def test_account_setup(app, example_cern, models_fixture):
"""Test account setup after login."""
with app.test_client() as c:
ioc = app.extensions['oauthlib.client']
# Ensure remote apps have been loaded (due to before first request)
resp = c.get(url_for('invenio_oauthclient.login', remote_app='cern'))
assert resp.status_code == 302
example_response, example_token, example_account_info = example_cern
mock_response(app.extensions['oauthlib.client'], 'cern',
example_token)
mock_remote_get(ioc, 'cern', example_response)
resp = c.get(url_for(
'invenio_oauthclient.authorized',
remote_app='cern', code='test',
state=get_state('cern')))
assert resp.status_code == 302
assert resp.location == ('http://localhost/account/settings/'
'linkedaccounts/')
assert len(g.identity.provides) == 7
datastore = app.extensions['invenio-accounts'].datastore
user = datastore.find_user(email='*****@*****.**')
assert user
with app.test_request_context():
resp = disconnect_handler(ioc.remote_apps['cern'])
assert resp.status_code >= 300
login_user(user)
assert len(g.identity.provides) == 7
disconnect_handler(ioc.remote_apps['cern'])
def test_account_info(app, example_cern):
"""Test account info extraction."""
client = app.test_client()
ioc = app.extensions['oauthlib.client']
# Ensure remote apps have been loaded (due to before first request)
client.get(url_for('invenio_oauthclient.login', remote_app='cern'))
example_response, _, example_account_info = example_cern
mock_remote_get(ioc, 'cern', example_response)
assert account_info(
ioc.remote_apps['cern'], None) == example_account_info
assert account_info(ioc.remote_apps['cern'], {}) == \
dict(
user=dict(
email='*****@*****.**',
profile={
'full_name': u'Test Account', 'username': u'taccount'
},
),
external_id='123456', external_method='cern',
active=True
)
def test_account_setup(app, example_cern_openid, models_fixture):
"""Test account setup after login."""
with app.test_client() as c:
ioc = app.extensions['oauthlib.client']
# Ensure remote apps have been loaded (due to before first request)
resp = c.get(
url_for('invenio_oauthclient.login', remote_app='cern_openid'))
assert resp.status_code == 302
example_response, example_token, example_account_info = \
example_cern_openid
mock_response(app.extensions['oauthlib.client'], 'cern_openid',
example_token)
mock_remote_get(ioc, 'cern_openid', example_response)
resp = c.get(
url_for('invenio_oauthclient.authorized',
remote_app='cern_openid',
code='test',
state=get_state('cern_openid')))
assert resp.status_code == 302
assert resp.location == ('http://localhost/account/settings/'
'linkedaccounts/')
assert len(g.identity.provides) == 3
datastore = app.extensions['invenio-accounts'].datastore
user = datastore.find_user(email='*****@*****.**')
user.password = hash_password("1234")
assert user
with app.test_request_context():
resp = disconnect_handler(ioc.remote_apps['cern_openid'])
assert resp.status_code >= 300
login_user(user)
assert len(g.identity.provides) == 3
logout_user()
assert len(g.identity.provides) == 1
assert "cern_resource" not in session
assert OAUTHCLIENT_CERN_OPENID_SESSION_KEY not in session
# Login again to test the disconnect handler
login_user(user)
assert len(g.identity.provides) == 3
disconnect_handler(ioc.remote_apps['cern_openid'])
def test_account_info_rest(app_rest, example_cern_openid_rest):
"""Test account info extraction."""
client = app_rest.test_client()
ioc = app_rest.extensions['oauthlib.client']
# Ensure remote apps have been loaded (due to before first request)
client.get(
url_for('invenio_oauthclient.rest_login', remote_app='cern_openid'))
example_response, _, example_account_info = example_cern_openid_rest
mock_remote_get(ioc, 'cern_openid', example_response)
assert account_info_rest(ioc.remote_apps['cern_openid'],
None) == example_account_info
def test_account_info_not_allowed_account(app, example_cern_openid):
"""Test account info extraction."""
client = app.test_client()
app.config['OAUTHCLIENT_CERN_OPENID_ALLOWED_ROLES'] = ['another cern role']
ioc = app.extensions['oauthlib.client']
# Ensure remote apps have been loaded (due to before first request)
client.get(url_for('invenio_oauthclient.login', remote_app='cern_openid'))
example_response, _, example_account_info = example_cern_openid
mock_remote_get(ioc, 'cern_openid', example_response)
resp = account_info(ioc.remote_apps['cern_openid'], None)
assert resp.status_code == 302
assert session['_flashes'][0][0] == 'danger'
assert session['_flashes'][0][1] == 'CERN account not allowed.'
def test_account_info_not_allowed_account(app, example_cern):
"""Test account info extraction."""
