RedHatTraining/repoze.who.git

Tres Seaver

2014-12-16 4f1123a707de4e0ffd5db669e5c65b4a1b1ebc9d

commit \| author \| age
7141c7	1	repoze.who Changelog
TS	2	====================
aa8755	3
4f3525	4	Unreleased
TS	5	----------
	6
0a07fc	7	- ``plugins.auth_tkt``: Fix storage of "userdata" to save dict. Fixes
TS	8	https://github.com/repoze/repoze.who/issues/14 via
	9	https://github.com/repoze/repoze.who/pull/18.
	10
7b0a91	11	- Add support for Python 3.4, PyPy3.
TS	12
19d219	13	- middleware: avoid UnboundLocalError when wrapped generater yields no
TS	14	items. See: http://bugs.repoze.org/issue184
	15
4f3525	16	- Make cookie expiration date RFC-2616 compliant (independent of locale,
TS	17	including 'GMT' zone). See https://github.com/repoze/repoze.who/pull/11
	18
9cd0f8	19	2.2 (2013-05-17)
a4b584	20	----------------
TS	21
1d7c19	22	- Parse INI-file configuration using ``SafeConfigParser``: allows
TS	23	escaping the ``'%'`` so that e.g. a query template using for a DB-API
	24	connection using ``pyformat`` preserves the template.
	25
a4b584	26	- Added support for Python 3.3, PyPy.
TS	27
d96616	28
717490	29	2.1 (2013-03-20)
c72bfe	30	----------------
TS	31
5ecc71	32	- ``_compat`` module: tolerate missing ``CONTENT_TYPE`` key in the WSGI
TS	33	environment. Thanks to Dag Hoidal for the patch.
	34
d96616	35	- ``htpasswd`` plugin: add a ``sha1_check`` checker function (the ``crypt``
TS	36	module is not available on Windows). Thanks to Chandrashekar Jayaraman
	37	for the patch.
	38
c72bfe	39	- Documentation typo fixes from Carlos de la Guardia and Atsushi Odagiri.
TS	40
0cfb1a	41
TS	42	2.1b1 (2012-11-05)
	43	------------------
d9f6f4	44
TS	45	- Ported to Py3k using the "compatible subset" mode.
	46	- Dropped support for Python < 2.6.x.
	47	- Dropped dependency on Paste (forking some code from it).
	48	- Added dependency on WebOb instead.
	49	Thanks to Atsushi Odagiri (aodag) for the initial effort.
	50
	51
d03c94	52	2.0 (2011-09-28)
493726	53	----------------
TS	54
7f9907	55	- ``auth_tkt`` plugin: strip any port number from the 'Domain' of generated
TS	56	cookies. http://bugs.repoze.org/issue66
	57
493726	58	- Further harden middleware, calling ``close()`` on the iterable even if
TS	59	raising an exception for a missing challenger.
	60	http://bugs.repoze.org/issue174
	61
	62
1b2443	63	2.0b1 (2011-05-24)
TS	64	------------------
f8ef81	65
d6b53f	66	- Enabled standard use of logging module's configuration mechanism.
TS	67	See http://docs.python.org/dev/howto/logging.html#configuring-logging-for-a-library
	68	Thanks to jgoldsmith for the patch: http://bugs.repoze.org/issue178
	69
	70
f8ef81	71	- ``repoze.who.plugins.htpasswd``: defend against timing-based attacks.
TS	72
	73
2b9b1f	74	2.0a4 (2011-02-02)
TS	75	------------------
9a8e60	76
b01f44	77	- Ensure that the middleware calls ``close()`` (if it exists) on the
TS	78	iterable returned from thw wrapped application, as required by PEP 333.
	79	http://bugs.repoze.org/issue174
	80
03fba8	81	- Make ``make_api_factory_with_config`` tolerant of invalid filenames /
TS	82	content for the config file: in such cases, the API factory will have
	83	no configured plugins or policies: it will only be useful for retrieving
	84	the API from an environment populated by middleware.
