Executing Consent Requests via the Privacy Request Execution Layer [#2146]

src/fides/api/ctl/database/seed.py

@@ -15,7 +15,14 @@
     PRIVACY_REQUEST_READ,
     PRIVACY_REQUEST_TRANSFER,
 )
-from fides.api.ops.models.policy import ActionType, DrpAction, Policy, Rule, RuleTarget
+from fides.api.ops.models.policy import (
+    ActionType,
+    DrpAction,
+    Policy,
+    Rule,
+    RuleTarget,
+    RuleUse,
+)
 from fides.api.ops.models.storage import StorageConfig
 from fides.api.ops.schemas.storage.storage import (
     FileNaming,
@@ -41,6 +48,9 @@
 DEFAULT_ERASURE_POLICY_RULE = "default_erasure_policy_rule"
 DEFAULT_ERASURE_MASKING_STRATEGY = "hmac"
 
+DEFAULT_CONSENT_POLICY = "default_consent_policy"
+DEFAULT_CONSENT_RULE = "default_consent_rule"
+
 
 def create_or_update_parent_user() -> None:
     with sync_session() as db_session:
@@ -278,6 +288,46 @@ async def load_default_dsr_policies() -> None:
             except KeyOrNameAlreadyExists:
                 # This rule target already exists against the Policy
                 pass
+
+        log.info("Creating: Default Consent Policy")
+        consent_policy = Policy.create_or_update(
+            db=db_session,
+            data={
+                "name": "Default Consent Policy",
+                "key": DEFAULT_CONSENT_POLICY,
+                "execution_timeframe": 45,
+                "client_id": client_id,
+            },
+        )
+
+        log.info("Creating: Default Consent Rule")
+        consent_rule = Rule.create_or_update(
+            db=db_session,
+            data={
+                "action_type": ActionType.consent.value,
+                "name": "Default Consent Rule",
+                "key": DEFAULT_CONSENT_RULE,
+                "policy_id": consent_policy.id,
+                "client_id": client_id,
+            },
+        )
+
+        log.info("Creating:Default Consent Rule Uses...")
+        for use in ["advertising", "advertising.first_party", "improve"]:
+            try:
+                RuleUse.create(
+                    db=db_session,
+                    data={
+                        "key": use,
+                        "data_use": use,  # TODO: get rid of data_use, and have this be the key.
+                        "rule_id": consent_rule.id,
+                        "executable": True,
+                    },
+                )
+            except KeyOrNameAlreadyExists:
+                # This rule use already exists against the Policy
+                pass
+
         log.info("All Policies & Rules Seeded.")
 
 

src/fides/api/ctl/migrations/versions/de456534dbda_add_privacyrequest_consent_preferences_.py

@@ -0,0 +1,82 @@
+"""add privacyrequest consent preferences and ruleuse table
+
+Revision ID: de456534dbda
+Revises: 1f61c765cd1c
+Create Date: 2023-01-03 22:59:45.144538
+
+"""
+import sqlalchemy as sa
+from alembic import op
+from sqlalchemy.dialects import postgresql
+
+# revision identifiers, used by Alembic.
+revision = "de456534dbda"
+down_revision = "1f61c765cd1c"
+branch_labels = None
+depends_on = None
+
+
+def upgrade():
+    op.create_table(
+        "ruleuse",
+        sa.Column("id", sa.String(length=255), nullable=False),
+        sa.Column(
+            "created_at",
+            sa.DateTime(timezone=True),
+            server_default=sa.text("now()"),
+            nullable=True,
+        ),
+        sa.Column(
+            "updated_at",
+            sa.DateTime(timezone=True),
+            server_default=sa.text("now()"),
+            nullable=True,
+        ),
+        sa.Column("data_use", sa.String(), nullable=False),
+        sa.Column("data_use_description", sa.String(), nullable=True),
+        sa.Column("key", sa.String(), nullable=False),
+        sa.Column("executable", sa.Boolean(), nullable=False),
+        sa.Column("rule_id", sa.String(), nullable=False),
+        sa.Column("client_id", sa.String(), nullable=True),
+        sa.ForeignKeyConstraint(
+            ["client_id"],
+            ["client.id"],
+        ),
+        sa.ForeignKeyConstraint(
+            ["rule_id"],
+            ["rule.id"],
+        ),
+        sa.PrimaryKeyConstraint("id"),
+        sa.UniqueConstraint("rule_id", "data_use", name="_rule_id_data_use_uc"),
+    )
+    op.create_index(op.f("ix_ruleuse_id"), "ruleuse", ["id"], unique=False)
+    op.create_index(op.f("ix_ruleuse_key"), "ruleuse", ["key"], unique=True)
+    op.add_column(
+        "privacyrequest",
+        sa.Column(
+            "consent_preferences",
+            postgresql.JSONB(astext_type=sa.Text()),
+            nullable=True,
+        ),
+    )
+
+    op.add_column(
+        "consentrequest", sa.Column("privacy_request_id", sa.String(), nullable=True)
+    )
+    op.create_foreign_key(
+        None, "consentrequest", "privacyrequest", ["privacy_request_id"], ["id"]
+    )
+
+    # ### end Alembic commands ###
+
+
+def downgrade():
+    # ### commands auto generated by Alembic - please adjust! ###
+    op.drop_column("privacyrequest", "consent_preferences")
+    op.drop_index(op.f("ix_ruleuse_key"), table_name="ruleuse")
+    op.drop_index(op.f("ix_ruleuse_id"), table_name="ruleuse")
+    op.drop_table("ruleuse")
+
+    op.drop_constraint(None, "consentrequest", type_="foreignkey")
+    op.drop_column("consentrequest", "privacy_request_id")
+    # ### end Alembic commands ###

