RedHatTraining/repoze.who.git

Merge pull request #1 from m-martinez/jurov-userdata_dict

jurov

2014-06-11 208371434297b37c70989119c5a8ff1a6e949b19

commit \| author \| age
7141c7	1	repoze.who Changelog
TS	2	====================
aa8755	3
4f3525	4	Unreleased
TS	5	----------
	6
19d219	7	- middleware: avoid UnboundLocalError when wrapped generater yields no
TS	8	items. See: http://bugs.repoze.org/issue184
	9
4f3525	10	- Make cookie expiration date RFC-2616 compliant (independent of locale,
TS	11	including 'GMT' zone). See https://github.com/repoze/repoze.who/pull/11
	12
9cd0f8	13	2.2 (2013-05-17)
a4b584	14	----------------
TS	15
1d7c19	16	- Parse INI-file configuration using ``SafeConfigParser``: allows
TS	17	escaping the ``'%'`` so that e.g. a query template using for a DB-API
	18	connection using ``pyformat`` preserves the template.
	19
a4b584	20	- Added support for Python 3.3, PyPy.
TS	21
d96616	22
717490	23	2.1 (2013-03-20)
c72bfe	24	----------------
TS	25
5ecc71	26	- ``_compat`` module: tolerate missing ``CONTENT_TYPE`` key in the WSGI
TS	27	environment. Thanks to Dag Hoidal for the patch.
	28
d96616	29	- ``htpasswd`` plugin: add a ``sha1_check`` checker function (the ``crypt``
TS	30	module is not available on Windows). Thanks to Chandrashekar Jayaraman
	31	for the patch.
	32
c72bfe	33	- Documentation typo fixes from Carlos de la Guardia and Atsushi Odagiri.
TS	34
0cfb1a	35
TS	36	2.1b1 (2012-11-05)
	37	------------------
d9f6f4	38
TS	39	- Ported to Py3k using the "compatible subset" mode.
	40	- Dropped support for Python < 2.6.x.
	41	- Dropped dependency on Paste (forking some code from it).
	42	- Added dependency on WebOb instead.
	43	Thanks to Atsushi Odagiri (aodag) for the initial effort.
	44
	45
d03c94	46	2.0 (2011-09-28)
493726	47	----------------
TS	48
7f9907	49	- ``auth_tkt`` plugin: strip any port number from the 'Domain' of generated
TS	50	cookies. http://bugs.repoze.org/issue66
	51
493726	52	- Further harden middleware, calling ``close()`` on the iterable even if
TS	53	raising an exception for a missing challenger.
	54	http://bugs.repoze.org/issue174
	55
	56
1b2443	57	2.0b1 (2011-05-24)
TS	58	------------------
f8ef81	59
d6b53f	60	- Enabled standard use of logging module's configuration mechanism.
TS	61	See http://docs.python.org/dev/howto/logging.html#configuring-logging-for-a-library
	62	Thanks to jgoldsmith for the patch: http://bugs.repoze.org/issue178
	63
	64
f8ef81	65	- ``repoze.who.plugins.htpasswd``: defend against timing-based attacks.
TS	66
	67
2b9b1f	68	2.0a4 (2011-02-02)
TS	69	------------------
9a8e60	70
b01f44	71	- Ensure that the middleware calls ``close()`` (if it exists) on the
TS	72	iterable returned from thw wrapped application, as required by PEP 333.
	73	http://bugs.repoze.org/issue174
	74
03fba8	75	- Make ``make_api_factory_with_config`` tolerant of invalid filenames /
TS	76	content for the config file: in such cases, the API factory will have
	77	no configured plugins or policies: it will only be useful for retrieving
	78	the API from an environment populated by middleware.