	85
c61031	86	- Fix bug in ``repoze.who.api`` where the ``remember()`` or ``forget()``
TS	87	methods could return a None if the identifier plugin returned a None.
cfe26c	88
c61031	89	- Fix ``auth_tkt`` plugin to not hand over tokens as strings to paste. See
fc9a88	90	http://lists.repoze.org/pipermail/repoze-dev/2010-November/003680.html
BS	91
c61031	92	- Fix ``auth_tkt`` plugin to add "secure" and "HttpOnly" to cookies when
TS	93	configured with ``secure=True``: these attributes prevent the browser from
	94	sending cookies over insecure channels, which could be vulnerable to some
3b5782	95	XSS attacks.
d7e647	96
15e365	97	- Avoid propagating unicode 'max_age' value into cookie headers. See
TS	98	https://bugs.launchpad.net/bugs/674123 .
	99
e8080a	100	- Added a single-file example BFG application demonstrating the use of
TS	101	the new 'login' and 'logout' methods of the API object.
	102
924f24	103	- Add ``login`` and ``logout`` methods to the ``repoze.who.api.API`` object,
TS	104	as a convenience for application-driven login / logout code, which would
95f147	105	otherwise need to use private methods of the API, and reach down into
TS	106	its plugins.
f8ef81	107
9a8e60	108
2c742e	109	2.0a3 (2010-09-30)
eb7071	110	------------------
f80021	111
a446d6	112	- Deprecated the following plugins, moving their modules, tests, and docs
ff604c	113	to a new project, ``repoze.who.deprecatedplugins``:
a446d6	114
TS	115	- ``repoze.who.plugins.cookie.InsecureCookiePlugin``
	116
630a05	117	- ``repoze.who.plugins.form.FormPlugin``
a446d6	118
630a05	119	- ``repoze.who.plugins.form.RedirectingFormPlugin``
a446d6	120
TS	121	- Made the ``repoze.who.plugins.cookie.InsecureCookiePlugin`` take a
76e951	122	``charset`` argument, and use to to encode / decode login and password.
TS	123	See http://bugs.repoze.org/issue155
	124
a446d6	125	- Updated ``repoze.who.restrict`` to return headers as a list, to keep
TS	126	``wsgiref`` from complaining.
5b6365	127
a446d6	128	- Helped default request classifier cope with xml submissions with an
6b7b34	129	explicit charset defined: http://bugs.repoze.org/issue145 (Lorenzo
CM	130	M. Catucci)
	131
a446d6	132	- Corrected the handling of type and subtype when matching an XML post
6b7b34	133	to ``xmlpost`` in the default classifier, which, according to RFC
CM	134	2045, must be matched case-insensitively:
	135	http://bugs.repoze.org/issue145 (Lorenzo M. Catucci)
	136
a349a2	137	- Added ``repoze.who.config:make_api_factory_with_config``, a convenience
TS	138	method for applications which want to set up their own API Factory from
	139	a configuration file.
	140
f80021	141	- Fixed example call to ``repoze.who.config:make_middleware_with_config``
TS	142	(added missing ``global_config`` argument). See
	143	http://bugs.repoze.org/issue114
	144
f8ef81	145
c186ae	146	2.0a2 (2010-03-25)
TS	147	------------------
52bc23	148
TS	149	Bugs Fixed
	150	~~~~~~~~~~
	151
	152	- Fixed failure to pass substution values in log message string formatting
	153	for ``repoze.who.api:API.challenge``. Fix included adding tests for all
	154	logging done by the API object. See http://bugs.repoze.org/issue122
	155
	156	Backward Incompatibilities
	157	~~~~~~~~~~~~~~~~~~~~~~~~~~
	158
	159	- Adjusted logging level for some lower-level details from ``info``
	160	to ``debug``.
f8ef81	161
52bc23	162
TS	163
e25b84	164	2.0a1 (2010-02-24)
993216	165	------------------
TS	166
b4b8ee	167	Features
TS	168	~~~~~~~~
62cd25	169
c9c1c6	170	- Restored the ability to create the middleware using the old ``classifier``
TS	171	argument. That argument is now a deprecated-but-will-work-forever alias for
	172	``request_classifier``.
cbc983	173
b0f81f	174	- The ``auth_tkt`` plugin now implements the ``IAuthenticator`` interface,
TS	175	and should normally be used both as an ``IIdentifier`` and an
	176	``IAuthenticator``.
