Default SecuritySettings.env to prod (#5326)

CHANGELOG.md

@@ -28,6 +28,7 @@ The types of changes are:
 
 ### Changed
 - Updated privacy notices to support notice hierarchies [#5272](https://github.com/ethyca/fides/pull/5272)
+- Defaulting SecuritySettings.env to prod [#5326](https://github.com/ethyca/fides/pull/5326)
 
 ## [2.45.2](https://github.com/ethyca/fides/compare/2.45.1...2.45.2)
 

src/fides/config/security_settings.py

@@ -51,7 +51,7 @@ class SecuritySettings(FidesSettings):
         default="UTF-8", description="Text encoding to use for the application."
     )
     env: str = Field(
-        default="dev",
+        default="prod",
         description="The default, `dev`, does not apply authentication to endpoints typically used by the CLI. The other option, `prod`, requires authentication for _all_ endpoints that may contain sensitive information.",
     )
     identity_verification_attempt_limit: int = Field(

tests/ctl/core/config/test_security_settings.py

@@ -57,3 +57,7 @@ def test_assemble_root_access_token_none(self):
     def test_validate_request_rate_limit_invalid_format(self):
         with pytest.raises(ValueError):
             SecuritySettings(request_rate_limit="invalid")
+
+    def test_security_settings_env_default_to_prod(self):
+        settings = SecuritySettings()
+        assert settings.env == "prod"

tests/ops/api/v1/test_main.py

@@ -2,6 +2,7 @@
 
 import pytest
 from fastapi import FastAPI
+from httpx import AsyncClient
 from starlette.testclient import TestClient
 
 from fides.api.main import create_fides_app, lifespan
@@ -10,6 +11,8 @@
     verify_oauth_client,
     verify_oauth_client_prod,
 )
+from fides.common.api.v1.urn_registry import V1_URL_PREFIX
+from fides.config.security_settings import SecuritySettings
 
 
 def test_read_autogenerated_docs(api_client: TestClient):
@@ -19,6 +22,7 @@ def test_read_autogenerated_docs(api_client: TestClient):
 
 
 class TestConfigureSecurityEnvOverrides:
+
     def test_configure_security_env_overrides_dev(self) -> None:
         """
         This test verifies that when set to 'dev', only the
@@ -31,7 +35,8 @@ def test_configure_security_env_overrides_dev(self) -> None:
             test_app.dependency_overrides[verify_oauth_client_prod] == get_root_client
         )
 
-    def test_configure_security_env_overrides_prod(self) -> None:
+    @pytest.mark.asyncio
+    async def test_configure_security_env_overrides_prod(self) -> None:
         """
         This test verifies that when set to 'prod', there are no
         dependency overrides for the oauth clients.
@@ -44,3 +49,36 @@ def test_configure_security_env_overrides_prod(self) -> None:
 
         with pytest.raises(KeyError):
             test_app.dependency_overrides[verify_oauth_client_prod]
+
+        # an endpoint using verify_oauth_client_prod
+        async with AsyncClient(
+            app=test_app, base_url="http://0.0.0.0:8080", follow_redirects=True
+        ) as client:
+            response = await client.get(V1_URL_PREFIX + "/system")
+            assert response.status_code == 401
+
+    @pytest.mark.asyncio
+    async def test_configure_security_env_defaults_to_prod(self) -> None:
+        """
+        This test verifies that when env is not set, there are no
+        dependency overrides for the oauth clients.
+        """
+
+        # simulates a config with default settings, not loading from any env variables
+        default_security_settings = SecuritySettings()
+        test_app = FastAPI(title="test")
+        test_app = create_fides_app(
+            lifespan=lifespan, security_env=default_security_settings.env
+        )
+        with pytest.raises(KeyError):
+            test_app.dependency_overrides[verify_oauth_client]
+
+        with pytest.raises(KeyError):
+            test_app.dependency_overrides[verify_oauth_client_prod]
+
+        # an endpoint using verify_oauth_client_prod
+        async with AsyncClient(
+            app=test_app, base_url="http://0.0.0.0:8080", follow_redirects=True
+        ) as client:
+            response = await client.get(V1_URL_PREFIX + "/system")
+            assert response.status_code == 401