Merge 2d04df0 into 734e5df

inveniosoftware · Sep 30, 2020 · 5f6995e · 5f6995e
2 parents 734e5df + 2d04df0
commit 5f6995e
Show file tree

Hide file tree

Showing 8 changed files with 78 additions and 24 deletions.
diff --git a/invenio_oauthclient/contrib/cern.py b/invenio_oauthclient/contrib/cern.py
@@ -356,7 +356,8 @@ def extend_identity(identity, groups):
 
 def disconnect_identity(identity):
     """Disconnect identity from CERN groups."""
-    provides = session.pop(OAUTHCLIENT_CERN_SESSION_KEY, {})
+    session.pop("cern_resource", None)
+    provides = session.pop(OAUTHCLIENT_CERN_SESSION_KEY, set())
     identity.provides -= provides
 
 
@@ -504,6 +505,7 @@ def on_identity_changed(sender, identity):
     :param identity: The user identity where information are stored.
     """
     if isinstance(identity, AnonymousIdentity):
+        disconnect_identity(identity)
         return
 
     client_id = current_app.config['CERN_APP_CREDENTIALS']['consumer_key']

diff --git a/invenio_oauthclient/contrib/cern_openid.py b/invenio_oauthclient/contrib/cern_openid.py
@@ -210,11 +210,12 @@ def extend_identity(identity, roles):
 
 def disconnect_identity(identity):
     """Disconnect identity from CERN groups."""
+    session.pop("cern_resource", None)
     key = current_app.config.get(
         "OAUTHCLIENT_CERN_OPENID_SESSION_KEY",
         OAUTHCLIENT_CERN_OPENID_SESSION_KEY,
     )
-    provides = session.pop(key, {})
+    provides = session.pop(key, set())
     identity.provides -= provides
 
 
@@ -366,6 +367,7 @@ def on_identity_changed(sender, identity):
     :param identity: The user identity where information are stored.
     """
     if isinstance(identity, AnonymousIdentity):
+        disconnect_identity(identity)
         return
 
     client_id = current_app.config["CERN_APP_OPENID_CREDENTIALS"][

diff --git a/setup.py b/setup.py
@@ -68,7 +68,7 @@
     'Flask-OAuthlib>=0.9.5',
     'blinker>=1.4',
     'invenio-accounts>=1.3.0',
-    'invenio-base>=1.2.2',
+    'invenio-base>=1.2.3',
     'invenio-i18n>=1.2.0',
     'invenio-mail>=1.0.0',
     'uritools>=1.0.1',

diff --git a/tests/conftest.py b/tests/conftest.py
@@ -17,12 +17,11 @@
 import tempfile
 
 import pytest
-import werkzeug
 from flask import Flask
 from flask_babelex import Babel
 from flask_mail import Mail
 from flask_menu import Menu as FlaskMenu
-from invenio_accounts import InvenioAccounts, InvenioAccountsREST
+from invenio_accounts import InvenioAccounts
 from invenio_db import InvenioDB, db
 from invenio_userprofiles import InvenioUserProfiles, UserProfile
 from invenio_userprofiles.views import blueprint_ui_init

diff --git a/tests/test_contrib_cern.py b/tests/test_contrib_cern.py
@@ -10,16 +10,14 @@
 
 from __future__ import absolute_import
 
-import pytest
 from flask import g, session, url_for
-from flask_security import login_user
+from flask_security import login_user, logout_user
 from helpers import get_state, mock_remote_get, mock_response
 from six.moves.urllib_parse import parse_qs, urlparse
 
-from invenio_oauthclient.contrib.cern import account_info, \
-    disconnect_handler, fetch_extra_data, fetch_groups, \
+from invenio_oauthclient.contrib.cern import OAUTHCLIENT_CERN_SESSION_KEY, \
+    account_info, disconnect_handler, fetch_extra_data, fetch_groups, \
     get_dict_from_response
-from invenio_oauthclient.errors import OAuthCERNRejectedAccountError
 
 
 def test_fetch_groups(app, example_cern):
@@ -138,6 +136,16 @@ def test_account_setup(app, example_cern, models_fixture):
 
         login_user(user)
         assert len(g.identity.provides) == 7
+
+        logout_user()
+        assert len(g.identity.provides) == 1
+        assert "cern_resource" not in session
+        assert OAUTHCLIENT_CERN_SESSION_KEY not in session
+
+        # Login again to test the disconnect handler
+        login_user(user)
+        assert len(g.identity.provides) == 7
+
         disconnect_handler(ioc.remote_apps['cern'])
 
 

diff --git a/tests/test_contrib_cern_openid.py b/tests/test_contrib_cern_openid.py
@@ -14,13 +14,13 @@
 
 import pytest
 from flask import g, session, url_for
-from flask_security import login_user
+from flask_security import login_user, logout_user
 from helpers import get_state, mock_remote_get, mock_response
 from six.moves.urllib_parse import parse_qs, urlparse
 
