ethyca-fides 2.69.1b0__py2.py3-none-any.whl → 2.69.1b2__py2.py3-none-any.whl

fides/api/service/storage/streaming/s3/streaming_s3.py

@@ -54,7 +54,8 @@ def upload_to_s3_streaming(
         return response
 
     try:
-        storage_client = SmartOpenStorageClient("s3", formatted_secrets)
+        logger.debug("Creating SmartOpenStorageClient with formatted secrets")
+        storage_client = SmartOpenStorageClient("s3", auth_method, formatted_secrets)
 
         # Create upload config for the streaming interface
         upload_config = StorageUploadConfig(
@@ -92,6 +93,10 @@ def _process_storage_secrets_input(
     """Process input and convert to string-keyed dictionary."""
     final_secrets: dict[str, Any] = {}
 
+    logger.debug(
+        f"Processing storage secrets input of type: {type(storage_secrets).__name__}"
+    )
+
     if isinstance(storage_secrets, StorageSecretsS3):
         # Convert StorageSecretsS3 model directly to string keys
         for key, value in storage_secrets.model_dump().items():
@@ -133,6 +138,7 @@ def _validate_aws_credentials(final_secrets: dict[str, Any]) -> None:
     else:
         # AUTOMATIC authentication - check if region is provided
         has_region = "region_name" in final_secrets and final_secrets["region_name"]
+
         if not has_region:
             raise ValueError(
                 "Missing required region_name for AUTOMATIC authentication. "
@@ -140,13 +146,6 @@ def _validate_aws_credentials(final_secrets: dict[str, Any]) -> None:
             )
 
 
-def _set_default_region(final_secrets: dict[str, Any]) -> None:
-    """Set default region if missing."""
-    if "region_name" not in final_secrets or not final_secrets["region_name"]:
-        logger.debug("Setting default region to 'us-east-1'")
-        final_secrets["region_name"] = "us-east-1"
-
-
 def format_secrets(
     storage_secrets: Union[StorageSecretsS3, dict[StorageSecrets, Any]]  # type: ignore[misc]
 ) -> dict[str, Any]:
@@ -156,8 +155,8 @@ def format_secrets(
     This function handles multiple credential formats and processes them through several stages:
     1. Input processing: Accepts either StorageSecretsS3 models (from API) or raw dicts (from database)
     2. Key normalization: Converts all keys to string format for consistency
-    3. Validation: Ensures required AWS credentials are present based on auth method
-    4. Default setting: Sets default region if missing (after validation)
+    3. Default setting: Sets default region if missing (before validation for better automatic auth support)
+    4. Validation: Ensures required AWS credentials are present based on auth method
     5. Return: Returns string-keyed dict ready for S3StorageClient
 
     Input formats:
@@ -179,18 +178,7 @@ def format_secrets(
     Raises:
         ValueError: If required AWS credentials are missing for the chosen auth method
     """
-    logger.debug("format_secrets called with type: {}", type(storage_secrets).__name__)
-
-    # Stage 1: Process input and create final format directly
     final_secrets = _process_storage_secrets_input(storage_secrets)
-
-    # Stage 2: Validate required credentials BEFORE setting defaults
     _validate_aws_credentials(final_secrets)
 
-    # Stage 3: Set default region if missing (after validation)
-    _set_default_region(final_secrets)
-
-    logger.debug(
-        "format_secrets completed successfully with {} keys", len(final_secrets)
-    )
     return final_secrets

fides/api/service/storage/streaming/smart_open_client.py

@@ -29,7 +29,12 @@ class SmartOpenStorageClient:
 
     min_part_size: int = MIN_PART_SIZE
 
-    def __init__(self, storage_type: str, storage_secrets: Any):
+    def __init__(
+        self,
+        storage_type: str,
+        auth_method: Optional[str],
+        storage_secrets: Any,
+    ):
         """Initialize the smart-open storage client.
 
         Args:
@@ -38,9 +43,10 @@ class SmartOpenStorageClient:
                            Will be passed to the specific storage client implementation.
         """
         self.storage_type = StorageClientFactory._normalize_storage_type(storage_type)
+        self.auth_method = auth_method
         self.storage_secrets = storage_secrets
         self._provider_client = StorageClientFactory.create_client(
-            storage_type, storage_secrets
+            storage_type, auth_method, storage_secrets
         )
 
     def _build_uri(self, bucket: str, key: str) -> str:
@@ -216,7 +222,6 @@ class SmartOpenStorageClient:
         self,
         bucket: str,
         key: str,
-        content_type: Optional[str] = None,
     ) -> Any:
         """Get a writable stream for uploading data.
 
