RedHatTraining/repoze.who.git

Tres Seaver

2012-11-09 4cc78d522a125aaea864c910d67117a82592d1a3

commit \| author \| age
7141c7	1	repoze.who Changelog
TS	2	====================
aa8755	3
d96616	4
c72bfe	5	2.1 (unreleased)
TS	6	----------------
	7
d96616	8	- ``htpasswd`` plugin: add a ``sha1_check`` checker function (the ``crypt``
TS	9	module is not available on Windows). Thanks to Chandrashekar Jayaraman
	10	for the patch.
	11
c72bfe	12	- Documentation typo fixes from Carlos de la Guardia and Atsushi Odagiri.
TS	13
0cfb1a	14
TS	15	2.1b1 (2012-11-05)
	16	------------------
d9f6f4	17
TS	18	- Ported to Py3k using the "compatible subset" mode.
	19	- Dropped support for Python < 2.6.x.
	20	- Dropped dependency on Paste (forking some code from it).
	21	- Added dependency on WebOb instead.
	22	Thanks to Atsushi Odagiri (aodag) for the initial effort.
	23
	24
d03c94	25	2.0 (2011-09-28)
493726	26	----------------
TS	27
7f9907	28	- ``auth_tkt`` plugin: strip any port number from the 'Domain' of generated
TS	29	cookies. http://bugs.repoze.org/issue66
	30
493726	31	- Further harden middleware, calling ``close()`` on the iterable even if
TS	32	raising an exception for a missing challenger.
	33	http://bugs.repoze.org/issue174
	34
	35
1b2443	36	2.0b1 (2011-05-24)
TS	37	------------------
f8ef81	38
d6b53f	39	- Enabled standard use of logging module's configuration mechanism.
TS	40	See http://docs.python.org/dev/howto/logging.html#configuring-logging-for-a-library
	41	Thanks to jgoldsmith for the patch: http://bugs.repoze.org/issue178
	42
	43
f8ef81	44	- ``repoze.who.plugins.htpasswd``: defend against timing-based attacks.
TS	45
	46
2b9b1f	47	2.0a4 (2011-02-02)
TS	48	------------------
9a8e60	49
b01f44	50	- Ensure that the middleware calls ``close()`` (if it exists) on the
TS	51	iterable returned from thw wrapped application, as required by PEP 333.
	52	http://bugs.repoze.org/issue174
	53
03fba8	54	- Make ``make_api_factory_with_config`` tolerant of invalid filenames /
TS	55	content for the config file: in such cases, the API factory will have
	56	no configured plugins or policies: it will only be useful for retrieving
	57	the API from an environment populated by middleware.
	58
c61031	59	- Fix bug in ``repoze.who.api`` where the ``remember()`` or ``forget()``
TS	60	methods could return a None if the identifier plugin returned a None.
cfe26c	61
c61031	62	- Fix ``auth_tkt`` plugin to not hand over tokens as strings to paste. See
fc9a88	63	http://lists.repoze.org/pipermail/repoze-dev/2010-November/003680.html
BS	64
c61031	65	- Fix ``auth_tkt`` plugin to add "secure" and "HttpOnly" to cookies when
TS	66	configured with ``secure=True``: these attributes prevent the browser from
	67	sending cookies over insecure channels, which could be vulnerable to some
3b5782	68	XSS attacks.
d7e647	69
15e365	70	- Avoid propagating unicode 'max_age' value into cookie headers. See
TS	71	https://bugs.launchpad.net/bugs/674123 .
	72
e8080a	73	- Added a single-file example BFG application demonstrating the use of
TS	74	the new 'login' and 'logout' methods of the API object.
	75
924f24	76	- Add ``login`` and ``logout`` methods to the ``repoze.who.api.API`` object,
TS	77	as a convenience for application-driven login / logout code, which would
95f147	78	otherwise need to use private methods of the API, and reach down into
TS	79	its plugins.
f8ef81	80
9a8e60	81
2c742e	82	2.0a3 (2010-09-30)
eb7071	83	------------------
f80021	84
a446d6	85	- Deprecated the following plugins, moving their modules, tests, and docs
ff604c	86	to a new project, ``repoze.who.deprecatedplugins``:
a446d6	87
TS	88	- ``repoze.who.plugins.cookie.InsecureCookiePlugin``
	89
630a05	90	- ``repoze.who.plugins.form.FormPlugin``
a446d6	91
630a05	92	- ``repoze.who.plugins.form.RedirectingFormPlugin``
a446d6	93
TS	94	- Made the ``repoze.who.plugins.cookie.InsecureCookiePlugin`` take a
76e951	95	``charset`` argument, and use to to encode / decode login and password.
