RedHatTraining/repoze.who.git

Tres Seaver

2012-03-19 20d23f553145ab61e52890bc08a8d1093f91b8e6

commit \| author \| age
7141c7	1	repoze.who Changelog
TS	2	====================
aa8755	3
20d23f	4	2.0.1 (unreleased)
TS	5	------------------
	6
	7	- TBD
	8
	9
d03c94	10	2.0 (2011-09-28)
493726	11	----------------
TS	12
7f9907	13	- ``auth_tkt`` plugin: strip any port number from the 'Domain' of generated
TS	14	cookies. http://bugs.repoze.org/issue66
	15
493726	16	- Further harden middleware, calling ``close()`` on the iterable even if
TS	17	raising an exception for a missing challenger.
	18	http://bugs.repoze.org/issue174
	19
	20
1b2443	21	2.0b1 (2011-05-24)
TS	22	------------------
f8ef81	23
d6b53f	24	- Enabled standard use of logging module's configuration mechanism.
TS	25	See http://docs.python.org/dev/howto/logging.html#configuring-logging-for-a-library
	26	Thanks to jgoldsmith for the patch: http://bugs.repoze.org/issue178
	27
	28
f8ef81	29	- ``repoze.who.plugins.htpasswd``: defend against timing-based attacks.
TS	30
	31
2b9b1f	32	2.0a4 (2011-02-02)
TS	33	------------------
9a8e60	34
b01f44	35	- Ensure that the middleware calls ``close()`` (if it exists) on the
TS	36	iterable returned from thw wrapped application, as required by PEP 333.
	37	http://bugs.repoze.org/issue174
	38
03fba8	39	- Make ``make_api_factory_with_config`` tolerant of invalid filenames /
TS	40	content for the config file: in such cases, the API factory will have
	41	no configured plugins or policies: it will only be useful for retrieving
	42	the API from an environment populated by middleware.
	43
c61031	44	- Fix bug in ``repoze.who.api`` where the ``remember()`` or ``forget()``
TS	45	methods could return a None if the identifier plugin returned a None.
cfe26c	46
c61031	47	- Fix ``auth_tkt`` plugin to not hand over tokens as strings to paste. See
fc9a88	48	http://lists.repoze.org/pipermail/repoze-dev/2010-November/003680.html
BS	49
c61031	50	- Fix ``auth_tkt`` plugin to add "secure" and "HttpOnly" to cookies when
TS	51	configured with ``secure=True``: these attributes prevent the browser from
	52	sending cookies over insecure channels, which could be vulnerable to some
3b5782	53	XSS attacks.
d7e647	54
15e365	55	- Avoid propagating unicode 'max_age' value into cookie headers. See
TS	56	https://bugs.launchpad.net/bugs/674123 .
	57
e8080a	58	- Added a single-file example BFG application demonstrating the use of
TS	59	the new 'login' and 'logout' methods of the API object.
	60
924f24	61	- Add ``login`` and ``logout`` methods to the ``repoze.who.api.API`` object,
TS	62	as a convenience for application-driven login / logout code, which would
95f147	63	otherwise need to use private methods of the API, and reach down into
TS	64	its plugins.
f8ef81	65
9a8e60	66
2c742e	67	2.0a3 (2010-09-30)
eb7071	68	------------------
f80021	69
a446d6	70	- Deprecated the following plugins, moving their modules, tests, and docs
ff604c	71	to a new project, ``repoze.who.deprecatedplugins``:
a446d6	72
TS	73	- ``repoze.who.plugins.cookie.InsecureCookiePlugin``
	74
630a05	75	- ``repoze.who.plugins.form.FormPlugin``
a446d6	76
630a05	77	- ``repoze.who.plugins.form.RedirectingFormPlugin``
a446d6	78
TS	79	- Made the ``repoze.who.plugins.cookie.InsecureCookiePlugin`` take a
76e951	80	``charset`` argument, and use to to encode / decode login and password.
TS	81	See http://bugs.repoze.org/issue155
	82
a446d6	83	- Updated ``repoze.who.restrict`` to return headers as a list, to keep
TS	84	``wsgiref`` from complaining.
