def test_get_create_remote_account(app, models_fixture):
"""Test create remote account."""
created_acc = RemoteAccount.create(1, 'dev', dict(somekey='somevalue'))
assert created_acc
retrieved_acc = RemoteAccount.get(1, 'dev')
assert created_acc.id == retrieved_acc.id
assert retrieved_acc.extra_data == dict(somekey='somevalue')
db.session.delete(retrieved_acc)
assert RemoteAccount.get(1, 'dev') is None
def test_get_create_remote_account(app, example):
"""Test create remote account."""
created_acc = RemoteAccount.create(1, "dev", dict(somekey="somevalue"))
assert created_acc
retrieved_acc = RemoteAccount.get(1, "dev")
assert created_acc.id == retrieved_acc.id
assert retrieved_acc.extra_data == dict(somekey="somevalue")
db.session.delete(retrieved_acc)
assert RemoteAccount.get(1, "dev") is None
def test_get_create_remote_account(app, example):
"""Test create remote account."""
created_acc = RemoteAccount.create(1, "dev", dict(somekey="somevalue"))
assert created_acc
retrieved_acc = RemoteAccount.get(1, "dev")
assert created_acc.id == retrieved_acc.id
assert retrieved_acc.extra_data == dict(somekey="somevalue")
db.session.delete(retrieved_acc)
assert RemoteAccount.get(1, "dev") is None
def test_get_create_remote_account(models_fixture):
"""Test create remote account."""
app = models_fixture
created_acc = RemoteAccount.create(1, 'dev', dict(somekey='somevalue'))
assert created_acc
retrieved_acc = RemoteAccount.get(1, 'dev')
assert created_acc.id == retrieved_acc.id
assert retrieved_acc.extra_data == dict(somekey='somevalue')
db.session.delete(retrieved_acc)
assert RemoteAccount.get(1, 'dev') is None
def test_get_create(self):
from invenio_oauthclient.models import RemoteAccount
created_acc = RemoteAccount.create(1, "dev", dict(somekey="somevalue"))
assert created_acc
retrieved_acc = RemoteAccount.get(1, "dev")
assert created_acc.id == retrieved_acc.id
assert retrieved_acc.extra_data == dict(somekey="somevalue")
db.session.delete(retrieved_acc)
assert RemoteAccount.get(1, "dev") is None
def test_get_create(self):
from invenio_oauthclient.models import RemoteAccount
created_acc = RemoteAccount.create(1, "dev", dict(somekey="somevalue"))
assert created_acc
retrieved_acc = RemoteAccount.get(1, "dev")
assert created_acc.id == retrieved_acc.id
assert retrieved_acc.extra_data == dict(somekey="somevalue")
db.session.delete(retrieved_acc)
assert RemoteAccount.get(1, "dev") is None
def test_get_create(self):
from invenio_oauthclient.models import RemoteAccount, RemoteToken
t = RemoteToken.create(self.u1, "dev", "mytoken", "mysecret")
assert t
assert t.token() == ('mytoken', 'mysecret')
acc = RemoteAccount.get(self.u1, "dev")
assert acc
assert t.remote_account.id == acc.id
assert t.token_type == ''
t2 = RemoteToken.create(self.u1,
"dev",
"mytoken2",
"mysecret2",
token_type='t2')
assert t2.remote_account.id == acc.id
assert t2.token_type == 't2'
t3 = RemoteToken.get(self.u1, "dev")
t4 = RemoteToken.get(self.u1, "dev", token_type="t2")
assert t4.token() != t3.token()
assert RemoteToken.query.count() == 2
acc.delete()
assert RemoteToken.query.count() == 0
def test_get_create_remote_token(models_fixture):
"""Test create remote token."""
app = models_fixture
existing_email = "*****@*****.**"
datastore = app.extensions['invenio-accounts'].datastore
user = datastore.find_user(email=existing_email)
t = RemoteToken.create(user.id, "dev", "mytoken", "mysecret")
assert t
assert t.token() == ('mytoken', 'mysecret')
acc = RemoteAccount.get(user.id, "dev")
assert acc
assert t.remote_account.id == acc.id
assert t.token_type == ''
t2 = RemoteToken.create(
user.id, "dev", "mytoken2", "mysecret2",
token_type='t2'
)
assert t2.remote_account.id == acc.id
assert t2.token_type == 't2'
t3 = RemoteToken.get(user.id, "dev")
t4 = RemoteToken.get(user.id, "dev", token_type="t2")
assert t4.token() != t3.token()
assert RemoteToken.query.count() == 2
acc.delete()
assert RemoteToken.query.count() == 0
def test_get_create_remote_token(app, models_fixture):
"""Test create remote token."""
