def test_get_create_remote_account(app, example): """Test create remote account.""" created_acc = RemoteAccount.create(1, "dev", dict(somekey="somevalue")) assert created_acc retrieved_acc = RemoteAccount.get(1, "dev") assert created_acc.id == retrieved_acc.id assert retrieved_acc.extra_data == dict(somekey="somevalue") db.session.delete(retrieved_acc) assert RemoteAccount.get(1, "dev") is None
def test_get_create_remote_account(models_fixture): """Test create remote account.""" app = models_fixture created_acc = RemoteAccount.create(1, 'dev', dict(somekey='somevalue')) assert created_acc retrieved_acc = RemoteAccount.get(1, 'dev') assert created_acc.id == retrieved_acc.id assert retrieved_acc.extra_data == dict(somekey='somevalue') db.session.delete(retrieved_acc) assert RemoteAccount.get(1, 'dev') is None
def test_get_create(self): from invenio_oauthclient.models import RemoteAccount created_acc = RemoteAccount.create(1, "dev", dict(somekey="somevalue")) assert created_acc retrieved_acc = RemoteAccount.get(1, "dev") assert created_acc.id == retrieved_acc.id assert retrieved_acc.extra_data == dict(somekey="somevalue") db.session.delete(retrieved_acc) assert RemoteAccount.get(1, "dev") is None
def on_identity_changed(sender, identity): """Store groups in session whenever identity changes. :param identity: The user identity where information are stored. """ if isinstance(identity, AnonymousIdentity): return client_id = current_app.config['CERN_APP_CREDENTIALS']['consumer_key'] account = RemoteAccount.get( user_id=current_user.get_id(), client_id=client_id, ) groups = [] if account: remote = find_remote_by_client_id(client_id) resource = get_resource(remote) refresh = current_app.config.get( 'OAUTHCLIENT_CERN_REFRESH_TIMEDELTA', OAUTHCLIENT_CERN_REFRESH_TIMEDELTA ) groups.extend( account_groups(account, resource, refresh_timedelta=refresh) ) extend_identity(identity, groups)
def test_get_create_remote_token(app, example): """Test create remote token.""" existing_email = "*****@*****.**" datastore = app.extensions["invenio-accounts"].datastore user = datastore.find_user(email=existing_email) t = RemoteToken.create(user.id, "dev", "mytoken", "mysecret") assert t assert t.token() == ("mytoken", "mysecret") acc = RemoteAccount.get(user.id, "dev") assert acc assert t.remote_account.id == acc.id assert t.token_type == "" t2 = RemoteToken.create(user.id, "dev", "mytoken2", "mysecret2", token_type="t2") assert t2.remote_account.id == acc.id assert t2.token_type == "t2" t3 = RemoteToken.get(user.id, "dev") t4 = RemoteToken.get(user.id, "dev", token_type="t2") assert t4.token() != t3.token() assert RemoteToken.query.count() == 2 acc.delete() assert RemoteToken.query.count() == 0
def test_get_create_remote_token(models_fixture): """Test create remote token.""" app = models_fixture existing_email = "*****@*****.**" datastore = app.extensions['invenio-accounts'].datastore user = datastore.find_user(email=existing_email) t = RemoteToken.create(user.id, "dev", "mytoken", "mysecret") assert t assert t.token() == ('mytoken', 'mysecret') acc = RemoteAccount.get(user.id, "dev") assert acc assert t.remote_account.id == acc.id assert t.token_type == '' t2 = RemoteToken.create( user.id, "dev", "mytoken2", "mysecret2", token_type='t2' ) assert t2.remote_account.id == acc.id assert t2.token_type == 't2' t3 = RemoteToken.get(user.id, "dev") t4 = RemoteToken.get(user.id, "dev", token_type="t2") assert t4.token() != t3.token() assert RemoteToken.query.count() == 2 acc.delete() assert RemoteToken.query.count() == 0
def test_get_create(self): from invenio_oauthclient.models import RemoteAccount, RemoteToken t = RemoteToken.create(self.u1, "dev", "mytoken", "mysecret") assert t assert t.token() == ('mytoken', 'mysecret') acc = RemoteAccount.get(self.u1, "dev") assert acc assert t.remote_account.id == acc.id assert t.token_type == '' t2 = RemoteToken.create( self.u1, "dev", "mytoken2", "mysecret2", token_type='t2' ) assert t2.remote_account.id == acc.id assert t2.token_type == 't2' t3 = RemoteToken.get(self.u1, "dev") t4 = RemoteToken.get(self.u1, "dev", token_type="t2") assert t4.token() != t3.token() assert RemoteToken.query.count() == 2 acc.delete() assert RemoteToken.query.count() == 0