5b6365	85
a446d6	86	- Helped default request classifier cope with xml submissions with an
6b7b34	87	explicit charset defined: http://bugs.repoze.org/issue145 (Lorenzo
CM	88	M. Catucci)
	89
a446d6	90	- Corrected the handling of type and subtype when matching an XML post
6b7b34	91	to ``xmlpost`` in the default classifier, which, according to RFC
CM	92	2045, must be matched case-insensitively:
	93	http://bugs.repoze.org/issue145 (Lorenzo M. Catucci)
	94
a349a2	95	- Added ``repoze.who.config:make_api_factory_with_config``, a convenience
TS	96	method for applications which want to set up their own API Factory from
	97	a configuration file.
	98
f80021	99	- Fixed example call to ``repoze.who.config:make_middleware_with_config``
TS	100	(added missing ``global_config`` argument). See
	101	http://bugs.repoze.org/issue114
	102
f8ef81	103
c186ae	104	2.0a2 (2010-03-25)
TS	105	------------------
52bc23	106
TS	107	Bugs Fixed
	108	~~~~~~~~~~
	109
	110	- Fixed failure to pass substution values in log message string formatting
	111	for ``repoze.who.api:API.challenge``. Fix included adding tests for all
	112	logging done by the API object. See http://bugs.repoze.org/issue122
	113
	114	Backward Incompatibilities
	115	~~~~~~~~~~~~~~~~~~~~~~~~~~
	116
	117	- Adjusted logging level for some lower-level details from ``info``
	118	to ``debug``.
f8ef81	119
52bc23	120
TS	121
e25b84	122	2.0a1 (2010-02-24)
993216	123	------------------
TS	124
b4b8ee	125	Features
TS	126	~~~~~~~~
62cd25	127
c9c1c6	128	- Restored the ability to create the middleware using the old ``classifier``
TS	129	argument. That argument is now a deprecated-but-will-work-forever alias for
	130	``request_classifier``.
cbc983	131
b0f81f	132	- The ``auth_tkt`` plugin now implements the ``IAuthenticator`` interface,
TS	133	and should normally be used both as an ``IIdentifier`` and an
	134	``IAuthenticator``.
	135
993216	136	- Factored out the API of the middleware object to make it useful from
TS	137	within the application. Applications using ``repoze.who``` now fall into
	138	one of three catgeories:
	139
	140	- "middleware-only" applications are configured with middleware, and
	141	use either ``REMOTE_USER`` or ``repoze.who.identity`` from the environment
	142	to determing the authenticated user.
	143
	144	- "bare metal" applications use no ``repoze.who`` middleware at all:
	145	instead, they configure and an ``APIFactory`` object at startup, and
	146	use it to create an ``API`` object when needed on a per-request basis.
	147
	148	- "hybrid" applications are configured with ``repoze.who`` middleware,
	149	but use a new library function to fetch the ``API`` object from the
c9c1c6	150	environ, e.g. to permit calling ``remember`` after a signup or successful
TS	151	login.
993216	152
b4b8ee	153	Bugs Fixed
TS	154	~~~~~~~~~~
	155
	156	- Fix http://bugs.repoze.org/issue102: when no challengers existed,
	157	logging would cause an exception.
	158
	159	- Remove ``ez_setup.py`` and dependency on it in setup.py (support
	160	distribute).
	161
	162	Backward Incompatibilities
	163	~~~~~~~~~~~~~~~~~~~~~~~~~~
	164
b213af	165	- The middleware used to allow identifier plugins to "pre-authenticate"
TS	166	an identity. This feature is no longer supported: the ``auth_tkt``
	167	plugin, which used to use the feature, is now configured to work as
c9c1c6	168	an authenticator plugin (as well as an identifier).
b213af	169
b4b8ee	170	- The ``repoze.who.middleware:PluggableAuthenticationMiddleware`` class
TS	171	no longer has the following (non-API) methods (now made API methods
	172	of the ``repoze.who.api:API`` class):
	173
	174	- ``add_metadata``
	175	- ``authenticate``
	176	- ``challenge``
	177	- ``identify``
	178
	179	- The following (non-API) functions moved from ``repoze.who.middleware`` to
	180	``repoze.who.api``:
	181
	182	- ``make_registries``
	183	- ``match_classification``
	184	- ``verify``
	185
	186
f8ef81	187
060054	188	1.0.18 (2009-11-05)
TS	189	-------------------
798feb	190
TS	191	- Issue #104: AuthTkt plugin was passing an invalid cookie value in
	192	headers from ``forget``, and was not setting the ``Max-Age`` and
	193	``Expires`` attributes of those cookies.
