401 unauthorized page for bad logins

2018-08-03 15:04:23 -04:00 · 2018-08-03 15:04:23 -04:00 · 6dce89df1b
commit 6dce89df1b
parent 2ff5c604e1
3 changed files with 30 additions and 9 deletions
--- a/atst/routes/init.py
+++ b/atst/routes/init.py
@ -29,25 +29,26 @@ def catch_all(path):


@bp.route('/login-redirect')
-def log_in_user():
-    # FIXME: Find or create user based on the X-Ssl-Client-S-Dn header
-    # TODO: Store/log the X-Ssl-Client-Cert in case it's needed?
+def login_redirect():
    if request.environ.get('HTTP_X_SSL_CLIENT_VERIFY') == 'SUCCESS' and is_valid_certificate(request):
        sdn = request.environ.get('HTTP_X_SSL_CLIENT_S_DN')
-        # TODO: error handling for bad SDN, database errors, etc
        sdn_parts = parse_sdn(sdn)
        user = Users.get_or_create_by_dod_id(**sdn_parts)
-
        session["user_id"] = user.id

        return redirect(url_for("atst.home"))
    else:
-        template = render_template('not_authorized.html', atst_url=app.config['ATST_PASSTHROUGH'])
-        response = app.make_response(template)
-        response.status_code = 403
+        return redirect(url_for("atst.unauthorized"))

+
+@bp.route("/unauthorized")
+def unauthorized():
+    template = render_template('unauthorized.html')
+    response = app.make_response(template)
+    response.status_code = 401
    return response

+
 def is_valid_certificate(request):
    cert = request.environ.get('HTTP_X_SSL_CLIENT_CERT')
    if cert:
--- a/templates/unauthorized.html
+++ b/templates/unauthorized.html
@ -0,0 +1,12 @@
+{% extends "base.html" %}
+
+{% block content %}
+
+<main class="usa-section usa-content">
+
+<h1>Unauthorized</h1>
+
+</main>
+
+{% endblock %}
+
--- a/tests/test_auth.py
+++ b/tests/test_auth.py
@ -14,7 +14,7 @@ def _fetch_user_info(c, t):
    return MOCK_USER


-def test_login(client, monkeypatch):
+def test_successful_login_redirect(client, monkeypatch):
    monkeypatch.setattr("atst.routes.is_valid_certificate", lambda *args: True)

    resp = client.get(
@ -28,3 +28,11 @@ def test_login(client, monkeypatch):
    assert resp.status_code == 302
    assert "home" in resp.headers["Location"]
    assert session["user_id"]
+
+
+def test_unsuccessful_login_redirect(client, monkeypatch):
+    resp = client.get("/login-redirect")
+
+    assert resp.status_code == 302
+    assert "unauthorized" in resp.headers["Location"]
+    assert "user_id" not in session