RedHatTraining/repoze.who.git

Tres Seaver

2013-04-05 690912d42f52958781f033ecd877b858b012a678

commit \| author \| age
7141c7	1	repoze.who Changelog
TS	2	====================
aa8755	3
a4b584	4	2.2 (unreleased)
TS	5	----------------
	6
	7	- Added support for Python 3.3, PyPy.
	8
d96616	9
717490	10	2.1 (2013-03-20)
c72bfe	11	----------------
TS	12
5ecc71	13	- ``_compat`` module: tolerate missing ``CONTENT_TYPE`` key in the WSGI
TS	14	environment. Thanks to Dag Hoidal for the patch.
	15
d96616	16	- ``htpasswd`` plugin: add a ``sha1_check`` checker function (the ``crypt``
TS	17	module is not available on Windows). Thanks to Chandrashekar Jayaraman
	18	for the patch.
	19
c72bfe	20	- Documentation typo fixes from Carlos de la Guardia and Atsushi Odagiri.
TS	21
0cfb1a	22
TS	23	2.1b1 (2012-11-05)
	24	------------------
d9f6f4	25
TS	26	- Ported to Py3k using the "compatible subset" mode.
	27	- Dropped support for Python < 2.6.x.
	28	- Dropped dependency on Paste (forking some code from it).
	29	- Added dependency on WebOb instead.
	30	Thanks to Atsushi Odagiri (aodag) for the initial effort.
	31
	32
d03c94	33	2.0 (2011-09-28)
493726	34	----------------
TS	35
7f9907	36	- ``auth_tkt`` plugin: strip any port number from the 'Domain' of generated
TS	37	cookies. http://bugs.repoze.org/issue66
	38
493726	39	- Further harden middleware, calling ``close()`` on the iterable even if
TS	40	raising an exception for a missing challenger.
	41	http://bugs.repoze.org/issue174
	42
	43
1b2443	44	2.0b1 (2011-05-24)
TS	45	------------------
f8ef81	46
d6b53f	47	- Enabled standard use of logging module's configuration mechanism.
TS	48	See http://docs.python.org/dev/howto/logging.html#configuring-logging-for-a-library
	49	Thanks to jgoldsmith for the patch: http://bugs.repoze.org/issue178
	50
	51
f8ef81	52	- ``repoze.who.plugins.htpasswd``: defend against timing-based attacks.
TS	53
	54
2b9b1f	55	2.0a4 (2011-02-02)
TS	56	------------------
9a8e60	57
b01f44	58	- Ensure that the middleware calls ``close()`` (if it exists) on the
TS	59	iterable returned from thw wrapped application, as required by PEP 333.
	60	http://bugs.repoze.org/issue174
	61
03fba8	62	- Make ``make_api_factory_with_config`` tolerant of invalid filenames /
TS	63	content for the config file: in such cases, the API factory will have
	64	no configured plugins or policies: it will only be useful for retrieving
	65	the API from an environment populated by middleware.
	66
c61031	67	- Fix bug in ``repoze.who.api`` where the ``remember()`` or ``forget()``
TS	68	methods could return a None if the identifier plugin returned a None.
cfe26c	69
c61031	70	- Fix ``auth_tkt`` plugin to not hand over tokens as strings to paste. See
fc9a88	71	http://lists.repoze.org/pipermail/repoze-dev/2010-November/003680.html
BS	72
c61031	73	- Fix ``auth_tkt`` plugin to add "secure" and "HttpOnly" to cookies when
TS	74	configured with ``secure=True``: these attributes prevent the browser from
	75	sending cookies over insecure channels, which could be vulnerable to some
3b5782	76	XSS attacks.
d7e647	77
15e365	78	- Avoid propagating unicode 'max_age' value into cookie headers. See
TS	79	https://bugs.launchpad.net/bugs/674123 .
	80
e8080a	81	- Added a single-file example BFG application demonstrating the use of
TS	82	the new 'login' and 'logout' methods of the API object.
