pk/atst
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge pull request #781 from dod-ccpo/route-rearrange

Browse Source 
Route rearrange
This commit is contained in:
dandds 2019-04-22 11:17:15 -04:00 committed by GitHub
commit e2f495973f
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
62 changed files with 2571 additions and 2743 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
atst/app.py
View File

@ -14,6 +14,7 @@ from atst.filters import register_filters
from atst.routes import bp from atst.routes import bp
from atst.routes.portfolios import portfolios_bp as portfolio_routes from atst.routes.portfolios import portfolios_bp as portfolio_routes
from atst.routes.task_orders import task_orders_bp from atst.routes.task_orders import task_orders_bp
from atst.routes.applications import applications_bp
from atst.routes.dev import bp as dev_routes from atst.routes.dev import bp as dev_routes
from atst.routes.users import bp as user_routes from atst.routes.users import bp as user_routes
from atst.routes.errors import make_error_pages from atst.routes.errors import make_error_pages
@ -71,6 +72,7 @@ def make_app(config):
app.register_blueprint(bp) app.register_blueprint(bp)
app.register_blueprint(portfolio_routes) app.register_blueprint(portfolio_routes)
app.register_blueprint(task_orders_bp) app.register_blueprint(task_orders_bp)
app.register_blueprint(applications_bp)
app.register_blueprint(user_routes) app.register_blueprint(user_routes)
if ENV != "prod": if ENV != "prod":

21
atst/domain/environment_roles.py
View File

@ -1,9 +1,7 @@
from flask import current_app as app from flask import current_app as app
from sqlalchemy.orm.exc import NoResultFound
from atst.database import db from atst.database import db
from atst.domain.exceptions import NotFoundError from atst.models import EnvironmentRole
from atst.models import EnvironmentRole, Environment, Application
class EnvironmentRoles(object): class EnvironmentRoles(object):
@ -15,23 +13,6 @@ class EnvironmentRoles(object):
app.csp.cloud.create_role(env_role) app.csp.cloud.create_role(env_role)
return env_role return env_role
@classmethod
def get_for_portfolio(cls, user_id, environment_id, portfolio_id):
try:
return (
db.session.query(EnvironmentRole)
.join(Environment, EnvironmentRole.environment_id == Environment.id)
.join(Application, Environment.application_id == Application.id)
.filter(
EnvironmentRole.user_id == user_id,
EnvironmentRole.environment_id == environment_id,
Application.portfolio_id == portfolio_id,
)
.one()
)
except NoResultFound:
raise NotFoundError("environment_role")
@classmethod @classmethod
def get(cls, user_id, environment_id): def get(cls, user_id, environment_id):
existing_env_role = ( existing_env_role = (

10
atst/routes/__init__.py
View File

@ -71,19 +71,19 @@ def home():
] ]
if is_portfolio_owner: if is_portfolio_owner:
return redirect( return redirect(url_for("portfolios.reports", portfolio_id=portfolio_id))
url_for("portfolios.portfolio_reports", portfolio_id=portfolio_id)
)
else: else:
return redirect( return redirect(
url_for("portfolios.portfolio_applications", portfolio_id=portfolio_id) url_for(
"applications.portfolio_applications", portfolio_id=portfolio_id
)
) )
else: else:
portfolios = Portfolios.for_user(g.current_user) portfolios = Portfolios.for_user(g.current_user)
first_portfolio = sorted(portfolios, key=lambda portfolio: portfolio.name)[0] first_portfolio = sorted(portfolios, key=lambda portfolio: portfolio.name)[0]
return redirect( return redirect(
url_for( url_for(
"portfolios.portfolio_applications", portfolio_id=first_portfolio.id "applications.portfolio_applications", portfolio_id=first_portfolio.id
) )
) )

32
atst/routes/applications/__init__.py Normal file
View File

@ -0,0 +1,32 @@
from flask import Blueprint, current_app as app, g, redirect, url_for
applications_bp = Blueprint("applications", __name__)
from . import index
from . import new
from . import settings
from . import team
from atst.domain.environment_roles import EnvironmentRoles
from atst.domain.exceptions import UnauthorizedError
from atst.domain.authz.decorator import user_can_access_decorator as user_can
from atst.models.permissions import Permissions
from atst.utils.context_processors import portfolio as portfolio_context_processor
applications_bp.context_processor(portfolio_context_processor)
def wrap_environment_role_lookup(user, environment_id=None, **kwargs):
env_role = EnvironmentRoles.get(user.id, environment_id)
if not env_role:
raise UnauthorizedError(user, "access environment {}".format(environment_id))
return True
@applications_bp.route("/environments/<environment_id>/access")
@user_can(None, override=wrap_environment_role_lookup, message="access environment")
def access_environment(environment_id):
env_role = EnvironmentRoles.get(g.current_user.id, environment_id)
token = app.csp.cloud.get_access_token(env_role)
return redirect(url_for("atst.csp_environment_access", token=token))

11
atst/routes/applications/index.py Normal file
View File

@ -0,0 +1,11 @@
from flask import render_template
from . import applications_bp
from atst.domain.authz.decorator import user_can_access_decorator as user_can
from atst.models.permissions import Permissions
@applications_bp.route("/portfolios/<portfolio_id>/applications")
@user_can(Permissions.VIEW_APPLICATION, message="view portfolio applications")
def portfolio_applications(portfolio_id):
return render_template("portfolios/applications/index.html")

36
atst/routes/applications/new.py Normal file
View File

@ -0,0 +1,36 @@
from flask import redirect, render_template, request as http_request, url_for
from . import applications_bp
from atst.domain.applications import Applications
from atst.domain.portfolios import Portfolios
from atst.forms.application import NewApplicationForm
from atst.domain.authz.decorator import user_can_access_decorator as user_can
from atst.models.permissions import Permissions
@applications_bp.route("/portfolios/<portfolio_id>/applications/new")
@user_can(Permissions.CREATE_APPLICATION, message="view create new application form")
def new(portfolio_id):
form = NewApplicationForm()
return render_template("portfolios/applications/new.html", form=form)
@applications_bp.route("/portfolios/<portfolio_id>/applications", methods=["POST"])
@user_can(Permissions.CREATE_APPLICATION, message="create new application")
def create(portfolio_id):
portfolio = Portfolios.get_for_update(portfolio_id)
form = NewApplicationForm(http_request.form)
if form.validate():
application_data = form.data
Applications.create(
portfolio,
application_data["name"],
application_data["description"],
application_data["environment_names"],
)
return redirect(
url_for("applications.portfolio_applications", portfolio_id=portfolio_id)
)
else:
return render_template("portfolios/applications/new.html", form=form)

76
atst/routes/applications/settings.py Normal file
View File

@ -0,0 +1,76 @@
from flask import redirect, render_template, request as http_request, url_for
from . import applications_bp
from atst.domain.environment_roles import EnvironmentRoles
from atst.domain.applications import Applications
from atst.forms.application import ApplicationForm
from atst.domain.authz.decorator import user_can_access_decorator as user_can
from atst.models.permissions import Permissions
from atst.utils.flash import formatted_flash as flash
def get_environments_obj_for_app(application):
environments_obj = {}
for env in application.environments:
environments_obj[env.name] = []
for user in env.users:
env_role = EnvironmentRoles.get(user.id, env.id)
environments_obj[env.name].append(
{"name": user.full_name, "role": env_role.displayname}
)
return environments_obj
@applications_bp.route("/applications/<application_id>/settings")
@user_can(Permissions.VIEW_APPLICATION, message="view application edit form")
def settings(application_id):
application = Applications.get(application_id)
form = ApplicationForm(name=application.name, description=application.description)
return render_template(
"portfolios/applications/edit.html",
application=application,
form=form,
environments_obj=get_environments_obj_for_app(application=application),
)
@applications_bp.route("/applications/<application_id>/edit", methods=["POST"])
@user_can(Permissions.EDIT_APPLICATION, message="update application")
def update(application_id):
application = Applications.get(application_id)
form = ApplicationForm(http_request.form)
if form.validate():
application_data = form.data
Applications.update(application, application_data)
return redirect(
url_for(
"applications.portfolio_applications",
portfolio_id=application.portfolio_id,
)
)
else:
return render_template(
"portfolios/applications/edit.html",
application=application,
form=form,
environments_obj=get_environments_obj_for_app(application=application),
)
@applications_bp.route("/applications/<application_id>/delete", methods=["POST"])
@user_can(Permissions.DELETE_APPLICATION, message="delete application")
def delete(application_id):
application = Applications.get(application_id)
Applications.delete(application)
flash("application_deleted", application_name=application.name)
return redirect(
url_for(
"applications.portfolio_applications", portfolio_id=application.portfolio_id
)
)

49
atst/routes/applications/team.py Normal file
View File

@ -0,0 +1,49 @@
from flask import render_template
from . import applications_bp
from atst.domain.environments import Environments
from atst.domain.applications import Applications
from atst.domain.authz.decorator import user_can_access_decorator as user_can
from atst.models.permissions import Permissions
from atst.domain.permission_sets import PermissionSets
from atst.utils.localization import translate
def permission_str(member, edit_perm_set):
if member.has_permission_set(edit_perm_set):
return translate("portfolios.members.permissions.edit_access")
else:
return translate("portfolios.members.permissions.view_only")
@applications_bp.route("/applications/<application_id>/team")
@user_can(Permissions.VIEW_APPLICATION, message="view portfolio applications")
def team(application_id):
application = Applications.get(resource_id=application_id)
environment_users = {}
for member in application.members:
user_id = member.user.id
environment_users[user_id] = {
"permissions": {
"delete_access": permission_str(
member, PermissionSets.DELETE_APPLICATION_ENVIRONMENTS
),
"environment_management": permission_str(
member, PermissionSets.EDIT_APPLICATION_ENVIRONMENTS
),
"team_management": permission_str(
member, PermissionSets.EDIT_APPLICATION_TEAM
),
},
"environments": Environments.for_user(
user=member.user, application=application
),
}
return render_template(
"portfolios/applications/team.html",
application=application,
environment_users=environment_users,
)

45
atst/routes/portfolios/__init__.py
View File

@ -4,49 +4,10 @@ from operator import attrgetter
portfolios_bp = Blueprint("portfolios", __name__) portfolios_bp = Blueprint("portfolios", __name__)
from . import index from . import index
from . import applications
from . import members from . import members
from . import invitations from . import invitations
from . import task_orders from . import admin
from atst.domain.exceptions import UnauthorizedError from atst.utils.context_processors import portfolio as portfolio_context_processor
from atst.domain.portfolios import Portfolios
from atst.domain.authz import Authorization
from atst.models.permissions import Permissions
@portfolios_bp.context_processor portfolios_bp.context_processor(portfolio_context_processor)
def portfolio():
portfolio = None
if "portfolio_id" in http_request.view_args:
portfolio = Portfolios.get(
g.current_user, http_request.view_args["portfolio_id"]
)
def user_can(permission):
if portfolio:
return Authorization.has_portfolio_permission(
g.current_user, portfolio, permission
)
return False
if not portfolio is None:
active_task_orders = [
task_order for task_order in portfolio.task_orders if task_order.is_active
]
funding_end_date = (
sorted(active_task_orders, key=attrgetter("end_date"))[-1].end_date
if active_task_orders
else None
)
funded = len(active_task_orders) > 1
else:
funding_end_date = None
funded = None
return {
"portfolio": portfolio,
"permissions": Permissions,
"user_can": user_can,
"funding_end_date": funding_end_date,
"funded": funded,
}

192
atst/routes/portfolios/admin.py Normal file
View File

@ -0,0 +1,192 @@
from flask import render_template, request as http_request, g, redirect, url_for
from . import portfolios_bp
from atst.domain.portfolios import Portfolios
from atst.domain.portfolio_roles import PortfolioRoles
from atst.domain.permission_sets import PermissionSets
from atst.domain.users import Users
from atst.domain.audit_log import AuditLog
from atst.domain.common import Paginator
from atst.domain.exceptions import NotFoundError
from atst.forms.portfolio import PortfolioForm
import atst.forms.portfolio_member as member_forms
from atst.models.permissions import Permissions
from atst.domain.authz.decorator import user_can_access_decorator as user_can
from atst.utils.flash import formatted_flash as flash
from atst.domain.exceptions import UnauthorizedError
def permission_str(member, edit_perm_set, view_perm_set):
if member.has_permission_set(edit_perm_set):
return edit_perm_set
else:
return view_perm_set
def serialize_member_form_data(member):
return {
"member": member.user.full_name,
"user_id": member.user_id,
"perms_app_mgmt": permission_str(
member,
PermissionSets.EDIT_PORTFOLIO_APPLICATION_MANAGEMENT,
PermissionSets.VIEW_PORTFOLIO_APPLICATION_MANAGEMENT,
),
"perms_funding": permission_str(
member,
PermissionSets.EDIT_PORTFOLIO_FUNDING,
PermissionSets.VIEW_PORTFOLIO_FUNDING,
),
"perms_reporting": permission_str(
member,
PermissionSets.EDIT_PORTFOLIO_REPORTS,
PermissionSets.VIEW_PORTFOLIO_REPORTS,
),
"perms_portfolio_mgmt": permission_str(
member,
PermissionSets.EDIT_PORTFOLIO_ADMIN,
PermissionSets.VIEW_PORTFOLIO_ADMIN,
),
}
def get_members_data(portfolio):
members = [serialize_member_form_data(member) for member in portfolio.members]
for member in members:
if member["user_id"] == portfolio.owner.id:
ppoc = member
members.remove(member)
members.insert(0, ppoc)
return members
def render_admin_page(portfolio, form=None):
pagination_opts = Paginator.get_pagination_opts(http_request)
audit_events = AuditLog.get_portfolio_events(portfolio, pagination_opts)
members_data = get_members_data(portfolio)
portfolio_form = PortfolioForm(data={"name": portfolio.name})
member_perms_form = member_forms.MembersPermissionsForm(
data={"members_permissions": members_data}
)
assign_ppoc_form = member_forms.AssignPPOCForm()
assign_ppoc_form.user_id.choices += [
(user.id, user.full_name) for user in portfolio.users if user != portfolio.owner
]
return render_template(
"portfolios/admin.html",
form=form,
portfolio_form=portfolio_form,
member_perms_form=member_perms_form,
member_form=member_forms.NewForm(),
assign_ppoc_form=assign_ppoc_form,
portfolio=portfolio,
audit_events=audit_events,
user=g.current_user,
members_data=members_data,
)
@portfolios_bp.route("/portfolios/<portfolio_id>/admin")
@user_can(Permissions.VIEW_PORTFOLIO_ADMIN, message="view portfolio admin page")
def admin(portfolio_id):
portfolio = Portfolios.get_for_update(portfolio_id)
return render_admin_page(portfolio)
@portfolios_bp.route("/portfolios/<portfolio_id>/admin", methods=["POST"])
@user_can(Permissions.EDIT_PORTFOLIO_USERS, message="view portfolio admin page")
def edit_members(portfolio_id):
portfolio = Portfolios.get_for_update(portfolio_id)
member_perms_form = member_forms.MembersPermissionsForm(http_request.form)
if member_perms_form.validate():
for subform in member_perms_form.members_permissions:
user_id = subform.user_id.data
member = Users.get(user_id=user_id)
if member is not portfolio.owner:
new_perm_set = subform.data["permission_sets"]
portfolio_role = PortfolioRoles.get(portfolio.id, user_id)
PortfolioRoles.update(portfolio_role, new_perm_set)
flash("update_portfolio_members", portfolio=portfolio)
return redirect(
url_for(
"portfolios.admin",
portfolio_id=portfolio_id,
fragment="portfolio-members",
_anchor="portfolio-members",
)
)
else:
return render_admin_page(portfolio)
@portfolios_bp.route("/portfolios/<portfolio_id>/update_ppoc", methods=["POST"])
@user_can(Permissions.EDIT_PORTFOLIO_POC, message="update portfolio ppoc")
def update_ppoc(portfolio_id):
user_id = http_request.form.get("user_id")
portfolio = Portfolios.get(g.current_user, portfolio_id)
new_ppoc = Users.get(user_id)
if new_ppoc not in portfolio.users:
raise NotFoundError("user not in portfolio")
portfolio_role = PortfolioRoles.get(portfolio_id=portfolio_id, user_id=user_id)
PortfolioRoles.make_ppoc(portfolio_role=portfolio_role)
flash("primary_point_of_contact_changed", ppoc_name=new_ppoc.full_name)
return redirect(
url_for(
"portfolios.admin",
portfolio_id=portfolio.id,
fragment="primary-point-of-contact",
_anchor="primary-point-of-contact",
)
)
@portfolios_bp.route("/portfolios/<portfolio_id>/edit", methods=["POST"])
@user_can(Permissions.EDIT_PORTFOLIO_NAME, message="edit portfolio")
def edit(portfolio_id):
portfolio = Portfolios.get_for_update(portfolio_id)
form = PortfolioForm(http_request.form)
if form.validate():
Portfolios.update(portfolio, form.data)
return redirect(
url_for("applications.portfolio_applications", portfolio_id=portfolio.id)
)
else:
# rerender portfolio admin page
return render_admin_page(portfolio, form)
@portfolios_bp.route(
"/portfolios/<portfolio_id>/members/<user_id>/delete", methods=["POST"]
)
@user_can(Permissions.EDIT_PORTFOLIO_USERS, message="update portfolio members")
def remove_member(portfolio_id, user_id):
if str(g.current_user.id) == user_id:
raise UnauthorizedError(
g.current_user, "you cant remove yourself from the portfolio"
)
portfolio_role = PortfolioRoles.get(portfolio_id=portfolio_id, user_id=user_id)
# TODO: should this cascade and disable any application and environment
# roles they might have?
PortfolioRoles.disable(portfolio_role=portfolio_role)
flash("portfolio_member_removed", member_name=portfolio_role.user.full_name)
return redirect(
url_for(
"portfolios.admin",
portfolio_id=portfolio_id,
_anchor="portfolio-members",
fragment="portfolio-members",
)
)

185
atst/routes/portfolios/applications.py
View File

@ -1,185 +0,0 @@
from flask import (
current_app as app,
g,
redirect,
render_template,
request as http_request,
url_for,
)
from . import portfolios_bp
from atst.domain.environment_roles import EnvironmentRoles
from atst.domain.environments import Environments
from atst.domain.exceptions import UnauthorizedError
from atst.domain.applications import Applications
from atst.domain.portfolios import Portfolios
from atst.forms.application import NewApplicationForm, ApplicationForm
from atst.domain.authz.decorator import user_can_access_decorator as user_can
from atst.models.permissions import Permissions
from atst.utils.flash import formatted_flash as flash
from atst.domain.permission_sets import PermissionSets
from atst.utils.localization import translate
@portfolios_bp.route("/portfolios/<portfolio_id>/applications")
@user_can(Permissions.VIEW_APPLICATION, message="view portfolio applications")
def portfolio_applications(portfolio_id):
return render_template("portfolios/applications/index.html")
@portfolios_bp.route("/portfolios/<portfolio_id>/applications/new")
@user_can(Permissions.CREATE_APPLICATION, message="view create new application form")
def new_application(portfolio_id):
form = NewApplicationForm()
return render_template("portfolios/applications/new.html", form=form)
@portfolios_bp.route("/portfolios/<portfolio_id>/applications/new", methods=["POST"])
@user_can(Permissions.CREATE_APPLICATION, message="create new application")
def create_application(portfolio_id):
portfolio = Portfolios.get_for_update(portfolio_id)
form = NewApplicationForm(http_request.form)
if form.validate():
application_data = form.data
Applications.create(
portfolio,
application_data["name"],
application_data["description"],
application_data["environment_names"],
)
return redirect(
url_for("portfolios.portfolio_applications", portfolio_id=portfolio_id)
)
else:
return render_template("portfolios/applications/new.html", form=form)
def get_environments_obj_for_app(application):
environments_obj = {}
for env in application.environments:
environments_obj[env.name] = []
for user in env.users:
env_role = EnvironmentRoles.get(user.id, env.id)
environments_obj[env.name].append(
{"name": user.full_name, "role": env_role.displayname}
)
return environments_obj
@portfolios_bp.route("/portfolios/<portfolio_id>/applications/<application_id>/edit")
@user_can(Permissions.VIEW_APPLICATION, message="view application edit form")
def edit_application(portfolio_id, application_id):
application = Applications.get(application_id, portfolio_id=portfolio_id)
form = ApplicationForm(name=application.name, description=application.description)
return render_template(
"portfolios/applications/edit.html",
application=application,
form=form,
environments_obj=get_environments_obj_for_app(application=application),
)
@portfolios_bp.route(
"/portfolios/<portfolio_id>/applications/<application_id>/edit", methods=["POST"]
)
@user_can(Permissions.EDIT_APPLICATION, message="update application")
def update_application(portfolio_id, application_id):
application = Applications.get(application_id, portfolio_id=portfolio_id)
form = ApplicationForm(http_request.form)
if form.validate():
application_data = form.data
Applications.update(application, application_data)
return redirect(
url_for("portfolios.portfolio_applications", portfolio_id=portfolio_id)
)
else:
return render_template(
"portfolios/applications/edit.html",
application=application,
form=form,
environments_obj=get_environments_obj_for_app(application=application),
)
def wrap_environment_role_lookup(
user, portfolio_id=None, environment_id=None, **kwargs
):
env_role = EnvironmentRoles.get_for_portfolio(
user.id, environment_id, portfolio_id=portfolio_id
)
if not env_role:
raise UnauthorizedError(user, "access environment {}".format(environment_id))
return True
@portfolios_bp.route("/portfolios/<portfolio_id>/environments/<environment_id>/access")
@user_can(None, override=wrap_environment_role_lookup, message="access environment")
def access_environment(portfolio_id, environment_id):
env_role = EnvironmentRoles.get_for_portfolio(
g.current_user.id, environment_id, portfolio_id=portfolio_id
)
token = app.csp.cloud.get_access_token(env_role)
return redirect(url_for("atst.csp_environment_access", token=token))
@portfolios_bp.route(
"/portfolios/<portfolio_id>/applications/<application_id>/delete", methods=["POST"]
)
@user_can(Permissions.DELETE_APPLICATION, message="delete application")
def delete_application(portfolio_id, application_id):
application = Applications.get(application_id, portfolio_id=portfolio_id)
Applications.delete(application)
flash("application_deleted", application_name=application.name)
return redirect(
url_for("portfolios.portfolio_applications", portfolio_id=portfolio_id)
)
def permission_str(member, edit_perm_set):
if member.has_permission_set(edit_perm_set):
return translate("portfolios.members.permissions.edit_access")
else:
return translate("portfolios.members.permissions.view_only")
@portfolios_bp.route("/portfolios/<portfolio_id>/applications/<application_id>/team")
@user_can(Permissions.VIEW_APPLICATION, message="view portfolio applications")
def application_team(portfolio_id, application_id):
application = Applications.get(
resource_id=application_id, portfolio_id=portfolio_id
)
environment_users = {}
for member in application.members:
user_id = member.user.id
environment_users[user_id] = {
"permissions": {
"delete_access": permission_str(
member, PermissionSets.DELETE_APPLICATION_ENVIRONMENTS
),
"environment_management": permission_str(
member, PermissionSets.EDIT_APPLICATION_ENVIRONMENTS
),
"team_management": permission_str(
member, PermissionSets.EDIT_APPLICATION_TEAM
),
},
"environments": Environments.for_user(
user=member.user, application=application
),
}
return render_template(
"portfolios/applications/team.html",
application=application,
environment_users=environment_users,
)