	79
c61031	80	- Fix bug in ``repoze.who.api`` where the ``remember()`` or ``forget()``
TS	81	methods could return a None if the identifier plugin returned a None.
cfe26c	82
c61031	83	- Fix ``auth_tkt`` plugin to not hand over tokens as strings to paste. See
fc9a88	84	http://lists.repoze.org/pipermail/repoze-dev/2010-November/003680.html
BS	85
c61031	86	- Fix ``auth_tkt`` plugin to add "secure" and "HttpOnly" to cookies when
TS	87	configured with ``secure=True``: these attributes prevent the browser from
	88	sending cookies over insecure channels, which could be vulnerable to some
3b5782	89	XSS attacks.
d7e647	90
15e365	91	- Avoid propagating unicode 'max_age' value into cookie headers. See
TS	92	https://bugs.launchpad.net/bugs/674123 .
	93
e8080a	94	- Added a single-file example BFG application demonstrating the use of
TS	95	the new 'login' and 'logout' methods of the API object.
	96
924f24	97	- Add ``login`` and ``logout`` methods to the ``repoze.who.api.API`` object,
TS	98	as a convenience for application-driven login / logout code, which would
95f147	99	otherwise need to use private methods of the API, and reach down into
TS	100	its plugins.
f8ef81	101
9a8e60	102
2c742e	103	2.0a3 (2010-09-30)
eb7071	104	------------------
f80021	105
a446d6	106	- Deprecated the following plugins, moving their modules, tests, and docs
ff604c	107	to a new project, ``repoze.who.deprecatedplugins``:
a446d6	108
TS	109	- ``repoze.who.plugins.cookie.InsecureCookiePlugin``
	110
630a05	111	- ``repoze.who.plugins.form.FormPlugin``
a446d6	112
630a05	113	- ``repoze.who.plugins.form.RedirectingFormPlugin``
a446d6	114
TS	115	- Made the ``repoze.who.plugins.cookie.InsecureCookiePlugin`` take a
76e951	116	``charset`` argument, and use to to encode / decode login and password.
TS	117	See http://bugs.repoze.org/issue155
	118
a446d6	119	- Updated ``repoze.who.restrict`` to return headers as a list, to keep
TS	120	``wsgiref`` from complaining.
5b6365	121
a446d6	122	- Helped default request classifier cope with xml submissions with an
6b7b34	123	explicit charset defined: http://bugs.repoze.org/issue145 (Lorenzo
CM	124	M. Catucci)
	125
a446d6	126	- Corrected the handling of type and subtype when matching an XML post
6b7b34	127	to ``xmlpost`` in the default classifier, which, according to RFC
CM	128	2045, must be matched case-insensitively:
	129	http://bugs.repoze.org/issue145 (Lorenzo M. Catucci)
	130
a349a2	131	- Added ``repoze.who.config:make_api_factory_with_config``, a convenience
TS	132	method for applications which want to set up their own API Factory from
	133	a configuration file.
	134
f80021	135	- Fixed example call to ``repoze.who.config:make_middleware_with_config``
TS	136	(added missing ``global_config`` argument). See
	137	http://bugs.repoze.org/issue114
	138
f8ef81	139
c186ae	140	2.0a2 (2010-03-25)
TS	141	------------------
52bc23	142
TS	143	Bugs Fixed
	144	~~~~~~~~~~
	145
	146	- Fixed failure to pass substution values in log message string formatting
	147	for ``repoze.who.api:API.challenge``. Fix included adding tests for all
	148	logging done by the API object. See http://bugs.repoze.org/issue122
	149
	150	Backward Incompatibilities
	151	~~~~~~~~~~~~~~~~~~~~~~~~~~
	152
	153	- Adjusted logging level for some lower-level details from ``info``
	154	to ``debug``.
f8ef81	155
52bc23	156
TS	157
e25b84	158	2.0a1 (2010-02-24)
993216	159	------------------
TS	160
b4b8ee	161	Features
TS	162	~~~~~~~~
62cd25	163
c9c1c6	164	- Restored the ability to create the middleware using the old ``classifier``
TS	165	argument. That argument is now a deprecated-but-will-work-forever alias for
	166	``request_classifier``.
cbc983	167
b0f81f	168	- The ``auth_tkt`` plugin now implements the ``IAuthenticator`` interface,
TS	169	and should normally be used both as an ``IIdentifier`` and an
	170	``IAuthenticator``.
