RedHatTraining/repoze.who.git

Tres Seaver

2016-05-31 565160e0757c950b21db0104f42e778ca2a663a3

commit \| author \| age
7141c7	1	repoze.who Changelog
TS	2	====================
aa8755	3
c46a74	4	2.3 (unreleased)
TS	5	----------------
	6
90fd1c	7	- Add support for Python 3.4, Python 3.5, and PyPy3.
c46a74	8
TS	9	- Drop support for Python 2.6 and 3.2.
4f3525	10
0a07fc	11	- ``plugins.auth_tkt``: Fix storage of "userdata" to save dict. Fixes
TS	12	https://github.com/repoze/repoze.who/issues/14 via
	13	https://github.com/repoze/repoze.who/pull/18.
7b0a91	14
19d219	15	- middleware: avoid UnboundLocalError when wrapped generater yields no
TS	16	items. See: http://bugs.repoze.org/issue184
	17
4f3525	18	- Make cookie expiration date RFC-2616 compliant (independent of locale,
TS	19	including 'GMT' zone). See https://github.com/repoze/repoze.who/pull/11
	20
9cd0f8	21	2.2 (2013-05-17)
a4b584	22	----------------
TS	23
1d7c19	24	- Parse INI-file configuration using ``SafeConfigParser``: allows
TS	25	escaping the ``'%'`` so that e.g. a query template using for a DB-API
	26	connection using ``pyformat`` preserves the template.
	27
a4b584	28	- Added support for Python 3.3, PyPy.
TS	29
d96616	30
717490	31	2.1 (2013-03-20)
c72bfe	32	----------------
TS	33
5ecc71	34	- ``_compat`` module: tolerate missing ``CONTENT_TYPE`` key in the WSGI
TS	35	environment. Thanks to Dag Hoidal for the patch.
	36
d96616	37	- ``htpasswd`` plugin: add a ``sha1_check`` checker function (the ``crypt``
TS	38	module is not available on Windows). Thanks to Chandrashekar Jayaraman
	39	for the patch.
	40
c72bfe	41	- Documentation typo fixes from Carlos de la Guardia and Atsushi Odagiri.
TS	42
0cfb1a	43
TS	44	2.1b1 (2012-11-05)
	45	------------------
d9f6f4	46
TS	47	- Ported to Py3k using the "compatible subset" mode.
	48	- Dropped support for Python < 2.6.x.
	49	- Dropped dependency on Paste (forking some code from it).
	50	- Added dependency on WebOb instead.
	51	Thanks to Atsushi Odagiri (aodag) for the initial effort.
	52
	53
d03c94	54	2.0 (2011-09-28)
493726	55	----------------
TS	56
7f9907	57	- ``auth_tkt`` plugin: strip any port number from the 'Domain' of generated
TS	58	cookies. http://bugs.repoze.org/issue66
	59
493726	60	- Further harden middleware, calling ``close()`` on the iterable even if
TS	61	raising an exception for a missing challenger.
	62	http://bugs.repoze.org/issue174
	63
	64
1b2443	65	2.0b1 (2011-05-24)
TS	66	------------------
f8ef81	67
d6b53f	68	- Enabled standard use of logging module's configuration mechanism.
TS	69	See http://docs.python.org/dev/howto/logging.html#configuring-logging-for-a-library
	70	Thanks to jgoldsmith for the patch: http://bugs.repoze.org/issue178
	71
	72
f8ef81	73	- ``repoze.who.plugins.htpasswd``: defend against timing-based attacks.
TS	74
	75
2b9b1f	76	2.0a4 (2011-02-02)
TS	77	------------------
9a8e60	78
b01f44	79	- Ensure that the middleware calls ``close()`` (if it exists) on the
TS	80	iterable returned from thw wrapped application, as required by PEP 333.