	194
b4b8ee	195
f8ef81	196
6e136f	197	1.0.17 (2009-11-05)
TS	198	-------------------
e0d138	199
TS	200	- Fixed the ``repoze.who.plugins.form.make_plugin`` factory's ``formcallable``
	201	argument handling, to allow passing in a dotted name (e.g., from a config
	202	file).
	203
b4b8ee	204
f8ef81	205
6b15ee	206	1.0.16 (2009-11-04)
028e4d	207	-------------------
1ec83d	208
8dd881	209	- Exposed ``formcallable`` argument for ``repoze.who.plugins.form.FormPlugin``
TS	210	to the callers of the ``repoze.who.plugins.form.make_plugin`` factory.
	211	Thanks to Roland Hedburg for the report.
21a9c5	212
8dd881	213	- Fixed an issue that caused the following symptom when using the
TS	214	ini configuration parser::
	215
	216	TypeError: _makePlugin() got multiple values for keyword argument 'name'
21a9c5	217
CM	218	See http://bugs.repoze.org/issue92 for more details. Thanks to vaab
	219	for the bug report and initial fix.
	220
1ec83d	221
7141c7	222	1.0.15 (2009-06-25)
TS	223	-------------------
299b4c	224
a14163	225	- If the form post value ``max_age`` exists while in the ``identify``
CM	226	method is handling the ``login_handler_path``, pass the max_age
	227	value in the returned identity dictionary as ``max_age``. See the
	228	below bullet point for why.
	229
299b4c	230	- If the ``identity`` dict passed to the ``auth_tkt`` ``remember``
CM	231	method contains a ``max_age`` key with a string (or integer) value,
	232	treat it as a cue to set the ``Max-Age`` and ``Expires`` headers in
	233	the returned cookies. The cookie ``Max-Age`` is set to the value
	234	and the ``Expires`` is computed from the current time.
	235
7141c7	236
TS	237	1.0.14 (2009-06-17)
	238	-------------------
9318dd	239
1810b2	240	- Fix test breakage on Windows. See http://bugs.repoze.org/issue79 .
TS	241
00a6d9	242	- Documented issue with using ``include_ip`` setting in the ``auth_tkt``
TS	243	plugin. See http://bugs.repoze.org/issue81 .
	244
0dd808	245	- Added 'passthrough_challenge_decider', which avoids re-challenging 401
TS	246	responses which have been "pre-challenged" by the application.
	247
9318dd	248	- One-hundred percent unit test coverage.
TS	249
a6f6dc	250	- Add ``timeout`` and ``reissue_time`` arguments to the auth_tkt
CM	251	identifier plugin, courtesty of Paul Johnston.
	252
	253	- Add a ``userid_checker`` argument to the auth_tkt identifier plugin,
	254	courtesty of Gustavo Narea.
	255
	256	If ``userid_checker`` is provided, it must be a dotted Python name
	257	that resolves to a function which accepts a userid and returns a
	258	boolean True or False, indicating whether that user exists in a
	259	database. This is a workaround. Due to a design bug in repoze.who,
	260	the only way who can check for user existence is to use one or more
	261	IAuthenticator plugin ``authenticate`` methods. If an
	262	IAuthenticator's ``authenticate`` method returns true, it means that
	263	the user exists. However most IAuthenticator plugins expect both
	264	a username and a password, and will return False unconditionally if
	265	both aren't supplied. This means that an authenticator can't be
	266	used to check if the user "only" exists. The identity provided by
	267	an auth_tkt does not contain a password to check against. The
	268	actual design bug in repoze.who is this: when a user presents
	269	credentials from an auth_tkt, he is considered "preauthenticated".
