ethyca · ThomasLaPiana · Oct 14, 2022 · Oct 6, 2022 · Oct 10, 2022 · Oct 13, 2022
diff --git a/src/fides/api/ctl/database/database.py b/src/fides/api/ctl/database/database.py
@@ -8,20 +8,42 @@
 from alembic.runtime import migration
 from fideslang import DEFAULT_TAXONOMY
 from fideslib.db.base import Base
+from fideslib.exceptions import KeyOrNameAlreadyExists
+from fideslib.models.client import ClientDetail
+from fideslib.utils.text import to_snake_case
 from loguru import logger as log
 from sqlalchemy.orm import Session
 from sqlalchemy_utils.functions import create_database, database_exists
 
+from fides.api.ctl.database.session import sync_session
 from fides.api.ctl.sql_models import sql_model_map
 from fides.api.ctl.utils.errors import (
     AlreadyExistsError,
     QueryError,
     get_full_exception_name,
 )
+from fides.api.ops.models.policy import (
+    ActionType,
+    DrpAction,
+    Policy,
+    Rule,
+    RuleTarget,
+)
+from fides.api.ops.models.storage import StorageConfig
+from fides.api.ops.schemas.storage.storage import (
+    FileNaming,
+    ResponseFormat,
+    StorageDetails,
+    StorageType,
+)
+from fides.api.ops.util.data_category import DataCategory
+from fides.ctl.core.config import get_config
 from fides.ctl.core.utils import get_db_engine
 
 from .crud import create_resource, list_resource
 
+CONFIG = get_config()
+
 
 def get_alembic_config(database_url: str) -> Config:
     """
@@ -50,6 +72,7 @@ async def init_db(database_url: str) -> None:
     alembic_config = get_alembic_config(database_url)
     upgrade_db(alembic_config)
     await load_default_taxonomy()
+    await load_default_policies()
 
 
 def create_db_if_not_exists(database_url: str) -> None:
@@ -60,6 +83,154 @@ def create_db_if_not_exists(database_url: str) -> None:
         create_database(database_url)
 
 
+async def load_default_policies() -> None:
+    """
+    Checks whether DSR execution policies exist in the database, and
+    inserts them to target a default set of data categories if not.
+    """
+    FIDESOPS_AUTOGENERATED_CLIENT_KEY = "fides_autogenerated_client"
+    FIDESOPS_AUTOGENERATED_STORAGE_KEY = "fidesops_autogenerated_storage_destination"
+    STRING_REWRITE_STRATEGY_NAME = "string_rewrite"
+    db_session = sync_session()
+
+    client = ClientDetail.get_by(
+        db=db_session,
+        field="fides_key",
+        value=FIDESOPS_AUTOGENERATED_CLIENT_KEY,
+    )
+    if not client:
+        client, _ = ClientDetail.create_client_and_secret(
+            db=db_session,
+            client_id_byte_length=CONFIG.security.oauth_client_id_length_bytes,
+            client_secret_byte_length=CONFIG.security.oauth_client_secret_length_bytes,
+            fides_key="fides_autogenerated_client",
+        )
+
+    client_id = client.id
+    default_data_categories = [
+        DataCategory("user.biometric").value,
+        DataCategory("user.biometric_health").value,
+        DataCategory("user.browsing_history").value,
+        DataCategory("user.childrens").value,
+        DataCategory("user.contact").value,
+        DataCategory("user.date_of_birth").value,
+        DataCategory("user.demographic").value,
+        DataCategory("user.device").value,
+        DataCategory("user.gender").value,
+        DataCategory("user.genetic").value,
+        DataCategory("user.government_id").value,
+        DataCategory("user.health_and_medical").value,
+        DataCategory("user.job_title").value,
+        DataCategory("user.location").value,
+        DataCategory("user.media_consumption").value,
+        DataCategory("user.name").value,
+        DataCategory("user.non_specific_age").value,
+        DataCategory("user.observed").value,
+        DataCategory("user.organization").value,
+        DataCategory("user.political_opinion").value,
+        DataCategory("user.profiling").value,
+        DataCategory("user.race").value,
+        DataCategory("user.religious_belief").value,
+        DataCategory("user.search_history").value,
+        DataCategory("user.sensor").value,
+        DataCategory("user.sexual_orientation").value,
+        DataCategory("user.social").value,
+        DataCategory("user.telemetry").value,
+        DataCategory("user.unique_id").value,
+        DataCategory("user.user_sensor").value,
+        DataCategory("user.workplace").value,
+    ]
+    access_policy = Policy.create_or_update(
+        db=db_session,
+        data={
+            "name": "Default Access Policy",
+            "key": "default_access_policy",
+            "execution_timeframe": 45,
+            "client_id": client_id,
+            "drp_action": DrpAction.access.value,
+        },
+    )
+    local_storage_config = StorageConfig.create_or_update(
+        db=db_session,
+        data={
+            "name": "Default Local Storage Config",
+            "key": FIDESOPS_AUTOGENERATED_STORAGE_KEY,
+            "type": StorageType.local,
+            "details": {
+                StorageDetails.NAMING.value: FileNaming.request_id.value,
+            },
+            "format": ResponseFormat.json,
+        },
+    )
+    access_rule = Rule.create_or_update(
+        db=db_session,
+        data={
+            "action_type": ActionType.access.value,
+            "name": "Default Access Policy Rule",
+            "key": "default_access_policy_rule",
+            "policy_id": access_policy.id,
+            "storage_destination_id": local_storage_config.id,
+            "client_id": client_id,
+        },
+    )
+    for target in default_data_categories:
+        data = {
+            "data_category": target,
+            "rule_id": access_rule.id,
+        }
+        compound_key = to_snake_case(RuleTarget.get_compound_key(data=data))
+        data["key"] = compound_key
+        try:
+            RuleTarget.create(
+                db=db_session,
+                data=data,
+            )
+        except KeyOrNameAlreadyExists:
+            # This rule target already exists against the Policy
+            pass
+
+    erasure_policy_key = "default_erasure_policy"
+    erasure_policy = Policy.create_or_update(
+        db=db_session,
+        data={
+            "name": "Default Erasure Policy",
+            "key": erasure_policy_key,
+            "execution_timeframe": 45,
+            "client_id": client_id,
+            "drp_action": DrpAction.deletion.value,
+        },
+    )
+    erasure_rule = Rule.create_or_update(
+        db=db_session,
+        data={
+            "action_type": ActionType.erasure.value,
+            "name": "Default Erasure Policy Rule",
+            "key": "default_erasure_policy_rule",
+            "policy_id": erasure_policy.id,
+            "client_id": client_id,
+            "masking_strategy": {
+                "strategy": STRING_REWRITE_STRATEGY_NAME,
+                "configuration": {"rewrite_value": "MASKED"},
+            },
+        },
+    )
+    for target in default_data_categories:
+        data = {
+            "data_category": target,
+            "rule_id": erasure_rule.id,
+        }
+        compound_key = to_snake_case(RuleTarget.get_compound_key(data=data))
+        data["key"] = compound_key
+        try:
+            RuleTarget.create(
+                db=db_session,
+                data=data,
+            )
+        except KeyOrNameAlreadyExists:
+            # This rule target already exists against the Policy
+            pass
+
+
 async def load_default_taxonomy() -> None:
     """
     Attempts to insert organization resources into the database,