client = app.test_client()
app.config['OAUTHCLIENT_CERN_ALLOWED_IDENTITY_CLASSES'] = [
'another cern type'
]
ioc = app.extensions['oauthlib.client']
# Ensure remote apps have been loaded (due to before first request)
client.get(url_for('invenio_oauthclient.login', remote_app='cern'))
example_response, _, example_account_info = example_cern
mock_remote_get(ioc, 'cern', example_response)
with pytest.raises(OAuthCERNRejectedAccountError):
account_info(ioc.remote_apps['cern'], None)
def test_account_setup(app_rest, example_cern_openid_rest, models_fixture):
"""Test account setup after login."""
with app_rest.test_client() as c:
ioc = app_rest.extensions['oauthlib.client']
# Ensure remote apps have been loaded (due to before first request)
resp = c.get(
url_for('invenio_oauthclient.rest_login',
remote_app='cern_openid'))
assert resp.status_code == 302
example_response, example_token, example_account_info = \
example_cern_openid_rest
mock_response(app_rest.extensions['oauthlib.client'], 'cern_openid',
example_token)
mock_remote_get(ioc, 'cern_openid', example_response)
resp = c.get(
url_for('invenio_oauthclient.rest_authorized',
remote_app='cern_openid',
code='test',
state=get_state('cern_openid')))
assert resp.status_code == 302
expected_url_args = {
"message": "Successfully authorized.",
"code": 200,
}
check_response_redirect_url_args(resp, expected_url_args)
assert len(g.identity.provides) == 3
datastore = app_rest.extensions['invenio-accounts'].datastore
user = datastore.find_user(email='*****@*****.**')
assert user
with app_rest.test_request_context():
resp = disconnect_rest_handler(ioc.remote_apps['cern_openid'])
assert resp.status_code >= 300
login_user(user)
assert len(g.identity.provides) == 3
disconnect_rest_handler(ioc.remote_apps['cern_openid'])
def test_account_info_not_allowed_account(app_rest, example_cern):
"""Test account info extraction."""
client = app_rest.test_client()
app_rest.config['OAUTHCLIENT_CERN_ALLOWED_IDENTITY_CLASSES'] = [
'another cern type'
]
ioc = app_rest.extensions['oauthlib.client']
# Ensure remote apps have been loaded (due to before first request)
client.get(url_for('invenio_oauthclient.rest_login', remote_app='cern'))
example_response, _, example_account_info = example_cern
mock_remote_get(ioc, 'cern', example_response)
resp = account_info_rest(ioc.remote_apps['cern'], None)
assert resp.status_code == 302
expected_url_args = {
"message": "CERN account not allowed.",
"code": 400,
}
check_response_redirect_url_args(resp, expected_url_args)
def test_invalid_user_id_response(app, example_globus):
with app.test_client() as c:
# User login with email 'info'
ioc = app.extensions['oauthlib.client']
# Ensure remote apps have been loaded (due to before first request)
resp = c.get(url_for('invenio_oauthclient.login', remote_app='globus'))
assert resp.status_code == 302
example_info, example_token, _ = example_globus
mock_response(app.extensions['oauthlib.client'], 'globus',
example_token)
oauth_resp = OAuthResponse(resp=None,
content=json.dumps(example_info),
content_type='application/json')
mock_remote_get(ioc, 'globus', oauth_resp)
with pytest.raises(OAuthResponseError):
c.get(
url_for('invenio_oauthclient.authorized',
remote_app='globus',
code='test',
state=_get_state()))
def test_authorized_signup_valid_user(app, example_globus):
"""Test authorized callback with sign-up."""
with app.test_client() as c:
# User login with email 'info'
ioc = app.extensions['oauthlib.client']
# Ensure remote apps have been loaded (due to before first request)
resp = c.get(url_for('invenio_oauthclient.login', remote_app='globus'))
assert resp.status_code == 302
example_info, example_token, example_account_id = example_globus
mock_response(app.extensions['oauthlib.client'], 'globus',
example_token)
example_info.update(example_account_id)
oauth_resp = OAuthResponse(resp=None,
content=json.dumps(example_info),
content_type='application/json')
mock_remote_get(ioc, 'globus', oauth_resp)
# User authorized the requests and is redirect back
resp = c.get(
url_for('invenio_oauthclient.authorized',
remote_app='globus',
code='test',
state=_get_state()))
assert resp.status_code == 302
assert resp.location == ('http://localhost/account/settings/' +
'linkedaccounts/')
# Assert database state (Sign-up complete)
user = User.query.filter_by(email='*****@*****.**').one()
remote = RemoteAccount.query.filter_by(user_id=user.id).one()
RemoteToken.query.filter_by(id_remote_account=remote.id).one()
assert user.active
# Disconnect link
# should not work, because it's the user's only means of login
resp = c.get(
url_for('invenio_oauthclient.disconnect', remote_app='globus'))
assert resp.status_code == 400
user = User.query.filter_by(email='*****@*****.**').one()
assert 1 == UserIdentity.query.filter_by(
method='globus',
id_user=user.id,
).count()
# set a password for the user
user.password = hash_password("1234")
db.session.commit()
# Disconnect again
resp = c.get(
url_for('invenio_oauthclient.disconnect', remote_app='globus'))
assert resp.status_code == 302
# User exists
user = User.query.filter_by(email='*****@*****.**').one()
assert 0 == UserIdentity.query.filter_by(
method='globus',
id_user=user.id,
).count()
assert RemoteAccount.query.filter_by(user_id=user.id).count() == 0
assert RemoteToken.query.count() == 0
# User authorized the requests and is redirect back
resp = c.get(
url_for('invenio_oauthclient.authorized',
remote_app='globus',
code='test',
state=_get_state()))
assert resp.status_code == 302
assert resp.location == ('http://localhost/' +
'account/settings/linkedaccounts/')
# check that exist only one account
user = User.query.filter_by(email='*****@*****.**').one()
assert User.query.count() == 1
def test_authorized_already_authenticated(app, models_fixture, example_globus):
"""Test authorized callback with sign-up."""