	270	IAuthenticator.authenticate is just never called for a
	271	"preauthenticated" identity, which works fine, but it means that the
	272	user will be considered authenticated even if you deleted the user's
	273	record from whatever database you happen to be using. However, if
	274	you use a userid_checker, you can ensure that a user exists for the
	275	auth_tkt supplied userid. If the userid_checker returns False, the
	276	auth_tkt credentials are considered "no good".
	277
7141c7	278
TS	279	1.0.13 (2009-04-24)
	280	-------------------
64ba13	281
TS	282	- Added a paragraph to ``IAuthenticator`` docstring, documenting that plugins
	283	are allowed to add keys to the ``identity`` dictionary (e.g., to save a
ced7bd	284	second database query in an ``IMetadataProvider`` plugin).
64ba13	285
08b2ae	286	- Patch supplied for issue #71 (http://bugs.repoze.org/issue71)
CM	287	whereby a downstream app can return a generator, relying on an
	288	upstream component to call start_response. We do this because the
	289	challenge decider needs the status and headers to decide what to do.
	290
56d0c5	291
7141c7	292	1.0.12 (2009-04-19)
TS	293	-------------------
56d0c5	294	- auth_tkt plugin tried to append REMOTE_USER_TOKENS data to
CM	295	existing tokens data returned by auth_tkt.parse_tkt; this was
	296	incorrect; just overwrite.
0ee58d	297
TS	298	- Extended auth_tkt plugin factory to allow passing secret in a separate
	299	file from the main config file. See http://bugs.repoze.org/issue40 .
	300
7141c7	301
TS	302	1.0.11 (2009-04-10)
	303	-------------------
afbbcd	304
8c20ba	305	- Fix auth_tkt plugin; cookie values are now quoted, making it possible
CM	306	to put spaces and other whitespace, etc in usernames. (thanks to Michael
95736b	307	Pedersen).
8c20ba	308
afbbcd	309	- Fix corner case issue of an exception raised when attempting to log
CM	310	when there are no identifiers or authenticators.
	311
7141c7	312
TS	313	1.0.10 (2009-01-23)
	314	-------------------
7b931d	315
CM	316	- The RedirectingFormPlugin now passes along SetCookie headers set
	317	into the response by the application within the NotFound response
	318	(fixes TG2 "flash" issue).
	319
7141c7	320
TS	321	1.0.9 (2008-12-18)
	322	------------------
30ab69	323
9238cd	324	- The RedirectingFormPlugin now attempts to find a header named
CM	325	``X-Authentication-Failure-Reason`` among the response headers set
	326	by the application when a challenge is issued. If a value for this
	327	header exists (and is non-blank), the value is attached to the
	328	redirect URL's query string as the ``reason`` parameter (or a
	329	user-settable key). This makes it possible for downstream
	330	applications to issue a response that initiates a challenge with
	331	this header and subsequently display the reason in the login form
	332	rendered as a result of the challenge.
30ab69	333
7141c7	334
TS	335	1.0.8 (2008-12-13)
	336	------------------
186ff6	337
9238cd	338	- The ``PluggableAuthenticationMiddleware`` constructor accepts a
CM	339	``log_stream`` argument, which is typically a file. After this
	340	release, it can also be a PEP 333 ``Logger`` instance; if it is a
	341	PEP 333 ``Logger`` instance, this logger will be used as the
	342	repoze.who logger (instead of one being constructed by the
	343	middleware, as was previously always the case). When the
	344	``log_stream`` argument is a PEP 333 Logger object, the
	345	``log_level`` argument is ignored.
186ff6	346
7141c7	347
TS	348	1.0.7 (2008-08-28)
	349	------------------
37de44	350
9238cd	351	- ``repoze.who`` and ``repoze.who.plugins`` were not added to the
CM	352	``namespace_packages`` list in setup.py, potentially making 1.0.6 a
	353	brownbag release, given that making these packages namespace
	354	packages was the only reason for its release.