190
atst/routes/portfolios/index.py
View File

@ -5,18 +5,8 @@ from flask import render_template, request as http_request, g, redirect, url_for
from . import portfolios_bp from . import portfolios_bp
from atst.domain.reports import Reports from atst.domain.reports import Reports
from atst.domain.portfolios import Portfolios from atst.domain.portfolios import Portfolios
from atst.domain.portfolio_roles import PortfolioRoles
from atst.domain.permission_sets import PermissionSets
from atst.domain.users import Users
from atst.domain.audit_log import AuditLog
from atst.domain.common import Paginator
from atst.domain.exceptions import NotFoundError
from atst.forms.portfolio import PortfolioForm
import atst.forms.portfolio_member as member_forms
from atst.models.permissions import Permissions from atst.models.permissions import Permissions
from atst.domain.authz.decorator import user_can_access_decorator as user_can from atst.domain.authz.decorator import user_can_access_decorator as user_can
from atst.utils.flash import formatted_flash as flash
from atst.domain.exceptions import UnauthorizedError
@portfolios_bp.route("/portfolios") @portfolios_bp.route("/portfolios")
@ -29,166 +19,17 @@ def portfolios():
return render_template("portfolios/blank_slate.html") return render_template("portfolios/blank_slate.html")
def permission_str(member, edit_perm_set, view_perm_set):
if member.has_permission_set(edit_perm_set):
return edit_perm_set
else:
return view_perm_set
def serialize_member_form_data(member):
return {
"member": member.user.full_name,
"user_id": member.user_id,
"perms_app_mgmt": permission_str(
member,
PermissionSets.EDIT_PORTFOLIO_APPLICATION_MANAGEMENT,
PermissionSets.VIEW_PORTFOLIO_APPLICATION_MANAGEMENT,
),
"perms_funding": permission_str(
member,
PermissionSets.EDIT_PORTFOLIO_FUNDING,
PermissionSets.VIEW_PORTFOLIO_FUNDING,
),
"perms_reporting": permission_str(
member,
PermissionSets.EDIT_PORTFOLIO_REPORTS,
PermissionSets.VIEW_PORTFOLIO_REPORTS,
),
"perms_portfolio_mgmt": permission_str(
member,
PermissionSets.EDIT_PORTFOLIO_ADMIN,
PermissionSets.VIEW_PORTFOLIO_ADMIN,
),
}
def get_members_data(portfolio):
members = [serialize_member_form_data(member) for member in portfolio.members]
for member in members:
if member["user_id"] == portfolio.owner.id:
ppoc = member
members.remove(member)
members.insert(0, ppoc)
return members
def render_admin_page(portfolio, form=None):
pagination_opts = Paginator.get_pagination_opts(http_request)
audit_events = AuditLog.get_portfolio_events(portfolio, pagination_opts)
members_data = get_members_data(portfolio)
portfolio_form = PortfolioForm(data={"name": portfolio.name})
member_perms_form = member_forms.MembersPermissionsForm(
data={"members_permissions": members_data}
)
assign_ppoc_form = member_forms.AssignPPOCForm()
assign_ppoc_form.user_id.choices += [
(user.id, user.full_name) for user in portfolio.users if user != portfolio.owner
]
return render_template(
"portfolios/admin.html",
form=form,
portfolio_form=portfolio_form,
member_perms_form=member_perms_form,
member_form=member_forms.NewForm(),
assign_ppoc_form=assign_ppoc_form,
portfolio=portfolio,
audit_events=audit_events,
user=g.current_user,
members_data=members_data,
)
@portfolios_bp.route("/portfolios/<portfolio_id>/admin")
@user_can(Permissions.VIEW_PORTFOLIO_ADMIN, message="view portfolio admin page")
def portfolio_admin(portfolio_id):
portfolio = Portfolios.get_for_update(portfolio_id)
return render_admin_page(portfolio)
@portfolios_bp.route("/portfolios/<portfolio_id>/admin", methods=["POST"])
@user_can(Permissions.EDIT_PORTFOLIO_USERS, message="view portfolio admin page")
def edit_portfolio_members(portfolio_id):
portfolio = Portfolios.get_for_update(portfolio_id)
member_perms_form = member_forms.MembersPermissionsForm(http_request.form)
if member_perms_form.validate():
for subform in member_perms_form.members_permissions:
user_id = subform.user_id.data
member = Users.get(user_id=user_id)
if member is not portfolio.owner:
new_perm_set = subform.data["permission_sets"]
portfolio_role = PortfolioRoles.get(portfolio.id, user_id)
PortfolioRoles.update(portfolio_role, new_perm_set)
flash("update_portfolio_members", portfolio=portfolio)
return redirect(
url_for(
"portfolios.portfolio_admin",
portfolio_id=portfolio_id,
fragment="portfolio-members",
_anchor="portfolio-members",
)
)
else:
return render_admin_page(portfolio)
@portfolios_bp.route("/portfolios/<portfolio_id>/update_ppoc", methods=["POST"])
@user_can(Permissions.EDIT_PORTFOLIO_POC, message="update portfolio ppoc")
def update_ppoc(portfolio_id):
user_id = http_request.form.get("user_id")
portfolio = Portfolios.get(g.current_user, portfolio_id)
new_ppoc = Users.get(user_id)
if new_ppoc not in portfolio.users:
raise NotFoundError("user not in portfolio")
portfolio_role = PortfolioRoles.get(portfolio_id=portfolio_id, user_id=user_id)
PortfolioRoles.make_ppoc(portfolio_role=portfolio_role)
flash("primary_point_of_contact_changed", ppoc_name=new_ppoc.full_name)
return redirect(
url_for(
"portfolios.portfolio_admin",
portfolio_id=portfolio.id,
fragment="primary-point-of-contact",
_anchor="primary-point-of-contact",
)
)
@portfolios_bp.route("/portfolios/<portfolio_id>/edit", methods=["POST"])
@user_can(Permissions.EDIT_PORTFOLIO_NAME, message="edit portfolio")
def edit_portfolio(portfolio_id):
portfolio = Portfolios.get_for_update(portfolio_id)
form = PortfolioForm(http_request.form)
if form.validate():
Portfolios.update(portfolio, form.data)
return redirect(
url_for("portfolios.portfolio_applications", portfolio_id=portfolio.id)
)
else:
# rerender portfolio admin page
return render_admin_page(portfolio, form)
@portfolios_bp.route("/portfolios/<portfolio_id>") @portfolios_bp.route("/portfolios/<portfolio_id>")
@user_can(Permissions.VIEW_PORTFOLIO, message="view portfolio") @user_can(Permissions.VIEW_PORTFOLIO, message="view portfolio")
def show_portfolio(portfolio_id): def show_portfolio(portfolio_id):
return redirect( return redirect(
url_for("portfolios.portfolio_applications", portfolio_id=portfolio_id) url_for("applications.portfolio_applications", portfolio_id=portfolio_id)
) )
@portfolios_bp.route("/portfolios/<portfolio_id>/reports") @portfolios_bp.route("/portfolios/<portfolio_id>/reports")
@user_can(Permissions.VIEW_PORTFOLIO_REPORTS, message="view portfolio reports") @user_can(Permissions.VIEW_PORTFOLIO_REPORTS, message="view portfolio reports")
def portfolio_reports(portfolio_id): def reports(portfolio_id):
portfolio = Portfolios.get(g.current_user, portfolio_id) portfolio = Portfolios.get(g.current_user, portfolio_id)
today = date.today() today = date.today()
month = http_request.args.get("month", today.month) month = http_request.args.get("month", today.month)
@ -220,30 +61,3 @@ def portfolio_reports(portfolio_id):
expiration_date=expiration_date, expiration_date=expiration_date,
remaining_days=remaining_days, remaining_days=remaining_days,
) )
@portfolios_bp.route(
"/portfolios/<portfolio_id>/members/<user_id>/delete", methods=["POST"]
)
@user_can(Permissions.EDIT_PORTFOLIO_USERS, message="update portfolio members")
def remove_member(portfolio_id, user_id):
if str(g.current_user.id) == user_id:
raise UnauthorizedError(
g.current_user, "you cant remove yourself from the portfolio"
)
portfolio_role = PortfolioRoles.get(portfolio_id=portfolio_id, user_id=user_id)
# TODO: should this cascade and disable any application and environment
# roles they might have?
PortfolioRoles.disable(portfolio_role=portfolio_role)
flash("portfolio_member_removed", member_name=portfolio_role.user.full_name)
return redirect(
url_for(
"portfolios.portfolio_admin",
portfolio_id=portfolio_id,
_anchor="portfolio-members",
fragment="portfolio-members",
)
)

15
atst/routes/portfolios/invitations.py
View File

@ -21,19 +21,10 @@ def send_invite_email(owner_name, token, new_member_email):
def accept_invitation(token): def accept_invitation(token):
invite = Invitations.accept(g.current_user, token) invite = Invitations.accept(g.current_user, token)
# TODO: this will eventually redirect to different places depending on
# whether the user is an officer for the TO and what kind of officer they
# are. It will also have to manage cases like:
# - the logged-in user has multiple roles on the TO (e.g., KO and COR)
# - the logged-in user has officer roles on multiple unsigned TOs
for task_order in invite.portfolio.task_orders: for task_order in invite.portfolio.task_orders:
if g.current_user in task_order.officers: if g.current_user in task_order.officers:
return redirect( return redirect(
url_for( url_for("task_orders.view_task_order", task_order_id=task_order.id)
"portfolios.view_task_order",
portfolio_id=task_order.portfolio_id,
task_order_id=task_order.id,
)
) )
return redirect( return redirect(
@ -50,7 +41,7 @@ def revoke_invitation(portfolio_id, token):
return redirect( return redirect(
url_for( url_for(
"portfolios.portfolio_admin", "portfolios.admin",
portfolio_id=portfolio_id, portfolio_id=portfolio_id,
_anchor="portfolio-members", _anchor="portfolio-members",
fragment="portfolio-members", fragment="portfolio-members",
@ -68,7 +59,7 @@ def resend_invitation(portfolio_id, token):
flash("resend_portfolio_invitation", user_name=invite.user_name) flash("resend_portfolio_invitation", user_name=invite.user_name)
return redirect( return redirect(
url_for( url_for(
"portfolios.portfolio_admin", "portfolios.admin",
portfolio_id=portfolio_id, portfolio_id=portfolio_id,
fragment="portfolio-members", fragment="portfolio-members",
_anchor="portfolio-members", _anchor="portfolio-members",

2
atst/routes/portfolios/members.py
View File

@ -52,7 +52,7 @@ def create_member(portfolio_id):
return redirect( return redirect(
url_for( url_for(
"portfolios.portfolio_admin", "portfolios.admin",
portfolio_id=portfolio_id, portfolio_id=portfolio_id,
fragment="portfolio-members", fragment="portfolio-members",
_anchor="portfolio-members", _anchor="portfolio-members",

321
atst/routes/portfolios/task_orders.py
View File

@ -1,321 +0,0 @@
from collections import defaultdict
from flask import g, redirect, render_template, url_for, request as http_request
from . import portfolios_bp
from atst.database import db
from atst.domain.authz import Authorization
from atst.domain.exceptions import NotFoundError, NoAccessError
from atst.domain.invitations import Invitations
from atst.domain.portfolios import Portfolios
from atst.domain.task_orders import TaskOrders, DD254s
from atst.utils.localization import translate
from atst.forms.dd_254 import DD254Form
from atst.forms.ko_review import KOReviewForm
from atst.forms.officers import EditTaskOrderOfficersForm
from atst.models.task_order import Status as TaskOrderStatus
from atst.utils.flash import formatted_flash as flash
from atst.services.invitation import (
update_officer_invitations,
OFFICER_INVITATIONS,
Invitation as InvitationService,
)
from atst.domain.authz.decorator import user_can_access_decorator as user_can
from atst.models.permissions import Permissions
@portfolios_bp.route("/portfolios/<portfolio_id>/task_orders")
@user_can(Permissions.VIEW_PORTFOLIO_FUNDING, message="view portfolio funding")
def portfolio_funding(portfolio_id):
portfolio = Portfolios.get(g.current_user, portfolio_id)
task_orders_by_status = defaultdict(list)
serialize_task_order = lambda task_order: {
key: getattr(task_order, key)
for key in [
"id",
"budget",
"time_created",
"start_date",
"end_date",
"display_status",
"days_to_expiration",
"balance",
]
}
for task_order in portfolio.task_orders:
serialized_task_order = serialize_task_order(task_order)
serialized_task_order["url"] = url_for(
"portfolios.view_task_order",
portfolio_id=portfolio.id,
task_order_id=task_order.id,
)
task_orders_by_status[task_order.status].append(serialized_task_order)
active_task_orders = task_orders_by_status.get(TaskOrderStatus.ACTIVE, [])
total_balance = sum([task_order["balance"] for task_order in active_task_orders])
return render_template(
"portfolios/task_orders/index.html",
pending_task_orders=(
task_orders_by_status.get(TaskOrderStatus.STARTED, [])
+ task_orders_by_status.get(TaskOrderStatus.PENDING, [])
),
active_task_orders=active_task_orders,
expired_task_orders=task_orders_by_status.get(TaskOrderStatus.EXPIRED, []),
total_balance=total_balance,
)
@portfolios_bp.route("/portfolios/<portfolio_id>/task_order/<task_order_id>")
@user_can(Permissions.VIEW_TASK_ORDER_DETAILS, message="view task order details")
def view_task_order(portfolio_id, task_order_id):
task_order = TaskOrders.get(task_order_id, portfolio_id=portfolio_id)
to_form_complete = TaskOrders.all_sections_complete(task_order)
dd_254_complete = DD254s.is_complete(task_order.dd_254)
return render_template(
"portfolios/task_orders/show.html",
dd_254_complete=dd_254_complete,
is_cor=Authorization.is_cor(g.current_user, task_order),
is_ko=Authorization.is_ko(g.current_user, task_order),
is_so=Authorization.is_so(g.current_user, task_order),
is_to_signed=TaskOrders.is_signed_by_ko(task_order),
task_order=task_order,
to_form_complete=to_form_complete,
user=g.current_user,
)
def wrap_check_is_ko_or_cor(user, task_order_id=None, portfolio_id=None, **_kwargs):
task_order = TaskOrders.get(task_order_id, portfolio_id=portfolio_id)
Authorization.check_is_ko_or_cor(user, task_order)
return True
@portfolios_bp.route("/portfolios/<portfolio_id>/task_order/<task_order_id>/review")
@user_can(
None,
override=wrap_check_is_ko_or_cor,
message="view contracting officer review form",
)
def ko_review(portfolio_id, task_order_id):
task_order = TaskOrders.get(task_order_id, portfolio_id=portfolio_id)
if TaskOrders.all_sections_complete(task_order):
return render_template(
"/portfolios/task_orders/review.html",
task_order=task_order,
form=KOReviewForm(obj=task_order),
)
else:
raise NoAccessError("task_order")
@portfolios_bp.route(
"/portfolios/<portfolio_id>/task_order/<task_order_id>/resend_invite",
methods=["POST"],
)
@user_can(
Permissions.EDIT_TASK_ORDER_DETAILS, message="resend task order officer invites"
)
def resend_invite(portfolio_id, task_order_id):
invite_type = http_request.args.get("invite_type")
if invite_type not in OFFICER_INVITATIONS:
raise NotFoundError("invite_type")
invite_type_info = OFFICER_INVITATIONS[invite_type]
task_order = TaskOrders.get(task_order_id, portfolio_id=portfolio_id)
portfolio = Portfolios.get(g.current_user, portfolio_id)
officer = getattr(task_order, invite_type_info["role"])
if not officer:
raise NotFoundError("officer")
invitation = Invitations.lookup_by_portfolio_and_user(portfolio, officer)
if not invitation:
raise NotFoundError("invitation")
if not invitation.can_resend:
raise NoAccessError("invitation")
Invitations.revoke(token=invitation.token)
invite_service = InvitationService(
g.current_user,
invitation.portfolio_role,
invitation.email,
subject=invite_type_info["subject"],
email_template=invite_type_info["template"],
)
invite_service.invite()
flash(
"invitation_resent",
officer_type=translate(
"common.officer_helpers.underscore_to_friendly.{}".format(
invite_type_info["role"]
)
),
)
return redirect(
url_for(
"portfolios.task_order_invitations",
portfolio_id=portfolio_id,
task_order_id=task_order_id,
)
)
@portfolios_bp.route(
"/portfolios/<portfolio_id>/task_order/<task_order_id>/review", methods=["POST"]
)
@user_can(
None, override=wrap_check_is_ko_or_cor, message="submit contracting officer review"
)
def submit_ko_review(portfolio_id, task_order_id, form=None):
task_order = TaskOrders.get(task_order_id, portfolio_id=portfolio_id)
form_data = {**http_request.form, **http_request.files}
form = KOReviewForm(form_data)
if form.validate():
TaskOrders.update(task_order=task_order, **form.data)
if Authorization.is_ko(g.current_user, task_order) and TaskOrders.can_ko_sign(
task_order
):
return redirect(
url_for("task_orders.signature_requested", task_order_id=task_order_id)
)
else:
return redirect(
url_for(
"portfolios.view_task_order",
task_order_id=task_order_id,
portfolio_id=portfolio_id,
)
)
else:
return render_template(
"/portfolios/task_orders/review.html", task_order=task_order, form=form
)
@portfolios_bp.route(
"/portfolios/<portfolio_id>/task_order/<task_order_id>/invitations"
)
@user_can(
Permissions.EDIT_TASK_ORDER_DETAILS, message="view task order invitations page"
)
def task_order_invitations(portfolio_id, task_order_id):
task_order = TaskOrders.get(task_order_id, portfolio_id=portfolio_id)
form = EditTaskOrderOfficersForm(obj=task_order)
if TaskOrders.all_sections_complete(task_order):
return render_template(
"portfolios/task_orders/invitations.html",
task_order=task_order,
form=form,
user=g.current_user,
)
else:
raise NotFoundError("task_order")
@portfolios_bp.route(
"/portfolios/<portfolio_id>/task_order/<task_order_id>/invitations",
methods=["POST"],
)
@user_can(Permissions.EDIT_TASK_ORDER_DETAILS, message="edit task order invitations")
def edit_task_order_invitations(portfolio_id, task_order_id):
task_order = TaskOrders.get(task_order_id, portfolio_id=portfolio_id)
form = EditTaskOrderOfficersForm(formdata=http_request.form, obj=task_order)
if form.validate():
form.populate_obj(task_order)
db.session.add(task_order)
db.session.commit()
update_officer_invitations(g.current_user, task_order)
return redirect(
url_for(
"portfolios.task_order_invitations",
portfolio_id=portfolio_id,
task_order_id=task_order.id,
)
)
else:
return (
render_template(
"portfolios/task_orders/invitations.html",
task_order=task_order,
form=form,
),
400,
)
def so_review_form(task_order):
if task_order.dd_254:
dd_254 = task_order.dd_254
form = DD254Form(obj=dd_254)
form.required_distribution.data = dd_254.required_distribution
return form
else:
so = task_order.officer_dictionary("security_officer")
form_data = {
"certifying_official": "{}, {}".format(
so.get("last_name", ""), so.get("first_name", "")
),
"co_phone": so.get("phone_number", ""),
}
return DD254Form(data=form_data)
def wrap_check_is_so(user, task_order_id=None, portfolio_id=None, **_kwargs):
task_order = TaskOrders.get(task_order_id, portfolio_id=portfolio_id)
Authorization.check_is_so(user, task_order)
return True
@portfolios_bp.route("/portfolios/<portfolio_id>/task_order/<task_order_id>/dd254")
@user_can(None, override=wrap_check_is_so, message="view security officer review form")
def so_review(portfolio_id, task_order_id):
task_order = TaskOrders.get(task_order_id, portfolio_id=portfolio_id)
form = so_review_form(task_order)
return render_template(
"portfolios/task_orders/so_review.html", form=form, task_order=task_order
)
@portfolios_bp.route(
"/portfolios/<portfolio_id>/task_order/<task_order_id>/dd254", methods=["POST"]
)
@user_can(
None, override=wrap_check_is_so, message="submit security officer review form"
)
def submit_so_review(portfolio_id, task_order_id):
task_order = TaskOrders.get(task_order_id, portfolio_id=portfolio_id)
form = DD254Form(http_request.form)
if form.validate():
TaskOrders.add_dd_254(task_order, form.data)
# TODO: will redirect to download, sign, upload page
return redirect(
url_for(
"portfolios.view_task_order",
portfolio_id=task_order.portfolio.id,
task_order_id=task_order.id,
)
)
else:
return render_template(
"portfolios/task_orders/so_review.html", form=form, task_order=task_order
)

9
atst/routes/task_orders/__init__.py
View File

@ -2,7 +2,12 @@ from flask import Blueprint
task_orders_bp = Blueprint("task_orders", __name__) task_orders_bp = Blueprint("task_orders", __name__)
from . import new
from . import index from . import index
from . import invite from . import new
from . import invitations
from . import officer_reviews
from . import signing from . import signing
from . import downloads
from atst.utils.context_processors import portfolio as portfolio_context_processor
task_orders_bp.context_processor(portfolio_context_processor)

56
atst/routes/task_orders/downloads.py Normal file
View File

@ -0,0 +1,56 @@
from io import BytesIO
from flask import Response, current_app as app
from . import task_orders_bp
from atst.domain.task_orders import TaskOrders
from atst.domain.exceptions import NotFoundError
from atst.utils.docx import Docx
from atst.domain.authz.decorator import user_can_access_decorator as user_can
from atst.models.permissions import Permissions
@task_orders_bp.route("/task_orders/<task_order_id>/download_summary")
@user_can(Permissions.VIEW_TASK_ORDER_DETAILS, message="download task order summary")
def download_summary(task_order_id):
task_order = TaskOrders.get(task_order_id)
byte_str = BytesIO()
Docx.render(byte_str, data=task_order.to_dictionary())
filename = "{}.docx".format(task_order.portfolio_name)
return Response(
byte_str,
headers={"Content-Disposition": "attachment; filename={}".format(filename)},
mimetype="application/vnd.openxmlformats-officedocument.wordprocessingml.document",
)
def send_file(attachment):
generator = app.csp.files.download(attachment.object_name)
return Response(
generator,
headers={
"Content-Disposition": "attachment; filename={}".format(attachment.filename)
},
)
@task_orders_bp.route("/task_orders/<task_order_id>/csp_estimate")
@user_can(
Permissions.VIEW_TASK_ORDER_DETAILS,
message="download task order cloud service provider estimate",
)
def download_csp_estimate(task_order_id):
task_order = TaskOrders.get(task_order_id)
if task_order.csp_estimate:
return send_file(task_order.csp_estimate)
else:
raise NotFoundError("task_order CSP estimate")
@task_orders_bp.route("/task_orders/<task_order_id>/pdf")
@user_can(Permissions.VIEW_TASK_ORDER_DETAILS, message="download task order PDF")
def download_task_order_pdf(task_order_id):
task_order = TaskOrders.get(task_order_id)
if task_order.pdf:
return send_file(task_order.pdf)
else:
raise NotFoundError("task_order pdf")

104
atst/routes/task_orders/index.py
View File

@ -1,56 +1,74 @@
from io import BytesIO from collections import defaultdict
from flask import Response, current_app as app
from flask import g, render_template, url_for
from . import task_orders_bp from . import task_orders_bp
from atst.domain.task_orders import TaskOrders from atst.domain.authz import Authorization
from atst.domain.exceptions import NotFoundError
from atst.utils.docx import Docx
from atst.domain.authz.decorator import user_can_access_decorator as user_can from atst.domain.authz.decorator import user_can_access_decorator as user_can
from atst.models.permissions import Permissions from atst.domain.portfolios import Portfolios
from atst.domain.task_orders import TaskOrders, DD254s
from atst.models import Permissions
from atst.models.task_order import Status as TaskOrderStatus
@task_orders_bp.route("/task_orders/download_summary/<task_order_id>") @task_orders_bp.route("/task_orders/<task_order_id>")
@user_can(Permissions.VIEW_TASK_ORDER_DETAILS, message="download task order summary") @user_can(Permissions.VIEW_TASK_ORDER_DETAILS, message="view task order details")
def download_summary(task_order_id): def view_task_order(task_order_id):
task_order = TaskOrders.get(task_order_id) task_order = TaskOrders.get(task_order_id)
byte_str = BytesIO() to_form_complete = TaskOrders.all_sections_complete(task_order)
Docx.render(byte_str, data=task_order.to_dictionary()) dd_254_complete = DD254s.is_complete(task_order.dd_254)
filename = "{}.docx".format(task_order.portfolio_name) return render_template(
return Response( "portfolios/task_orders/show.html",
byte_str, dd_254_complete=dd_254_complete,
headers={"Content-Disposition": "attachment; filename={}".format(filename)}, is_cor=Authorization.is_cor(g.current_user, task_order),
mimetype="application/vnd.openxmlformats-officedocument.wordprocessingml.document", is_ko=Authorization.is_ko(g.current_user, task_order),
is_so=Authorization.is_so(g.current_user, task_order),
is_to_signed=TaskOrders.is_signed_by_ko(task_order),
task_order=task_order,
to_form_complete=to_form_complete,
user=g.current_user,
) )
def send_file(attachment): def serialize_task_order(task_order):
generator = app.csp.files.download(attachment.object_name) return {
return Response( key: getattr(task_order, key)
generator, for key in [
headers={ "id",
"Content-Disposition": "attachment; filename={}".format(attachment.filename) "budget",
}, "time_created",
"start_date",
"end_date",
"display_status",
"days_to_expiration",
"balance",
]
}
@task_orders_bp.route("/portfolios/<portfolio_id>/task_orders")
@user_can(Permissions.VIEW_PORTFOLIO_FUNDING, message="view portfolio funding")
def portfolio_funding(portfolio_id):
portfolio = Portfolios.get(g.current_user, portfolio_id)
task_orders_by_status = defaultdict(list)
for task_order in portfolio.task_orders:
serialized_task_order = serialize_task_order(task_order)
serialized_task_order["url"] = url_for(
"task_orders.view_task_order", task_order_id=task_order.id
) )
task_orders_by_status[task_order.status].append(serialized_task_order)
active_task_orders = task_orders_by_status.get(TaskOrderStatus.ACTIVE, [])
total_balance = sum([task_order["balance"] for task_order in active_task_orders])
@task_orders_bp.route("/task_orders/csp_estimate/<task_order_id>") return render_template(
@user_can( "portfolios/task_orders/index.html",
Permissions.VIEW_TASK_ORDER_DETAILS, pending_task_orders=(
message="download task order cloud service provider estimate", task_orders_by_status.get(TaskOrderStatus.STARTED, [])
+ task_orders_by_status.get(TaskOrderStatus.PENDING, [])
),
active_task_orders=active_task_orders,
expired_task_orders=task_orders_by_status.get(TaskOrderStatus.EXPIRED, []),
total_balance=total_balance,
) )
def download_csp_estimate(task_order_id):
task_order = TaskOrders.get(task_order_id)
if task_order.csp_estimate:
return send_file(task_order.csp_estimate)
else:
raise NotFoundError("task_order CSP estimate")
@task_orders_bp.route("/task_orders/pdf/<task_order_id>")
@user_can(Permissions.VIEW_TASK_ORDER_DETAILS, message="download task order PDF")
def download_task_order_pdf(task_order_id):
task_order = TaskOrders.get(task_order_id)
if task_order.pdf:
return send_file(task_order.pdf)
else:
raise NotFoundError("task_order pdf")