	177
993216	178	- Factored out the API of the middleware object to make it useful from
TS	179	within the application. Applications using ``repoze.who``` now fall into
	180	one of three catgeories:
	181
	182	- "middleware-only" applications are configured with middleware, and
	183	use either ``REMOTE_USER`` or ``repoze.who.identity`` from the environment
	184	to determing the authenticated user.
	185
	186	- "bare metal" applications use no ``repoze.who`` middleware at all:
	187	instead, they configure and an ``APIFactory`` object at startup, and
	188	use it to create an ``API`` object when needed on a per-request basis.
	189
	190	- "hybrid" applications are configured with ``repoze.who`` middleware,
	191	but use a new library function to fetch the ``API`` object from the
c9c1c6	192	environ, e.g. to permit calling ``remember`` after a signup or successful
TS	193	login.
993216	194
b4b8ee	195	Bugs Fixed
TS	196	~~~~~~~~~~
	197
	198	- Fix http://bugs.repoze.org/issue102: when no challengers existed,
	199	logging would cause an exception.
	200
	201	- Remove ``ez_setup.py`` and dependency on it in setup.py (support
	202	distribute).
	203
	204	Backward Incompatibilities
	205	~~~~~~~~~~~~~~~~~~~~~~~~~~
	206
b213af	207	- The middleware used to allow identifier plugins to "pre-authenticate"
TS	208	an identity. This feature is no longer supported: the ``auth_tkt``
	209	plugin, which used to use the feature, is now configured to work as
c9c1c6	210	an authenticator plugin (as well as an identifier).
b213af	211
b4b8ee	212	- The ``repoze.who.middleware:PluggableAuthenticationMiddleware`` class
TS	213	no longer has the following (non-API) methods (now made API methods
	214	of the ``repoze.who.api:API`` class):
	215
	216	- ``add_metadata``
	217	- ``authenticate``
	218	- ``challenge``
	219	- ``identify``
	220
	221	- The following (non-API) functions moved from ``repoze.who.middleware`` to
	222	``repoze.who.api``:
	223
	224	- ``make_registries``
	225	- ``match_classification``
	226	- ``verify``
	227
	228
f8ef81	229
060054	230	1.0.18 (2009-11-05)
TS	231	-------------------
798feb	232
TS	233	- Issue #104: AuthTkt plugin was passing an invalid cookie value in
	234	headers from ``forget``, and was not setting the ``Max-Age`` and
	235	``Expires`` attributes of those cookies.
	236
b4b8ee	237
f8ef81	238
6e136f	239	1.0.17 (2009-11-05)
TS	240	-------------------
e0d138	241
TS	242	- Fixed the ``repoze.who.plugins.form.make_plugin`` factory's ``formcallable``
	243	argument handling, to allow passing in a dotted name (e.g., from a config
	244	file).
	245
b4b8ee	246
f8ef81	247
6b15ee	248	1.0.16 (2009-11-04)
028e4d	249	-------------------
1ec83d	250
8dd881	251	- Exposed ``formcallable`` argument for ``repoze.who.plugins.form.FormPlugin``
TS	252	to the callers of the ``repoze.who.plugins.form.make_plugin`` factory.
	253	Thanks to Roland Hedburg for the report.
21a9c5	254
8dd881	255	- Fixed an issue that caused the following symptom when using the
TS	256	ini configuration parser::
	257
	258	TypeError: _makePlugin() got multiple values for keyword argument 'name'
21a9c5	259
CM	260	See http://bugs.repoze.org/issue92 for more details. Thanks to vaab
	261	for the bug report and initial fix.