def test_settings_view(self): # Create a remove account (linked account) from invenio_oauthclient.models import RemoteAccount RemoteAccount.create(1, 'testid', None) self.assert401(self.client.get(url_for('oauthclient_settings.index'), follow_redirects=True)) self.login("admin", "") res = self.client.get(url_for('oauthclient_settings.index')) self.assert200(res) assert 'MyLinkedTestAccount' in res.data assert url_for('oauthclient.disconnect', remote_app='test') in res.data assert url_for('oauthclient.login', remote_app='full') in res.data assert url_for('oauthclient.login', remote_app='test_invalid') in \ res.data
def g_remoteaccounts(app, db, g_remoteaccounts_data): """Fixture for RemoteAccount objects.""" for rad in g_remoteaccounts_data: ra = RemoteAccount.create(rad['user_id'], 'changeme', rad['extra_data']) db.session.add(ra) db.session.commit() rad['id'] = ra.id return g_remoteaccounts_data
def test_repr(models_fixture): """Test representation of RemoteAccount adn RemoteToken.""" datastore = models_fixture.extensions['invenio-accounts'].datastore user = datastore.find_user(email='*****@*****.**') assert 'Remote Token <token_type=type access_token=mytoken>' == \ repr(RemoteToken.create(user.id, 'dev', 'mytoken', 'mysecret', token_type='type')) assert 'Remote Account <id=1, user_id=1>' == \ repr(RemoteAccount.get(user.id, 'dev'))
def test_settings_view(views_fixture): """Test settings view.""" app = views_fixture app.login_manager.login_view = None login_manager = app.login_manager datastore = app.extensions['invenio-accounts'].datastore @login_manager.user_loader def load_user(user_id): return user @app.route('/foo_login') def login(): user = datastore.find_user(email='*****@*****.**') login_user(user) return 'Logged In' with app.app_context(): with app.test_client() as client: user = datastore.find_user(email='*****@*****.**') RemoteAccount.create(user.get_id(), 'testid', None) resp = client.get(url_for('invenio_oauthclient_settings.index'), follow_redirects=False) assert resp.status_code == 401 # make a fake login (using my login function) client.get('/foo_login', follow_redirects=True) resp = client.get(url_for('invenio_oauthclient_settings.index'), follow_redirects=True) assert resp.status_code == 200 assert b'MyLinkedTestAccount' in resp.data assert url_for('invenio_oauthclient.disconnect', remote_app='test') in resp.data.decode('utf-8') assert url_for('invenio_oauthclient.login', remote_app='full') in resp.data.decode('utf-8') assert url_for( 'invenio_oauthclient.login', remote_app='test_invalid') in resp.data.decode('utf-8')
def test_settings_view(): """Test settings view.""" app = setup_app() app.login_manager.login_view = None login_manager = app.login_manager datastore = app.extensions['invenio-accounts'].datastore datastore.create_user(email="*****@*****.**", password="******") user = datastore.find_user(email="*****@*****.**") @login_manager.user_loader def load_user(user_id): return user @app.route('/foo_login') def login(): login_user(user) return "Logged In" with app.test_client() as client: # Create a remove account (linked account) RemoteAccount.create(user.id, 'testid', None) resp = client.get(url_for('invenio_oauthclient_settings.index'), follow_redirects=False) assert resp.status_code == 401 # make a fake login (using my login function) client.get('/foo_login', follow_redirects=True) resp = client.get(url_for('invenio_oauthclient_settings.index'), follow_redirects=True) assert resp.status_code == 200 assert b'MyLinkedTestAccount' in resp.data assert url_for('invenio_oauthclient.disconnect', remote_app='test') in resp.data.decode("utf-8") assert url_for('invenio_oauthclient.login', remote_app='full') in resp.data.decode("utf-8") assert url_for('invenio_oauthclient.login', remote_app='test_invalid') in resp.data.decode("utf-8")
def disconnect_handler(remote, *args, **kwargs): """Handle unlinking of remote account.""" if not current_user.is_authenticated: return current_app.login_manager.unauthorized() account = RemoteAccount.get(user_id=current_user.get_id(), client_id=remote.consumer_key) orcid = account.extra_data.get('orcid') if orcid: oauth_unlink_external_id(dict(id=orcid, method='orcid')) if account: with db.session.begin_nested(): account.delete() return redirect(url_for('invenio_oauthclient_settings.index'))