132
atst/routes/task_orders/invitations.py Normal file
View File

@ -0,0 +1,132 @@
from flask import g, redirect, render_template, url_for, request as http_request
from . import task_orders_bp
from atst.domain.task_orders import TaskOrders
from atst.utils.flash import formatted_flash as flash
from atst.domain.authz.decorator import user_can_access_decorator as user_can
from atst.models.permissions import Permissions
from atst.database import db
from atst.domain.exceptions import NotFoundError, NoAccessError
from atst.domain.invitations import Invitations
from atst.domain.portfolios import Portfolios
from atst.utils.localization import translate
from atst.forms.officers import EditTaskOrderOfficersForm
from atst.services.invitation import (
update_officer_invitations,
OFFICER_INVITATIONS,
Invitation as InvitationService,
)
@task_orders_bp.route("/task_orders/<task_order_id>/invite", methods=["POST"])
@user_can(Permissions.EDIT_TASK_ORDER_DETAILS, message="invite task order officers")
def invite(task_order_id):
task_order = TaskOrders.get(task_order_id)
if TaskOrders.all_sections_complete(task_order):
update_officer_invitations(g.current_user, task_order)
portfolio = task_order.portfolio
flash("task_order_congrats", portfolio=portfolio)
return redirect(
url_for("task_orders.view_task_order", task_order_id=task_order.id)
)
else:
flash("task_order_incomplete")
return redirect(
url_for("task_orders.new", screen=4, task_order_id=task_order.id)
)
@task_orders_bp.route("/task_orders/<task_order_id>/resend_invite", methods=["POST"])
@user_can(
Permissions.EDIT_TASK_ORDER_DETAILS, message="resend task order officer invites"
)
def resend_invite(task_order_id):
invite_type = http_request.args.get("invite_type")
if invite_type not in OFFICER_INVITATIONS:
raise NotFoundError("invite_type")
invite_type_info = OFFICER_INVITATIONS[invite_type]
task_order = TaskOrders.get(task_order_id)
portfolio = Portfolios.get(g.current_user, task_order.portfolio_id)
officer = getattr(task_order, invite_type_info["role"])
if not officer:
raise NotFoundError("officer")
invitation = Invitations.lookup_by_portfolio_and_user(portfolio, officer)
if not invitation:
raise NotFoundError("invitation")
if not invitation.can_resend:
raise NoAccessError("invitation")
Invitations.revoke(token=invitation.token)
invite_service = InvitationService(
g.current_user,
invitation.portfolio_role,
invitation.email,
subject=invite_type_info["subject"],
email_template=invite_type_info["template"],
)
invite_service.invite()
flash(
"invitation_resent",
officer_type=translate(
"common.officer_helpers.underscore_to_friendly.{}".format(
invite_type_info["role"]
)
),
)
return redirect(url_for("task_orders.invitations", task_order_id=task_order_id))
@task_orders_bp.route("/task_orders/<task_order_id>/invitations")
@user_can(
Permissions.EDIT_TASK_ORDER_DETAILS, message="view task order invitations page"
)
def invitations(task_order_id):
task_order = TaskOrders.get(task_order_id)
form = EditTaskOrderOfficersForm(obj=task_order)
if TaskOrders.all_sections_complete(task_order):
return render_template(
"portfolios/task_orders/invitations.html",
task_order=task_order,
form=form,
user=g.current_user,
)
else:
raise NotFoundError("task_order")
@task_orders_bp.route("/task_orders/<task_order_id>/invitations/edit", methods=["POST"])
@user_can(Permissions.EDIT_TASK_ORDER_DETAILS, message="edit task order invitations")
def invitations_edit(task_order_id):
task_order = TaskOrders.get(task_order_id)
form = EditTaskOrderOfficersForm(formdata=http_request.form, obj=task_order)
if form.validate():
form.populate_obj(task_order)
db.session.add(task_order)
db.session.commit()
update_officer_invitations(g.current_user, task_order)
return redirect(url_for("task_orders.invitations", task_order_id=task_order.id))
else:
return (
render_template(
"portfolios/task_orders/invitations.html",
task_order=task_order,
form=form,
),
400,
)

31
atst/routes/task_orders/invite.py
View File

@ -1,31 +0,0 @@
from flask import redirect, url_for, g
from . import task_orders_bp
from atst.domain.task_orders import TaskOrders
from atst.utils.flash import formatted_flash as flash
from atst.services.invitation import update_officer_invitations
from atst.domain.authz.decorator import user_can_access_decorator as user_can
from atst.models.permissions import Permissions
@task_orders_bp.route("/task_orders/invite/<task_order_id>", methods=["POST"])
@user_can(Permissions.EDIT_TASK_ORDER_DETAILS, message="invite task order officers")
def invite(task_order_id):
task_order = TaskOrders.get(task_order_id)
if TaskOrders.all_sections_complete(task_order):
update_officer_invitations(g.current_user, task_order)
portfolio = task_order.portfolio
flash("task_order_congrats", portfolio=portfolio)
return redirect(
url_for(
"portfolios.view_task_order",
portfolio_id=task_order.portfolio_id,
task_order_id=task_order.id,
)
)
else:
flash("task_order_incomplete")
return redirect(
url_for("task_orders.new", screen=4, task_order_id=task_order.id)
)

4
atst/routes/task_orders/new.py
View File

@ -305,9 +305,7 @@ def new(screen, task_order_id=None, portfolio_id=None):
if http_request.args.get("ko_edit"): if http_request.args.get("ko_edit"):
template_args["ko_edit"] = True template_args["ko_edit"] = True
template_args["next"] = url_for( template_args["next"] = url_for(
"portfolios.ko_review", "task_orders.ko_review", task_order_id=task_order_id
portfolio_id=workflow.task_order.portfolio.id,
task_order_id=task_order_id,
) )
url_args["next"] = template_args["next"] url_args["next"] = template_args["next"]

117
atst/routes/task_orders/officer_reviews.py Normal file
View File

@ -0,0 +1,117 @@
from flask import g, redirect, render_template, url_for, request as http_request
from . import task_orders_bp
from atst.domain.authz import Authorization
from atst.domain.exceptions import NoAccessError
from atst.domain.task_orders import TaskOrders
from atst.forms.dd_254 import DD254Form
from atst.forms.ko_review import KOReviewForm
from atst.domain.authz.decorator import user_can_access_decorator as user_can
def wrap_check_is_ko_or_cor(user, task_order_id=None, **_kwargs):
task_order = TaskOrders.get(task_order_id)
Authorization.check_is_ko_or_cor(user, task_order)
return True
@task_orders_bp.route("/task_orders/<task_order_id>/review")
@user_can(
None,
override=wrap_check_is_ko_or_cor,
message="view contracting officer review form",
)
def ko_review(task_order_id):
task_order = TaskOrders.get(task_order_id)
if TaskOrders.all_sections_complete(task_order):
return render_template(
"/portfolios/task_orders/review.html",
task_order=task_order,
form=KOReviewForm(obj=task_order),
)
else:
raise NoAccessError("task_order")
@task_orders_bp.route("/task_orders/<task_order_id>/review", methods=["POST"])
@user_can(
None, override=wrap_check_is_ko_or_cor, message="submit contracting officer review"
)
def submit_ko_review(task_order_id, form=None):
task_order = TaskOrders.get(task_order_id)
form_data = {**http_request.form, **http_request.files}
form = KOReviewForm(form_data)
if form.validate():
TaskOrders.update(task_order=task_order, **form.data)
if Authorization.is_ko(g.current_user, task_order) and TaskOrders.can_ko_sign(
task_order
):
return redirect(
url_for("task_orders.signature_requested", task_order_id=task_order_id)
)
else:
return redirect(
url_for("task_orders.view_task_order", task_order_id=task_order_id)
)
else:
return render_template(
"/portfolios/task_orders/review.html", task_order=task_order, form=form
)
def so_review_form(task_order):
if task_order.dd_254:
dd_254 = task_order.dd_254
form = DD254Form(obj=dd_254)
form.required_distribution.data = dd_254.required_distribution
return form
else:
so = task_order.officer_dictionary("security_officer")
form_data = {
"certifying_official": "{}, {}".format(
so.get("last_name", ""), so.get("first_name", "")
),
"co_phone": so.get("phone_number", ""),
}
return DD254Form(data=form_data)
def wrap_check_is_so(user, task_order_id=None, **_kwargs):
task_order = TaskOrders.get(task_order_id)
Authorization.check_is_so(user, task_order)
return True
@task_orders_bp.route("/task_orders/<task_order_id>/dd254")
@user_can(None, override=wrap_check_is_so, message="view security officer review form")
def so_review(task_order_id):
task_order = TaskOrders.get(task_order_id)
form = so_review_form(task_order)
return render_template(
"portfolios/task_orders/so_review.html", form=form, task_order=task_order
)
@task_orders_bp.route("/task_orders/<task_order_id>/dd254", methods=["POST"])
@user_can(
None, override=wrap_check_is_so, message="submit security officer review form"
)
def submit_so_review(task_order_id):
task_order = TaskOrders.get(task_order_id)
form = DD254Form(http_request.form)
if form.validate():
TaskOrders.add_dd_254(task_order, form.data)
# TODO: will redirect to download, sign, upload page
return redirect(
url_for("task_orders.view_task_order", task_order_id=task_order.id)
)
else:
return render_template(
"portfolios/task_orders/so_review.html", form=form, task_order=task_order
)

6
atst/routes/task_orders/signing.py
View File

@ -72,11 +72,7 @@ def record_signature(task_order_id):
flash("task_order_signed") flash("task_order_signed")
return redirect( return redirect(
url_for( url_for("task_orders.view_task_order", task_order_id=task_order.id)
"portfolios.view_task_order",
portfolio_id=task_order.portfolio_id,
task_order_id=task_order.id,
)
) )
else: else:
return ( return (

74
atst/utils/context_processors.py Normal file
View File

@ -0,0 +1,74 @@
from operator import attrgetter
from flask import request as http_request, g
from sqlalchemy.orm.exc import NoResultFound
from atst.database import db
from atst.domain.authz import Authorization
from atst.models import Application, Portfolio, TaskOrder
from atst.models.permissions import Permissions
from atst.domain.portfolios.scopes import ScopedPortfolio
def get_portfolio_from_context(view_args):
query = None
if "portfolio_id" in view_args:
query = db.session.query(Portfolio).filter(
Portfolio.id == view_args["portfolio_id"]
)
elif "application_id" in view_args:
query = (
db.session.query(Portfolio)
.join(Application, Application.portfolio_id == Portfolio.id)
.filter(Application.id == view_args["application_id"])
)
elif "task_order_id" in view_args:
query = (
db.session.query(Portfolio)
.join(TaskOrder, TaskOrder.portfolio_id == Portfolio.id)
.filter(TaskOrder.id == view_args["task_order_id"])
)
if query:
try:
portfolio = query.one()
return ScopedPortfolio(g.current_user, portfolio)
except NoResultFound:
raise NotFoundError("portfolio")
def portfolio():
portfolio = get_portfolio_from_context(http_request.view_args)
def user_can(permission):
if portfolio:
return Authorization.has_portfolio_permission(
g.current_user, portfolio, permission
)
return False
if not portfolio is None:
active_task_orders = [
task_order for task_order in portfolio.task_orders if task_order.is_active
]
funding_end_date = (
sorted(active_task_orders, key=attrgetter("end_date"))[-1].end_date
if active_task_orders
else None
)
funded = len(active_task_orders) > 1
else:
funding_end_date = None
funded = None
return {
"portfolio": portfolio,
"permissions": Permissions,
"user_can": user_can,
"funding_end_date": funding_end_date,
"funded": funded,
}

2
templates/fragments/admin/portfolio_members.html
View File

@ -9,7 +9,7 @@
{% if g.matchesPath("portfolio-members") %} {% if g.matchesPath("portfolio-members") %}
{% include "fragments/flash.html" %} {% include "fragments/flash.html" %}
{% endif %} {% endif %}
<form method='POST' id="member-perms" action='{{ url_for("portfolios.edit_portfolio_members", portfolio_id=portfolio.id) }}' autocomplete="off" enctype="multipart/form-data"> <form method='POST' id="member-perms" action='{{ url_for("portfolios.edit_members", portfolio_id=portfolio.id) }}' autocomplete="off" enctype="multipart/form-data">
{{ member_perms_form.csrf_token }} {{ member_perms_form.csrf_token }}
<div class='application-list-item'> <div class='application-list-item'>

4
templates/portfolios/admin.html
View File

@ -15,7 +15,7 @@
{% if user_can(permissions.VIEW_PORTFOLIO_NAME) %} {% if user_can(permissions.VIEW_PORTFOLIO_NAME) %}
<base-form inline-template> <base-form inline-template>
<form method="POST" action="{{ url_for('portfolios.edit_portfolio', portfolio_id=portfolio.id) }}" autocomplete="false"> <form method="POST" action="{{ url_for('portfolios.edit', portfolio_id=portfolio.id) }}" autocomplete="false">
{{ portfolio_form.csrf_token }} {{ portfolio_form.csrf_token }}
<div class='form-row'> <div class='form-row'>
<div class='form-col form-col--half'> <div class='form-col form-col--half'>
@ -52,7 +52,7 @@
{% if user_can(permissions.VIEW_PORTFOLIO_ACTIVITY_LOG) %} {% if user_can(permissions.VIEW_PORTFOLIO_ACTIVITY_LOG) %}
{% include "fragments/audit_events_log.html" %} {% include "fragments/audit_events_log.html" %}
{{ Pagination(audit_events, 'portfolios.portfolio_admin', portfolio_id=portfolio.id) }} {{ Pagination(audit_events, 'portfolios.admin', portfolio_id=portfolio.id) }}
{% endif %} {% endif %}
</div> </div>
{% endblock %} {% endblock %}

4
templates/portfolios/applications/edit.html
View File

@ -11,7 +11,7 @@
<div class='subheading'>{{ 'portfolios.applications.settings_heading' | translate }}</div> <div class='subheading'>{{ 'portfolios.applications.settings_heading' | translate }}</div>
<form method="POST" action="{{ url_for('portfolios.edit_application', portfolio_id=portfolio.id, application_id=application.id) }}"> <form method="POST" action="{{ url_for('applications.update', application_id=application.id) }}">
<div class="panel"> <div class="panel">
<div class="panel__content"> <div class="panel__content">
@ -112,7 +112,7 @@
<input id="deleted-text" v-model="deleteText"> <input id="deleted-text" v-model="deleteText">
</div> </div>
<div class="action-group"> <div class="action-group">
<form method="POST" action="{{ url_for('portfolios.delete_application', portfolio_id=portfolio.id, application_id=application.id) }}"> <form method="POST" action="{{ url_for('applications.delete', application_id=application.id) }}">
{{ form.csrf_token }} {{ form.csrf_token }}
<button class="usa-button button-danger" v-bind:disabled="!valid"> <button class="usa-button button-danger" v-bind:disabled="!valid">
{{ "portfolios.applications.delete.button" | translate }} {{ "portfolios.applications.delete.button" | translate }}

10
templates/portfolios/applications/index.html
View File

@ -13,7 +13,7 @@
<div class='portfolio-applications__header--title col col--grow'>Applications</div> <div class='portfolio-applications__header--title col col--grow'>Applications</div>
<div class='portfolio-applications__header--actions col'> <div class='portfolio-applications__header--actions col'>
{% if can_create_applications %} {% if can_create_applications %}
<a class='icon-link' href='{{ url_for('portfolios.new_application', portfolio_id=portfolio.id) }}'> <a class='icon-link' href='{{ url_for('applications.new', portfolio_id=portfolio.id) }}'>
{{ 'portfolios.applications.add_application_text' | translate }} {{ 'portfolios.applications.add_application_text' | translate }}
{{ Icon("plus", classes="sidenav__link-icon icon--circle") }} {{ Icon("plus", classes="sidenav__link-icon icon--circle") }}
</a> </a>
@ -26,7 +26,7 @@
{{ EmptyState( {{ EmptyState(
'This portfolio doesnt have any applications yet.', 'This portfolio doesnt have any applications yet.',
action_label='Add a new application' if can_create_applications else None, action_label='Add a new application' if can_create_applications else None,
action_href=url_for('portfolios.new_application', portfolio_id=portfolio.id) if can_create_applications else None, action_href=url_for('applications.new', portfolio_id=portfolio.id) if can_create_applications else None,
icon='cloud', icon='cloud',
sub_message=None if can_create_applications else 'Please contact your JEDI Cloud portfolio administrator to set up a new application.' sub_message=None if can_create_applications else 'Please contact your JEDI Cloud portfolio administrator to set up a new application.'
) }} ) }}
@ -43,14 +43,14 @@
<span class='accordion__description'>{{ application.description }}</span> <span class='accordion__description'>{{ application.description }}</span>
<div class='accordion__actions'> <div class='accordion__actions'>
{% if user_can(permissions.VIEW_APPLICATION) %} {% if user_can(permissions.VIEW_APPLICATION) %}
<a class='icon-link' href='{{ url_for("portfolios.edit_application", portfolio_id=portfolio.id, application_id=application.id) }}'> <a class='icon-link' href='{{ url_for("applications.settings", application_id=application.id) }}'>
<span>{{ "portfolios.applications.app_settings_text" | translate }}</span> <span>{{ "portfolios.applications.app_settings_text" | translate }}</span>
</a> </a>
<div class='separator'></div> <div class='separator'></div>
{% endif %} {% endif %}
{% if user_can(permissions.VIEW_PORTFOLIO_USERS) %} {% if user_can(permissions.VIEW_PORTFOLIO_USERS) %}
<a <a
href="{{ url_for('portfolios.application_team', portfolio_id=portfolio.id, application_id=application.id) }}" href="{{ url_for('applications.team', application_id=application.id) }}"
class='icon-link'> class='icon-link'>
<span>{{ "portfolios.applications.team_text" | translate }}</span> <span>{{ "portfolios.applications.team_text" | translate }}</span>
<span class='counter'>{{ application.num_users }}</span> <span class='counter'>{{ application.num_users }}</span>
@ -76,7 +76,7 @@
<span>{{ environment.name }}</span> <span>{{ environment.name }}</span>
</div> </div>
<a href='{{ url_for("portfolios.access_environment", portfolio_id=portfolio.id, environment_id=environment.id)}}' target='_blank' rel='noopener noreferrer' class='application-list-item__environment__csp_link icon-link'> <a href='{{ url_for("applications.access_environment", environment_id=environment.id)}}' target='_blank' rel='noopener noreferrer' class='application-list-item__environment__csp_link icon-link'>
<span>{{ "portfolios.applications.csp_console_text" | translate }}</span> <span>{{ "portfolios.applications.csp_console_text" | translate }}</span>
</a> </a>

2
templates/portfolios/applications/new.html
View File

@ -16,7 +16,7 @@
<div class='subheading'>{{ 'portfolios.applications.settings_heading' | translate }}</div> <div class='subheading'>{{ 'portfolios.applications.settings_heading' | translate }}</div>
<new-application inline-template v-bind:initial-data='{{ form.data|tojson }}' modal-name='{{ modalName }}'> <new-application inline-template v-bind:initial-data='{{ form.data|tojson }}' modal-name='{{ modalName }}'>
<form method="POST" action="{{ url_for('portfolios.create_application', portfolio_id=portfolio.id) }}" v-on:submit="handleSubmit"> <form method="POST" action="{{ url_for('applications.create', portfolio_id=portfolio.id) }}" v-on:submit="handleSubmit">
<div class="panel"> <div class="panel">
<div class="panel__content"> <div class="panel__content">

2
templates/portfolios/applications/team.html
View File

@ -14,7 +14,7 @@
("portfolios.applications.team_settings.blank_slate.title" | translate), ("portfolios.applications.team_settings.blank_slate.title" | translate),
action_label=("portfolios.applications.team_settings.blank_slate.action_label" | translate), action_label=("portfolios.applications.team_settings.blank_slate.action_label" | translate),
action_href='#' if user_can_invite else None, action_href='#' if user_can_invite else None,
sub_message=None if user_can_invite else ("portfolios.team_settings.blank_slate.sub_message" | translate), sub_message=None if user_can_invite else ("portfolios.applications.team_settings.blank_slate.sub_message" | translate),
icon='avatar' icon='avatar'
) }} ) }}

2
templates/portfolios/breadcrumbs.html
View File

@ -1,7 +1,7 @@
{% from "components/icon.html" import Icon %} {% from "components/icon.html" import Icon %}
<div class="row portfolio-breadcrumbs"> <div class="row portfolio-breadcrumbs">
<a class="icon-link portfolio-breadcrumbs__home {{ 'icon-link--disabled' if not secondary_breadcrumb }}" href="{{ url_for("portfolios.portfolio_applications", portfolio_id=portfolio.id) }}"> <a class="icon-link portfolio-breadcrumbs__home {{ 'icon-link--disabled' if not secondary_breadcrumb }}" href="{{ url_for("applications.portfolio_applications", portfolio_id=portfolio.id) }}">
{{ Icon("home") }} {{ Icon("home") }}
<span> <span>
{{ portfolio.name }} Portfolio {{ portfolio.name }} Portfolio

12
templates/portfolios/header.html
View File

@ -60,22 +60,22 @@
{{ Link( {{ Link(
icon='chart-pie', icon='chart-pie',
text='navigation.portfolio_navigation.breadcrumbs.reports' | translate, text='navigation.portfolio_navigation.breadcrumbs.reports' | translate,
url=url_for("portfolios.portfolio_reports", portfolio_id=portfolio.id), url=url_for("portfolios.reports", portfolio_id=portfolio.id),
active=request.url_rule.endpoint == "portfolios.portfolio_reports", active=request.url_rule.endpoint == "portfolios.reports",
) }} ) }}
{% endif %} {% endif %}
{{ Link( {{ Link(
icon='dollar-sign', icon='dollar-sign',
text='navigation.portfolio_navigation.breadcrumbs.funding' | translate, text='navigation.portfolio_navigation.breadcrumbs.funding' | translate,
url=url_for("portfolios.portfolio_funding", portfolio_id=portfolio.id), url=url_for("task_orders.portfolio_funding", portfolio_id=portfolio.id),
active=request.url_rule.endpoint == "portfolios.portfolio_funding", active=request.url_rule.endpoint == "task_orders.portfolio_funding",
) }} ) }}
{% if user_can(permissions.VIEW_PORTFOLIO_ADMIN) %} {% if user_can(permissions.VIEW_PORTFOLIO_ADMIN) %}
{{ Link( {{ Link(
icon='cog', icon='cog',
text='navigation.portfolio_navigation.breadcrumbs.admin' | translate, text='navigation.portfolio_navigation.breadcrumbs.admin' | translate,
url=url_for("portfolios.portfolio_admin", portfolio_id=portfolio.id), url=url_for("portfolios.admin", portfolio_id=portfolio.id),
active=request.url_rule.endpoint == "portfolios.portfolio_admin", active=request.url_rule.endpoint == "portfolios.admin",
) }} ) }}
{% endif %} {% endif %}
</div> </div>

8
templates/portfolios/reports/index.html
View File

@ -76,7 +76,7 @@
- -
{% endif %} {% endif %}
</div> </div>
<a href='{{ url_for("portfolios.view_task_order", portfolio_id=portfolio.id, task_order_id=task_order.id) }}' class='icon-link'> <a href='{{ url_for("task_orders.view_task_order", task_order_id=task_order.id) }}' class='icon-link'>
{{ Icon('cog') }} {{ Icon('cog') }}
Manage Task Order Manage Task Order
</a> </a>
@ -130,7 +130,7 @@
{% set current_month_index = current_month.strftime('%m/%Y') %} {% set current_month_index = current_month.strftime('%m/%Y') %}
{% set prev_month_index = prev_month.strftime('%m/%Y') %} {% set prev_month_index = prev_month.strftime('%m/%Y') %}
{% set two_months_ago_index = two_months_ago.strftime('%m/%Y') %} {% set two_months_ago_index = two_months_ago.strftime('%m/%Y') %}
{% set reports_url = url_for("portfolios.portfolio_reports", portfolio_id=portfolio.id) %} {% set reports_url = url_for("portfolios.reports", portfolio_id=portfolio.id) %}
{% if not portfolio.applications %} {% if not portfolio.applications %}
@ -143,7 +143,7 @@
{{ EmptyState( {{ EmptyState(
'Nothing to report', 'Nothing to report',
action_label='Add a new application' if can_create_applications else None, action_label='Add a new application' if can_create_applications else None,
action_href=url_for('portfolios.new_application', portfolio_id=portfolio.id) if can_create_applications else None, action_href=url_for('applications.new', portfolio_id=portfolio.id) if can_create_applications else None,
icon='chart', icon='chart',
sub_message=message sub_message=message
) }} ) }}
@ -357,7 +357,7 @@
{% if month.month == current_month.month and month.year == current_month.year %} {% if month.month == current_month.month and month.year == current_month.year %}
selected='selected' selected='selected'
{% endif %} {% endif %}
value='{{ url_for("portfolios.portfolio_reports", value='{{ url_for("portfolios.reports",
portfolio_id=portfolio.id, portfolio_id=portfolio.id,
month=month.month, month=month.month,
year=month.year) }}' year=month.year) }}'

2
templates/portfolios/task_orders/index.html
View File

@ -8,7 +8,7 @@
{% block portfolio_content %} {% block portfolio_content %}
{% macro ViewLink(task_order) %} {% macro ViewLink(task_order) %}
<a href="{{ url_for('portfolios.view_task_order', portfolio_id=portfolio.id, task_order_id=task_order.id) }}" class="icon-link view-task-order-link"> <a href="{{ url_for('task_orders.view_task_order', task_order_id=task_order.id) }}" class="icon-link view-task-order-link">
<span>View</span> <span>View</span>
{{ Icon("caret_right", classes="icon--tiny") }} {{ Icon("caret_right", classes="icon--tiny") }}
</a> </a>