datastore = app.extensions['invenio-accounts'].datastore
login_manager = app.login_manager
existing_email = '*****@*****.**'
user = datastore.find_user(email=existing_email)
@login_manager.user_loader
def load_user(user_id):
return user
@app.route('/foo_login')
def login():
login_user(user)
return 'Logged In'
with app.test_client() as client:
# make a fake login (using my login function)
client.get('/foo_login', follow_redirects=True)
# Ensure remote apps have been loaded (due to before first request)
client.get(url_for('invenio_oauthclient.login', remote_app='globus'))
ioc = app.extensions['oauthlib.client']
example_info, example_token, example_account_id = example_globus
mock_response(app.extensions['oauthlib.client'], 'globus',
example_token)
example_info.update(example_account_id)
oauth_resp = OAuthResponse(resp=None,
content=json.dumps(example_info),
content_type='application/json')
mock_remote_get(ioc, 'globus', oauth_resp)
# User then goes to 'Linked accounts' and clicks 'Connect'
resp = client.get(
url_for('invenio_oauthclient.login',
remote_app='globus',
next='/someurl/'))
assert resp.status_code == 302
# User authorized the requests and is redirected back
resp = client.get(
url_for('invenio_oauthclient.authorized',
remote_app='globus',
code='test',
state=_get_state()))
# Assert database state (Sign-up complete)
u = User.query.filter_by(email=existing_email).one()
remote = RemoteAccount.query.filter_by(user_id=u.id).one()
RemoteToken.query.filter_by(id_remote_account=remote.id).one()
# Disconnect link
resp = client.get(
url_for('invenio_oauthclient.disconnect', remote_app='globus'))
assert resp.status_code == 302
# User exists
u = User.query.filter_by(email=existing_email).one()
assert 0 == UserIdentity.query.filter_by(method='globus',
id_user=u.id,
id='globususer').count()
assert RemoteAccount.query.filter_by(user_id=u.id).count() == 0
assert RemoteToken.query.count() == 0
def test_account_setup(app_rest, example_cern, models_fixture):
"""Test account setup after login."""
with app_rest.test_client() as c:
ioc = app_rest.extensions['oauthlib.client']
# Ensure remote apps have been loaded (due to before first request)
resp = c.get(
url_for('invenio_oauthclient.rest_login', remote_app='cern'))
assert resp.status_code == 302
example_response, example_token, example_account_info = example_cern
mock_response(app_rest.extensions['oauthlib.client'], 'cern',
example_token)
mock_remote_get(ioc, 'cern', example_response)
resp = c.get(
url_for('invenio_oauthclient.rest_authorized',
remote_app='cern',
code='test',
state=get_state('cern')))
assert resp.status_code == 302
expected_url_args = {
"message": "Successfully authorized.",
"code": 200,
}
check_response_redirect_url_args(resp, expected_url_args)
assert len(g.identity.provides) == 7
datastore = app_rest.extensions['invenio-accounts'].datastore
user = datastore.find_user(email='*****@*****.**')
user.password = hash_password("1234")
assert user
with app_rest.test_request_context():
resp = disconnect_rest_handler(ioc.remote_apps['cern'])
assert resp.status_code >= 300
# simulate login (account_info fetch)
g.oauth_logged_in_with_remote = ioc.remote_apps['cern']
login_user(user)
assert isinstance(g.identity, Identity)
assert g.identity.provides == set([
UserNeed(4),
UserNeed('*****@*****.**'),
RoleNeed('*****@*****.**'),
RoleNeed('*****@*****.**'),
RoleNeed('*****@*****.**'),
RoleNeed('*****@*****.**'),
RoleNeed('*****@*****.**'),
])
logout_user()
assert isinstance(g.identity, AnonymousIdentity)
# NOTE: Wrong role, g.identity.provides = {Need(['id', 4])} read more
# https://github.com/inveniosoftware/invenio-access/blob/e28e76d5361a29202b94d498f1968454c24c5c80/tests/test_loaders.py#L47
assert len(g.identity.provides) == 1
assert "cern_resource" not in session
assert OAUTHCLIENT_CERN_SESSION_KEY not in session
# Login again to test the disconnect handler
g.oauth_logged_in_with_remote = ioc.remote_apps['cern']
login_user(user)
assert isinstance(g.identity, Identity)
assert len(g.identity.provides) == 7
disconnect_rest_handler(ioc.remote_apps['cern'])
