Allowed Domains Part 2 secrets validation

[Linker44]

Ticket ENG-2569

Description Of Changes

Second of a 4-part series. This PR validates endpoint values against allowed_values at the time connection secrets are set, and fixes a pre-existing Pydantic V2 issue with get_connector_param.

The old get_connector_param used PrivateAttr + __private_attributes__ to store connector param metadata on dynamically created models. This was brittle in Pydantic V2 — the code had multiple defensive guards and a TODO acknowledging the fragility. This PR replaces that approach by storing metadata in json_schema_extra on each field (the same mechanism already used for sensitive), making it accessible via the stable cls.model_fields API.

Code Changes

• Replaced _connector_params PrivateAttr with per-field json_schema_extra containing sensitive, options, multiselect, param_type, and allowed_values in connection_secrets_saas.py
• Rewrote SaaSSchema.get_connector_param to read from cls.model_fields[name].json_schema_extra
• Added value validation in required_components_supplied that checks values against allowed_values when param_type == "endpoint" and secrets are set
• Updated test_connection_template_endpoints.py hubspot schema test to include the new json_schema_extra keys in the expected response

Steps to Confirm

1. Verify that setting a connector secret with a value matching allowed_values succeeds
2. Verify that setting a value not in allowed_values raises a validation error
3. Verify that validation is skipped when disable_domain_validation is true or allowed_values is None
4. Verify that existing options/multiselect validation still works (e.g., test_value_not_in_options)

Pre-Merge Checklist

• Issue requirements met
• All CI pipelines succeeded
• CHANGELOG.md updated
  • Add a db-migration This indicates that a change includes a database migration label to the entry if your change includes a DB migration
  • Add a high-risk This issue suggests changes that have a high-probability of breaking existing code label to the entry if your change includes a high-risk change (i.e. potential for performance impact or unexpected regression) that should be flagged
  • Updates unreleased work already in Changelog, no new entry necessary
• UX feedback:
  • All UX related changes have been reviewed by a designer
  • No UX review needed
• Followup issues:
  • Followup issues created
  • No followup issues
• Database migrations:
  • Ensure that your downrev is up to date with the latest revision on main
  • Ensure that your downgrade() migration is correct and works
    • If a downgrade migration is not possible for this change, please call this out in the PR description!
  • No migrations
• Documentation:
  • Documentation complete, PR opened in fidesdocs
  • Documentation issue created in fidesdocs
  • If there are any new client scopes created as part of the pull request, remember to update public-facing documentation that references our scope registry
  • No documentation updates required

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
fides-plus-nightly	Ready	Preview, Comment	Mar 2, 2026 11:21pm

1 Skipped Deployment

Project	Deployment	Actions	Updated (UTC)
fides-privacy-center	Ignored		Mar 2, 2026 11:21pm

[greptile-apps]

Greptile Summary

This PR implements domain validation for SaaS connector endpoint parameters and refactors connector param metadata storage from Pydantic V2's fragile PrivateAttr mechanism to the stable json_schema_extra field API.

Key changes:

• Replaced _connector_params PrivateAttr with per-field metadata in json_schema_extra containing sensitive, options, multiselect, param_type, and allowed_values
• Rewrote SaaSSchema.get_connector_param() to read from cls.model_fields[name].json_schema_extra instead of __private_attributes__
• Added domain validation in required_components_supplied() that checks endpoint values against allowed_values patterns (supporting wildcards like *.salesforce.com)
• Validation is skipped when disable_domain_validation config flag is true or allowed_values is None/empty
• Test coverage includes allowed/disallowed domains, validation toggles, wildcard patterns, and edge cases

Confidence Score: 5/5

• This PR is safe to merge with no concerns
• The implementation is clean and well-tested. The refactoring from PrivateAttr to json_schema_extra removes technical debt and uses Pydantic's stable API. Domain validation logic properly handles edge cases (None, empty lists, wildcards) with appropriate guard clauses. Comprehensive test coverage validates all paths including validation toggles and pattern matching.
• No files require special attention

Important Files Changed

Filename	Overview
src/fides/api/schemas/connection_configuration/connection_secrets_saas.py	Refactored metadata storage from fragile PrivateAttr to stable json_schema_extra and added domain validation for endpoint params. Clean implementation with proper guard clauses.
tests/ops/api/v1/endpoints/test_connection_template_endpoints.py	Updated expected schema to include new json_schema_extra fields (options, multiselect, param_type, allowed_values). Straightforward test maintenance.
tests/ops/schemas/connection_configuration/test_connection_secrets_saas.py	Added comprehensive domain validation tests covering allowed/disallowed domains, validation toggle, empty/None allowed_values, and wildcard patterns. Excellent edge case coverage.

_{Last reviewed commit: c1c3ce1}

[greptile-apps]

_{3 files reviewed, no comments}

_{Edit Code Review Agent Settings | Greptile}

[daveqnet]

Commenting just to let you know I've reviewed this and have no issues with it @Linker44

[Linker44]

@greptileai