5
templates/portfolios/task_orders/invitations.html
View File

@ -17,7 +17,7 @@
{% endmacro %} {% endmacro %}
{% macro EditOfficerInfo(form, officer_type, invited) -%} {% macro EditOfficerInfo(form, officer_type, invited) -%}
<form method='POST' action="{{ url_for("portfolios.edit_task_order_invitations", portfolio_id=portfolio.id, task_order_id=task_order.id) }}" autocomplete="off"> <form method='POST' action="{{ url_for("task_orders.invitations_edit", task_order_id=task_order.id) }}" autocomplete="off">
{{ form.csrf_token }} {{ form.csrf_token }}
<template v-if="editing"> <template v-if="editing">
<div class='officer__form'> <div class='officer__form'>
@ -107,8 +107,7 @@
confirm_btn=('task_orders.invitations.resend_btn' | translate), confirm_btn=('task_orders.invitations.resend_btn' | translate),
confirm_msg=('task_orders.invitations.resend_confirmation_message' | translate), confirm_msg=('task_orders.invitations.resend_confirmation_message' | translate),
action=url_for( action=url_for(
"portfolios.resend_invite", "task_orders.resend_invite",
portfolio_id=portfolio.id,
task_order_id=task_order.id, task_order_id=task_order.id,
invite_type=invite_type, invite_type=invite_type,
), ),

2
templates/portfolios/task_orders/review.html
View File

@ -19,7 +19,7 @@
{% include "fragments/flash.html" %} {% include "fragments/flash.html" %}
{% block form_action %} {% block form_action %}
<form method='POST' action="{{ url_for('portfolios.submit_ko_review', portfolio_id=portfolio.id, task_order_id=task_order.id, form=form) }}" autocomplete="off" enctype="multipart/form-data"> <form method='POST' action="{{ url_for('task_orders.submit_ko_review', task_order_id=task_order.id, form=form) }}" autocomplete="off" enctype="multipart/form-data">
{% endblock %} {% endblock %}
{{ form.csrf_token }} {{ form.csrf_token }}

10
templates/portfolios/task_orders/show.html
View File

@ -141,7 +141,7 @@
{{ {{
Step( Step(
button_text=show_dd_254_button and ("common.edit" | translate), button_text=show_dd_254_button and ("common.edit" | translate),
button_url=show_dd_254_button and url_for("portfolios.so_review", portfolio_id=portfolio.id, task_order_id=task_order.id), button_url=show_dd_254_button and url_for("task_orders.so_review", task_order_id=task_order.id),
complete=dd_254_complete, complete=dd_254_complete,
description="task_orders.view.steps.security" | translate({ description="task_orders.view.steps.security" | translate({
"security_officer": officer_name(task_order.security_officer) "security_officer": officer_name(task_order.security_officer)
@ -154,8 +154,7 @@
"contracting_officer_representative": officer_name(task_order.contracting_officer_representative) "contracting_officer_representative": officer_name(task_order.contracting_officer_representative)
}) | safe, }) | safe,
button_url=show_to_info_button and url_for( button_url=show_to_info_button and url_for(
"portfolios.ko_review", "task_orders.ko_review",
portfolio_id=portfolio.id,
task_order_id=task_order.id, task_order_id=task_order.id,
), ),
button_text=show_to_info_button and ("common.edit" | translate), button_text=show_to_info_button and ("common.edit" | translate),
@ -172,8 +171,7 @@
Step( Step(
button_text=show_sign_to_button and ("common.sign" | translate), button_text=show_sign_to_button and ("common.sign" | translate),
button_url=show_sign_to_button and url_for( button_url=show_sign_to_button and url_for(
"portfolios.ko_review", "task_orders.ko_review",
portfolio_id=portfolio.id,
task_order_id=task_order.id, task_order_id=task_order.id,
), ),
complete=is_to_signed, complete=is_to_signed,
@ -227,7 +225,7 @@
<div class="task-order-invitations__heading row"> <div class="task-order-invitations__heading row">
<h3>Invitations</h3> <h3>Invitations</h3>
{% if to_form_complete %} {% if to_form_complete %}
<a href="{{ url_for('portfolios.task_order_invitations', portfolio_id=portfolio.id, task_order_id=task_order.id) }}" class="icon-link"> <a href="{{ url_for('task_orders.invitations', task_order_id=task_order.id) }}" class="icon-link">
<span>{{ "common.manage" | translate }}</span> <span>{{ "common.manage" | translate }}</span>
{{ Icon("edit") }} {{ Icon("edit") }}
</a> </a>

2
templates/portfolios/task_orders/so_review.html
View File

@ -19,7 +19,7 @@
<div class="panel__content"> <div class="panel__content">
<form method="POST" action='{{ url_for("portfolios.submit_so_review", portfolio_id=portfolio.id, task_order_id=task_order.id) }}'> <form method="POST" action='{{ url_for("task_orders.submit_so_review", task_order_id=task_order.id) }}'>
{{ form.csrf_token }} {{ form.csrf_token }}
<h3 class="subheading">{{ "task_orders.so_review.certification" | translate }}</h3> <h3 class="subheading">{{ "task_orders.so_review.certification" | translate }}</h3>
{{ TextInput(form.certifying_official) }} {{ TextInput(form.certifying_official) }}

2
templates/task_orders/signing/signature_requested.html
View File

@ -41,7 +41,7 @@
<div class="action-group"> <div class="action-group">
{{ SaveButton(text=('common.sign' | translate), additional_classes="usa-button-big") }} {{ SaveButton(text=('common.sign' | translate), additional_classes="usa-button-big") }}
<a <a
href="{{ url_for("portfolios.ko_review", portfolio_id=portfolio_id, task_order_id=task_order_id) }}" href="{{ url_for("task_orders.ko_review", task_order_id=task_order_id) }}"
class="action-group__action icon-link"> class="action-group__action icon-link">
{{ Icon('caret_left') }} {{ Icon('caret_left') }}
<span class="icon icon--x"></span> <span class="icon icon--x"></span>

27
tests/domain/test_environment_roles.py
View File

@ -1,27 +0,0 @@
import pytest
from atst.domain.environment_roles import EnvironmentRoles
from atst.domain.exceptions import NotFoundError
from tests.factories import *
def test_get_for_portfolio():
user = UserFactory.create()
portfolio = PortfolioFactory.create()
application = ApplicationFactory.create(portfolio=portfolio)
environment = EnvironmentFactory.create(application=application)
env_role = EnvironmentRoleFactory.create(
environment=environment, user=user, role="basic access"
)
assert (
EnvironmentRoles.get_for_portfolio(
user.id, environment.id, portfolio_id=portfolio.id
)
== env_role
)
with pytest.raises(NotFoundError):
EnvironmentRoles.get_for_portfolio(
user.id, environment.id, portfolio_id=application.id
)

70
tests/routes/applications/test_index.py Normal file
View File

@ -0,0 +1,70 @@
from flask import url_for, get_flashed_messages
from tests.factories import (
UserFactory,
PortfolioFactory,
PortfolioRoleFactory,
EnvironmentRoleFactory,
EnvironmentFactory,
ApplicationFactory,
)
from atst.domain.applications import Applications
from atst.domain.portfolios import Portfolios
from atst.models.portfolio_role import Status as PortfolioRoleStatus
from tests.utils import captured_templates
def test_user_with_permission_has_budget_report_link(client, user_session):
portfolio = PortfolioFactory.create()
user_session(portfolio.owner)
response = client.get(
url_for("applications.portfolio_applications", portfolio_id=portfolio.id)
)
assert (
url_for("portfolios.reports", portfolio_id=portfolio.id)
in response.data.decode()
)
def test_user_without_permission_has_no_budget_report_link(client, user_session):
user = UserFactory.create()
portfolio = PortfolioFactory.create()
Portfolios._create_portfolio_role(
user, portfolio, status=PortfolioRoleStatus.ACTIVE
)
user_session(user)
response = client.get(
url_for("applications.portfolio_applications", portfolio_id=portfolio.id)
)
assert (
url_for("portfolios.reports", portfolio_id=portfolio.id)
not in response.data.decode()
)
def test_user_with_permission_has_add_application_link(client, user_session):
portfolio = PortfolioFactory.create()
user_session(portfolio.owner)
response = client.get(
url_for("applications.portfolio_applications", portfolio_id=portfolio.id)
)
assert (
url_for("applications.create", portfolio_id=portfolio.id)
in response.data.decode()
)
def test_user_without_permission_has_no_add_application_link(client, user_session):
user = UserFactory.create()
portfolio = PortfolioFactory.create()
Portfolios._create_portfolio_role(user, portfolio)
user_session(user)
response = client.get(
url_for("applications.portfolio_applications", portfolio_id=portfolio.id)
)
assert (
url_for("applications.create", portfolio_id=portfolio.id)
not in response.data.decode()
)

47
tests/routes/applications/test_init.py Normal file
View File

@ -0,0 +1,47 @@
from flask import url_for, get_flashed_messages
from tests.factories import (
UserFactory,
PortfolioFactory,
PortfolioRoleFactory,
EnvironmentRoleFactory,
EnvironmentFactory,
ApplicationFactory,
)
from atst.domain.applications import Applications
from atst.domain.portfolios import Portfolios
from atst.models.portfolio_role import Status as PortfolioRoleStatus
from tests.utils import captured_templates
def create_environment(user):
portfolio = PortfolioFactory.create()
portfolio_role = PortfolioRoleFactory.create(portfolio=portfolio, user=user)
application = ApplicationFactory.create(portfolio=portfolio)
return EnvironmentFactory.create(application=application, name="new environment!")
def test_environment_access_with_env_role(client, user_session):
user = UserFactory.create()
environment = create_environment(user)
env_role = EnvironmentRoleFactory.create(
user=user, environment=environment, role="developer"
)
user_session(user)
response = client.get(
url_for("applications.access_environment", environment_id=environment.id)
)
assert response.status_code == 302
assert "csp-environment-access" in response.location
def test_environment_access_with_no_role(client, user_session):
user = UserFactory.create()
environment = create_environment(user)
user_session(user)
response = client.get(
url_for("applications.access_environment", environment_id=environment.id)
)
assert response.status_code == 404

21
tests/routes/applications/test_new.py Normal file
View File

@ -0,0 +1,21 @@
from flask import url_for
from tests.factories import PortfolioFactory
def test_creating_application(client, user_session):
portfolio = PortfolioFactory.create()
user_session(portfolio.owner)
response = client.post(
url_for("applications.create", portfolio_id=portfolio.id),
data={
"name": "Test Application",
"description": "This is only a test",
"environment_names-0": "dev",
"environment_names-1": "staging",
"environment_names-2": "prod",
},
)
assert response.status_code == 302
assert len(portfolio.applications) == 1
assert len(portfolio.applications[0].environments) == 3

185
tests/routes/applications/test_settings.py Normal file
View File

@ -0,0 +1,185 @@
from flask import url_for, get_flashed_messages
from tests.factories import (
UserFactory,
PortfolioFactory,
PortfolioRoleFactory,
EnvironmentRoleFactory,
EnvironmentFactory,
ApplicationFactory,
)
from atst.domain.applications import Applications
from atst.domain.portfolios import Portfolios
from atst.models.portfolio_role import Status as PortfolioRoleStatus
from tests.utils import captured_templates
def test_application_settings(client, user_session):
portfolio = PortfolioFactory.create()
application = Applications.create(
portfolio,
"Snazzy Application",
"A new application for me and my friends",
{"env1", "env2"},
)
user_session(portfolio.owner)
response = client.get(
url_for("applications.settings", application_id=application.id)
)
assert response.status_code == 200
def test_edit_application_environments_obj(app, client, user_session):
portfolio = PortfolioFactory.create()
application = Applications.create(
portfolio,
"Snazzy Application",
"A new application for me and my friends",
{"env1", "env2"},
)
user1 = UserFactory.create()
user2 = UserFactory.create()
env1 = application.environments[0]
env2 = application.environments[1]
env_role1 = EnvironmentRoleFactory.create(environment=env1, user=user1)
env_role2 = EnvironmentRoleFactory.create(environment=env1, user=user2)
env_role3 = EnvironmentRoleFactory.create(environment=env2, user=user1)
user_session(portfolio.owner)
with captured_templates(app) as templates:
response = app.test_client().get(
url_for("applications.settings", application_id=application.id)
)
assert response.status_code == 200
_, context = templates[0]
assert context["environments_obj"] == {
env1.name: [
{"name": user1.full_name, "role": env_role1.role},
{"name": user2.full_name, "role": env_role2.role},
],
env2.name: [{"name": user1.full_name, "role": env_role3.role}],
}
def test_user_with_permission_can_update_application(client, user_session):
owner = UserFactory.create()
portfolio = PortfolioFactory.create(
owner=owner,
applications=[
{
"name": "Awesome Application",
"description": "It's really awesome!",
"environments": [{"name": "dev"}, {"name": "prod"}],
}
],
)
application = portfolio.applications[0]
user_session(owner)
response = client.post(
url_for("applications.update", application_id=application.id),
data={
"name": "Really Cool Application",
"description": "A very cool application.",
},
follow_redirects=True,
)
assert response.status_code == 200
assert application.name == "Really Cool Application"
assert application.description == "A very cool application."
def test_user_without_permission_cannot_update_application(client, user_session):
dev = UserFactory.create()
owner = UserFactory.create()
portfolio = PortfolioFactory.create(
owner=owner,
members=[{"user": dev, "role_name": "developer"}],
applications=[
{
"name": "Great Application",
"description": "Cool stuff happening here!",
"environments": [{"name": "dev"}, {"name": "prod"}],
}
],
)
application = portfolio.applications[0]
user_session(dev)
response = client.post(
url_for("applications.update", application_id=application.id),
data={"name": "New Name", "description": "A new description."},
follow_redirects=True,
)
assert response.status_code == 404
assert application.name == "Great Application"
assert application.description == "Cool stuff happening here!"
def test_user_can_only_access_apps_in_their_portfolio(client, user_session):
portfolio = PortfolioFactory.create()
other_portfolio = PortfolioFactory.create(
applications=[
{
"name": "Awesome Application",
"description": "More cool stuff happening here!",
"environments": [{"name": "dev"}],
}
]
)
other_application = other_portfolio.applications[0]
user_session(portfolio.owner)
# user can't view application edit form
response = client.get(
url_for("applications.settings", application_id=other_application.id)
)
assert response.status_code == 404
# user can't post update application form
time_updated = other_application.time_updated
response = client.post(
url_for("applications.update", application_id=other_application.id),
data={"name": "New Name", "description": "A new description."},
)
assert response.status_code == 404
assert time_updated == other_application.time_updated
def test_delete_application(client, user_session):
user = UserFactory.create()
port = PortfolioFactory.create(
owner=user,
applications=[
{
"name": "mos eisley",
"environments": [
{"name": "bar"},
{"name": "booth"},
{"name": "band stage"},
],
}
],
)
application = port.applications[0]
user_session(user)
response = client.post(
url_for("applications.delete", application_id=application.id)
)
# appropriate response and redirect
assert response.status_code == 302
assert response.location == url_for(
"applications.portfolio_applications", portfolio_id=port.id, _external=True
)
# appropriate flash message
message = get_flashed_messages()[0]
assert "deleted" in message["message"]
assert application.name in message["message"]
# app and envs are soft deleted
assert len(port.applications) == 0
assert len(application.environments) == 0

14
tests/routes/applications/test_team.py Normal file
View File

@ -0,0 +1,14 @@
from flask import url_for
from tests.factories import PortfolioFactory, ApplicationFactory
def test_application_team(client, user_session):
portfolio = PortfolioFactory.create()
application = ApplicationFactory.create(portfolio=portfolio)
user_session(portfolio.owner)
response = client.get(url_for("applications.team", application_id=application.id))
assert response.status_code == 200

0
tests/routes/portfolios/__init__.py Normal file
View File

207
tests/routes/portfolios/test_admin.py
View File

@ -2,6 +2,10 @@ from flask import url_for
from atst.domain.permission_sets import PermissionSets from atst.domain.permission_sets import PermissionSets
from atst.domain.portfolio_roles import PortfolioRoles from atst.domain.portfolio_roles import PortfolioRoles
from atst.domain.portfolios import Portfolios
from atst.models.permissions import Permissions
from atst.models.portfolio_role import Status as PortfolioRoleStatus
from atst.utils.localization import translate
from tests.factories import PortfolioFactory, PortfolioRoleFactory, UserFactory from tests.factories import PortfolioFactory, PortfolioRoleFactory, UserFactory
@ -16,7 +20,7 @@ def test_member_table_access(client, user_session):
permission_sets=[PermissionSets.get(PermissionSets.VIEW_PORTFOLIO_ADMIN)], permission_sets=[PermissionSets.get(PermissionSets.VIEW_PORTFOLIO_ADMIN)],
) )
url = url_for("portfolios.portfolio_admin", portfolio_id=portfolio.id) url = url_for("portfolios.admin", portfolio_id=portfolio.id)
# editable # editable
user_session(admin) user_session(admin)
@ -57,7 +61,7 @@ def test_update_member_permissions(client, user_session):
} }
response = client.post( response = client.post(
url_for("portfolios.edit_portfolio_members", portfolio_id=portfolio.id), url_for("portfolios.edit_members", portfolio_id=portfolio.id),
data=form_data, data=form_data,
follow_redirects=True, follow_redirects=True,
) )
@ -94,7 +98,7 @@ def test_no_update_member_permissions_without_edit_access(client, user_session):
} }
response = client.post( response = client.post(
url_for("portfolios.edit_portfolio_members", portfolio_id=portfolio.id), url_for("portfolios.edit_members", portfolio_id=portfolio.id),
data=form_data, data=form_data,
follow_redirects=True, follow_redirects=True,
) )
@ -125,7 +129,7 @@ def test_rerender_admin_page_if_member_perms_form_does_not_validate(
} }
response = client.post( response = client.post(
url_for("portfolios.edit_portfolio_members", portfolio_id=portfolio.id), url_for("portfolios.edit_members", portfolio_id=portfolio.id),
data=form_data, data=form_data,
follow_redirects=True, follow_redirects=True,
) )
@ -153,10 +157,203 @@ def test_cannot_update_portfolio_ppoc_perms(client, user_session):
} }
response = client.post( response = client.post(
url_for("portfolios.edit_portfolio_members", portfolio_id=portfolio.id), url_for("portfolios.edit_members", portfolio_id=portfolio.id),
data=member_perms_data, data=member_perms_data,
follow_redirects=True, follow_redirects=True,
) )
assert response.status_code == 404 assert response.status_code == 404
assert ppoc_pf_role.has_permission_set(PermissionSets.PORTFOLIO_POC) assert ppoc_pf_role.has_permission_set(PermissionSets.PORTFOLIO_POC)
def test_update_portfolio_name(client, user_session):
portfolio = PortfolioFactory.create()
user_session(portfolio.owner)
response = client.post(
url_for("portfolios.edit", portfolio_id=portfolio.id),
data={"name": "a cool new name"},
follow_redirects=True,
)
assert response.status_code == 200
assert portfolio.name == "a cool new name"
def updating_ppoc_successfully(client, old_ppoc, new_ppoc, portfolio):
response = client.post(
url_for("portfolios.update_ppoc", portfolio_id=portfolio.id, _external=True),
data={"user_id": new_ppoc.id},
follow_redirects=False,
)
assert response.status_code == 302
assert response.headers["Location"] == url_for(
"portfolios.admin",
portfolio_id=portfolio.id,
fragment="primary-point-of-contact",
_anchor="primary-point-of-contact",
_external=True,
)
assert portfolio.owner.id == new_ppoc.id
assert (
Permissions.EDIT_PORTFOLIO_POC
in PortfolioRoles.get(
portfolio_id=portfolio.id, user_id=new_ppoc.id
).permissions
)
assert (
Permissions.EDIT_PORTFOLIO_POC
not in PortfolioRoles.get(portfolio.id, old_ppoc.id).permissions
)
def test_update_ppoc_no_user_id_specified(client, user_session):
portfolio = PortfolioFactory.create()
user_session(portfolio.owner)
response = client.post(
url_for("portfolios.update_ppoc", portfolio_id=portfolio.id, _external=True),
follow_redirects=False,
)
assert response.status_code == 404
def test_update_ppoc_to_member_not_on_portfolio(client, user_session):
portfolio = PortfolioFactory.create()
original_ppoc = portfolio.owner
non_portfolio_member = UserFactory.create()
user_session(original_ppoc)
response = client.post(
url_for("portfolios.update_ppoc", portfolio_id=portfolio.id, _external=True),
data={"user_id": non_portfolio_member.id},
follow_redirects=False,
)
assert response.status_code == 404
assert portfolio.owner.id == original_ppoc.id
def test_update_ppoc_when_ppoc(client, user_session):
portfolio = PortfolioFactory.create()
original_ppoc = portfolio.owner
new_ppoc = UserFactory.create()
Portfolios.add_member(
member=new_ppoc,
portfolio=portfolio,
permission_sets=[PermissionSets.VIEW_PORTFOLIO],
)
user_session(original_ppoc)
updating_ppoc_successfully(
client=client, new_ppoc=new_ppoc, old_ppoc=original_ppoc, portfolio=portfolio
)
def test_update_ppoc_when_cpo(client, user_session):
ccpo = UserFactory.create_ccpo()
portfolio = PortfolioFactory.create()
original_ppoc = portfolio.owner
new_ppoc = UserFactory.create()
Portfolios.add_member(
member=new_ppoc,
portfolio=portfolio,
permission_sets=[PermissionSets.VIEW_PORTFOLIO],
)
user_session(ccpo)
updating_ppoc_successfully(
client=client, new_ppoc=new_ppoc, old_ppoc=original_ppoc, portfolio=portfolio
)
def test_update_ppoc_when_not_ppoc(client, user_session):
portfolio = PortfolioFactory.create()
new_owner = UserFactory.create()
user_session(new_owner)
response = client.post(
url_for("portfolios.update_ppoc", portfolio_id=portfolio.id, _external=True),
data={"dod_id": new_owner.dod_id},
follow_redirects=False,
)
assert response.status_code == 404
def test_portfolio_admin_screen_when_ppoc(client, user_session):
portfolio = PortfolioFactory.create()
user_session(portfolio.owner)
response = client.get(url_for("portfolios.admin", portfolio_id=portfolio.id))
assert response.status_code == 200
assert portfolio.name in response.data.decode()
assert translate("fragments.ppoc.update_btn").encode("utf8") in response.data
def test_portfolio_admin_screen_when_not_ppoc(client, user_session):
portfolio = PortfolioFactory.create()
user = UserFactory.create()
permission_sets = PermissionSets.get_many(
[PermissionSets.EDIT_PORTFOLIO_ADMIN, PermissionSets.VIEW_PORTFOLIO_ADMIN]
)
PortfolioRoleFactory.create(
portfolio=portfolio, user=user, permission_sets=permission_sets
)
user_session(user)
response = client.get(url_for("portfolios.admin", portfolio_id=portfolio.id))
assert response.status_code == 200
assert portfolio.name in response.data.decode()
assert translate("fragments.ppoc.update_btn").encode("utf8") not in response.data
def test_remove_portfolio_member(client, user_session):
portfolio = PortfolioFactory.create()
user = UserFactory.create()
PortfolioRoleFactory.create(portfolio=portfolio, user=user)
user_session(portfolio.owner)
response = client.post(
url_for("portfolios.remove_member", portfolio_id=portfolio.id, user_id=user.id),
follow_redirects=False,
)
assert response.status_code == 302
assert response.headers["Location"] == url_for(
"portfolios.admin",
portfolio_id=portfolio.id,
_anchor="portfolio-members",
fragment="portfolio-members",
_external=True,
)
assert (
PortfolioRoles.get(portfolio_id=portfolio.id, user_id=user.id).status
== PortfolioRoleStatus.DISABLED
)
def test_remove_portfolio_member_self(client, user_session):
portfolio = PortfolioFactory.create()
user_session(portfolio.owner)
response = client.post(
url_for(
"portfolios.remove_member",
portfolio_id=portfolio.id,
user_id=portfolio.owner.id,
),
follow_redirects=False,
)
assert response.status_code == 404
assert (
PortfolioRoles.get(portfolio_id=portfolio.id, user_id=portfolio.owner.id).status
== PortfolioRoleStatus.ACTIVE
)

