Add option to login as root user from config (#1116)

Co-authored-by: Paul Sanders <[email protected]>

CHANGELOG.md

@@ -30,7 +30,8 @@ The types of changes are:
 * SaaS Connector Configuration - Testing a Connection [#985](https://github.com/ethyca/fidesops/pull/1099)
 * Add an endpoint for verifying the user's identity before queuing the privacy request. [#1111](https://github.com/ethyca/fidesops/pull/1111)
 * Adds tests for email endpoints and service [#1112](https://github.com/ethyca/fidesops/pull/1112)
-* Adds the ability to verify a subject's identity before processing a Privacy Request  [#1115] https://github.com/ethyca/fidesops/pull/1115
+* Adds the ability to verify a subject's identity before processing a Privacy Request  [#1115](https://github.com/ethyca/fidesops/pull/1115)
+* Add option to login as root user from config[#1116](https://github.com/ethyca/fidesops/pull/1116)
 * Added email templates [#1123](https://github.com/ethyca/fidesops/pull/1123)
 * Add Retry button back into the subject request detail view [#1128](https://github.com/ethyca/fidesops/pull/1131)
 
@@ -57,6 +58,10 @@ The types of changes are:
 
 * Minor formatting updates to [Policy Webhooks](https://ethyca.github.io/fidesops/guides/policy_webhooks/) documentation [#1114](https://github.com/ethyca/fidesops/pull/1114)
 
+### Removed
+
+* Removed create superuser [#1116](https://github.com/ethyca/fidesops/pull/1116)
+
 ## [1.7.0](https://github.com/ethyca/fidesops/compare/1.6.3...1.7.0)
 
 ### Added

docs/fidesops/docs/guides/configuration_reference.md

@@ -44,6 +44,9 @@ The `fidesops.toml` file should specify the following variables:
 | `oauth_root_client_id` | `FIDESOPS__SECURITY__OAUTH_ROOT_CLIENT_ID` | string | fidesopsadmin | N/A | The value used to identify the fidesops application root API client |
 | `oauth_root_client_secret` | `FIDESOPS__SECURITY__OAUTH_ROOT_CLIENT_SECRET` | string | fidesopsadminsecret | N/A | The secret value used to authenticate the fidesops application root API client |
 | `oauth_access_token_expire_minutes` | `FIDESOPS__SECURITY__OAUTH_ACCESS_TOKEN_EXPIRE_MINUTES` | int | 1 | 11520 | The time period fidesops API tokens will be valid |
+| `root_username` | `FIDESOPS__SECURITY__ROOT_USERNAME` | string | root_user | None | If set this can be used in conjunction with `root_password` to log in as a root user without first needing to create a user in the database. |
+| `root_password` | `FIDESOPS__SECURITY__ROOT_PASSWORD` | string | apassword | None | If set this can be used in conjunction with `root_username` to log in as a root user without first needing to create a user in the database. |
+| `root_user_scopes` | `FIDESOPS__SECURITY__ROOT_USER_SCOPES` | list of strings | ["client:create", "client:update"] | All available scopes | The scopes granted to the root user when logging in with `root_username` and `root_password`. |
 | Execution Variables |---|---|---|---|---|
 |`privacy_request_delay_timeout` | `FIDESOPS__EXECUTION__PRIVACY_REQUEST_DELAY_TIMEOUT` | int | 3600 | 3600 | The amount of time to wait for actions delaying privacy requests, for example pre and post processing webhooks.
 |`task_retry_count` | `FIDESOPS__EXECUTION__TASK_RETRY_COUNT` | int | 5 | 0 | The number of times a failed request will be retried
@@ -88,6 +91,8 @@ encoding = "UTF-8"
 oauth_root_client_id = "fidesopsadmin"
 oauth_root_client_secret = "fidesopsadminsecret"
 log_level = "INFO"
+root_username = "root_user"
+root_password = "Testpassword1!"
 
 [execution]
 masking_strict = true

docs/fidesops/docs/ui/local_dev.md

@@ -5,11 +5,12 @@ To test the UI locally, clone the [FidesOps repository](https://github.com/ethyc
 
 ### Creating the root user
 
-In the top-level `fidesops` directory, run `nox -s create_user`.
+A root user can be created by adding a `root_username` and `root_password` to the
+security section of `fidesops.toml` file, or by setting `FIDESOPS__SECURITY__ROOT_USERNAME`
+and `FIDESOPS__SECURITY__ROOT_PASSWORD` environment variables.
 
-A series of prompts will walk you through creating a username and password. Passwords require 8 or more characters, upper and lowercase characters, a number, and a symbol.
-
-This will create an Admin UI Root User that can be used to access additional [user endpoints](#managing-users).
+This will allow you to login in with a root user that can be used to access
+additional [user endpoints](#managing-users).
 
 ### Accessing the Control Panel
 

fidesops.toml

@@ -27,6 +27,8 @@ oauth_root_client_id = "fidesopsadmin"
 oauth_root_client_secret = "fidesopsadminsecret"
 drp_jwt_secret = "secret"
 log_level = "INFO"
+root_username = "root_user"
+root_password = "Testpassword1!"
 
