RedHatTraining/repoze.who.git

Atsushi Odagiri

2012-10-07 3ea820763a41d6c40396216fdf23d5493c4c71a2

commit \| author \| age
7141c7	1	repoze.who Changelog
TS	2	====================
aa8755	3
d9f6f4	4	2.1 (unreleased)
TS	5	----------------
	6
	7	- Ported to Py3k using the "compatible subset" mode.
	8	- Dropped support for Python < 2.6.x.
	9	- Dropped dependency on Paste (forking some code from it).
	10	- Added dependency on WebOb instead.
	11	Thanks to Atsushi Odagiri (aodag) for the initial effort.
	12
	13
d03c94	14	2.0 (2011-09-28)
493726	15	----------------
TS	16
7f9907	17	- ``auth_tkt`` plugin: strip any port number from the 'Domain' of generated
TS	18	cookies. http://bugs.repoze.org/issue66
	19
493726	20	- Further harden middleware, calling ``close()`` on the iterable even if
TS	21	raising an exception for a missing challenger.
	22	http://bugs.repoze.org/issue174
	23
	24
1b2443	25	2.0b1 (2011-05-24)
TS	26	------------------
f8ef81	27
d6b53f	28	- Enabled standard use of logging module's configuration mechanism.
TS	29	See http://docs.python.org/dev/howto/logging.html#configuring-logging-for-a-library
	30	Thanks to jgoldsmith for the patch: http://bugs.repoze.org/issue178
	31
	32
f8ef81	33	- ``repoze.who.plugins.htpasswd``: defend against timing-based attacks.
TS	34
	35
2b9b1f	36	2.0a4 (2011-02-02)
TS	37	------------------
9a8e60	38
b01f44	39	- Ensure that the middleware calls ``close()`` (if it exists) on the
TS	40	iterable returned from thw wrapped application, as required by PEP 333.
	41	http://bugs.repoze.org/issue174
	42
03fba8	43	- Make ``make_api_factory_with_config`` tolerant of invalid filenames /
TS	44	content for the config file: in such cases, the API factory will have
	45	no configured plugins or policies: it will only be useful for retrieving
	46	the API from an environment populated by middleware.
	47
c61031	48	- Fix bug in ``repoze.who.api`` where the ``remember()`` or ``forget()``
TS	49	methods could return a None if the identifier plugin returned a None.
cfe26c	50
c61031	51	- Fix ``auth_tkt`` plugin to not hand over tokens as strings to paste. See
fc9a88	52	http://lists.repoze.org/pipermail/repoze-dev/2010-November/003680.html
BS	53
c61031	54	- Fix ``auth_tkt`` plugin to add "secure" and "HttpOnly" to cookies when
TS	55	configured with ``secure=True``: these attributes prevent the browser from
	56	sending cookies over insecure channels, which could be vulnerable to some
3b5782	57	XSS attacks.
d7e647	58
15e365	59	- Avoid propagating unicode 'max_age' value into cookie headers. See
TS	60	https://bugs.launchpad.net/bugs/674123 .
	61
e8080a	62	- Added a single-file example BFG application demonstrating the use of
TS	63	the new 'login' and 'logout' methods of the API object.
	64
924f24	65	- Add ``login`` and ``logout`` methods to the ``repoze.who.api.API`` object,
TS	66	as a convenience for application-driven login / logout code, which would
95f147	67	otherwise need to use private methods of the API, and reach down into
TS	68	its plugins.
f8ef81	69
9a8e60	70
2c742e	71	2.0a3 (2010-09-30)
eb7071	72	------------------
f80021	73
a446d6	74	- Deprecated the following plugins, moving their modules, tests, and docs
ff604c	75	to a new project, ``repoze.who.deprecatedplugins``:
a446d6	76
TS	77	- ``repoze.who.plugins.cookie.InsecureCookiePlugin``
	78
630a05	79	- ``repoze.who.plugins.form.FormPlugin``
a446d6	80
630a05	81	- ``repoze.who.plugins.form.RedirectingFormPlugin``
a446d6	82
TS	83	- Made the ``repoze.who.plugins.cookie.InsecureCookiePlugin`` take a
76e951	84	``charset`` argument, and use to to encode / decode login and password.
TS	85	See http://bugs.repoze.org/issue155
	86
a446d6	87	- Updated ``repoze.who.restrict`` to return headers as a list, to keep
TS	88	``wsgiref`` from complaining.
5b6365	89
a446d6	90	- Helped default request classifier cope with xml submissions with an
6b7b34	91	explicit charset defined: http://bugs.repoze.org/issue145 (Lorenzo
CM	92	M. Catucci)
	93
a446d6	94	- Corrected the handling of type and subtype when matching an XML post
6b7b34	95	to ``xmlpost`` in the default classifier, which, according to RFC
CM	96	2045, must be matched case-insensitively:
	97	http://bugs.repoze.org/issue145 (Lorenzo M. Catucci)
	98
a349a2	99	- Added ``repoze.who.config:make_api_factory_with_config``, a convenience
TS	100	method for applications which want to set up their own API Factory from
	101	a configuration file.
	102
f80021	103	- Fixed example call to ``repoze.who.config:make_middleware_with_config``
TS	104	(added missing ``global_config`` argument). See
	105	http://bugs.repoze.org/issue114
	106
f8ef81	107
c186ae	108	2.0a2 (2010-03-25)
TS	109	------------------
52bc23	110
TS	111	Bugs Fixed
	112	~~~~~~~~~~
	113
	114	- Fixed failure to pass substution values in log message string formatting
	115	for ``repoze.who.api:API.challenge``. Fix included adding tests for all
	116	logging done by the API object. See http://bugs.repoze.org/issue122
	117
	118	Backward Incompatibilities
	119	~~~~~~~~~~~~~~~~~~~~~~~~~~
	120
	121	- Adjusted logging level for some lower-level details from ``info``
	122	to ``debug``.
f8ef81	123
52bc23	124
TS	125
e25b84	126	2.0a1 (2010-02-24)
993216	127	------------------
TS	128
b4b8ee	129	Features
TS	130	~~~~~~~~
62cd25	131
c9c1c6	132	- Restored the ability to create the middleware using the old ``classifier``
TS	133	argument. That argument is now a deprecated-but-will-work-forever alias for
	134	``request_classifier``.
cbc983	135
b0f81f	136	- The ``auth_tkt`` plugin now implements the ``IAuthenticator`` interface,
TS	137	and should normally be used both as an ``IIdentifier`` and an
	138	``IAuthenticator``.
	139
993216	140	- Factored out the API of the middleware object to make it useful from
TS	141	within the application. Applications using ``repoze.who``` now fall into
	142	one of three catgeories:
	143
	144	- "middleware-only" applications are configured with middleware, and
	145	use either ``REMOTE_USER`` or ``repoze.who.identity`` from the environment
	146	to determing the authenticated user.
	147
	148	- "bare metal" applications use no ``repoze.who`` middleware at all:
	149	instead, they configure and an ``APIFactory`` object at startup, and
	150	use it to create an ``API`` object when needed on a per-request basis.
	151
	152	- "hybrid" applications are configured with ``repoze.who`` middleware,
	153	but use a new library function to fetch the ``API`` object from the
c9c1c6	154	environ, e.g. to permit calling ``remember`` after a signup or successful
TS	155	login.
993216	156
b4b8ee	157	Bugs Fixed
TS	158	~~~~~~~~~~
	159
	160	- Fix http://bugs.repoze.org/issue102: when no challengers existed,
	161	logging would cause an exception.
	162
	163	- Remove ``ez_setup.py`` and dependency on it in setup.py (support
	164	distribute).
	165
	166	Backward Incompatibilities
	167	~~~~~~~~~~~~~~~~~~~~~~~~~~
	168
b213af	169	- The middleware used to allow identifier plugins to "pre-authenticate"
TS	170	an identity. This feature is no longer supported: the ``auth_tkt``
	171	plugin, which used to use the feature, is now configured to work as
c9c1c6	172	an authenticator plugin (as well as an identifier).
b213af	173
b4b8ee	174	- The ``repoze.who.middleware:PluggableAuthenticationMiddleware`` class
TS	175	no longer has the following (non-API) methods (now made API methods
	176	of the ``repoze.who.api:API`` class):
	177
	178	- ``add_metadata``
	179	- ``authenticate``
	180	- ``challenge``
	181	- ``identify``
	182
	183	- The following (non-API) functions moved from ``repoze.who.middleware`` to
	184	``repoze.who.api``:
	185
	186	- ``make_registries``
	187	- ``match_classification``
	188	- ``verify``
	189
	190
f8ef81	191
060054	192	1.0.18 (2009-11-05)
TS	193	-------------------
798feb	194
TS	195	- Issue #104: AuthTkt plugin was passing an invalid cookie value in
	196	headers from ``forget``, and was not setting the ``Max-Age`` and
	197	``Expires`` attributes of those cookies.
	198
b4b8ee	199
f8ef81	200
6e136f	201	1.0.17 (2009-11-05)
TS	202	-------------------
e0d138	203
TS	204	- Fixed the ``repoze.who.plugins.form.make_plugin`` factory's ``formcallable``
	205	argument handling, to allow passing in a dotted name (e.g., from a config
	206	file).
	207
b4b8ee	208
f8ef81	209
6b15ee	210	1.0.16 (2009-11-04)
028e4d	211	-------------------
1ec83d	212
8dd881	213	- Exposed ``formcallable`` argument for ``repoze.who.plugins.form.FormPlugin``
TS	214	to the callers of the ``repoze.who.plugins.form.make_plugin`` factory.
	215	Thanks to Roland Hedburg for the report.
21a9c5	216
8dd881	217	- Fixed an issue that caused the following symptom when using the
TS	218	ini configuration parser::
	219
	220	TypeError: _makePlugin() got multiple values for keyword argument 'name'
21a9c5	221
CM	222	See http://bugs.repoze.org/issue92 for more details. Thanks to vaab
	223	for the bug report and initial fix.
	224
1ec83d	225
7141c7	226	1.0.15 (2009-06-25)
TS	227	-------------------
299b4c	228
a14163	229	- If the form post value ``max_age`` exists while in the ``identify``
CM	230	method is handling the ``login_handler_path``, pass the max_age
	231	value in the returned identity dictionary as ``max_age``. See the
	232	below bullet point for why.
	233
299b4c	234	- If the ``identity`` dict passed to the ``auth_tkt`` ``remember``
CM	235	method contains a ``max_age`` key with a string (or integer) value,
	236	treat it as a cue to set the ``Max-Age`` and ``Expires`` headers in
	237	the returned cookies. The cookie ``Max-Age`` is set to the value
	238	and the ``Expires`` is computed from the current time.
	239
7141c7	240
TS	241	1.0.14 (2009-06-17)
	242	-------------------
9318dd	243
1810b2	244	- Fix test breakage on Windows. See http://bugs.repoze.org/issue79 .
TS	245
00a6d9	246	- Documented issue with using ``include_ip`` setting in the ``auth_tkt``
TS	247	plugin. See http://bugs.repoze.org/issue81 .
	248
0dd808	249	- Added 'passthrough_challenge_decider', which avoids re-challenging 401
TS	250	responses which have been "pre-challenged" by the application.
	251
9318dd	252	- One-hundred percent unit test coverage.
TS	253
a6f6dc	254	- Add ``timeout`` and ``reissue_time`` arguments to the auth_tkt
CM	255	identifier plugin, courtesty of Paul Johnston.
	256
	257	- Add a ``userid_checker`` argument to the auth_tkt identifier plugin,
	258	courtesty of Gustavo Narea.
	259
	260	If ``userid_checker`` is provided, it must be a dotted Python name
	261	that resolves to a function which accepts a userid and returns a
	262	boolean True or False, indicating whether that user exists in a
	263	database. This is a workaround. Due to a design bug in repoze.who,
	264	the only way who can check for user existence is to use one or more
	265	IAuthenticator plugin ``authenticate`` methods. If an
	266	IAuthenticator's ``authenticate`` method returns true, it means that
	267	the user exists. However most IAuthenticator plugins expect both
	268	a username and a password, and will return False unconditionally if
	269	both aren't supplied. This means that an authenticator can't be
	270	used to check if the user "only" exists. The identity provided by
	271	an auth_tkt does not contain a password to check against. The
	272	actual design bug in repoze.who is this: when a user presents
	273	credentials from an auth_tkt, he is considered "preauthenticated".
	274	IAuthenticator.authenticate is just never called for a
	275	"preauthenticated" identity, which works fine, but it means that the
	276	user will be considered authenticated even if you deleted the user's
	277	record from whatever database you happen to be using. However, if
	278	you use a userid_checker, you can ensure that a user exists for the
	279	auth_tkt supplied userid. If the userid_checker returns False, the
	280	auth_tkt credentials are considered "no good".
	281
7141c7	282
TS	283	1.0.13 (2009-04-24)
	284	-------------------
64ba13	285
TS	286	- Added a paragraph to ``IAuthenticator`` docstring, documenting that plugins
	287	are allowed to add keys to the ``identity`` dictionary (e.g., to save a
ced7bd	288	second database query in an ``IMetadataProvider`` plugin).
64ba13	289
08b2ae	290	- Patch supplied for issue #71 (http://bugs.repoze.org/issue71)
CM	291	whereby a downstream app can return a generator, relying on an
	292	upstream component to call start_response. We do this because the
	293	challenge decider needs the status and headers to decide what to do.
	294
56d0c5	295
7141c7	296	1.0.12 (2009-04-19)
TS	297	-------------------
56d0c5	298	- auth_tkt plugin tried to append REMOTE_USER_TOKENS data to
CM	299	existing tokens data returned by auth_tkt.parse_tkt; this was
	300	incorrect; just overwrite.
0ee58d	301
TS	302	- Extended auth_tkt plugin factory to allow passing secret in a separate
	303	file from the main config file. See http://bugs.repoze.org/issue40 .
	304
7141c7	305
TS	306	1.0.11 (2009-04-10)
	307	-------------------
afbbcd	308
8c20ba	309	- Fix auth_tkt plugin; cookie values are now quoted, making it possible
CM	310	to put spaces and other whitespace, etc in usernames. (thanks to Michael
95736b	311	Pedersen).
8c20ba	312
afbbcd	313	- Fix corner case issue of an exception raised when attempting to log
CM	314	when there are no identifiers or authenticators.
	315
7141c7	316
TS	317	1.0.10 (2009-01-23)
	318	-------------------
7b931d	319
CM	320	- The RedirectingFormPlugin now passes along SetCookie headers set
	321	into the response by the application within the NotFound response
	322	(fixes TG2 "flash" issue).
	323
7141c7	324
TS	325	1.0.9 (2008-12-18)
	326	------------------
30ab69	327
9238cd	328	- The RedirectingFormPlugin now attempts to find a header named
CM	329	``X-Authentication-Failure-Reason`` among the response headers set
	330	by the application when a challenge is issued. If a value for this
	331	header exists (and is non-blank), the value is attached to the
	332	redirect URL's query string as the ``reason`` parameter (or a
	333	user-settable key). This makes it possible for downstream
	334	applications to issue a response that initiates a challenge with
	335	this header and subsequently display the reason in the login form
	336	rendered as a result of the challenge.
30ab69	337
7141c7	338
TS	339	1.0.8 (2008-12-13)
	340	------------------
186ff6	341
9238cd	342	- The ``PluggableAuthenticationMiddleware`` constructor accepts a
CM	343	``log_stream`` argument, which is typically a file. After this
	344	release, it can also be a PEP 333 ``Logger`` instance; if it is a
	345	PEP 333 ``Logger`` instance, this logger will be used as the
	346	repoze.who logger (instead of one being constructed by the
	347	middleware, as was previously always the case). When the
	348	``log_stream`` argument is a PEP 333 Logger object, the
	349	``log_level`` argument is ignored.
186ff6	350
7141c7	351
TS	352	1.0.7 (2008-08-28)
	353	------------------
37de44	354
9238cd	355	- ``repoze.who`` and ``repoze.who.plugins`` were not added to the
CM	356	``namespace_packages`` list in setup.py, potentially making 1.0.6 a
	357	brownbag release, given that making these packages namespace
	358	packages was the only reason for its release.
37de44	359
7141c7	360
TS	361	1.0.6 (2008-08-28)
	362	------------------
facdf8	363
9238cd	364	- Make repoze.who and repoze.who.plugins into namespace packages
CM	365	mainly so we can allow plugin authors to distribute packages in the
	366	repoze.who.plugins namespace.
facdf8	367
7141c7	368
TS	369	1.0.5 (2008-08-23)
	370	------------------
519300	371
9238cd	372	- Fix auth_tkt plugin to set the same cookies in its ``remember``
CM	373	method that it does in its ``forget`` method. Previously, logging
	374	out and relogging back in to a site that used auth_tkt identifier
	375	plugin was slightly dicey and would only work sometimes.
facdf8	376
9238cd	377	- The FormPlugin plugin has grown a redirect-on-unauthorized feature.
CM	378	Any response from a downstream application that causes a challenge
	379	and includes a Location header will cause a redirect to the value of
	380	the Location header.
dee08c	381
7141c7	382
TS	383	1.0.4 (2008-08-22)
	384	------------------
b95a59	385
9238cd	386	- Added a key to the '[general]' config section: ``remote_user_key``.
CM	387	If you use this key in the config file, it tells who to 1) not
	388	perform any authentication if it exists in the environment during
	389	ingress and 2) to set the key in the environment for the downstream
	390	app to use as the REMOTE_USER variable. The default is
	391	``REMOTE_USER``.
b95a59	392
9238cd	393	- Using unicode user ids in combination with the auth_tkt plugin would
CM	394	cause problems under mod_wsgi.
55dc7a	395
9238cd	396	- Allowed 'cookie_path' argument to InsecureCookiePlugin (and config
CM	397	constructor). Thanks to Gustavo Narea.
55dc7a	398
7141c7	399
TS	400	1.0.3 (2008-08-16)
	401	------------------
f693fe	402
9238cd	403	- A bug in the middleware's ``authenticate`` method made it impossible
CM	404	to authenticate a user with a userid that was null (e.g. 0, False),
	405	which are valid identifiers. The only invalid userid is now None.
c7e12d	406
9238cd	407	- Applied patch from Olaf Conradi which logs an error when an invalid
CM	408	filename is passed to the HTPasswdPlugin.
c7e12d	409
7141c7	410
TS	411	1.0.2 (2008-06-16)
	412	------------------
cad90d	413
9238cd	414	- Fix bug found by Chris Perkins: the auth_tkt plugin's "remember"
CM	415	method didn't handle userids which are Python "long" instances
	416	properly. Symptom: TypeError: cannot concatenate 'str' and 'long'
	417	objects in "paste.auth.auth_tkt".
a2c030	418
9238cd	419	- Added predicate-based "restriction" middleware support
CM	420	(repoze.who.restrict), allowing configuratio-driven authorization as
	421	a WSGI filter. One example predicate, 'authenticated_predicate', is
	422	supplied, which requires that the user be authenticated either via
	423	'REMOTE_USER' or via 'repoze.who.identity'. To use the filter to
	424	restrict access::
cad90d	425
TS	426	[filter:authenticated_only]
	427	use = egg:repoze.who#authenticated
	428
	429	or::
	430
	431	[filter:some_predicate]
	432	use = egg:repoze.who#predicate
	433	predicate = my.module:some_predicate
	434	some_option = a value
	435
7141c7	436
TS	437	1.0.1 (2008-05-24)
	438	------------------
8199a1	439
9238cd	440	- Remove dependency-link to dist.repoze.org to prevent easy_install
CM	441	from inserting that path into its search paths (the dependencies are
	442	available from PyPI).
8199a1	443
7141c7	444
TS	445	1.0 (2008-05-04)
	446	-----------------
419946	447
9238cd	448	- The plugin at plugins.form.FormPlugin didn't redirect properly after
CM	449	collecting identification information. Symptom: a downstream app
	450	would receive a POST request with a blank body, which would
	451	sometimes result in a Bad Request error.
f39349	452
9238cd	453	- Fixed interface declarations of
CM	454	'classifiers.default_request_classifier' and
	455	'classifiers.default_password_compare'.
515c69	456
9238cd	457	- Added actual config-driven middleware factory,
CM	458	'config.make_middleware_with_config'
515c69	459
9238cd	460	- Removed fossilized 'who_conf' argument from plugin factory functions.
515c69	461
7141c7	462	- Added ConfigParser-based WhoConfig, implementing the spec outlined at
9238cd	463	http://www.plope.com/static/misc/sphinxtest/intro.html#middleware-configuration-via-config-file,
CM	464	with the following changes:
419946	465
7141c7	466	- "Bare" plugins (requiring no configuration options) may be specified
419946	467	as either egg entry points (e.g., 'egg:distname#entry_point_name') or
TS	468	as dotted-path-with-colon (e.g., 'dotted.name:object_id').
	469
7141c7	470	- Therefore, the separator between a plugin and its classifier is now
TS	471	a semicolon, rather than a colon. E.g.::
419946	472
TS	473	[plugins:id_plugin]
	474	use = egg:another.package#identify_with_frobnatz
	475	frobnatz = baz
	476
	477	[identifiers]
	478	plugins =
	479	egg:my.egg#identify;browser
	480	dotted.name:identifier
	481	id_plugin
	482
7141c7	483
779caf	484	0.9.1 (2008-04-27)
7141c7	485	------------------
779caf	486
9238cd	487	- Fix auth_tkt plugin to be able to encode and decode integer user
CM	488	ids.
779caf	489
7141c7	490
88e646	491	0.9 (2008-04-01)
7141c7	492	----------------
88e646	493
9238cd	494	- Fix bug introduced in FormPlugin in 0.8 release (rememberer headers
CM	495	not set).
88e646	496
9238cd	497	- Add PATH_INFO to started and ended log info.
d9f046	498
9238cd	499	- Add a SQLMetadataProviderPlugin (in plugins/sql).
d9f046	500
9238cd	501	- Change constructor of SQLAuthenticatorPlugin: it now accepts only
CM	502	"query", "conn_factory", and "compare_fn". The old constructor
	503	accepted a DSN, but some database systems don't use DBAPI DSNs. The
	504	new constructor accepts no DSN; the conn_factory is assumed to do
	505	all the work to make a connection, including knowing the DSN if one
	506	is required. The "conn_factory" should return something that, when
	507	called with no arguments, returns a database connection.
d9f046	508
9238cd	509	- The "make_plugin" helper in plugins/sql has been renamed
CM	510	"make_authenticator_plugin". When called, this helper will return a
	511	SQLAuthenticatorPlugin. A bit of helper logic in the
	512	"make_authenticator_plugin" allows a connection factory to be
	513	computed. The top-level callable referred to by conn_factory in
	514	this helper should return a function that, when called with no
	515	arguments, returns a datbase connection. The top-level callable
	516	itself is called with "who_conf" (global who configuration) and any
	517	number of non-top-level keyword arguments as they are passed into
	518	the helper, to allow for a DSN or URL or whatever to be passed in.
d9f046	519
9238cd	520	- A "make_metatata_plugin" helper has been added to plugins/sql. When
CM	521	called, this will make a SQLMetadataProviderPlugin. See the
	522	implementation for details. It is similar to the
	523	"make_authenticator_plugin" helper.
d9f046	524
7141c7	525
cbe4e3	526	0.8 (2008-03-27)
7141c7	527	----------------
b5a331	528
9238cd	529	- Add a RedirectingFormIdentifier plugin. This plugin is willing to
CM	530	redirect to an external (or downstream application) login form to
	531	perform identification. The external login form must post to the
	532	"login_handler_path" of the plugin (optimally with a "came_from"
	533	value to tell the plugin where to redirect the response to if the
	534	authentication works properly). The "logout_handler_path" of this
	535	plugin can be visited to perform a logout. The "came_from" value
	536	also works there.
a400b0	537
9238cd	538	- Identifier plugins are now permitted to set a key in the environment
CM	539	named 'repoze.who.application' on ingress (in 'identify'). If an
	540	identifier plugin does so, this application is used instead of the
	541	"normal" downstream application. This feature was added to more
	542	simply support the redirecting form identifier plugin.
a400b0	543
7141c7	544
a400b0	545	0.7 (2008-03-26)
7141c7	546	----------------
a400b0	547
9238cd	548	- Change the IMetadataProvider interface: this interface used to have
CM	549	a "metadata" method which returned a dictionary. This method is not
	550	part of that API anymore. It's been replaced with an "add_metadata"
	551	method which has the signature::
b5a331	552
CM	553	def add_metadata(environ, identity):
	554	"""
	555	Add metadata to the identity (which is a dictionary)
	556	"""
	557
	558	The return value is ignored. IMetadataProvider plugins are now
	559	assumed to be responsible for 'scribbling' directly on the identity
	560	that is passed in (it's a dictionary). The user id can always be
	561	retrieved from the identity via identity['repoze.who.userid'] for
	562	metadata plugins that rely on that value.