	81	http://bugs.repoze.org/issue174
	82
03fba8	83	- Make ``make_api_factory_with_config`` tolerant of invalid filenames /
TS	84	content for the config file: in such cases, the API factory will have
	85	no configured plugins or policies: it will only be useful for retrieving
	86	the API from an environment populated by middleware.
	87
c61031	88	- Fix bug in ``repoze.who.api`` where the ``remember()`` or ``forget()``
TS	89	methods could return a None if the identifier plugin returned a None.
cfe26c	90
c61031	91	- Fix ``auth_tkt`` plugin to not hand over tokens as strings to paste. See
fc9a88	92	http://lists.repoze.org/pipermail/repoze-dev/2010-November/003680.html
BS	93
c61031	94	- Fix ``auth_tkt`` plugin to add "secure" and "HttpOnly" to cookies when
TS	95	configured with ``secure=True``: these attributes prevent the browser from
	96	sending cookies over insecure channels, which could be vulnerable to some
3b5782	97	XSS attacks.
d7e647	98
15e365	99	- Avoid propagating unicode 'max_age' value into cookie headers. See
TS	100	https://bugs.launchpad.net/bugs/674123 .
	101
e8080a	102	- Added a single-file example BFG application demonstrating the use of
TS	103	the new 'login' and 'logout' methods of the API object.
	104
924f24	105	- Add ``login`` and ``logout`` methods to the ``repoze.who.api.API`` object,
TS	106	as a convenience for application-driven login / logout code, which would
95f147	107	otherwise need to use private methods of the API, and reach down into
TS	108	its plugins.
f8ef81	109
9a8e60	110
2c742e	111	2.0a3 (2010-09-30)
eb7071	112	------------------
f80021	113
a446d6	114	- Deprecated the following plugins, moving their modules, tests, and docs
ff604c	115	to a new project, ``repoze.who.deprecatedplugins``:
a446d6	116
TS	117	- ``repoze.who.plugins.cookie.InsecureCookiePlugin``
	118
630a05	119	- ``repoze.who.plugins.form.FormPlugin``
a446d6	120
630a05	121	- ``repoze.who.plugins.form.RedirectingFormPlugin``
a446d6	122
TS	123	- Made the ``repoze.who.plugins.cookie.InsecureCookiePlugin`` take a
76e951	124	``charset`` argument, and use to to encode / decode login and password.
TS	125	See http://bugs.repoze.org/issue155
	126
a446d6	127	- Updated ``repoze.who.restrict`` to return headers as a list, to keep
TS	128	``wsgiref`` from complaining.
5b6365	129
a446d6	130	- Helped default request classifier cope with xml submissions with an
6b7b34	131	explicit charset defined: http://bugs.repoze.org/issue145 (Lorenzo
CM	132	M. Catucci)
	133
a446d6	134	- Corrected the handling of type and subtype when matching an XML post
6b7b34	135	to ``xmlpost`` in the default classifier, which, according to RFC
CM	136	2045, must be matched case-insensitively:
	137	http://bugs.repoze.org/issue145 (Lorenzo M. Catucci)
	138
a349a2	139	- Added ``repoze.who.config:make_api_factory_with_config``, a convenience
TS	140	method for applications which want to set up their own API Factory from
	141	a configuration file.
	142
f80021	143	- Fixed example call to ``repoze.who.config:make_middleware_with_config``
TS	144	(added missing ``global_config`` argument). See
	145	http://bugs.repoze.org/issue114
	146
f8ef81	147
c186ae	148	2.0a2 (2010-03-25)
TS	149	------------------
52bc23	150
TS	151	Bugs Fixed
	152	~~~~~~~~~~
	153
	154	- Fixed failure to pass substution values in log message string formatting
	155	for ``repoze.who.api:API.challenge``. Fix included adding tests for all
	156	logging done by the API object. See http://bugs.repoze.org/issue122
	157
	158	Backward Incompatibilities
	159	~~~~~~~~~~~~~~~~~~~~~~~~~~
	160
	161	- Adjusted logging level for some lower-level details from ``info``
	162	to ``debug``.
