HJ-138 - Added a security setting that must be set to true to enable the access request download feature

CHANGELOG.md

@@ -21,6 +21,10 @@ The types of changes are:
 - Added DataHub integration config [#5401](https://github.com/ethyca/fides/pull/5401)
 - Added keepalive settings to the Redshift integration [#5433](https://github.com/ethyca/fides/pull/5433)
 
+### Changed
+- Add an environment variable that must be true to enable the Access request download feature [#5451](https://github.com/ethyca/fides/pull/5451)
+
+
 ### Developer Experience
 - Added Carbon Icons to FidesUI [#5416](https://github.com/ethyca/fides/pull/5416)
 

src/fides/api/api/v1/endpoints/privacy_request_endpoints.py

@@ -2,6 +2,7 @@
 
 import csv
 import io
+import os
 from collections import defaultdict
 from datetime import datetime
 from typing import (
@@ -2592,6 +2593,11 @@ def get_access_results_urls(
     """
     Endpoint for retrieving access results URLs for a privacy request.
     """
+    if os.environ.get("SECURITY__SUBJECT_REQUEST_DOWNLOAD_UI_ENABLED") != "true":
+        raise HTTPException(
+            status_code=HTTP_404_NOT_FOUND,
+            detail="Access results download is disabled.",
+        )
     privacy_request: PrivacyRequest = get_privacy_request_or_error(
         db, privacy_request_id
     )

tests/ops/api/v1/endpoints/test_privacy_request_endpoints.py

@@ -62,7 +62,6 @@
     get_should_refresh_automaton,
     manually_reset_automaton,
     remove_refresh_automaton_signal,
-    set_automaton_cache_signal,
 )
 from fides.common.api.scope_registry import (
     DATASET_CREATE_OR_UPDATE,
@@ -72,7 +71,6 @@
     PRIVACY_REQUEST_NOTIFICATIONS_CREATE_OR_UPDATE,
     PRIVACY_REQUEST_NOTIFICATIONS_READ,
     PRIVACY_REQUEST_READ,
-    PRIVACY_REQUEST_READ_ACCESS_RESULTS,
     PRIVACY_REQUEST_REVIEW,
     PRIVACY_REQUEST_TRANSFER,
     PRIVACY_REQUEST_UPLOAD_DATA,
@@ -107,7 +105,8 @@
     V1_URL_PREFIX,
 )
 from fides.config import CONFIG
-from tests.conftest import generate_auth_header_for_user, generate_role_header_for_user
+from tests.conftest import generate_role_header_for_user
+from tests.ops.test_helpers.decorators import override_envvars
 
 page_size = Params().size
 
@@ -8134,21 +8133,6 @@ def test_get_access_results_approver(
         response = api_client.get(url, headers=auth_header)
         assert response.status_code == 403
 
-    def test_get_access_results_approver(
-        self,
-        api_client: TestClient,
-        privacy_request: PrivacyRequest,
-        approver_user,
-    ):
-        url = V1_URL_PREFIX + PRIVACY_REQUEST_ACCESS_RESULTS.format(
-            privacy_request_id=privacy_request.id
-        )
-        auth_header = generate_role_header_for_user(
-            approver_user, roles=approver_user.permissions.roles
-        )
-        response = api_client.get(url, headers=auth_header)
-        assert response.status_code == 403
-
     def test_get_access_results_viewer(
         self,
         api_client: TestClient,
@@ -8179,6 +8163,11 @@ def test_get_access_results_viewer_and_approver(
         response = api_client.get(url, headers=auth_header)
         assert response.status_code == 403
 
+    @override_envvars(
+        {
+            "SECURITY__SUBJECT_REQUEST_DOWNLOAD_UI_ENABLED": "true",
+        }
+    )
     def test_get_access_results_request_not_complete(
         self,
         privacy_request: PrivacyRequest,
@@ -8201,6 +8190,11 @@ def test_get_access_results_request_not_complete(
             "detail": f"Access results for privacy request '{privacy_request.id}' are not available because the request is not complete."
         }
 
+    @override_envvars(
+        {
+            "SECURITY__SUBJECT_REQUEST_DOWNLOAD_UI_ENABLED": "true",
+        }
+    )
     def test_get_access_results_no_data(
         self,
         privacy_request: PrivacyRequest,
@@ -8223,6 +8217,11 @@ def test_get_access_results_no_data(
             "access_result_urls": [],
         }
 
+    @override_envvars(
+        {
+            "SECURITY__SUBJECT_REQUEST_DOWNLOAD_UI_ENABLED": "true",
+        }
+    )
     def test_get_access_results_owner(
         self,
         privacy_request: PrivacyRequest,
@@ -8254,6 +8253,11 @@ def test_get_access_results_owner(
             ]
         }
 
+    @override_envvars(
+        {
+            "SECURITY__SUBJECT_REQUEST_DOWNLOAD_UI_ENABLED": "true",
+        }
+    )
     def test_get_access_results_contributor(
         self,
         privacy_request: PrivacyRequest,
@@ -8272,3 +8276,27 @@ def test_get_access_results_contributor(
         )
         response = api_client.get(url, headers=auth_header)
         assert response.status_code == 200
+
+    @override_envvars(
+        {
+            "SECURITY__SUBJECT_REQUEST_DOWNLOAD_UI_ENABLED": "false",
+        }
+    )
+    def test_get_access_results_contributor_but_disabled(
+        self,
+        privacy_request: PrivacyRequest,
+        api_client: TestClient,
+        contributor_user,
+        db,
+    ):
+        privacy_request.status = PrivacyRequestStatus.complete
+        privacy_request.save(db)
+
+        url = V1_URL_PREFIX + PRIVACY_REQUEST_ACCESS_RESULTS.format(
+            privacy_request_id=privacy_request.id
+        )
+        auth_header = generate_role_header_for_user(
+            contributor_user, roles=contributor_user.permissions.roles
+        )
+        response = api_client.get(url, headers=auth_header)
+        assert response.status_code == 404

tests/ops/test_helpers/decorators.py

@@ -0,0 +1,29 @@
+import functools
+import os
+
+
+def override_envvars(env_vars):
+    """
+    Decorator to override environment variables for the duration of a test.
+    """
+
+    def decorator(func):
+        @functools.wraps(func)
+        def wrapper(*args, **kwargs):
+            original_env_vars = {}
+            for key, value in env_vars.items():
+                if key in os.environ:
+                    original_env_vars[key] = os.environ.get(key)
+                os.environ[key] = value
+            try:
+                return func(*args, **kwargs)
+            finally:
+                for key in env_vars.keys():
+                    if key in original_env_vars:
+                        os.environ[key] = original_env_vars[key]
+                    else:
+                        os.environ.pop(key, None)
+
+        return wrapper
+
+    return decorator