37de44	355
7141c7	356
TS	357	1.0.6 (2008-08-28)
	358	------------------
facdf8	359
9238cd	360	- Make repoze.who and repoze.who.plugins into namespace packages
CM	361	mainly so we can allow plugin authors to distribute packages in the
	362	repoze.who.plugins namespace.
facdf8	363
7141c7	364
TS	365	1.0.5 (2008-08-23)
	366	------------------
519300	367
9238cd	368	- Fix auth_tkt plugin to set the same cookies in its ``remember``
CM	369	method that it does in its ``forget`` method. Previously, logging
	370	out and relogging back in to a site that used auth_tkt identifier
	371	plugin was slightly dicey and would only work sometimes.
facdf8	372
9238cd	373	- The FormPlugin plugin has grown a redirect-on-unauthorized feature.
CM	374	Any response from a downstream application that causes a challenge
	375	and includes a Location header will cause a redirect to the value of
	376	the Location header.
dee08c	377
7141c7	378
TS	379	1.0.4 (2008-08-22)
	380	------------------
b95a59	381
9238cd	382	- Added a key to the '[general]' config section: ``remote_user_key``.
CM	383	If you use this key in the config file, it tells who to 1) not
	384	perform any authentication if it exists in the environment during
	385	ingress and 2) to set the key in the environment for the downstream
	386	app to use as the REMOTE_USER variable. The default is
	387	``REMOTE_USER``.
b95a59	388
9238cd	389	- Using unicode user ids in combination with the auth_tkt plugin would
CM	390	cause problems under mod_wsgi.
55dc7a	391
9238cd	392	- Allowed 'cookie_path' argument to InsecureCookiePlugin (and config
CM	393	constructor). Thanks to Gustavo Narea.
55dc7a	394
7141c7	395
TS	396	1.0.3 (2008-08-16)
	397	------------------
f693fe	398
9238cd	399	- A bug in the middleware's ``authenticate`` method made it impossible
CM	400	to authenticate a user with a userid that was null (e.g. 0, False),
	401	which are valid identifiers. The only invalid userid is now None.
c7e12d	402
9238cd	403	- Applied patch from Olaf Conradi which logs an error when an invalid
CM	404	filename is passed to the HTPasswdPlugin.
c7e12d	405
7141c7	406
TS	407	1.0.2 (2008-06-16)
	408	------------------
cad90d	409
9238cd	410	- Fix bug found by Chris Perkins: the auth_tkt plugin's "remember"
CM	411	method didn't handle userids which are Python "long" instances
	412	properly. Symptom: TypeError: cannot concatenate 'str' and 'long'
	413	objects in "paste.auth.auth_tkt".
a2c030	414
9238cd	415	- Added predicate-based "restriction" middleware support
CM	416	(repoze.who.restrict), allowing configuratio-driven authorization as
	417	a WSGI filter. One example predicate, 'authenticated_predicate', is
	418	supplied, which requires that the user be authenticated either via
	419	'REMOTE_USER' or via 'repoze.who.identity'. To use the filter to
	420	restrict access::
cad90d	421
TS	422	[filter:authenticated_only]
	423	use = egg:repoze.who#authenticated
	424
	425	or::
	426
	427	[filter:some_predicate]
	428	use = egg:repoze.who#predicate
	429	predicate = my.module:some_predicate
	430	some_option = a value
	431
7141c7	432
TS	433	1.0.1 (2008-05-24)
	434	------------------
8199a1	435
9238cd	436	- Remove dependency-link to dist.repoze.org to prevent easy_install
CM	437	from inserting that path into its search paths (the dependencies are
	438	available from PyPI).
8199a1	439
7141c7	440
TS	441	1.0 (2008-05-04)
	442	-----------------
419946	443
9238cd	444	- The plugin at plugins.form.FormPlugin didn't redirect properly after
CM	445	collecting identification information. Symptom: a downstream app
	446	would receive a POST request with a blank body, which would
	447	sometimes result in a Bad Request error.
f39349	448
9238cd	449	- Fixed interface declarations of
CM	450	'classifiers.default_request_classifier' and
	451	'classifiers.default_password_compare'.
515c69	452
9238cd	453	- Added actual config-driven middleware factory,
CM	454	'config.make_middleware_with_config'
515c69	455
9238cd	456	- Removed fossilized 'who_conf' argument from plugin factory functions.