f8ef81	163
52bc23	164
TS	165
e25b84	166	2.0a1 (2010-02-24)
993216	167	------------------
TS	168
b4b8ee	169	Features
TS	170	~~~~~~~~
62cd25	171
c9c1c6	172	- Restored the ability to create the middleware using the old ``classifier``
TS	173	argument. That argument is now a deprecated-but-will-work-forever alias for
	174	``request_classifier``.
cbc983	175
b0f81f	176	- The ``auth_tkt`` plugin now implements the ``IAuthenticator`` interface,
TS	177	and should normally be used both as an ``IIdentifier`` and an
	178	``IAuthenticator``.
	179
993216	180	- Factored out the API of the middleware object to make it useful from
TS	181	within the application. Applications using ``repoze.who``` now fall into
	182	one of three catgeories:
	183
	184	- "middleware-only" applications are configured with middleware, and
	185	use either ``REMOTE_USER`` or ``repoze.who.identity`` from the environment
	186	to determing the authenticated user.
	187
	188	- "bare metal" applications use no ``repoze.who`` middleware at all:
	189	instead, they configure and an ``APIFactory`` object at startup, and
	190	use it to create an ``API`` object when needed on a per-request basis.
	191
	192	- "hybrid" applications are configured with ``repoze.who`` middleware,
	193	but use a new library function to fetch the ``API`` object from the
c9c1c6	194	environ, e.g. to permit calling ``remember`` after a signup or successful
TS	195	login.
993216	196
b4b8ee	197	Bugs Fixed
TS	198	~~~~~~~~~~
	199
	200	- Fix http://bugs.repoze.org/issue102: when no challengers existed,
	201	logging would cause an exception.
	202
	203	- Remove ``ez_setup.py`` and dependency on it in setup.py (support
	204	distribute).
	205
	206	Backward Incompatibilities
	207	~~~~~~~~~~~~~~~~~~~~~~~~~~
	208
b213af	209	- The middleware used to allow identifier plugins to "pre-authenticate"
TS	210	an identity. This feature is no longer supported: the ``auth_tkt``
	211	plugin, which used to use the feature, is now configured to work as
c9c1c6	212	an authenticator plugin (as well as an identifier).
b213af	213
b4b8ee	214	- The ``repoze.who.middleware:PluggableAuthenticationMiddleware`` class
TS	215	no longer has the following (non-API) methods (now made API methods
	216	of the ``repoze.who.api:API`` class):
	217
	218	- ``add_metadata``
	219	- ``authenticate``
	220	- ``challenge``
	221	- ``identify``
	222
	223	- The following (non-API) functions moved from ``repoze.who.middleware`` to
	224	``repoze.who.api``:
	225
	226	- ``make_registries``
	227	- ``match_classification``
	228	- ``verify``
	229
	230
f8ef81	231
060054	232	1.0.18 (2009-11-05)
TS	233	-------------------
798feb	234
TS	235	- Issue #104: AuthTkt plugin was passing an invalid cookie value in
	236	headers from ``forget``, and was not setting the ``Max-Age`` and
	237	``Expires`` attributes of those cookies.
	238
b4b8ee	239
f8ef81	240
6e136f	241	1.0.17 (2009-11-05)
TS	242	-------------------
e0d138	243
TS	244	- Fixed the ``repoze.who.plugins.form.make_plugin`` factory's ``formcallable``
	245	argument handling, to allow passing in a dotted name (e.g., from a config
	246	file).
	247
b4b8ee	248
f8ef81	249
6b15ee	250	1.0.16 (2009-11-04)
028e4d	251	-------------------
1ec83d	252
8dd881	253	- Exposed ``formcallable`` argument for ``repoze.who.plugins.form.FormPlugin``
TS	254	to the callers of the ``repoze.who.plugins.form.make_plugin`` factory.