@@ -225,7 +230,6 @@ class SmartOpenStorageClient:
         Args:
             bucket: Storage bucket/container name
             key: Object key/path
-            content_type: MIME type of the object
 
         Returns:
             Writable file-like object
@@ -233,9 +237,6 @@ class SmartOpenStorageClient:
         uri = self._build_uri(bucket, key)
         transport_params = self._get_transport_params()
 
-        if content_type:
-            transport_params["content_type"] = content_type
-
         return smart_open.open(uri, "wb", transport_params=transport_params)
 
     @retry_cloud_storage_operation(

fides/api/service/storage/streaming/smart_open_streaming_storage.py

@@ -244,7 +244,6 @@ class SmartOpenStreamingStorage:
         all_attachments = []
 
         for key, value in data.items():
-            logger.debug(f"Processing key '{key}' with value type: {type(value)}")
 
             if not isinstance(value, list) or not value:
                 continue
@@ -270,10 +269,6 @@ class SmartOpenStreamingStorage:
         """
         direct_attachments = []
 
-        logger.debug(
-            f"Found 'attachments' key with {len(attachments_list)} items - processing as direct attachments"
-        )
-
         for idx, attachment in enumerate(attachments_list):
             if not isinstance(attachment, dict):
                 continue
@@ -431,9 +426,6 @@ class SmartOpenStreamingStorage:
             Iterator that yields chunks of the attachment content
         """
         try:
-            logger.debug(
-                f"Starting streaming read of {storage_key} from bucket: {bucket}, key: {key}"
-            )
             with self.storage_client.stream_read(bucket, key) as content_stream:
                 # Stream in chunks instead of reading entire file
                 chunk_count = 0
@@ -478,9 +470,6 @@ class SmartOpenStreamingStorage:
             if validated:
                 validated_attachments.append(validated)
 
-        logger.debug(
-            f"Successfully validated {len(validated_attachments)} out of {len(raw_attachments)} attachments"
-        )
         return validated_attachments
 
     @retry_cloud_storage_operation(
@@ -667,7 +656,7 @@ class SmartOpenStreamingStorage:
                 )
             except Exception as e:
                 logger.error(
-                    f"Failed to generate presigned URL for {config.bucket_name}/{config.file_key}: {e}"
+                    f"Failed to generate presigned URL for {config.file_key}: {e}"
                 )
                 raise StorageUploadError(
                     f"Failed to generate presigned URL: {e}"
@@ -693,7 +682,6 @@ class SmartOpenStreamingStorage:
         with self.storage_client.stream_upload(
             config.bucket_name,
             config.file_key,
-            content_type="application/zip",
         ) as upload_stream:
             for chunk in stream_zip(combined_entries):
                 upload_stream.write(chunk)
@@ -708,9 +696,7 @@ class SmartOpenStreamingStorage:
                 config.bucket_name, config.file_key
             )
         except Exception as e:
-            logger.error(
-                f"Failed to generate presigned URL for {config.bucket_name}/{config.file_key}: {e}"
-            )
+            logger.error(f"Failed to generate presigned URL for {config.file_key}: {e}")
             raise StorageUploadError(f"Failed to generate presigned URL: {e}") from e
 
     @retry_cloud_storage_operation(
@@ -770,9 +756,7 @@ class SmartOpenStreamingStorage:
         )
 
         # Use smart-open's streaming upload capability
-        with self.storage_client.stream_upload(
-            bucket_name, file_key, content_type="application/zip"
-        ) as upload_stream:
+        with self.storage_client.stream_upload(bucket_name, file_key) as upload_stream:
             for chunk in stream_zip(zip_generator):
                 upload_stream.write(chunk)
 
@@ -800,9 +784,7 @@ class SmartOpenStreamingStorage:
         zip_generator = self._convert_to_stream_zip_format(data_files_generator)
 
         # Use smart-open streaming upload
-        with self.storage_client.stream_upload(
-            bucket_name, file_key, content_type="application/zip"
-        ) as upload_stream:
+        with self.storage_client.stream_upload(bucket_name, file_key) as upload_stream:
             for chunk in stream_zip(zip_generator):
                 upload_stream.write(chunk)
 
@@ -838,12 +820,10 @@ class SmartOpenStreamingStorage:
             data_files_generator = self._create_data_files(
                 data, resp_format, all_attachments
             )
-            logger.debug("Yielding data files for ZIP")
             yield from self._convert_to_stream_zip_format(data_files_generator)
 