	262
1ec83d	263
7141c7	264	1.0.15 (2009-06-25)
TS	265	-------------------
299b4c	266
a14163	267	- If the form post value ``max_age`` exists while in the ``identify``
CM	268	method is handling the ``login_handler_path``, pass the max_age
	269	value in the returned identity dictionary as ``max_age``. See the
	270	below bullet point for why.
	271
299b4c	272	- If the ``identity`` dict passed to the ``auth_tkt`` ``remember``
CM	273	method contains a ``max_age`` key with a string (or integer) value,
	274	treat it as a cue to set the ``Max-Age`` and ``Expires`` headers in
	275	the returned cookies. The cookie ``Max-Age`` is set to the value
	276	and the ``Expires`` is computed from the current time.
	277
7141c7	278
TS	279	1.0.14 (2009-06-17)
	280	-------------------
9318dd	281
1810b2	282	- Fix test breakage on Windows. See http://bugs.repoze.org/issue79 .
TS	283
00a6d9	284	- Documented issue with using ``include_ip`` setting in the ``auth_tkt``
TS	285	plugin. See http://bugs.repoze.org/issue81 .
	286
0dd808	287	- Added 'passthrough_challenge_decider', which avoids re-challenging 401
TS	288	responses which have been "pre-challenged" by the application.
	289
9318dd	290	- One-hundred percent unit test coverage.
TS	291
a6f6dc	292	- Add ``timeout`` and ``reissue_time`` arguments to the auth_tkt
CM	293	identifier plugin, courtesty of Paul Johnston.
	294
	295	- Add a ``userid_checker`` argument to the auth_tkt identifier plugin,
	296	courtesty of Gustavo Narea.
	297
	298	If ``userid_checker`` is provided, it must be a dotted Python name
	299	that resolves to a function which accepts a userid and returns a
	300	boolean True or False, indicating whether that user exists in a
	301	database. This is a workaround. Due to a design bug in repoze.who,
	302	the only way who can check for user existence is to use one or more
	303	IAuthenticator plugin ``authenticate`` methods. If an
	304	IAuthenticator's ``authenticate`` method returns true, it means that
	305	the user exists. However most IAuthenticator plugins expect both
	306	a username and a password, and will return False unconditionally if
	307	both aren't supplied. This means that an authenticator can't be
	308	used to check if the user "only" exists. The identity provided by
	309	an auth_tkt does not contain a password to check against. The
	310	actual design bug in repoze.who is this: when a user presents
	311	credentials from an auth_tkt, he is considered "preauthenticated".
	312	IAuthenticator.authenticate is just never called for a
	313	"preauthenticated" identity, which works fine, but it means that the
	314	user will be considered authenticated even if you deleted the user's
	315	record from whatever database you happen to be using. However, if
	316	you use a userid_checker, you can ensure that a user exists for the
	317	auth_tkt supplied userid. If the userid_checker returns False, the
	318	auth_tkt credentials are considered "no good".
	319
7141c7	320
TS	321	1.0.13 (2009-04-24)
	322	-------------------
64ba13	323
TS	324	- Added a paragraph to ``IAuthenticator`` docstring, documenting that plugins
	325	are allowed to add keys to the ``identity`` dictionary (e.g., to save a
ced7bd	326	second database query in an ``IMetadataProvider`` plugin).
64ba13	327
08b2ae	328	- Patch supplied for issue #71 (http://bugs.repoze.org/issue71)
CM	329	whereby a downstream app can return a generator, relying on an
	330	upstream component to call start_response. We do this because the
	331	challenge decider needs the status and headers to decide what to do.