358
tests/routes/portfolios/test_applications.py
View File

@ -1,358 +0,0 @@
from flask import url_for, get_flashed_messages
from tests.factories import (
UserFactory,
PortfolioFactory,
PortfolioRoleFactory,
EnvironmentRoleFactory,
EnvironmentFactory,
ApplicationFactory,
)
from atst.domain.applications import Applications
from atst.domain.portfolios import Portfolios
from atst.models.portfolio_role import Status as PortfolioRoleStatus
from tests.utils import captured_templates
def test_user_with_permission_has_budget_report_link(client, user_session):
portfolio = PortfolioFactory.create()
user_session(portfolio.owner)
response = client.get(
url_for("portfolios.portfolio_applications", portfolio_id=portfolio.id)
)
assert (
url_for("portfolios.portfolio_reports", portfolio_id=portfolio.id)
in response.data.decode()
)
def test_user_without_permission_has_no_budget_report_link(client, user_session):
user = UserFactory.create()
portfolio = PortfolioFactory.create()
Portfolios._create_portfolio_role(
user, portfolio, status=PortfolioRoleStatus.ACTIVE
)
user_session(user)
response = client.get(
url_for("portfolios.portfolio_applications", portfolio_id=portfolio.id)
)
assert (
url_for("portfolios.portfolio_reports", portfolio_id=portfolio.id)
not in response.data.decode()
)
def test_user_with_permission_has_add_application_link(client, user_session):
portfolio = PortfolioFactory.create()
user_session(portfolio.owner)
response = client.get(
url_for("portfolios.portfolio_applications", portfolio_id=portfolio.id)
)
assert (
url_for("portfolios.create_application", portfolio_id=portfolio.id)
in response.data.decode()
)
def test_user_without_permission_has_no_add_application_link(client, user_session):
user = UserFactory.create()
portfolio = PortfolioFactory.create()
Portfolios._create_portfolio_role(user, portfolio)
user_session(user)
response = client.get(
url_for("portfolios.portfolio_applications", portfolio_id=portfolio.id)
)
assert (
url_for("portfolios.create_application", portfolio_id=portfolio.id)
not in response.data.decode()
)
def test_creating_application(client, user_session):
portfolio = PortfolioFactory.create()
user_session(portfolio.owner)
response = client.post(
url_for("portfolios.create_application", portfolio_id=portfolio.id),
data={
"name": "Test Application",
"description": "This is only a test",
"environment_names-0": "dev",
"environment_names-1": "staging",
"environment_names-2": "prod",
},
)
assert response.status_code == 302
assert len(portfolio.applications) == 1
assert len(portfolio.applications[0].environments) == 3
def test_view_edit_application(client, user_session):
portfolio = PortfolioFactory.create()
application = Applications.create(
portfolio,
"Snazzy Application",
"A new application for me and my friends",
{"env1", "env2"},
)
user_session(portfolio.owner)
response = client.get(
url_for(
"portfolios.update_application",
portfolio_id=portfolio.id,
application_id=application.id,
)
)
assert response.status_code == 200
def test_edit_application_environments_obj(app, client, user_session):
portfolio = PortfolioFactory.create()
application = Applications.create(
portfolio,
"Snazzy Application",
"A new application for me and my friends",
{"env1", "env2"},
)
user1 = UserFactory.create()
user2 = UserFactory.create()
env1 = application.environments[0]
env2 = application.environments[1]
env_role1 = EnvironmentRoleFactory.create(environment=env1, user=user1)
env_role2 = EnvironmentRoleFactory.create(environment=env1, user=user2)
env_role3 = EnvironmentRoleFactory.create(environment=env2, user=user1)
user_session(portfolio.owner)
with captured_templates(app) as templates:
response = app.test_client().get(
url_for(
"portfolios.edit_application",
portfolio_id=portfolio.id,
application_id=application.id,
)
)
assert response.status_code == 200
_, context = templates[0]
assert context["environments_obj"] == {
env1.name: [
{"name": user1.full_name, "role": env_role1.role},
{"name": user2.full_name, "role": env_role2.role},
],
env2.name: [{"name": user1.full_name, "role": env_role3.role}],
}
def test_user_with_permission_can_update_application(client, user_session):
owner = UserFactory.create()
portfolio = PortfolioFactory.create(
owner=owner,
applications=[
{
"name": "Awesome Application",
"description": "It's really awesome!",
"environments": [{"name": "dev"}, {"name": "prod"}],
}
],
)
application = portfolio.applications[0]
user_session(owner)
response = client.post(
url_for(
"portfolios.update_application",
portfolio_id=portfolio.id,
application_id=application.id,
),
data={
"name": "Really Cool Application",
"description": "A very cool application.",
},
follow_redirects=True,
)
assert response.status_code == 200
assert application.name == "Really Cool Application"
assert application.description == "A very cool application."
def test_user_without_permission_cannot_update_application(client, user_session):
dev = UserFactory.create()
owner = UserFactory.create()
portfolio = PortfolioFactory.create(
owner=owner,
members=[{"user": dev, "role_name": "developer"}],
applications=[
{
"name": "Great Application",
"description": "Cool stuff happening here!",
"environments": [{"name": "dev"}, {"name": "prod"}],
}
],
)
application = portfolio.applications[0]
user_session(dev)
response = client.post(
url_for(
"portfolios.update_application",
portfolio_id=portfolio.id,
application_id=application.id,
),
data={"name": "New Name", "description": "A new description."},
follow_redirects=True,
)
assert response.status_code == 404
assert application.name == "Great Application"
assert application.description == "Cool stuff happening here!"
def test_user_can_only_access_apps_in_their_portfolio(client, user_session):
portfolio = PortfolioFactory.create()
other_portfolio = PortfolioFactory.create(
applications=[
{
"name": "Awesome Application",
"description": "More cool stuff happening here!",
"environments": [{"name": "dev"}],
}
]
)
other_application = other_portfolio.applications[0]
user_session(portfolio.owner)
# user can't view application edit form
response = client.get(
url_for(
"portfolios.edit_application",
portfolio_id=portfolio.id,
application_id=other_application.id,
)
)
assert response.status_code == 404
# user can't post update application form
time_updated = other_application.time_updated
response = client.post(
url_for(
"portfolios.update_application",
portfolio_id=portfolio.id,
application_id=other_application.id,
),
data={"name": "New Name", "description": "A new description."},
)
assert response.status_code == 404
assert time_updated == other_application.time_updated
def create_environment(user):
portfolio = PortfolioFactory.create()
portfolio_role = PortfolioRoleFactory.create(portfolio=portfolio, user=user)
application = ApplicationFactory.create(portfolio=portfolio)
return EnvironmentFactory.create(application=application, name="new environment!")
def test_environment_access_with_env_role(client, user_session):
user = UserFactory.create()
environment = create_environment(user)
env_role = EnvironmentRoleFactory.create(
user=user, environment=environment, role="developer"
)
user_session(user)
response = client.get(
url_for(
"portfolios.access_environment",
portfolio_id=environment.portfolio.id,
environment_id=environment.id,
)
)
assert response.status_code == 302
assert "csp-environment-access" in response.location
def test_environment_access_with_no_role(client, user_session):
user = UserFactory.create()
environment = create_environment(user)
user_session(user)
response = client.get(
url_for(
"portfolios.access_environment",
portfolio_id=environment.portfolio.id,
environment_id=environment.id,
)
)
assert response.status_code == 404
def test_delete_application(client, user_session):
user = UserFactory.create()
port = PortfolioFactory.create(
owner=user,
applications=[
{
"name": "mos eisley",
"environments": [
{"name": "bar"},
{"name": "booth"},
{"name": "band stage"},
],
}
],
)
application = port.applications[0]
user_session(user)
response = client.post(
url_for(
"portfolios.delete_application",
portfolio_id=port.id,
application_id=application.id,
)
)
# appropriate response and redirect
assert response.status_code == 302
assert response.location == url_for(
"portfolios.portfolio_applications", portfolio_id=port.id, _external=True
)
# appropriate flash message
message = get_flashed_messages()[0]
assert "deleted" in message["message"]
assert application.name in message["message"]
# app and envs are soft deleted
assert len(port.applications) == 0
assert len(application.environments) == 0
def test_edit_application_scope(client, user_session):
owner = UserFactory.create()
port1 = PortfolioFactory.create(owner=owner, applications=[{"name": "first app"}])
port2 = PortfolioFactory.create(owner=owner, applications=[{"name": "second app"}])
user_session(owner)
response = client.get(
url_for(
"portfolios.edit_application",
portfolio_id=port2.id,
application_id=port1.applications[0].id,
)
)
assert response.status_code == 404
def test_application_team(client, user_session):
portfolio = PortfolioFactory.create()
application = ApplicationFactory.create(portfolio=portfolio)
user_session(portfolio.owner)
response = client.get(
url_for(
"portfolios.application_team",
portfolio_id=portfolio.id,
application_id=application.id,
)
)
assert response.status_code == 200

65
tests/routes/portfolios/test_index.py Normal file
View File

@ -0,0 +1,65 @@
from flask import url_for
from tests.factories import (
random_future_date,
random_past_date,
PortfolioFactory,
TaskOrderFactory,
UserFactory,
)
from atst.utils.localization import translate
def test_portfolio_index_with_existing_portfolios(client, user_session):
portfolio = PortfolioFactory.create()
user_session(portfolio.owner)
response = client.get(url_for("portfolios.portfolios"))
assert response.status_code == 200
assert portfolio.name.encode("utf8") in response.data
assert (
translate("portfolios.index.empty.start_button").encode("utf8")
not in response.data
)
def test_portfolio_index_without_existing_portfolios(client, user_session):
user = UserFactory.create()
user_session(user)
response = client.get(url_for("portfolios.portfolios"))
assert response.status_code == 200
assert (
translate("portfolios.index.empty.start_button").encode("utf8") in response.data
)
def test_portfolio_reports(client, user_session):
portfolio = PortfolioFactory.create(
applications=[
{"name": "application1", "environments": [{"name": "application1 prod"}]}
]
)
task_order = TaskOrderFactory.create(
number="42",
start_date=random_past_date(),
end_date=random_future_date(),
portfolio=portfolio,
)
user_session(portfolio.owner)
response = client.get(url_for("portfolios.reports", portfolio_id=portfolio.id))
assert response.status_code == 200
assert portfolio.name in response.data.decode()
expiration_date = task_order.end_date.strftime("%Y-%m-%d")
assert expiration_date in response.data.decode()
def test_portfolio_reports_with_mock_portfolio(client, user_session):
portfolio = PortfolioFactory.create(name="A-Wing")
user_session(portfolio.owner)
response = client.get(url_for("portfolios.reports", portfolio_id=portfolio.id))
assert response.status_code == 200
assert portfolio.name in response.data.decode()
assert "$251,626.00 Total spend to date" in response.data.decode()

15
tests/routes/portfolios/test_invitations.py
View File

@ -300,10 +300,7 @@ def test_contracting_officer_accepts_invite(monkeypatch, client, user_session):
# user is redirected to the task order review page # user is redirected to the task order review page
assert response.status_code == 302 assert response.status_code == 302
to_review_url = url_for( to_review_url = url_for(
"portfolios.view_task_order", "task_orders.view_task_order", task_order_id=task_order.id, _external=True
portfolio_id=task_order.portfolio_id,
task_order_id=task_order.id,
_external=True,
) )
assert response.headers["Location"] == to_review_url assert response.headers["Location"] == to_review_url
@ -337,10 +334,7 @@ def test_cor_accepts_invite(monkeypatch, client, user_session):
# user is redirected to the task order review page # user is redirected to the task order review page
assert response.status_code == 302 assert response.status_code == 302
to_review_url = url_for( to_review_url = url_for(
"portfolios.view_task_order", "task_orders.view_task_order", task_order_id=task_order.id, _external=True
portfolio_id=task_order.portfolio_id,
task_order_id=task_order.id,
_external=True,
) )
assert response.headers["Location"] == to_review_url assert response.headers["Location"] == to_review_url
@ -374,9 +368,6 @@ def test_so_accepts_invite(monkeypatch, client, user_session):
# user is redirected to the task order review page # user is redirected to the task order review page
assert response.status_code == 302 assert response.status_code == 302
to_review_url = url_for( to_review_url = url_for(
"portfolios.view_task_order", "task_orders.view_task_order", task_order_id=task_order.id, _external=True
portfolio_id=task_order.portfolio_id,
task_order_id=task_order.id,
_external=True,
) )
assert response.headers["Location"] == to_review_url assert response.headers["Location"] == to_review_url

4
tests/routes/portfolios/test_members.py
View File

@ -15,9 +15,7 @@ _DEFAULT_PERMS_FORM_DATA = {
def test_user_with_permission_has_add_member_link(client, user_session): def test_user_with_permission_has_add_member_link(client, user_session):
portfolio = PortfolioFactory.create() portfolio = PortfolioFactory.create()
user_session(portfolio.owner) user_session(portfolio.owner)
response = client.get( response = client.get(url_for("portfolios.admin", portfolio_id=portfolio.id))
url_for("portfolios.portfolio_admin", portfolio_id=portfolio.id)
)
assert response.status_code == 200 assert response.status_code == 200
assert ( assert (
url_for("portfolios.create_member", portfolio_id=portfolio.id).encode() url_for("portfolios.create_member", portfolio_id=portfolio.id).encode()

275
tests/routes/portfolios/test_portfolios_index.py
View File

@ -1,275 +0,0 @@
import pytest
from flask import url_for
from atst.domain.permission_sets import PermissionSets
from atst.domain.portfolios import Portfolios
from atst.models.permissions import Permissions
from atst.domain.portfolio_roles import PortfolioRoles
from atst.models.portfolio_role import Status as PortfolioRoleStatus
from atst.domain.exceptions import UnauthorizedError
from tests.factories import (
random_future_date,
random_past_date,
PortfolioFactory,
PortfolioRoleFactory,
TaskOrderFactory,
UserFactory,
)
from atst.utils.localization import translate
def test_update_portfolio_name(client, user_session):
portfolio = PortfolioFactory.create()
user_session(portfolio.owner)
response = client.post(
url_for("portfolios.edit_portfolio", portfolio_id=portfolio.id),
data={"name": "a cool new name"},
follow_redirects=True,
)
assert response.status_code == 200
assert portfolio.name == "a cool new name"
def updating_ppoc_successfully(client, old_ppoc, new_ppoc, portfolio):
response = client.post(
url_for("portfolios.update_ppoc", portfolio_id=portfolio.id, _external=True),
data={"user_id": new_ppoc.id},
follow_redirects=False,
)
assert response.status_code == 302
assert response.headers["Location"] == url_for(
"portfolios.portfolio_admin",
portfolio_id=portfolio.id,
fragment="primary-point-of-contact",
_anchor="primary-point-of-contact",
_external=True,
)
assert portfolio.owner.id == new_ppoc.id
assert (
Permissions.EDIT_PORTFOLIO_POC
in PortfolioRoles.get(
portfolio_id=portfolio.id, user_id=new_ppoc.id
).permissions
)
assert (
Permissions.EDIT_PORTFOLIO_POC
not in PortfolioRoles.get(portfolio.id, old_ppoc.id).permissions
)
def test_update_ppoc_no_user_id_specified(client, user_session):
portfolio = PortfolioFactory.create()
user_session(portfolio.owner)
response = client.post(
url_for("portfolios.update_ppoc", portfolio_id=portfolio.id, _external=True),
follow_redirects=False,
)
assert response.status_code == 404
def test_update_ppoc_to_member_not_on_portfolio(client, user_session):
portfolio = PortfolioFactory.create()
original_ppoc = portfolio.owner
non_portfolio_member = UserFactory.create()
user_session(original_ppoc)
response = client.post(
url_for("portfolios.update_ppoc", portfolio_id=portfolio.id, _external=True),
data={"user_id": non_portfolio_member.id},
follow_redirects=False,
)
assert response.status_code == 404
assert portfolio.owner.id == original_ppoc.id
def test_update_ppoc_when_ppoc(client, user_session):
portfolio = PortfolioFactory.create()
original_ppoc = portfolio.owner
new_ppoc = UserFactory.create()
Portfolios.add_member(
member=new_ppoc,
portfolio=portfolio,
permission_sets=[PermissionSets.VIEW_PORTFOLIO],
)
user_session(original_ppoc)
updating_ppoc_successfully(
client=client, new_ppoc=new_ppoc, old_ppoc=original_ppoc, portfolio=portfolio
)
def test_update_ppoc_when_cpo(client, user_session):
ccpo = UserFactory.create_ccpo()
portfolio = PortfolioFactory.create()
original_ppoc = portfolio.owner
new_ppoc = UserFactory.create()
Portfolios.add_member(
member=new_ppoc,
portfolio=portfolio,
permission_sets=[PermissionSets.VIEW_PORTFOLIO],
)
user_session(ccpo)
updating_ppoc_successfully(
client=client, new_ppoc=new_ppoc, old_ppoc=original_ppoc, portfolio=portfolio
)
def test_update_ppoc_when_not_ppoc(client, user_session):
portfolio = PortfolioFactory.create()
new_owner = UserFactory.create()
user_session(new_owner)
response = client.post(
url_for("portfolios.update_ppoc", portfolio_id=portfolio.id, _external=True),
data={"dod_id": new_owner.dod_id},
follow_redirects=False,
)
assert response.status_code == 404
def test_portfolio_index_with_existing_portfolios(client, user_session):
portfolio = PortfolioFactory.create()
user_session(portfolio.owner)
response = client.get(url_for("portfolios.portfolios"))
assert response.status_code == 200
assert portfolio.name.encode("utf8") in response.data
assert (
translate("portfolios.index.empty.start_button").encode("utf8")
not in response.data
)
def test_portfolio_index_without_existing_portfolios(client, user_session):
user = UserFactory.create()
user_session(user)
response = client.get(url_for("portfolios.portfolios"))
assert response.status_code == 200
assert (
translate("portfolios.index.empty.start_button").encode("utf8") in response.data
)
def test_portfolio_admin_screen_when_ppoc(client, user_session):
portfolio = PortfolioFactory.create()
user_session(portfolio.owner)
response = client.get(
url_for("portfolios.portfolio_admin", portfolio_id=portfolio.id)
)
assert response.status_code == 200
assert portfolio.name in response.data.decode()
assert translate("fragments.ppoc.update_btn").encode("utf8") in response.data
def test_portfolio_admin_screen_when_not_ppoc(client, user_session):
portfolio = PortfolioFactory.create()
user = UserFactory.create()
permission_sets = PermissionSets.get_many(
[PermissionSets.EDIT_PORTFOLIO_ADMIN, PermissionSets.VIEW_PORTFOLIO_ADMIN]
)
PortfolioRoleFactory.create(
portfolio=portfolio, user=user, permission_sets=permission_sets
)
user_session(user)
response = client.get(
url_for("portfolios.portfolio_admin", portfolio_id=portfolio.id)
)
assert response.status_code == 200
assert portfolio.name in response.data.decode()
assert translate("fragments.ppoc.update_btn").encode("utf8") not in response.data
def test_remove_portfolio_member(client, user_session):
portfolio = PortfolioFactory.create()
user = UserFactory.create()
PortfolioRoleFactory.create(portfolio=portfolio, user=user)
user_session(portfolio.owner)
response = client.post(
url_for("portfolios.remove_member", portfolio_id=portfolio.id, user_id=user.id),
follow_redirects=False,
)
assert response.status_code == 302
assert response.headers["Location"] == url_for(
"portfolios.portfolio_admin",
portfolio_id=portfolio.id,
_anchor="portfolio-members",
fragment="portfolio-members",
_external=True,
)
assert (
PortfolioRoles.get(portfolio_id=portfolio.id, user_id=user.id).status
== PortfolioRoleStatus.DISABLED
)
def test_remove_portfolio_member_self(client, user_session):
portfolio = PortfolioFactory.create()
user_session(portfolio.owner)
response = client.post(
url_for(
"portfolios.remove_member",
portfolio_id=portfolio.id,
user_id=portfolio.owner.id,
),
follow_redirects=False,
)
assert response.status_code == 404
assert (
PortfolioRoles.get(portfolio_id=portfolio.id, user_id=portfolio.owner.id).status
== PortfolioRoleStatus.ACTIVE
)
def test_portfolio_reports(client, user_session):
portfolio = PortfolioFactory.create(
applications=[
{"name": "application1", "environments": [{"name": "application1 prod"}]}
]
)
task_order = TaskOrderFactory.create(
number="42",
start_date=random_past_date(),
end_date=random_future_date(),
portfolio=portfolio,
)
user_session(portfolio.owner)
response = client.get(
url_for("portfolios.portfolio_reports", portfolio_id=portfolio.id)
)
assert response.status_code == 200
assert portfolio.name in response.data.decode()
expiration_date = task_order.end_date.strftime("%Y-%m-%d")
assert expiration_date in response.data.decode()
def test_portfolio_reports_with_mock_portfolio(client, user_session):
portfolio = PortfolioFactory.create(name="A-Wing")
user_session(portfolio.owner)
response = client.get(
url_for("portfolios.portfolio_reports", portfolio_id=portfolio.id)
)
assert response.status_code == 200
assert portfolio.name in response.data.decode()
assert "$251,626.00 Total spend to date" in response.data.decode()