	255	Thanks to Roland Hedburg for the report.
21a9c5	256
8dd881	257	- Fixed an issue that caused the following symptom when using the
TS	258	ini configuration parser::
	259
	260	TypeError: _makePlugin() got multiple values for keyword argument 'name'
21a9c5	261
CM	262	See http://bugs.repoze.org/issue92 for more details. Thanks to vaab
	263	for the bug report and initial fix.
	264
1ec83d	265
7141c7	266	1.0.15 (2009-06-25)
TS	267	-------------------
299b4c	268
a14163	269	- If the form post value ``max_age`` exists while in the ``identify``
CM	270	method is handling the ``login_handler_path``, pass the max_age
	271	value in the returned identity dictionary as ``max_age``. See the
	272	below bullet point for why.
	273
299b4c	274	- If the ``identity`` dict passed to the ``auth_tkt`` ``remember``
CM	275	method contains a ``max_age`` key with a string (or integer) value,
	276	treat it as a cue to set the ``Max-Age`` and ``Expires`` headers in
	277	the returned cookies. The cookie ``Max-Age`` is set to the value
	278	and the ``Expires`` is computed from the current time.
	279
7141c7	280
TS	281	1.0.14 (2009-06-17)
	282	-------------------
9318dd	283
1810b2	284	- Fix test breakage on Windows. See http://bugs.repoze.org/issue79 .
TS	285
00a6d9	286	- Documented issue with using ``include_ip`` setting in the ``auth_tkt``
TS	287	plugin. See http://bugs.repoze.org/issue81 .
	288
0dd808	289	- Added 'passthrough_challenge_decider', which avoids re-challenging 401
TS	290	responses which have been "pre-challenged" by the application.
	291
9318dd	292	- One-hundred percent unit test coverage.
TS	293
a6f6dc	294	- Add ``timeout`` and ``reissue_time`` arguments to the auth_tkt
CM	295	identifier plugin, courtesty of Paul Johnston.
	296
	297	- Add a ``userid_checker`` argument to the auth_tkt identifier plugin,
	298	courtesty of Gustavo Narea.
	299
	300	If ``userid_checker`` is provided, it must be a dotted Python name
	301	that resolves to a function which accepts a userid and returns a
	302	boolean True or False, indicating whether that user exists in a
	303	database. This is a workaround. Due to a design bug in repoze.who,
	304	the only way who can check for user existence is to use one or more
	305	IAuthenticator plugin ``authenticate`` methods. If an
	306	IAuthenticator's ``authenticate`` method returns true, it means that
	307	the user exists. However most IAuthenticator plugins expect both
	308	a username and a password, and will return False unconditionally if
	309	both aren't supplied. This means that an authenticator can't be
	310	used to check if the user "only" exists. The identity provided by
	311	an auth_tkt does not contain a password to check against. The
	312	actual design bug in repoze.who is this: when a user presents
	313	credentials from an auth_tkt, he is considered "preauthenticated".
	314	IAuthenticator.authenticate is just never called for a
	315	"preauthenticated" identity, which works fine, but it means that the
	316	user will be considered authenticated even if you deleted the user's
	317	record from whatever database you happen to be using. However, if
	318	you use a userid_checker, you can ensure that a user exists for the
	319	auth_tkt supplied userid. If the userid_checker returns False, the
	320	auth_tkt credentials are considered "no good".
	321
7141c7	322
TS	323	1.0.13 (2009-04-24)
	324	-------------------
64ba13	325
TS	326	- Added a paragraph to ``IAuthenticator`` docstring, documenting that plugins
	327	are allowed to add keys to the ``identity`` dictionary (e.g., to save a
ced7bd	328	second database query in an ``IMetadataProvider`` plugin).
64ba13	329
08b2ae	330	- Patch supplied for issue #71 (http://bugs.repoze.org/issue71)
CM	331	whereby a downstream app can return a generator, relying on an
	332	upstream component to call start_response. We do this because the
	333	challenge decider needs the status and headers to decide what to do.