	83
924f24	84	- Add ``login`` and ``logout`` methods to the ``repoze.who.api.API`` object,
TS	85	as a convenience for application-driven login / logout code, which would
95f147	86	otherwise need to use private methods of the API, and reach down into
TS	87	its plugins.
f8ef81	88
9a8e60	89
2c742e	90	2.0a3 (2010-09-30)
eb7071	91	------------------
f80021	92
a446d6	93	- Deprecated the following plugins, moving their modules, tests, and docs
ff604c	94	to a new project, ``repoze.who.deprecatedplugins``:
a446d6	95
TS	96	- ``repoze.who.plugins.cookie.InsecureCookiePlugin``
	97
630a05	98	- ``repoze.who.plugins.form.FormPlugin``
a446d6	99
630a05	100	- ``repoze.who.plugins.form.RedirectingFormPlugin``
a446d6	101
TS	102	- Made the ``repoze.who.plugins.cookie.InsecureCookiePlugin`` take a
76e951	103	``charset`` argument, and use to to encode / decode login and password.
TS	104	See http://bugs.repoze.org/issue155
	105
a446d6	106	- Updated ``repoze.who.restrict`` to return headers as a list, to keep
TS	107	``wsgiref`` from complaining.
5b6365	108
a446d6	109	- Helped default request classifier cope with xml submissions with an
6b7b34	110	explicit charset defined: http://bugs.repoze.org/issue145 (Lorenzo
CM	111	M. Catucci)
	112
a446d6	113	- Corrected the handling of type and subtype when matching an XML post
6b7b34	114	to ``xmlpost`` in the default classifier, which, according to RFC
CM	115	2045, must be matched case-insensitively:
	116	http://bugs.repoze.org/issue145 (Lorenzo M. Catucci)
	117
a349a2	118	- Added ``repoze.who.config:make_api_factory_with_config``, a convenience
TS	119	method for applications which want to set up their own API Factory from
	120	a configuration file.
	121
f80021	122	- Fixed example call to ``repoze.who.config:make_middleware_with_config``
TS	123	(added missing ``global_config`` argument). See
	124	http://bugs.repoze.org/issue114
	125
f8ef81	126
c186ae	127	2.0a2 (2010-03-25)
TS	128	------------------
52bc23	129
TS	130	Bugs Fixed
	131	~~~~~~~~~~
	132
	133	- Fixed failure to pass substution values in log message string formatting
	134	for ``repoze.who.api:API.challenge``. Fix included adding tests for all
	135	logging done by the API object. See http://bugs.repoze.org/issue122
	136
	137	Backward Incompatibilities
	138	~~~~~~~~~~~~~~~~~~~~~~~~~~
	139
	140	- Adjusted logging level for some lower-level details from ``info``
	141	to ``debug``.
f8ef81	142
52bc23	143
TS	144
e25b84	145	2.0a1 (2010-02-24)
993216	146	------------------
TS	147
b4b8ee	148	Features
TS	149	~~~~~~~~
62cd25	150
c9c1c6	151	- Restored the ability to create the middleware using the old ``classifier``
TS	152	argument. That argument is now a deprecated-but-will-work-forever alias for
	153	``request_classifier``.
cbc983	154
b0f81f	155	- The ``auth_tkt`` plugin now implements the ``IAuthenticator`` interface,
TS	156	and should normally be used both as an ``IIdentifier`` and an
	157	``IAuthenticator``.
	158
993216	159	- Factored out the API of the middleware object to make it useful from
TS	160	within the application. Applications using ``repoze.who``` now fall into
	161	one of three catgeories:
	162
	163	- "middleware-only" applications are configured with middleware, and
	164	use either ``REMOTE_USER`` or ``repoze.who.identity`` from the environment
	165	to determing the authenticated user.
	166
	167	- "bare metal" applications use no ``repoze.who`` middleware at all:
	168	instead, they configure and an ``APIFactory`` object at startup, and
	169	use it to create an ``API`` object when needed on a per-request basis.
	170
	171	- "hybrid" applications are configured with ``repoze.who`` middleware,
	172	but use a new library function to fetch the ``API`` object from the
c9c1c6	173	environ, e.g. to permit calling ``remember`` after a signup or successful
TS	174	login.
993216	175
b4b8ee	176	Bugs Fixed
TS	177	~~~~~~~~~~
	178
	179	- Fix http://bugs.repoze.org/issue102: when no challengers existed,
	180	logging would cause an exception.
	181
	182	- Remove ``ez_setup.py`` and dependency on it in setup.py (support
	183	distribute).