	171
993216	172	- Factored out the API of the middleware object to make it useful from
TS	173	within the application. Applications using ``repoze.who``` now fall into
	174	one of three catgeories:
	175
	176	- "middleware-only" applications are configured with middleware, and
	177	use either ``REMOTE_USER`` or ``repoze.who.identity`` from the environment
	178	to determing the authenticated user.
	179
	180	- "bare metal" applications use no ``repoze.who`` middleware at all:
	181	instead, they configure and an ``APIFactory`` object at startup, and
	182	use it to create an ``API`` object when needed on a per-request basis.
	183
	184	- "hybrid" applications are configured with ``repoze.who`` middleware,
	185	but use a new library function to fetch the ``API`` object from the
c9c1c6	186	environ, e.g. to permit calling ``remember`` after a signup or successful
TS	187	login.
993216	188
b4b8ee	189	Bugs Fixed
TS	190	~~~~~~~~~~
	191
	192	- Fix http://bugs.repoze.org/issue102: when no challengers existed,
	193	logging would cause an exception.
	194
	195	- Remove ``ez_setup.py`` and dependency on it in setup.py (support
	196	distribute).
	197
	198	Backward Incompatibilities
	199	~~~~~~~~~~~~~~~~~~~~~~~~~~
	200
b213af	201	- The middleware used to allow identifier plugins to "pre-authenticate"
TS	202	an identity. This feature is no longer supported: the ``auth_tkt``
	203	plugin, which used to use the feature, is now configured to work as
c9c1c6	204	an authenticator plugin (as well as an identifier).
b213af	205
b4b8ee	206	- The ``repoze.who.middleware:PluggableAuthenticationMiddleware`` class
TS	207	no longer has the following (non-API) methods (now made API methods
	208	of the ``repoze.who.api:API`` class):
	209
	210	- ``add_metadata``
	211	- ``authenticate``
	212	- ``challenge``
	213	- ``identify``
	214
	215	- The following (non-API) functions moved from ``repoze.who.middleware`` to
	216	``repoze.who.api``:
	217
	218	- ``make_registries``
	219	- ``match_classification``
	220	- ``verify``
	221
	222
f8ef81	223
060054	224	1.0.18 (2009-11-05)
TS	225	-------------------
798feb	226
TS	227	- Issue #104: AuthTkt plugin was passing an invalid cookie value in
	228	headers from ``forget``, and was not setting the ``Max-Age`` and
	229	``Expires`` attributes of those cookies.
	230
b4b8ee	231
f8ef81	232
6e136f	233	1.0.17 (2009-11-05)
TS	234	-------------------
e0d138	235
TS	236	- Fixed the ``repoze.who.plugins.form.make_plugin`` factory's ``formcallable``
	237	argument handling, to allow passing in a dotted name (e.g., from a config
	238	file).
	239
b4b8ee	240
f8ef81	241
6b15ee	242	1.0.16 (2009-11-04)
028e4d	243	-------------------
1ec83d	244
8dd881	245	- Exposed ``formcallable`` argument for ``repoze.who.plugins.form.FormPlugin``
TS	246	to the callers of the ``repoze.who.plugins.form.make_plugin`` factory.
	247	Thanks to Roland Hedburg for the report.
21a9c5	248
8dd881	249	- Fixed an issue that caused the following symptom when using the
TS	250	ini configuration parser::
	251
	252	TypeError: _makePlugin() got multiple values for keyword argument 'name'
21a9c5	253
CM	254	See http://bugs.repoze.org/issue92 for more details. Thanks to vaab
	255	for the bug report and initial fix.