def _disconnect(remote, *args, **kwargs): """Handle unlinking of remote account.""" if not current_user.is_authenticated: return current_app.login_manager.unauthorized() account = RemoteAccount.get(user_id=current_user.get_id(), client_id=remote.consumer_key) external_id = account.extra_data.get("external_id") if external_id: oauth_unlink_external_id(dict(id=external_id, method="cern_openid")) if account: with db.session.begin_nested(): account.delete() disconnect_identity(g.identity)
def patrons(app, db): """Create a patron user.""" db.session.execute("ALTER SEQUENCE IF EXISTS accounts_user_id_seq RESTART") db.session.commit() user = User(**dict(email="*****@*****.**", active=True)) db.session.add(user) db.session.commit() user_id = user.id identity = UserIdentity(**dict(id="1", method="cern", id_user=user_id)) db.session.add(identity) profile = UserProfile(**dict( user_id=user_id, _displayname="id_" + str(user_id), full_name="System User", )) db.session.add(profile) client_id = app.config["CERN_APP_OPENID_CREDENTIALS"]["consumer_key"] remote_account = RemoteAccount(client_id=client_id, **dict( user_id=user_id, extra_data=dict(person_id="1", department="Department", legacy_id="1"), )) db.session.add(remote_account) db.session.commit() user2 = User(**dict(email="*****@*****.**", active=True)) db.session.add(user2) db.session.commit() user2_id = user2.id profile = UserProfile(**dict( user_id=user2_id, _displayname="id_" + str(user2_id), full_name="System User", )) db.session.add(profile) db.session.commit() return user, user2
def github_remote_accounts(datadir, users, db): """Load GitHub remote account objects.""" # Create records and PIDs for GitHub releases for recid in ('100', '101', '200', '201'): r = Record.create({}) PersistentIdentifier.create('recid', recid, object_uuid=r.id) db.session.commit() with open(join(datadir, 'github_remote_accounts.json')) as fp: gh_remote_accounts = json.load(fp) remote_accounts = [] for idx, gh_ra in enumerate(gh_remote_accounts): assert users[idx]['id'] == gh_ra['user_id'] ra = RemoteAccount.create(gh_ra['user_id'], 'clientid', gh_ra['extra_data']) remote_accounts.append(ra) return remote_accounts
def test_utilities(models_fixture): """Test utilities.""" app = models_fixture datastore = app.extensions['invenio-accounts'].datastore assert obj_or_import_string('invenio_oauthclient.errors') # User existing_email = '*****@*****.**' user = datastore.find_user(email=existing_email) # Authenticate assert not _get_external_id({}) assert not oauth_authenticate('dev', user, require_existing_link=True) _security.confirmable = True _security.login_without_confirmation = False user.confirmed_at = None assert not oauth_authenticate('dev', user) # Tokens t = RemoteToken.create(user.id, 'dev', 'mytoken', 'mysecret') assert \ RemoteToken.get(user.id, 'dev', access_token='mytoken') == \ RemoteToken.get_by_token('dev', 'mytoken') assert oauth_get_user('dev', access_token=t.access_token) == user assert \ oauth_get_user('dev', account_info={'user': {'email': existing_email}}) == user # Link user to external id external_id = {'id': '123', 'method': 'test_method'} oauth_link_external_id(user, external_id) with pytest.raises(AlreadyLinkedError): oauth_link_external_id(user, external_id) assert oauth_get_user('dev', account_info={ 'external_id': external_id['id'], 'external_method': external_id['method'] }) == user # Cleanup oauth_unlink_external_id(external_id) acc = RemoteAccount.get(user.id, 'dev') acc.delete()
def _disconnect(remote, *args, **kwargs): """Handle unlinking of remote account. :param remote: The remote application. """ if not current_user.is_authenticated: return current_app.login_manager.unauthorized() account = RemoteAccount.get(user_id=current_user.get_id(), client_id=remote.consumer_key) orcid = account.extra_data.get('orcid') if orcid: oauth_unlink_external_id({'id': orcid, 'method': 'orcid'}) if account: with db.session.begin_nested(): account.delete()
