Add authenticated privacy request route (#1819)

Co-authored-by: Paul Sanders <pau@ethyca.com>
Co-authored-by: Adam Sachs <adam@Adams-MBP.hsd1.ma.comcast.net>

CHANGELOG.md

@@ -39,6 +39,7 @@ The types of changes are:
 * Privacy-Center-Cypress workflow for CI checks of the Privacy Center. [#1722](https://github.com/ethyca/fides/pull/1722)
 * Privacy Center `fides-consent.js` script for accessing consent on external pages. [Details](/clients/privacy-center/packages/fides-consent/README.md)
 * Erasure support for Twilio Conversations API [#1673](https://github.com/ethyca/fides/pull/1673)
+* Add authenticated privacy request route. [#1819](https://github.com/ethyca/fides/pull/1819)
 
 ### Changed
 

src/fides/api/ctl/database/seed.py

@@ -6,12 +6,18 @@
 from fideslang import DEFAULT_TAXONOMY
 from fideslib.exceptions import KeyOrNameAlreadyExists
 from fideslib.models.client import ClientDetail
+from fideslib.models.fides_user import FidesUser
+from fideslib.models.fides_user_permissions import FidesUserPermissions
 from fideslib.utils.text import to_snake_case
 from loguru import logger as log
 
 from fides.api.ctl.database.session import sync_session
 from fides.api.ctl.sql_models import sql_model_map  # type: ignore[attr-defined]
 from fides.api.ctl.utils.errors import AlreadyExistsError, QueryError
+from fides.api.ops.api.v1.scope_registry import (
+    PRIVACY_REQUEST_CREATE,
+    PRIVACY_REQUEST_READ,
+)
 from fides.api.ops.models.policy import ActionType, DrpAction, Policy, Rule, RuleTarget
 from fides.api.ops.models.storage import StorageConfig
 from fides.api.ops.schemas.storage.storage import (
@@ -34,6 +40,62 @@
 DEFAULT_ERASURE_MASKING_STRATEGY = "hmac"
 
 
+def create_or_update_parent_user() -> None:
+    with sync_session() as db_session:
+        if (
+            not CONFIG.security.parent_server_username
+            and not CONFIG.security.parent_server_password
+        ):
+            return
+
+        if (
+            CONFIG.security.parent_server_username
+            and not CONFIG.security.parent_server_password
+            or CONFIG.security.parent_server_password
+            and not CONFIG.security.parent_server_username
+        ):
+            # Both log and raise are here because the raise message is not showing.
+            # It could potentially be related to https://github.com/ethyca/fides/issues/1228
+            log.error(
+                "Both a parent_server_user and parent_server_password must be set to create a parent server user"
+            )
+            raise ValueError(
+                "Both a parent_server_user and parent_server_password must be set to create a parent server user"
+            )
+
+        user = (
+            FidesUser.get_by(
+                db_session,
+                field="username",
+                value=CONFIG.security.parent_server_username,
+            )
+            if CONFIG.security.parent_server_username
+            else None
+        )
+
+        if user and CONFIG.security.parent_server_password:
+            if not user.credentials_valid(CONFIG.security.parent_server_password):
+                log.info("Updating parent user")
+                user.update_password(db_session, CONFIG.security.parent_server_password)
+                return
+
+        log.info("Creating parent user")
+        user = FidesUser.create(
+            db=db_session,
+            data={
+                "username": CONFIG.security.parent_server_username,
+                "password": CONFIG.security.parent_server_password,
+            },
+        )
+        FidesUserPermissions.create(
+            db=db_session,
+            data={
+                "user_id": user.id,
+                "scopes": [PRIVACY_REQUEST_CREATE, PRIVACY_REQUEST_READ],
+            },
+        )
+
+
 def filter_data_categories(
     categories: List[str], excluded_categories: List[str]
 ) -> List[str]:

src/fides/api/main.py

@@ -26,6 +26,7 @@
 
 from fides.api.ctl import view
 from fides.api.ctl.database.database import configure_db
+from fides.api.ctl.database.seed import create_or_update_parent_user
 from fides.api.ctl.routes import admin, crud, datamap, generate, health, validate
 from fides.api.ctl.routes.util import API_PREFIX
 from fides.api.ctl.ui import (
@@ -218,6 +219,8 @@ async def setup_server() -> None:
 
     await configure_db(CONFIG.database.sync_database_uri)
 
+    create_or_update_parent_user()
+
     log.info("Validating SaaS connector templates...")
     try:
         registry = load_registry(registry_file)