existing_email = '*****@*****.**'
datastore = app.extensions['invenio-accounts'].datastore
user = datastore.find_user(email=existing_email)
t = RemoteToken.create(user.id, 'dev', 'mytoken', 'mysecret')
assert t
assert t.token() == ('mytoken', 'mysecret')
acc = RemoteAccount.get(user.id, 'dev')
assert acc
assert t.remote_account.id == acc.id
assert t.token_type == ''
t2 = RemoteToken.create(
user.id, 'dev', 'mytoken2', 'mysecret2',
token_type='t2'
)
assert t2.remote_account.id == acc.id
assert t2.token_type == 't2'
t3 = RemoteToken.get(user.id, 'dev')
t4 = RemoteToken.get(user.id, 'dev', token_type='t2')
assert t4.token() != t3.token()
assert RemoteToken.query.count() == 2
acc.delete()
assert RemoteToken.query.count() == 0
def import_users_from_json(dump_file):
"""Imports additional user data from JSON."""
dump_file = dump_file[0]
with click.progressbar(json.load(dump_file)) as bar:
for record in bar:
click.echo(
'Importing user "{0}({1})"...'.format(
record["id"], record["email"]
)
)
user = get_user_by_person_id(record["ccid"])
if not user:
click.secho(
"User {0}({1}) not synced via LDAP".format(
record["id"], record["email"]
),
fg="red",
)
continue
# todo uncomment when more data
# raise UserMigrationError
else:
client_id = current_app.config["CERN_APP_OPENID_CREDENTIALS"][
"consumer_key"
]
account = RemoteAccount.get(
user_id=user.id, client_id=client_id
)
extra_data = account.extra_data
# add legacy_id information
account.extra_data.update(legacy_id=record["id"], **extra_data)
db.session.add(account)
patron = Patron(user.id)
PatronIndexer().index(patron)
db.session.commit()
def test_get_create_remote_token(app, example):
"""Test create remote token."""
existing_email = "*****@*****.**"
datastore = app.extensions["invenio-accounts"].datastore
user = datastore.find_user(email=existing_email)
t = RemoteToken.create(user.id, "dev", "mytoken", "mysecret")
assert t
assert t.token() == ("mytoken", "mysecret")
acc = RemoteAccount.get(user.id, "dev")
assert acc
assert t.remote_account.id == acc.id
assert t.token_type == ""
t2 = RemoteToken.create(user.id, "dev", "mytoken2", "mysecret2", token_type="t2")
assert t2.remote_account.id == acc.id
assert t2.token_type == "t2"
t3 = RemoteToken.get(user.id, "dev")
t4 = RemoteToken.get(user.id, "dev", token_type="t2")
assert t4.token() != t3.token()
assert RemoteToken.query.count() == 2
acc.delete()
assert RemoteToken.query.count() == 0
def test_get_create(self):
from invenio_oauthclient.models import RemoteAccount, RemoteToken
t = RemoteToken.create(self.u1, "dev", "mytoken", "mysecret")
assert t
assert t.token() == ('mytoken', 'mysecret')
acc = RemoteAccount.get(self.u1, "dev")
assert acc
assert t.remote_account.id == acc.id
assert t.token_type == ''
t2 = RemoteToken.create(
self.u1, "dev", "mytoken2", "mysecret2",
token_type='t2'
)
assert t2.remote_account.id == acc.id
assert t2.token_type == 't2'
t3 = RemoteToken.get(self.u1, "dev")
t4 = RemoteToken.get(self.u1, "dev", token_type="t2")
assert t4.token() != t3.token()
assert RemoteToken.query.count() == 2
acc.delete()
assert RemoteToken.query.count() == 0
def on_identity_changed(sender, identity):
"""Store groups in session whenever identity changes.
:param identity: The user identity where information are stored.
