Merge 05cd1be into 734e5df

inveniosoftware · Sep 28, 2020 · badd576 · badd576
2 parents 734e5df + 05cd1be
commit badd576
Show file tree

Hide file tree

Showing 7 changed files with 84 additions and 25 deletions.
diff --git a/invenio_oauthclient/contrib/cern.py b/invenio_oauthclient/contrib/cern.py
@@ -356,7 +356,8 @@ def extend_identity(identity, groups):
 
 def disconnect_identity(identity):
     """Disconnect identity from CERN groups."""
-    provides = session.pop(OAUTHCLIENT_CERN_SESSION_KEY, {})
+    session.pop("cern_resource", None)
+    provides = session.pop(OAUTHCLIENT_CERN_SESSION_KEY, set())
     identity.provides -= provides
 
 
@@ -504,6 +505,7 @@ def on_identity_changed(sender, identity):
     :param identity: The user identity where information are stored.
     """
     if isinstance(identity, AnonymousIdentity):
+        disconnect_identity(identity)
         return
 
     client_id = current_app.config['CERN_APP_CREDENTIALS']['consumer_key']

diff --git a/invenio_oauthclient/contrib/cern_openid.py b/invenio_oauthclient/contrib/cern_openid.py
@@ -68,7 +68,7 @@
 
 from flask import Blueprint, current_app, flash, g, redirect, session, url_for
 from flask_babelex import gettext as _
-from flask_login import current_user
+from flask_login import current_user, user_logged_in, user_logged_out
 from flask_principal import AnonymousIdentity, RoleNeed, UserNeed, \
     identity_changed, identity_loaded
 from invenio_db import db
@@ -210,11 +210,12 @@ def extend_identity(identity, roles):
 
 def disconnect_identity(identity):
     """Disconnect identity from CERN groups."""
+    session.pop("cern_resource", None)
     key = current_app.config.get(
         "OAUTHCLIENT_CERN_OPENID_SESSION_KEY",
         OAUTHCLIENT_CERN_OPENID_SESSION_KEY,
     )
-    provides = session.pop(key, {})
+    provides = session.pop(key, set())
     identity.provides -= provides
 
 
@@ -366,6 +367,7 @@ def on_identity_changed(sender, identity):
     :param identity: The user identity where information are stored.
     """
     if isinstance(identity, AnonymousIdentity):
+        disconnect_identity(identity)
         return
 
     client_id = current_app.config["CERN_APP_OPENID_CREDENTIALS"][

diff --git a/tests/conftest.py b/tests/conftest.py
@@ -17,12 +17,11 @@
 import tempfile
 
 import pytest
-import werkzeug
 from flask import Flask
 from flask_babelex import Babel
 from flask_mail import Mail
 from flask_menu import Menu as FlaskMenu
-from invenio_accounts import InvenioAccounts, InvenioAccountsREST
+from invenio_accounts import InvenioAccounts
 from invenio_db import InvenioDB, db
 from invenio_userprofiles import InvenioUserProfiles, UserProfile
 from invenio_userprofiles.views import blueprint_ui_init

diff --git a/tests/test_contrib_cern.py b/tests/test_contrib_cern.py
@@ -10,16 +10,17 @@
 
 from __future__ import absolute_import
 
+from unittest.mock import Mock
+
 import pytest
 from flask import g, session, url_for
-from flask_security import login_user
+from flask_security import login_user, logout_user
 from helpers import get_state, mock_remote_get, mock_response
 from six.moves.urllib_parse import parse_qs, urlparse
 
-from invenio_oauthclient.contrib.cern import account_info, \
-    disconnect_handler, fetch_extra_data, fetch_groups, \
-    get_dict_from_response
-from invenio_oauthclient.errors import OAuthCERNRejectedAccountError
+from invenio_oauthclient.contrib.cern import OAUTHCLIENT_CERN_SESSION_KEY, \
+    account_info, disconnect_handler, disconnect_identity, fetch_extra_data, \
+    fetch_groups, get_dict_from_response
 
 
 def test_fetch_groups(app, example_cern):
@@ -138,6 +139,16 @@ def test_account_setup(app, example_cern, models_fixture):
 
         login_user(user)
         assert len(g.identity.provides) == 7
+
+        logout_user()
+        assert len(g.identity.provides) == 1
+        assert "cern_resource" not in session
+        assert OAUTHCLIENT_CERN_SESSION_KEY not in session
+
+        # Login again to test the disconnect handler
+        login_user(user)
+        assert len(g.identity.provides) == 7
+
         disconnect_handler(ioc.remote_apps['cern'])
 
 

diff --git a/tests/test_contrib_cern_openid.py b/tests/test_contrib_cern_openid.py
@@ -11,16 +11,17 @@
 from __future__ import absolute_import
 
 import os
+from unittest.mock import Mock
 
 import pytest
 from flask import g, session, url_for
-from flask_security import login_user
+from flask_security import login_user, logout_user
 from helpers import get_state, mock_remote_get, mock_response
 from six.moves.urllib_parse import parse_qs, urlparse
 