         # Then, yield attachment files (already in stream_zip format, stream directly)
         attachment_files_generator = self._create_attachment_files(all_attachments)
-        logger.debug("Yielding attachment files for ZIP")
         yield from attachment_files_generator
 
     def _create_data_files(
@@ -958,11 +938,7 @@ class SmartOpenStreamingStorage:
 
             try:
                 source_bucket, source_key = self._parse_storage_url(storage_key)
-                logger.debug(
-                    f"Parsed storage URL - bucket: {source_bucket}, key: {source_key}"
-                )
             except ValueError as e:
-                logger.error(f"Could not parse storage URL: {storage_key} - {e}")
                 raise StorageUploadError(
                     f"Could not parse storage URL: {storage_key} - {e}"
                 ) from e

fides/api/service/storage/streaming/storage_client_factory.py

@@ -2,7 +2,7 @@
 
 from __future__ import annotations
 
-from typing import Any
+from typing import Any, Optional
 
 from fides.api.service.storage.streaming.base_storage_client import BaseStorageClient
 from fides.api.service.storage.streaming.s3.s3_storage_client import S3StorageClient
@@ -17,7 +17,9 @@ class StorageClientFactory:
     """
 
     @staticmethod
-    def create_client(storage_type: str, storage_secrets: Any) -> BaseStorageClient:
+    def create_client(
+        storage_type: str, auth_method: Optional[str], storage_secrets: Any
+    ) -> BaseStorageClient:
         """Create a provider-specific storage client.
 
         Args:
@@ -34,7 +36,9 @@ class StorageClientFactory:
         normalized_type = StorageClientFactory._normalize_storage_type(storage_type)
 
         if normalized_type == "s3":
-            return S3StorageClient(storage_secrets)
+            if not auth_method:
+                raise ValueError("auth_method is required for S3 storage")
+            return S3StorageClient(auth_method, storage_secrets)
         if normalized_type == "gcs":
             raise NotImplementedError("GCS storage is not yet supported")
         raise ValueError(f"Unsupported storage type: {storage_type}")

fides/api/task/graph_runners.py

@@ -1,6 +1,5 @@
-from typing import Any, Dict, List, Optional
+from typing import Any, Dict, List
 
-from loguru import logger
 from sqlalchemy.orm import Session
 
 from fides.api.common_exceptions import PrivacyRequestExit
@@ -19,37 +18,8 @@ from fides.api.task.deprecated_graph_task import (
     run_consent_request_deprecated,
     run_erasure_request_deprecated,
 )
+from fides.api.task.scheduler_utils import use_dsr_3_0_scheduler
 from fides.api.util.collection_util import Row
-from fides.config import CONFIG
-
-
-def use_dsr_3_0_scheduler(
-    privacy_request: PrivacyRequest, action_type: ActionType
-) -> bool:
-    """Return whether we should use the DSR 3.0 scheduler.
-
-    Override if we have a partially processed Privacy Request that was already run on
-    DSR 2.0 so we can finish processing it on 2.0.
-
-    """
-    use_dsr_3_0 = CONFIG.execution.use_dsr_3_0
-
-    prev_results: Dict[str, Optional[List[Row]]] = (
-        privacy_request.get_raw_access_results()
-    )
-    existing_tasks_count: int = privacy_request.get_tasks_by_action(action_type).count()
-
-    if prev_results and use_dsr_3_0 and not existing_tasks_count:
-        # If we've previously tried to process this Privacy Request using DSR 2.0, continue doing so
-        # for access and erasure requests
-        logger.info(
-            "Overriding scheduler to run privacy request {} using DSR 2.0 as it's "
-            "already partially processed",
-            privacy_request.id,
-        )
-        use_dsr_3_0 = False
-
-    return use_dsr_3_0
 
 
 def access_runner(

fides/api/task/graph_task.py

@@ -47,6 +47,7 @@ from fides.api.service.execution_context import collect_execution_log_messages
 from fides.api.task.consolidate_query_matches import consolidate_query_matches
 from fides.api.task.filter_element_match import filter_element_match
 from fides.api.task.refine_target_path import FieldPathNodeInput
+from fides.api.task.scheduler_utils import use_dsr_3_0_scheduler
 from fides.api.task.task_resources import TaskResources
 from fides.api.util.cache import get_cache
 from fides.api.util.collection_util import (
@@ -589,7 +590,7 @@ class GraphTask(ABC):  # pylint: disable=too-many-instance-attributes
         # TODO Remove when we stop support for DSR 2.0
         # Save data to build masking requests for DSR 2.0 in Redis.
         # Results saved with matching array elements preserved
-        if not CONFIG.execution.use_dsr_3_0:
+        if not use_dsr_3_0_scheduler(self.resources.request, ActionType.access):
             self.resources.cache_results_with_placeholders(
                 f"access_request__{self.key}", placeholder_output
             )
@@ -619,7 +620,8 @@ class GraphTask(ABC):  # pylint: disable=too-many-instance-attributes
 
