From 11c61da9bb4cbff42725ba6b6a91d5ceab83fd28 Mon Sep 17 00:00:00 2001 From: Mark Hobson Date: Mon, 23 Oct 2023 12:24:10 +0100 Subject: [PATCH] GH-4: Register API when API key configured --- README.md | 2 +- schemes/__init__.py | 3 +- tests/integration/test_users.py | 98 +++++++++++++++------------------ 3 files changed, 47 insertions(+), 56 deletions(-) diff --git a/README.md b/README.md index cdd1dd94..9c12168e 100644 --- a/README.md +++ b/README.md @@ -26,7 +26,7 @@ The application can also be configured with the following environment variables: | FLASK_SECRET_KEY | Flask session [secret key](https://flask.palletsprojects.com/en/2.3.x/quickstart/#sessions) | | FLASK_BASIC_AUTH_USERNAME | HTTP Basic Auth username | | FLASK_BASIC_AUTH_PASSWORD | HTTP Basic Auth password | -| FLASK_API_KEY | API key | +| FLASK_API_KEY | API key (unset to disable) | | FLASK_GOVUK_CLIENT_ID | OIDC client id | | FLASK_GOVUK_CLIENT_SECRET | OIDC client secret | | FLASK_GOVUK_SERVER_METADATA_URL | OIDC discovery endpoint | diff --git a/schemes/__init__.py b/schemes/__init__.py index 57f04d18..e3a1a8e1 100644 --- a/schemes/__init__.py +++ b/schemes/__init__.py @@ -37,8 +37,7 @@ def bindings(binder: Binder) -> None: app.register_blueprint(start.bp) app.register_blueprint(auth.bp, url_prefix="/auth") app.register_blueprint(home.bp, url_prefix="/home") - if app.testing: - app.register_blueprint(users.bp, url_prefix="/users") + app.register_blueprint(users.bp, url_prefix="/users") _create_database() if not app.testing: diff --git a/tests/integration/test_users.py b/tests/integration/test_users.py index f6fb5066..dfc15802 100644 --- a/tests/integration/test_users.py +++ b/tests/integration/test_users.py 
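Review bot: With the `if app.testing:` guard gone, `app.register_blueprint(users.bp, url_prefix="/users")` runs in every deployment, so the routes that add and clear users are reachable in production and protected only by the API-key check inside `schemes.users`, which this diff does not show. That check has to fail closed when `API_KEY` is absent and also when it is set to an empty string, otherwise a header of `Authorization: API-Key ` with nothing after it could match; comparing the presented key with `hmac.compare_digest` would also avoid a timing side channel. The subject says the API is registered "when API key configured", but registration is unconditional, so a comment on the line would record where the gate lives: `# Always registered; schemes.users returns 401 for every request unless API_KEY is set`. The enclosing function begins and ends outside the hunk.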
@@ -7,76 +7,68 @@ from schemes.users import User, UserRepository -@pytest.fixture(name="config") -def config_fixture(config: Mapping[str, Any]) -> Mapping[str, Any]: - return config | {"API_KEY": "boardman"} - - -@pytest.fixture(name="users") -def users_fixture() -> UserRepository: - return inject.instance(UserRepository) - - -def test_add_users(users: UserRepository, client: FlaskClient) -> None: - response = client.post( - "/users", - headers={"Authorization": "API-Key boardman"}, - json=[{"email": "boardman@example.com"}, {"email": "obree@example.com"}], - ) - - assert response.status_code == 201 - assert users.get_all() == [User("boardman@example.com"), User("obree@example.com")] - - -def test_cannot_add_users_when_no_credentials(users: UserRepository, client: FlaskClient) -> None: - response = client.post("/users", json=[{"email": "boardman@example.com"}]) - - assert response.status_code == 401 - assert not users.get_all() +class TestApiEnabled: + @pytest.fixture(name="config") + def config_fixture(self, config: Mapping[str, Any]) -> Mapping[str, Any]: + return config | {"API_KEY": "boardman"} + @pytest.fixture(name="users") + def users_fixture(self) -> UserRepository: + return inject.instance(UserRepository) -def test_cannot_add_users_when_incorrect_credentials(users: UserRepository, client: FlaskClient) -> None: - response = client.post( - "/users", headers={"Authorization": "API-Key obree"}, json=[{"email": "boardman@example.com"}] - ) + def test_add_users(self, users: UserRepository, client: FlaskClient) -> None: + response = client.post( + "/users", + headers={"Authorization": "API-Key boardman"}, + json=[{"email": "boardman@example.com"}, {"email": "obree@example.com"}], + ) - assert response.status_code == 401 - assert not users.get_all() + assert response.status_code == 201 + assert users.get_all() == [User("boardman@example.com"), User("obree@example.com")] + def test_cannot_add_users_when_no_credentials(self, users: UserRepository, client: 
FlaskClient) -> None: + response = client.post("/users", json=[{"email": "boardman@example.com"}]) -def test_clear_users(users: UserRepository, client: FlaskClient) -> None: - users.add(User("boardman@example.com")) + assert response.status_code == 401 + assert not users.get_all() - response = client.delete("/users", headers={"Authorization": "API-Key boardman"}) + def test_cannot_add_users_when_incorrect_credentials(self, users: UserRepository, client: FlaskClient) -> None: + response = client.post( + "/users", headers={"Authorization": "API-Key obree"}, json=[{"email": "boardman@example.com"}] + ) - assert response.status_code == 204 - assert not users.get_all() + assert response.status_code == 401 + assert not users.get_all() + def test_clear_users(self, users: UserRepository, client: FlaskClient) -> None: + users.add(User("boardman@example.com")) -def test_cannot_clear_users_when_no_credentials(users: UserRepository, client: FlaskClient) -> None: - users.add(User("boardman@example.com")) + response = client.delete("/users", headers={"Authorization": "API-Key boardman"}) - response = client.delete("/users") + assert response.status_code == 204 + assert not users.get_all() - assert response.status_code == 401 - assert users.get_all() == [User("boardman@example.com")] + def test_cannot_clear_users_when_no_credentials(self, users: UserRepository, client: FlaskClient) -> None: + users.add(User("boardman@example.com")) + response = client.delete("/users") -def test_cannot_clear_users_when_incorrect_credentials(users: UserRepository, client: FlaskClient) -> None: - users.add(User("boardman@example.com")) + assert response.status_code == 401 + assert users.get_all() == [User("boardman@example.com")] - response = client.delete("/users", headers={"Authorization": "API-Key obree"}) + def test_cannot_clear_users_when_incorrect_credentials(self, users: UserRepository, client: FlaskClient) -> None: + users.add(User("boardman@example.com")) - assert response.status_code == 
401 - assert users.get_all() == [User("boardman@example.com")] + response = client.delete("/users", headers={"Authorization": "API-Key obree"}) + assert response.status_code == 401 + assert users.get_all() == [User("boardman@example.com")] -class TestProduction: - @pytest.fixture(name="config") - def config_fixture(self, config: Mapping[str, Any]) -> Mapping[str, Any]: - return config | {"TESTING": False} +class TestApiDisabled: def test_cannot_add_user(self, client: FlaskClient) -> None: - response = client.post("/users", json={"email": "boardman@example.com"}) + response = client.post( + "/users", headers={"Authorization": "API-Key boardman"}, json={"email": "boardman@example.com"} + ) - assert response.status_code == 404 + assert response.status_code == 401
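Review bot: `TestApiDisabled` covers only `POST /users`; the destructive `DELETE /users` route has no test for the disabled state, and neither test class covers `API_KEY` set to an empty string. I would add `def test_cannot_clear_users(self, client: FlaskClient) -> None:` that sends `client.delete("/users", headers={"Authorization": "API-Key boardman"})` and asserts `response.status_code == 401`, plus a class whose `config` fixture returns `config | {"API_KEY": ""}` and asserts 401 for a request carrying an empty key. The disabled test also does not assert that the repository stayed empty, unlike the negative tests in `TestApiEnabled`, because the `users` fixture now lives inside that class; hoisting it back to module level would let both classes use it.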