"""
if isinstance(identity, AnonymousIdentity):
disconnect_identity(identity)
return
remote = g.get("oauth_logged_in_with_remote", None)
if not remote or remote.name != "cern":
# signal coming from another remote app
return
client_id = current_app.config['CERN_APP_CREDENTIALS']['consumer_key']
account = RemoteAccount.get(
user_id=current_user.get_id(),
client_id=client_id,
)
groups = []
if account:
resource = get_resource(remote)
refresh = current_app.config.get(
'OAUTHCLIENT_CERN_REFRESH_TIMEDELTA',
OAUTHCLIENT_CERN_REFRESH_TIMEDELTA
)
groups.extend(
account_groups_and_extra_data(account, resource,
refresh_timedelta=refresh)
)
extend_identity(identity, groups)
def on_identity_changed(sender, identity):
"""Store roles in session whenever identity changes.
:param identity: The user identity where information are stored.
"""
if isinstance(identity, AnonymousIdentity):
return
client_id = current_app.config["CERN_APP_OPENID_CREDENTIALS"][
"consumer_key"]
account = RemoteAccount.get(user_id=current_user.get_id(),
client_id=client_id)
roles = []
if account:
remote = find_remote_by_client_id(client_id)
resource = get_resource(remote)
refresh = current_app.config.get(
"OAUTHCLIENT_CERN_OPENID_REFRESH_TIMEDELTA",
OAUTHCLIENT_CERN_OPENID_REFRESH_TIMEDELTA,
)
roles.extend(
account_roles_and_extra_data(account,
resource,
refresh_timedelta=refresh))
extend_identity(identity, roles)
def on_identity_changed(sender, identity):
"""Store groups in session whenever identity changes.
:param identity: The user identity where information are stored.
"""
if isinstance(identity, AnonymousIdentity):
return
client_id = current_app.config['CERN_APP_CREDENTIALS']['consumer_key']
account = RemoteAccount.get(
user_id=current_user.get_id(),
client_id=client_id,
)
groups = []
if account:
remote = find_remote_by_client_id(client_id)
resource = get_resource(remote)
refresh = current_app.config.get(
'OAUTHCLIENT_CERN_REFRESH_TIMEDELTA',
OAUTHCLIENT_CERN_REFRESH_TIMEDELTA
)
groups.extend(
account_groups(account, resource, refresh_timedelta=refresh)
)
extend_identity(identity, groups)
def on_identity_changed(sender, identity):
"""Store groups in session whenever identity changes.
:param identity: The user identity where information are stored.
"""
if isinstance(identity, AnonymousIdentity):
return
client_id = current_app.config['CERN_APP_CREDENTIALS']['consumer_key']
account = RemoteAccount.get(
user_id=current_user.get_id(),
client_id=client_id,
)
groups = []
if account:
groups = account.extra_data.get('groups', [])
remote = find_remote_by_client_id(client_id)
resource = get_resource(remote)
refresh = current_app.config.get('OAUTHCLIENT_CERN_REFRESH_TIMEDELTA',
OAUTHCLIENT_CERN_REFRESH_TIMEDELTA)
# if 'resource' exists, update groups with new ones received
# else keep old ones from 'extra_data'
if resource:
oauth_groups = account_groups(account,
resource,
refresh_timedelta=refresh)
groups = groups + list(set(oauth_groups) - set(groups))
extend_identity(identity, groups)
def test_get_create_remote_token(models_fixture, example):
"""Test create remote token."""
app = models_fixture
existing_email = "*****@*****.**"
datastore = app.extensions['invenio-accounts'].datastore
user = datastore.find_user(email=existing_email)
t = RemoteToken.create(user.id, "dev", "mytoken", "mysecret")
assert t
assert t.token() == ('mytoken', 'mysecret')
acc = RemoteAccount.get(user.id, "dev")
assert acc
assert t.remote_account.id == acc.id
assert t.token_type == ''
t2 = RemoteToken.create(user.id,
"dev",
"mytoken2",
"mysecret2",
token_type='t2')
assert t2.remote_account.id == acc.id
assert t2.token_type == 't2'
t3 = RemoteToken.get(user.id, "dev")
t4 = RemoteToken.get(user.id, "dev", token_type="t2")
assert t4.token() != t3.token()
assert RemoteToken.query.count() == 2
acc.delete()
assert RemoteToken.query.count() == 0
def disconnect_handler(remote, *args, **kwargs):
"""Handle unlinking of remote account.
:param remote: The remote application.