         # TODO Remove when we stop support for DSR 2.0
         # Saves intermediate access results for DSR 2.0 in Redis
-        if not CONFIG.execution.use_dsr_3_0:
+        # Only cache for existing DSR 2.0 requests
+        if not use_dsr_3_0_scheduler(self.resources.request, ActionType.access):
             self.resources.cache_object(f"access_request__{self.key}", output)
 
         # Return filtered rows with non-matched array data removed.

fides/api/task/scheduler_utils.py

@@ -0,0 +1,39 @@
+"""Utilities for determining which DSR scheduler to use."""
+
+from typing import Dict, List, Optional
+
+from loguru import logger
+
+from fides.api.models.privacy_request import PrivacyRequest
+from fides.api.schemas.policy import ActionType
+from fides.api.util.collection_util import Row
+
+
+def use_dsr_3_0_scheduler(
+    privacy_request: PrivacyRequest, action_type: ActionType
+) -> bool:
+    """Return whether we should use the DSR 3.0 scheduler.
+
+    DSR 3.0 is now the default for all new privacy requests. Only allow DSR 2.0 for
+    existing requests that were already partially processed with DSR 2.0.
+
+    """
+    # DSR 3.0 is now the default
+    use_dsr_3_0 = True
+
+    # Check if this is an existing DSR 2.0 request that should continue with DSR 2.0
+    prev_results: Dict[str, Optional[List[Row]]] = (
+        privacy_request.get_raw_access_results()
+    )
+    existing_tasks_count: int = privacy_request.get_tasks_by_action(action_type).count()
+
+    # Only allow DSR 2.0 for requests that have already been partially processed with DSR 2.0
+    if prev_results and not existing_tasks_count:
+        logger.info(
+            "Overriding scheduler to run privacy request {} using DSR 2.0 as it's "
+            "already partially processed",
+            privacy_request.id,
+        )
+        use_dsr_3_0 = False
+
+    return use_dsr_3_0

fides/api/util/endpoint_utils.py

@@ -5,8 +5,6 @@ from typing import Any, Callable, Dict, List, Optional, Tuple
 
 from fastapi import HTTPException
 from fideslang import FidesModelType
-from slowapi import Limiter
-from slowapi.util import get_remote_address  # type: ignore
 from sqlalchemy.ext.asyncio import AsyncSession
 from starlette.status import HTTP_400_BAD_REQUEST
 
@@ -23,7 +21,6 @@ from fides.common.api.scope_registry import (
     ORGANIZATION,
     SYSTEM,
 )
-from fides.config import CONFIG
 
 from fides.api.models.sql_models import (  # type: ignore[attr-defined] # isort: skip
     ModelWithDefaultField,
@@ -44,16 +41,6 @@ CLI_SCOPE_PREFIX_MAPPING: Dict[str, str] = {
     "system": SYSTEM,
 }
 
-# Used for rate limiting with Slow API
-# Decorate individual routes to deviate from the default rate limits
-fides_limiter = Limiter(
-    default_limits=[CONFIG.security.request_rate_limit],
-    headers_enabled=True,
-    key_prefix=CONFIG.security.rate_limit_prefix,
-    key_func=get_remote_address,
-    retry_after="http-date",
-)
-
 
