apply auth requirement to virtually all endpoints

tests/conftest.py

@@ -5,6 +5,7 @@ import alembic.command
 
 from atst.app import make_app, make_config
 from atst.database import db as _db
+from .mocks import MOCK_USER
 
 
 @pytest.fixture(scope='session')
@@ -79,3 +80,11 @@ def dummy_form():
 @pytest.fixture
 def dummy_field():
     return DummyField()
+
+@pytest.fixture
+def user_session(monkeypatch):
+
+    def set_user_session(user = MOCK_USER):
+        monkeypatch.setattr("atst.domain.auth.get_current_user", lambda *args: user)
+
+    return set_user_session

tests/routes/test_financial_verification.py

@@ -32,6 +32,7 @@ class TestPENumberInForm:
     def _set_monkeypatches(self, monkeypatch):
         monkeypatch.setattr("atst.forms.financial.FinancialForm.validate", lambda s: True)
         monkeypatch.setattr("atst.domain.requests.Requests.get", lambda i: MOCK_REQUEST)
+        monkeypatch.setattr("atst.domain.auth.get_current_user", lambda *args: MOCK_USER)
 
     def submit_data(self, client, data):
         response = client.post(

tests/routes/test_request_new.py

@@ -15,7 +15,8 @@ MOCK_REQUEST = RequestFactory.create(
 )
 
 
-def test_submit_invalid_request_form(monkeypatch, client):
+def test_submit_invalid_request_form(monkeypatch, client, user_session):
+    user_session()
     response = client.post(
         "/requests/new/1",
         headers={"Content-Type": "application/x-www-form-urlencoded"},
@@ -24,7 +25,8 @@ def test_submit_invalid_request_form(monkeypatch, client):
     assert re.search(ERROR_CLASS, response.data.decode())
 
 
-def test_submit_valid_request_form(monkeypatch, client):
+def test_submit_valid_request_form(monkeypatch, client, user_session):
+    user_session()
     monkeypatch.setattr("atst.forms.request.RequestForm.validate", lambda s: True)
 
     response = client.post(

tests/routes/test_request_submit.py

@@ -7,7 +7,8 @@ def _mock_func(*args, **kwargs):
     return RequestFactory.create()
 
 
-def test_submit_reviewed_request(monkeypatch, client):
+def test_submit_reviewed_request(monkeypatch, client, user_session):
+    user_session()
     monkeypatch.setattr("atst.domain.requests.Requests.get", _mock_func)
     monkeypatch.setattr("atst.domain.requests.Requests.submit", _mock_func)
     monkeypatch.setattr("atst.models.request.Request.status", "pending")
@@ -22,7 +23,8 @@ def test_submit_reviewed_request(monkeypatch, client):
     assert "modal" not in response.headers["Location"]
 
 
-def test_submit_autoapproved_reviewed_request(monkeypatch, client):
+def test_submit_autoapproved_reviewed_request(monkeypatch, client, user_session):
+    user_session()
     monkeypatch.setattr("atst.domain.requests.Requests.get", _mock_func)
     monkeypatch.setattr("atst.domain.requests.Requests.submit", _mock_func)
     monkeypatch.setattr("atst.models.request.Request.status", "approved")

tests/test_auth.py

@@ -1,4 +1,4 @@
-from flask import session
+from flask import session, url_for
 from .mocks import DOD_SDN
 
 
@@ -31,3 +31,24 @@ def test_unsuccessful_login_redirect(client, monkeypatch):
     assert resp.status_code == 302
     assert "unauthorized" in resp.headers["Location"]
     assert "user_id" not in session
+
+UNPROTECTED_ROUTES = ["/", "/login-dev", "/login-redirect", "/unauthorized"]
+
+# checks that all of the routes in the app are protected by auth
+def test_protected_route(client, app):
+    for rule in app.url_map.iter_rules():
+        args = [1] * len(rule.arguments)
+        mock_args = dict(zip(rule.arguments, args))
+        _n, route = rule.build(mock_args)
+        if route in UNPROTECTED_ROUTES or "/static" in route:
+            continue
+
+        if "GET" in rule.methods:
+            resp = client.get(route)
+            assert resp.status_code == 302
+            assert resp.headers["Location"] == "http://localhost/"
+
+        if "POST" in rule.methods:
+            resp = client.post(route)
+            assert resp.status_code == 302
+            assert resp.headers["Location"] == "http://localhost/"

tests/test_routes.py

@@ -5,14 +5,13 @@ import pytest
         "/home",
         "/workspaces",
         "/requests",
-        "/requests/new",
-        "/requests/new/2",
+        "/requests/new/1",
         "/users",
         "/reports",
         "/calculator",
     ))
-def test_routes(path, client, monkeypatch):
-    monkeypatch.setattr("atst.domain.auth.get_current_user", lambda *args: True)
+def test_routes(path, client, user_session):
+    user_session()
 
     response = client.get(path)
     assert response.status_code == 200