:returns: The HTML response.
"""
if not current_user.is_authenticated:
return current_app.login_manager.unauthorized()
remote_account = RemoteAccount.get(user_id=current_user.get_id(),
client_id=remote.consumer_key)
external_method = 'github'
external_ids = [
i.id for i in current_user.external_identifiers
if i.method == external_method
]
if external_ids:
oauth_unlink_external_id(
dict(id=external_ids[0], method=external_method))
if remote_account:
with db.session.begin_nested():
remote_account.delete()
return redirect(url_for('invenio_oauthclient_settings.index'))
def __init__(self, id, revision_id=None):
"""Create a `Patron` instance."""
super(Patron, self).__init__(id, revision_id)
client_id = current_app.config.get(
"CERN_APP_CREDENTIALS", {}).get("consumer_key") or "CLIENT_ID"
remote_user = RemoteAccount.get(id, client_id)
self.extra_info = None
if remote_user:
self.extra_info = remote_user.extra_data
def __init__(self, id, revision_id=None):
"""Create a `Patron` instance."""
super().__init__(id, revision_id)
self.extra_info = None
client_id = current_app.config["CERN_APP_OPENID_CREDENTIALS"][
"consumer_key"]
remote_user = RemoteAccount.get(id, client_id)
if remote_user:
self.extra_info = remote_user.extra_data
def get_remote_account_by_id(user_id):
cern_app_id = current_app.config.get('CERN_APP_CREDENTIALS_KEY')
account = RemoteAccount.get(user_id=user_id, client_id=cern_app_id)
email = account.user.email if account else get_user_email_by_id(user_id)
profile = account.extra_data if account else {}
if 'groups' in profile.keys():
del profile['groups']
return dict(email=email, profile=profile)
def test_repr(models_fixture):
"""Test representation of RemoteAccount adn RemoteToken."""
datastore = models_fixture.extensions['invenio-accounts'].datastore
user = datastore.find_user(email='*****@*****.**')
assert 'Remote Token <token_type=type access_token=mytoken>' == \
repr(RemoteToken.create(user.id, 'dev',
'mytoken', 'mysecret',
token_type='type'))
assert 'Remote Account <id=1, user_id=1>' == \
repr(RemoteAccount.get(user.id, 'dev'))
def test_repr(app, models_fixture):
"""Test representation of RemoteAccount and RemoteToken."""
datastore = app.extensions['invenio-accounts'].datastore
user = datastore.find_user(email='*****@*****.**')
assert 'Remote Token <token_type=type access_token=****oken>' == \
repr(RemoteToken.create(user.id, 'dev',
'mytoken', 'mysecret',
token_type='type'))
assert 'Remote Account <id=1, user_id=1>' == \
repr(RemoteAccount.get(user.id, 'dev'))
def test_utilities(models_fixture):
"""Test utilities."""
app = models_fixture
datastore = app.extensions['invenio-accounts'].datastore
assert obj_or_import_string('invenio_oauthclient.errors')
# User
existing_email = '*****@*****.**'
user = datastore.find_user(email=existing_email)
# Authenticate
assert not _get_external_id({})
assert not oauth_authenticate('dev', user, require_existing_link=True)
_security.confirmable = True
_security.login_without_confirmation = False
user.confirmed_at = None
assert not oauth_authenticate('dev', user)
# Tokens
t = RemoteToken.create(user.id, 'dev', 'mytoken', 'mysecret')
assert \
RemoteToken.get(user.id, 'dev', access_token='mytoken') == \
RemoteToken.get_by_token('dev', 'mytoken')
assert oauth_get_user('dev', access_token=t.access_token) == user
assert \
oauth_get_user('dev', account_info={
'user': {
'email': existing_email
}
}) == user
# Link user to external id
external_id = {'id': '123', 'method': 'test_method'}
oauth_link_external_id(user, external_id)
with pytest.raises(AlreadyLinkedError):
oauth_link_external_id(user, external_id)
assert oauth_get_user('dev',
account_info={
'external_id': external_id['id'],
'external_method': external_id['method']
}) == user
# Cleanup
oauth_unlink_external_id(external_id)
acc = RemoteAccount.get(user.id, 'dev')
acc.delete()
def disconnect_handler(remote, *args, **kwargs):
"""Handle unlinking of remote account."""