TS	96	See http://bugs.repoze.org/issue155
	97
a446d6	98	- Updated ``repoze.who.restrict`` to return headers as a list, to keep
TS	99	``wsgiref`` from complaining.
5b6365	100
a446d6	101	- Helped default request classifier cope with xml submissions with an
6b7b34	102	explicit charset defined: http://bugs.repoze.org/issue145 (Lorenzo
CM	103	M. Catucci)
	104
a446d6	105	- Corrected the handling of type and subtype when matching an XML post
6b7b34	106	to ``xmlpost`` in the default classifier, which, according to RFC
CM	107	2045, must be matched case-insensitively:
	108	http://bugs.repoze.org/issue145 (Lorenzo M. Catucci)
	109
a349a2	110	- Added ``repoze.who.config:make_api_factory_with_config``, a convenience
TS	111	method for applications which want to set up their own API Factory from
	112	a configuration file.
	113
f80021	114	- Fixed example call to ``repoze.who.config:make_middleware_with_config``
TS	115	(added missing ``global_config`` argument). See
	116	http://bugs.repoze.org/issue114
	117
f8ef81	118
c186ae	119	2.0a2 (2010-03-25)
TS	120	------------------
52bc23	121
TS	122	Bugs Fixed
	123	~~~~~~~~~~
	124
	125	- Fixed failure to pass substution values in log message string formatting
	126	for ``repoze.who.api:API.challenge``. Fix included adding tests for all
	127	logging done by the API object. See http://bugs.repoze.org/issue122
	128
	129	Backward Incompatibilities
	130	~~~~~~~~~~~~~~~~~~~~~~~~~~
	131
	132	- Adjusted logging level for some lower-level details from ``info``
	133	to ``debug``.
f8ef81	134
52bc23	135
TS	136
e25b84	137	2.0a1 (2010-02-24)
993216	138	------------------
TS	139
b4b8ee	140	Features
TS	141	~~~~~~~~
62cd25	142
c9c1c6	143	- Restored the ability to create the middleware using the old ``classifier``
TS	144	argument. That argument is now a deprecated-but-will-work-forever alias for
	145	``request_classifier``.
cbc983	146
b0f81f	147	- The ``auth_tkt`` plugin now implements the ``IAuthenticator`` interface,
TS	148	and should normally be used both as an ``IIdentifier`` and an
	149	``IAuthenticator``.
	150
993216	151	- Factored out the API of the middleware object to make it useful from
TS	152	within the application. Applications using ``repoze.who``` now fall into
	153	one of three catgeories:
	154
	155	- "middleware-only" applications are configured with middleware, and
	156	use either ``REMOTE_USER`` or ``repoze.who.identity`` from the environment
	157	to determing the authenticated user.
	158
	159	- "bare metal" applications use no ``repoze.who`` middleware at all:
	160	instead, they configure and an ``APIFactory`` object at startup, and
	161	use it to create an ``API`` object when needed on a per-request basis.
	162
	163	- "hybrid" applications are configured with ``repoze.who`` middleware,
	164	but use a new library function to fetch the ``API`` object from the
c9c1c6	165	environ, e.g. to permit calling ``remember`` after a signup or successful
TS	166	login.
993216	167
b4b8ee	168	Bugs Fixed
TS	169	~~~~~~~~~~
	170
	171	- Fix http://bugs.repoze.org/issue102: when no challengers existed,
	172	logging would cause an exception.
	173
	174	- Remove ``ez_setup.py`` and dependency on it in setup.py (support
	175	distribute).
