Merge 5c62027 into 734e5df

invenio_oauthclient/contrib/cern.py

@@ -356,6 +356,7 @@ def extend_identity(identity, groups):
 
 def disconnect_identity(identity):
     """Disconnect identity from CERN groups."""
+    session.pop("cern_resource", None)
     provides = session.pop(OAUTHCLIENT_CERN_SESSION_KEY, {})
     identity.provides -= provides
 
@@ -504,6 +505,7 @@ def on_identity_changed(sender, identity):
     :param identity: The user identity where information are stored.
     """
     if isinstance(identity, AnonymousIdentity):
+        disconnect_identity(identity)
         return
 
     client_id = current_app.config['CERN_APP_CREDENTIALS']['consumer_key']

invenio_oauthclient/contrib/cern_openid.py

@@ -210,6 +210,7 @@ def extend_identity(identity, roles):
 
 def disconnect_identity(identity):
     """Disconnect identity from CERN groups."""
+    session.pop("cern_resource", None)
     key = current_app.config.get(
         "OAUTHCLIENT_CERN_OPENID_SESSION_KEY",
         OAUTHCLIENT_CERN_OPENID_SESSION_KEY,
@@ -366,6 +367,7 @@ def on_identity_changed(sender, identity):
     :param identity: The user identity where information are stored.
     """
     if isinstance(identity, AnonymousIdentity):
+        disconnect_identity(identity)
         return
 
     client_id = current_app.config["CERN_APP_OPENID_CREDENTIALS"][

tests/conftest.py

@@ -71,6 +71,8 @@ def base_app(request):
         WTF_CSRF_ENABLED=False,
         LOGIN_DISABLED=False,
         CACHE_TYPE='simple',
+        OAUTHCLIENT_CERN_SESSION_KEY='identity.test_provides',
+        OAUTHCLIENT_CERN_OPENID_SESSION_KEY='identity.test_openid_provides',
         OAUTHCLIENT_REMOTE_APPS=dict(
             cern=CERN_REMOTE_APP,
             cern_openid=CERN_OPENID_REMOTE_APP,

tests/test_contrib_cern.py

@@ -10,16 +10,14 @@
 
 from __future__ import absolute_import
 
-import pytest
 from flask import g, session, url_for
-from flask_security import login_user
+from flask_security import login_user, logout_user
 from helpers import get_state, mock_remote_get, mock_response
 from six.moves.urllib_parse import parse_qs, urlparse
 
 from invenio_oauthclient.contrib.cern import account_info, \
     disconnect_handler, fetch_extra_data, fetch_groups, \
     get_dict_from_response
-from invenio_oauthclient.errors import OAuthCERNRejectedAccountError
 
 
 def test_fetch_groups(app, example_cern):
@@ -138,6 +136,11 @@ def test_account_setup(app, example_cern, models_fixture):
 
         login_user(user)
         assert len(g.identity.provides) == 7
+
+        logout_user()
+        assert "cern_resource" not in session
+        assert app.config['OAUTHCLIENT_CERN_SESSION_KEY'] not in session
+
         disconnect_handler(ioc.remote_apps['cern'])
 
 

tests/test_contrib_cern_openid.py

@@ -14,13 +14,12 @@
 
 import pytest
 from flask import g, session, url_for
-from flask_security import login_user
+from flask_security import login_user, logout_user
 from helpers import get_state, mock_remote_get, mock_response
 from six.moves.urllib_parse import parse_qs, urlparse
 
 from invenio_oauthclient.contrib.cern_openid import account_info, \
     disconnect_handler, fetch_extra_data, get_dict_from_response
-from invenio_oauthclient.errors import OAuthCERNRejectedAccountError
 
 from flask_oauthlib.client import OAuthResponse  # noqa isort:skip
 
@@ -118,6 +117,12 @@ def test_account_setup(app, example_cern_openid, models_fixture):
 
         login_user(user)
         assert len(g.identity.provides) == 3
+
+        logout_user()
+        assert "cern_resource" not in session
+        assert app.config['OAUTHCLIENT_CERN_OPENID_SESSION_KEY'] \
+            not in session
+
         disconnect_handler(ioc.remote_apps['cern_openid'])
 
 

tests/test_contrib_cern_openid_rest.py

@@ -14,14 +14,13 @@
 
 import pytest
 from flask import g, session, url_for
-from flask_security import login_user
+from flask_security import login_user, logout_user
 from helpers import check_response_redirect_url_args, get_state, \
     mock_remote_get, mock_response
 from six.moves.urllib_parse import parse_qs, urlparse
 
 from invenio_oauthclient.contrib.cern_openid import account_info_rest, \
     disconnect_rest_handler, fetch_extra_data, get_dict_from_response
-from invenio_oauthclient.errors import OAuthCERNRejectedAccountError
 
 from flask_oauthlib.client import OAuthResponse  # noqa isort:skip
 
@@ -124,6 +123,12 @@ def test_account_setup(app_rest, example_cern_openid_rest, models_fixture):
 
         login_user(user)
         assert len(g.identity.provides) == 3
+
+        logout_user()
+        assert "cern_resource" not in session
+        assert app_rest.config['OAUTHCLIENT_CERN_OPENID_SESSION_KEY'] \
+            not in session
+
         disconnect_rest_handler(ioc.remote_apps['cern_openid'])
 
 
@@ -178,8 +183,8 @@ def test_account_info_not_allowed_account(app_rest, example_cern_openid_rest):
     example_response, _, example_account_info = example_cern_openid_rest
 
     mock_remote_get(ioc, 'cern_openid', example_response)
-
     resp = account_info_rest(ioc.remote_apps['cern_openid'], None)
+
     assert resp.status_code == 302
     expected_url_args = {
         "message": "CERN account not allowed.",

tests/test_contrib_cern_rest.py

@@ -10,17 +10,15 @@
 
 from __future__ import absolute_import
 
-import pytest
 from flask import g, session, url_for
-from flask_security import login_user
+from flask_security import login_user, logout_user
 from helpers import check_response_redirect_url_args, get_state, \
     mock_remote_get, mock_response
 from six.moves.urllib_parse import parse_qs, urlparse
 
 from invenio_oauthclient.contrib.cern import account_info_rest, \
     disconnect_rest_handler, fetch_extra_data, fetch_groups, \
     get_dict_from_response
-from invenio_oauthclient.errors import OAuthCERNRejectedAccountError
 
 
 def test_fetch_groups(app_rest, example_cern):
@@ -131,6 +129,11 @@ def test_account_setup(app_rest, example_cern, models_fixture):
 
         login_user(user)
         assert len(g.identity.provides) == 7
+
+        logout_user()
+        assert "cern_resource" not in session
+        assert app_rest.config['OAUTHCLIENT_CERN_SESSION_KEY'] not in session
+
         disconnect_rest_handler(ioc.remote_apps['cern'])