	334
56d0c5	335
7141c7	336	1.0.12 (2009-04-19)
TS	337	-------------------
56d0c5	338	- auth_tkt plugin tried to append REMOTE_USER_TOKENS data to
CM	339	existing tokens data returned by auth_tkt.parse_tkt; this was
	340	incorrect; just overwrite.
0ee58d	341
TS	342	- Extended auth_tkt plugin factory to allow passing secret in a separate
	343	file from the main config file. See http://bugs.repoze.org/issue40 .
	344
7141c7	345
TS	346	1.0.11 (2009-04-10)
	347	-------------------
afbbcd	348
8c20ba	349	- Fix auth_tkt plugin; cookie values are now quoted, making it possible
CM	350	to put spaces and other whitespace, etc in usernames. (thanks to Michael
95736b	351	Pedersen).
8c20ba	352
afbbcd	353	- Fix corner case issue of an exception raised when attempting to log
CM	354	when there are no identifiers or authenticators.
	355
7141c7	356
TS	357	1.0.10 (2009-01-23)
	358	-------------------
7b931d	359
CM	360	- The RedirectingFormPlugin now passes along SetCookie headers set
	361	into the response by the application within the NotFound response
	362	(fixes TG2 "flash" issue).
	363
7141c7	364
TS	365	1.0.9 (2008-12-18)
	366	------------------
30ab69	367
9238cd	368	- The RedirectingFormPlugin now attempts to find a header named
CM	369	``X-Authentication-Failure-Reason`` among the response headers set
	370	by the application when a challenge is issued. If a value for this
	371	header exists (and is non-blank), the value is attached to the
	372	redirect URL's query string as the ``reason`` parameter (or a
	373	user-settable key). This makes it possible for downstream
	374	applications to issue a response that initiates a challenge with
	375	this header and subsequently display the reason in the login form
	376	rendered as a result of the challenge.
30ab69	377
7141c7	378
TS	379	1.0.8 (2008-12-13)
	380	------------------
186ff6	381
9238cd	382	- The ``PluggableAuthenticationMiddleware`` constructor accepts a
CM	383	``log_stream`` argument, which is typically a file. After this
	384	release, it can also be a PEP 333 ``Logger`` instance; if it is a
	385	PEP 333 ``Logger`` instance, this logger will be used as the
	386	repoze.who logger (instead of one being constructed by the
	387	middleware, as was previously always the case). When the
	388	``log_stream`` argument is a PEP 333 Logger object, the
	389	``log_level`` argument is ignored.
186ff6	390
7141c7	391
TS	392	1.0.7 (2008-08-28)
	393	------------------
37de44	394
9238cd	395	- ``repoze.who`` and ``repoze.who.plugins`` were not added to the
CM	396	``namespace_packages`` list in setup.py, potentially making 1.0.6 a
	397	brownbag release, given that making these packages namespace
	398	packages was the only reason for its release.
37de44	399
7141c7	400
TS	401	1.0.6 (2008-08-28)
	402	------------------
facdf8	403
9238cd	404	- Make repoze.who and repoze.who.plugins into namespace packages
CM	405	mainly so we can allow plugin authors to distribute packages in the
	406	repoze.who.plugins namespace.
facdf8	407
7141c7	408
TS	409	1.0.5 (2008-08-23)
	410	------------------
519300	411
9238cd	412	- Fix auth_tkt plugin to set the same cookies in its ``remember``
CM	413	method that it does in its ``forget`` method. Previously, logging
	414	out and relogging back in to a site that used auth_tkt identifier
	415	plugin was slightly dicey and would only work sometimes.
facdf8	416
9238cd	417	- The FormPlugin plugin has grown a redirect-on-unauthorized feature.
CM	418	Any response from a downstream application that causes a challenge
	419	and includes a Location header will cause a redirect to the value of
	420	the Location header.
dee08c	421
7141c7	422
TS	423	1.0.4 (2008-08-22)
	424	------------------
b95a59	425
9238cd	426	- Added a key to the '[general]' config section: ``remote_user_key``.
CM	427	If you use this key in the config file, it tells who to 1) not
	428	perform any authentication if it exists in the environment during
	429	ingress and 2) to set the key in the environment for the downstream
	430	app to use as the REMOTE_USER variable. The default is
	431	``REMOTE_USER``.
b95a59	432
9238cd	433	- Using unicode user ids in combination with the auth_tkt plugin would
CM	434	cause problems under mod_wsgi.
55dc7a	435
9238cd	436	- Allowed 'cookie_path' argument to InsecureCookiePlugin (and config
CM	437	constructor). Thanks to Gustavo Narea.
55dc7a	438
7141c7	439
TS	440	1.0.3 (2008-08-16)
	441	------------------
f693fe	442
9238cd	443	- A bug in the middleware's ``authenticate`` method made it impossible
CM	444	to authenticate a user with a userid that was null (e.g. 0, False),
	445	which are valid identifiers. The only invalid userid is now None.
c7e12d	446
9238cd	447	- Applied patch from Olaf Conradi which logs an error when an invalid
CM	448	filename is passed to the HTPasswdPlugin.
c7e12d	449
7141c7	450
TS	451	1.0.2 (2008-06-16)
	452	------------------
cad90d	453
9238cd	454	- Fix bug found by Chris Perkins: the auth_tkt plugin's "remember"
CM	455	method didn't handle userids which are Python "long" instances
	456	properly. Symptom: TypeError: cannot concatenate 'str' and 'long'
	457	objects in "paste.auth.auth_tkt".
a2c030	458
9238cd	459	- Added predicate-based "restriction" middleware support
CM	460	(repoze.who.restrict), allowing configuratio-driven authorization as
	461	a WSGI filter. One example predicate, 'authenticated_predicate', is
	462	supplied, which requires that the user be authenticated either via
	463	'REMOTE_USER' or via 'repoze.who.identity'. To use the filter to
	464	restrict access::
cad90d	465
TS	466	[filter:authenticated_only]
	467	use = egg:repoze.who#authenticated
	468
	469	or::
	470
	471	[filter:some_predicate]
	472	use = egg:repoze.who#predicate
	473	predicate = my.module:some_predicate
	474	some_option = a value
	475
7141c7	476
TS	477	1.0.1 (2008-05-24)
	478	------------------
8199a1	479
9238cd	480	- Remove dependency-link to dist.repoze.org to prevent easy_install
CM	481	from inserting that path into its search paths (the dependencies are
	482	available from PyPI).
8199a1	483
7141c7	484
TS	485	1.0 (2008-05-04)
	486	-----------------
419946	487
9238cd	488	- The plugin at plugins.form.FormPlugin didn't redirect properly after
CM	489	collecting identification information. Symptom: a downstream app
	490	would receive a POST request with a blank body, which would
	491	sometimes result in a Bad Request error.
f39349	492
9238cd	493	- Fixed interface declarations of
CM	494	'classifiers.default_request_classifier' and
	495	'classifiers.default_password_compare'.
515c69	496
9238cd	497	- Added actual config-driven middleware factory,
CM	498	'config.make_middleware_with_config'
515c69	499
9238cd	500	- Removed fossilized 'who_conf' argument from plugin factory functions.
515c69	501
7141c7	502	- Added ConfigParser-based WhoConfig, implementing the spec outlined at
9238cd	503	http://www.plope.com/static/misc/sphinxtest/intro.html#middleware-configuration-via-config-file,
CM	504	with the following changes:
419946	505
7141c7	506	- "Bare" plugins (requiring no configuration options) may be specified
419946	507	as either egg entry points (e.g., 'egg:distname#entry_point_name') or
TS	508	as dotted-path-with-colon (e.g., 'dotted.name:object_id').