	176
	177	Backward Incompatibilities
	178	~~~~~~~~~~~~~~~~~~~~~~~~~~
	179
b213af	180	- The middleware used to allow identifier plugins to "pre-authenticate"
TS	181	an identity. This feature is no longer supported: the ``auth_tkt``
	182	plugin, which used to use the feature, is now configured to work as
c9c1c6	183	an authenticator plugin (as well as an identifier).
b213af	184
b4b8ee	185	- The ``repoze.who.middleware:PluggableAuthenticationMiddleware`` class
TS	186	no longer has the following (non-API) methods (now made API methods
	187	of the ``repoze.who.api:API`` class):
	188
	189	- ``add_metadata``
	190	- ``authenticate``
	191	- ``challenge``
	192	- ``identify``
	193
	194	- The following (non-API) functions moved from ``repoze.who.middleware`` to
	195	``repoze.who.api``:
	196
	197	- ``make_registries``
	198	- ``match_classification``
	199	- ``verify``
	200
	201
f8ef81	202
060054	203	1.0.18 (2009-11-05)
TS	204	-------------------
798feb	205
TS	206	- Issue #104: AuthTkt plugin was passing an invalid cookie value in
	207	headers from ``forget``, and was not setting the ``Max-Age`` and
	208	``Expires`` attributes of those cookies.
	209
b4b8ee	210
f8ef81	211
6e136f	212	1.0.17 (2009-11-05)
TS	213	-------------------
e0d138	214
TS	215	- Fixed the ``repoze.who.plugins.form.make_plugin`` factory's ``formcallable``
	216	argument handling, to allow passing in a dotted name (e.g., from a config
	217	file).
	218
b4b8ee	219
f8ef81	220
6b15ee	221	1.0.16 (2009-11-04)
028e4d	222	-------------------
1ec83d	223
8dd881	224	- Exposed ``formcallable`` argument for ``repoze.who.plugins.form.FormPlugin``
TS	225	to the callers of the ``repoze.who.plugins.form.make_plugin`` factory.
	226	Thanks to Roland Hedburg for the report.
21a9c5	227
8dd881	228	- Fixed an issue that caused the following symptom when using the
TS	229	ini configuration parser::
	230
	231	TypeError: _makePlugin() got multiple values for keyword argument 'name'
21a9c5	232
CM	233	See http://bugs.repoze.org/issue92 for more details. Thanks to vaab
	234	for the bug report and initial fix.
	235
1ec83d	236
7141c7	237	1.0.15 (2009-06-25)
TS	238	-------------------
299b4c	239
a14163	240	- If the form post value ``max_age`` exists while in the ``identify``
CM	241	method is handling the ``login_handler_path``, pass the max_age
	242	value in the returned identity dictionary as ``max_age``. See the
	243	below bullet point for why.
	244
299b4c	245	- If the ``identity`` dict passed to the ``auth_tkt`` ``remember``
CM	246	method contains a ``max_age`` key with a string (or integer) value,
	247	treat it as a cue to set the ``Max-Age`` and ``Expires`` headers in
	248	the returned cookies. The cookie ``Max-Age`` is set to the value
	249	and the ``Expires`` is computed from the current time.
	250
7141c7	251
TS	252	1.0.14 (2009-06-17)
	253	-------------------
9318dd	254
1810b2	255	- Fix test breakage on Windows. See http://bugs.repoze.org/issue79 .
TS	256
00a6d9	257	- Documented issue with using ``include_ip`` setting in the ``auth_tkt``
TS	258	plugin. See http://bugs.repoze.org/issue81 .
	259
0dd808	260	- Added 'passthrough_challenge_decider', which avoids re-challenging 401
TS	261	responses which have been "pre-challenged" by the application.
	262
9318dd	263	- One-hundred percent unit test coverage.
TS	264
a6f6dc	265	- Add ``timeout`` and ``reissue_time`` arguments to the auth_tkt
CM	266	identifier plugin, courtesty of Paul Johnston.
	267
	268	- Add a ``userid_checker`` argument to the auth_tkt identifier plugin,
	269	courtesty of Gustavo Narea.
	270
	271	If ``userid_checker`` is provided, it must be a dotted Python name
	272	that resolves to a function which accepts a userid and returns a
	273	boolean True or False, indicating whether that user exists in a
	274	database. This is a workaround. Due to a design bug in repoze.who,
	275	the only way who can check for user existence is to use one or more
	276	IAuthenticator plugin ``authenticate`` methods. If an
	277	IAuthenticator's ``authenticate`` method returns true, it means that
	278	the user exists. However most IAuthenticator plugins expect both
	279	a username and a password, and will return False unconditionally if
	280	both aren't supplied. This means that an authenticator can't be
	281	used to check if the user "only" exists. The identity provided by
	282	an auth_tkt does not contain a password to check against. The
	283	actual design bug in repoze.who is this: when a user presents
	284	credentials from an auth_tkt, he is considered "preauthenticated".