if not current_user.is_authenticated:
return current_app.login_manager.unauthorized()
account = RemoteAccount.get(user_id=current_user.get_id(),
client_id=remote.consumer_key)
orcid = account.extra_data.get('orcid')
if orcid:
oauth_unlink_external_id(dict(id=orcid, method='orcid'))
if account:
with db.session.begin_nested():
account.delete()
return redirect(url_for('invenio_oauthclient_settings.index'))
def _disconnect(remote, *args, **kwargs):
"""Handle unlinking of remote account."""
if not current_user.is_authenticated:
return current_app.login_manager.unauthorized()
account = RemoteAccount.get(user_id=current_user.get_id(),
client_id=remote.consumer_key)
external_id = account.extra_data.get("external_id")
if external_id:
oauth_unlink_external_id(dict(id=external_id, method="cern_openid"))
if account:
with db.session.begin_nested():
account.delete()
disconnect_identity(g.identity)
def test_utilities(models_fixture):
"""Test utilities."""
app = models_fixture
datastore = app.extensions['invenio-accounts'].datastore
assert obj_or_import_string('invenio_oauthclient.errors')
# User
existing_email = '*****@*****.**'
user = datastore.find_user(email=existing_email)
# Authenticate
assert not _get_external_id({})
assert not oauth_authenticate('dev', user, require_existing_link=True)
_security.confirmable = True
_security.login_without_confirmation = False
user.confirmed_at = None
assert not oauth_authenticate('dev', user)
# Tokens
t = RemoteToken.create(user.id, 'dev', 'mytoken', 'mysecret')
assert \
RemoteToken.get(user.id, 'dev', access_token='mytoken') == \
RemoteToken.get_by_token('dev', 'mytoken')
assert oauth_get_user('dev', access_token=t.access_token) == user
assert \
oauth_get_user('dev', account_info={'user': {'email': existing_email}}) == user
# Link user to external id
external_id = {'id': '123', 'method': 'test_method'}
oauth_link_external_id(user, external_id)
with pytest.raises(AlreadyLinkedError):
oauth_link_external_id(user, external_id)
assert oauth_get_user('dev',
account_info={
'external_id': external_id['id'],
'external_method': external_id['method']
}) == user
# Cleanup
oauth_unlink_external_id(external_id)
acc = RemoteAccount.get(user.id, 'dev')
acc.delete()
def _disconnect(remote, *args, **kwargs):
"""Handle unlinking of remote account.
:param remote: The remote application.
"""
if not current_user.is_authenticated:
return current_app.login_manager.unauthorized()
account = RemoteAccount.get(user_id=current_user.get_id(),
client_id=remote.consumer_key)
orcid = account.extra_data.get('orcid')
if orcid:
oauth_unlink_external_id({'id': orcid, 'method': 'orcid'})
if account:
with db.session.begin_nested():
account.delete()
def disconnect_handler(remote, *args, **kwargs):
"""Handle unlinking of remote account."""
if not current_user.is_authenticated:
return current_app.login_manager.unauthorized()
account = RemoteAccount.get(user_id=current_user.get_id(),
client_id=remote.consumer_key)
external_id = account.extra_data.get('external_id')
if external_id:
oauth_unlink_external_id(dict(id=external_id, method='cern'))
if account:
with db.session.begin_nested():
account.delete()
disconnect_identity(g.identity)
return redirect(url_for('invenio_oauthclient_settings.index'))
def _disconnect(remote, *args, **kwargs):
"""Common logic for handling disconnection of remote accounts."""
if not current_user.is_authenticated:
return current_app.login_manager.unauthorized()
account = RemoteAccount.get(user_id=current_user.get_id(),
client_id=remote.consumer_key)
keycloak_id = account.extra_data.get("keycloak_id")
if keycloak_id:
external_id = {"id": keycloak_id, "method": remote.name}
oauth_unlink_external_id(external_id)
if account:
with db.session.begin_nested():
account.delete()
def disconnect_handler(remote, *args, **kwargs):
"""Handle unlinking of remote account."""
from invenio_oauthclient.utils import oauth_unlink_external_id
from invenio_oauthclient.models import RemoteAccount
if not current_user.is_authenticated():
return current_app.login_manager.unauthorized()
account = RemoteAccount.get(user_id=current_user.get_id(),
client_id=remote.consumer_key)
orcid = account.extra_data.get('orcid')
if orcid:
oauth_unlink_external_id(dict(id=orcid, method='orcid'))
if account:
account.delete()
return redirect(url_for('oauthclient_settings.index'))
def handle_disconnect(self, remote, *args, **kwargs):
"""Handle unlinking of remote account.