	332
56d0c5	333
7141c7	334	1.0.12 (2009-04-19)
TS	335	-------------------
56d0c5	336	- auth_tkt plugin tried to append REMOTE_USER_TOKENS data to
CM	337	existing tokens data returned by auth_tkt.parse_tkt; this was
	338	incorrect; just overwrite.
0ee58d	339
TS	340	- Extended auth_tkt plugin factory to allow passing secret in a separate
	341	file from the main config file. See http://bugs.repoze.org/issue40 .
	342
7141c7	343
TS	344	1.0.11 (2009-04-10)
	345	-------------------
afbbcd	346
8c20ba	347	- Fix auth_tkt plugin; cookie values are now quoted, making it possible
CM	348	to put spaces and other whitespace, etc in usernames. (thanks to Michael
95736b	349	Pedersen).
8c20ba	350
afbbcd	351	- Fix corner case issue of an exception raised when attempting to log
CM	352	when there are no identifiers or authenticators.
	353
7141c7	354
TS	355	1.0.10 (2009-01-23)
	356	-------------------
7b931d	357
CM	358	- The RedirectingFormPlugin now passes along SetCookie headers set
	359	into the response by the application within the NotFound response
	360	(fixes TG2 "flash" issue).
	361
7141c7	362
TS	363	1.0.9 (2008-12-18)
	364	------------------
30ab69	365
9238cd	366	- The RedirectingFormPlugin now attempts to find a header named
CM	367	``X-Authentication-Failure-Reason`` among the response headers set
	368	by the application when a challenge is issued. If a value for this
	369	header exists (and is non-blank), the value is attached to the
	370	redirect URL's query string as the ``reason`` parameter (or a
	371	user-settable key). This makes it possible for downstream
	372	applications to issue a response that initiates a challenge with
	373	this header and subsequently display the reason in the login form
	374	rendered as a result of the challenge.
30ab69	375
7141c7	376
TS	377	1.0.8 (2008-12-13)
	378	------------------
186ff6	379
9238cd	380	- The ``PluggableAuthenticationMiddleware`` constructor accepts a
CM	381	``log_stream`` argument, which is typically a file. After this
	382	release, it can also be a PEP 333 ``Logger`` instance; if it is a
	383	PEP 333 ``Logger`` instance, this logger will be used as the
	384	repoze.who logger (instead of one being constructed by the
	385	middleware, as was previously always the case). When the
	386	``log_stream`` argument is a PEP 333 Logger object, the
	387	``log_level`` argument is ignored.
186ff6	388
7141c7	389
TS	390	1.0.7 (2008-08-28)
	391	------------------
37de44	392
9238cd	393	- ``repoze.who`` and ``repoze.who.plugins`` were not added to the
CM	394	``namespace_packages`` list in setup.py, potentially making 1.0.6 a
	395	brownbag release, given that making these packages namespace
	396	packages was the only reason for its release.
37de44	397
7141c7	398
TS	399	1.0.6 (2008-08-28)
	400	------------------
facdf8	401
9238cd	402	- Make repoze.who and repoze.who.plugins into namespace packages
CM	403	mainly so we can allow plugin authors to distribute packages in the
	404	repoze.who.plugins namespace.
facdf8	405
7141c7	406
TS	407	1.0.5 (2008-08-23)
	408	------------------
519300	409
9238cd	410	- Fix auth_tkt plugin to set the same cookies in its ``remember``
CM	411	method that it does in its ``forget`` method. Previously, logging
	412	out and relogging back in to a site that used auth_tkt identifier
	413	plugin was slightly dicey and would only work sometimes.
facdf8	414
9238cd	415	- The FormPlugin plugin has grown a redirect-on-unauthorized feature.
CM	416	Any response from a downstream application that causes a challenge
	417	and includes a Location header will cause a redirect to the value of
	418	the Location header.
dee08c	419
7141c7	420
TS	421	1.0.4 (2008-08-22)
	422	------------------
b95a59	423
9238cd	424	- Added a key to the '[general]' config section: ``remote_user_key``.
