ENG-1487 Fix query to retrieve a PrivacyNotice's cookies (#6636)

Author: erosselli

CHANGELOG.md

@@ -19,7 +19,7 @@ Changes can also be flagged with a GitHub label for tracking purposes. The URL o
 - https://github.com/ethyca/fides/labels/high-risk: to indicate that a change is a "high-risk" change that could potentially lead to unanticipated regressions or degradations
 - https://github.com/ethyca/fides/labels/db-migration: to indicate that a given change includes a DB migration
 
-## [Unreleased](https://github.com/ethyca/fides/compare/2.70.3...main)
+## [Unreleased](https://github.com/ethyca/fides/compare/2.70.4...main)
 
 ### Added
 - Added SRV and SSL support for MongoDB [#6590](https://github.com/ethyca/fides/pull/6590)
@@ -42,6 +42,11 @@ Changes can also be flagged with a GitHub label for tracking purposes. The URL o
 - Fixed an issue that allowed new taxonomy items to be submitted multiple times [#6609](https://github.com/ethyca/fides/pull/6609)
 - Fixed an error on trying to submit optional integer fields in the integration form [#6626](https://github.com/ethyca/fides/pull/6626)
 
+## [2.70.4](https://github.com/ethyca/fides/compare/2.70.3...2.70.4)
+
+### Fixed
+- Fixed query to retrieve a `PrivacyNotice`'s cookies [#6636](https://github.com/ethyca/fides/pull/6636)
+
 ## [2.70.3](https://github.com/ethyca/fides/compare/2.70.2...2.70.3)
 
 ### Fixed

src/fides/api/models/privacy_notice.py

@@ -191,16 +191,36 @@ def default_preference(self) -> UserConsentPreference:
 
     @property
     def cookies(self) -> List[Asset]:
-        """Return relevant assets of type 'cookie' (via the data use)"""
+        """
+        Return the privacy notice's assets of type 'cookie'.
+        Cookies are matched to the privacy notice if they have at least one data use
+        that is either an exact match or a hierarchical descendant of a one of the
+        data uses in the privacy notice.
+        """
         db = Session.object_session(self)
-        or_queries = [
-            f"array_to_string(data_uses, ',') ILIKE '{data_use}%'"
-            for data_use in self.data_uses
+
+        if not self.data_uses:
+            return []
+
+        # Use array overlap operator (&&) for exact matches - GIN index friendly
+        exact_matches_condition = Asset.data_uses.op("&&")(self.data_uses)
+
+        # For hierarchical children, we still need to check individual elements with LIKE
+        # They have to match the data_use and the period separator, so we know it's a hierarchical descendant
+        hierarchical_conditions = [
+            text(
+                f"EXISTS(SELECT 1 FROM unnest(data_uses) AS data_use WHERE data_use LIKE :pattern_{i})"
+            ).bindparams(**{f"pattern_{i}": f"{data_use}.%"})
+            for i, data_use in enumerate(self.data_uses)
         ]
 
+        asset_matching_condition = or_(
+            exact_matches_condition, *hierarchical_conditions
+        )
+
         query = db.query(Asset).filter(
             Asset.asset_type == "Cookie",
-            or_(*[text(query) for query in or_queries]),
+            asset_matching_condition,
         )
 
         return query.all()

tests/fixtures/application_fixtures.py

@@ -2106,6 +2106,218 @@ def failed_privacy_request(db: Session, policy: Policy) -> PrivacyRequest:
     pr.delete(db)
 