898
tests/routes/portfolios/test_task_orders.py
View File

@ -1,898 +0,0 @@
from flask import url_for
import pytest
from datetime import timedelta, date, datetime
from atst.domain.permission_sets import PermissionSets
from atst.domain.task_orders import TaskOrders
from atst.models.portfolio_role import Status as PortfolioStatus
from atst.models.invitation import Status as InvitationStatus
from atst.utils.localization import translate
from atst.queue import queue
from atst.domain.invitations import Invitations
from tests.factories import (
PortfolioFactory,
InvitationFactory,
PortfolioRoleFactory,
TaskOrderFactory,
UserFactory,
DD254Factory,
random_future_date,
random_past_date,
)
from tests.utils import captured_templates
@pytest.fixture
def portfolio():
return PortfolioFactory.create()
@pytest.fixture
def user():
return UserFactory.create()
class TestPortfolioFunding:
def test_portfolio_with_no_task_orders(self, app, user_session, portfolio):
user_session(portfolio.owner)
with captured_templates(app) as templates:
response = app.test_client().get(
url_for("portfolios.portfolio_funding", portfolio_id=portfolio.id)
)
assert response.status_code == 200
_, context = templates[0]
assert context["funding_end_date"] is None
assert context["total_balance"] == 0
assert context["pending_task_orders"] == []
assert context["active_task_orders"] == []
assert context["expired_task_orders"] == []
def test_funded_portfolio(self, app, user_session, portfolio):
user_session(portfolio.owner)
pending_to = TaskOrderFactory.create(portfolio=portfolio)
active_to1 = TaskOrderFactory.create(
portfolio=portfolio,
start_date=random_past_date(),
end_date=random_future_date(),
number="42",
)
active_to2 = TaskOrderFactory.create(
portfolio=portfolio,
start_date=random_past_date(),
end_date=random_future_date(),
number="43",
)
end_date = (
active_to1.end_date
if active_to1.end_date > active_to2.end_date
else active_to2.end_date
)
with captured_templates(app) as templates:
response = app.test_client().get(
url_for("portfolios.portfolio_funding", portfolio_id=portfolio.id)
)
assert response.status_code == 200
_, context = templates[0]
assert context["funding_end_date"] is end_date
assert context["total_balance"] == active_to1.budget + active_to2.budget
def test_expiring_and_funded_portfolio(self, app, user_session, portfolio):
user_session(portfolio.owner)
expiring_to = TaskOrderFactory.create(
portfolio=portfolio,
start_date=random_past_date(),
end_date=(date.today() + timedelta(days=10)),
number="42",
)
active_to = TaskOrderFactory.create(
portfolio=portfolio,
start_date=random_past_date(),
end_date=random_future_date(year_min=1, year_max=2),
number="43",
)
with captured_templates(app) as templates:
response = app.test_client().get(
url_for("portfolios.portfolio_funding", portfolio_id=portfolio.id)
)
assert response.status_code == 200
_, context = templates[0]
assert context["funding_end_date"] is active_to.end_date
assert context["funded"] == True
def test_expiring_and_unfunded_portfolio(self, app, user_session, portfolio):
user_session(portfolio.owner)
expiring_to = TaskOrderFactory.create(
portfolio=portfolio,
start_date=random_past_date(),
end_date=(date.today() + timedelta(days=10)),
number="42",
)
with captured_templates(app) as templates:
response = app.test_client().get(
url_for("portfolios.portfolio_funding", portfolio_id=portfolio.id)
)
assert response.status_code == 200
_, context = templates[0]
assert context["funding_end_date"] is expiring_to.end_date
assert context["funded"] == False
def test_user_can_only_access_to_in_their_portfolio(
self, app, user_session, portfolio
):
other_task_order = TaskOrderFactory.create()
user_session(portfolio.owner)
response = app.test_client().get(
url_for(
"portfolios.view_task_order",
portfolio_id=portfolio.id,
task_order_id=other_task_order.id,
)
)
assert response.status_code == 404
class TestTaskOrderInvitations:
def setup(self):
self.portfolio = PortfolioFactory.create()
self.task_order = TaskOrderFactory.create(portfolio=self.portfolio)
def _post(self, client, updates):
return client.post(
url_for(
"portfolios.edit_task_order_invitations",
portfolio_id=self.portfolio.id,
task_order_id=self.task_order.id,
),
headers={"Content-Type": "application/x-www-form-urlencoded"},
data=updates,
)
def test_editing_with_partial_data(self, user_session, client):
queue_length = len(queue.get_queue())
user_session(self.portfolio.owner)
response = self._post(
client,
{
"contracting_officer-first_name": "Luke",
"contracting_officer-last_name": "Skywalker",
"security_officer-first_name": "Boba",
"security_officer-last_name": "Fett",
},
)
updated_task_order = TaskOrders.get(self.task_order.id)
assert updated_task_order.ko_first_name == "Luke"
assert updated_task_order.ko_last_name == "Skywalker"
assert updated_task_order.so_first_name == "Boba"
assert updated_task_order.so_last_name == "Fett"
assert len(queue.get_queue()) == queue_length
assert response.status_code == 302
assert (
url_for(
"portfolios.task_order_invitations",
portfolio_id=self.portfolio.id,
task_order_id=self.task_order.id,
_external=True,
)
== response.headers["Location"]
)
def test_editing_with_complete_data(self, user_session, client):
queue_length = len(queue.get_queue())
user_session(self.portfolio.owner)
response = self._post(
client,
{
"contracting_officer-first_name": "Luke",
"contracting_officer-last_name": "Skywalker",
"contracting_officer-dod_id": "0123456789",
"contracting_officer-email": "luke@skywalker.mil",
"contracting_officer-phone_number": "0123456789",
"contracting_officer-invite": "y",
},
)
updated_task_order = TaskOrders.get(self.task_order.id)
assert updated_task_order.ko_invite == True
assert updated_task_order.ko_first_name == "Luke"
assert updated_task_order.ko_last_name == "Skywalker"
assert updated_task_order.ko_email == "luke@skywalker.mil"
assert updated_task_order.ko_phone_number == "0123456789"
assert len(queue.get_queue()) == queue_length + 1
assert response.status_code == 302
assert (
url_for(
"portfolios.task_order_invitations",
portfolio_id=self.portfolio.id,
task_order_id=self.task_order.id,
_external=True,
)
== response.headers["Location"]
)
def test_editing_with_invalid_data(self, user_session, client):
queue_length = len(queue.get_queue())
user_session(self.portfolio.owner)
response = self._post(
client,
{
"contracting_officer-phone_number": "invalid input",
"security_officer-first_name": "Boba",
"security_officer-last_name": "Fett",
},
)
assert "There were some errors" in response.data.decode()
updated_task_order = TaskOrders.get(self.task_order.id)
assert updated_task_order.so_first_name != "Boba"
assert len(queue.get_queue()) == queue_length
assert response.status_code == 400
def test_user_can_only_invite_to_task_order_in_their_portfolio(
self, user_session, client, portfolio
):
other_task_order = TaskOrderFactory.create()
user_session(portfolio.owner)
# user can't see invites
response = client.get(
url_for(
"portfolios.task_order_invitations",
portfolio_id=portfolio.id,
task_order_id=other_task_order.id,
)
)
assert response.status_code == 404
# user can't send invites
time_updated = other_task_order.time_updated
response = client.post(
url_for(
"portfolios.edit_task_order_invitations",
portfolio_id=portfolio.id,
task_order_id=other_task_order.id,
),
data={
"contracting_officer-first_name": "Luke",
"contracting_officer-last_name": "Skywalker",
"contracting_officer-dod_id": "0123456789",
"contracting_officer-email": "luke@skywalker.mil",
"contracting_officer-phone_number": "0123456789",
"contracting_officer-invite": "y",
},
)
assert response.status_code == 404
assert time_updated == other_task_order.time_updated
# user can't resend invites
response = client.post(
url_for(
"portfolios.resend_invite",
portfolio_id=portfolio.id,
task_order_id=other_task_order.id,
invite_type="ko_invite",
)
)
assert response.status_code == 404
assert time_updated == other_task_order.time_updated
def test_does_not_render_resend_invite_if_user_is_mo_and_user_is_cor(
self, client, user_session
):
task_order = TaskOrderFactory.create(
portfolio=self.portfolio,
creator=self.portfolio.owner,
cor_first_name=self.portfolio.owner.first_name,
cor_last_name=self.portfolio.owner.last_name,
cor_email=self.portfolio.owner.email,
cor_phone_number=self.portfolio.owner.phone_number,
cor_dod_id=self.portfolio.owner.dod_id,
cor_invite=True,
)
user_session(self.portfolio.owner)
response = client.get(
url_for(
"portfolios.task_order_invitations",
portfolio_id=self.portfolio.id,
task_order_id=task_order.id,
)
)
assert "Resend Invitation" not in response.data.decode()
def test_renders_resend_invite_if_user_is_mo_and_user_is_not_cor(
self, client, user_session
):
cor = UserFactory.create()
task_order = TaskOrderFactory.create(
portfolio=self.portfolio,
creator=self.portfolio.owner,
contracting_officer_representative=cor,
cor_invite=True,
)
portfolio_role = PortfolioRoleFactory.create(portfolio=self.portfolio, user=cor)
invitation = InvitationFactory.create(
inviter=self.portfolio.owner,
portfolio_role=portfolio_role,
user=cor,
status=InvitationStatus.PENDING,
)
user_session(self.portfolio.owner)
response = client.get(
url_for(
"portfolios.task_order_invitations",
portfolio_id=self.portfolio.id,
task_order_id=task_order.id,
)
)
assert "Resend Invitation" in response.data.decode()
def test_ko_can_view_task_order(client, user_session, portfolio, user):
PortfolioRoleFactory.create(
portfolio=portfolio,
user=user,
status=PortfolioStatus.ACTIVE,
permission_sets=[
PermissionSets.get(PermissionSets.VIEW_PORTFOLIO),
PermissionSets.get(PermissionSets.VIEW_PORTFOLIO_FUNDING),
],
)
task_order = TaskOrderFactory.create(portfolio=portfolio, contracting_officer=user)
user_session(user)
response = client.get(
url_for(
"portfolios.view_task_order",
portfolio_id=portfolio.id,
task_order_id=task_order.id,
)
)
assert response.status_code == 200
assert translate("common.manage") in response.data.decode()
TaskOrders.update(task_order, clin_01=None)
response = client.get(
url_for(
"portfolios.view_task_order",
portfolio_id=portfolio.id,
task_order_id=task_order.id,
)
)
assert response.status_code == 200
assert translate("common.manage") not in response.data.decode()
def test_can_view_task_order_invitations_when_complete(client, user_session, portfolio):
user_session(portfolio.owner)
task_order = TaskOrderFactory.create(portfolio=portfolio)
response = client.get(
url_for(
"portfolios.task_order_invitations",
portfolio_id=portfolio.id,
task_order_id=task_order.id,
)
)
assert response.status_code == 200
def test_cant_view_task_order_invitations_when_not_complete(
client, user_session, portfolio
):
user_session(portfolio.owner)
task_order = TaskOrderFactory.create(portfolio=portfolio, clin_01=None)
response = client.get(
url_for(
"portfolios.task_order_invitations",
portfolio_id=portfolio.id,
task_order_id=task_order.id,
)
)
assert response.status_code == 404
def test_ko_can_view_ko_review_page(client, user_session):
portfolio = PortfolioFactory.create()
ko = UserFactory.create()
cor = UserFactory.create()
PortfolioRoleFactory.create(
portfolio=portfolio,
user=ko,
status=PortfolioStatus.ACTIVE,
permission_sets=[
PermissionSets.get(PermissionSets.VIEW_PORTFOLIO),
PermissionSets.get(PermissionSets.VIEW_PORTFOLIO_FUNDING),
],
)
PortfolioRoleFactory.create(
portfolio=portfolio,
user=cor,
status=PortfolioStatus.ACTIVE,
permission_sets=[
PermissionSets.get(PermissionSets.VIEW_PORTFOLIO),
PermissionSets.get(PermissionSets.VIEW_PORTFOLIO_FUNDING),
],
)
task_order = TaskOrderFactory.create(
portfolio=portfolio,
contracting_officer=ko,
contracting_officer_representative=cor,
)
request_url = url_for(
"portfolios.ko_review", portfolio_id=portfolio.id, task_order_id=task_order.id
)
#
# KO returns 200
#
user_session(ko)
response = client.get(request_url)
assert response.status_code == 200
#
# COR returns 200
#
user_session(cor)
response = client.get(request_url)
assert response.status_code == 200
#
# Random user raises UnauthorizedError
#
user_session(UserFactory.create())
response = client.get(request_url)
assert response.status_code == 404
def test_cor_cant_view_review_until_to_completed(client, user_session):
portfolio = PortfolioFactory.create()
user_session(portfolio.owner)
task_order = TaskOrderFactory.create(
portfolio=portfolio, clin_01=None, cor_dod_id=portfolio.owner.dod_id
)
response = client.get(
url_for(
"portfolios.ko_review",
portfolio_id=portfolio.id,
task_order_id=task_order.id,
)
)
assert response.status_code == 404
def test_mo_redirected_to_build_page(client, user_session, portfolio):
user_session(portfolio.owner)
task_order = TaskOrderFactory.create(portfolio=portfolio)
response = client.get(
url_for("task_orders.new", screen=1, task_order_id=task_order.id)
)
assert response.status_code == 200
def test_submit_completed_ko_review_page_as_cor(
client, user_session, pdf_upload, portfolio, user
):
PortfolioRoleFactory.create(
portfolio=portfolio,
user=user,
status=PortfolioStatus.ACTIVE,
permission_sets=[
PermissionSets.get(PermissionSets.VIEW_PORTFOLIO),
PermissionSets.get(PermissionSets.VIEW_PORTFOLIO_FUNDING),
],
)
task_order = TaskOrderFactory.create(
portfolio=portfolio, contracting_officer_representative=user
)
form_data = {
"start_date": "02/10/2019",
"end_date": "03/10/2019",
"number": "1938745981",
"loas-0": "0813458013405",
"custom_clauses": "hi im a custom clause",
"pdf": pdf_upload,
}
user_session(user)
response = client.post(
url_for(
"portfolios.ko_review",
portfolio_id=portfolio.id,
task_order_id=task_order.id,
),
data=form_data,
)
assert task_order.pdf
assert response.headers["Location"] == url_for(
"portfolios.view_task_order",
task_order_id=task_order.id,
portfolio_id=portfolio.id,
_external=True,
)
def test_submit_completed_ko_review_page_as_ko(
client, user_session, pdf_upload, portfolio
):
ko = UserFactory.create()
PortfolioRoleFactory.create(
portfolio=portfolio,
user=ko,
status=PortfolioStatus.ACTIVE,
permission_sets=[
PermissionSets.get(PermissionSets.VIEW_PORTFOLIO),
PermissionSets.get(PermissionSets.VIEW_PORTFOLIO_FUNDING),
],
)
task_order = TaskOrderFactory.create(portfolio=portfolio, contracting_officer=ko)
dd_254 = DD254Factory.create()
TaskOrders.add_dd_254(task_order, dd_254.to_dictionary())
user_session(ko)
loa_list = ["123123123", "456456456", "789789789"]
form_data = {
"start_date": "02/10/2019",
"end_date": "03/10/2019",
"number": "1938745981",
"loas-0": loa_list[0],
"loas-1": loa_list[1],
"loas-2": loa_list[2],
"custom_clauses": "hi im a custom clause",
"pdf": pdf_upload,
}
response = client.post(
url_for(
"portfolios.ko_review",
portfolio_id=portfolio.id,
task_order_id=task_order.id,
),
data=form_data,
)
assert task_order.pdf
assert response.headers["Location"] == url_for(
"task_orders.signature_requested", task_order_id=task_order.id, _external=True
)
assert task_order.loas == loa_list
def test_ko_can_only_access_their_to(app, user_session, client, portfolio, pdf_upload):
ko = UserFactory.create()
PortfolioRoleFactory.create(
portfolio=portfolio,
user=ko,
status=PortfolioStatus.ACTIVE,
permission_sets=[
PermissionSets.get(PermissionSets.VIEW_PORTFOLIO),
PermissionSets.get(PermissionSets.VIEW_PORTFOLIO_FUNDING),
],
)
task_order = TaskOrderFactory.create(portfolio=portfolio, contracting_officer=ko)
dd_254 = DD254Factory.create()
TaskOrders.add_dd_254(task_order, dd_254.to_dictionary())
other_task_order = TaskOrderFactory.create()
user_session(ko)
# KO can't see TO
response = client.get(
url_for(
"portfolios.ko_review",
portfolio_id=portfolio.id,
task_order_id=other_task_order.id,
)
)
assert response.status_code == 404
# KO can't submit review for TO
form_data = {
"start_date": "02/10/2019",
"end_date": "03/10/2019",
"number": "1938745981",
"loas-0": "1231231231",
"custom_clauses": "hi im a custom clause",
"pdf": pdf_upload,
}
response = client.post(
url_for(
"portfolios.submit_ko_review",
portfolio_id=portfolio.id,
task_order_id=other_task_order.id,
),
data=form_data,
)
assert response.status_code == 404
assert not TaskOrders.is_signed_by_ko(other_task_order)
def test_so_review_page(app, client, user_session, portfolio):
so = UserFactory.create()
PortfolioRoleFactory.create(
portfolio=portfolio,
user=so,
status=PortfolioStatus.ACTIVE,
permission_sets=[
PermissionSets.get(PermissionSets.VIEW_PORTFOLIO),
PermissionSets.get(PermissionSets.VIEW_PORTFOLIO_FUNDING),
],
)
task_order = TaskOrderFactory.create(portfolio=portfolio, security_officer=so)
user_session(portfolio.owner)
owner_response = client.get(
url_for(
"portfolios.so_review",
portfolio_id=portfolio.id,
task_order_id=task_order.id,
)
)
assert owner_response.status_code == 404
with captured_templates(app) as templates:
user_session(so)
so_response = app.test_client().get(
url_for(
"portfolios.so_review",
portfolio_id=portfolio.id,
task_order_id=task_order.id,
)
)
_, context = templates[0]
form = context["form"]
co_name = form.certifying_official.data
assert so_response.status_code == 200
assert (
task_order.so_first_name in co_name and task_order.so_last_name in co_name
)
def test_submit_so_review(app, client, user_session, portfolio):
so = UserFactory.create()
PortfolioRoleFactory.create(
portfolio=portfolio,
user=so,
status=PortfolioStatus.ACTIVE,
permission_sets=[
PermissionSets.get(PermissionSets.VIEW_PORTFOLIO),
PermissionSets.get(PermissionSets.VIEW_PORTFOLIO_FUNDING),
],
)
task_order = TaskOrderFactory.create(portfolio=portfolio, security_officer=so)
dd_254_data = DD254Factory.dictionary()
user_session(so)
response = client.post(
url_for(
"portfolios.submit_so_review",
portfolio_id=portfolio.id,
task_order_id=task_order.id,
),
data=dd_254_data,
)
expected_redirect = url_for(
"portfolios.view_task_order",
portfolio_id=portfolio.id,
task_order_id=task_order.id,
_external=True,
)
assert response.status_code == 302
assert response.headers["Location"] == expected_redirect
assert task_order.dd_254
assert task_order.dd_254.certifying_official == dd_254_data["certifying_official"]
def test_so_can_only_access_their_to(app, client, user_session, portfolio):
so = UserFactory.create()
PortfolioRoleFactory.create(
portfolio=portfolio,
user=so,
status=PortfolioStatus.ACTIVE,
permission_sets=[
PermissionSets.get(PermissionSets.VIEW_PORTFOLIO),
PermissionSets.get(PermissionSets.VIEW_PORTFOLIO_FUNDING),
],
)
task_order = TaskOrderFactory.create(portfolio=portfolio, security_officer=so)
dd_254_data = DD254Factory.dictionary()
other_task_order = TaskOrderFactory.create()
user_session(so)
# SO can't view dd254
response = client.get(
url_for(
"portfolios.so_review",
portfolio_id=portfolio.id,
task_order_id=other_task_order.id,
)
)
assert response.status_code == 404
# SO can't submit dd254
response = client.post(
url_for(
"portfolios.submit_so_review",
portfolio_id=portfolio.id,
task_order_id=other_task_order.id,
),
data=dd_254_data,
)
assert response.status_code == 404
assert not other_task_order.dd_254
def test_resend_invite_when_invalid_invite_officer(
app, client, user_session, portfolio, user
):
queue_length = len(queue.get_queue())
task_order = TaskOrderFactory.create(
portfolio=portfolio, contracting_officer=user, ko_invite=True
)
PortfolioRoleFactory.create(
portfolio=portfolio, user=user, status=PortfolioStatus.ACTIVE
)
user_session(user)
response = client.post(
url_for(
"portfolios.resend_invite",
portfolio_id=portfolio.id,
task_order_id=task_order.id,
_external=True,
),
data={"invite_type": "invalid_invite_type"},
)
assert response.status_code == 404
assert len(queue.get_queue()) == queue_length
def test_resend_invite_when_officer_type_missing(
app, client, user_session, portfolio, user
):
queue_length = len(queue.get_queue())
task_order = TaskOrderFactory.create(
portfolio=portfolio, contracting_officer=None, ko_invite=True
)
PortfolioRoleFactory.create(
portfolio=portfolio, user=user, status=PortfolioStatus.ACTIVE
)
user_session(user)
response = client.post(
url_for(
"portfolios.resend_invite",
portfolio_id=portfolio.id,
task_order_id=task_order.id,
_external=True,
),
data={"invite_type": "contracting_officer_invite"},
)
assert response.status_code == 404
assert len(queue.get_queue()) == queue_length
def test_resend_invite_when_not_pending(app, client, user_session, portfolio, user):
queue_length = len(queue.get_queue())
task_order = TaskOrderFactory.create(
portfolio=portfolio, contracting_officer=user, ko_invite=True
)
portfolio_role = PortfolioRoleFactory.create(
portfolio=portfolio, user=user, status=PortfolioStatus.ACTIVE
)
original_invitation = InvitationFactory.create(
inviter=user,
portfolio_role=portfolio_role,
email=user.email,
status=InvitationStatus.ACCEPTED,
)
user_session(user)
response = client.post(
url_for(
"portfolios.resend_invite",
portfolio_id=portfolio.id,
task_order_id=task_order.id,
_external=True,
),
data={"invite_type": "ko_invite"},
)
assert original_invitation.status == InvitationStatus.ACCEPTED
assert response.status_code == 404
assert len(queue.get_queue()) == queue_length
def test_resending_revoked_invite(app, client, user_session, portfolio, user):
task_order = TaskOrderFactory.create(
portfolio=portfolio, contracting_officer=user, ko_invite=True
)
portfolio_role = PortfolioRoleFactory.create(portfolio=portfolio, user=user)
invite = InvitationFactory.create(
inviter=user,
portfolio_role=portfolio_role,
email=user.email,
status=InvitationStatus.REVOKED,
)
user_session(user)
response = client.post(
url_for(
"portfolios.resend_invite",
portfolio_id=portfolio.id,
task_order_id=task_order.id,
invite_type="ko_invite",
_external=True,
)
)
assert invite.is_revoked
assert response.status_code == 404
def test_resending_expired_invite(app, client, user_session, portfolio):
queue_length = len(queue.get_queue())
ko = UserFactory.create()
task_order = TaskOrderFactory.create(
portfolio=portfolio, contracting_officer=ko, ko_invite=True
)
portfolio_role = PortfolioRoleFactory.create(portfolio=portfolio, user=ko)
invite = InvitationFactory.create(
inviter=portfolio.owner,
portfolio_role=portfolio_role,
email=ko.email,
expiration_time=datetime.now() - timedelta(days=1),
)
user_session(portfolio.owner)
response = client.post(
url_for(
"portfolios.resend_invite",
portfolio_id=portfolio.id,
task_order_id=task_order.id,
invite_type="ko_invite",
_external=True,
)
)
assert invite.is_expired
assert response.status_code == 302
assert len(queue.get_queue()) == queue_length + 1

0
tests/routes/task_orders/__init__.py Normal file
View File

74
tests/routes/task_orders/test_downloads.py Normal file
View File

@ -0,0 +1,74 @@
import pytest
from flask import url_for
from io import BytesIO
import re
from zipfile import ZipFile
from atst.utils.docx import Docx
from tests.factories import TaskOrderFactory, PortfolioFactory, UserFactory
def xml_translated(val):
val = re.sub("'", "&#39;", str(val))
val = re.sub(" & ", " &amp; ", str(val))
return val
def test_download_summary(client, user_session):
user = UserFactory.create()
portfolio = PortfolioFactory.create(owner=user)
task_order = TaskOrderFactory.create(creator=user, portfolio=portfolio)
user_session(user)
response = client.get(
url_for("task_orders.download_summary", task_order_id=task_order.id)
)
bytes_str = BytesIO(response.data)
zip_ = ZipFile(bytes_str, mode="r")
doc = zip_.read(Docx.DOCUMENT_FILE).decode()
for attr, val in task_order.to_dictionary().items():
assert attr in doc
assert xml_translated(val) in doc
class TestDownloadCSPEstimate:
def setup(self):
self.user = UserFactory.create()
self.portfolio = PortfolioFactory.create(owner=self.user)
self.task_order = TaskOrderFactory.create(
creator=self.user, portfolio=self.portfolio
)
def test_successful_download(self, client, user_session, pdf_upload):
self.task_order.csp_estimate = pdf_upload
user_session(self.user)
response = client.get(
url_for(
"task_orders.download_csp_estimate", task_order_id=self.task_order.id
)
)
assert response.status_code == 200
pdf_upload.seek(0)
expected_contents = pdf_upload.read()
assert expected_contents == response.data
def test_download_without_attachment(self, client, user_session):
self.task_order.csp_attachment_id = None
user_session(self.user)
response = client.get(
url_for(
"task_orders.download_csp_estimate", task_order_id=self.task_order.id
)
)
assert response.status_code == 404
def test_download_with_wrong_user(self, client, user_session):
other_user = UserFactory.create()
user_session(other_user)
response = client.get(
url_for(
"task_orders.download_csp_estimate", task_order_id=self.task_order.id
)
)
assert response.status_code == 404

207
tests/routes/task_orders/test_index.py
View File

@ -1,74 +1,161 @@
import pytest
from flask import url_for from flask import url_for
from io import BytesIO import pytest
import re from datetime import timedelta, date
from zipfile import ZipFile
from atst.utils.docx import Docx from atst.domain.permission_sets import PermissionSets
from atst.domain.task_orders import TaskOrders
from atst.models.portfolio_role import Status as PortfolioStatus
from atst.utils.localization import translate
from tests.factories import TaskOrderFactory, PortfolioFactory, UserFactory from tests.factories import (
PortfolioFactory,
PortfolioRoleFactory,
TaskOrderFactory,
UserFactory,
random_future_date,
random_past_date,
)
from tests.utils import captured_templates
def xml_translated(val): @pytest.fixture
val = re.sub("'", "&#39;", str(val)) def portfolio():
val = re.sub(" & ", " &amp; ", str(val)) return PortfolioFactory.create()
return val
def test_download_summary(client, user_session): @pytest.fixture
user = UserFactory.create() def user():
portfolio = PortfolioFactory.create(owner=user) return UserFactory.create()
task_order = TaskOrderFactory.create(creator=user, portfolio=portfolio)
class TestPortfolioFunding:
def test_portfolio_with_no_task_orders(self, app, user_session, portfolio):
user_session(portfolio.owner)
with captured_templates(app) as templates:
response = app.test_client().get(
url_for("task_orders.portfolio_funding", portfolio_id=portfolio.id)
)
assert response.status_code == 200
_, context = templates[0]
assert context["funding_end_date"] is None
assert context["total_balance"] == 0
assert context["pending_task_orders"] == []
assert context["active_task_orders"] == []
assert context["expired_task_orders"] == []
def test_funded_portfolio(self, app, user_session, portfolio):
user_session(portfolio.owner)
pending_to = TaskOrderFactory.create(portfolio=portfolio)
active_to1 = TaskOrderFactory.create(
portfolio=portfolio,
start_date=random_past_date(),
end_date=random_future_date(),
number="42",
)
active_to2 = TaskOrderFactory.create(
portfolio=portfolio,
start_date=random_past_date(),
end_date=random_future_date(),
number="43",
)
end_date = (
active_to1.end_date
if active_to1.end_date > active_to2.end_date
else active_to2.end_date
)
with captured_templates(app) as templates:
response = app.test_client().get(
url_for("task_orders.portfolio_funding", portfolio_id=portfolio.id)
)
assert response.status_code == 200
_, context = templates[0]
assert context["funding_end_date"] is end_date
assert context["total_balance"] == active_to1.budget + active_to2.budget
def test_expiring_and_funded_portfolio(self, app, user_session, portfolio):
user_session(portfolio.owner)
expiring_to = TaskOrderFactory.create(
portfolio=portfolio,
start_date=random_past_date(),
end_date=(date.today() + timedelta(days=10)),
number="42",
)
active_to = TaskOrderFactory.create(
portfolio=portfolio,
start_date=random_past_date(),
end_date=random_future_date(year_min=1, year_max=2),
number="43",
)
with captured_templates(app) as templates:
response = app.test_client().get(
url_for("task_orders.portfolio_funding", portfolio_id=portfolio.id)
)
assert response.status_code == 200
_, context = templates[0]
assert context["funding_end_date"] is active_to.end_date
assert context["funded"] == True
def test_expiring_and_unfunded_portfolio(self, app, user_session, portfolio):
user_session(portfolio.owner)
expiring_to = TaskOrderFactory.create(
portfolio=portfolio,
start_date=random_past_date(),
end_date=(date.today() + timedelta(days=10)),
number="42",
)
with captured_templates(app) as templates:
response = app.test_client().get(
url_for("task_orders.portfolio_funding", portfolio_id=portfolio.id)
)
assert response.status_code == 200
_, context = templates[0]
assert context["funding_end_date"] is expiring_to.end_date
assert context["funded"] == False
def test_user_can_only_access_to_in_their_portfolio(
self, app, user_session, portfolio
):
other_task_order = TaskOrderFactory.create()
user_session(portfolio.owner)
response = app.test_client().get(
url_for("task_orders.view_task_order", task_order_id=other_task_order.id)
)
assert response.status_code == 404
def test_ko_can_view_task_order(client, user_session, portfolio, user):
PortfolioRoleFactory.create(
portfolio=portfolio,
user=user,
status=PortfolioStatus.ACTIVE,
permission_sets=[
PermissionSets.get(PermissionSets.VIEW_PORTFOLIO),
PermissionSets.get(PermissionSets.VIEW_PORTFOLIO_FUNDING),
],
)
task_order = TaskOrderFactory.create(portfolio=portfolio, contracting_officer=user)
user_session(user) user_session(user)
response = client.get( response = client.get(
url_for("task_orders.download_summary", task_order_id=task_order.id) url_for("task_orders.view_task_order", task_order_id=task_order.id)
)
bytes_str = BytesIO(response.data)
zip_ = ZipFile(bytes_str, mode="r")
doc = zip_.read(Docx.DOCUMENT_FILE).decode()
for attr, val in task_order.to_dictionary().items():
assert attr in doc
assert xml_translated(val) in doc
class TestDownloadCSPEstimate:
def setup(self):
self.user = UserFactory.create()
self.portfolio = PortfolioFactory.create(owner=self.user)
self.task_order = TaskOrderFactory.create(
creator=self.user, portfolio=self.portfolio
)
def test_successful_download(self, client, user_session, pdf_upload):
self.task_order.csp_estimate = pdf_upload
user_session(self.user)
response = client.get(
url_for(
"task_orders.download_csp_estimate", task_order_id=self.task_order.id
)
) )
assert response.status_code == 200 assert response.status_code == 200
assert translate("common.manage") in response.data.decode()
pdf_upload.seek(0) TaskOrders.update(task_order, clin_01=None)
expected_contents = pdf_upload.read()
assert expected_contents == response.data
def test_download_without_attachment(self, client, user_session):
self.task_order.csp_attachment_id = None
user_session(self.user)
response = client.get( response = client.get(
url_for( url_for("task_orders.view_task_order", task_order_id=task_order.id)
"task_orders.download_csp_estimate", task_order_id=self.task_order.id
) )
) assert response.status_code == 200
assert response.status_code == 404 assert translate("common.manage") not in response.data.decode()
def test_download_with_wrong_user(self, client, user_session):
other_user = UserFactory.create()
user_session(other_user)
response = client.get(
url_for(
"task_orders.download_csp_estimate", task_order_id=self.task_order.id
)
)
assert response.status_code == 404

