
Allowed Domains Part 3 enforcement#7424

Merged
Linker44 merged 65 commits into main from ENG-2569-part3-enforcement
Mar 3, 2026

Conversation

@Linker44 Linker44 commented Feb 19, 2026

Ticket ENG-2569

Description Of Changes

Third of a 4-part series. This PR adds domain validation enforcement at the SaaS config update API endpoint and the runtime HTTP client.

API endpoint (saas_config_endpoints.py):

  • type and allowed_values are immutable via the API once defined in the connector template.
  • All client_config.host placeholders in an incoming config must reference connector params of type="endpoint" with allowed_values defined.
  • When no existing SaaS config is found on the connection, falls back to the original connector template definition so restrictions can't be bypassed by deleting and re-creating the config.
  • Validation orchestration is extracted into validate_saas_config_patch() in saas_util.py to keep the endpoint focused on HTTP concerns.

Runtime (authenticated_client.py):

  • Defense-in-depth validation that checks the resolved request host against allowed_values before every outbound request.

This may be obvious for normal SaaS configs but not for override use: for request_overrides we don't use client configs, but we do hardcode the domains inside the codebase most of the time. This means that if allowed_values is present in the config, we will be enforcing it at runtime, rejecting whatever requests are made by the override unless they match one of the allowed values.

Code Changes

  • Added validate_connector_param_constraints_not_modified, validate_host_references_domain_restricted_params, and validate_saas_config_patch to saas_util.py
  • Added domain restriction enforcement to the PATCH SaaS config endpoint in saas_config_endpoints.py, with template fallback when no existing config is found
  • Added _validate_request_domain to AuthenticatedClient in authenticated_client.py

Steps to Confirm

  1. Verify that updating a SaaS config via the API with unchanged type and allowed_values succeeds
  2. Verify that attempting to modify type or allowed_values via the API returns a 422
  3. Verify that attempting to change the host of a client_config to something that is not a connector param of type="endpoint" with allowed_values also fails
  4. Verify that outbound requests to a domain not in allowed_values are rejected at runtime
  5. Verify that all checks are bypassed when disable_domain_validation is true

Pre-Merge Checklist

  • Issue requirements met
  • All CI pipelines succeeded
  • CHANGELOG.md updated
    • Add a db-migration label to the entry if your change includes a DB migration
    • Add a high-risk label to the entry if your change includes a high-risk change (i.e. potential for performance impact or unexpected regression) that should be flagged
    • Updates unreleased work already in Changelog, no new entry necessary
  • UX feedback:
    • All UX related changes have been reviewed by a designer
    • No UX review needed
  • Followup issues:
    • Followup issues created
    • No followup issues
  • Database migrations:
    • Ensure that your downrev is up to date with the latest revision on main
    • Ensure that your downgrade() migration is correct and works
      • If a downgrade migration is not possible for this change, please call this out in the PR description!
    • No migrations
  • Documentation:
    • Documentation complete, PR opened in fidesdocs
    • Documentation issue created in fidesdocs
    • If there are any new client scopes created as part of the pull request, remember to update public-facing documentation that references our scope registry
    • No documentation updates required


vercel bot commented Feb 19, 2026

The latest updates on your projects. 2 skipped deployments:

  • fides-plus-nightly: Ignored (Preview), updated Mar 3, 2026 1:36am UTC
  • fides-privacy-center: Ignored, updated Mar 3, 2026 1:36am UTC


@Linker44 Linker44 changed the base branch from main to ENG-2569-part2-secrets-validation February 19, 2026 14:26
@Linker44 Linker44 self-assigned this Feb 19, 2026
@Linker44 Linker44 changed the title Allowed domains part 3 enforcement Allowed Domains Part 3 enforcement Feb 19, 2026
@Linker44 Linker44 marked this pull request as ready for review February 19, 2026 18:33
@Linker44 Linker44 requested a review from a team as a code owner February 19, 2026 18:33
@Linker44 Linker44 requested review from galvana and removed request for a team February 19, 2026 18:33
greptile-apps bot commented Feb 19, 2026

Greptile Summary

This PR implements defense-in-depth domain validation enforcement for SaaS connectors through API endpoint validation and runtime HTTP client checks.

Key Changes:

  • API Enforcement: The PATCH SaaS config endpoint now validates that type and allowed_values cannot be modified via API, and all client_config.host placeholders must reference domain-restricted params when restrictions are defined
  • Template Fallback: When no existing SaaS config exists, the endpoint falls back to the connector template to prevent bypass via deletion and recreation
  • Runtime Validation: AuthenticatedClient validates every outbound request host against allowed_values, with allowed hosts extracted once at construction for performance
  • Schema Validation: ConnectorParam validator ensures default values comply with allowed_values when defined

Security Design:

  • Empty allowed_values list correctly handled as self-hosted (permits any value)
  • Validation can be disabled via disable_domain_validation config flag or dev mode
  • Comprehensive test coverage including attack scenarios (delete-and-repatch, param swapping)

The implementation is solid with no critical issues identified. The validation logic is sound, edge cases are handled correctly, and the test coverage is thorough.

Confidence Score: 5/5

  • This PR is safe to merge - the implementation adds important security protections without introducing vulnerabilities
  • Score reflects comprehensive security validation, thorough test coverage including attack scenarios, sound logic handling all edge cases, performance optimizations (one-time host extraction), and proper integration with existing validation patterns. The implementation demonstrates defense-in-depth principles with validation at multiple layers (schema, API, runtime).
  • No files require special attention

Important Files Changed

  • src/fides/api/api/v1/endpoints/saas_config_endpoints.py: Added template fallback for deleted configs and domain validation enforcement; implementation is secure and well-structured
  • src/fides/api/util/saas_util.py: Added comprehensive validation functions for connector param restrictions; logic is sound and handles edge cases correctly
  • src/fides/api/service/connectors/saas/authenticated_client.py: Added defense-in-depth runtime domain validation with performance optimization; correctly extracts allowed hosts once at construction
  • src/fides/api/schemas/saas/saas_config.py: Added schema-level validation for default values against allowed_values; correctly handles empty lists for self-hosted services

Last reviewed commit: de20536
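The three layers that the PR description and the Greptile summary above describe (schema check on a connector param's default, PATCH-time checks with template fallback, and a per-request host check in the client) as an added, self-contained Python model. This is example code written for this page, not the fides implementation or anything from the PR: the class and function names mirror the PR text for readability, while the config shape, the `<param>` placeholder syntax, the rule that new params may only be plain text and that existing params may not be removed, the exact-hostname comparison, and the vendor hosts in TEMPLATE are all assumptions.

```python
# Illustrative model of the three enforcement layers the PR describes; names are borrowed, not fides' code.
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

PLACEHOLDER = re.compile(r"^<([A-Za-z0-9_]+)>$")  # "<domain>" as used in client_config.host


class DomainValidationError(ValueError):
    """A config patch or an outbound request violates allowed_values."""


@dataclass(frozen=True)
class ConnectorParam:
    name: str
    type: str = "text"          # "endpoint" marks a param that carries a host
    allowed_values: tuple = ()  # () means self-hosted: any host is permitted
    default: Optional[str] = None
    def __post_init__(self):  # schema layer: a template default must satisfy its own restriction
        if self.allowed_values and self.default not in (None, *self.allowed_values):
            raise DomainValidationError(f"default of {self.name!r} is not in allowed_values")


@dataclass
class SaasConfig:
    params: dict[str, ConnectorParam]
    hosts: tuple                # every client_config.host value found in the config


def restricted_params(cfg: SaasConfig) -> dict[str, ConnectorParam]:
    return {n: p for n, p in cfg.params.items() if p.type == "endpoint" and p.allowed_values}


def validate_constraints_not_modified(baseline: SaasConfig, incoming: SaasConfig) -> None:
    """type and allowed_values are frozen once defined; new params may only be plain text."""
    for name in baseline.params.keys() | incoming.params.keys():
        old = baseline.params.get(name, ConnectorParam(name))
        new = incoming.params.get(name)
        if new is None or (new.type, new.allowed_values) != (old.type, old.allowed_values):
            raise DomainValidationError(f"type/allowed_values of {name!r} cannot change via the API")


def validate_host_references(baseline: SaasConfig, incoming: SaasConfig) -> None:
    """On a restricted connector every host placeholder must name a restricted endpoint param."""
    if not restricted_params(baseline):
        return
    for host in incoming.hosts:
        m = PLACEHOLDER.match(host)
        if m is None or m.group(1) not in restricted_params(baseline):
            raise DomainValidationError(f"host {host!r} must reference an endpoint param with allowed_values")


def validate_saas_config_patch(existing: Optional[SaasConfig], incoming: SaasConfig,
                               template: SaasConfig, disable_domain_validation: bool = False) -> SaasConfig:
    """API layer. A deleted config falls back to the template, so delete-and-recreate gains nothing."""
    if not disable_domain_validation:
        baseline = existing if existing is not None else template
        validate_constraints_not_modified(baseline, incoming)
        validate_host_references(baseline, incoming)
    return incoming


class AuthenticatedClient:
    """Runtime layer: the resolved host of every outbound request is checked, overrides included."""
    def __init__(self, cfg: SaasConfig, secrets: dict, disable_domain_validation: bool = False):
        self.secrets, self.disabled = secrets, disable_domain_validation
        hosts = {h.lower() for p in restricted_params(cfg).values() for h in p.allowed_values}
        self.allowed_hosts = frozenset(hosts) or None  # built once here; None means unrestricted

    def validate_request_domain(self, url: str) -> str:
        """Exact hostname match: scheme, userinfo and port are ignored, suffix tricks are not."""
        if self.disabled or self.allowed_hosts is None:
            return url
        host = (urlsplit(url).hostname or "").lower()
        if host not in self.allowed_hosts:
            raise DomainValidationError(f"outbound host {host!r} is not in allowed_values")
        return url

    def request(self, path: str, host: str = "<domain>") -> str:
        m = PLACEHOLDER.match(host)  # placeholders resolve from secrets; overrides pass literal hosts
        resolved = self.secrets[m.group(1)] if m else host
        return self.validate_request_domain(f"https://{resolved}{path}")


TEMPLATE = SaasConfig(  # constructed sample: a vendor with two official API hosts and an API key
    params={"domain": ConnectorParam("domain", "endpoint", ("api.vendor.example", "api.eu.vendor.example"),
                                     default="api.vendor.example"),
            "api_key": ConnectorParam("api_key")},
    hosts=("<domain>",))


def outcome(fn, *args, **kwargs) -> str:
    """Run a check and report 'accepted' or 'rejected: <reason>'."""
    try:
        fn(*args, **kwargs)
        return "accepted"
    except DomainValidationError as exc:
        return f"rejected: {exc}"
```

Run through the "Steps to Confirm" with this model: a patch that leaves type and allowed_values alone is accepted; widening allowed_values is rejected whether or not the existing config was deleted first, because a missing config is compared against the template; pointing client_config.host at a freshly added plain-text param (the param-swap scenario) is rejected; and at runtime a request whose resolved host is attacker.example, api.vendor.example.attacker.example or sub.api.vendor.example is refused while user@API.vendor.example:8443 passes, since only the normalised hostname is compared. An endpoint param with an empty allowed_values tuple leaves the client unrestricted, and disable_domain_validation=True short-circuits every layer, which is exactly why that flag deserves the same scrutiny as the allow-list itself.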


@greptile-apps greptile-apps bot left a comment

8 files reviewed, no comments


@Linker44 Linker44 (Contributor, Author) commented

@greptileai

Base automatically changed from ENG-2569-part2-secrets-validation to main March 2, 2026 23:52
@github-actions github-actions bot requested a review from a team as a code owner March 2, 2026 23:52
@github-actions github-actions bot requested review from Kelsey-Ethyca and removed request for a team March 2, 2026 23:52
@Linker44 Linker44 enabled auto-merge March 3, 2026 01:37
@Linker44 Linker44 added this pull request to the merge queue Mar 3, 2026
Merged via the queue into main with commit 2c0ee18 Mar 3, 2026
56 of 57 checks passed
@Linker44 Linker44 deleted the ENG-2569-part3-enforcement branch March 3, 2026 02:10