 
+@pytest.fixture(scope="function")
+def privacy_notice_targeted_advertising(db: Session) -> Generator:
+    """
+    Privacy notice fixture for targeted advertising use cases.
+
+    Creates a privacy notice with targeted advertising data uses that can be used
+    to test matching with various cookie assets.
+    """
+    template = PrivacyNoticeTemplate.create(
+        db,
+        check_name=False,
+        data={
+            "name": "targeted advertising notice",
+            "notice_key": "targeted_advertising_notice_1",
+            "consent_mechanism": ConsentMechanism.opt_out,
+            "data_uses": [
+                "marketing.advertising.first_party.targeted",
+                "marketing.advertising.third_party.targeted",
+            ],
+            "enforcement_level": EnforcementLevel.system_wide,
+            "translations": [
+                {
+                    "language": "en",
+                    "title": "Targeted Advertising Notice",
+                    "description": "Notice for targeted advertising",
+                }
+            ],
+        },
+    )
+    privacy_notice = PrivacyNotice.create(
+        db=db,
+        data={
+            "name": "targeted advertising notice",
+            "notice_key": "targeted_advertising_notice_1",
+            "consent_mechanism": ConsentMechanism.opt_out,
+            "data_uses": [
+                "marketing.advertising.first_party.targeted",
+                "marketing.advertising.third_party.targeted",
+            ],
+            "enforcement_level": EnforcementLevel.system_wide,
+            "origin": template.id,
+            "translations": [
+                {
+                    "language": "en",
+                    "title": "Targeted Advertising Notice",
+                    "description": "Notice for targeted advertising",
+                }
+            ],
+        },
+    )
+
+    yield privacy_notice
+
+    # Clean up translations and histories
+    for translation in privacy_notice.translations:
+        for history in translation.histories:
+            history.delete(db)
+        translation.delete(db)
+    privacy_notice.delete(db)
+    template.delete(db)
+
+
+@pytest.fixture(scope="function")
+def multi_data_use_cookie_asset(db: Session, system) -> Generator:
+    """
+    Asset that mimics a real-world cookie with multiple data uses.
+    """
+    asset = Asset(
+        name="_gcl_au",
+        asset_type="Cookie",
+        domain="*",
+        system_id=system.id,
+        data_uses=[
+            "marketing.advertising.first_party.contextual",
+            "marketing.advertising.negative_targeting",
+            "analytics.reporting.campaign_insights",
+            "marketing.advertising.first_party.targeted",  # Should match targeted advertising notices
+            "analytics.reporting.ad_performance",
+            "functional.service.improve",
+            "marketing.advertising.third_party.targeted",  # Should match targeted advertising notices
+            "marketing.advertising.profiling",
+            "marketing.advertising.frequency_capping",
+            "functional.storage",
+        ],
+        locations=[],
+        parent=[],
+        consent_status="unknown",
+        page=[],
+    )
+    asset.save(db)
+
+    yield asset
+
+    # Clean up
+    try:
+        asset.delete(db)
+    except ObjectDeletedError:
+        # Skip if already deleted
+        pass
+
+
+@pytest.fixture(scope="function")
+def privacy_notice_fun_data_use(db: Session) -> Generator:
+    """
+    Privacy notice fixture for testing substring matching edge cases.
+
+    Creates a privacy notice with 'fun' data use to test against 'funding' assets.
+    """
+    template = PrivacyNoticeTemplate.create(
+        db,
+        check_name=False,
+        data={
+            "name": "fun activities notice",
+            "notice_key": "fun_activities_notice_1",
+            "consent_mechanism": ConsentMechanism.opt_in,
+            "data_uses": ["fun"],
+            "enforcement_level": EnforcementLevel.system_wide,
+            "translations": [
+                {
+                    "language": "en",
+                    "title": "Fun Activities Notice",
+                    "description": "Notice for fun activities",
+                }
+            ],
+        },
+    )
+    privacy_notice = PrivacyNotice.create(
+        db=db,
+        data={
+            "name": "fun activities notice",
+            "notice_key": "fun_activities_notice_1",
+            "consent_mechanism": ConsentMechanism.opt_in,
+            "data_uses": ["fun"],
+            "enforcement_level": EnforcementLevel.system_wide,
+            "origin": template.id,
+            "translations": [
+                {
+                    "language": "en",
+                    "title": "Fun Activities Notice",
+                    "description": "Notice for fun activities",
+                }
+            ],
+        },
+    )
+
+    yield privacy_notice
+
+    # Clean up
+    for translation in privacy_notice.translations:
+        for history in translation.histories:
+            history.delete(db)
+        translation.delete(db)
+    privacy_notice.delete(db)
+    template.delete(db)
+
+
+@pytest.fixture(scope="function")
+def privacy_notice_empty_data_uses(db: Session) -> Generator:
+    """
+    Privacy notice fixture with no data uses for testing edge cases.
+
+    Creates a privacy notice with empty data uses list to test that it returns
+    no cookies regardless of what cookie assets exist.
+    """
+    template = PrivacyNoticeTemplate.create(
+        db,
+        check_name=False,
+        data={
+            "name": "Empty Notice",
+            "notice_key": "empty_notice_1",
+            "consent_mechanism": ConsentMechanism.opt_in,
+            "data_uses": [],  # Empty data uses
+            "enforcement_level": EnforcementLevel.system_wide,
+            "translations": [
+                {
+                    "language": "en",
+                    "title": "Empty Notice",
+                    "description": "This notice has no data uses.",
+                }
+            ],
+        },
+    )
+    privacy_notice = PrivacyNotice.create(
+        db=db,
+        data={
+            "name": "Empty Notice",
+            "notice_key": "empty_notice_1",
+            "consent_mechanism": ConsentMechanism.opt_in,
+            "data_uses": [],  # Empty data uses
+            "enforcement_level": EnforcementLevel.system_wide,
+            "origin": template.id,
+            "translations": [
+                {
+                    "language": "en",
+                    "title": "Empty Notice",
+                    "description": "This notice has no data uses.",
+                }
+            ],
+        },
+    )
+
+    yield privacy_notice
+
+    # Clean up
+    for translation in privacy_notice.translations:
+        for history in translation.histories:
+            history.delete(db)
+        translation.delete(db)
+    privacy_notice.delete(db)
+    template.delete(db)
+
+
 @pytest.fixture(scope="function")
 def privacy_notice_2(db: Session) -> Generator:
     template = PrivacyNoticeTemplate.create(