 async def forbid_if_editing_is_default(
     sql_model: Base,

fides/api/util/rate_limit.py

@@ -0,0 +1,194 @@
+from __future__ import annotations
+
+from ipaddress import ip_address
+from typing import Optional
+
+from fastapi import Request
+from fastapi.responses import JSONResponse
+from loguru import logger
+from slowapi import Limiter
+from slowapi.util import get_remote_address  # type: ignore
+from starlette.middleware.base import BaseHTTPMiddleware
+
+from fides.config import CONFIG
+
+
+class InvalidClientIPError(Exception):
+    def __init__(self, detail: str, header_value: str, header_name: str):
+        self.detail = detail
+        self.header_value = header_value
+        self.header_name = header_name
+        super().__init__(detail)
+
+
+def validate_client_ip(ip: Optional[str]) -> bool:
+    """
+    Returns true if the provided ip is valid and not from a reserved range.
+    Returns false otherwise.
+    """
+    if not ip:
+        return False
+    try:
+        ip_obj = ip_address(ip)
+        if (
+            ip_obj.is_loopback
+            or ip_obj.is_link_local
+            or ip_obj.is_reserved
+            or ip_obj.is_multicast
+            or ip_obj.is_private
+        ):
+            return False
+        return True
+    except ValueError:
+        return False
+
+
+def _extract_hostname_from_ip(ip: str) -> Optional[str]:
+    """
+    Extract hostname/IP address from header value, stripping port if present.
+
+    Simple string-based approach following the reference implementation pattern.
+    Does not validate whether the result is a valid IP address.
+
+    Examples:
+        # IPv4 cases
+        _extract_hostname_from_ip("192.168.1.1") -> "192.168.1.1"
+        _extract_hostname_from_ip("192.168.1.1:8080") -> "192.168.1.1"
+
+        # IPv6 cases
+        _extract_hostname_from_ip("2001:db8::1") -> "2001:db8::1"
+        _extract_hostname_from_ip("[2001:db8::1]:8080") -> "2001:db8::1"
+
+        # Edge cases (alidation will later reject)
+        _extract_hostname_from_ip("192.168.1.1, 192.168.1.2") -> "192.168.1.1, 192.168.1.2"
+        _extract_hostname_from_ip("not-an-ip:8080") -> "not-an-ip"
+
+        # Error
+        _extract_hostname_from_ip("") -> raises ValueError
+
+    Raises:
+        ValueError: If no hostname can be extracted from the input
+    """
+
+    clean_ip = ip.strip()
+
+    if not clean_ip:
+        raise ValueError("Could not parse IP from header value")
+
+    # Handle IPv6 with port: [IPv6]:port
+    if "]:" in clean_ip:
+        return clean_ip.split("]:")[0].replace("[", "").strip()
+
+    # Handle IPv4 with port: IPv4:port
+    if ":" in clean_ip and "::" not in clean_ip:
+        return clean_ip.split(":")[0].strip()
+
+    # Return as-is (IPv6 without port, IPv4 without port, or other values)
+    return clean_ip
+
+
+def _resolve_client_ip_from_header(request: Request, strict: bool) -> str:
+    """Shared resolver for client IP from the configured header.
+
+    - When strict=True: raise InvalidClientIPError on invalid/malformed header values.
+    - When strict=False: never raise; fall back to the connection source IP.
+    """
+    header_name = CONFIG.security.rate_limit_client_ip_header
+    if not header_name:
+        # This line should never be reached when rate limiting is enabled
+        logger.warning(
+            "Rate limit client IP header not configured. Falling back to source IP.",
+            header_name,
+        )
+        return get_remote_address(request)
+
+    ip_address_from_header = request.headers.get(header_name)
+    if not ip_address_from_header:
+        logger.debug(
+            "Rate limit header '{}' not found. Falling back to source IP.",
+            header_name,
+        )
+        return get_remote_address(request)
+
+    # Extract and validate IP
+    try:
+        extracted_ip = _extract_hostname_from_ip(ip_address_from_header)
+        if extracted_ip and validate_client_ip(extracted_ip):
+            return extracted_ip
+        raise ValueError("IP failed validation")
+    except ValueError:
+        if strict:
+            logger.error(
+                "Invalid IP '{}' in header '{}'. Rejecting request.",
+                ip_address_from_header,
+                header_name,
+            )
+            raise InvalidClientIPError(
+                detail="Invalid IP address format",
+                header_value=ip_address_from_header,
+                header_name=header_name,
+            )
+        # Non-strict path: fall back silently to source IP
+        return get_remote_address(request)
+
+
+def get_client_ip_from_header(request: Request) -> str:
+    """
+    Extracts the client IP from the configured CDN header.
+
+    If the header is not configured or is missing, it falls back to the
+    source IP on the request.
+
+    Raises InvalidClientIPError if header contains invalid IP format.
+    """
+    return _resolve_client_ip_from_header(request, strict=True)
+
+
+def safe_rate_limit_key(request: Request) -> str:
+    """
+    Safe key function for SlowAPI limiter.
+
+    Must never raise. If the configured header is missing or malformed,
+    fall back to the connection source IP for rate limiting purposes.
+    """
+    return _resolve_client_ip_from_header(request, strict=False)
+
+
+class RateLimitIPValidationMiddleware(BaseHTTPMiddleware):
+    """
+    Pre-validate the configured client IP header when rate limiting is enabled.
+
+    If the header is present but invalid, short-circuit the request with 422.
+    This keeps SlowAPI's middleware path free of exceptions from the key function.
+    """
+
+    async def dispatch(self, request: Request, call_next):  # type: ignore
+        if is_rate_limit_enabled:
+            try:
+                # Triggers parsing/validation; raises on invalid header
+                get_client_ip_from_header(request)
+            except InvalidClientIPError:
+                return JSONResponse(
+                    status_code=422, content={"detail": "Invalid client IP header"}
+                )
+        return await call_next(request)
+
+
+# Used for rate limiting with Slow API
+# Decorate individual routes to deviate from the default rate limits
+is_rate_limit_enabled = (
+    CONFIG.security.rate_limit_client_ip_header is not None
+    and CONFIG.security.rate_limit_client_ip_header != ""
+)
+fides_limiter = Limiter(
+    storage_uri=CONFIG.redis.connection_url_unencoded,
+    application_limits=[
+        CONFIG.security.request_rate_limit
+    ],  # Creates ONE shared bucket for all endpoints
+    headers_enabled=True,
+    key_prefix=CONFIG.security.rate_limit_prefix,
+    key_func=safe_rate_limit_key,
+    retry_after="http-date",
+    in_memory_fallback_enabled=False,  # Fall back to no rate limiting if Redis unavailable
+    enabled=is_rate_limit_enabled,
+)