-from invenio_oauthclient.contrib.cern_openid import account_info, \
-    disconnect_handler, fetch_extra_data, get_dict_from_response
-from invenio_oauthclient.errors import OAuthCERNRejectedAccountError
+from invenio_oauthclient.contrib.cern_openid import \
+    OAUTHCLIENT_CERN_OPENID_SESSION_KEY, account_info, disconnect_handler, \
+    disconnect_identity, fetch_extra_data, get_dict_from_response
 
 from flask_oauthlib.client import OAuthResponse  # noqa isort:skip
 
@@ -118,6 +119,16 @@ def test_account_setup(app, example_cern_openid, models_fixture):
 
         login_user(user)
         assert len(g.identity.provides) == 3
+
+        logout_user()
+        assert len(g.identity.provides) == 1
+        assert "cern_resource" not in session
+        assert OAUTHCLIENT_CERN_OPENID_SESSION_KEY not in session
+
+        # Login again to test the disconnect handler
+        login_user(user)
+        assert len(g.identity.provides) == 3
+
         disconnect_handler(ioc.remote_apps['cern_openid'])
 
 

diff --git a/tests/test_contrib_cern_openid_rest.py b/tests/test_contrib_cern_openid_rest.py
@@ -11,17 +11,19 @@
 from __future__ import absolute_import
 
 import os
+from unittest.mock import Mock
 
 import pytest
 from flask import g, session, url_for
-from flask_security import login_user
+from flask_security import login_user, logout_user
 from helpers import check_response_redirect_url_args, get_state, \
     mock_remote_get, mock_response
 from six.moves.urllib_parse import parse_qs, urlparse
 
-from invenio_oauthclient.contrib.cern_openid import account_info_rest, \
-    disconnect_rest_handler, fetch_extra_data, get_dict_from_response
-from invenio_oauthclient.errors import OAuthCERNRejectedAccountError
+from invenio_oauthclient.contrib.cern_openid import \
+    OAUTHCLIENT_CERN_OPENID_SESSION_KEY, account_info_rest, \
+    disconnect_identity, disconnect_rest_handler, fetch_extra_data, \
+    get_dict_from_response
 
 from flask_oauthlib.client import OAuthResponse  # noqa isort:skip
 
@@ -124,6 +126,16 @@ def test_account_setup(app_rest, example_cern_openid_rest, models_fixture):
 
         login_user(user)
         assert len(g.identity.provides) == 3
+
+        logout_user()
+        assert len(g.identity.provides) == 1
+        assert "cern_resource" not in session
+        assert OAUTHCLIENT_CERN_OPENID_SESSION_KEY not in session
+
+        # Login again to test the disconnect handler
+        login_user(user)
+        assert len(g.identity.provides) == 3
+
         disconnect_rest_handler(ioc.remote_apps['cern_openid'])
 
 
@@ -178,8 +190,8 @@ def test_account_info_not_allowed_account(app_rest, example_cern_openid_rest):
     example_response, _, example_account_info = example_cern_openid_rest
 
     mock_remote_get(ioc, 'cern_openid', example_response)
-
     resp = account_info_rest(ioc.remote_apps['cern_openid'], None)
+
     assert resp.status_code == 302
     expected_url_args = {
         "message": "CERN account not allowed.",

diff --git a/tests/test_contrib_cern_rest.py b/tests/test_contrib_cern_rest.py
@@ -10,17 +10,16 @@
 
 from __future__ import absolute_import
 
-import pytest
 from flask import g, session, url_for
-from flask_security import login_user
+from flask_principal import AnonymousIdentity, Identity, RoleNeed, UserNeed
+from flask_security import login_user, logout_user
 from helpers import check_response_redirect_url_args, get_state, \
     mock_remote_get, mock_response
 from six.moves.urllib_parse import parse_qs, urlparse
 
-from invenio_oauthclient.contrib.cern import account_info_rest, \
-    disconnect_rest_handler, fetch_extra_data, fetch_groups, \
-    get_dict_from_response
-from invenio_oauthclient.errors import OAuthCERNRejectedAccountError
+from invenio_oauthclient.contrib.cern import OAUTHCLIENT_CERN_SESSION_KEY, \
+    account_info_rest, disconnect_rest_handler, fetch_extra_data, \
+    fetch_groups, get_dict_from_response
 
 
 def test_fetch_groups(app_rest, example_cern):
@@ -130,7 +129,30 @@ def test_account_setup(app_rest, example_cern, models_fixture):
         assert resp.status_code >= 300
 
         login_user(user)
+        assert isinstance(g.identity, Identity)
+        assert g.identity.provides == set([
+            UserNeed(4),
+            UserNeed('test.account@cern.ch'),
+            RoleNeed('Group1@cern.ch'),
+            RoleNeed('Group2@cern.ch'),
+            RoleNeed('Group3@cern.ch'),
+            RoleNeed('Group4@cern.ch'),
+            RoleNeed('Group5@cern.ch'),
+        ])
+
+        logout_user()
+        assert isinstance(g.identity, AnonymousIdentity)
+        # NOTE: Wrong role, g.identity.provides = {Need(['id', 4])}
+        assert len(g.identity.provides) == 1
+
+        assert "cern_resource" not in session
+        assert OAUTHCLIENT_CERN_SESSION_KEY not in session
+
+        # Login again to test the disconnect handler
+        login_user(user)
+        assert isinstance(g.identity, Identity)
         assert len(g.identity.provides) == 7
+
         disconnect_rest_handler(ioc.remote_apps['cern'])