	256
1ec83d	257
7141c7	258	1.0.15 (2009-06-25)
TS	259	-------------------
299b4c	260
a14163	261	- If the form post value ``max_age`` exists while in the ``identify``
CM	262	method is handling the ``login_handler_path``, pass the max_age
	263	value in the returned identity dictionary as ``max_age``. See the
	264	below bullet point for why.
	265
299b4c	266	- If the ``identity`` dict passed to the ``auth_tkt`` ``remember``
CM	267	method contains a ``max_age`` key with a string (or integer) value,
	268	treat it as a cue to set the ``Max-Age`` and ``Expires`` headers in
	269	the returned cookies. The cookie ``Max-Age`` is set to the value
	270	and the ``Expires`` is computed from the current time.
	271
7141c7	272
TS	273	1.0.14 (2009-06-17)
	274	-------------------
9318dd	275
1810b2	276	- Fix test breakage on Windows. See http://bugs.repoze.org/issue79 .
TS	277
00a6d9	278	- Documented issue with using ``include_ip`` setting in the ``auth_tkt``
TS	279	plugin. See http://bugs.repoze.org/issue81 .
	280
0dd808	281	- Added 'passthrough_challenge_decider', which avoids re-challenging 401
TS	282	responses which have been "pre-challenged" by the application.
	283
9318dd	284	- One-hundred percent unit test coverage.
TS	285
a6f6dc	286	- Add ``timeout`` and ``reissue_time`` arguments to the auth_tkt
CM	287	identifier plugin, courtesty of Paul Johnston.
	288
	289	- Add a ``userid_checker`` argument to the auth_tkt identifier plugin,
	290	courtesty of Gustavo Narea.
	291
	292	If ``userid_checker`` is provided, it must be a dotted Python name
	293	that resolves to a function which accepts a userid and returns a
	294	boolean True or False, indicating whether that user exists in a
	295	database. This is a workaround. Due to a design bug in repoze.who,
	296	the only way who can check for user existence is to use one or more
	297	IAuthenticator plugin ``authenticate`` methods. If an
	298	IAuthenticator's ``authenticate`` method returns true, it means that
	299	the user exists. However most IAuthenticator plugins expect both
	300	a username and a password, and will return False unconditionally if
	301	both aren't supplied. This means that an authenticator can't be
	302	used to check if the user "only" exists. The identity provided by
	303	an auth_tkt does not contain a password to check against. The
	304	actual design bug in repoze.who is this: when a user presents
	305	credentials from an auth_tkt, he is considered "preauthenticated".
	306	IAuthenticator.authenticate is just never called for a
	307	"preauthenticated" identity, which works fine, but it means that the
	308	user will be considered authenticated even if you deleted the user's
	309	record from whatever database you happen to be using. However, if
	310	you use a userid_checker, you can ensure that a user exists for the
	311	auth_tkt supplied userid. If the userid_checker returns False, the
	312	auth_tkt credentials are considered "no good".
	313
7141c7	314
TS	315	1.0.13 (2009-04-24)
	316	-------------------
64ba13	317
TS	318	- Added a paragraph to ``IAuthenticator`` docstring, documenting that plugins
	319	are allowed to add keys to the ``identity`` dictionary (e.g., to save a
ced7bd	320	second database query in an ``IMetadataProvider`` plugin).
64ba13	321
08b2ae	322	- Patch supplied for issue #71 (http://bugs.repoze.org/issue71)
CM	323	whereby a downstream app can return a generator, relying on an
	324	upstream component to call start_response. We do this because the
	325	challenge decider needs the status and headers to decide what to do.
	326
56d0c5	327
7141c7	328	1.0.12 (2009-04-19)
TS	329	-------------------
56d0c5	330	- auth_tkt plugin tried to append REMOTE_USER_TOKENS data to
CM	331	existing tokens data returned by auth_tkt.parse_tkt; this was
	332	incorrect; just overwrite.
