryRunMode.erasure),
+                    client,
+                )
         return update_or_delete_ct

fides/api/service/connectors/dynamodb_connector.py CHANGED Viewed

@@ -140,8 +140,9 @@ class DynamoDBConnector(BaseConnector[Any]):  # type: ignore
         privacy_request: PrivacyRequest,
         request_task: RequestTask,
         rows: List[Row],
+        input_data: Optional[Dict[str, List[Any]]] = None,
     ) -> int:
-        """Execute a masking requestfor DynamoDB"""
+        """Execute a masking request for DynamoDB"""
         query_config = self.query_config(node)
         collection_name = node.address.collection

fides/api/service/connectors/fides_connector.py CHANGED Viewed

@@ -142,6 +142,7 @@ class FidesConnector(BaseConnector[FidesClient]):
         privacy_request: PrivacyRequest,
         request_task: RequestTask,
         rows: List[Row],
+        input_data: Optional[Dict[str, List[Any]]] = None,
     ) -> int:
         """Execute an erasure request on remote fides"""
         identity_data = {

fides/api/service/connectors/http_connector.py CHANGED Viewed

@@ -90,6 +90,7 @@ class HTTPSConnector(BaseConnector[None]):
         privacy_request: PrivacyRequest,
         request_task: RequestTask,
         rows: List[Row],
+        input_data: Optional[Dict[str, List[Any]]] = None,
     ) -> int:
         """Currently not supported as webhooks are not called at the collection level"""
         raise NotImplementedError(

fides/api/service/connectors/manual_task_connector.py CHANGED Viewed

@@ -80,6 +80,7 @@ class ManualTaskConnector(BaseConnector):
         privacy_request: PrivacyRequest,
         request_task: RequestTask,
         rows: List[Row],
+        input_data: Optional[Dict[str, List[Any]]] = None,
     ) -> int:
         """
         Manual tasks don't support erasure operations.

fides/api/service/connectors/manual_webhook_connector.py CHANGED Viewed

@@ -1,4 +1,4 @@
-from typing import Any, Dict, List
+from typing import Any, Dict, List, Optional
 from fides.api.graph.execution import ExecutionNode
 from fides.api.models.connectionconfig import ConnectionConfig, ConnectionTestStatus
@@ -53,6 +53,7 @@ class ManualWebhookConnector(BaseConnector[None]):
         privacy_request: PrivacyRequest,
         request_task: RequestTask,
         rows: List[Row],
+        input_data: Optional[List[List[Row]]] = None,
     ) -> None:
         """
         Not applicable for a manual webhook.  Manual webhooks are not called as part of the traversal.

fides/api/service/connectors/mongodb_connector.py CHANGED Viewed

@@ -126,6 +126,7 @@ class MongoDBConnector(BaseConnector[MongoClient]):
         privacy_request: PrivacyRequest,
         request_task: RequestTask,
         rows: List[Row],
+        input_data: Optional[Dict[str, List[Any]]] = None,
     ) -> int:
         """Execute a masking request"""
         query_config = self.query_config(node)

fides/api/service/connectors/okta_connector.py CHANGED Viewed

@@ -82,6 +82,7 @@ class OktaConnector(BaseConnector):
         privacy_request: PrivacyRequest,
         request_task: RequestTask,
         rows: List[Row],
+        input_data: Optional[Dict[str, List[Any]]] = None,
     ) -> int:
         """DSR execution not supported for Okta connector"""
         return 0

fides/api/service/connectors/query_configs/bigquery_query_config.py CHANGED Viewed