 [execution]
 masking_strict = true

noxfiles/run_infrastructure.py

@@ -36,7 +36,6 @@ def run_infrastructure(
     run_application: bool = False,  # Should we run the Fidesops webserver?
     run_quickstart: bool = False,  # Should we run the quickstart command?
     run_tests: bool = False,  # Should we run the tests after creating the infra?
-    run_create_superuser: bool = False,  # Should we run the create_superuser command?
     run_create_test_data: bool = False,  # Should we run the create_test_data command?
     analytics_opt_out: bool = False,  # Should we opt out of analytics?
 ) -> None:
@@ -100,9 +99,6 @@ def run_infrastructure(
             analytics_opt_out=analytics_opt_out,
         )
 
-    if run_create_superuser:
-        return _run_create_superuser(path, COMPOSE_SERVICE_NAME)
-
     if run_create_test_data:
         return _run_create_test_data(path, COMPOSE_SERVICE_NAME)
 
@@ -167,20 +163,6 @@ def _run_quickstart(
     _run_cmd_or_err(f"docker-compose run {service_name} python scripts/quickstart.py")
 
 
-def _run_create_superuser(
-    path: str,
-    service_name: str,
-) -> None:
-    """
-    Invokes the Fidesops create_user_and_client command
-    """
-    _run_cmd_or_err('echo "Running create superuser..."')
-    _run_cmd_or_err(f"docker-compose {path} up -d")
-    _run_cmd_or_err(
-        f"docker-compose run {service_name} python scripts/create_superuser.py"
-    )
-
-
 def _run_create_test_data(
     path: str,
     service_name: str,

noxfiles/utils_nox.py

@@ -22,12 +22,6 @@
 )
 
 
-@nox.session()
-def create_user(session: nox.Session) -> None:
-    """Create a super user in the fidesops database."""
-    run_infrastructure(datastores=["postgres"], run_create_superuser=True)
-
-
 @nox.session()
 def seed_test_data(session: nox.Session) -> None:
     """Seed test data in the Postgres application database."""

requirements.txt

@@ -10,7 +10,7 @@ fastapi[all]==0.79.1
 fastapi-caching[redis]
 fastapi-pagination[sqlalchemy]~= 0.9.3
 fideslang==1.2.0
-fideslib==3.0.3
+fideslib==3.1.0
 fideslog==1.2.3
 hvac==0.11.2
 Jinja2==3.1.2

src/fidesops/main.py

@@ -10,6 +10,7 @@
 from fastapi import FastAPI, Request, Response
 from fastapi.exceptions import HTTPException
 from fastapi.responses import FileResponse
+from fideslib.oauth.api.deps import get_config as lib_get_config
 from fideslib.oauth.api.deps import get_db as lib_get_db
 from fideslib.oauth.api.deps import verify_oauth_client as lib_verify_oauth_client
 from fideslib.oauth.api.routes.user_endpoints import router as user_router
@@ -24,6 +25,7 @@
     in_docker_container,
     send_analytics_event,
 )
+from fidesops.ops.api.deps import get_config, get_db
 from fidesops.ops.api.v1.api import api_router
 from fidesops.ops.api.v1.exception_handlers import ExceptionHandlers
 from fidesops.ops.api.v1.urn_registry import V1_URL_PREFIX
@@ -42,7 +44,7 @@
 from fidesops.ops.tasks.scheduled.tasks import initiate_scheduled_request_intake
 from fidesops.ops.util.cache import get_cache
 from fidesops.ops.util.logger import get_fides_log_record_factory
-from fidesops.ops.util.oauth_util import get_db, verify_oauth_client
+from fidesops.ops.util.oauth_util import verify_oauth_client
 
 logging.basicConfig(level=config.security.log_level)
 logging.setLogRecordFactory(get_fides_log_record_factory())
@@ -129,8 +131,10 @@ def prepare_and_log_request(
 
 app.include_router(api_router)
 app.include_router(user_router, tags=["Users"], prefix=f"{V1_URL_PREFIX}")
+app.dependency_overrides[lib_get_config] = get_config
 app.dependency_overrides[lib_get_db] = get_db
 app.dependency_overrides[lib_verify_oauth_client] = verify_oauth_client
+
 for handler in ExceptionHandlers.get_handlers():
     app.add_exception_handler(FunctionalityNotConfigured, handler)
 

src/fidesops/ops/api/deps.py

@@ -4,12 +4,17 @@
 from sqlalchemy.orm import Session
 
 from fidesops.ops.common_exceptions import FunctionalityNotConfigured
-from fidesops.ops.core.config import config
+from fidesops.ops.core.config import FidesopsConfig, config
 from fidesops.ops.util.cache import get_cache as get_redis_connection
 
 _engine = None
 
 
+def get_config() -> FidesopsConfig:
+    """Returns the config for use in dependency injection."""
+    return config
+
+
 def get_db() -> Generator:
     """Return our database session"""
     if not config.database.enabled:

src/fidesops/ops/core/config.py

@@ -2,7 +2,7 @@
 
 import logging
 import os
-from typing import Any, Dict, MutableMapping, Optional
+from typing import Any, Dict, List, MutableMapping, Optional
 from urllib.parse import quote_plus
 
 import toml
@@ -17,6 +17,7 @@
 from fideslog.sdk.python.utils import FIDESOPS, generate_client_id
 from pydantic import validator
 
+from fidesops.ops.api.v1.scope_registry import SCOPE_REGISTRY
 from fidesops.ops.util.logger import NotPii
 
 logger = logging.getLogger(__name__)
@@ -87,6 +88,7 @@ class FidesopsSecuritySettings(SecuritySettings):
     """Configuration settings for Security variables."""
 
     log_level: str = "INFO"
+    root_user_scopes: Optional[List[str]] = SCOPE_REGISTRY
 
     @validator("log_level", pre=True)
     def validate_log_level(cls, value: str) -> str: