repoze.who Changelog
====================

2.3.1 (unreleased)
------------------

- TBD

2.3 (2016-05-31)
----------------

- Add support for Python 3.4, Python 3.5, and PyPy3.

- Drop support for Python 2.6 and 3.2.

- ``middleware``: avoid passing extracted ``identity`` to ``remember``
  during egress (the app may have called ``api.forget()``). See #21.

- ``_auth_tkt`` / ``plugins.auth_tkt``: add support for any hash algorithm
  supported by the ``hashlib`` module in Python's standard library.
  Fixes #22 via #23.

- ``plugins.auth_tkt``: Fix storage of "userdata" to save dict. Fixes
  #14 via #18.

- middleware: avoid UnboundLocalError when wrapped generator yields no
  items. See: http://bugs.repoze.org/issue184

- Make cookie expiration date RFC-2616 compliant (independent of locale,
  including 'GMT' zone). See #11.

2.2 (2013-05-17)
----------------

- Parse INI-file configuration using ``SafeConfigParser``: allows
  escaping the ``'%'`` so that e.g. a query template for a DB-API
  connection using ``pyformat`` preserves the template.

- Added support for Python 3.3, PyPy.

2.1 (2013-03-20)
----------------

- ``_compat`` module: tolerate missing ``CONTENT_TYPE`` key in the WSGI
  environment. Thanks to Dag Hoidal for the patch.

- ``htpasswd`` plugin: add a ``sha1_check`` checker function (the ``crypt``
  module is not available on Windows). Thanks to Chandrashekar Jayaraman
  for the patch.

- Documentation typo fixes from Carlos de la Guardia and Atsushi Odagiri.

2.1b1 (2012-11-05)
------------------

- Ported to Py3k using the "compatible subset" mode.

  - Dropped support for Python < 2.6.x.
  - Dropped dependency on Paste (forking some code from it).
  - Added dependency on WebOb instead.

  Thanks to Atsushi Odagiri (aodag) for the initial effort.

2.0 (2011-09-28)
----------------

- ``auth_tkt`` plugin: strip any port number from the 'Domain' of generated
  cookies. http://bugs.repoze.org/issue66

- Further harden middleware, calling ``close()`` on the iterable even if
  raising an exception for a missing challenger.
  http://bugs.repoze.org/issue174

2.0b1 (2011-05-24)
------------------

- Enabled standard use of logging module's configuration mechanism.
  See http://docs.python.org/dev/howto/logging.html#configuring-logging-for-a-library
  Thanks to jgoldsmith for the patch: http://bugs.repoze.org/issue178

- ``repoze.who.plugins.htpasswd``: defend against timing-based attacks.

2.0a4 (2011-02-02)
------------------

- Ensure that the middleware calls ``close()`` (if it exists) on the
  iterable returned from the wrapped application, as required by PEP 333.
  http://bugs.repoze.org/issue174

- Make ``make_api_factory_with_config`` tolerant of invalid filenames /
  content for the config file: in such cases, the API factory will have
  *no* configured plugins or policies: it will only be useful for retrieving
  the API from an environment populated by middleware.

- Fix bug in ``repoze.who.api`` where the ``remember()`` or ``forget()``
  methods could return a None if the identifier plugin returned a None.

- Fix ``auth_tkt`` plugin to not hand over tokens as strings to paste. See
  http://lists.repoze.org/pipermail/repoze-dev/2010-November/003680.html

- Fix ``auth_tkt`` plugin to add "secure" and "HttpOnly" to cookies when
  configured with ``secure=True``: these attributes prevent the browser from
  sending cookies over insecure channels, which could be vulnerable to some
  XSS attacks.

- Avoid propagating unicode 'max_age' value into cookie headers. See
  https://bugs.launchpad.net/bugs/674123 .

- Added a single-file example BFG application demonstrating the use of
  the new 'login' and 'logout' methods of the API object.

- Add ``login`` and ``logout`` methods to the ``repoze.who.api.API`` object,
  as a convenience for application-driven login / logout code, which would
  otherwise need to use private methods of the API, and reach down into
  its plugins.

2.0a3 (2010-09-30)
------------------

- Deprecated the following plugins, moving their modules, tests, and docs
  to a new project, ``repoze.who.deprecatedplugins``:

  - ``repoze.who.plugins.cookie.InsecureCookiePlugin``

  - ``repoze.who.plugins.form.FormPlugin``

  - ``repoze.who.plugins.form.RedirectingFormPlugin``

- Made the ``repoze.who.plugins.cookie.InsecureCookiePlugin`` take a
  ``charset`` argument, and use it to encode / decode login and password.
  See http://bugs.repoze.org/issue155

- Updated ``repoze.who.restrict`` to return headers as a list, to keep
  ``wsgiref`` from complaining.

- Helped default request classifier cope with xml submissions with an
  explicit charset defined: http://bugs.repoze.org/issue145 (Lorenzo
  M. Catucci)

- Corrected the handling of type and subtype when matching an XML post
  to ``xmlpost`` in the default classifier, which, according to RFC
  2045, must be matched case-insensitively:
  http://bugs.repoze.org/issue145 (Lorenzo M. Catucci)

- Added ``repoze.who.config:make_api_factory_with_config``, a convenience
  method for applications which want to set up their own API Factory from
  a configuration file.

- Fixed example call to ``repoze.who.config:make_middleware_with_config``
  (added missing ``global_config`` argument). See
  http://bugs.repoze.org/issue114

2.0a2 (2010-03-25)
------------------

Bugs Fixed
~~~~~~~~~~

- Fixed failure to pass substitution values in log message string formatting
  for ``repoze.who.api:API.challenge``. Fix included adding tests for all
  logging done by the API object. See http://bugs.repoze.org/issue122

Backward Incompatibilities
~~~~~~~~~~~~~~~~~~~~~~~~~~

- Adjusted logging level for some lower-level details from ``info``
  to ``debug``.

2.0a1 (2010-02-24)
------------------

Features
~~~~~~~~

- Restored the ability to create the middleware using the old ``classifier``
  argument. That argument is now a deprecated-but-will-work-forever alias for
  ``request_classifier``.

- The ``auth_tkt`` plugin now implements the ``IAuthenticator`` interface,
  and should normally be used both as an ``IIdentifier`` and an
  ``IAuthenticator``.

- Factored out the API of the middleware object to make it useful from
  within the application. Applications using ``repoze.who`` now fall into
  one of three categories:

  - "middleware-only" applications are configured with middleware, and
    use either ``REMOTE_USER`` or ``repoze.who.identity`` from the environment
    to determine the authenticated user.

  - "bare metal" applications use no ``repoze.who`` middleware at all:
    instead, they configure an ``APIFactory`` object at startup, and
    use it to create an ``API`` object when needed on a per-request basis.

  - "hybrid" applications are configured with ``repoze.who`` middleware,
    but use a new library function to fetch the ``API`` object from the
    environ, e.g. to permit calling ``remember`` after a signup or successful
    login.

Bugs Fixed
~~~~~~~~~~

- Fix http://bugs.repoze.org/issue102: when no challengers existed,
  logging would cause an exception.

- Remove ``ez_setup.py`` and dependency on it in setup.py (support
  distribute).

Backward Incompatibilities
~~~~~~~~~~~~~~~~~~~~~~~~~~

- The middleware used to allow identifier plugins to "pre-authenticate"
  an identity. This feature is no longer supported: the ``auth_tkt``
  plugin, which used to use the feature, is now configured to work as
  an authenticator plugin (as well as an identifier).

- The ``repoze.who.middleware:PluggableAuthenticationMiddleware`` class
  no longer has the following (non-API) methods (now made API methods
  of the ``repoze.who.api:API`` class):

  - ``add_metadata``
  - ``authenticate``
  - ``challenge``
  - ``identify``

- The following (non-API) functions moved from ``repoze.who.middleware`` to
  ``repoze.who.api``:

  - ``make_registries``
  - ``match_classification``
  - ``verify``

1.0.18 (2009-11-05)
-------------------

- Issue #104: AuthTkt plugin was passing an invalid cookie value in
  headers from ``forget``, and was not setting the ``Max-Age`` and
  ``Expires`` attributes of those cookies.

1.0.17 (2009-11-05)
-------------------

- Fixed the ``repoze.who.plugins.form.make_plugin`` factory's ``formcallable``
  argument handling, to allow passing in a dotted name (e.g., from a config
  file).

1.0.16 (2009-11-04)
-------------------

- Exposed ``formcallable`` argument for ``repoze.who.plugins.form.FormPlugin``
  to the callers of the ``repoze.who.plugins.form.make_plugin`` factory.
  Thanks to Roland Hedburg for the report.

- Fixed an issue that caused the following symptom when using the
  ini configuration parser::

    TypeError: _makePlugin() got multiple values for keyword argument 'name'

  See http://bugs.repoze.org/issue92 for more details. Thanks to vaab
  for the bug report and initial fix.

1.0.15 (2009-06-25)
-------------------

- If the form post value ``max_age`` exists while the ``identify``
  method is handling the ``login_handler_path``, pass the max_age
  value in the returned identity dictionary as ``max_age``. See the
  below bullet point for why.

- If the ``identity`` dict passed to the ``auth_tkt`` ``remember``
  method contains a ``max_age`` key with a string (or integer) value,
  treat it as a cue to set the ``Max-Age`` and ``Expires`` headers in
  the returned cookies. The cookie ``Max-Age`` is set to the value
  and the ``Expires`` is computed from the current time.

1.0.14 (2009-06-17)
-------------------

- Fix test breakage on Windows. See http://bugs.repoze.org/issue79 .

- Documented issue with using ``include_ip`` setting in the ``auth_tkt``
  plugin. See http://bugs.repoze.org/issue81 .

- Added 'passthrough_challenge_decider', which avoids re-challenging 401
  responses which have been "pre-challenged" by the application.

- One-hundred percent unit test coverage.

- Add ``timeout`` and ``reissue_time`` arguments to the auth_tkt
  identifier plugin, courtesy of Paul Johnston.

- Add a ``userid_checker`` argument to the auth_tkt identifier plugin,
  courtesy of Gustavo Narea.

  If ``userid_checker`` is provided, it must be a dotted Python name
  that resolves to a function which accepts a userid and returns a
  boolean True or False, indicating whether that user exists in a
  database. This is a workaround. Due to a design bug in repoze.who,
  the only way who can check for user existence is to use one or more
  IAuthenticator plugin ``authenticate`` methods. If an
  IAuthenticator's ``authenticate`` method returns true, it means that
  the user exists. However most IAuthenticator plugins expect *both*
  a username and a password, and will return False unconditionally if
  both aren't supplied. This means that an authenticator can't be
  used to check if the user "only" exists. The identity provided by
  an auth_tkt does not contain a password to check against. The
  actual design bug in repoze.who is this: when a user presents
  credentials from an auth_tkt, he is considered "preauthenticated".
  IAuthenticator.authenticate is just never called for a
  "preauthenticated" identity, which works fine, but it means that the
  user will be considered authenticated even if you deleted the user's
  record from whatever database you happen to be using. However, if
  you use a userid_checker, you can ensure that a user exists for the
  auth_tkt supplied userid. If the userid_checker returns False, the
  auth_tkt credentials are considered "no good".

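The ``userid_checker`` contract described in the 1.0.14 entry, as an added example that is not part of the repoze.who changelog or code base: it shows a ticket for a deleted account being accepted without a checker and rejected with one. The helper names (``make_user_store``, ``make_userid_checker``, ``accept_ticket_identity``, ``demo``) and the in-memory SQLite table are assumptions made for illustration; only the ``repoze.who.userid`` key comes from this changelog.

```python
import sqlite3


def make_user_store(userids):
    """Constructed sample user table; a real deployment queries its own database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (userid TEXT PRIMARY KEY)")
    conn.executemany("INSERT INTO users VALUES (?)", [(u,) for u in userids])
    return conn


def make_userid_checker(conn):
    """Build a checker with the contract above: userid in, True/False out.

    The plugin option takes a dotted name, so in a real module the checker
    would be a module-level function bound to the application's own store.
    """
    def user_exists(userid):
        try:
            row = conn.execute(
                "SELECT 1 FROM users WHERE userid = ?", (str(userid),)
            ).fetchone()
        except sqlite3.Error:
            # Fail closed: an unreachable user store must not admit anyone.
            return False
        return row is not None
    return user_exists


def accept_ticket_identity(identity, userid_checker=None):
    """Hypothetical stand-in for the accept/reject decision (not repoze.who code).

    `identity` stands for what a correctly signed, unexpired ticket decodes to.
    """
    userid = identity.get("repoze.who.userid")
    if userid is None:
        # Per the 1.0.3 entry, None is the only invalid userid (0 is allowed).
        return False
    if userid_checker is not None and not userid_checker(userid):
        # The ticket is genuine, but the account behind it no longer exists.
        return False
    return True


def demo():
    """Return (accepted before deletion, after without checker, after with checker)."""
    conn = make_user_store(["alice", "bob"])
    checker = make_userid_checker(conn)
    ticket = {"repoze.who.userid": "bob"}  # constructed: bob's unexpired cookie
    before = accept_ticket_identity(ticket, checker)
    conn.execute("DELETE FROM users WHERE userid = ?", ("bob",))
    no_checker = accept_ticket_identity(ticket)
    with_checker = accept_ticket_identity(ticket, checker)
    return before, no_checker, with_checker


if __name__ == "__main__":
    print(demo())
```
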
1.0.13 (2009-04-24)
-------------------

- Added a paragraph to ``IAuthenticator`` docstring, documenting that plugins
  are allowed to add keys to the ``identity`` dictionary (e.g., to save a
  second database query in an ``IMetadataProvider`` plugin).

- Patch supplied for issue #71 (http://bugs.repoze.org/issue71)
  whereby a downstream app can return a generator, relying on an
  upstream component to call start_response. We do this because the
  challenge decider needs the status and headers to decide what to do.

1.0.12 (2009-04-19)
-------------------

- auth_tkt plugin tried to append REMOTE_USER_TOKENS data to
  existing tokens data returned by auth_tkt.parse_tkt; this was
  incorrect; just overwrite.

- Extended auth_tkt plugin factory to allow passing secret in a separate
  file from the main config file. See http://bugs.repoze.org/issue40 .

1.0.11 (2009-04-10)
-------------------

- Fix auth_tkt plugin; cookie values are now quoted, making it possible
  to put spaces and other whitespace, etc in usernames. (thanks to Michael
  Pedersen).

- Fix corner case issue of an exception raised when attempting to log
  when there are no identifiers or authenticators.

1.0.10 (2009-01-23)
-------------------

- The RedirectingFormPlugin now passes along SetCookie headers set
  into the response by the application within the NotFound response
  (fixes TG2 "flash" issue).

1.0.9 (2008-12-18)
------------------

- The RedirectingFormPlugin now attempts to find a header named
  ``X-Authentication-Failure-Reason`` among the response headers set
  by the application when a challenge is issued. If a value for this
  header exists (and is non-blank), the value is attached to the
  redirect URL's query string as the ``reason`` parameter (or a
  user-settable key). This makes it possible for downstream
  applications to issue a response that initiates a challenge with
  this header and subsequently display the reason in the login form
  rendered as a result of the challenge.

1.0.8 (2008-12-13)
------------------

- The ``PluggableAuthenticationMiddleware`` constructor accepts a
  ``log_stream`` argument, which is typically a file. After this
  release, it can also be a PEP 333 ``Logger`` instance; if it is a
  PEP 333 ``Logger`` instance, this logger will be used as the
  repoze.who logger (instead of one being constructed by the
  middleware, as was previously always the case). When the
  ``log_stream`` argument is a PEP 333 Logger object, the
  ``log_level`` argument is ignored.

1.0.7 (2008-08-28)
------------------

- ``repoze.who`` and ``repoze.who.plugins`` were not added to the
  ``namespace_packages`` list in setup.py, potentially making 1.0.6 a
  brownbag release, given that making these packages namespace
  packages was the only reason for its release.

1.0.6 (2008-08-28)
------------------

- Make repoze.who and repoze.who.plugins into namespace packages
  mainly so we can allow plugin authors to distribute packages in the
  repoze.who.plugins namespace.

1.0.5 (2008-08-23)
------------------

- Fix auth_tkt plugin to set the same cookies in its ``remember``
  method that it does in its ``forget`` method. Previously, logging
  out and relogging back in to a site that used auth_tkt identifier
  plugin was slightly dicey and would only work sometimes.

- The FormPlugin plugin has grown a redirect-on-unauthorized feature.
  Any response from a downstream application that causes a challenge
  and includes a Location header will cause a redirect to the value of
  the Location header.

1.0.4 (2008-08-22)
------------------

- Added a key to the '[general]' config section: ``remote_user_key``.
  If you use this key in the config file, it tells who to 1) not
  perform any authentication if it exists in the environment during
  ingress and 2) to set the key in the environment for the downstream
  app to use as the REMOTE_USER variable. The default is
  ``REMOTE_USER``.

- Using unicode user ids in combination with the auth_tkt plugin would
  cause problems under mod_wsgi.

- Allowed 'cookie_path' argument to InsecureCookiePlugin (and config
  constructor). Thanks to Gustavo Narea.

1.0.3 (2008-08-16)
------------------

- A bug in the middleware's ``authenticate`` method made it impossible
  to authenticate a user with a userid that was null (e.g. 0, False),
  which are valid identifiers. The only invalid userid is now None.

- Applied patch from Olaf Conradi which logs an error when an invalid
  filename is passed to the HTPasswdPlugin.

1.0.2 (2008-06-16)
------------------

- Fix bug found by Chris Perkins: the auth_tkt plugin's "remember"
  method didn't handle userids which are Python "long" instances
  properly. Symptom: TypeError: cannot concatenate 'str' and 'long'
  objects in "paste.auth.auth_tkt".

- Added predicate-based "restriction" middleware support
  (repoze.who.restrict), allowing configuration-driven authorization as
  a WSGI filter. One example predicate, 'authenticated_predicate', is
  supplied, which requires that the user be authenticated either via
  'REMOTE_USER' or via 'repoze.who.identity'. To use the filter to
  restrict access::

    [filter:authenticated_only]
    use = egg:repoze.who#authenticated

  or::

    [filter:some_predicate]
    use = egg:repoze.who#predicate
    predicate = my.module:some_predicate
    some_option = a value

1.0.1 (2008-05-24)
------------------

- Remove dependency-link to dist.repoze.org to prevent easy_install
  from inserting that path into its search paths (the dependencies are
  available from PyPI).

1.0 (2008-05-04)
-----------------

- The plugin at plugins.form.FormPlugin didn't redirect properly after
  collecting identification information. Symptom: a downstream app
  would receive a POST request with a blank body, which would
  sometimes result in a Bad Request error.

- Fixed interface declarations of
  'classifiers.default_request_classifier' and
  'classifiers.default_password_compare'.

- Added actual config-driven middleware factory,
  'config.make_middleware_with_config'

- Removed fossilized 'who_conf' argument from plugin factory functions.

- Added ConfigParser-based WhoConfig, implementing the spec outlined at
  http://www.plope.com/static/misc/sphinxtest/intro.html#middleware-configuration-via-config-file,
  with the following changes:

  - "Bare" plugins (requiring no configuration options) may be specified
    as either egg entry points (e.g., 'egg:distname#entry_point_name') or
    as dotted-path-with-colon (e.g., 'dotted.name:object_id').

  - Therefore, the separator between a plugin and its classifier is now
    a semicolon, rather than a colon. E.g.::

      [plugins:id_plugin]
      use = egg:another.package#identify_with_frobnatz
      frobnatz = baz

      [identifiers]
      plugins =
        egg:my.egg#identify;browser
        dotted.name:identifier
        id_plugin

0.9.1 (2008-04-27)
------------------

- Fix auth_tkt plugin to be able to encode and decode integer user
  ids.

0.9 (2008-04-01)
----------------

- Fix bug introduced in FormPlugin in 0.8 release (rememberer headers
  not set).

- Add PATH_INFO to started and ended log info.

- Add a SQLMetadataProviderPlugin (in plugins/sql).

- Change constructor of SQLAuthenticatorPlugin: it now accepts only
  "query", "conn_factory", and "compare_fn". The old constructor
  accepted a DSN, but some database systems don't use DBAPI DSNs. The
  new constructor accepts no DSN; the conn_factory is assumed to do
  all the work to make a connection, including knowing the DSN if one
  is required. The "conn_factory" should return something that, when
  called with no arguments, returns a database connection.

- The "make_plugin" helper in plugins/sql has been renamed
  "make_authenticator_plugin". When called, this helper will return a
  SQLAuthenticatorPlugin. A bit of helper logic in the
  "make_authenticator_plugin" allows a connection factory to be
  computed. The top-level callable referred to by conn_factory in
  this helper should return a function that, when called with no
  arguments, returns a database connection. The top-level callable
  itself is called with "who_conf" (global who configuration) and any
  number of non-top-level keyword arguments as they are passed into
  the helper, to allow for a DSN or URL or whatever to be passed in.

- A "make_metadata_plugin" helper has been added to plugins/sql. When
  called, this will make a SQLMetadataProviderPlugin. See the
  implementation for details. It is similar to the
  "make_authenticator_plugin" helper.

0.8 (2008-03-27)
----------------

- Add a RedirectingFormIdentifier plugin. This plugin is willing to
  redirect to an external (or downstream application) login form to
  perform identification. The external login form must post to the
  "login_handler_path" of the plugin (optimally with a "came_from"
  value to tell the plugin where to redirect the response to if the
  authentication works properly). The "logout_handler_path" of this
  plugin can be visited to perform a logout. The "came_from" value
  also works there.

- Identifier plugins are now permitted to set a key in the environment
  named 'repoze.who.application' on ingress (in 'identify'). If an
  identifier plugin does so, this application is used instead of the
  "normal" downstream application. This feature was added to more
  simply support the redirecting form identifier plugin.

0.7 (2008-03-26)
----------------

- Change the IMetadataProvider interface: this interface used to have
  a "metadata" method which returned a dictionary. This method is not
  part of that API anymore. It's been replaced with an "add_metadata"
  method which has the signature::

    def add_metadata(environ, identity):
        """
        Add metadata to the identity (which is a dictionary)
        """

  The return value is ignored. IMetadataProvider plugins are now
  assumed to be responsible for 'scribbling' directly on the identity
  that is passed in (it's a dictionary). The user id can always be
  retrieved from the identity via identity['repoze.who.userid'] for
  metadata plugins that rely on that value.

0.6 (2008-03-20)
----------------

- Renaming: repoze.pam is now repoze.who

- Bump ez_setup.py version.

- Add IMetadataProvider plugin type. Chris says 'Whit rules'.

0.5 (2008-03-09)
----------------

- Allow "remote user key" (default: REMOTE_USER) to be overridden
  (pass in remote_user_key to middleware constructor).

- Allow form plugin to override the default form.

- API change: IIdentifiers are no longer required to put both 'login'
  and 'password' in a returned identity dictionary. Instead, an
  IIdentifier can place arbitrary key/value pairs in the identity
  dictionary (or return an empty dictionary).

- API return value change: the "failure" identity which IIdentifiers
  return is now None rather than an empty dictionary.

- The IAuthenticator interface now specifies that IAuthenticators must
  not raise an exception when evaluating an identity that does not
  have "expected" key/value pairs (e.g. when an IAuthenticator that
  expects login and password inspects an identity returned by an
  IP-based auth system which only puts the IP address in the
  identity); instead they fail gracefully by returning None.

- Add (cookie) "auth_tkt" identification plugin.

- Stamp identity dictionaries with a userid by placing a key named
  'repoze.pam.userid' into the identity for each authenticated
  identity.

- If an IIdentifier plugin inserts a 'repoze.pam.userid' key into the
  identity dictionary, consider this identity "preauthenticated". No
  authenticator plugins will be asked to authenticate this identity.
  This is designed for things like the recently added auth_tkt plugin,
  which embeds the user id into the ticket. This effectively allows
  an IIdentifier plugin to become an IAuthenticator plugin when
  breaking apart the responsibility into two separate plugins is
  "make-work". Preauthenticated identities will be selected first
  when deciding which identity to use for any given request.

- Insert a 'repoze.pam.identity' key into the WSGI environment on
  ingress if an identity is found. Its value will be the identity
  dictionary related to the identity selected by repoze.pam on
  ingress. Downstream consumers are allowed to mutate this
  dictionary; this value is passed to "remember" and "forget", so its
  main use is to do a "credentials reset"; e.g. a user has changed his
  username or password within the application, but we don't want to
  force him to log in again after he does so.

0.4 (03-07-2008)
----------------

- Allow plugins to specify a classifiers list per interface (instead
  of a single classifiers list per plugin).

0.3 (03-05-2008)
----------------

- Make SQLAuthenticatorPlugin's default_password_compare use hexdigest
  sha instead of base64'ed binary sha for simpler conversion.

0.2 (03-04-2008)
----------------

- Added SQLAuthenticatorPlugin (see plugins/sql.py).

0.1 (02-27-2008)
----------------

- Initial release (no configuration file support yet).