src/fides/api/ops/api/v1/endpoints/consent_request_endpoints.py

@@ -1,6 +1,6 @@
 from __future__ import annotations
 
-from typing import Optional
+from typing import Optional, Tuple
 
 from fastapi import Depends, HTTPException, Security
 from loguru import logger
@@ -14,7 +14,11 @@
     HTTP_500_INTERNAL_SERVER_ERROR,
 )
 
+from fides.api.ctl.database.seed import DEFAULT_CONSENT_POLICY
 from fides.api.ops.api.deps import get_db
+from fides.api.ops.api.v1.endpoints.privacy_request_endpoints import (
+    create_privacy_request_func,
+)
 from fides.api.ops.api.v1.scope_registry import CONSENT_READ
 from fides.api.ops.api.v1.urn_registry import (
     CONSENT_REQUEST,
@@ -34,11 +38,13 @@
     ProvidedIdentity,
     ProvidedIdentityType,
 )
+from fides.api.ops.schemas.privacy_request import BulkPostPrivacyRequests
 from fides.api.ops.schemas.privacy_request import Consent as ConsentSchema
 from fides.api.ops.schemas.privacy_request import (
     ConsentPreferences,
     ConsentPreferencesWithVerificationCode,
     ConsentRequestResponse,
+    PrivacyRequestCreate,
     VerificationCode,
 )
 from fides.api.ops.schemas.redis_cache import Identity
@@ -122,7 +128,7 @@ def consent_request_verify(
     data: VerificationCode,
 ) -> ConsentPreferences:
     """Verifies the verification code and returns the current consent preferences if successful."""
-    provided_identity = _get_consent_request_and_provided_identity(
+    _, provided_identity = _get_consent_request_and_provided_identity(
         db=db, consent_request_id=consent_request_id, verification_code=data.code
     )
 
@@ -178,7 +184,7 @@ def get_consent_preferences_no_id(
             "turned off.",
         )
 
-    provided_identity = _get_consent_request_and_provided_identity(
+    _, provided_identity = _get_consent_request_and_provided_identity(
         db=db, consent_request_id=consent_request_id, verification_code=None
     )
 
@@ -235,7 +241,7 @@ def set_consent_preferences(
     data: ConsentPreferencesWithVerificationCode,
 ) -> ConsentPreferences:
     """Verifies the verification code and saves the user's consent preferences if successful."""
-    provided_identity = _get_consent_request_and_provided_identity(
+    consent_request, provided_identity = _get_consent_request_and_provided_identity(
         db=db,
         consent_request_id=consent_request_id,
         verification_code=data.code,
@@ -264,15 +270,48 @@ def set_consent_preferences(
                 raise HTTPException(
                     status_code=HTTP_400_BAD_REQUEST, detail=Pii(str(exc))
                 )
+    identity = Identity()
+    setattr(
+        identity,
+        provided_identity.field_name.value,  # type:ignore[attr-defined]
+        provided_identity.encrypted_value["value"],  # type:ignore[index]
+    )
 
