HJ-138 - Added a security setting that must be set to true to enable …

…the access request download feature (#5451)

Co-authored-by: Adrian Galvan <[email protected]>

CHANGELOG.md

@@ -21,6 +21,9 @@ The types of changes are:
 - Added DataHub integration config [#5401](https://github.com/ethyca/fides/pull/5401)
 - Added keepalive settings to the Redshift integration [#5433](https://github.com/ethyca/fides/pull/5433)
 
+### Changed
+- Added a security setting that must be set to true to enable the access request download feature [#5451](https://github.com/ethyca/fides/pull/5451)
+
 ### Developer Experience
 - Added Carbon Icons to FidesUI [#5416](https://github.com/ethyca/fides/pull/5416)
 - Apply new color palette as scss module [#5453](https://github.com/ethyca/fides/pull/5453)

src/fides/api/api/v1/endpoints/privacy_request_endpoints.py

@@ -2592,6 +2592,11 @@ def get_access_results_urls(
     """
     Endpoint for retrieving access results URLs for a privacy request.
     """
+    if not CONFIG.security.subject_request_download_ui_enabled:
+        raise HTTPException(
+            status_code=HTTP_403_FORBIDDEN,
+            detail="Access results download is disabled.",
+        )
     privacy_request: PrivacyRequest = get_privacy_request_or_error(
         db, privacy_request_id
     )

src/fides/config/security_settings.py

@@ -119,6 +119,10 @@ class SecuritySettings(FidesSettings):
         default=None,
         description="If set, this can be used in conjunction with root_password to log in without first creating a user in the database.",
     )
+    subject_request_download_ui_enabled: bool = Field(
+        default=False,
+        description="If set to True, the user interface will display a download button for subject requests.",
+    )
     subject_request_download_link_ttl_seconds: int = Field(
         default=432000,
         description="The number of seconds that a pre-signed download URL when using S3 storage will be valid. The default is equal to 5 days.",

tests/fixtures/application_fixtures.py

@@ -3264,6 +3264,14 @@ def allow_custom_privacy_request_fields_in_request_execution_disabled():
     )
 
 
+@pytest.fixture(scope="function")
+def subject_request_download_ui_enabled():
+    original_value = CONFIG.security.subject_request_download_ui_enabled
+    CONFIG.security.subject_request_download_ui_enabled = True
+    yield
+    CONFIG.security.subject_request_download_ui_enabled = original_value
+
+
 @pytest.fixture(scope="function")
 def system_with_no_uses(db: Session) -> Generator[System, None, None]:
     system = System.create(

tests/ops/api/v1/endpoints/test_privacy_request_endpoints.py

@@ -62,7 +62,6 @@
     get_should_refresh_automaton,
     manually_reset_automaton,
     remove_refresh_automaton_signal,
-    set_automaton_cache_signal,
 )
 from fides.common.api.scope_registry import (
     DATASET_CREATE_OR_UPDATE,
@@ -72,7 +71,6 @@
     PRIVACY_REQUEST_NOTIFICATIONS_CREATE_OR_UPDATE,
     PRIVACY_REQUEST_NOTIFICATIONS_READ,
     PRIVACY_REQUEST_READ,
-    PRIVACY_REQUEST_READ_ACCESS_RESULTS,
     PRIVACY_REQUEST_REVIEW,
     PRIVACY_REQUEST_TRANSFER,
     PRIVACY_REQUEST_UPLOAD_DATA,
@@ -107,7 +105,7 @@
     V1_URL_PREFIX,
 )
 from fides.config import CONFIG
-from tests.conftest import generate_auth_header_for_user, generate_role_header_for_user
+from tests.conftest import generate_role_header_for_user
 
 page_size = Params().size
 
@@ -8134,21 +8132,6 @@ def test_get_access_results_approver(
         response = api_client.get(url, headers=auth_header)
         assert response.status_code == 403
 
-    def test_get_access_results_approver(
-        self,
-        api_client: TestClient,
-        privacy_request: PrivacyRequest,
-        approver_user,
-    ):
-        url = V1_URL_PREFIX + PRIVACY_REQUEST_ACCESS_RESULTS.format(
-            privacy_request_id=privacy_request.id
-        )
-        auth_header = generate_role_header_for_user(
-            approver_user, roles=approver_user.permissions.roles
-        )
-        response = api_client.get(url, headers=auth_header)
-        assert response.status_code == 403
-
     def test_get_access_results_viewer(
         self,
         api_client: TestClient,
@@ -8179,6 +8162,7 @@ def test_get_access_results_viewer_and_approver(
         response = api_client.get(url, headers=auth_header)
         assert response.status_code == 403
 
+    @pytest.mark.usefixtures("subject_request_download_ui_enabled")
     def test_get_access_results_request_not_complete(
         self,
         privacy_request: PrivacyRequest,
@@ -8201,6 +8185,7 @@ def test_get_access_results_request_not_complete(
             "detail": f"Access results for privacy request '{privacy_request.id}' are not available because the request is not complete."
         }
 
+    @pytest.mark.usefixtures("subject_request_download_ui_enabled")
     def test_get_access_results_no_data(
         self,
         privacy_request: PrivacyRequest,
@@ -8223,6 +8208,7 @@ def test_get_access_results_no_data(
             "access_result_urls": [],
         }
 
+    @pytest.mark.usefixtures("subject_request_download_ui_enabled")
     def test_get_access_results_owner(
         self,
         privacy_request: PrivacyRequest,
@@ -8254,6 +8240,7 @@ def test_get_access_results_owner(
             ]
         }
 
+    @pytest.mark.usefixtures("subject_request_download_ui_enabled")
     def test_get_access_results_contributor(
         self,
         privacy_request: PrivacyRequest,
@@ -8272,3 +8259,22 @@ def test_get_access_results_contributor(
         )
         response = api_client.get(url, headers=auth_header)
         assert response.status_code == 200
+
+    def test_get_access_results_contributor_but_disabled(
+        self,
+        privacy_request: PrivacyRequest,
+        api_client: TestClient,
+        contributor_user,
+        db,
+    ):
+        privacy_request.status = PrivacyRequestStatus.complete
+        privacy_request.save(db)
+
+        url = V1_URL_PREFIX + PRIVACY_REQUEST_ACCESS_RESULTS.format(
+            privacy_request_id=privacy_request.id
+        )
+        auth_header = generate_role_header_for_user(
+            contributor_user, roles=contributor_user.permissions.roles
+        )
+        response = api_client.get(url, headers=auth_header)
+        assert response.status_code == 403