	563
7141c7	564
a400b0	565	0.6 (2008-03-20)
7141c7	566	----------------
e35c64	567
9238cd	568	- Renaming: repoze.pam is now repoze.who
cb5426	569
9238cd	570	- Bump ez_setup.py version.
e35c64	571
9238cd	572	- Add IMetadataProvider plugin type. Chris says 'Whit rules'.
fa9581	573
7141c7	574
3b67e9	575	0.5 (2008-03-09)
7141c7	576	----------------
db4cf5	577
9238cd	578	- Allow "remote user key" (default: REMOTE_USER) to be overridden
CM	579	(pass in remote_user_key to middleware constructor).
db4cf5	580
9238cd	581	- Allow form plugin to override the default form.
db4cf5	582
9238cd	583	- API change: IIdentifiers are no longer required to put both 'login'
CM	584	and 'password' in a returned identity dictionary. Instead, an
	585	IIdentifier can place arbitrary key/value pairs in the identity
	586	dictionary (or return an empty dictionary).
40a968	587
9238cd	588	- API return value change: the "failure" identity which IIdentifiers
CM	589	return is now None rather than an empty dictionary.
40a968	590
9238cd	591	- The IAuthenticator interface now specifies that IAuthenticators must
CM	592	not raise an exception when evaluating an identity that does not
	593	have "expected" key/value pairs (e.g. when an IAuthenticator that
	594	expects login and password inspects an identity returned by an
	595	IP-based auth system which only puts the IP address in the
	596	identity); instead they fail gracefully by returning None.
40a968	597
9238cd	598	- Add (cookie) "auth_tkt" identification plugin.
a5b033	599
9238cd	600	- Stamp identity dictionaries with a userid by placing a key named
CM	601	'repoze.pam.userid' into the identity for each authenticated
	602	identity.
a5b033	603
9238cd	604	- If an IIdentifier plugin inserts a 'repoze.pam.userid' key into the
CM	605	identity dictionary, consider this identity "preauthenticated". No
	606	authenticator plugins will be asked to authenticate this identity.
	607	This is designed for things like the recently added auth_tkt plugin,
	608	which embeds the user id into the ticket. This effectively alllows
	609	an IIdentifier plugin to become an IAuthenticator plugin when
	610	breaking apart the responsibility into two separate plugins is
	611	"make-work". Preauthenticated identities will be selected first
	612	when deciding which identity to use for any given request.
a5b033	613
9238cd	614	- Insert a 'repoze.pam.identity' key into the WSGI environment on
CM	615	ingress if an identity is found. Its value will be the identity
	616	dictionary related to the identity selected by repoze.pam on
	617	ingress. Downstream consumers are allowed to mutate this
	618	dictionary; this value is passed to "remember" and "forget", so its
	619	main use is to do a "credentials reset"; e.g. a user has changed his
	620	username or password within the application, but we don't want to
	621	force him to log in again after he does so.
a5b033	622
7141c7	623
247f34	624	0.4 (03-07-2008)
7141c7	625	----------------
247f34	626
9238cd	627	- Allow plugins to specify a classifiers list per interface (instead
CM	628	of a single classifiers list per plugin).
247f34	629
7141c7	630
fb510d	631	0.3 (03-05-2008)
7141c7	632	----------------
fb510d	633
9238cd	634	- Make SQLAuthenticatorPlugin's default_password_compare use hexdigest
CM	635	sha instead of base64'ed binary sha for simpler conversion.
fb510d	636
7141c7	637
196bc2	638	0.2 (03-04-2008)
7141c7	639	----------------
196bc2	640
9238cd	641	- Added SQLAuthenticatorPlugin (see plugins/sql.py).
196bc2	642
7141c7	643
318832	644	0.1 (02-27-2008)
7141c7	645	----------------
318832	646
9238cd	647	- Initial release (no configuration file support yet).