CM	425	If you use this key in the config file, it tells who to 1) not
	426	perform any authentication if it exists in the environment during
	427	ingress and 2) to set the key in the environment for the downstream
	428	app to use as the REMOTE_USER variable. The default is
	429	``REMOTE_USER``.
b95a59	430
9238cd	431	- Using unicode user ids in combination with the auth_tkt plugin would
CM	432	cause problems under mod_wsgi.
55dc7a	433
9238cd	434	- Allowed 'cookie_path' argument to InsecureCookiePlugin (and config
CM	435	constructor). Thanks to Gustavo Narea.
55dc7a	436
7141c7	437
TS	438	1.0.3 (2008-08-16)
	439	------------------
f693fe	440
9238cd	441	- A bug in the middleware's ``authenticate`` method made it impossible
CM	442	to authenticate a user with a userid that was null (e.g. 0, False),
	443	which are valid identifiers. The only invalid userid is now None.
c7e12d	444
9238cd	445	- Applied patch from Olaf Conradi which logs an error when an invalid
CM	446	filename is passed to the HTPasswdPlugin.
c7e12d	447
7141c7	448
TS	449	1.0.2 (2008-06-16)
	450	------------------
cad90d	451
9238cd	452	- Fix bug found by Chris Perkins: the auth_tkt plugin's "remember"
CM	453	method didn't handle userids which are Python "long" instances
	454	properly. Symptom: TypeError: cannot concatenate 'str' and 'long'
	455	objects in "paste.auth.auth_tkt".
a2c030	456
9238cd	457	- Added predicate-based "restriction" middleware support
CM	458	(repoze.who.restrict), allowing configuratio-driven authorization as
	459	a WSGI filter. One example predicate, 'authenticated_predicate', is
	460	supplied, which requires that the user be authenticated either via
	461	'REMOTE_USER' or via 'repoze.who.identity'. To use the filter to
	462	restrict access::
cad90d	463
TS	464	[filter:authenticated_only]
	465	use = egg:repoze.who#authenticated
	466
	467	or::
	468
	469	[filter:some_predicate]
	470	use = egg:repoze.who#predicate
	471	predicate = my.module:some_predicate
	472	some_option = a value
	473
7141c7	474
TS	475	1.0.1 (2008-05-24)
	476	------------------
8199a1	477
9238cd	478	- Remove dependency-link to dist.repoze.org to prevent easy_install
CM	479	from inserting that path into its search paths (the dependencies are
	480	available from PyPI).
8199a1	481
7141c7	482
TS	483	1.0 (2008-05-04)
	484	-----------------
419946	485
9238cd	486	- The plugin at plugins.form.FormPlugin didn't redirect properly after
CM	487	collecting identification information. Symptom: a downstream app
	488	would receive a POST request with a blank body, which would
	489	sometimes result in a Bad Request error.
f39349	490
9238cd	491	- Fixed interface declarations of
CM	492	'classifiers.default_request_classifier' and
	493	'classifiers.default_password_compare'.
515c69	494
9238cd	495	- Added actual config-driven middleware factory,
CM	496	'config.make_middleware_with_config'
515c69	497
9238cd	498	- Removed fossilized 'who_conf' argument from plugin factory functions.
515c69	499
7141c7	500	- Added ConfigParser-based WhoConfig, implementing the spec outlined at
9238cd	501	http://www.plope.com/static/misc/sphinxtest/intro.html#middleware-configuration-via-config-file,
CM	502	with the following changes:
419946	503
7141c7	504	- "Bare" plugins (requiring no configuration options) may be specified
419946	505	as either egg entry points (e.g., 'egg:distname#entry_point_name') or
TS	506	as dotted-path-with-colon (e.g., 'dotted.name:object_id').