515c69	457
7141c7	458	- Added ConfigParser-based WhoConfig, implementing the spec outlined at
9238cd	459	http://www.plope.com/static/misc/sphinxtest/intro.html#middleware-configuration-via-config-file,
CM	460	with the following changes:
419946	461
7141c7	462	- "Bare" plugins (requiring no configuration options) may be specified
419946	463	as either egg entry points (e.g., 'egg:distname#entry_point_name') or
TS	464	as dotted-path-with-colon (e.g., 'dotted.name:object_id').
	465
7141c7	466	- Therefore, the separator between a plugin and its classifier is now
TS	467	a semicolon, rather than a colon. E.g.::
419946	468
TS	469	[plugins:id_plugin]
	470	use = egg:another.package#identify_with_frobnatz
	471	frobnatz = baz
	472
	473	[identifiers]
	474	plugins =
	475	egg:my.egg#identify;browser
	476	dotted.name:identifier
	477	id_plugin
	478
7141c7	479
779caf	480	0.9.1 (2008-04-27)
7141c7	481	------------------
779caf	482
9238cd	483	- Fix auth_tkt plugin to be able to encode and decode integer user
CM	484	ids.
779caf	485
7141c7	486
88e646	487	0.9 (2008-04-01)
7141c7	488	----------------
88e646	489
9238cd	490	- Fix bug introduced in FormPlugin in 0.8 release (rememberer headers
CM	491	not set).
88e646	492
9238cd	493	- Add PATH_INFO to started and ended log info.
d9f046	494
9238cd	495	- Add a SQLMetadataProviderPlugin (in plugins/sql).
d9f046	496
9238cd	497	- Change constructor of SQLAuthenticatorPlugin: it now accepts only
CM	498	"query", "conn_factory", and "compare_fn". The old constructor
	499	accepted a DSN, but some database systems don't use DBAPI DSNs. The
	500	new constructor accepts no DSN; the conn_factory is assumed to do
	501	all the work to make a connection, including knowing the DSN if one
	502	is required. The "conn_factory" should return something that, when
	503	called with no arguments, returns a database connection.
d9f046	504
9238cd	505	- The "make_plugin" helper in plugins/sql has been renamed
CM	506	"make_authenticator_plugin". When called, this helper will return a
	507	SQLAuthenticatorPlugin. A bit of helper logic in the
	508	"make_authenticator_plugin" allows a connection factory to be
	509	computed. The top-level callable referred to by conn_factory in
	510	this helper should return a function that, when called with no
	511	arguments, returns a datbase connection. The top-level callable
	512	itself is called with "who_conf" (global who configuration) and any
	513	number of non-top-level keyword arguments as they are passed into
	514	the helper, to allow for a DSN or URL or whatever to be passed in.
d9f046	515
9238cd	516	- A "make_metatata_plugin" helper has been added to plugins/sql. When
CM	517	called, this will make a SQLMetadataProviderPlugin. See the
	518	implementation for details. It is similar to the
	519	"make_authenticator_plugin" helper.
d9f046	520
7141c7	521
cbe4e3	522	0.8 (2008-03-27)
7141c7	523	----------------
b5a331	524
9238cd	525	- Add a RedirectingFormIdentifier plugin. This plugin is willing to
CM	526	redirect to an external (or downstream application) login form to
	527	perform identification. The external login form must post to the
	528	"login_handler_path" of the plugin (optimally with a "came_from"
	529	value to tell the plugin where to redirect the response to if the
	530	authentication works properly). The "logout_handler_path" of this
	531	plugin can be visited to perform a logout. The "came_from" value
	532	also works there.
a400b0	533
9238cd	534	- Identifier plugins are now permitted to set a key in the environment
CM	535	named 'repoze.who.application' on ingress (in 'identify'). If an
	536	identifier plugin does so, this application is used instead of the
	537	"normal" downstream application. This feature was added to more
	538	simply support the redirecting form identifier plugin.
a400b0	539
7141c7	540
a400b0	541	0.7 (2008-03-26)
7141c7	542	----------------
a400b0	543
9238cd	544	- Change the IMetadataProvider interface: this interface used to have
CM	545	a "metadata" method which returned a dictionary. This method is not
	546	part of that API anymore. It's been replaced with an "add_metadata"
	547	method which has the signature::
b5a331	548
CM	549	def add_metadata(environ, identity):
	550	"""
	551	Add metadata to the identity (which is a dictionary)
	552	"""
	553
	554	The return value is ignored. IMetadataProvider plugins are now
	555	assumed to be responsible for 'scribbling' directly on the identity
	556	that is passed in (it's a dictionary). The user id can always be
	557	retrieved from the identity via identity['repoze.who.userid'] for
	558	metadata plugins that rely on that value.