	285	IAuthenticator.authenticate is just never called for a
	286	"preauthenticated" identity, which works fine, but it means that the
	287	user will be considered authenticated even if you deleted the user's
	288	record from whatever database you happen to be using. However, if
	289	you use a userid_checker, you can ensure that a user exists for the
	290	auth_tkt supplied userid. If the userid_checker returns False, the
	291	auth_tkt credentials are considered "no good".
	292
7141c7	293
TS	294	1.0.13 (2009-04-24)
	295	-------------------
64ba13	296
TS	297	- Added a paragraph to ``IAuthenticator`` docstring, documenting that plugins
	298	are allowed to add keys to the ``identity`` dictionary (e.g., to save a
ced7bd	299	second database query in an ``IMetadataProvider`` plugin).
64ba13	300
08b2ae	301	- Patch supplied for issue #71 (http://bugs.repoze.org/issue71)
CM	302	whereby a downstream app can return a generator, relying on an
	303	upstream component to call start_response. We do this because the
	304	challenge decider needs the status and headers to decide what to do.
	305
56d0c5	306
7141c7	307	1.0.12 (2009-04-19)
TS	308	-------------------
56d0c5	309	- auth_tkt plugin tried to append REMOTE_USER_TOKENS data to
CM	310	existing tokens data returned by auth_tkt.parse_tkt; this was
	311	incorrect; just overwrite.
0ee58d	312
TS	313	- Extended auth_tkt plugin factory to allow passing secret in a separate
	314	file from the main config file. See http://bugs.repoze.org/issue40 .
	315
7141c7	316
TS	317	1.0.11 (2009-04-10)
	318	-------------------
afbbcd	319
8c20ba	320	- Fix auth_tkt plugin; cookie values are now quoted, making it possible
CM	321	to put spaces and other whitespace, etc in usernames. (thanks to Michael
95736b	322	Pedersen).
8c20ba	323
afbbcd	324	- Fix corner case issue of an exception raised when attempting to log
CM	325	when there are no identifiers or authenticators.
	326
7141c7	327
TS	328	1.0.10 (2009-01-23)
	329	-------------------
7b931d	330
CM	331	- The RedirectingFormPlugin now passes along SetCookie headers set
	332	into the response by the application within the NotFound response
	333	(fixes TG2 "flash" issue).
	334
7141c7	335
TS	336	1.0.9 (2008-12-18)
	337	------------------
30ab69	338
9238cd	339	- The RedirectingFormPlugin now attempts to find a header named
CM	340	``X-Authentication-Failure-Reason`` among the response headers set
	341	by the application when a challenge is issued. If a value for this
	342	header exists (and is non-blank), the value is attached to the
	343	redirect URL's query string as the ``reason`` parameter (or a
	344	user-settable key). This makes it possible for downstream
	345	applications to issue a response that initiates a challenge with
	346	this header and subsequently display the reason in the login form
	347	rendered as a result of the challenge.
30ab69	348
7141c7	349
TS	350	1.0.8 (2008-12-13)
	351	------------------
186ff6	352
9238cd	353	- The ``PluggableAuthenticationMiddleware`` constructor accepts a
CM	354	``log_stream`` argument, which is typically a file. After this
	355	release, it can also be a PEP 333 ``Logger`` instance; if it is a
	356	PEP 333 ``Logger`` instance, this logger will be used as the
	357	repoze.who logger (instead of one being constructed by the
	358	middleware, as was previously always the case). When the
	359	``log_stream`` argument is a PEP 333 Logger object, the
	360	``log_level`` argument is ignored.
186ff6	361
7141c7	362
TS	363	1.0.7 (2008-08-28)
	364	------------------
37de44	365
9238cd	366	- ``repoze.who`` and ``repoze.who.plugins`` were not added to the
CM	367	``namespace_packages`` list in setup.py, potentially making 1.0.6 a
	368	brownbag release, given that making these packages namespace
	369	packages was the only reason for its release.