:param remote: The remote application.
"""
if not current_user.is_authenticated:
return current_app.login_manager.unauthorized()
account = RemoteAccount.get(user_id=current_user.get_id(),
client_id=remote.consumer_key)
sub = account.extra_data.get('sub')
if sub:
oauth_unlink_external_id({'id': sub, 'method': self.name})
if account:
with db.session.begin_nested():
account.delete()
return redirect(url_for('invenio_oauthclient_settings.index'))
def disconnect_handler(remote, *args, **kwargs):
"""Handle unlinking of remote account."""
if not current_user.is_authenticated:
return current_app.login_manager.unauthorized()
remote_account = RemoteAccount.get(user_id=current_user.get_id(),
client_id=remote.consumer_key)
external_method = 'github'
external_ids = [i.id for i in current_user.external_identifiers
if i.method == external_method]
if external_ids:
oauth_unlink_external_id(dict(id=external_ids[0],
method=external_method))
if remote_account:
with db.session.begin_nested():
remote_account.delete()
return redirect(url_for('invenio_oauthclient_settings.index'))
def test_utilities(models_fixture):
"""Test utilities."""
app = models_fixture
datastore = app.extensions["invenio-accounts"].datastore
assert obj_or_import_string("invenio_oauthclient.errors")
# User
existing_email = "*****@*****.**"
user = datastore.find_user(email=existing_email)
# Authenticate
assert not _get_external_id({})
assert not oauth_authenticate("dev", user, require_existing_link=True)
_security.confirmable = True
_security.login_without_confirmation = False
user.confirmed_at = None
assert not oauth_authenticate("dev", user)
# Tokens
t = RemoteToken.create(user.id, "dev", "mytoken", "mysecret")
assert RemoteToken.get(user.id, "dev", access_token="mytoken") == RemoteToken.get_by_token("dev", "mytoken")
assert oauth_get_user("dev", access_token=t.access_token) == user
assert oauth_get_user("dev", account_info={"user": {"email": existing_email}}) == user
# Link user to external id
external_id = {"id": "123", "method": "test_method"}
oauth_link_external_id(user, external_id)
with pytest.raises(AlreadyLinkedError):
oauth_link_external_id(user, external_id)
assert (
oauth_get_user("dev", account_info={"external_id": external_id["id"], "external_method": external_id["method"]})
== user
)
# Cleanup
oauth_unlink_external_id(external_id)
acc = RemoteAccount.get(user.id, "dev")
acc.delete()
def disconnect_handler(remote, *args, **kwargs):
"""Handle unlinking of remote account.
This default handler will just delete the remote account link. You may
wish to extend this module to perform clean-up in the remote service
before removing the link (e.g. removing install webhooks).
:param remote: The remote application.
:returns: Redirect response.
"""
if not current_user.is_authenticated:
return current_app.login_manager.unauthorized()
with db.session.begin_nested():
account = RemoteAccount.get(user_id=current_user.get_id(),
client_id=remote.consumer_key)
if account:
account.delete()
db.session.commit()
return redirect('/')
def on_identity_changed(sender, identity):
"""Store roles in session whenever identity changes.
:param identity: The user identity where information are stored.
"""
if isinstance(identity, AnonymousIdentity):
disconnect_identity(identity)
return
remote = g.get("oauth_logged_in_with_remote", None)
if not remote or remote.name != "cern_openid":
# signal coming from another remote app
return
logged_in_via_token = hasattr(current_user, 'login_via_oauth2') \
and getattr(current_user, 'login_via_oauth2')
client_id = current_app.config["CERN_APP_OPENID_CREDENTIALS"][
"consumer_key"]
remote_account = RemoteAccount.get(user_id=current_user.get_id(),
client_id=client_id)
roles = []
if remote_account and not logged_in_via_token:
refresh = current_app.config.get(
"OAUTHCLIENT_CERN_OPENID_REFRESH_TIMEDELTA",
OAUTHCLIENT_CERN_OPENID_REFRESH_TIMEDELTA,
)
if refresh:
resource = get_resource(remote)
roles.extend(
account_roles_and_extra_data(remote_account,
resource,
refresh_timedelta=refresh))
else:
roles.extend(remote_account.extra_data["roles"])
elif remote_account and logged_in_via_token:
roles.extend(remote_account.extra_data["roles"])
extend_identity(identity, roles)
def _disconnect(remote, *args, **kwargs):
"""Handle unlinking of remote account.
