hobo_notify: reset user.roles before adding roles from the notification (#8444)

tests/test_hobo_notify.py

@@ -397,3 +397,37 @@ def test_process_notification_user_provision():
     assert user.form_data['_last_name'] == 'Doe'
     assert user.name_identifiers == ['a'*32]
     assert set(user.roles) == set(['12345', old_role.id])
+
+    notification = {
+        u'@type': u'provision',
+        u'issuer': 'http://idp.example.net/idp/saml/metadata',
+        u'audience': [u'test'],
+        u'objects': {
+            u'@type': 'user',
+            u'data': [
+                {
+                    u'uuid': u'a' * 32,
+                    u'first_name': u'John',
+                    u'last_name': u'Doe',
+                    u'email': u'john.doe@example.net',
+                    u'roles': [
+                        {
+                            u'uuid': u'xyz',
+                            u'name': u'Service état civil',
+                            u'description': u'etc.',
+                        },
+                    ],
+                }
+            ]
+        }
+    }
+    CmdHoboNotify.process_notification(notification)
+    assert User.count() == 1
+    user = User.select()[0]
+    assert user.form_data is not None
+    assert user.form_data['_email'] == 'john.doe@example.net'
+    assert user.email == 'john.doe@example.net'
+    assert user.form_data['_first_name'] == 'John'
+    assert user.form_data['_last_name'] == 'Doe'
+    assert user.name_identifiers == ['a'*32]
+    assert set(user.roles) == set([old_role.id])

wcs/ctl/hobo_notify.py

@@ -177,6 +177,8 @@ class CmdHoboNotify(Command):
                     user.form_data['_last_name'] = o['last_name']
                     user.name_identifiers = [uuid]
                     role_uuids = [role['uuid'] for role in o['roles']]
+                    # reset roles
+                    user.roles = []
                     for role_uuid in role_uuids:
                         try:
                             role = Role.get(role_uuid)