37de44	370
7141c7	371
TS	372	1.0.6 (2008-08-28)
	373	------------------
facdf8	374
9238cd	375	- Make repoze.who and repoze.who.plugins into namespace packages
CM	376	mainly so we can allow plugin authors to distribute packages in the
	377	repoze.who.plugins namespace.
facdf8	378
7141c7	379
TS	380	1.0.5 (2008-08-23)
	381	------------------
519300	382
9238cd	383	- Fix auth_tkt plugin to set the same cookies in its ``remember``
CM	384	method that it does in its ``forget`` method. Previously, logging
	385	out and relogging back in to a site that used auth_tkt identifier
	386	plugin was slightly dicey and would only work sometimes.
facdf8	387
9238cd	388	- The FormPlugin plugin has grown a redirect-on-unauthorized feature.
CM	389	Any response from a downstream application that causes a challenge
	390	and includes a Location header will cause a redirect to the value of
	391	the Location header.
dee08c	392
7141c7	393
TS	394	1.0.4 (2008-08-22)
	395	------------------
b95a59	396
9238cd	397	- Added a key to the '[general]' config section: ``remote_user_key``.
CM	398	If you use this key in the config file, it tells who to 1) not
	399	perform any authentication if it exists in the environment during
	400	ingress and 2) to set the key in the environment for the downstream
	401	app to use as the REMOTE_USER variable. The default is
	402	``REMOTE_USER``.
b95a59	403
9238cd	404	- Using unicode user ids in combination with the auth_tkt plugin would
CM	405	cause problems under mod_wsgi.
55dc7a	406
9238cd	407	- Allowed 'cookie_path' argument to InsecureCookiePlugin (and config
CM	408	constructor). Thanks to Gustavo Narea.
55dc7a	409
7141c7	410
TS	411	1.0.3 (2008-08-16)
	412	------------------
f693fe	413
9238cd	414	- A bug in the middleware's ``authenticate`` method made it impossible
CM	415	to authenticate a user with a userid that was null (e.g. 0, False),
	416	which are valid identifiers. The only invalid userid is now None.
c7e12d	417
9238cd	418	- Applied patch from Olaf Conradi which logs an error when an invalid
CM	419	filename is passed to the HTPasswdPlugin.
c7e12d	420
7141c7	421
TS	422	1.0.2 (2008-06-16)
	423	------------------
cad90d	424
9238cd	425	- Fix bug found by Chris Perkins: the auth_tkt plugin's "remember"
CM	426	method didn't handle userids which are Python "long" instances
	427	properly. Symptom: TypeError: cannot concatenate 'str' and 'long'
	428	objects in "paste.auth.auth_tkt".
a2c030	429
9238cd	430	- Added predicate-based "restriction" middleware support
CM	431	(repoze.who.restrict), allowing configuratio-driven authorization as
	432	a WSGI filter. One example predicate, 'authenticated_predicate', is
	433	supplied, which requires that the user be authenticated either via
	434	'REMOTE_USER' or via 'repoze.who.identity'. To use the filter to
	435	restrict access::
cad90d	436
TS	437	[filter:authenticated_only]
	438	use = egg:repoze.who#authenticated
	439
	440	or::
	441
	442	[filter:some_predicate]
	443	use = egg:repoze.who#predicate
	444	predicate = my.module:some_predicate
	445	some_option = a value
	446
7141c7	447
TS	448	1.0.1 (2008-05-24)
	449	------------------
8199a1	450
9238cd	451	- Remove dependency-link to dist.repoze.org to prevent easy_install
CM	452	from inserting that path into its search paths (the dependencies are
	453	available from PyPI).
8199a1	454
7141c7	455
TS	456	1.0 (2008-05-04)
	457	-----------------
419946	458
9238cd	459	- The plugin at plugins.form.FormPlugin didn't redirect properly after
CM	460	collecting identification information. Symptom: a downstream app
	461	would receive a POST request with a blank body, which would
	462	sometimes result in a Bad Request error.
f39349	463
9238cd	464	- Fixed interface declarations of
CM	465	'classifiers.default_request_classifier' and
	466	'classifiers.default_password_compare'.
515c69	467
9238cd	468	- Added actual config-driven middleware factory,
CM	469	'config.make_middleware_with_config'
515c69	470
9238cd	471	- Removed fossilized 'who_conf' argument from plugin factory functions.
