Merge c6fed58 into c244172

invenio_oauthclient/contrib/cern.py

@@ -87,7 +87,8 @@
 import re
 
 from flask import current_app, redirect, session, url_for
-from flask_principal import UserNeed, RoleNeed, identity_loaded
+from flask_principal import UserNeed, RoleNeed, identity_loaded, \
+    AnonymousIdentity
 from flask_security import current_user
 from invenio_db import db
 from invenio_oauthclient.models import RemoteAccount
@@ -196,7 +197,7 @@ def get_dict_from_response(response):
 
 def get_resource(remote):
     """Query CERN Resources to get user info and groups."""
-    cached_resource = session.get('cern_resource')
+    cached_resource = session.pop('cern_resource', None)
     if cached_resource:
         return cached_resource
 
@@ -246,25 +247,35 @@ def disconnect_handler(remote, *args, **kwargs):
 def account_setup(remote, token, resp):
     """Perform additional setup after user have been logged in."""
     res = get_resource(remote)
-    session.pop('cern_resource')
 
+    groups = fetch_groups(res['Group'])
     with db.session.begin_nested():
         external_id = res['PersonID'][0]
 
         # Set CERN person ID in extra_date.
-        token.remote_account.extra_data = {'external_id': external_id}
+        token.remote_account.extra_data = {
+            'external_id': external_id,
+            'groups': groups,
+            # TODO: Add timestamp for refreshing token
+        }
         user = token.remote_account.user
 
         # Create user <-> external id link.
         oauth_link_external_id(user, dict(id=external_id, method='cern'))
 
-    groups = fetch_groups(res['Group'])
-    provides = [UserNeed(user.email)] + \
-               [RoleNeed('{0}@cern.ch'.format(group)) for group in groups]
-    session['identity.cern_provides'] = provides
-
 
 @identity_loaded.connect
 def on_identity_loaded(sender, identity):
     """Store groups in session whenever identity changes."""
-    identity.provides.update(session.get('identity.cern_provides', []))
+    if isinstance(identity, AnonymousIdentity):
+        return
+
+    identity.provides |= set([UserNeed(current_user.email)])
+    account = RemoteAccount.get(
+        user_id=current_user.get_id(),
+        client_id=current_app.config['CERN_APP_CREDENTIALS']['consumer_key'],
+    )
+    groups = account.extra_data.get('groups', []) if account else []
+    identity.provides |= set([
+        RoleNeed('{0}@cern.ch'.format(name)) for name in groups
+    ])

invenio_oauthclient/utils.py

@@ -73,8 +73,9 @@ def oauth_get_user(client_id, account_info=None, access_token=None):
                 id=external_id['id'], method=external_id['method']).first()
             if user_identity:
                 return user_identity.user
-        if account_info.get('email'):
-            return User.query.filter_by(email=account_info['email']).first()
+        email = account_info.get('user', {}).get('email')
+        if email:
+            return User.query.filter_by(email=email).one_or_none()
     return None
 
 

tests/test_handlers.py

@@ -111,11 +111,11 @@ def test_unauthorized_signup(remote, models_fixture):
     user = datastore.find_user(email=existing_email)
 
     example_response = {'access_token': 'test_access_token'}
-    example_account_info = {
+    example_account_info = {'user': {
         'email': existing_email,
         'external_id': '1234',
         'external_method': 'test_method'
-    }
+    }}
 
     # Mock remote app's handler
     current_oauthclient.signup_handlers[remote.name] = {

tests/test_utils.py

@@ -58,7 +58,7 @@ def test_utilities(models_fixture):
 
     assert oauth_get_user('dev', access_token=t.access_token) == user
     assert \
-        oauth_get_user('dev', account_info={'email': existing_email}) == user
+        oauth_get_user('dev', account_info={'user': {'email': existing_email}}) == user
 
     # Link user to external id
     external_id = {'id': '123', 'method': 'test_method'}