def mock_user(app, request): def teardown(app): with app.app_context(): user = User.query.filter_by(email='*****@*****.**').first() token = RemoteToken.query.filter_by(access_token='123').first() user_identity = UserIdentity.query.filter_by( id='0000-0001-9412-8627', method='orcid').first() remote_account = RemoteAccount.query.filter_by(user_id=user.id).first() with db.session.begin_nested(): db.session.delete(token) db.session.delete(user_identity) db.session.delete(remote_account) db.session.delete(user) db.session.commit() request.addfinalizer(lambda: teardown(app)) user = User( email='*****@*****.**', ) db.session.add(user) db.session.commit() token = RemoteToken( id_remote_account=1, access_token='123' ) user_identity = UserIdentity( id='0000-0001-9412-8627', id_user=str(user.id), method='orcid') remote_account = RemoteAccount( id=1, user_id=user.id, extra_data={}, client_id=1, user=user) with app.app_context(): with db.session.begin_nested(): db.session.add(user_identity) db.session.add(remote_account) db.session.add(token) db.session.commit() return MockUser(app)
def disconnect_handler(remote, *args, **kwargs): """Handle unlinking of remote account.""" if not current_user.is_authenticated: return current_app.login_manager.unauthorized() account = RemoteAccount.get(user_id=current_user.get_id(), client_id=remote.consumer_key) external_id = account.extra_data.get('external_id') if external_id: oauth_unlink_external_id(dict(id=external_id, method='cern')) if account: with db.session.begin_nested(): account.delete() disconnect_identity(g.identity) return redirect(url_for('invenio_oauthclient_settings.index'))
def disconnect_handler(remote, *args, **kwargs): """Handle unlinking of remote account.""" from invenio_oauthclient.utils import oauth_unlink_external_id from invenio_oauthclient.models import RemoteAccount if not current_user.is_authenticated(): return current_app.login_manager.unauthorized() account = RemoteAccount.get(user_id=current_user.get_id(), client_id=remote.consumer_key) orcid = account.extra_data.get('orcid') if orcid: oauth_unlink_external_id(dict(id=orcid, method='orcid')) if account: account.delete() return redirect(url_for('oauthclient_settings.index'))
def _disconnect(remote, *args, **kwargs): """Common logic for handling disconnection of remote accounts.""" if not current_user.is_authenticated: return current_app.login_manager.unauthorized() account = RemoteAccount.get(user_id=current_user.get_id(), client_id=remote.consumer_key) keycloak_id = account.extra_data.get("keycloak_id") if keycloak_id: external_id = {"id": keycloak_id, "method": remote.name} oauth_unlink_external_id(external_id) if account: with db.session.begin_nested(): account.delete()
def handle_disconnect(self, remote, *args, **kwargs): """Handle unlinking of remote account. :param remote: The remote application. """ if not current_user.is_authenticated: return current_app.login_manager.unauthorized() account = RemoteAccount.get(user_id=current_user.get_id(), client_id=remote.consumer_key) sub = account.extra_data.get('sub') if sub: oauth_unlink_external_id({'id': sub, 'method': self.name}) if account: with db.session.begin_nested(): account.delete() return redirect(url_for('invenio_oauthclient_settings.index'))
def disconnect_handler(remote, *args, **kwargs): """Handle unlinking of remote account.""" if not current_user.is_authenticated: return current_app.login_manager.unauthorized() remote_account = RemoteAccount.get(user_id=current_user.get_id(), client_id=remote.consumer_key) external_method = 'github' external_ids = [i.id for i in current_user.external_identifiers if i.method == external_method] if external_ids: oauth_unlink_external_id(dict(id=external_ids[0], method=external_method)) if remote_account: with db.session.begin_nested(): remote_account.delete() return redirect(url_for('invenio_oauthclient_settings.index'))
def test_utilities(models_fixture): """Test utilities.""" app = models_fixture datastore = app.extensions["invenio-accounts"].datastore assert obj_or_import_string("invenio_oauthclient.errors") # User existing_email = "*****@*****.**" user = datastore.find_user(email=existing_email) # Authenticate assert not _get_external_id({}) assert not oauth_authenticate("dev", user, require_existing_link=True) _security.confirmable = True _security.login_without_confirmation = False user.confirmed_at = None assert not oauth_authenticate("dev", user) # Tokens t = RemoteToken.create(user.id, "dev", "mytoken", "mysecret") assert RemoteToken.get(user.id, "dev", access_token="mytoken") == RemoteToken.get_by_token("dev", "mytoken") assert oauth_get_user("dev", access_token=t.access_token) == user assert oauth_get_user("dev", account_info={"user": {"email": existing_email}}) == user # Link user to external id external_id = {"id": "123", "method": "test_method"} oauth_link_external_id(user, external_id) with pytest.raises(AlreadyLinkedError): oauth_link_external_id(user, external_id) assert ( oauth_get_user("dev", account_info={"external_id": external_id["id"], "external_method": external_id["method"]}) == user ) # Cleanup oauth_unlink_external_id(external_id) acc = RemoteAccount.get(user.id, "dev") acc.delete()