fides/config/execution_settings.py

@@ -65,10 +65,6 @@ class ExecutionSettings(FidesSettings):
         default=3600,
         description="Seconds between polling for async tasks to requeue",
     )
-    use_dsr_3_0: bool = Field(
-        default=False,
-        description="Temporary flag to switch to using DSR 3.0 to process your tasks.",
-    )
     erasure_request_finalization_required: bool = Field(
         default=False,
         description="Whether erasure requests require an additional finalization step after all collections have been executed.",

fides/config/redis_settings.py

@@ -181,8 +181,24 @@ class RedisSettings(FidesSettings):
         description="A full connection URL to the read-only Redis cache. If not specified, this URL is automatically assembled from the read_only_host, read_only_port, read_only_password and read_only_db_index specified above.",
         exclude=True,
     )
+    connection_url_unencoded: Optional[str] = Field(
+        default=None,
+        description="A full connection URL to the Redis cache with the password unencoded. If not specified, this URL is automatically assembled from the host, port, password and db_index specified above.",
+        exclude=True,
+    )
+    read_only_connection_url_unencoded: Optional[str] = Field(
+        default=None,
+        description="A full connection URL to the read-only Redis cache with the password unencoded. If not specified, this URL is automatically assembled from the read_only_host, read_only_port, read_only_password and read_only_db_index specified above.",
+        exclude=True,
+    )
 
-    @field_validator("connection_url", "read_only_connection_url", mode="before")
+    @field_validator(
+        "connection_url",
+        "read_only_connection_url",
+        "connection_url_unencoded",
+        "read_only_connection_url_unencoded",
+        mode="before",
+    )
     @classmethod
     def assemble_connection_url(
         cls,
@@ -195,7 +211,14 @@ class RedisSettings(FidesSettings):
             return v
 
         # Determine which set of settings to use based on field name
-        is_read_only = info.field_name == "read_only_connection_url"
+        is_read_only = info.field_name in (
+            "read_only_connection_url",
+            "read_only_connection_url_unencoded",
+        )
+        is_unencoded = info.field_name in (
+            "connection_url_unencoded",
+            "read_only_connection_url_unencoded",
+        )
 
         # Extract settings - fallbacks already resolved by field validators for read-only fields
         user = (
@@ -244,7 +267,8 @@ class RedisSettings(FidesSettings):
         # redis://<user>:<password>@<host>
         auth_prefix = ""
         if password or user:
-            auth_prefix = f"{quote_plus(user)}:{quote_plus(password)}@"
+            encoded_password = password if is_unencoded else quote_plus(password)
+            auth_prefix = f"{quote_plus(user)}:{encoded_password}@"
 
         # For host, we don't have a fallback - read replica should be a different host
         host = (