	184
	185	Backward Incompatibilities
	186	~~~~~~~~~~~~~~~~~~~~~~~~~~
	187
b213af	188	- The middleware used to allow identifier plugins to "pre-authenticate"
TS	189	an identity. This feature is no longer supported: the ``auth_tkt``
	190	plugin, which used to use the feature, is now configured to work as
c9c1c6	191	an authenticator plugin (as well as an identifier).
b213af	192
b4b8ee	193	- The ``repoze.who.middleware:PluggableAuthenticationMiddleware`` class
TS	194	no longer has the following (non-API) methods (now made API methods
	195	of the ``repoze.who.api:API`` class):
	196
	197	- ``add_metadata``
	198	- ``authenticate``
	199	- ``challenge``
	200	- ``identify``
	201
	202	- The following (non-API) functions moved from ``repoze.who.middleware`` to
	203	``repoze.who.api``:
	204
	205	- ``make_registries``
	206	- ``match_classification``
	207	- ``verify``
	208
	209
f8ef81	210
060054	211	1.0.18 (2009-11-05)
TS	212	-------------------
798feb	213
TS	214	- Issue #104: AuthTkt plugin was passing an invalid cookie value in
	215	headers from ``forget``, and was not setting the ``Max-Age`` and
	216	``Expires`` attributes of those cookies.
	217
b4b8ee	218
f8ef81	219
6e136f	220	1.0.17 (2009-11-05)
TS	221	-------------------
e0d138	222
TS	223	- Fixed the ``repoze.who.plugins.form.make_plugin`` factory's ``formcallable``
	224	argument handling, to allow passing in a dotted name (e.g., from a config
	225	file).
	226
b4b8ee	227
f8ef81	228
6b15ee	229	1.0.16 (2009-11-04)
028e4d	230	-------------------
1ec83d	231
8dd881	232	- Exposed ``formcallable`` argument for ``repoze.who.plugins.form.FormPlugin``
TS	233	to the callers of the ``repoze.who.plugins.form.make_plugin`` factory.
	234	Thanks to Roland Hedburg for the report.
21a9c5	235
8dd881	236	- Fixed an issue that caused the following symptom when using the
TS	237	ini configuration parser::
	238
	239	TypeError: _makePlugin() got multiple values for keyword argument 'name'
21a9c5	240
CM	241	See http://bugs.repoze.org/issue92 for more details. Thanks to vaab
	242	for the bug report and initial fix.
	243
1ec83d	244
7141c7	245	1.0.15 (2009-06-25)
TS	246	-------------------
299b4c	247
a14163	248	- If the form post value ``max_age`` exists while in the ``identify``
CM	249	method is handling the ``login_handler_path``, pass the max_age
	250	value in the returned identity dictionary as ``max_age``. See the
	251	below bullet point for why.
	252
299b4c	253	- If the ``identity`` dict passed to the ``auth_tkt`` ``remember``
CM	254	method contains a ``max_age`` key with a string (or integer) value,
	255	treat it as a cue to set the ``Max-Age`` and ``Expires`` headers in
	256	the returned cookies. The cookie ``Max-Age`` is set to the value
	257	and the ``Expires`` is computed from the current time.
	258
7141c7	259
TS	260	1.0.14 (2009-06-17)
	261	-------------------
9318dd	262
1810b2	263	- Fix test breakage on Windows. See http://bugs.repoze.org/issue79 .
TS	264
00a6d9	265	- Documented issue with using ``include_ip`` setting in the ``auth_tkt``
TS	266	plugin. See http://bugs.repoze.org/issue81 .
	267
0dd808	268	- Added 'passthrough_challenge_decider', which avoids re-challenging 401
TS	269	responses which have been "pre-challenged" by the application.
	270
9318dd	271	- One-hundred percent unit test coverage.
TS	272
a6f6dc	273	- Add ``timeout`` and ``reissue_time`` arguments to the auth_tkt
CM	274	identifier plugin, courtesty of Paul Johnston.
	275
	276	- Add a ``userid_checker`` argument to the auth_tkt identifier plugin,
	277	courtesty of Gustavo Narea.
	278
	279	If ``userid_checker`` is provided, it must be a dotted Python name
	280	that resolves to a function which accepts a userid and returns a
	281	boolean True or False, indicating whether that user exists in a
	282	database. This is a workaround. Due to a design bug in repoze.who,
	283	the only way who can check for user existence is to use one or more
	284	IAuthenticator plugin ``authenticate`` methods. If an
	285	IAuthenticator's ``authenticate`` method returns true, it means that
	286	the user exists. However most IAuthenticator plugins expect both
	287	a username and a password, and will return False unconditionally if
	288	both aren't supplied. This means that an authenticator can't be
	289	used to check if the user "only" exists. The identity provided by
	290	an auth_tkt does not contain a password to check against. The
	291	actual design bug in repoze.who is this: when a user presents
	292	credentials from an auth_tkt, he is considered "preauthenticated".