0ee58d	333
TS	334	- Extended auth_tkt plugin factory to allow passing secret in a separate
	335	file from the main config file. See http://bugs.repoze.org/issue40 .
	336
7141c7	337
TS	338	1.0.11 (2009-04-10)
	339	-------------------
afbbcd	340
8c20ba	341	- Fix auth_tkt plugin; cookie values are now quoted, making it possible
CM	342	to put spaces and other whitespace, etc in usernames. (thanks to Michael
95736b	343	Pedersen).
8c20ba	344
afbbcd	345	- Fix corner case issue of an exception raised when attempting to log
CM	346	when there are no identifiers or authenticators.
	347
7141c7	348
TS	349	1.0.10 (2009-01-23)
	350	-------------------
7b931d	351
CM	352	- The RedirectingFormPlugin now passes along SetCookie headers set
	353	into the response by the application within the NotFound response
	354	(fixes TG2 "flash" issue).
	355
7141c7	356
TS	357	1.0.9 (2008-12-18)
	358	------------------
30ab69	359
9238cd	360	- The RedirectingFormPlugin now attempts to find a header named
CM	361	``X-Authentication-Failure-Reason`` among the response headers set
	362	by the application when a challenge is issued. If a value for this
	363	header exists (and is non-blank), the value is attached to the
	364	redirect URL's query string as the ``reason`` parameter (or a
	365	user-settable key). This makes it possible for downstream
	366	applications to issue a response that initiates a challenge with
	367	this header and subsequently display the reason in the login form
	368	rendered as a result of the challenge.
30ab69	369
7141c7	370
TS	371	1.0.8 (2008-12-13)
	372	------------------
186ff6	373
9238cd	374	- The ``PluggableAuthenticationMiddleware`` constructor accepts a
CM	375	``log_stream`` argument, which is typically a file. After this
	376	release, it can also be a PEP 333 ``Logger`` instance; if it is a
	377	PEP 333 ``Logger`` instance, this logger will be used as the
	378	repoze.who logger (instead of one being constructed by the
	379	middleware, as was previously always the case). When the
	380	``log_stream`` argument is a PEP 333 Logger object, the
	381	``log_level`` argument is ignored.
186ff6	382
7141c7	383
TS	384	1.0.7 (2008-08-28)
	385	------------------
37de44	386
9238cd	387	- ``repoze.who`` and ``repoze.who.plugins`` were not added to the
CM	388	``namespace_packages`` list in setup.py, potentially making 1.0.6 a
	389	brownbag release, given that making these packages namespace
	390	packages was the only reason for its release.
37de44	391
7141c7	392
TS	393	1.0.6 (2008-08-28)
	394	------------------
facdf8	395
9238cd	396	- Make repoze.who and repoze.who.plugins into namespace packages
CM	397	mainly so we can allow plugin authors to distribute packages in the
	398	repoze.who.plugins namespace.
facdf8	399
7141c7	400
TS	401	1.0.5 (2008-08-23)
	402	------------------
519300	403
9238cd	404	- Fix auth_tkt plugin to set the same cookies in its ``remember``
CM	405	method that it does in its ``forget`` method. Previously, logging
	406	out and relogging back in to a site that used auth_tkt identifier
	407	plugin was slightly dicey and would only work sometimes.
facdf8	408
9238cd	409	- The FormPlugin plugin has grown a redirect-on-unauthorized feature.
CM	410	Any response from a downstream application that causes a challenge
	411	and includes a Location header will cause a redirect to the value of
	412	the Location header.
dee08c	413
7141c7	414
TS	415	1.0.4 (2008-08-22)
	416	------------------
b95a59	417
9238cd	418	- Added a key to the '[general]' config section: ``remote_user_key``.