449
tests/routes/task_orders/test_invitations.py Normal file
View File

@ -0,0 +1,449 @@
from datetime import datetime, timedelta
from flask import url_for
import pytest
from atst.domain.task_orders import TaskOrders
from atst.models.invitation import Status as InvitationStatus
from atst.models.portfolio_role import Status as PortfolioStatus
from atst.queue import queue
from tests.factories import (
PortfolioFactory,
TaskOrderFactory,
UserFactory,
PortfolioRoleFactory,
InvitationFactory,
)
def test_invite(client, user_session):
portfolio = PortfolioFactory.create()
user_session(portfolio.owner)
to = TaskOrderFactory.create(portfolio=portfolio)
response = client.post(
url_for("task_orders.invite", task_order_id=to.id), follow_redirects=False
)
redirect = url_for("task_orders.view_task_order", task_order_id=to.id)
assert redirect in response.headers["Location"]
def test_invite_officers_to_task_order(client, user_session, queue):
task_order = TaskOrderFactory.create(
ko_invite=True, cor_invite=True, so_invite=True
)
portfolio = task_order.portfolio
user_session(portfolio.owner)
client.post(url_for("task_orders.invite", task_order_id=task_order.id))
# owner and three officers are portfolio members
assert len(portfolio.members) == 4
# email invitations are enqueued
assert len(queue.get_queue()) == 3
# task order has relationship to user for each officer role
assert task_order.contracting_officer.dod_id == task_order.ko_dod_id
assert task_order.contracting_officer_representative.dod_id == task_order.cor_dod_id
assert task_order.security_officer.dod_id == task_order.so_dod_id
def test_add_officer_but_do_not_invite(client, user_session, queue):
task_order = TaskOrderFactory.create(
ko_invite=False, cor_invite=False, so_invite=False
)
portfolio = task_order.portfolio
user_session(portfolio.owner)
client.post(url_for("task_orders.invite", task_order_id=task_order.id))
portfolio = task_order.portfolio
# owner is only portfolio member
assert len(portfolio.members) == 1
# no invitations are enqueued
assert len(queue.get_queue()) == 0
def test_does_not_resend_officer_invitation(client, user_session):
user = UserFactory.create()
contracting_officer = UserFactory.create()
portfolio = PortfolioFactory.create(owner=user)
task_order = TaskOrderFactory.create(
creator=user,
portfolio=portfolio,
ko_first_name=contracting_officer.first_name,
ko_last_name=contracting_officer.last_name,
ko_dod_id=contracting_officer.dod_id,
ko_invite=True,
)
user_session(user)
for i in range(2):
client.post(url_for("task_orders.invite", task_order_id=task_order.id))
assert len(contracting_officer.invitations) == 1
def test_does_not_invite_if_task_order_incomplete(client, user_session, queue):
task_order = TaskOrderFactory.create(
scope=None, ko_invite=True, cor_invite=True, so_invite=True
)
portfolio = task_order.portfolio
user_session(portfolio.owner)
response = client.post(url_for("task_orders.invite", task_order_id=task_order.id))
# redirected to review screen
assert response.headers["Location"] == url_for(
"task_orders.new", screen=4, task_order_id=task_order.id, _external=True
)
# only owner is portfolio member
assert len(portfolio.members) == 1
# no email invitations are enqueued
assert len(queue.get_queue()) == 0
@pytest.fixture
def portfolio():
return PortfolioFactory.create()
@pytest.fixture
def user():
return UserFactory.create()
class TestTaskOrderInvitations:
def setup(self):
self.portfolio = PortfolioFactory.create()
self.task_order = TaskOrderFactory.create(portfolio=self.portfolio)
def _post(self, client, updates):
return client.post(
url_for("task_orders.invitations_edit", task_order_id=self.task_order.id),
headers={"Content-Type": "application/x-www-form-urlencoded"},
data=updates,
)
def test_editing_with_partial_data(self, user_session, client):
queue_length = len(queue.get_queue())
user_session(self.portfolio.owner)
response = self._post(
client,
{
"contracting_officer-first_name": "Luke",
"contracting_officer-last_name": "Skywalker",
"security_officer-first_name": "Boba",
"security_officer-last_name": "Fett",
},
)
updated_task_order = TaskOrders.get(self.task_order.id)
assert updated_task_order.ko_first_name == "Luke"
assert updated_task_order.ko_last_name == "Skywalker"
assert updated_task_order.so_first_name == "Boba"
assert updated_task_order.so_last_name == "Fett"
assert len(queue.get_queue()) == queue_length
assert response.status_code == 302
assert (
url_for(
"task_orders.invitations",
task_order_id=self.task_order.id,
_external=True,
)
== response.headers["Location"]
)
def test_editing_with_complete_data(self, user_session, client):
queue_length = len(queue.get_queue())
user_session(self.portfolio.owner)
response = self._post(
client,
{
"contracting_officer-first_name": "Luke",
"contracting_officer-last_name": "Skywalker",
"contracting_officer-dod_id": "0123456789",
"contracting_officer-email": "luke@skywalker.mil",
"contracting_officer-phone_number": "0123456789",
"contracting_officer-invite": "y",
},
)
updated_task_order = TaskOrders.get(self.task_order.id)
assert updated_task_order.ko_invite == True
assert updated_task_order.ko_first_name == "Luke"
assert updated_task_order.ko_last_name == "Skywalker"
assert updated_task_order.ko_email == "luke@skywalker.mil"
assert updated_task_order.ko_phone_number == "0123456789"
assert len(queue.get_queue()) == queue_length + 1
assert response.status_code == 302
assert (
url_for(
"task_orders.invitations",
task_order_id=self.task_order.id,
_external=True,
)
== response.headers["Location"]
)
def test_editing_with_invalid_data(self, user_session, client):
queue_length = len(queue.get_queue())
user_session(self.portfolio.owner)
response = self._post(
client,
{
"contracting_officer-phone_number": "invalid input",
"security_officer-first_name": "Boba",
"security_officer-last_name": "Fett",
},
)
assert "There were some errors" in response.data.decode()
updated_task_order = TaskOrders.get(self.task_order.id)
assert updated_task_order.so_first_name != "Boba"
assert len(queue.get_queue()) == queue_length
assert response.status_code == 400
def test_user_can_only_invite_to_task_order_in_their_portfolio(
self, user_session, client, portfolio
):
other_task_order = TaskOrderFactory.create()
user_session(portfolio.owner)
# user can't see invites
response = client.get(
url_for("task_orders.invitations", task_order_id=other_task_order.id)
)
assert response.status_code == 404
# user can't send invites
time_updated = other_task_order.time_updated
response = client.post(
url_for("task_orders.invitations_edit", task_order_id=other_task_order.id),
data={
"contracting_officer-first_name": "Luke",
"contracting_officer-last_name": "Skywalker",
"contracting_officer-dod_id": "0123456789",
"contracting_officer-email": "luke@skywalker.mil",
"contracting_officer-phone_number": "0123456789",
"contracting_officer-invite": "y",
},
)
assert response.status_code == 404
assert time_updated == other_task_order.time_updated
# user can't resend invites
response = client.post(
url_for(
"task_orders.resend_invite",
task_order_id=other_task_order.id,
invite_type="ko_invite",
)
)
assert response.status_code == 404
assert time_updated == other_task_order.time_updated
def test_does_not_render_resend_invite_if_user_is_mo_and_user_is_cor(
self, client, user_session
):
task_order = TaskOrderFactory.create(
portfolio=self.portfolio,
creator=self.portfolio.owner,
cor_first_name=self.portfolio.owner.first_name,
cor_last_name=self.portfolio.owner.last_name,
cor_email=self.portfolio.owner.email,
cor_phone_number=self.portfolio.owner.phone_number,
cor_dod_id=self.portfolio.owner.dod_id,
cor_invite=True,
)
user_session(self.portfolio.owner)
response = client.get(
url_for("task_orders.invitations", task_order_id=task_order.id)
)
assert "Resend Invitation" not in response.data.decode()
def test_renders_resend_invite_if_user_is_mo_and_user_is_not_cor(
self, client, user_session
):
cor = UserFactory.create()
task_order = TaskOrderFactory.create(
portfolio=self.portfolio,
creator=self.portfolio.owner,
contracting_officer_representative=cor,
cor_invite=True,
)
portfolio_role = PortfolioRoleFactory.create(portfolio=self.portfolio, user=cor)
invitation = InvitationFactory.create(
inviter=self.portfolio.owner,
portfolio_role=portfolio_role,
user=cor,
status=InvitationStatus.PENDING,
)
user_session(self.portfolio.owner)
response = client.get(
url_for("task_orders.invitations", task_order_id=task_order.id)
)
assert "Resend Invitation" in response.data.decode()
def test_can_view_task_order_invitations_when_complete(client, user_session, portfolio):
user_session(portfolio.owner)
task_order = TaskOrderFactory.create(portfolio=portfolio)
response = client.get(
url_for("task_orders.invitations", task_order_id=task_order.id)
)
assert response.status_code == 200
def test_cant_view_task_order_invitations_when_not_complete(
client, user_session, portfolio
):
user_session(portfolio.owner)
task_order = TaskOrderFactory.create(portfolio=portfolio, clin_01=None)
response = client.get(
url_for("task_orders.invitations", task_order_id=task_order.id)
)
assert response.status_code == 404
def test_resend_invite_when_invalid_invite_officer(
app, client, user_session, portfolio, user
):
queue_length = len(queue.get_queue())
task_order = TaskOrderFactory.create(
portfolio=portfolio, contracting_officer=user, ko_invite=True
)
PortfolioRoleFactory.create(
portfolio=portfolio, user=user, status=PortfolioStatus.ACTIVE
)
user_session(user)
response = client.post(
url_for(
"task_orders.resend_invite", task_order_id=task_order.id, _external=True
),
data={"invite_type": "invalid_invite_type"},
)
assert response.status_code == 404
assert len(queue.get_queue()) == queue_length
def test_resend_invite_when_officer_type_missing(
app, client, user_session, portfolio, user
):
queue_length = len(queue.get_queue())
task_order = TaskOrderFactory.create(
portfolio=portfolio, contracting_officer=None, ko_invite=True
)
PortfolioRoleFactory.create(
portfolio=portfolio, user=user, status=PortfolioStatus.ACTIVE
)
user_session(user)
response = client.post(
url_for(
"task_orders.resend_invite", task_order_id=task_order.id, _external=True
),
data={"invite_type": "contracting_officer_invite"},
)
assert response.status_code == 404
assert len(queue.get_queue()) == queue_length
def test_resend_invite_when_not_pending(app, client, user_session, portfolio, user):
queue_length = len(queue.get_queue())
task_order = TaskOrderFactory.create(
portfolio=portfolio, contracting_officer=user, ko_invite=True
)
portfolio_role = PortfolioRoleFactory.create(
portfolio=portfolio, user=user, status=PortfolioStatus.ACTIVE
)
original_invitation = InvitationFactory.create(
inviter=user,
portfolio_role=portfolio_role,
email=user.email,
status=InvitationStatus.ACCEPTED,
)
user_session(user)
response = client.post(
url_for(
"task_orders.resend_invite", task_order_id=task_order.id, _external=True
),
data={"invite_type": "ko_invite"},
)
assert original_invitation.status == InvitationStatus.ACCEPTED
assert response.status_code == 404
assert len(queue.get_queue()) == queue_length
def test_resending_revoked_invite(app, client, user_session, portfolio, user):
task_order = TaskOrderFactory.create(
portfolio=portfolio, contracting_officer=user, ko_invite=True
)
portfolio_role = PortfolioRoleFactory.create(portfolio=portfolio, user=user)
invite = InvitationFactory.create(
inviter=user,
portfolio_role=portfolio_role,
email=user.email,
status=InvitationStatus.REVOKED,
)
user_session(user)
response = client.post(
url_for(
"task_orders.resend_invite",
task_order_id=task_order.id,
invite_type="ko_invite",
_external=True,
)
)
assert invite.is_revoked
assert response.status_code == 404
def test_resending_expired_invite(app, client, user_session, portfolio):
queue_length = len(queue.get_queue())
ko = UserFactory.create()
task_order = TaskOrderFactory.create(
portfolio=portfolio, contracting_officer=ko, ko_invite=True
)
portfolio_role = PortfolioRoleFactory.create(portfolio=portfolio, user=ko)
invite = InvitationFactory.create(
inviter=portfolio.owner,
portfolio_role=portfolio_role,
email=ko.email,
expiration_time=datetime.now() - timedelta(days=1),
)
user_session(portfolio.owner)
response = client.post(
url_for(
"task_orders.resend_invite",
task_order_id=task_order.id,
invite_type="ko_invite",
_external=True,
)
)
assert invite.is_expired
assert response.status_code == 302
assert len(queue.get_queue()) == queue_length + 1

90
tests/routes/task_orders/test_invite.py
View File

@ -1,90 +0,0 @@
import pytest
from flask import url_for
from tests.factories import PortfolioFactory, TaskOrderFactory, UserFactory
def test_invite(client, user_session):
portfolio = PortfolioFactory.create()
user_session(portfolio.owner)
to = TaskOrderFactory.create(portfolio=portfolio)
response = client.post(
url_for("task_orders.invite", task_order_id=to.id), follow_redirects=False
)
redirect = url_for(
"portfolios.view_task_order", portfolio_id=to.portfolio_id, task_order_id=to.id
)
assert redirect in response.headers["Location"]
def test_invite_officers_to_task_order(client, user_session, queue):
task_order = TaskOrderFactory.create(
ko_invite=True, cor_invite=True, so_invite=True
)
portfolio = task_order.portfolio
user_session(portfolio.owner)
client.post(url_for("task_orders.invite", task_order_id=task_order.id))
# owner and three officers are portfolio members
assert len(portfolio.members) == 4
# email invitations are enqueued
assert len(queue.get_queue()) == 3
# task order has relationship to user for each officer role
assert task_order.contracting_officer.dod_id == task_order.ko_dod_id
assert task_order.contracting_officer_representative.dod_id == task_order.cor_dod_id
assert task_order.security_officer.dod_id == task_order.so_dod_id
def test_add_officer_but_do_not_invite(client, user_session, queue):
task_order = TaskOrderFactory.create(
ko_invite=False, cor_invite=False, so_invite=False
)
portfolio = task_order.portfolio
user_session(portfolio.owner)
client.post(url_for("task_orders.invite", task_order_id=task_order.id))
portfolio = task_order.portfolio
# owner is only portfolio member
assert len(portfolio.members) == 1
# no invitations are enqueued
assert len(queue.get_queue()) == 0
def test_does_not_resend_officer_invitation(client, user_session):
user = UserFactory.create()
contracting_officer = UserFactory.create()
portfolio = PortfolioFactory.create(owner=user)
task_order = TaskOrderFactory.create(
creator=user,
portfolio=portfolio,
ko_first_name=contracting_officer.first_name,
ko_last_name=contracting_officer.last_name,
ko_dod_id=contracting_officer.dod_id,
ko_invite=True,
)
user_session(user)
for i in range(2):
client.post(url_for("task_orders.invite", task_order_id=task_order.id))
assert len(contracting_officer.invitations) == 1
def test_does_not_invite_if_task_order_incomplete(client, user_session, queue):
task_order = TaskOrderFactory.create(
scope=None, ko_invite=True, cor_invite=True, so_invite=True
)
portfolio = task_order.portfolio
user_session(portfolio.owner)
response = client.post(url_for("task_orders.invite", task_order_id=task_order.id))
# redirected to review screen
assert response.headers["Location"] == url_for(
"task_orders.new", screen=4, task_order_id=task_order.id, _external=True
)
# only owner is portfolio member
assert len(portfolio.members) == 1
# no email invitations are enqueued
assert len(queue.get_queue()) == 0

26
tests/routes/task_orders/test_new_task_order.py → tests/routes/task_orders/test_new.py
View File

@ -15,6 +15,16 @@ from tests.factories import (
) )
@pytest.fixture
def portfolio():
return PortfolioFactory.create()
@pytest.fixture
def user():
return UserFactory.create()
class TestShowTaskOrderWorkflow: class TestShowTaskOrderWorkflow:
def test_portfolio_when_task_order_exists(self): def test_portfolio_when_task_order_exists(self):
portfolio = PortfolioFactory.create() portfolio = PortfolioFactory.create()
@ -306,11 +316,7 @@ def test_update_to_redirects_to_ko_review(client, user_session, task_order):
permission_sets=[PermissionSets.get(PermissionSets.EDIT_PORTFOLIO_FUNDING)], permission_sets=[PermissionSets.get(PermissionSets.EDIT_PORTFOLIO_FUNDING)],
) )
user_session(ko) user_session(ko)
url = url_for( url = url_for("task_orders.ko_review", task_order_id=task_order.id)
"portfolios.ko_review",
portfolio_id=task_order.portfolio.id,
task_order_id=task_order.id,
)
response = client.post( response = client.post(
url_for("task_orders.new", screen=1, task_order_id=task_order.id, next=url) url_for("task_orders.new", screen=1, task_order_id=task_order.id, next=url)
) )
@ -361,3 +367,13 @@ def test_update_task_order_clears_unnecessary_other_responses():
workflow = UpdateTaskOrderWorkflow(user, to_data) workflow = UpdateTaskOrderWorkflow(user, to_data)
assert workflow.task_order_form_data["complexity_other"] is None assert workflow.task_order_form_data["complexity_other"] is None
assert workflow.task_order_form_data["dev_team_other"] is None assert workflow.task_order_form_data["dev_team_other"] is None
def test_mo_redirected_to_build_page(client, user_session, portfolio):
user_session(portfolio.owner)
task_order = TaskOrderFactory.create(portfolio=portfolio)
response = client.get(
url_for("task_orders.new", screen=1, task_order_id=task_order.id)
)
assert response.status_code == 200

303
tests/routes/task_orders/test_officer_reviews.py Normal file
View File

@ -0,0 +1,303 @@
import pytest
from flask import url_for
from atst.domain.permission_sets import PermissionSets
from atst.domain.task_orders import TaskOrders
from atst.models.portfolio_role import Status as PortfolioStatus
from tests.factories import (
PortfolioFactory,
PortfolioRoleFactory,
TaskOrderFactory,
UserFactory,
DD254Factory,
)
from tests.utils import captured_templates
@pytest.fixture
def portfolio():
return PortfolioFactory.create()
@pytest.fixture
def user():
return UserFactory.create()
def test_ko_can_view_ko_review_page(client, user_session):
portfolio = PortfolioFactory.create()
ko = UserFactory.create()
cor = UserFactory.create()
PortfolioRoleFactory.create(
portfolio=portfolio,
user=ko,
status=PortfolioStatus.ACTIVE,
permission_sets=[
PermissionSets.get(PermissionSets.VIEW_PORTFOLIO),
PermissionSets.get(PermissionSets.VIEW_PORTFOLIO_FUNDING),
],
)
PortfolioRoleFactory.create(
portfolio=portfolio,
user=cor,
status=PortfolioStatus.ACTIVE,
permission_sets=[
PermissionSets.get(PermissionSets.VIEW_PORTFOLIO),
PermissionSets.get(PermissionSets.VIEW_PORTFOLIO_FUNDING),
],
)
task_order = TaskOrderFactory.create(
portfolio=portfolio,
contracting_officer=ko,
contracting_officer_representative=cor,
)
request_url = url_for("task_orders.ko_review", task_order_id=task_order.id)
#
# KO returns 200
#
user_session(ko)
response = client.get(request_url)
assert response.status_code == 200
#
# COR returns 200
#
user_session(cor)
response = client.get(request_url)
assert response.status_code == 200
#
# Random user raises UnauthorizedError
#
user_session(UserFactory.create())
response = client.get(request_url)
assert response.status_code == 404
def test_cor_cant_view_review_until_to_completed(client, user_session):
portfolio = PortfolioFactory.create()
user_session(portfolio.owner)
task_order = TaskOrderFactory.create(
portfolio=portfolio, clin_01=None, cor_dod_id=portfolio.owner.dod_id
)
response = client.get(url_for("task_orders.ko_review", task_order_id=task_order.id))
assert response.status_code == 404
def test_submit_completed_ko_review_page_as_cor(
client, user_session, pdf_upload, portfolio, user
):
PortfolioRoleFactory.create(
portfolio=portfolio,
user=user,
status=PortfolioStatus.ACTIVE,
permission_sets=[
PermissionSets.get(PermissionSets.VIEW_PORTFOLIO),
PermissionSets.get(PermissionSets.VIEW_PORTFOLIO_FUNDING),
],
)
task_order = TaskOrderFactory.create(
portfolio=portfolio, contracting_officer_representative=user
)
form_data = {
"start_date": "02/10/2019",
"end_date": "03/10/2019",
"number": "1938745981",
"loas-0": "0813458013405",
"custom_clauses": "hi im a custom clause",
"pdf": pdf_upload,
}
user_session(user)
response = client.post(
url_for("task_orders.ko_review", task_order_id=task_order.id), data=form_data
)
assert task_order.pdf
assert response.headers["Location"] == url_for(
"task_orders.view_task_order", task_order_id=task_order.id, _external=True
)
def test_submit_completed_ko_review_page_as_ko(
client, user_session, pdf_upload, portfolio
):
ko = UserFactory.create()
PortfolioRoleFactory.create(
portfolio=portfolio,
user=ko,
status=PortfolioStatus.ACTIVE,
permission_sets=[
PermissionSets.get(PermissionSets.VIEW_PORTFOLIO),
PermissionSets.get(PermissionSets.VIEW_PORTFOLIO_FUNDING),
],
)
task_order = TaskOrderFactory.create(portfolio=portfolio, contracting_officer=ko)
dd_254 = DD254Factory.create()
TaskOrders.add_dd_254(task_order, dd_254.to_dictionary())
user_session(ko)
loa_list = ["123123123", "456456456", "789789789"]
form_data = {
"start_date": "02/10/2019",
"end_date": "03/10/2019",
"number": "1938745981",
"loas-0": loa_list[0],
"loas-1": loa_list[1],
"loas-2": loa_list[2],
"custom_clauses": "hi im a custom clause",
"pdf": pdf_upload,
}
response = client.post(
url_for("task_orders.ko_review", task_order_id=task_order.id), data=form_data
)
assert task_order.pdf
assert response.headers["Location"] == url_for(
"task_orders.signature_requested", task_order_id=task_order.id, _external=True
)
assert task_order.loas == loa_list
def test_ko_can_only_access_their_to(app, user_session, client, portfolio, pdf_upload):
ko = UserFactory.create()
PortfolioRoleFactory.create(
portfolio=portfolio,
user=ko,
status=PortfolioStatus.ACTIVE,
permission_sets=[
PermissionSets.get(PermissionSets.VIEW_PORTFOLIO),
PermissionSets.get(PermissionSets.VIEW_PORTFOLIO_FUNDING),
],
)
task_order = TaskOrderFactory.create(portfolio=portfolio, contracting_officer=ko)
dd_254 = DD254Factory.create()
TaskOrders.add_dd_254(task_order, dd_254.to_dictionary())
other_task_order = TaskOrderFactory.create()
user_session(ko)
# KO can't see TO
response = client.get(
url_for("task_orders.ko_review", task_order_id=other_task_order.id)
)
assert response.status_code == 404
# KO can't submit review for TO
form_data = {
"start_date": "02/10/2019",
"end_date": "03/10/2019",
"number": "1938745981",
"loas-0": "1231231231",
"custom_clauses": "hi im a custom clause",
"pdf": pdf_upload,
}
response = client.post(
url_for("task_orders.submit_ko_review", task_order_id=other_task_order.id),
data=form_data,
)
assert response.status_code == 404
assert not TaskOrders.is_signed_by_ko(other_task_order)
def test_so_review_page(app, client, user_session, portfolio):
so = UserFactory.create()
PortfolioRoleFactory.create(
portfolio=portfolio,
user=so,
status=PortfolioStatus.ACTIVE,
permission_sets=[
PermissionSets.get(PermissionSets.VIEW_PORTFOLIO),
PermissionSets.get(PermissionSets.VIEW_PORTFOLIO_FUNDING),
],
)
task_order = TaskOrderFactory.create(portfolio=portfolio, security_officer=so)
user_session(portfolio.owner)
owner_response = client.get(
url_for("task_orders.so_review", task_order_id=task_order.id)
)
assert owner_response.status_code == 404
with captured_templates(app) as templates:
user_session(so)
so_response = app.test_client().get(
url_for("task_orders.so_review", task_order_id=task_order.id)
)
_, context = templates[0]
form = context["form"]
co_name = form.certifying_official.data
assert so_response.status_code == 200
assert (
task_order.so_first_name in co_name and task_order.so_last_name in co_name
)
def test_submit_so_review(app, client, user_session, portfolio):
so = UserFactory.create()
PortfolioRoleFactory.create(
portfolio=portfolio,
user=so,
status=PortfolioStatus.ACTIVE,
permission_sets=[
PermissionSets.get(PermissionSets.VIEW_PORTFOLIO),
PermissionSets.get(PermissionSets.VIEW_PORTFOLIO_FUNDING),
],
)
task_order = TaskOrderFactory.create(portfolio=portfolio, security_officer=so)
dd_254_data = DD254Factory.dictionary()
user_session(so)
response = client.post(
url_for("task_orders.submit_so_review", task_order_id=task_order.id),
data=dd_254_data,
)
expected_redirect = url_for(
"task_orders.view_task_order", task_order_id=task_order.id, _external=True
)
assert response.status_code == 302
assert response.headers["Location"] == expected_redirect
assert task_order.dd_254
assert task_order.dd_254.certifying_official == dd_254_data["certifying_official"]
def test_so_can_only_access_their_to(app, client, user_session, portfolio):
so = UserFactory.create()
PortfolioRoleFactory.create(
portfolio=portfolio,
user=so,
status=PortfolioStatus.ACTIVE,
permission_sets=[
PermissionSets.get(PermissionSets.VIEW_PORTFOLIO),
PermissionSets.get(PermissionSets.VIEW_PORTFOLIO_FUNDING),
],
)
task_order = TaskOrderFactory.create(portfolio=portfolio, security_officer=so)
dd_254_data = DD254Factory.dictionary()
other_task_order = TaskOrderFactory.create()
user_session(so)
# SO can't view dd254
response = client.get(
url_for("task_orders.so_review", task_order_id=other_task_order.id)
)
assert response.status_code == 404
# SO can't submit dd254
response = client.post(
url_for("task_orders.submit_so_review", task_order_id=other_task_order.id),
data=dd_254_data,
)
assert response.status_code == 404
assert not other_task_order.dd_254

