From 6dce89df1bf940850dc56706ec1ee4b816675928 Mon Sep 17 00:00:00 2001
From: dandds
Date: Fri, 3 Aug 2018 15:04:23 -0400
Subject: [PATCH] 401 unauthorized page for bad logins
---
 atst/routes/__init__.py | 17 +++++++++--------
 templates/unauthorized.html | 12 ++++++++++++
 tests/test_auth.py | 10 +++++++++-
 3 files changed, 30 insertions(+), 9 deletions(-)
 create mode 100644 templates/unauthorized.html
diff --git a/atst/routes/__init__.py b/atst/routes/__init__.py
index 29cadc2e..b1f75fbd 100644
--- a/atst/routes/__init__.py
+++ b/atst/routes/__init__.py
@@ -29,25 +29,26 @@ def catch_all(path):
 @bp.route('/login-redirect')
-def log_in_user():
- # FIXME: Find or create user based on the X-Ssl-Client-S-Dn header
- # TODO: Store/log the X-Ssl-Client-Cert in case it's needed?
+def login_redirect():
 if request.environ.get('HTTP_X_SSL_CLIENT_VERIFY') == 'SUCCESS' and is_valid_certificate(request):
 sdn = request.environ.get('HTTP_X_SSL_CLIENT_S_DN')
- # TODO: error handling for bad SDN, database errors, etc
 sdn_parts = parse_sdn(sdn)
 user = Users.get_or_create_by_dod_id(**sdn_parts)
-
 session["user_id"] = user.id
 return redirect(url_for("atst.home"))
 else:
- template = render_template('not_authorized.html', atst_url=app.config['ATST_PASSTHROUGH'])
- response = app.make_response(template)
- response.status_code = 403
+ return redirect(url_for("atst.unauthorized"))
+
+@bp.route("/unauthorized")
+def unauthorized():
+ template = render_template('unauthorized.html')
+ response = app.make_response(template)
+ response.status_code = 401
 return response
+
 def is_valid_certificate(request):
 cert = request.environ.get('HTTP_X_SSL_CLIENT_CERT')
 if cert:
diff --git a/templates/unauthorized.html b/templates/unauthorized.html
new file mode 100644
index 00000000..56b3a57b
--- /dev/null
+++ b/templates/unauthorized.html
@@ -0,0 +1,12 @@
+{% extends "base.html" %}
+
+{% block content %}
+
+
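Review bot: The new `unauthorized` view sets `response.status_code = 401` but sends no `WWW-Authenticate` header, which RFC 7235 requires on every 401 response; since authentication here is a client certificate checked by the upstream proxy and there is no challenge a browser can answer, the 403 the removed branch returned is the more accurate status, so either keep `response.status_code = 403` or add a `WWW-Authenticate` header to the 401. The commit also drops the `# TODO: error handling for bad SDN, database errors, etc` comment without adding that handling: when `HTTP_X_SSL_CLIENT_VERIFY` is `SUCCESS` but `HTTP_X_SSL_CLIENT_S_DN` is absent, `parse_sdn(None)` presumably raises and the request ends in a 500 rather than on the new unauthorized page, so a guard such as `if not sdn: return redirect(url_for("atst.unauthorized"))` before the parse would keep that path on the intended response. A docstring on `login_redirect` stating that it trusts the `HTTP_X_SSL_CLIENT_*` environ values populated by the TLS-terminating proxy would make the trust boundary explicit for the next maintainer. The body of `is_valid_certificate` continues past the end of the hunk.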
+ +

Unauthorized

+ +
+
+{% endblock %}
+
diff --git a/tests/test_auth.py b/tests/test_auth.py
index 5e7a37c0..fb036869 100644
--- a/tests/test_auth.py
+++ b/tests/test_auth.py
@@ -14,7 +14,7 @@ def _fetch_user_info(c, t):
 return MOCK_USER
-def test_login(client, monkeypatch):
+def test_successful_login_redirect(client, monkeypatch):
 monkeypatch.setattr("atst.routes.is_valid_certificate", lambda *args: True)
 resp = client.get(
@@ -28,3 +28,11 @@ def test_login(client, monkeypatch):
 assert resp.status_code == 302
 assert "home" in resp.headers["Location"]
 assert session["user_id"]
+
+
+def test_unsuccessful_login_redirect(client, monkeypatch):
+ resp = client.get("/login-redirect")
+
+ assert resp.status_code == 302
+ assert "unauthorized" in resp.headers["Location"]
+ assert "user_id" not in session
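Review bot: `test_unsuccessful_login_redirect` only sends a request with no `HTTP_X_SSL_CLIENT_VERIFY` value, so the second half of the condition in `login_redirect` — verify header equal to `SUCCESS` but `is_valid_certificate` returning False — is never exercised, and a regression in the certificate check would pass this suite. A second case that sets `monkeypatch.setattr("atst.routes.is_valid_certificate", lambda *args: False)` and issues the request with the verify header set to `SUCCESS` (the way `test_successful_login_redirect` presumably does in its `client.get(` call, which the first hunk cuts off) would pin that path to the unauthorized redirect as well. The `monkeypatch` fixture in the new test is currently unused and can be dropped if that case is not added.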