CM	419	If you use this key in the config file, it tells who to 1) not
	420	perform any authentication if it exists in the environment during
	421	ingress and 2) to set the key in the environment for the downstream
	422	app to use as the REMOTE_USER variable. The default is
	423	``REMOTE_USER``.
b95a59	424
9238cd	425	- Using unicode user ids in combination with the auth_tkt plugin would
CM	426	cause problems under mod_wsgi.
55dc7a	427
9238cd	428	- Allowed 'cookie_path' argument to InsecureCookiePlugin (and config
CM	429	constructor). Thanks to Gustavo Narea.
55dc7a	430
7141c7	431
TS	432	1.0.3 (2008-08-16)
	433	------------------
f693fe	434
9238cd	435	- A bug in the middleware's ``authenticate`` method made it impossible
CM	436	to authenticate a user with a userid that was null (e.g. 0, False),
	437	which are valid identifiers. The only invalid userid is now None.
c7e12d	438
9238cd	439	- Applied patch from Olaf Conradi which logs an error when an invalid
CM	440	filename is passed to the HTPasswdPlugin.
c7e12d	441
7141c7	442
TS	443	1.0.2 (2008-06-16)
	444	------------------
cad90d	445
9238cd	446	- Fix bug found by Chris Perkins: the auth_tkt plugin's "remember"
CM	447	method didn't handle userids which are Python "long" instances
	448	properly. Symptom: TypeError: cannot concatenate 'str' and 'long'
	449	objects in "paste.auth.auth_tkt".
a2c030	450
9238cd	451	- Added predicate-based "restriction" middleware support
CM	452	(repoze.who.restrict), allowing configuratio-driven authorization as
	453	a WSGI filter. One example predicate, 'authenticated_predicate', is
	454	supplied, which requires that the user be authenticated either via
	455	'REMOTE_USER' or via 'repoze.who.identity'. To use the filter to
	456	restrict access::
cad90d	457
TS	458	[filter:authenticated_only]
	459	use = egg:repoze.who#authenticated
	460
	461	or::
	462
	463	[filter:some_predicate]
	464	use = egg:repoze.who#predicate
	465	predicate = my.module:some_predicate
	466	some_option = a value
	467
7141c7	468
TS	469	1.0.1 (2008-05-24)
	470	------------------
8199a1	471
9238cd	472	- Remove dependency-link to dist.repoze.org to prevent easy_install
CM	473	from inserting that path into its search paths (the dependencies are
	474	available from PyPI).
8199a1	475
7141c7	476
TS	477	1.0 (2008-05-04)
	478	-----------------
419946	479
9238cd	480	- The plugin at plugins.form.FormPlugin didn't redirect properly after
CM	481	collecting identification information. Symptom: a downstream app
	482	would receive a POST request with a blank body, which would
	483	sometimes result in a Bad Request error.
f39349	484
9238cd	485	- Fixed interface declarations of
CM	486	'classifiers.default_request_classifier' and
	487	'classifiers.default_password_compare'.
515c69	488
9238cd	489	- Added actual config-driven middleware factory,
CM	490	'config.make_middleware_with_config'
515c69	491
9238cd	492	- Removed fossilized 'who_conf' argument from plugin factory functions.
515c69	493
7141c7	494	- Added ConfigParser-based WhoConfig, implementing the spec outlined at
9238cd	495	http://www.plope.com/static/misc/sphinxtest/intro.html#middleware-configuration-via-config-file,
CM	496	with the following changes:
419946	497
7141c7	498	- "Bare" plugins (requiring no configuration options) may be specified
419946	499	as either egg entry points (e.g., 'egg:distname#entry_point_name') or
TS	500	as dotted-path-with-colon (e.g., 'dotted.name:object_id').