515c69	472
7141c7	473	- Added ConfigParser-based WhoConfig, implementing the spec outlined at
9238cd	474	http://www.plope.com/static/misc/sphinxtest/intro.html#middleware-configuration-via-config-file,
CM	475	with the following changes:
419946	476
7141c7	477	- "Bare" plugins (requiring no configuration options) may be specified
419946	478	as either egg entry points (e.g., 'egg:distname#entry_point_name') or
TS	479	as dotted-path-with-colon (e.g., 'dotted.name:object_id').
	480
7141c7	481	- Therefore, the separator between a plugin and its classifier is now
TS	482	a semicolon, rather than a colon. E.g.::
419946	483
TS	484	[plugins:id_plugin]
	485	use = egg:another.package#identify_with_frobnatz
	486	frobnatz = baz
	487
	488	[identifiers]
	489	plugins =
	490	egg:my.egg#identify;browser
	491	dotted.name:identifier
	492	id_plugin
	493
7141c7	494
779caf	495	0.9.1 (2008-04-27)
7141c7	496	------------------
779caf	497
9238cd	498	- Fix auth_tkt plugin to be able to encode and decode integer user
CM	499	ids.
779caf	500
7141c7	501
88e646	502	0.9 (2008-04-01)
7141c7	503	----------------
88e646	504
9238cd	505	- Fix bug introduced in FormPlugin in 0.8 release (rememberer headers
CM	506	not set).
88e646	507
9238cd	508	- Add PATH_INFO to started and ended log info.
d9f046	509
9238cd	510	- Add a SQLMetadataProviderPlugin (in plugins/sql).
d9f046	511
9238cd	512	- Change constructor of SQLAuthenticatorPlugin: it now accepts only
CM	513	"query", "conn_factory", and "compare_fn". The old constructor
	514	accepted a DSN, but some database systems don't use DBAPI DSNs. The
	515	new constructor accepts no DSN; the conn_factory is assumed to do
	516	all the work to make a connection, including knowing the DSN if one
	517	is required. The "conn_factory" should return something that, when
	518	called with no arguments, returns a database connection.
d9f046	519
9238cd	520	- The "make_plugin" helper in plugins/sql has been renamed
CM	521	"make_authenticator_plugin". When called, this helper will return a
	522	SQLAuthenticatorPlugin. A bit of helper logic in the
	523	"make_authenticator_plugin" allows a connection factory to be
	524	computed. The top-level callable referred to by conn_factory in
	525	this helper should return a function that, when called with no
	526	arguments, returns a datbase connection. The top-level callable
	527	itself is called with "who_conf" (global who configuration) and any
	528	number of non-top-level keyword arguments as they are passed into
	529	the helper, to allow for a DSN or URL or whatever to be passed in.
d9f046	530
9238cd	531	- A "make_metatata_plugin" helper has been added to plugins/sql. When
CM	532	called, this will make a SQLMetadataProviderPlugin. See the
	533	implementation for details. It is similar to the
	534	"make_authenticator_plugin" helper.
d9f046	535
7141c7	536
cbe4e3	537	0.8 (2008-03-27)
7141c7	538	----------------
b5a331	539
9238cd	540	- Add a RedirectingFormIdentifier plugin. This plugin is willing to
CM	541	redirect to an external (or downstream application) login form to
	542	perform identification. The external login form must post to the
	543	"login_handler_path" of the plugin (optimally with a "came_from"
	544	value to tell the plugin where to redirect the response to if the
	545	authentication works properly). The "logout_handler_path" of this
	546	plugin can be visited to perform a logout. The "came_from" value
	547	also works there.
a400b0	548
9238cd	549	- Identifier plugins are now permitted to set a key in the environment
CM	550	named 'repoze.who.application' on ingress (in 'identify'). If an
	551	identifier plugin does so, this application is used instead of the
	552	"normal" downstream application. This feature was added to more
	553	simply support the redirecting form identifier plugin.
a400b0	554
7141c7	555
a400b0	556	0.7 (2008-03-26)
7141c7	557	----------------
a400b0	558
9238cd	559	- Change the IMetadataProvider interface: this interface used to have
CM	560	a "metadata" method which returned a dictionary. This method is not
	561	part of that API anymore. It's been replaced with an "add_metadata"
	562	method which has the signature::
b5a331	563
CM	564	def add_metadata(environ, identity):
	565	"""
	566	Add metadata to the identity (which is a dictionary)
	567	"""
	568
	569	The return value is ignored. IMetadataProvider plugins are now
	570	assumed to be responsible for 'scribbling' directly on the identity
	571	that is passed in (it's a dictionary). The user id can always be
	572	retrieved from the identity via identity['repoze.who.userid'] for
	573	metadata plugins that rely on that value.