	293	IAuthenticator.authenticate is just never called for a
	294	"preauthenticated" identity, which works fine, but it means that the
	295	user will be considered authenticated even if you deleted the user's
	296	record from whatever database you happen to be using. However, if
	297	you use a userid_checker, you can ensure that a user exists for the
	298	auth_tkt supplied userid. If the userid_checker returns False, the
	299	auth_tkt credentials are considered "no good".
	300
7141c7	301
TS	302	1.0.13 (2009-04-24)
	303	-------------------
64ba13	304
TS	305	- Added a paragraph to ``IAuthenticator`` docstring, documenting that plugins
	306	are allowed to add keys to the ``identity`` dictionary (e.g., to save a
ced7bd	307	second database query in an ``IMetadataProvider`` plugin).
64ba13	308
08b2ae	309	- Patch supplied for issue #71 (http://bugs.repoze.org/issue71)
CM	310	whereby a downstream app can return a generator, relying on an
	311	upstream component to call start_response. We do this because the
	312	challenge decider needs the status and headers to decide what to do.
	313
56d0c5	314
7141c7	315	1.0.12 (2009-04-19)
TS	316	-------------------
56d0c5	317	- auth_tkt plugin tried to append REMOTE_USER_TOKENS data to
CM	318	existing tokens data returned by auth_tkt.parse_tkt; this was
	319	incorrect; just overwrite.
0ee58d	320
TS	321	- Extended auth_tkt plugin factory to allow passing secret in a separate
	322	file from the main config file. See http://bugs.repoze.org/issue40 .
	323
7141c7	324
TS	325	1.0.11 (2009-04-10)
	326	-------------------
afbbcd	327
8c20ba	328	- Fix auth_tkt plugin; cookie values are now quoted, making it possible
CM	329	to put spaces and other whitespace, etc in usernames. (thanks to Michael
95736b	330	Pedersen).
8c20ba	331
afbbcd	332	- Fix corner case issue of an exception raised when attempting to log
CM	333	when there are no identifiers or authenticators.
	334
7141c7	335
TS	336	1.0.10 (2009-01-23)
	337	-------------------
7b931d	338
CM	339	- The RedirectingFormPlugin now passes along SetCookie headers set
	340	into the response by the application within the NotFound response
	341	(fixes TG2 "flash" issue).
	342
7141c7	343
TS	344	1.0.9 (2008-12-18)
	345	------------------
30ab69	346
9238cd	347	- The RedirectingFormPlugin now attempts to find a header named
CM	348	``X-Authentication-Failure-Reason`` among the response headers set
	349	by the application when a challenge is issued. If a value for this
	350	header exists (and is non-blank), the value is attached to the
	351	redirect URL's query string as the ``reason`` parameter (or a
	352	user-settable key). This makes it possible for downstream
	353	applications to issue a response that initiates a challenge with
	354	this header and subsequently display the reason in the login form
	355	rendered as a result of the challenge.
30ab69	356
7141c7	357
TS	358	1.0.8 (2008-12-13)
	359	------------------
186ff6	360
9238cd	361	- The ``PluggableAuthenticationMiddleware`` constructor accepts a
CM	362	``log_stream`` argument, which is typically a file. After this
	363	release, it can also be a PEP 333 ``Logger`` instance; if it is a
	364	PEP 333 ``Logger`` instance, this logger will be used as the
	365	repoze.who logger (instead of one being constructed by the
	366	middleware, as was previously always the case). When the
	367	``log_stream`` argument is a PEP 333 Logger object, the
	368	``log_level`` argument is ignored.
186ff6	369
7141c7	370
TS	371	1.0.7 (2008-08-28)
	372	------------------
37de44	373
9238cd	374	- ``repoze.who`` and ``repoze.who.plugins`` were not added to the
CM	375	``namespace_packages`` list in setup.py, potentially making 1.0.6 a
	376	brownbag release, given that making these packages namespace
	377	packages was the only reason for its release.