def _disconnect(remote, *args, **kwargs): """Handle unlinking of remote account. :param remote: The remote application. :returns: The HTML response. """ if not current_user.is_authenticated: return current_app.login_manager.unauthorized() remote_account = RemoteAccount.get(user_id=current_user.get_id(), client_id=remote.consumer_key) external_method = 'github' external_ids = [i.id for i in current_user.external_identifiers if i.method == external_method] if external_ids: oauth_unlink_external_id(dict(id=external_ids[0], method=external_method)) if remote_account: with db.session.begin_nested(): remote_account.delete()
def disconnect_handler(remote, *args, **kwargs): """Handle unlinking of remote account. This default handler will just delete the remote account link. You may wish to extend this module to perform clean-up in the remote service before removing the link (e.g. removing install webhooks). :param remote: The remote application. :returns: Redirect response. """ if not current_user.is_authenticated: return current_app.login_manager.unauthorized() with db.session.begin_nested(): account = RemoteAccount.get(user_id=current_user.get_id(), client_id=remote.consumer_key) if account: account.delete() db.session.commit() return redirect('/')
def on_identity_changed(sender, identity): """Store roles in session whenever identity changes. :param identity: The user identity where information are stored. """ if isinstance(identity, AnonymousIdentity): disconnect_identity(identity) return remote = g.get("oauth_logged_in_with_remote", None) if not remote or remote.name != "cern_openid": # signal coming from another remote app return logged_in_via_token = hasattr(current_user, 'login_via_oauth2') \ and getattr(current_user, 'login_via_oauth2') client_id = current_app.config["CERN_APP_OPENID_CREDENTIALS"][ "consumer_key"] remote_account = RemoteAccount.get(user_id=current_user.get_id(), client_id=client_id) roles = [] if remote_account and not logged_in_via_token: refresh = current_app.config.get( "OAUTHCLIENT_CERN_OPENID_REFRESH_TIMEDELTA", OAUTHCLIENT_CERN_OPENID_REFRESH_TIMEDELTA, ) if refresh: resource = get_resource(remote) roles.extend( account_roles_and_extra_data(remote_account, resource, refresh_timedelta=refresh)) else: roles.extend(remote_account.extra_data["roles"]) elif remote_account and logged_in_via_token: roles.extend(remote_account.extra_data["roles"]) extend_identity(identity, roles)
def import_users_from_json(dump_file): """Imports additional user data from JSON.""" dump_file = dump_file[0] with click.progressbar(json.load(dump_file)) as bar: for record in bar: click.echo('Importing user "{0}({1})"...'.format( record["id"], record["email"])) ccid = record.get("ccid") if not ccid: click.secho( "User {0}({1}) does not have ccid".format( record["id"], record["email"]), fg="magenta", ) continue user = get_user_by_person_id(ccid) if not user: click.secho( "User {0}({1}) not synced via LDAP".format( record["id"], record["email"]), fg="yellow", ) continue # todo uncomment when more data # raise UserMigrationError else: client_id = current_app.config["CERN_APP_OPENID_CREDENTIALS"][ "consumer_key"] account = RemoteAccount.get(user_id=user.id, client_id=client_id) extra_data = account.extra_data if "legacy_id" in extra_data: del extra_data["legacy_id"] # add legacy_id information account.extra_data.update(legacy_id=str(record["id"]), **extra_data) db.session.add(account) patron = Patron(user.id) PatronIndexer().index(patron) db.session.commit()