	501
7141c7	502	- Therefore, the separator between a plugin and its classifier is now
TS	503	a semicolon, rather than a colon. E.g.::
419946	504
TS	505	[plugins:id_plugin]
	506	use = egg:another.package#identify_with_frobnatz
	507	frobnatz = baz
	508
	509	[identifiers]
	510	plugins =
	511	egg:my.egg#identify;browser
	512	dotted.name:identifier
	513	id_plugin
	514
7141c7	515
779caf	516	0.9.1 (2008-04-27)
7141c7	517	------------------
779caf	518
9238cd	519	- Fix auth_tkt plugin to be able to encode and decode integer user
CM	520	ids.
779caf	521
7141c7	522
88e646	523	0.9 (2008-04-01)
7141c7	524	----------------
88e646	525
9238cd	526	- Fix bug introduced in FormPlugin in 0.8 release (rememberer headers
CM	527	not set).
88e646	528
9238cd	529	- Add PATH_INFO to started and ended log info.
d9f046	530
9238cd	531	- Add a SQLMetadataProviderPlugin (in plugins/sql).
d9f046	532
9238cd	533	- Change constructor of SQLAuthenticatorPlugin: it now accepts only
CM	534	"query", "conn_factory", and "compare_fn". The old constructor
	535	accepted a DSN, but some database systems don't use DBAPI DSNs. The
	536	new constructor accepts no DSN; the conn_factory is assumed to do
	537	all the work to make a connection, including knowing the DSN if one
	538	is required. The "conn_factory" should return something that, when
	539	called with no arguments, returns a database connection.
d9f046	540
9238cd	541	- The "make_plugin" helper in plugins/sql has been renamed
CM	542	"make_authenticator_plugin". When called, this helper will return a
	543	SQLAuthenticatorPlugin. A bit of helper logic in the
	544	"make_authenticator_plugin" allows a connection factory to be
	545	computed. The top-level callable referred to by conn_factory in
	546	this helper should return a function that, when called with no
	547	arguments, returns a datbase connection. The top-level callable
	548	itself is called with "who_conf" (global who configuration) and any
	549	number of non-top-level keyword arguments as they are passed into
	550	the helper, to allow for a DSN or URL or whatever to be passed in.
d9f046	551
9238cd	552	- A "make_metatata_plugin" helper has been added to plugins/sql. When
CM	553	called, this will make a SQLMetadataProviderPlugin. See the
	554	implementation for details. It is similar to the
	555	"make_authenticator_plugin" helper.
d9f046	556
7141c7	557
cbe4e3	558	0.8 (2008-03-27)
7141c7	559	----------------
b5a331	560
9238cd	561	- Add a RedirectingFormIdentifier plugin. This plugin is willing to
CM	562	redirect to an external (or downstream application) login form to
	563	perform identification. The external login form must post to the
	564	"login_handler_path" of the plugin (optimally with a "came_from"
	565	value to tell the plugin where to redirect the response to if the
	566	authentication works properly). The "logout_handler_path" of this
	567	plugin can be visited to perform a logout. The "came_from" value
	568	also works there.
a400b0	569
9238cd	570	- Identifier plugins are now permitted to set a key in the environment
CM	571	named 'repoze.who.application' on ingress (in 'identify'). If an
	572	identifier plugin does so, this application is used instead of the
	573	"normal" downstream application. This feature was added to more
	574	simply support the redirecting form identifier plugin.
a400b0	575
7141c7	576
a400b0	577	0.7 (2008-03-26)
7141c7	578	----------------
a400b0	579
9238cd	580	- Change the IMetadataProvider interface: this interface used to have
CM	581	a "metadata" method which returned a dictionary. This method is not
	582	part of that API anymore. It's been replaced with an "add_metadata"
	583	method which has the signature::
b5a331	584
CM	585	def add_metadata(environ, identity):
	586	"""
	587	Add metadata to the identity (which is a dictionary)
	588	"""
	589
	590	The return value is ignored. IMetadataProvider plugins are now
	591	assumed to be responsible for 'scribbling' directly on the identity
	592	that is passed in (it's a dictionary). The user id can always be
	593	retrieved from the identity via identity['repoze.who.userid'] for
	594	metadata plugins that rely on that value.