37de44	378
7141c7	379
TS	380	1.0.6 (2008-08-28)
	381	------------------
facdf8	382
9238cd	383	- Make repoze.who and repoze.who.plugins into namespace packages
CM	384	mainly so we can allow plugin authors to distribute packages in the
	385	repoze.who.plugins namespace.
facdf8	386
7141c7	387
TS	388	1.0.5 (2008-08-23)
	389	------------------
519300	390
9238cd	391	- Fix auth_tkt plugin to set the same cookies in its ``remember``
CM	392	method that it does in its ``forget`` method. Previously, logging
	393	out and relogging back in to a site that used auth_tkt identifier
	394	plugin was slightly dicey and would only work sometimes.
facdf8	395
9238cd	396	- The FormPlugin plugin has grown a redirect-on-unauthorized feature.
CM	397	Any response from a downstream application that causes a challenge
	398	and includes a Location header will cause a redirect to the value of
	399	the Location header.
dee08c	400
7141c7	401
TS	402	1.0.4 (2008-08-22)
	403	------------------
b95a59	404
9238cd	405	- Added a key to the '[general]' config section: ``remote_user_key``.
CM	406	If you use this key in the config file, it tells who to 1) not
	407	perform any authentication if it exists in the environment during
	408	ingress and 2) to set the key in the environment for the downstream
	409	app to use as the REMOTE_USER variable. The default is
	410	``REMOTE_USER``.
b95a59	411
9238cd	412	- Using unicode user ids in combination with the auth_tkt plugin would
CM	413	cause problems under mod_wsgi.
55dc7a	414
9238cd	415	- Allowed 'cookie_path' argument to InsecureCookiePlugin (and config
CM	416	constructor). Thanks to Gustavo Narea.
55dc7a	417
7141c7	418
TS	419	1.0.3 (2008-08-16)
	420	------------------
f693fe	421
9238cd	422	- A bug in the middleware's ``authenticate`` method made it impossible
CM	423	to authenticate a user with a userid that was null (e.g. 0, False),
	424	which are valid identifiers. The only invalid userid is now None.
c7e12d	425
9238cd	426	- Applied patch from Olaf Conradi which logs an error when an invalid
CM	427	filename is passed to the HTPasswdPlugin.
c7e12d	428
7141c7	429
TS	430	1.0.2 (2008-06-16)
	431	------------------
cad90d	432
9238cd	433	- Fix bug found by Chris Perkins: the auth_tkt plugin's "remember"
CM	434	method didn't handle userids which are Python "long" instances
	435	properly. Symptom: TypeError: cannot concatenate 'str' and 'long'
	436	objects in "paste.auth.auth_tkt".
a2c030	437
9238cd	438	- Added predicate-based "restriction" middleware support
CM	439	(repoze.who.restrict), allowing configuratio-driven authorization as
	440	a WSGI filter. One example predicate, 'authenticated_predicate', is
	441	supplied, which requires that the user be authenticated either via
	442	'REMOTE_USER' or via 'repoze.who.identity'. To use the filter to
	443	restrict access::
cad90d	444
TS	445	[filter:authenticated_only]
	446	use = egg:repoze.who#authenticated
	447
	448	or::
	449
	450	[filter:some_predicate]
	451	use = egg:repoze.who#predicate
	452	predicate = my.module:some_predicate
	453	some_option = a value
	454
7141c7	455
TS	456	1.0.1 (2008-05-24)
	457	------------------
8199a1	458
9238cd	459	- Remove dependency-link to dist.repoze.org to prevent easy_install
CM	460	from inserting that path into its search paths (the dependencies are
	461	available from PyPI).
8199a1	462
7141c7	463
TS	464	1.0 (2008-05-04)
	465	-----------------
419946	466
9238cd	467	- The plugin at plugins.form.FormPlugin didn't redirect properly after
CM	468	collecting identification information. Symptom: a downstream app
	469	would receive a POST request with a blank body, which would
	470	sometimes result in a Bad Request error.
f39349	471
9238cd	472	- Fixed interface declarations of
CM	473	'classifiers.default_request_classifier' and
	474	'classifiers.default_password_compare'.
515c69	475
9238cd	476	- Added actual config-driven middleware factory,
CM	477	'config.make_middleware_with_config'
515c69	478
9238cd	479	- Removed fossilized 'who_conf' argument from plugin factory functions.