diff --git a/src/fides/api/ctl/database/session.py b/src/fides/api/ctl/database/session.py
@@ -13,5 +13,8 @@
 
 sync_engine = create_engine(config.database.sync_database_uri, echo=False)
 sync_session = sessionmaker(
-    sync_engine, class_=Session, expire_on_commit=False, autocommit=False
+    sync_engine,
+    class_=Session,
+    expire_on_commit=False,
+    autocommit=False,
 )
diff --git a/src/fides/api/ops/models/policy.py b/src/fides/api/ops/models/policy.py
@@ -359,6 +359,21 @@ class RuleTarget(Base):
         UniqueConstraint("rule_id", "data_category", name="_rule_id_data_category_uc"),
     )
 
+    @classmethod
+    def get_compound_key(cls, data: Dict[str, Any]) -> str:
+        data_category = data.get("data_category")
+        if not data_category:
+            raise common_exceptions.RuleTargetValidationError(
+                "A data_category must be supplied."
+            )
+        rule_id = data.get("rule_id")
+        if not rule_id:
+            raise common_exceptions.RuleTargetValidationError(
+                "A rule_id must be supplied."
+            )
+
+        return f"{rule_id}-{data_category}"
+
     @classmethod
     def create_or_update(cls, db: Session, *, data: Dict[str, Any]) -> FidesBase:
         """
@@ -401,7 +416,7 @@ def create(cls, db: Session, *, data: Dict[str, Any]) -> FidesBase:
                 "A rule_id must be supplied."
             )
 
-        default_name = f"{rule_id}-{data_category}"
+        default_name = cls.get_compound_key(data=data)
         if data.get("name") is None:
             data["name"] = default_name
 
@@ -436,10 +451,15 @@ def save(self, db: Session) -> FidesBase:
     def update(self, db: Session, *, data: Dict[str, Any]) -> FidesBase:
         """Validate data_category on object update."""
         updated_data_category = data.get("data_category")
-        if data.get("name") is None:
-            # Don't pass explcit `None` through for `name` because the field
-            # is non-nullable
-            del data["name"]
+        try:
+            name = data["name"]
+        except KeyError:
+            pass
+        else:
+            if name is None:
+                # Don't pass explcit `None` through for `name` because
+                # the field is non-nullable
+                del data["name"]
 
         if (
             updated_data_category is not None