def disconnect_handler(remote, *args, **kwargs): """Handle unlinking of remote account. This default handler will just delete the remote account link. You may wish to extend this module to perform clean-up in the remote service before removing the link (e.g. removing install webhooks). :param remote: The remote application. :returns: Redirect response. """ if not current_user.is_authenticated: return current_app.login_manager.unauthorized() with db.session.begin_nested(): account = RemoteAccount.get( user_id=current_user.get_id(), client_id=remote.consumer_key ) if account: account.delete() db.session.commit() return redirect('/')
def on_identity_changed(sender, identity): """Store groups in session whenever identity changes. :param identity: The user identity where information are stored. """ if isinstance(identity, AnonymousIdentity): return client_id = current_app.config['CERN_APP_CREDENTIALS']['consumer_key'] account = RemoteAccount.get( user_id=current_user.get_id(), client_id=client_id, ) groups = [] if account: remote = find_remote_by_client_id(client_id) resource = get_resource(remote) refresh = current_app.config.get('OAUTHCLIENT_CERN_REFRESH_TIMEDELTA', OAUTHCLIENT_CERN_REFRESH_TIMEDELTA) groups.extend( account_groups(account, resource, refresh_timedelta=refresh)) extend_identity(identity, groups)
def system_user(app, db): """Create a regular system user.""" user = User(**dict(email="*****@*****.**", active=True)) db.session.add(user) db.session.commit() user_id = user.id identity = UserIdentity(**dict(id="1", method="cern", id_user=user_id)) db.session.add(identity) profile = UserProfile(**dict(user_id=user_id, _displayname="id_" + str(user_id), full_name="System User")) db.session.add(profile) remote_account = RemoteAccount(client_id="CLIENT_ID", **dict(user_id=user_id, extra_data=dict( person_id="1", department="Department"))) db.session.add(remote_account) db.session.commit() return user
def account(self): """Return remote account.""" return RemoteAccount.get(self.user_id, self.remote.consumer_key)
def get_account(user_id=None): """Retrieve linked GitHub account.""" return RemoteAccount.get(user_id or current_user.get_id(), get_client_id())
def test_identity_changed(app_rest, example_cern_openid_rest, models_fixture): def _init(): ioc = app_rest.extensions['oauthlib.client'] # setup the user account via cern_openid with app_rest.test_client() as c: # Ensure remote apps have been loaded (due to before first request) resp = c.get( url_for('invenio_oauthclient.rest_login', remote_app='cern_openid')) assert resp.status_code == 302 example_response, example_token, example_account_info = \ example_cern_openid_rest mock_response(app_rest.extensions['oauthlib.client'], 'cern_openid', example_token) mock_remote_get(ioc, 'cern_openid', example_response) resp = c.get( url_for('invenio_oauthclient.rest_authorized', remote_app='cern_openid', code='test', state=get_state('cern_openid'))) assert resp.status_code == 302 expected_url_args = { "message": "Successfully authorized.", "code": 200, } check_response_redirect_url_args(resp, expected_url_args) assert len(g.identity.provides) == 3 def _test_with_token(user, remote_account): with app_rest.test_request_context(): # mark user as logged in via token user.login_via_oauth2 = True # check if the initial roles are there login_user(user) assert current_user.login_via_oauth2 assert len(g.identity.provides) == 3 logout_user() # remove the cern roles remote_account.extra_data.update(roles=[]) # login the user again login_user(user) # check if the cern roles are not fetched from the provider assert len(g.identity.provides) == 2 logout_user() def _test_without_token(user, remote_account): user.login_via_oauth2 = False current_app.config['OAUTHCLIENT_CERN_OPENID_REFRESH_TIMEDELTA'] = False login_user(user) # check that the roles are not refreshed from provider assert len(g.identity.provides) == 2 logout_user() current_app.config['OAUTHCLIENT_CERN_OPENID_REFRESH_TIMEDELTA'] \ = timedelta(microseconds=1) login_user(user) # check if roles refreshed from the provider assert len(g.identity.provides) == 3 _init() datastore = app_rest.extensions['invenio-accounts'].datastore user = datastore.find_user(email='*****@*****.**') assert user client_id = current_app.config["CERN_APP_OPENID_CREDENTIALS"][ "consumer_key"] # make sure the roles are cleaned remote_account = RemoteAccount.get(user_id=user.get_id(), client_id=client_id) _test_with_token(user, remote_account) _test_without_token(user, remote_account)