12
tests/routes/task_orders/test_sign.py → tests/routes/task_orders/test_signing.py
View File

@ -120,11 +120,7 @@ def test_signing_a_task_order(client, user_session):
) )
assert ( assert (
url_for( url_for("task_orders.view_task_order", task_order_id=task_order.id)
"portfolios.view_task_order",
portfolio_id=task_order.portfolio_id,
task_order_id=task_order.id,
)
in response.headers["Location"] in response.headers["Location"]
) )
@ -161,11 +157,7 @@ def test_signing_a_task_order_unlimited_level_of_warrant(client, user_session):
) )
assert ( assert (
url_for( url_for("task_orders.view_task_order", task_order_id=task_order.id)
"portfolios.view_task_order",
portfolio_id=task_order.portfolio_id,
task_order_id=task_order.id,
)
in response.headers["Location"] in response.headers["Location"]
) )

164
tests/test_access.py
View File

@ -71,6 +71,11 @@ def test_all_protected_routes_have_access_control(
monkeypatch.setattr("atst.domain.portfolios.Portfolios.for_user", lambda *a: []) monkeypatch.setattr("atst.domain.portfolios.Portfolios.for_user", lambda *a: [])
monkeypatch.setattr("atst.domain.portfolios.Portfolios.get", lambda *a: None) monkeypatch.setattr("atst.domain.portfolios.Portfolios.get", lambda *a: None)
monkeypatch.setattr("atst.domain.task_orders.TaskOrders.get", lambda *a: Mock()) monkeypatch.setattr("atst.domain.task_orders.TaskOrders.get", lambda *a: Mock())
monkeypatch.setattr("atst.domain.applications.Applications.get", lambda *a: Mock())
monkeypatch.setattr("atst.domain.invitations.Invitations._get", lambda *a: Mock())
monkeypatch.setattr(
"atst.utils.context_processors.get_portfolio_from_context", lambda *a: None
)
# patch the internal function the access decorator uses so that # patch the internal function the access decorator uses so that
# we can check that it was called # we can check that it was called
@ -121,8 +126,8 @@ def test_atst_activity_history_access(get_url_assert_status):
get_url_assert_status(rando, url, 404) get_url_assert_status(rando, url, 404)
# portfolios.access_environment # applications.access_environment
def test_portfolios_access_environment_access(get_url_assert_status): def test_applications_access_environment_access(get_url_assert_status):
dev = UserFactory.create() dev = UserFactory.create()
rando = UserFactory.create() rando = UserFactory.create()
ccpo = UserFactory.create_ccpo() ccpo = UserFactory.create_ccpo()
@ -144,24 +149,20 @@ def test_portfolios_access_environment_access(get_url_assert_status):
) )
env = portfolio.applications[0].environments[0] env = portfolio.applications[0].environments[0]
url = url_for( url = url_for("applications.access_environment", environment_id=env.id)
"portfolios.access_environment",
portfolio_id=portfolio.id,
environment_id=env.id,
)
get_url_assert_status(dev, url, 302) get_url_assert_status(dev, url, 302)
get_url_assert_status(rando, url, 404) get_url_assert_status(rando, url, 404)
get_url_assert_status(ccpo, url, 404) get_url_assert_status(ccpo, url, 404)
# portfolios.create_application # applications.create
def test_portfolios_create_application_access(post_url_assert_status): def test_applications_create_access(post_url_assert_status):
ccpo = user_with(PermissionSets.EDIT_PORTFOLIO_APPLICATION_MANAGEMENT) ccpo = user_with(PermissionSets.EDIT_PORTFOLIO_APPLICATION_MANAGEMENT)
owner = user_with() owner = user_with()
rando = user_with() rando = user_with()
portfolio = PortfolioFactory.create(owner=owner) portfolio = PortfolioFactory.create(owner=owner)
url = url_for("portfolios.create_application", portfolio_id=portfolio.id) url = url_for("applications.create", portfolio_id=portfolio.id)
post_url_assert_status(ccpo, url, 200) post_url_assert_status(ccpo, url, 200)
post_url_assert_status(owner, url, 200) post_url_assert_status(owner, url, 200)
post_url_assert_status(rando, url, 404) post_url_assert_status(rando, url, 404)
@ -180,8 +181,8 @@ def test_portfolios_create_member_access(post_url_assert_status):
post_url_assert_status(rando, url, 404) post_url_assert_status(rando, url, 404)
# portfolios.delete_application # applications.delete
def test_portfolios_delete_application_access(post_url_assert_status, monkeypatch): def test_applications_delete_access(post_url_assert_status, monkeypatch):
ccpo = UserFactory.create_ccpo() ccpo = UserFactory.create_ccpo()
owner = user_with() owner = user_with()
app_admin = user_with() app_admin = user_with()
@ -207,19 +208,15 @@ def test_portfolios_delete_application_access(post_url_assert_status, monkeypatc
monkeypatch.setattr("atst.domain.applications.Applications.delete", lambda *a: True) monkeypatch.setattr("atst.domain.applications.Applications.delete", lambda *a: True)
url = url_for( url = url_for("applications.delete", application_id=application.id)
"portfolios.delete_application",
portfolio_id=portfolio.id,
application_id=application.id,
)
post_url_assert_status(app_admin, url, 404) post_url_assert_status(app_admin, url, 404)
post_url_assert_status(rando, url, 404) post_url_assert_status(rando, url, 404)
post_url_assert_status(owner, url, 302) post_url_assert_status(owner, url, 302)
post_url_assert_status(ccpo, url, 302) post_url_assert_status(ccpo, url, 302)
# portfolios.edit_application # applications.settings
def test_portfolios_edit_application_access(get_url_assert_status): def test_application_settings_access(get_url_assert_status):
ccpo = user_with(PermissionSets.VIEW_PORTFOLIO_APPLICATION_MANAGEMENT) ccpo = user_with(PermissionSets.VIEW_PORTFOLIO_APPLICATION_MANAGEMENT)
owner = user_with() owner = user_with()
rando = user_with() rando = user_with()
@ -229,29 +226,27 @@ def test_portfolios_edit_application_access(get_url_assert_status):
) )
app = portfolio.applications[0] app = portfolio.applications[0]
url = url_for( url = url_for("applications.settings", application_id=app.id)
"portfolios.edit_application", portfolio_id=portfolio.id, application_id=app.id
)
get_url_assert_status(ccpo, url, 200) get_url_assert_status(ccpo, url, 200)
get_url_assert_status(owner, url, 200) get_url_assert_status(owner, url, 200)
get_url_assert_status(rando, url, 404) get_url_assert_status(rando, url, 404)
# portfolios.edit_portfolio # portfolios.edit
def test_portfolios_edit_portfolio_access(post_url_assert_status): def test_portfolios_edit_access(post_url_assert_status):
ccpo = user_with(PermissionSets.EDIT_PORTFOLIO_ADMIN) ccpo = user_with(PermissionSets.EDIT_PORTFOLIO_ADMIN)
owner = user_with() owner = user_with()
rando = user_with() rando = user_with()
portfolio = PortfolioFactory.create(owner=owner) portfolio = PortfolioFactory.create(owner=owner)
url = url_for("portfolios.edit_portfolio", portfolio_id=portfolio.id) url = url_for("portfolios.edit", portfolio_id=portfolio.id)
post_url_assert_status(ccpo, url, 200) post_url_assert_status(ccpo, url, 200)
post_url_assert_status(owner, url, 200) post_url_assert_status(owner, url, 200)
post_url_assert_status(rando, url, 404) post_url_assert_status(rando, url, 404)
# portfolios.edit_task_order_invitations # task_orders.invitations_edit
def test_portfolios_edit_task_order_invitations_access(post_url_assert_status): def test_task_orders_invitations_edit_access(post_url_assert_status):
ccpo = user_with(PermissionSets.EDIT_PORTFOLIO_FUNDING) ccpo = user_with(PermissionSets.EDIT_PORTFOLIO_FUNDING)
owner = user_with() owner = user_with()
rando = user_with() rando = user_with()
@ -259,7 +254,7 @@ def test_portfolios_edit_task_order_invitations_access(post_url_assert_status):
task_order = TaskOrderFactory.create(portfolio=portfolio) task_order = TaskOrderFactory.create(portfolio=portfolio)
url = url_for( url = url_for(
"portfolios.edit_task_order_invitations", "task_orders.invitations_edit",
portfolio_id=portfolio.id, portfolio_id=portfolio.id,
task_order_id=task_order.id, task_order_id=task_order.id,
) )
@ -268,8 +263,8 @@ def test_portfolios_edit_task_order_invitations_access(post_url_assert_status):
post_url_assert_status(rando, url, 404) post_url_assert_status(rando, url, 404)
# portfolios.ko_review # task_orders.ko_review
def test_portfolios_ko_review_access(get_url_assert_status): def test_task_orders_ko_review_access(get_url_assert_status):
ccpo = UserFactory.create_ccpo() ccpo = UserFactory.create_ccpo()
owner = user_with() owner = user_with()
cor = user_with() cor = user_with()
@ -281,75 +276,73 @@ def test_portfolios_ko_review_access(get_url_assert_status):
contracting_officer_representative=cor, contracting_officer_representative=cor,
) )
url = url_for( url = url_for("task_orders.ko_review", task_order_id=task_order.id)
"portfolios.ko_review", portfolio_id=portfolio.id, task_order_id=task_order.id
)
get_url_assert_status(ccpo, url, 404) get_url_assert_status(ccpo, url, 404)
get_url_assert_status(owner, url, 404) get_url_assert_status(owner, url, 404)
get_url_assert_status(ko, url, 200) get_url_assert_status(ko, url, 200)
get_url_assert_status(cor, url, 200) get_url_assert_status(cor, url, 200)
# portfolios.new_application # applications.new
def test_portfolios_new_application_access(get_url_assert_status): def test_applications_new_access(get_url_assert_status):
ccpo = user_with(PermissionSets.EDIT_PORTFOLIO_APPLICATION_MANAGEMENT) ccpo = user_with(PermissionSets.EDIT_PORTFOLIO_APPLICATION_MANAGEMENT)
owner = user_with() owner = user_with()
rando = user_with() rando = user_with()
portfolio = PortfolioFactory.create(owner=owner) portfolio = PortfolioFactory.create(owner=owner)
url = url_for("portfolios.new_application", portfolio_id=portfolio.id) url = url_for("applications.new", portfolio_id=portfolio.id)
get_url_assert_status(ccpo, url, 200) get_url_assert_status(ccpo, url, 200)
get_url_assert_status(owner, url, 200) get_url_assert_status(owner, url, 200)
get_url_assert_status(rando, url, 404) get_url_assert_status(rando, url, 404)
# portfolios.portfolio_admin # portfolios.admin
def test_portfolios_portfolio_admin_access(get_url_assert_status): def test_portfolios_admin_access(get_url_assert_status):
ccpo = user_with(PermissionSets.VIEW_PORTFOLIO_ADMIN) ccpo = user_with(PermissionSets.VIEW_PORTFOLIO_ADMIN)
owner = user_with() owner = user_with()
rando = user_with() rando = user_with()
portfolio = PortfolioFactory.create(owner=owner) portfolio = PortfolioFactory.create(owner=owner)
url = url_for("portfolios.portfolio_admin", portfolio_id=portfolio.id) url = url_for("portfolios.admin", portfolio_id=portfolio.id)
get_url_assert_status(ccpo, url, 200) get_url_assert_status(ccpo, url, 200)
get_url_assert_status(owner, url, 200) get_url_assert_status(owner, url, 200)
get_url_assert_status(rando, url, 404) get_url_assert_status(rando, url, 404)
# portfolios.portfolio_applications # applications.portfolio_applications
def test_portfolios_portfolio_applications_access(get_url_assert_status): def test_applications_portfolio_applications_access(get_url_assert_status):
ccpo = user_with(PermissionSets.VIEW_PORTFOLIO_APPLICATION_MANAGEMENT) ccpo = user_with(PermissionSets.VIEW_PORTFOLIO_APPLICATION_MANAGEMENT)
owner = user_with() owner = user_with()
rando = user_with() rando = user_with()
portfolio = PortfolioFactory.create(owner=owner) portfolio = PortfolioFactory.create(owner=owner)
url = url_for("portfolios.portfolio_applications", portfolio_id=portfolio.id) url = url_for("applications.portfolio_applications", portfolio_id=portfolio.id)
get_url_assert_status(ccpo, url, 200) get_url_assert_status(ccpo, url, 200)
get_url_assert_status(owner, url, 200) get_url_assert_status(owner, url, 200)
get_url_assert_status(rando, url, 404) get_url_assert_status(rando, url, 404)
# portfolios.portfolio_funding # task_orders.portfolio_funding
def test_portfolios_portfolio_funding_access(get_url_assert_status): def test_task_orders_portfolio_funding_access(get_url_assert_status):
ccpo = user_with(PermissionSets.VIEW_PORTFOLIO_FUNDING) ccpo = user_with(PermissionSets.VIEW_PORTFOLIO_FUNDING)
owner = user_with() owner = user_with()
rando = user_with() rando = user_with()
portfolio = PortfolioFactory.create(owner=owner) portfolio = PortfolioFactory.create(owner=owner)
url = url_for("portfolios.portfolio_funding", portfolio_id=portfolio.id) url = url_for("task_orders.portfolio_funding", portfolio_id=portfolio.id)
get_url_assert_status(ccpo, url, 200) get_url_assert_status(ccpo, url, 200)
get_url_assert_status(owner, url, 200) get_url_assert_status(owner, url, 200)
get_url_assert_status(rando, url, 404) get_url_assert_status(rando, url, 404)
# portfolios.portfolio_reports # portfolios.reports
def test_portfolios_portfolio_reports_access(get_url_assert_status): def test_portfolios_portfolio_reports_access(get_url_assert_status):
ccpo = user_with(PermissionSets.VIEW_PORTFOLIO_REPORTS) ccpo = user_with(PermissionSets.VIEW_PORTFOLIO_REPORTS)
owner = user_with() owner = user_with()
rando = user_with() rando = user_with()
portfolio = PortfolioFactory.create(owner=owner) portfolio = PortfolioFactory.create(owner=owner)
url = url_for("portfolios.portfolio_reports", portfolio_id=portfolio.id) url = url_for("portfolios.reports", portfolio_id=portfolio.id)
get_url_assert_status(ccpo, url, 200) get_url_assert_status(ccpo, url, 200)
get_url_assert_status(owner, url, 200) get_url_assert_status(owner, url, 200)
get_url_assert_status(rando, url, 404) get_url_assert_status(rando, url, 404)
@ -375,8 +368,8 @@ def test_portfolios_resend_invitation_access(post_url_assert_status):
post_url_assert_status(rando, url, 404) post_url_assert_status(rando, url, 404)
# portfolios.resend_invite # task_orders.resend_invite
def test_portfolios_resend_invite_access(post_url_assert_status): def test_task_orders_resend_invite_access(post_url_assert_status):
ccpo = UserFactory.create_ccpo() ccpo = UserFactory.create_ccpo()
owner = user_with() owner = user_with()
rando = user_with() rando = user_with()
@ -388,8 +381,7 @@ def test_portfolios_resend_invite_access(post_url_assert_status):
invite = InvitationFactory.create(user=UserFactory.create(), portfolio_role=prr) invite = InvitationFactory.create(user=UserFactory.create(), portfolio_role=prr)
url = url_for( url = url_for(
"portfolios.resend_invite", "task_orders.resend_invite",
portfolio_id=portfolio.id,
task_order_id=task_order.id, task_order_id=task_order.id,
invite_type="ko_invite", invite_type="ko_invite",
) )
@ -434,8 +426,8 @@ def test_portfolios_show_portfolio_access(get_url_assert_status):
get_url_assert_status(rando, url, 404) get_url_assert_status(rando, url, 404)
# portfolios.so_review # task_orders.so_review
def test_portfolios_so_review_access(get_url_assert_status): def test_task_orders_so_review_access(get_url_assert_status):
ccpo = UserFactory.create_ccpo() ccpo = UserFactory.create_ccpo()
owner = user_with() owner = user_with()
rando = user_with() rando = user_with()
@ -443,17 +435,15 @@ def test_portfolios_so_review_access(get_url_assert_status):
portfolio = PortfolioFactory.create(owner=owner) portfolio = PortfolioFactory.create(owner=owner)
task_order = TaskOrderFactory.create(portfolio=portfolio, security_officer=so) task_order = TaskOrderFactory.create(portfolio=portfolio, security_officer=so)
url = url_for( url = url_for("task_orders.so_review", task_order_id=task_order.id)
"portfolios.so_review", portfolio_id=portfolio.id, task_order_id=task_order.id
)
get_url_assert_status(so, url, 200) get_url_assert_status(so, url, 200)
get_url_assert_status(ccpo, url, 404) get_url_assert_status(ccpo, url, 404)
get_url_assert_status(owner, url, 404) get_url_assert_status(owner, url, 404)
get_url_assert_status(rando, url, 404) get_url_assert_status(rando, url, 404)
# portfolios.submit_ko_review # task_orders.submit_ko_review
def test_portfolios_submit_ko_review_access(post_url_assert_status): def test_task_orders_submit_ko_review_access(post_url_assert_status):
ccpo = UserFactory.create_ccpo() ccpo = UserFactory.create_ccpo()
owner = user_with() owner = user_with()
cor = user_with() cor = user_with()
@ -465,19 +455,15 @@ def test_portfolios_submit_ko_review_access(post_url_assert_status):
contracting_officer_representative=cor, contracting_officer_representative=cor,
) )
url = url_for( url = url_for("task_orders.submit_ko_review", task_order_id=task_order.id)
"portfolios.submit_ko_review",
portfolio_id=portfolio.id,
task_order_id=task_order.id,
)
post_url_assert_status(ccpo, url, 404) post_url_assert_status(ccpo, url, 404)
post_url_assert_status(owner, url, 404) post_url_assert_status(owner, url, 404)
post_url_assert_status(ko, url, 200) post_url_assert_status(ko, url, 200)
post_url_assert_status(cor, url, 200) post_url_assert_status(cor, url, 200)
# portfolios.submit_so_review # task_orders.submit_so_review
def test_portfolios_submit_so_review_access(post_url_assert_status): def test_task_orders_submit_so_review_access(post_url_assert_status):
ccpo = UserFactory.create_ccpo() ccpo = UserFactory.create_ccpo()
owner = user_with() owner = user_with()
rando = user_with() rando = user_with()
@ -485,37 +471,29 @@ def test_portfolios_submit_so_review_access(post_url_assert_status):
portfolio = PortfolioFactory.create(owner=owner) portfolio = PortfolioFactory.create(owner=owner)
task_order = TaskOrderFactory.create(portfolio=portfolio, security_officer=so) task_order = TaskOrderFactory.create(portfolio=portfolio, security_officer=so)
url = url_for( url = url_for("task_orders.submit_so_review", task_order_id=task_order.id)
"portfolios.submit_so_review",
portfolio_id=portfolio.id,
task_order_id=task_order.id,
)
post_url_assert_status(so, url, 200) post_url_assert_status(so, url, 200)
post_url_assert_status(ccpo, url, 404) post_url_assert_status(ccpo, url, 404)
post_url_assert_status(owner, url, 404) post_url_assert_status(owner, url, 404)
post_url_assert_status(rando, url, 404) post_url_assert_status(rando, url, 404)
# portfolios.task_order_invitations # task_orders.invitations
def test_portfolios_task_order_invitations_access(get_url_assert_status): def test_task_orders_invitations_access(get_url_assert_status):
ccpo = user_with(PermissionSets.EDIT_PORTFOLIO_FUNDING) ccpo = user_with(PermissionSets.EDIT_PORTFOLIO_FUNDING)
owner = user_with() owner = user_with()
rando = user_with() rando = user_with()
portfolio = PortfolioFactory.create(owner=owner) portfolio = PortfolioFactory.create(owner=owner)
task_order = TaskOrderFactory.create(portfolio=portfolio) task_order = TaskOrderFactory.create(portfolio=portfolio)
url = url_for( url = url_for("task_orders.invitations", task_order_id=task_order.id)
"portfolios.task_order_invitations",
portfolio_id=portfolio.id,
task_order_id=task_order.id,
)
get_url_assert_status(ccpo, url, 200) get_url_assert_status(ccpo, url, 200)
get_url_assert_status(owner, url, 200) get_url_assert_status(owner, url, 200)
get_url_assert_status(rando, url, 404) get_url_assert_status(rando, url, 404)
# portfolios.update_application # applications.update
def test_portfolios_update_application_access(post_url_assert_status): def test_applications_update_access(post_url_assert_status):
ccpo = user_with(PermissionSets.EDIT_PORTFOLIO_APPLICATION_MANAGEMENT) ccpo = user_with(PermissionSets.EDIT_PORTFOLIO_APPLICATION_MANAGEMENT)
dev = UserFactory.create() dev = UserFactory.create()
rando = UserFactory.create() rando = UserFactory.create()
@ -526,18 +504,14 @@ def test_portfolios_update_application_access(post_url_assert_status):
) )
app = portfolio.applications[0] app = portfolio.applications[0]
url = url_for( url = url_for("applications.update", application_id=app.id)
"portfolios.update_application",
portfolio_id=portfolio.id,
application_id=app.id,
)
post_url_assert_status(dev, url, 200) post_url_assert_status(dev, url, 200)
post_url_assert_status(ccpo, url, 200) post_url_assert_status(ccpo, url, 200)
post_url_assert_status(rando, url, 404) post_url_assert_status(rando, url, 404)
# portfolios.view_task_order # task_orders.view_task_order
def test_portfolios_view_task_order_access(get_url_assert_status): def test_task_orders_view_task_order_access(get_url_assert_status):
ccpo = user_with(PermissionSets.VIEW_PORTFOLIO_FUNDING) ccpo = user_with(PermissionSets.VIEW_PORTFOLIO_FUNDING)
owner = user_with() owner = user_with()
rando = user_with() rando = user_with()
@ -545,11 +519,7 @@ def test_portfolios_view_task_order_access(get_url_assert_status):
portfolio = PortfolioFactory.create(owner=owner) portfolio = PortfolioFactory.create(owner=owner)
task_order = TaskOrderFactory.create(portfolio=portfolio) task_order = TaskOrderFactory.create(portfolio=portfolio)
url = url_for( url = url_for("task_orders.view_task_order", task_order_id=task_order.id)
"portfolios.view_task_order",
portfolio_id=portfolio.id,
task_order_id=task_order.id,
)
get_url_assert_status(owner, url, 200) get_url_assert_status(owner, url, 200)
get_url_assert_status(ccpo, url, 200) get_url_assert_status(ccpo, url, 200)
get_url_assert_status(rando, url, 404) get_url_assert_status(rando, url, 404)
@ -558,7 +528,7 @@ def test_portfolios_view_task_order_access(get_url_assert_status):
# task_orders.download_csp_estimate # task_orders.download_csp_estimate
def test_task_orders_download_csp_estimate_access(get_url_assert_status, monkeypatch): def test_task_orders_download_csp_estimate_access(get_url_assert_status, monkeypatch):
monkeypatch.setattr( monkeypatch.setattr(
"atst.routes.task_orders.index.send_file", lambda a: Response("") "atst.routes.task_orders.downloads.send_file", lambda a: Response("")
) )
ccpo = user_with(PermissionSets.VIEW_PORTFOLIO_FUNDING) ccpo = user_with(PermissionSets.VIEW_PORTFOLIO_FUNDING)
owner = user_with() owner = user_with()
@ -591,7 +561,7 @@ def test_task_orders_download_summary_access(get_url_assert_status):
# task_orders.download_task_order_pdf # task_orders.download_task_order_pdf
def test_task_orders_download_task_order_pdf_access(get_url_assert_status, monkeypatch): def test_task_orders_download_task_order_pdf_access(get_url_assert_status, monkeypatch):
monkeypatch.setattr( monkeypatch.setattr(
"atst.routes.task_orders.index.send_file", lambda a: Response("") "atst.routes.task_orders.downloads.send_file", lambda a: Response("")
) )
ccpo = user_with(PermissionSets.VIEW_PORTFOLIO_FUNDING) ccpo = user_with(PermissionSets.VIEW_PORTFOLIO_FUNDING)
owner = user_with() owner = user_with()
@ -713,18 +683,14 @@ def test_task_orders_update_access(post_url_assert_status):
post_url_assert_status(rando, url, 404) post_url_assert_status(rando, url, 404)
def test_portfolio_application_team_access(get_url_assert_status): def test_applications_application_team_access(get_url_assert_status):
ccpo = UserFactory.create_ccpo() ccpo = UserFactory.create_ccpo()
rando = UserFactory.create() rando = UserFactory.create()
portfolio = PortfolioFactory.create() portfolio = PortfolioFactory.create()
application = ApplicationFactory.create(portfolio=portfolio) application = ApplicationFactory.create(portfolio=portfolio)
url = url_for( url = url_for("applications.team", application_id=application.id)
"portfolios.application_team",
portfolio_id=portfolio.id,
application_id=application.id,
)
get_url_assert_status(ccpo, url, 200) get_url_assert_status(ccpo, url, 200)
get_url_assert_status(portfolio.owner, url, 200) get_url_assert_status(portfolio.owner, url, 200)