	595
7141c7	596
a400b0	597	0.6 (2008-03-20)
7141c7	598	----------------
e35c64	599
9238cd	600	- Renaming: repoze.pam is now repoze.who
cb5426	601
9238cd	602	- Bump ez_setup.py version.
e35c64	603
9238cd	604	- Add IMetadataProvider plugin type. Chris says 'Whit rules'.
fa9581	605
7141c7	606
3b67e9	607	0.5 (2008-03-09)
7141c7	608	----------------
db4cf5	609
9238cd	610	- Allow "remote user key" (default: REMOTE_USER) to be overridden
CM	611	(pass in remote_user_key to middleware constructor).
db4cf5	612
9238cd	613	- Allow form plugin to override the default form.
db4cf5	614
9238cd	615	- API change: IIdentifiers are no longer required to put both 'login'
CM	616	and 'password' in a returned identity dictionary. Instead, an
	617	IIdentifier can place arbitrary key/value pairs in the identity
	618	dictionary (or return an empty dictionary).
40a968	619
9238cd	620	- API return value change: the "failure" identity which IIdentifiers
CM	621	return is now None rather than an empty dictionary.
40a968	622
9238cd	623	- The IAuthenticator interface now specifies that IAuthenticators must
CM	624	not raise an exception when evaluating an identity that does not
	625	have "expected" key/value pairs (e.g. when an IAuthenticator that
	626	expects login and password inspects an identity returned by an
	627	IP-based auth system which only puts the IP address in the
	628	identity); instead they fail gracefully by returning None.
40a968	629
9238cd	630	- Add (cookie) "auth_tkt" identification plugin.
a5b033	631
9238cd	632	- Stamp identity dictionaries with a userid by placing a key named
CM	633	'repoze.pam.userid' into the identity for each authenticated
	634	identity.
a5b033	635
9238cd	636	- If an IIdentifier plugin inserts a 'repoze.pam.userid' key into the
CM	637	identity dictionary, consider this identity "preauthenticated". No
	638	authenticator plugins will be asked to authenticate this identity.
	639	This is designed for things like the recently added auth_tkt plugin,
	640	which embeds the user id into the ticket. This effectively alllows
	641	an IIdentifier plugin to become an IAuthenticator plugin when
	642	breaking apart the responsibility into two separate plugins is
	643	"make-work". Preauthenticated identities will be selected first
	644	when deciding which identity to use for any given request.
a5b033	645
9238cd	646	- Insert a 'repoze.pam.identity' key into the WSGI environment on
CM	647	ingress if an identity is found. Its value will be the identity
	648	dictionary related to the identity selected by repoze.pam on
	649	ingress. Downstream consumers are allowed to mutate this
	650	dictionary; this value is passed to "remember" and "forget", so its
	651	main use is to do a "credentials reset"; e.g. a user has changed his
	652	username or password within the application, but we don't want to
	653	force him to log in again after he does so.
a5b033	654
7141c7	655
247f34	656	0.4 (03-07-2008)
7141c7	657	----------------
247f34	658
9238cd	659	- Allow plugins to specify a classifiers list per interface (instead
CM	660	of a single classifiers list per plugin).
247f34	661
7141c7	662
fb510d	663	0.3 (03-05-2008)
7141c7	664	----------------
fb510d	665
9238cd	666	- Make SQLAuthenticatorPlugin's default_password_compare use hexdigest
CM	667	sha instead of base64'ed binary sha for simpler conversion.
fb510d	668
7141c7	669
196bc2	670	0.2 (03-04-2008)
7141c7	671	----------------
196bc2	672
9238cd	673	- Added SQLAuthenticatorPlugin (see plugins/sql.py).
196bc2	674
7141c7	675
318832	676	0.1 (02-27-2008)
7141c7	677	----------------
318832	678
9238cd	679	- Initial release (no configuration file support yet).