-    return _prepare_consent_preferences(db, provided_identity)
+    consent_preferences: ConsentPreferences = _prepare_consent_preferences(
+        db, provided_identity
+    )
+
+    privacy_request_results: BulkPostPrivacyRequests = create_privacy_request_func(
+        db=db,
+        data=[
+            PrivacyRequestCreate(
+                identity=identity,
+                policy_key=DEFAULT_CONSENT_POLICY,
+                consent_preferences=[
+                    consent.dict() for consent in consent_preferences.consent if consent
+                ],
+            )
+        ],
+        authenticated=True,
+    )
+
+    if privacy_request_results.failed or not privacy_request_results.succeeded:
+        raise HTTPException(
+            status_code=HTTP_400_BAD_REQUEST,
+            detail=privacy_request_results.failed[0].message,
+        )
+
+    consent_request.privacy_request_id = privacy_request_results.succeeded[0].id
+    consent_request.save(db=db)
+
+    return consent_preferences
 
 
 def _get_consent_request_and_provided_identity(
     db: Session,
     consent_request_id: str,
     verification_code: Optional[str],
-) -> ProvidedIdentity:
+) -> Tuple[ConsentRequest, ProvidedIdentity]:
     """Verifies the consent request and verification code, then return the ProvidedIdentity if successful."""
     consent_request = ConsentRequest.get_by_key_or_id(
         db=db, data={"id": consent_request_id}
@@ -306,7 +345,7 @@ def _get_consent_request_and_provided_identity(
             detail="No identity found for consent request id",
         )
 
-    return provided_identity
+    return consent_request, provided_identity
 
 
 def _prepare_consent_preferences(

src/fides/api/ops/api/v1/endpoints/privacy_request_endpoints.py

@@ -90,6 +90,7 @@
 )
 from fides.api.ops.models.privacy_request import (
     CheckpointActionRequired,
+    ConsentRequest,
     ExecutionLog,
     PrivacyRequest,
     PrivacyRequestNotifications,
@@ -187,7 +188,7 @@ def create_privacy_request(
     or report failure and execute them within the Fidesops system.
     You cannot update privacy requests after they've been created.
     """
-    return _create_privacy_request(db, data, False)
+    return create_privacy_request_func(db, data, False)
 
 
 @router.post(
@@ -207,7 +208,7 @@ def create_privacy_request_authenticated(
     You cannot update privacy requests after they've been created.
     This route requires authentication instead of using verification codes.
     """
-    return _create_privacy_request(db, data, True)
+    return create_privacy_request_func(db, data, True)
 
 
 def _send_privacy_request_receipt_message_to_user(
@@ -1551,7 +1552,7 @@ def resume_privacy_request_from_requires_input(
     return privacy_request
 
 
-def _create_privacy_request(
+def create_privacy_request_func(
     db: Session,
     data: conlist(PrivacyRequestCreate),  # type: ignore
     authenticated: bool = False,
@@ -1572,7 +1573,12 @@ def _create_privacy_request(
 
     logger.info("Starting creation for {} privacy requests", len(data))
 
-    optional_fields = ["external_id", "started_processing_at", "finished_processing_at"]
+    optional_fields = [
+        "external_id",
+        "started_processing_at",
+        "finished_processing_at",
+        "consent_preferences",
+    ]
     for privacy_request_data in data:
         if not any(privacy_request_data.identity.dict().values()):
             logger.warning(
@@ -1609,6 +1615,8 @@ def _create_privacy_request(
         )
         for field in optional_fields:
             attr = getattr(privacy_request_data, field)
+            if field == "consent_preferences":
+                attr = [consent.dict() for consent in attr]
             if attr is not None:
                 kwargs[field] = attr
 

src/fides/api/ops/common_exceptions.py

@@ -65,6 +65,10 @@ class RuleTargetValidationError(ValueError):
     """The Rule you are trying to create has invalid data"""
 
 
+class RuleUseValidationError(ValueError):
+    """The Data Use you are trying to create is inalid"""
+
+
 class DataCategoryNotSupported(ValueError):
     """The data category you have supplied is not supported."""
 
@@ -101,6 +105,10 @@ class CollectionDisabled(BaseException):
     """Collection is attached to disabled ConnectionConfig"""
 
 
+class NotSupportedForCollection(BaseException):
+    """The given action is not supported for this type of collection"""
+
+
 class PrivacyRequestPaused(BaseException):
     """Halt Instruction Received on Privacy Request"""