Remove Scopes and Add Viewer Role

CHANGELOG.md

@@ -22,7 +22,7 @@ The types of changes are:
 * Serialise `bson.ObjectId` types in SAR data packages [#2785](https://github.com/ethyca/fides/pull/2785)
 * The ability to assign users as system managers for a specific system [#2714](https://github.com/ethyca/fides/pull/2714)
 * New endpoints to add and remove users as system managers [#2726](https://github.com/ethyca/fides/pull/2726)
-
+* Add an automated migration to give users a `viewer` role [#2821](https://github.com/ethyca/fides/pull/2821)
 
 ### Changed
 

src/fides/api/ctl/migrations/versions/50180bbbb959_automigrate_viewer_role.py

@@ -0,0 +1,61 @@
+"""automigrate viewer role
+
+Revision ID: 50180bbbb959
+Revises: 68a518a3c050
+Create Date: 2023-03-14 14:26:32.910570
+
+"""
+import sqlalchemy as sa
+from alembic import op
+
+# revision identifiers, used by Alembic.
+from sqlalchemy import text
+
+revision = "50180bbbb959"
+down_revision = "68a518a3c050"
+branch_labels = None
+depends_on = None
+
+
+def upgrade():
+    op.drop_constraint(
+        "messagingconfig_service_type_key", "messagingconfig", type_="unique"
+    )
+    op.create_index(
+        op.f("ix_messagingconfig_service_type"),
+        "messagingconfig",
+        ["service_type"],
+        unique=True,
+    )
+
+    """Automatic data migration: Set user scopes to empty, and set all user roles to viewer"""
+    bind = op.get_bind()
+    bind.execute(
+        text(
+            """
+            UPDATE fidesuserpermissions 
+            SET scopes = '{}', 
+                roles = '{viewer}';
+        """
+        )
+    )
+
+    """Automatic data migration: Similarly Update all client scopes attached to users"""
+    bind.execute(
+        text(
+            """
+                UPDATE client 
+                SET scopes = '{}', 
+                    roles = '{viewer}'
+                FROM fidesuserpermissions
+                WHERE fidesuserpermissions.user_id = client.user_id;
+            """
+        )
+    )
+
+
+def downgrade():
+    op.drop_index(op.f("ix_messagingconfig_service_type"), table_name="messagingconfig")
+    op.create_unique_constraint(
+        "messagingconfig_service_type_key", "messagingconfig", ["service_type"]
+    )

src/fides/api/ops/tasks/storage.py

@@ -11,7 +11,6 @@
 import pandas as pd
 from boto3 import Session
 from botocore.exceptions import ClientError, ParamValidationError
-
 from bson import ObjectId
 from loguru import logger
 

src/fides/lib/oauth/roles.py

@@ -5,6 +5,7 @@
     CLI_OBJECTS_READ,
     CLIENT_READ,
     CONFIG_READ,
+    CONFIG_UPDATE,
     CONNECTION_READ,
     CONNECTION_TYPE_READ,
     CONSENT_READ,
@@ -114,6 +115,7 @@ class RoleRegistryEnum(Enum):
     MESSAGING_CREATE_OR_UPDATE,
     MESSAGING_DELETE,
     PRIVACY_REQUEST_NOTIFICATIONS_CREATE_OR_UPDATE,
+    CONFIG_UPDATE,
 ]
 
 ROLES_TO_SCOPES_MAPPING: Dict[str, List] = {

tests/ops/api/v1/endpoints/test_config_endpoints.py

@@ -10,6 +10,7 @@
 from fides.api.ops.api.v1 import urn_registry as urls
 from fides.api.ops.models.application_config import ApplicationConfig
 from fides.api.ops.schemas.storage.storage import StorageType
+from fides.lib.oauth.roles import CONTRIBUTOR, OWNER, VIEWER
 
 
 class TestPatchApplicationConfig:
@@ -46,6 +47,27 @@ def test_patch_application_config_wrong_scope(
         response = api_client.patch(url, headers=auth_header, json=payload)
         assert 403 == response.status_code
 
+    def test_patch_application_config_viewer_role(
+        self, api_client: TestClient, payload, url, generate_role_header
+    ):
+        auth_header = generate_role_header(roles=[VIEWER])
+        response = api_client.patch(url, headers=auth_header, json=payload)
+        assert 403 == response.status_code
+
+    def test_patch_application_config_contributor_role(
+        self, api_client: TestClient, payload, url, generate_role_header
+    ):
+        auth_header = generate_role_header(roles=[CONTRIBUTOR])
+        response = api_client.patch(url, headers=auth_header, json=payload)
+        assert 403 == response.status_code
+
+    def test_patch_application_config_admin_role(
+        self, api_client: TestClient, payload, url, generate_role_header
+    ):
+        auth_header = generate_role_header(roles=[OWNER])
+        response = api_client.patch(url, headers=auth_header, json=payload)
+        assert 200 == response.status_code
+
     def test_patch_application_config_with_invalid_key(
         self,
         api_client: TestClient,

tests/ops/service/storage_uploader_service_test.py

@@ -7,9 +7,9 @@
 from unittest.mock import Mock
 from zipfile import ZipFile
 
-from bson import ObjectId
 import pandas as pd
 import pytest
+from bson import ObjectId
 from sqlalchemy.orm import Session
 
 from fides.api.ops.common_exceptions import StorageUploadError