diff --git a/CHANGELOG.md b/CHANGELOG.md
index 29dc7ec872..dbf0a7d6f0 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -23,6 +23,7 @@ The types of changes are:
 * The ability to assign users as system managers for a specific system [#2714](https://github.com/ethyca/fides/pull/2714)
 * New endpoints to add and remove users as system managers [#2726](https://github.com/ethyca/fides/pull/2726)
 * Adds Role Assignment UI [#2739](https://github.com/ethyca/fides/pull/2739)
+* Add an automated migration to give users a `viewer` role [#2821](https://github.com/ethyca/fides/pull/2821)
 
 ### Changed
 
diff --git a/src/fides/api/ctl/migrations/versions/50180bbbb959_automigrate_viewer_role.py b/src/fides/api/ctl/migrations/versions/50180bbbb959_automigrate_viewer_role.py
new file mode 100644
index 0000000000..3274f00b63
--- /dev/null
+++ b/src/fides/api/ctl/migrations/versions/50180bbbb959_automigrate_viewer_role.py
@@ -0,0 +1,61 @@
+"""automigrate viewer role
+
+Revision ID: 50180bbbb959
+Revises: 68a518a3c050
+Create Date: 2023-03-14 14:26:32.910570
+
+"""
+import sqlalchemy as sa
+from alembic import op
+
+# revision identifiers, used by Alembic.
+from sqlalchemy import text
+
+revision = "50180bbbb959"
+down_revision = "68a518a3c050"
+branch_labels = None
+depends_on = None
+
+
+def upgrade():
+    op.drop_constraint(
+        "messagingconfig_service_type_key", "messagingconfig", type_="unique"
+    )
+    op.create_index(
+        op.f("ix_messagingconfig_service_type"),
+        "messagingconfig",
+        ["service_type"],
+        unique=True,
+    )
+
+    """Automatic data migration: Set user scopes to empty, and set all user roles to viewer"""
+    bind = op.get_bind()
+    bind.execute(
+        text(
+            """
+            UPDATE fidesuserpermissions
+            SET scopes = '{}',
+            roles = '{viewer}';
+            """
+        )
+    )
+
+    """Automatic data migration: Similarly Update all client scopes attached to users"""
+    bind.execute(
+        text(
+            """
+            UPDATE client
+            SET scopes = '{}',
+            roles = '{viewer}'
+            FROM fidesuserpermissions
+            WHERE fidesuserpermissions.user_id = client.user_id;
+            """
+        )
+    )
+
+
+def downgrade():
+    op.drop_index(op.f("ix_messagingconfig_service_type"), table_name="messagingconfig")
+    op.create_unique_constraint(
+        "messagingconfig_service_type_key", "messagingconfig", ["service_type"]
+    )
diff --git a/src/fides/api/ops/tasks/storage.py b/src/fides/api/ops/tasks/storage.py
index ddee526308..3a37ef9512 100644
--- a/src/fides/api/ops/tasks/storage.py
+++ b/src/fides/api/ops/tasks/storage.py
@@ -11,7 +11,6 @@
 import pandas as pd
 from boto3 import Session
 from botocore.exceptions import ClientError, ParamValidationError
-
 from bson import ObjectId
 from loguru import logger
 
diff --git a/src/fides/data/test_env/fides.test_env.toml b/src/fides/data/test_env/fides.test_env.toml
index 855c5a2afb..00729382d8 100644
--- a/src/fides/data/test_env/fides.test_env.toml
+++ b/src/fides/data/test_env/fides.test_env.toml
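Review bot: The two "Automatic data migration" strings inside `upgrade()` are bare string-literal statements rather than comments, so they are evaluated and discarded at runtime and read like stray docstrings; replace them with `# Automatic data migration: set every user's scopes to empty and their roles to viewer` and `# Automatic data migration: apply the same reset to every client row that is linked to a user`. The two `UPDATE` statements are one-way — `downgrade()` only restores the messagingconfig constraint and index and cannot recover the scopes and roles that were overwritten — so the module docstring should state that the permission reset is irreversible, that every existing user (including any previously elevated one) comes out of this revision as a viewer with no scopes, and that clients with no `user_id` are left untouched. It follows, presumably, that an operator has to re-grant owner/contributor roles after upgrading, which is worth a sentence in the same docstring; confirm against how this deployment is administered. `import sqlalchemy as sa` is unused on the new side and can be dropped.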
@@ -22,6 +22,7 @@ oauth_root_client_id = "fidesadmin"
 oauth_root_client_secret = "fidesadminsecret"
 root_username = "root_user"
 root_password = "Testpassword1!"
+env = "prod"
 
 [execution]
 task_retry_count = 0
diff --git a/src/fides/lib/oauth/roles.py b/src/fides/lib/oauth/roles.py
index 5c7db80f38..d43543917c 100644
--- a/src/fides/lib/oauth/roles.py
+++ b/src/fides/lib/oauth/roles.py
@@ -5,6 +5,7 @@
     CLI_OBJECTS_READ,
     CLIENT_READ,
     CONFIG_READ,
+    CONFIG_UPDATE,
     CONNECTION_READ,
     CONNECTION_TYPE_READ,
     CONSENT_READ,
@@ -114,6 +115,7 @@ class RoleRegistryEnum(Enum):
     MESSAGING_CREATE_OR_UPDATE,
     MESSAGING_DELETE,
     PRIVACY_REQUEST_NOTIFICATIONS_CREATE_OR_UPDATE,
+    CONFIG_UPDATE,
 ]
 
 ROLES_TO_SCOPES_MAPPING: Dict[str, List] = {
diff --git a/tests/ops/api/v1/endpoints/test_config_endpoints.py b/tests/ops/api/v1/endpoints/test_config_endpoints.py
index f696053901..16992eb0f6 100644
--- a/tests/ops/api/v1/endpoints/test_config_endpoints.py
+++ b/tests/ops/api/v1/endpoints/test_config_endpoints.py
@@ -10,6 +10,7 @@
 from fides.api.ops.api.v1 import urn_registry as urls
 from fides.api.ops.models.application_config import ApplicationConfig
 from fides.api.ops.schemas.storage.storage import StorageType
+from fides.lib.oauth.roles import CONTRIBUTOR, OWNER, VIEWER
 
 
 class TestPatchApplicationConfig:
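Review bot: `env = "prod"` is added to the test-environment config without a comment saying what it changes, and it sits in what looks like the security section next to hard-coded test credentials, so a reader cannot tell whether the test env is now deliberately run with production-level security enforcement or whether the line is a leftover. If the intent is that the test env exercise the stricter auth path (the role-based 403 tests in this PR suggest so), say it inline above the key: `# Run the test env with prod security settings so auth and role checks are actually enforced`. If it was set for some other reason, a one-line comment on that is just as useful.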
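Review bot: In the second roles.py hunk, `CONFIG_UPDATE` is appended after `PRIVACY_REQUEST_NOTIFICATIONS_CREATE_OR_UPDATE`, while the visible neighbours (and the import block in the first hunk, where `CONFIG_UPDATE` was correctly placed after `CONFIG_READ`) are kept alphabetical; move it to its sorted position so the list stays scannable. The list being extended opens before this hunk, so which role it feeds is not visible here; the config-endpoint tests in this PR expect 200 only for `OWNER`, which suggests this is the owner-only scope set. Since `CONFIG_UPDATE` lets its holder rewrite application configuration, a short comment on the entry, `# CONFIG_UPDATE: rewriting application config is reserved for the top role`, would document that trust boundary for the next person who edits the list.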
@@ -46,6 +47,27 @@ def test_patch_application_config_wrong_scope(
         response = api_client.patch(url, headers=auth_header, json=payload)
         assert 403 == response.status_code
 
+    def test_patch_application_config_viewer_role(
+        self, api_client: TestClient, payload, url, generate_role_header
+    ):
+        auth_header = generate_role_header(roles=[VIEWER])
+        response = api_client.patch(url, headers=auth_header, json=payload)
+        assert 403 == response.status_code
+
+    def test_patch_application_config_contributor_role(
+        self, api_client: TestClient, payload, url, generate_role_header
+    ):
+        auth_header = generate_role_header(roles=[CONTRIBUTOR])
+        response = api_client.patch(url, headers=auth_header, json=payload)
+        assert 403 == response.status_code
+
+    def test_patch_application_config_admin_role(
+        self, api_client: TestClient, payload, url, generate_role_header
+    ):
+        auth_header = generate_role_header(roles=[OWNER])
+        response = api_client.patch(url, headers=auth_header, json=payload)
+        assert 200 == response.status_code
+
     def test_patch_application_config_with_invalid_key(
         self,
         api_client: TestClient,
diff --git a/tests/ops/service/storage_uploader_service_test.py b/tests/ops/service/storage_uploader_service_test.py
index 64041fedc3..b53179814a 100644
--- a/tests/ops/service/storage_uploader_service_test.py
+++ b/tests/ops/service/storage_uploader_service_test.py
@@ -7,9 +7,9 @@
 from unittest.mock import Mock
 from zipfile import ZipFile
 
-from bson import ObjectId
 import pandas as pd
 import pytest
+from bson import ObjectId
 from sqlalchemy.orm import Session
 
 from fides.api.ops.common_exceptions import StorageUploadError
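Review bot: The three new tests in test_config_endpoints.py differ only in the role passed to `generate_role_header` and the expected status, so they are a natural `pytest.mark.parametrize` case; folding them into one test keeps the role/status matrix in a single place, which makes a missing row obvious when a new role is added. The name `test_patch_application_config_admin_role` also does not match the `OWNER` role it actually uses, and the parametrized form removes that mismatch. This assumes `pytest` is already imported in the module, which is not visible in the hunk.
```python
    @pytest.mark.parametrize(
        "role,expected_status",
        [(VIEWER, 403), (CONTRIBUTOR, 403), (OWNER, 200)],
    )
    def test_patch_application_config_by_role(
        self, api_client: TestClient, payload, url, generate_role_header, role, expected_status
    ):
        auth_header = generate_role_header(roles=[role])
        response = api_client.patch(url, headers=auth_header, json=payload)
        assert expected_status == response.status_code
    # … unchanged: test_patch_application_config_with_invalid_key …
```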