ethyca · tvandort · Jan 10, 2025 · Jan 10, 2025 · Jan 10, 2025 · Jan 10, 2025
diff --git a/src/fides/api/api/v1/endpoints/consent_request_endpoints.py b/src/fides/api/api/v1/endpoints/consent_request_endpoints.py
@@ -64,6 +64,7 @@
 from fides.api.util.endpoint_utils import validate_start_and_end_filters
 from fides.api.util.logger import Pii
 from fides.common.api.scope_registry import CONSENT_READ
+from fides.common.api.v1.tag_registry import PUBLIC_INTERNET
 from fides.common.api.v1.urn_registry import (
     CONSENT_REQUEST,
     CONSENT_REQUEST_PREFERENCES,
@@ -178,6 +179,7 @@ def report_consent_requests(
     CONSENT_REQUEST,
     status_code=HTTP_200_OK,
     response_model=ConsentRequestResponse,
+    tags=[PUBLIC_INTERNET],
 )
 def create_consent_request(
     *,
@@ -255,6 +257,7 @@ def create_consent_request(
     CONSENT_REQUEST_VERIFY,
     status_code=HTTP_200_OK,
     response_model=ConsentPreferences,
+    tags=[PUBLIC_INTERNET],
 )
 def consent_request_verify(
     *,
@@ -309,6 +312,7 @@ def consent_request_verify(
             "only supported with disable_consent_identity_verification set to true"
         },
     },
+    tags=[PUBLIC_INTERNET],
 )
 def get_consent_preferences_no_id(
     *,
@@ -451,6 +455,7 @@ def queue_privacy_request_to_propagate_consent_old_workflow(
     CONSENT_REQUEST_PREFERENCES_WITH_ID,
     status_code=HTTP_200_OK,
     response_model=ConsentPreferences,
+    tags=[PUBLIC_INTERNET],
 )
 def set_consent_preferences(
     *,

diff --git a/src/fides/api/api/v1/endpoints/identity_verification_endpoints.py b/src/fides/api/api/v1/endpoints/identity_verification_endpoints.py
@@ -8,6 +8,7 @@
 from fides.api.schemas.identity_verification import IdentityVerificationConfigResponse
 from fides.api.util.api_router import APIRouter
 from fides.common.api.v1 import urn_registry as urls
+from fides.common.api.v1.tag_registry import PUBLIC_INTERNET
 from fides.config.config_proxy import ConfigProxy
 
 router = APIRouter(tags=["Identity Verification"], prefix=urls.V1_URL_PREFIX)
@@ -16,6 +17,7 @@
 @router.get(
     urls.ID_VERIFICATION_CONFIG,
     response_model=IdentityVerificationConfigResponse,
+    tags=[PUBLIC_INTERNET],
 )
 def get_id_verification_config(
     *,

diff --git a/src/fides/api/api/v1/endpoints/oauth_endpoints.py b/src/fides/api/api/v1/endpoints/oauth_endpoints.py
@@ -46,6 +46,7 @@
     SCOPE_REGISTRY,
     ScopeRegistryEnum,
 )
+from fides.common.api.v1.tag_registry import PUBLIC_INTERNET
 from fides.common.api.v1.urn_registry import (
     CLIENT,
     CLIENT_BY_ID,
@@ -223,7 +224,7 @@ def read_roles_to_scopes_mapping() -> Dict[str, List]:
     return ROLES_TO_SCOPES_MAPPING
 
 
-@router.get(OAUTH_CALLBACK)
+@router.get(OAUTH_CALLBACK, tags=[PUBLIC_INTERNET])
 def oauth_callback(code: str, state: str, db: Session = Depends(get_db)) -> Response:
     """
     Uses the passed in code to generate the token access request

diff --git a/src/fides/api/api/v1/endpoints/privacy_request_endpoints.py b/src/fides/api/api/v1/endpoints/privacy_request_endpoints.py
@@ -163,6 +163,7 @@
     PRIVACY_REQUEST_UPLOAD_DATA,
     PRIVACY_REQUEST_VIEW_DATA,
 )
+from fides.common.api.v1.tag_registry import PUBLIC_INTERNET
 from fides.common.api.v1.urn_registry import (
     PRIVACY_REQUEST_ACCESS_RESULTS,
     PRIVACY_REQUEST_APPROVE,
@@ -226,6 +227,7 @@ def get_privacy_request_or_error(
     PRIVACY_REQUESTS,
     status_code=HTTP_200_OK,
     response_model=BulkPostPrivacyRequests,
+    tags=[PUBLIC_INTERNET],
 )
 def create_privacy_request(
     *,
@@ -1386,6 +1388,7 @@ def _trigger_pre_approval_webhooks(
     PRIVACY_REQUEST_VERIFY_IDENTITY,
     status_code=HTTP_200_OK,
     response_model=PrivacyRequestResponse,
+    tags=[PUBLIC_INTERNET],
 )
 def verify_identification_code(
     privacy_request_id: str,

diff --git a/src/fides/api/app_setup.py b/src/fides/api/app_setup.py
@@ -45,6 +45,7 @@
 from fides.api.util.endpoint_utils import fides_limiter
 from fides.api.util.errors import FidesError
 from fides.api.util.logger import setup as setup_logging
+from fides.common.api.v1.tag_registry import tags_metadata
 from fides.config import CONFIG
 from fides.config.config_proxy import ConfigProxy
 
@@ -75,7 +76,7 @@ def create_fides_app(
         "Logger configuration options in use"
     )
 
-    fastapi_app = FastAPI(title="fides", version=app_version, lifespan=lifespan, separate_input_output_schemas=False)  # type: ignore
+    fastapi_app = FastAPI(title="fides", version=app_version, lifespan=lifespan, separate_input_output_schemas=False, openapi_tags=tags_metadata)  # type: ignore
     fastapi_app.state.limiter = fides_limiter
     # Starlette bug causing this to fail mypy
     fastapi_app.add_exception_handler(RateLimitExceeded, _rate_limit_exceeded_handler)  # type: ignore

diff --git a/src/fides/common/api/v1/tag_registry.py b/src/fides/common/api/v1/tag_registry.py
@@ -0,0 +1,12 @@
+PUBLIC_INTERNET = "Public Internet"
+
+tags_metadata = [
+    {
+        "name": PUBLIC_INTERNET,
+        "description": "The following endpoints should be allow-listed from the public Internet to the Fides webserver.",
+        "externalDocs": {
+            "description": "Security Best Practices Documentation",
+            "url": "https://ethyca.com/docs/dev-docs/configuration/security-practices#public-internet-----fides-webserver",
+        },
+    }
+]