	507
7141c7	508	- Therefore, the separator between a plugin and its classifier is now
TS	509	a semicolon, rather than a colon. E.g.::
419946	510
TS	511	[plugins:id_plugin]
	512	use = egg:another.package#identify_with_frobnatz
	513	frobnatz = baz
	514
	515	[identifiers]
	516	plugins =
	517	egg:my.egg#identify;browser
	518	dotted.name:identifier
	519	id_plugin
	520
7141c7	521
779caf	522	0.9.1 (2008-04-27)
7141c7	523	------------------
779caf	524
9238cd	525	- Fix auth_tkt plugin to be able to encode and decode integer user
CM	526	ids.
779caf	527
7141c7	528
88e646	529	0.9 (2008-04-01)
7141c7	530	----------------
88e646	531
9238cd	532	- Fix bug introduced in FormPlugin in 0.8 release (rememberer headers
CM	533	not set).
88e646	534
9238cd	535	- Add PATH_INFO to started and ended log info.
d9f046	536
9238cd	537	- Add a SQLMetadataProviderPlugin (in plugins/sql).
d9f046	538
9238cd	539	- Change constructor of SQLAuthenticatorPlugin: it now accepts only
CM	540	"query", "conn_factory", and "compare_fn". The old constructor
	541	accepted a DSN, but some database systems don't use DBAPI DSNs. The
	542	new constructor accepts no DSN; the conn_factory is assumed to do
	543	all the work to make a connection, including knowing the DSN if one
	544	is required. The "conn_factory" should return something that, when
	545	called with no arguments, returns a database connection.
d9f046	546
9238cd	547	- The "make_plugin" helper in plugins/sql has been renamed
CM	548	"make_authenticator_plugin". When called, this helper will return a
	549	SQLAuthenticatorPlugin. A bit of helper logic in the
	550	"make_authenticator_plugin" allows a connection factory to be
	551	computed. The top-level callable referred to by conn_factory in
	552	this helper should return a function that, when called with no
	553	arguments, returns a datbase connection. The top-level callable
	554	itself is called with "who_conf" (global who configuration) and any
	555	number of non-top-level keyword arguments as they are passed into
	556	the helper, to allow for a DSN or URL or whatever to be passed in.
d9f046	557
9238cd	558	- A "make_metatata_plugin" helper has been added to plugins/sql. When
CM	559	called, this will make a SQLMetadataProviderPlugin. See the
	560	implementation for details. It is similar to the
	561	"make_authenticator_plugin" helper.
d9f046	562
7141c7	563
cbe4e3	564	0.8 (2008-03-27)
7141c7	565	----------------
b5a331	566
9238cd	567	- Add a RedirectingFormIdentifier plugin. This plugin is willing to
CM	568	redirect to an external (or downstream application) login form to
	569	perform identification. The external login form must post to the
	570	"login_handler_path" of the plugin (optimally with a "came_from"
	571	value to tell the plugin where to redirect the response to if the
	572	authentication works properly). The "logout_handler_path" of this
	573	plugin can be visited to perform a logout. The "came_from" value
	574	also works there.
a400b0	575
9238cd	576	- Identifier plugins are now permitted to set a key in the environment
CM	577	named 'repoze.who.application' on ingress (in 'identify'). If an
	578	identifier plugin does so, this application is used instead of the
	579	"normal" downstream application. This feature was added to more
	580	simply support the redirecting form identifier plugin.
a400b0	581
7141c7	582
a400b0	583	0.7 (2008-03-26)
7141c7	584	----------------
a400b0	585
9238cd	586	- Change the IMetadataProvider interface: this interface used to have
CM	587	a "metadata" method which returned a dictionary. This method is not
	588	part of that API anymore. It's been replaced with an "add_metadata"
	589	method which has the signature::
b5a331	590
CM	591	def add_metadata(environ, identity):
	592	"""
	593	Add metadata to the identity (which is a dictionary)
	594	"""
	595
	596	The return value is ignored. IMetadataProvider plugins are now
	597	assumed to be responsible for 'scribbling' directly on the identity
	598	that is passed in (it's a dictionary). The user id can always be
	599	retrieved from the identity via identity['repoze.who.userid'] for
	600	metadata plugins that rely on that value.