	574
7141c7	575
a400b0	576	0.6 (2008-03-20)
7141c7	577	----------------
e35c64	578
9238cd	579	- Renaming: repoze.pam is now repoze.who
cb5426	580
9238cd	581	- Bump ez_setup.py version.
e35c64	582
9238cd	583	- Add IMetadataProvider plugin type. Chris says 'Whit rules'.
fa9581	584
7141c7	585
3b67e9	586	0.5 (2008-03-09)
7141c7	587	----------------
db4cf5	588
9238cd	589	- Allow "remote user key" (default: REMOTE_USER) to be overridden
CM	590	(pass in remote_user_key to middleware constructor).
db4cf5	591
9238cd	592	- Allow form plugin to override the default form.
db4cf5	593
9238cd	594	- API change: IIdentifiers are no longer required to put both 'login'
CM	595	and 'password' in a returned identity dictionary. Instead, an
	596	IIdentifier can place arbitrary key/value pairs in the identity
	597	dictionary (or return an empty dictionary).
40a968	598
9238cd	599	- API return value change: the "failure" identity which IIdentifiers
CM	600	return is now None rather than an empty dictionary.
40a968	601
9238cd	602	- The IAuthenticator interface now specifies that IAuthenticators must
CM	603	not raise an exception when evaluating an identity that does not
	604	have "expected" key/value pairs (e.g. when an IAuthenticator that
	605	expects login and password inspects an identity returned by an
	606	IP-based auth system which only puts the IP address in the
	607	identity); instead they fail gracefully by returning None.
40a968	608
9238cd	609	- Add (cookie) "auth_tkt" identification plugin.
a5b033	610
9238cd	611	- Stamp identity dictionaries with a userid by placing a key named
CM	612	'repoze.pam.userid' into the identity for each authenticated
	613	identity.
a5b033	614
9238cd	615	- If an IIdentifier plugin inserts a 'repoze.pam.userid' key into the
CM	616	identity dictionary, consider this identity "preauthenticated". No
	617	authenticator plugins will be asked to authenticate this identity.
	618	This is designed for things like the recently added auth_tkt plugin,
	619	which embeds the user id into the ticket. This effectively alllows
	620	an IIdentifier plugin to become an IAuthenticator plugin when
	621	breaking apart the responsibility into two separate plugins is
	622	"make-work". Preauthenticated identities will be selected first
	623	when deciding which identity to use for any given request.
a5b033	624
9238cd	625	- Insert a 'repoze.pam.identity' key into the WSGI environment on
CM	626	ingress if an identity is found. Its value will be the identity
	627	dictionary related to the identity selected by repoze.pam on
	628	ingress. Downstream consumers are allowed to mutate this
	629	dictionary; this value is passed to "remember" and "forget", so its
	630	main use is to do a "credentials reset"; e.g. a user has changed his
	631	username or password within the application, but we don't want to
	632	force him to log in again after he does so.
a5b033	633
7141c7	634
247f34	635	0.4 (03-07-2008)
7141c7	636	----------------
247f34	637
9238cd	638	- Allow plugins to specify a classifiers list per interface (instead
CM	639	of a single classifiers list per plugin).
247f34	640
7141c7	641
fb510d	642	0.3 (03-05-2008)
7141c7	643	----------------
fb510d	644
9238cd	645	- Make SQLAuthenticatorPlugin's default_password_compare use hexdigest
CM	646	sha instead of base64'ed binary sha for simpler conversion.
fb510d	647
7141c7	648
196bc2	649	0.2 (03-04-2008)
7141c7	650	----------------
196bc2	651
9238cd	652	- Added SQLAuthenticatorPlugin (see plugins/sql.py).
196bc2	653
7141c7	654
318832	655	0.1 (02-27-2008)
7141c7	656	----------------
318832	657
9238cd	658	- Initial release (no configuration file support yet).