-from invenio_oauthclient.contrib.cern_openid import account_info, \
-    disconnect_handler, fetch_extra_data, get_dict_from_response
-from invenio_oauthclient.errors import OAuthCERNRejectedAccountError
+from invenio_oauthclient.contrib.cern_openid import \
+    OAUTHCLIENT_CERN_OPENID_SESSION_KEY, account_info, disconnect_handler, \
+    fetch_extra_data, get_dict_from_response
 
 from flask_oauthlib.client import OAuthResponse  # noqa isort:skip
 
@@ -118,6 +118,16 @@ def test_account_setup(app, example_cern_openid, models_fixture):
 
         login_user(user)
         assert len(g.identity.provides) == 3
+
+        logout_user()
+        assert len(g.identity.provides) == 1
+        assert "cern_resource" not in session
+        assert OAUTHCLIENT_CERN_OPENID_SESSION_KEY not in session
+
+        # Login again to test the disconnect handler
+        login_user(user)
+        assert len(g.identity.provides) == 3
+
         disconnect_handler(ioc.remote_apps['cern_openid'])
 
 

diff --git a/tests/test_contrib_cern_openid_rest.py b/tests/test_contrib_cern_openid_rest.py
@@ -14,14 +14,14 @@
 
 import pytest
 from flask import g, session, url_for
-from flask_security import login_user
+from flask_security import login_user, logout_user
 from helpers import check_response_redirect_url_args, get_state, \
     mock_remote_get, mock_response
 from six.moves.urllib_parse import parse_qs, urlparse
 
-from invenio_oauthclient.contrib.cern_openid import account_info_rest, \
+from invenio_oauthclient.contrib.cern_openid import \
+    OAUTHCLIENT_CERN_OPENID_SESSION_KEY, account_info_rest, \
     disconnect_rest_handler, fetch_extra_data, get_dict_from_response
-from invenio_oauthclient.errors import OAuthCERNRejectedAccountError
 
 from flask_oauthlib.client import OAuthResponse  # noqa isort:skip
 
@@ -124,6 +124,16 @@ def test_account_setup(app_rest, example_cern_openid_rest, models_fixture):
 
         login_user(user)
         assert len(g.identity.provides) == 3
+
+        logout_user()
+        assert len(g.identity.provides) == 1
+        assert "cern_resource" not in session
+        assert OAUTHCLIENT_CERN_OPENID_SESSION_KEY not in session
+
+        # Login again to test the disconnect handler
+        login_user(user)
+        assert len(g.identity.provides) == 3
+
         disconnect_rest_handler(ioc.remote_apps['cern_openid'])
 
 
@@ -178,8 +188,8 @@ def test_account_info_not_allowed_account(app_rest, example_cern_openid_rest):
     example_response, _, example_account_info = example_cern_openid_rest
 
     mock_remote_get(ioc, 'cern_openid', example_response)
-
     resp = account_info_rest(ioc.remote_apps['cern_openid'], None)
+
     assert resp.status_code == 302
     expected_url_args = {
         "message": "CERN account not allowed.",

diff --git a/tests/test_contrib_cern_rest.py b/tests/test_contrib_cern_rest.py
@@ -10,17 +10,16 @@
 
 from __future__ import absolute_import
 
-import pytest
 from flask import g, session, url_for
-from flask_security import login_user
+from flask_principal import AnonymousIdentity, Identity, RoleNeed, UserNeed
+from flask_security import login_user, logout_user
 from helpers import check_response_redirect_url_args, get_state, \
     mock_remote_get, mock_response
 from six.moves.urllib_parse import parse_qs, urlparse
 
-from invenio_oauthclient.contrib.cern import account_info_rest, \
-    disconnect_rest_handler, fetch_extra_data, fetch_groups, \
-    get_dict_from_response
-from invenio_oauthclient.errors import OAuthCERNRejectedAccountError
+from invenio_oauthclient.contrib.cern import OAUTHCLIENT_CERN_SESSION_KEY, \
+    account_info_rest, disconnect_rest_handler, fetch_extra_data, \
+    fetch_groups, get_dict_from_response
 
 
 def test_fetch_groups(app_rest, example_cern):
@@ -130,7 +129,31 @@ def test_account_setup(app_rest, example_cern, models_fixture):
         assert resp.status_code >= 300
 
         login_user(user)
+        assert isinstance(g.identity, Identity)
+        assert g.identity.provides == set([
+            UserNeed(4),
+            UserNeed('test.account@cern.ch'),
+            RoleNeed('Group1@cern.ch'),
+            RoleNeed('Group2@cern.ch'),
+            RoleNeed('Group3@cern.ch'),
+            RoleNeed('Group4@cern.ch'),
+            RoleNeed('Group5@cern.ch'),
+        ])
+
+        logout_user()
+        assert isinstance(g.identity, AnonymousIdentity)
+        # NOTE: Wrong role, g.identity.provides = {Need(['id', 4])} read more
+        # https://github.com/inveniosoftware/invenio-access/blob/e28e76d5361a29202b94d498f1968454c24c5c80/tests/test_loaders.py#L47
+        assert len(g.identity.provides) == 1
+
+        assert "cern_resource" not in session
+        assert OAUTHCLIENT_CERN_SESSION_KEY not in session
+
+        # Login again to test the disconnect handler
+        login_user(user)
+        assert isinstance(g.identity, Identity)
         assert len(g.identity.provides) == 7
+
         disconnect_rest_handler(ioc.remote_apps['cern'])