	509
7141c7	510	- Therefore, the separator between a plugin and its classifier is now
TS	511	a semicolon, rather than a colon. E.g.::
419946	512
TS	513	[plugins:id_plugin]
	514	use = egg:another.package#identify_with_frobnatz
	515	frobnatz = baz
	516
	517	[identifiers]
	518	plugins =
	519	egg:my.egg#identify;browser
	520	dotted.name:identifier
	521	id_plugin
	522
7141c7	523
779caf	524	0.9.1 (2008-04-27)
7141c7	525	------------------
779caf	526
9238cd	527	- Fix auth_tkt plugin to be able to encode and decode integer user
CM	528	ids.
779caf	529
7141c7	530
88e646	531	0.9 (2008-04-01)
7141c7	532	----------------
88e646	533
9238cd	534	- Fix bug introduced in FormPlugin in 0.8 release (rememberer headers
CM	535	not set).
88e646	536
9238cd	537	- Add PATH_INFO to started and ended log info.
d9f046	538
9238cd	539	- Add a SQLMetadataProviderPlugin (in plugins/sql).
d9f046	540
9238cd	541	- Change constructor of SQLAuthenticatorPlugin: it now accepts only
CM	542	"query", "conn_factory", and "compare_fn". The old constructor
	543	accepted a DSN, but some database systems don't use DBAPI DSNs. The
	544	new constructor accepts no DSN; the conn_factory is assumed to do
	545	all the work to make a connection, including knowing the DSN if one
	546	is required. The "conn_factory" should return something that, when
	547	called with no arguments, returns a database connection.
d9f046	548
9238cd	549	- The "make_plugin" helper in plugins/sql has been renamed
CM	550	"make_authenticator_plugin". When called, this helper will return a
	551	SQLAuthenticatorPlugin. A bit of helper logic in the
	552	"make_authenticator_plugin" allows a connection factory to be
	553	computed. The top-level callable referred to by conn_factory in
	554	this helper should return a function that, when called with no
	555	arguments, returns a datbase connection. The top-level callable
	556	itself is called with "who_conf" (global who configuration) and any
	557	number of non-top-level keyword arguments as they are passed into
	558	the helper, to allow for a DSN or URL or whatever to be passed in.
d9f046	559
9238cd	560	- A "make_metatata_plugin" helper has been added to plugins/sql. When
CM	561	called, this will make a SQLMetadataProviderPlugin. See the
	562	implementation for details. It is similar to the
	563	"make_authenticator_plugin" helper.
d9f046	564
7141c7	565
cbe4e3	566	0.8 (2008-03-27)
7141c7	567	----------------
b5a331	568
9238cd	569	- Add a RedirectingFormIdentifier plugin. This plugin is willing to
CM	570	redirect to an external (or downstream application) login form to
	571	perform identification. The external login form must post to the
	572	"login_handler_path" of the plugin (optimally with a "came_from"
	573	value to tell the plugin where to redirect the response to if the
	574	authentication works properly). The "logout_handler_path" of this
	575	plugin can be visited to perform a logout. The "came_from" value
	576	also works there.
a400b0	577
9238cd	578	- Identifier plugins are now permitted to set a key in the environment
CM	579	named 'repoze.who.application' on ingress (in 'identify'). If an
	580	identifier plugin does so, this application is used instead of the
	581	"normal" downstream application. This feature was added to more
	582	simply support the redirecting form identifier plugin.
a400b0	583
7141c7	584
a400b0	585	0.7 (2008-03-26)
7141c7	586	----------------
a400b0	587
9238cd	588	- Change the IMetadataProvider interface: this interface used to have
CM	589	a "metadata" method which returned a dictionary. This method is not
	590	part of that API anymore. It's been replaced with an "add_metadata"
	591	method which has the signature::
b5a331	592
CM	593	def add_metadata(environ, identity):
	594	"""
	595	Add metadata to the identity (which is a dictionary)
	596	"""
	597
	598	The return value is ignored. IMetadataProvider plugins are now
	599	assumed to be responsible for 'scribbling' directly on the identity
	600	that is passed in (it's a dictionary). The user id can always be
	601	retrieved from the identity via identity['repoze.who.userid'] for
	602	metadata plugins that rely on that value.