	559
7141c7	560
a400b0	561	0.6 (2008-03-20)
7141c7	562	----------------
e35c64	563
9238cd	564	- Renaming: repoze.pam is now repoze.who
cb5426	565
9238cd	566	- Bump ez_setup.py version.
e35c64	567
9238cd	568	- Add IMetadataProvider plugin type. Chris says 'Whit rules'.
fa9581	569
7141c7	570
3b67e9	571	0.5 (2008-03-09)
7141c7	572	----------------
db4cf5	573
9238cd	574	- Allow "remote user key" (default: REMOTE_USER) to be overridden
CM	575	(pass in remote_user_key to middleware constructor).
db4cf5	576
9238cd	577	- Allow form plugin to override the default form.
db4cf5	578
9238cd	579	- API change: IIdentifiers are no longer required to put both 'login'
CM	580	and 'password' in a returned identity dictionary. Instead, an
	581	IIdentifier can place arbitrary key/value pairs in the identity
	582	dictionary (or return an empty dictionary).
40a968	583
9238cd	584	- API return value change: the "failure" identity which IIdentifiers
CM	585	return is now None rather than an empty dictionary.
40a968	586
9238cd	587	- The IAuthenticator interface now specifies that IAuthenticators must
CM	588	not raise an exception when evaluating an identity that does not
	589	have "expected" key/value pairs (e.g. when an IAuthenticator that
	590	expects login and password inspects an identity returned by an
	591	IP-based auth system which only puts the IP address in the
	592	identity); instead they fail gracefully by returning None.
40a968	593
9238cd	594	- Add (cookie) "auth_tkt" identification plugin.
a5b033	595
9238cd	596	- Stamp identity dictionaries with a userid by placing a key named
CM	597	'repoze.pam.userid' into the identity for each authenticated
	598	identity.
a5b033	599
9238cd	600	- If an IIdentifier plugin inserts a 'repoze.pam.userid' key into the
CM	601	identity dictionary, consider this identity "preauthenticated". No
	602	authenticator plugins will be asked to authenticate this identity.
	603	This is designed for things like the recently added auth_tkt plugin,
	604	which embeds the user id into the ticket. This effectively alllows
	605	an IIdentifier plugin to become an IAuthenticator plugin when
	606	breaking apart the responsibility into two separate plugins is
	607	"make-work". Preauthenticated identities will be selected first
	608	when deciding which identity to use for any given request.
a5b033	609
9238cd	610	- Insert a 'repoze.pam.identity' key into the WSGI environment on
CM	611	ingress if an identity is found. Its value will be the identity
	612	dictionary related to the identity selected by repoze.pam on
	613	ingress. Downstream consumers are allowed to mutate this
	614	dictionary; this value is passed to "remember" and "forget", so its
	615	main use is to do a "credentials reset"; e.g. a user has changed his
	616	username or password within the application, but we don't want to
	617	force him to log in again after he does so.
a5b033	618
7141c7	619
247f34	620	0.4 (03-07-2008)
7141c7	621	----------------
247f34	622
9238cd	623	- Allow plugins to specify a classifiers list per interface (instead
CM	624	of a single classifiers list per plugin).
247f34	625
7141c7	626
fb510d	627	0.3 (03-05-2008)
7141c7	628	----------------
fb510d	629
9238cd	630	- Make SQLAuthenticatorPlugin's default_password_compare use hexdigest
CM	631	sha instead of base64'ed binary sha for simpler conversion.
fb510d	632
7141c7	633
196bc2	634	0.2 (03-04-2008)
7141c7	635	----------------
196bc2	636
9238cd	637	- Added SQLAuthenticatorPlugin (see plugins/sql.py).
196bc2	638
7141c7	639
318832	640	0.1 (02-27-2008)
7141c7	641	----------------
318832	642
9238cd	643	- Initial release (no configuration file support yet).