	601
7141c7	602
a400b0	603	0.6 (2008-03-20)
7141c7	604	----------------
e35c64	605
9238cd	606	- Renaming: repoze.pam is now repoze.who
cb5426	607
9238cd	608	- Bump ez_setup.py version.
e35c64	609
9238cd	610	- Add IMetadataProvider plugin type. Chris says 'Whit rules'.
fa9581	611
7141c7	612
3b67e9	613	0.5 (2008-03-09)
7141c7	614	----------------
db4cf5	615
9238cd	616	- Allow "remote user key" (default: REMOTE_USER) to be overridden
CM	617	(pass in remote_user_key to middleware constructor).
db4cf5	618
9238cd	619	- Allow form plugin to override the default form.
db4cf5	620
9238cd	621	- API change: IIdentifiers are no longer required to put both 'login'
CM	622	and 'password' in a returned identity dictionary. Instead, an
	623	IIdentifier can place arbitrary key/value pairs in the identity
	624	dictionary (or return an empty dictionary).
40a968	625
9238cd	626	- API return value change: the "failure" identity which IIdentifiers
CM	627	return is now None rather than an empty dictionary.
40a968	628
9238cd	629	- The IAuthenticator interface now specifies that IAuthenticators must
CM	630	not raise an exception when evaluating an identity that does not
	631	have "expected" key/value pairs (e.g. when an IAuthenticator that
	632	expects login and password inspects an identity returned by an
	633	IP-based auth system which only puts the IP address in the
	634	identity); instead they fail gracefully by returning None.
40a968	635
9238cd	636	- Add (cookie) "auth_tkt" identification plugin.
a5b033	637
9238cd	638	- Stamp identity dictionaries with a userid by placing a key named
CM	639	'repoze.pam.userid' into the identity for each authenticated
	640	identity.
a5b033	641
9238cd	642	- If an IIdentifier plugin inserts a 'repoze.pam.userid' key into the
CM	643	identity dictionary, consider this identity "preauthenticated". No
	644	authenticator plugins will be asked to authenticate this identity.
	645	This is designed for things like the recently added auth_tkt plugin,
	646	which embeds the user id into the ticket. This effectively alllows
	647	an IIdentifier plugin to become an IAuthenticator plugin when
	648	breaking apart the responsibility into two separate plugins is
	649	"make-work". Preauthenticated identities will be selected first
	650	when deciding which identity to use for any given request.
a5b033	651
9238cd	652	- Insert a 'repoze.pam.identity' key into the WSGI environment on
CM	653	ingress if an identity is found. Its value will be the identity
	654	dictionary related to the identity selected by repoze.pam on
	655	ingress. Downstream consumers are allowed to mutate this
	656	dictionary; this value is passed to "remember" and "forget", so its
	657	main use is to do a "credentials reset"; e.g. a user has changed his
	658	username or password within the application, but we don't want to
	659	force him to log in again after he does so.
a5b033	660
7141c7	661
247f34	662	0.4 (03-07-2008)
7141c7	663	----------------
247f34	664
9238cd	665	- Allow plugins to specify a classifiers list per interface (instead
CM	666	of a single classifiers list per plugin).
247f34	667
7141c7	668
fb510d	669	0.3 (03-05-2008)
7141c7	670	----------------
fb510d	671
9238cd	672	- Make SQLAuthenticatorPlugin's default_password_compare use hexdigest
CM	673	sha instead of base64'ed binary sha for simpler conversion.
fb510d	674
7141c7	675
196bc2	676	0.2 (03-04-2008)
7141c7	677	----------------
196bc2	678
9238cd	679	- Added SQLAuthenticatorPlugin (see plugins/sql.py).
196bc2	680
7141c7	681
318832	682	0.1 (02-27-2008)
7141c7	683	----------------
318832	684
9238cd	685	- Initial release (no configuration file support yet).