:param remote: The remote application.
"""
if not current_user.is_authenticated:
return current_app.login_manager.unauthorized()
remote_account = RemoteAccount.get(user_id=current_user.get_id(),
client_id=remote.consumer_key)
external_method = 'openaire_aai'
external_ids = [
i.id for i in current_user.external_identifiers
if i.method == external_method
]
if external_ids:
oauth_unlink_external_id(
dict(id=external_ids[0], method=external_method))
if remote_account:
with db.session.begin_nested():
remote_account.delete()
def disconnect_handler(remote, *args, **kwargs):
"""Handle unlinking of remote account.
This default handler will just delete the remote account link. You may
wish to extend this module to perform clean-up in the remote service
before removing the link (e.g. removing install webhooks).
:param remote: The remote application.
:returns: Redirect response.
"""
if not current_user.is_authenticated:
return current_app.login_manager.unauthorized()
with db.session.begin_nested():
account = RemoteAccount.get(
user_id=current_user.get_id(),
client_id=remote.consumer_key
)
if account:
account.delete()
db.session.commit()
return redirect('/')
def account(self):
"""Return remote account."""
return RemoteAccount.get(self.user_id, self.remote.consumer_key)
def get_account(user_id=None):
"""Retrieve linked GitHub account."""
return RemoteAccount.get(user_id or current_user.get_id(), get_client_id())
def account(self):
"""Return remote account."""
return RemoteAccount.get(self.user_id, self.remote.consumer_key)
def test_identity_changed(app_rest, example_cern_openid_rest, models_fixture):
def _init():
ioc = app_rest.extensions['oauthlib.client']
# setup the user account via cern_openid
with app_rest.test_client() as c:
# Ensure remote apps have been loaded (due to before first request)
resp = c.get(
url_for('invenio_oauthclient.rest_login',
remote_app='cern_openid'))
assert resp.status_code == 302
example_response, example_token, example_account_info = \
example_cern_openid_rest
mock_response(app_rest.extensions['oauthlib.client'],
'cern_openid', example_token)
mock_remote_get(ioc, 'cern_openid', example_response)
resp = c.get(
url_for('invenio_oauthclient.rest_authorized',
remote_app='cern_openid',
code='test',
state=get_state('cern_openid')))
assert resp.status_code == 302
expected_url_args = {
"message": "Successfully authorized.",
"code": 200,
}
check_response_redirect_url_args(resp, expected_url_args)
assert len(g.identity.provides) == 3
def _test_with_token(user, remote_account):
with app_rest.test_request_context():
# mark user as logged in via token
user.login_via_oauth2 = True
# check if the initial roles are there
login_user(user)
assert current_user.login_via_oauth2
assert len(g.identity.provides) == 3
logout_user()
# remove the cern roles
remote_account.extra_data.update(roles=[])
# login the user again
login_user(user)
# check if the cern roles are not fetched from the provider
assert len(g.identity.provides) == 2
logout_user()
def _test_without_token(user, remote_account):
user.login_via_oauth2 = False
current_app.config['OAUTHCLIENT_CERN_OPENID_REFRESH_TIMEDELTA'] = False
login_user(user)
# check that the roles are not refreshed from provider
assert len(g.identity.provides) == 2
logout_user()
current_app.config['OAUTHCLIENT_CERN_OPENID_REFRESH_TIMEDELTA'] \
= timedelta(microseconds=1)
login_user(user)
# check if roles refreshed from the provider
assert len(g.identity.provides) == 3
_init()
datastore = app_rest.extensions['invenio-accounts'].datastore
user = datastore.find_user(email='*****@*****.**')
assert user
client_id = current_app.config["CERN_APP_OPENID_CREDENTIALS"][
"consumer_key"]
# make sure the roles are cleaned
remote_account = RemoteAccount.get(user_id=user.get_id(),
client_id=client_id)
_test_with_token(user, remote_account)
_test_without_token(user, remote_account)
