diff --git a/invenio_oauthclient/contrib/cern.py b/invenio_oauthclient/contrib/cern.py
index 4cca799c..a7d2979a 100644
--- a/invenio_oauthclient/contrib/cern.py
+++ b/invenio_oauthclient/contrib/cern.py
@@ -356,6 +356,7 @@ def extend_identity(identity, groups):
 def disconnect_identity(identity):
 """Disconnect identity from CERN groups."""
+ session.pop("cern_resource", None)
 provides = session.pop(OAUTHCLIENT_CERN_SESSION_KEY, {})
 identity.provides -= provides
@@ -504,6 +505,7 @@ def on_identity_changed(sender, identity):
 :param identity: The user identity where information are stored.
 """
 if isinstance(identity, AnonymousIdentity):
+ disconnect_identity(identity)
 return
 client_id = current_app.config['CERN_APP_CREDENTIALS']['consumer_key']
diff --git a/invenio_oauthclient/contrib/cern_openid.py b/invenio_oauthclient/contrib/cern_openid.py
index fa3780f3..04b89345 100644
--- a/invenio_oauthclient/contrib/cern_openid.py
+++ b/invenio_oauthclient/contrib/cern_openid.py
@@ -210,6 +210,7 @@ def extend_identity(identity, roles):
 def disconnect_identity(identity):
 """Disconnect identity from CERN groups."""
+ session.pop("cern_resource", None)
 key = current_app.config.get(
 "OAUTHCLIENT_CERN_OPENID_SESSION_KEY",
 OAUTHCLIENT_CERN_OPENID_SESSION_KEY,
@@ -366,6 +367,7 @@ def on_identity_changed(sender, identity):
 :param identity: The user identity where information are stored.
 """
 if isinstance(identity, AnonymousIdentity):
+ disconnect_identity(identity)
 return
 client_id = current_app.config["CERN_APP_OPENID_CREDENTIALS"][
diff --git a/tests/test_contrib_cern.py b/tests/test_contrib_cern.py
index 45888303..e52ba7f1 100644
--- a/tests/test_contrib_cern.py
+++ b/tests/test_contrib_cern.py
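Review bot: The session entry removed in `disconnect_identity` is addressed by the bare literal `"cern_resource"`, and the same literal is repeated in the cern_openid.py hunk, while the code that stores the entry is outside this diff. Nothing ties the writer and this pop together, so a rename on the writing side would make logout silently stop clearing the cached resource. A module-level constant beside `OAUTHCLIENT_CERN_SESSION_KEY`, used by both sides, would keep them in step, e.g. `session.pop(CERN_RESOURCE_SESSION_KEY, None)` (the constant name is a proposal, not an existing identifier).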
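Review bot: The `{}` default in cern.py's `disconnect_identity` (first hunk) becomes reachable through the call added in the anonymous branch of `on_identity_changed`, which now runs on every anonymous identity change, including sessions that never held CERN data. In that case `identity.provides -= provides` gets a dict operand; `identity.provides` is a set in Flask-Principal, and a set rejects a dict for `-=`, so logout of a user without a CERN session would raise `TypeError` instead of clearing state. An empty-set default avoids this: `provides = session.pop(OAUTHCLIENT_CERN_SESSION_KEY, set())`. The rest of `disconnect_identity` in cern_openid.py lies outside its hunk, so its default should be checked the same way; `on_identity_changed` itself starts and continues outside this hunk.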
@@ -10,16 +10,14 @@ from __future__ import absolute_import -import pytest from flask import g, session, url_for -from flask_security import login_user +from flask_security import login_user, logout_user from helpers import get_state, mock_remote_get, mock_response from six.moves.urllib_parse import parse_qs, urlparse -from invenio_oauthclient.contrib.cern import account_info, \ - disconnect_handler, fetch_extra_data, fetch_groups, \ +from invenio_oauthclient.contrib.cern import OAUTHCLIENT_CERN_SESSION_KEY, \ + account_info, disconnect_handler, fetch_extra_data, fetch_groups, \ get_dict_from_response -from invenio_oauthclient.errors import OAuthCERNRejectedAccountError def test_fetch_groups(app, example_cern): @@ -138,6 +136,16 @@ def test_account_setup(app, example_cern, models_fixture): login_user(user) assert len(g.identity.provides) == 7 + + logout_user() + assert len(g.identity.provides) == 1 + assert "cern_resource" not in session + assert OAUTHCLIENT_CERN_SESSION_KEY not in session + + # Login again to test the disconnect handler + login_user(user) + assert len(g.identity.provides) == 7 + disconnect_handler(ioc.remote_apps['cern']) diff --git a/tests/test_contrib_cern_openid.py b/tests/test_contrib_cern_openid.py index 00aa8921..d77bbd0c 100644 --- a/tests/test_contrib_cern_openid.py +++ b/tests/test_contrib_cern_openid.py 
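Review bot: The logout assertions added to `test_account_setup` only cover a session that already holds the CERN entries, so the path where `disconnect_identity` runs with nothing stored is never exercised; the parallel hunks in test_contrib_cern_openid.py, test_contrib_cern_openid_rest.py and test_contrib_cern_rest.py have the same gap. Assuming `logout_user()` sends the anonymous identity change on every call, a second `logout_user()` directly after the first, followed by `assert len(g.identity.provides) == 1`, would cover the empty-session case. The test body begins outside the hunk, so the expected counts of 7 and 1 cannot be verified from here.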
@@ -14,13 +14,13 @@ import pytest from flask import g, session, url_for -from flask_security import login_user +from flask_security import login_user, logout_user from helpers import get_state, mock_remote_get, mock_response from six.moves.urllib_parse import parse_qs, urlparse -from invenio_oauthclient.contrib.cern_openid import account_info, \ - disconnect_handler, fetch_extra_data, get_dict_from_response -from invenio_oauthclient.errors import OAuthCERNRejectedAccountError +from invenio_oauthclient.contrib.cern_openid import \ + OAUTHCLIENT_CERN_OPENID_SESSION_KEY, account_info, disconnect_handler, \ + fetch_extra_data, get_dict_from_response from flask_oauthlib.client import OAuthResponse # noqa isort:skip @@ -118,6 +118,16 @@ def test_account_setup(app, example_cern_openid, models_fixture): login_user(user) assert len(g.identity.provides) == 3 + + logout_user() + assert len(g.identity.provides) == 1 + assert "cern_resource" not in session + assert OAUTHCLIENT_CERN_OPENID_SESSION_KEY not in session + + # Login again to test the disconnect handler + login_user(user) + assert len(g.identity.provides) == 3 + disconnect_handler(ioc.remote_apps['cern_openid']) diff --git a/tests/test_contrib_cern_openid_rest.py b/tests/test_contrib_cern_openid_rest.py index 475ddf19..62aeb3ed 100644 --- a/tests/test_contrib_cern_openid_rest.py +++ b/tests/test_contrib_cern_openid_rest.py 
@@ -14,14 +14,14 @@ import pytest from flask import g, session, url_for -from flask_security import login_user +from flask_security import login_user, logout_user from helpers import check_response_redirect_url_args, get_state, \ mock_remote_get, mock_response from six.moves.urllib_parse import parse_qs, urlparse -from invenio_oauthclient.contrib.cern_openid import account_info_rest, \ +from invenio_oauthclient.contrib.cern_openid import \ + OAUTHCLIENT_CERN_OPENID_SESSION_KEY, account_info_rest, \ disconnect_rest_handler, fetch_extra_data, get_dict_from_response -from invenio_oauthclient.errors import OAuthCERNRejectedAccountError from flask_oauthlib.client import OAuthResponse # noqa isort:skip @@ -124,6 +124,16 @@ def test_account_setup(app_rest, example_cern_openid_rest, models_fixture): login_user(user) assert len(g.identity.provides) == 3 + + logout_user() + assert len(g.identity.provides) == 1 + assert "cern_resource" not in session + assert OAUTHCLIENT_CERN_OPENID_SESSION_KEY not in session + + # Login again to test the disconnect handler + login_user(user) + assert len(g.identity.provides) == 3 + disconnect_rest_handler(ioc.remote_apps['cern_openid']) @@ -178,8 +188,8 @@ def test_account_info_not_allowed_account(app_rest, example_cern_openid_rest): example_response, _, example_account_info = example_cern_openid_rest mock_remote_get(ioc, 'cern_openid', example_response) - resp = account_info_rest(ioc.remote_apps['cern_openid'], None) + assert resp.status_code == 302 expected_url_args = { "message": "CERN account not allowed.", diff --git a/tests/test_contrib_cern_rest.py b/tests/test_contrib_cern_rest.py index 1ce319e7..eb9c926c 100644 --- a/tests/test_contrib_cern_rest.py +++ b/tests/test_contrib_cern_rest.py 
@@ -10,17 +10,15 @@ from __future__ import absolute_import -import pytest from flask import g, session, url_for -from flask_security import login_user +from flask_security import login_user, logout_user from helpers import check_response_redirect_url_args, get_state, \ mock_remote_get, mock_response from six.moves.urllib_parse import parse_qs, urlparse -from invenio_oauthclient.contrib.cern import account_info_rest, \ - disconnect_rest_handler, fetch_extra_data, fetch_groups, \ - get_dict_from_response -from invenio_oauthclient.errors import OAuthCERNRejectedAccountError +from invenio_oauthclient.contrib.cern import OAUTHCLIENT_CERN_SESSION_KEY, \ + account_info_rest, disconnect_rest_handler, fetch_extra_data, \ + fetch_groups, get_dict_from_response def test_fetch_groups(app_rest, example_cern): @@ -131,6 +129,16 @@ def test_account_setup(app_rest, example_cern, models_fixture): login_user(user) assert len(g.identity.provides) == 7 + + logout_user() + assert len(g.identity.provides) == 1 + assert "cern_resource" not in session + assert OAUTHCLIENT_CERN_SESSION_KEY not in session + + # Login again to test the disconnect handler + login_user(user) + assert len(g.identity.provides) == 7 + disconnect_rest_handler(ioc.remote_apps['cern'])