	603
7141c7	604
a400b0	605	0.6 (2008-03-20)
7141c7	606	----------------
e35c64	607
9238cd	608	- Renaming: repoze.pam is now repoze.who
cb5426	609
9238cd	610	- Bump ez_setup.py version.
e35c64	611
9238cd	612	- Add IMetadataProvider plugin type. Chris says 'Whit rules'.
fa9581	613
7141c7	614
3b67e9	615	0.5 (2008-03-09)
7141c7	616	----------------
db4cf5	617
9238cd	618	- Allow "remote user key" (default: REMOTE_USER) to be overridden
CM	619	(pass in remote_user_key to middleware constructor).
db4cf5	620
9238cd	621	- Allow form plugin to override the default form.
db4cf5	622
9238cd	623	- API change: IIdentifiers are no longer required to put both 'login'
CM	624	and 'password' in a returned identity dictionary. Instead, an
	625	IIdentifier can place arbitrary key/value pairs in the identity
	626	dictionary (or return an empty dictionary).
40a968	627
9238cd	628	- API return value change: the "failure" identity which IIdentifiers
CM	629	return is now None rather than an empty dictionary.
40a968	630
9238cd	631	- The IAuthenticator interface now specifies that IAuthenticators must
CM	632	not raise an exception when evaluating an identity that does not
	633	have "expected" key/value pairs (e.g. when an IAuthenticator that
	634	expects login and password inspects an identity returned by an
	635	IP-based auth system which only puts the IP address in the
	636	identity); instead they fail gracefully by returning None.
40a968	637
9238cd	638	- Add (cookie) "auth_tkt" identification plugin.
a5b033	639
9238cd	640	- Stamp identity dictionaries with a userid by placing a key named
CM	641	'repoze.pam.userid' into the identity for each authenticated
	642	identity.
a5b033	643
9238cd	644	- If an IIdentifier plugin inserts a 'repoze.pam.userid' key into the
CM	645	identity dictionary, consider this identity "preauthenticated". No
	646	authenticator plugins will be asked to authenticate this identity.
	647	This is designed for things like the recently added auth_tkt plugin,
	648	which embeds the user id into the ticket. This effectively alllows
	649	an IIdentifier plugin to become an IAuthenticator plugin when
	650	breaking apart the responsibility into two separate plugins is
	651	"make-work". Preauthenticated identities will be selected first
	652	when deciding which identity to use for any given request.
a5b033	653
9238cd	654	- Insert a 'repoze.pam.identity' key into the WSGI environment on
CM	655	ingress if an identity is found. Its value will be the identity
	656	dictionary related to the identity selected by repoze.pam on
	657	ingress. Downstream consumers are allowed to mutate this
	658	dictionary; this value is passed to "remember" and "forget", so its
	659	main use is to do a "credentials reset"; e.g. a user has changed his
	660	username or password within the application, but we don't want to
	661	force him to log in again after he does so.
a5b033	662
7141c7	663
247f34	664	0.4 (03-07-2008)
7141c7	665	----------------
247f34	666
9238cd	667	- Allow plugins to specify a classifiers list per interface (instead
CM	668	of a single classifiers list per plugin).
247f34	669
7141c7	670
fb510d	671	0.3 (03-05-2008)
7141c7	672	----------------
fb510d	673
9238cd	674	- Make SQLAuthenticatorPlugin's default_password_compare use hexdigest
CM	675	sha instead of base64'ed binary sha for simpler conversion.
fb510d	676
7141c7	677
196bc2	678	0.2 (03-04-2008)
7141c7	679	----------------
196bc2	680
9238cd	681	- Added SQLAuthenticatorPlugin (see plugins/sql.py).
196bc2	682
7141c7	683
318832	684	0.1 (02-27-2008)
7141c7	685	----------------
318832	686
9238cd	687	- Initial release (no configuration file support yet).