@@ -3,7 +3,7 @@ from typing import Any, Dict, List, Optional, Union, cast
 import pydash
 from fideslang.models import MaskingStrategies
 from loguru import logger
-from sqlalchemy import MetaData, Table, text
+from sqlalchemy import MetaData, Table, or_, text
 from sqlalchemy.engine import Engine
 from sqlalchemy.sql import Delete, Update
 from sqlalchemy.sql.elements import ColumnElement, TextClause
@@ -125,6 +125,7 @@ class BigQueryQueryConfig(QueryStringWithoutTuplesOverrideQueryConfig):
         policy: Policy,
         request: PrivacyRequest,
         client: Engine,
+        input_data: Optional[Dict[str, List[Any]]] = None,
     ) -> Union[List[Update], List[Delete]]:
         """
         Generate a masking statement for BigQuery.
@@ -137,7 +138,7 @@ class BigQueryQueryConfig(QueryStringWithoutTuplesOverrideQueryConfig):
             logger.info(
                 f"Masking override detected for collection {node.address.value}: {masking_override.strategy.value}"
             )
-            return self.generate_delete(row, client)
+            return self.generate_delete(client, input_data or {})
         return self.generate_update(row, policy, request, client)
     def generate_update(
@@ -198,9 +199,16 @@ class BigQueryQueryConfig(QueryStringWithoutTuplesOverrideQueryConfig):
         table = Table(self._generate_table_name(), MetaData(bind=client), autoload=True)
         where_clauses: List[ColumnElement] = [
-            getattr(table.c, k) == v for k, v in non_empty_reference_field_keys.items()
+            table.c[k] == v for k, v in non_empty_reference_field_keys.items()
         ]
+        # Create update values using Column objects as keys to handle column names with spaces
+        update_values = {}
+        for column_name, value in final_update_map.items():
+            # Use bracket notation to access columns with spaces in their names
+            column = table.c[column_name]
+            update_values[column] = value
         if self.partitioning:
             partition_clauses = self.get_partition_clauses()
             partitioned_queries = []
@@ -211,34 +219,37 @@ class BigQueryQueryConfig(QueryStringWithoutTuplesOverrideQueryConfig):
                 partitioned_queries.append(
                     table.update()
                     .where(*(where_clauses + [text(partition_clause)]))
-                    .values(**final_update_map)
+                    .values(update_values)
                 )
             return partitioned_queries
-        return [table.update().where(*where_clauses).values(**final_update_map)]
+        return [table.update().where(*where_clauses).values(update_values)]
-    def generate_delete(self, row: Row, client: Engine) -> List[Delete]:
-        """Returns a List of SQLAlchemy DELETE statements for BigQuery. Does not actually execute the delete statement.
+    def generate_delete(
+        self,
+        client: Engine,
+        input_data: Optional[Dict[str, List[Any]]] = None,
+    ) -> List[Delete]:
+        """
+        Returns a List of SQLAlchemy DELETE statements for BigQuery. Does not actually execute the delete statement.
         Used when a collection-level masking override is present and the masking strategy is DELETE.
         A List of multiple DELETE statements are returned for partitioned tables; for a non-partitioned table,
         a single DELETE statement is returned in a List for consistent typing.
-        TODO: DRY up this method and `generate_update` a bit
         """
-        non_empty_reference_field_keys: Dict[str, Field] = filter_nonempty_values(
-            {
-                fpath.string_path: fld.cast(row[fpath.string_path])
-                for fpath, fld in self.reference_field_paths.items()
-                if fpath.string_path in row
-            }
-        )
+        if not input_data:
+            logger.warning(
+                "No input data provided for node '{}', skipping DELETE statement generation",
+                self.node.address,
+            )
+            return []
-        valid = len(non_empty_reference_field_keys) > 0
-        if not valid:
+        filtered_data = self.node.typed_filtered_values(input_data)
+        if not filtered_data:
             logger.warning(
                 "There is not enough data to generate a valid DELETE statement for {}",
                 self.node.address,
@@ -246,9 +257,17 @@ class BigQueryQueryConfig(QueryStringWithoutTuplesOverrideQueryConfig):
             return []
         table = Table(self._generate_table_name(), MetaData(bind=client), autoload=True)
-        where_clauses: List[ColumnElement] = [
-            getattr(table.c, k) == v for k, v in non_empty_reference_field_keys.items()
-        ]
+        # Build individual reference clauses
+        where_clauses: List[ColumnElement] = []
+        for column_name, values in filtered_data.items():
+            if len(values) == 1:
+                where_clauses.append(table.c[column_name] == values[0])
+            else:
+                where_clauses.append(table.c[column_name].in_(values))
+        # Combine reference clauses with OR instead of AND
+        combined_reference_clause = or_(*where_clauses)
         if self.partitioning:
             partition_clauses = self.get_partition_clauses()
@@ -259,12 +278,25 @@ class BigQueryQueryConfig(QueryStringWithoutTuplesOverrideQueryConfig):
             for partition_clause in partition_clauses:
                 partitioned_queries.append(
-                    table.delete().where(*(where_clauses + [text(partition_clause)]))
+                    table.delete()
+                    .where(combined_reference_clause)
+                    .where(text(partition_clause))
                 )
             return partitioned_queries
-        return [table.delete().where(*where_clauses)]
+        return [table.delete().where(combined_reference_clause)]
+    def uses_delete_masking_strategy(self) -> bool:
+        """Check if this collection uses DELETE masking strategy.
+        Returns True if masking override is present and strategy is DELETE.
+        """
+        masking_override = self.node.collection.masking_strategy_override
+        return (
+            masking_override is not None
+            and masking_override.strategy == MaskingStrategies.DELETE
+        )
     def format_fields_for_query(
         self,
@@ -281,6 +313,25 @@ class BigQueryQueryConfig(QueryStringWithoutTuplesOverrideQueryConfig):
                 formatted_fields.append(field_path.levels[0])
         return formatted_fields
+    def format_clause_for_query(
+        self, string_path: str, operator: str, operand: str
+    ) -> str:
+        """
+        Returns clauses with proper BigQuery backtick escaping for column names.
+        Handles column names with spaces and nested fields (dot-separated) by escaping each part individually.
+        """
+        # For nested fields (containing dots), escape each part individually
+        if "." in string_path:
+            parts = string_path.split(".")
+            escaped_field = ".".join(f"`{part}`" for part in parts)
+        else:
+            # For simple fields, wrap the entire name in backticks
+            escaped_field = f"`{string_path}`"
+        if operator == "IN":
+            return f"{escaped_field} IN ({operand})"
+        return f"{escaped_field} {operator} :{operand}"
     def generate_raw_query_without_tuples(
         self, field_list: List[str], filters: Dict[str, List[Any]]
     ) -> Optional[TextClause]:
@@ -290,27 +341,35 @@ class BigQueryQueryConfig(QueryStringWithoutTuplesOverrideQueryConfig):
         This is an override of the base class method that supports nested fields for BigQuery.
-        Examples with dot-delimited field names, notice the periods are replaced with underscores in the parameter bindings:
+        Examples with field names containing dots and spaces, notice these are replaced with underscores in the parameter bindings:
         1. Single value filter:
            field_list = ["id", "name", "email"]
            filters = {"user.id": [123]}
-           Generates: SELECT id, name, email FROM `project_id.dataset_id.table_name` WHERE (user.id = :user_id)
+           Generates: SELECT id, name, email FROM `project_id.dataset_id.table_name` WHERE (`user`.`id` = :user_id)
            With parameter binding: user_id = 123
-        2. Multiple value filter:
+        2. Field with spaces:
+           field_list = ["id", "custom id", "email"]
+           filters = {"custom id": ["abc123"]}
+           Generates: SELECT id, `custom id`, email FROM `project_id.dataset_id.table_name` WHERE (`custom id` = :custom_id)
+           With parameter binding: custom_id = "abc123"
+        3. Multiple value filter with nested field:
            field_list = ["id", "name", "email"]
-           filters = {"user.status": ["active", "pending"]}
+           filters = {"contact_info.primary_email": ["active", "pending"]}
-           Generates: SELECT id, name, email FROM `project_id.dataset_id.table_name` WHERE (user.status IN (:user_status_in_stmt_generated_0, :user_status_in_stmt_generated_1))
-           With parameter bindings: user_status_in_stmt_generated_0 = "active", user_status_in_stmt_generated_1 = "pending"
+           Generates: SELECT id, name, email FROM `project_id.dataset_id.table_name` WHERE (`contact_info`.`primary_email` IN (:contact_info_primary_email_in_stmt_generated_0, :contact_info_primary_email_in_stmt_generated_1))
+           With parameter bindings: contact_info_primary_email_in_stmt_generated_0 = "active", contact_info_primary_email_in_stmt_generated_1 = "pending"
         """
         clauses = []
         query_data = {}
         for field_name, field_value in filters.items():
-            # Replace dots with underscores in field names for parameter binding
-            field_binding_name = field_name.replace(".", "_")
+            # Replace dots and spaces with underscores in field names for parameter binding
+            # SQLAlchemy parameter names cannot contain spaces or special characters
+            field_binding_name = field_name.replace(".", "_").replace(" ", "_")
             data = set(field_value)
             if len(data) == 1:
                 clauses.append(
@@ -333,7 +392,7 @@ class BigQueryQueryConfig(QueryStringWithoutTuplesOverrideQueryConfig):
                 clauses.append(self.format_clause_for_query(field_name, "IN", operand))
         if len(clauses) > 0:
-            formatted_fields = ", ".join(field_list)
+            formatted_fields = ", ".join([f"`{field}`" for field in field_list])
             query_str = self.get_formatted_query_string(formatted_fields, clauses)
             return text(query_str).params(query_data)

ethyca-fides 2.66.1rc0__py2.py3-none-any.whl → 2.66.2b0__py2.py3-none-any.whl

Potentially problematic release.

ethyca-fides 2.66.1rc0py2.py3-none-any.whl → 2.66.2b0py2.py3-none-any.whl