515c69	480
7141c7	481	- Added ConfigParser-based WhoConfig, implementing the spec outlined at
9238cd	482	http://www.plope.com/static/misc/sphinxtest/intro.html#middleware-configuration-via-config-file,
CM	483	with the following changes:
419946	484
7141c7	485	- "Bare" plugins (requiring no configuration options) may be specified
419946	486	as either egg entry points (e.g., 'egg:distname#entry_point_name') or
TS	487	as dotted-path-with-colon (e.g., 'dotted.name:object_id').
	488
7141c7	489	- Therefore, the separator between a plugin and its classifier is now
TS	490	a semicolon, rather than a colon. E.g.::
419946	491
TS	492	[plugins:id_plugin]
	493	use = egg:another.package#identify_with_frobnatz
	494	frobnatz = baz
	495
	496	[identifiers]
	497	plugins =
	498	egg:my.egg#identify;browser
	499	dotted.name:identifier
	500	id_plugin
	501
7141c7	502
779caf	503	0.9.1 (2008-04-27)
7141c7	504	------------------
779caf	505
9238cd	506	- Fix auth_tkt plugin to be able to encode and decode integer user
CM	507	ids.
779caf	508
7141c7	509
88e646	510	0.9 (2008-04-01)
7141c7	511	----------------
88e646	512
9238cd	513	- Fix bug introduced in FormPlugin in 0.8 release (rememberer headers
CM	514	not set).
88e646	515
9238cd	516	- Add PATH_INFO to started and ended log info.
d9f046	517
9238cd	518	- Add a SQLMetadataProviderPlugin (in plugins/sql).
d9f046	519
9238cd	520	- Change constructor of SQLAuthenticatorPlugin: it now accepts only
CM	521	"query", "conn_factory", and "compare_fn". The old constructor
	522	accepted a DSN, but some database systems don't use DBAPI DSNs. The
	523	new constructor accepts no DSN; the conn_factory is assumed to do
	524	all the work to make a connection, including knowing the DSN if one
	525	is required. The "conn_factory" should return something that, when
	526	called with no arguments, returns a database connection.
d9f046	527
9238cd	528	- The "make_plugin" helper in plugins/sql has been renamed
CM	529	"make_authenticator_plugin". When called, this helper will return a
	530	SQLAuthenticatorPlugin. A bit of helper logic in the
	531	"make_authenticator_plugin" allows a connection factory to be
	532	computed. The top-level callable referred to by conn_factory in
	533	this helper should return a function that, when called with no
	534	arguments, returns a datbase connection. The top-level callable
	535	itself is called with "who_conf" (global who configuration) and any
	536	number of non-top-level keyword arguments as they are passed into
	537	the helper, to allow for a DSN or URL or whatever to be passed in.
d9f046	538
9238cd	539	- A "make_metatata_plugin" helper has been added to plugins/sql. When
CM	540	called, this will make a SQLMetadataProviderPlugin. See the
	541	implementation for details. It is similar to the
	542	"make_authenticator_plugin" helper.
d9f046	543
7141c7	544
cbe4e3	545	0.8 (2008-03-27)
7141c7	546	----------------
b5a331	547
9238cd	548	- Add a RedirectingFormIdentifier plugin. This plugin is willing to
CM	549	redirect to an external (or downstream application) login form to
	550	perform identification. The external login form must post to the
	551	"login_handler_path" of the plugin (optimally with a "came_from"
	552	value to tell the plugin where to redirect the response to if the
	553	authentication works properly). The "logout_handler_path" of this
	554	plugin can be visited to perform a logout. The "came_from" value
	555	also works there.
a400b0	556
9238cd	557	- Identifier plugins are now permitted to set a key in the environment
CM	558	named 'repoze.who.application' on ingress (in 'identify'). If an
	559	identifier plugin does so, this application is used instead of the
	560	"normal" downstream application. This feature was added to more
	561	simply support the redirecting form identifier plugin.
a400b0	562
7141c7	563
a400b0	564	0.7 (2008-03-26)
7141c7	565	----------------
a400b0	566
9238cd	567	- Change the IMetadataProvider interface: this interface used to have
CM	568	a "metadata" method which returned a dictionary. This method is not
	569	part of that API anymore. It's been replaced with an "add_metadata"
	570	method which has the signature::
b5a331	571
CM	572	def add_metadata(environ, identity):
	573	"""
	574	Add metadata to the identity (which is a dictionary)
	575	"""
	576
	577	The return value is ignored. IMetadataProvider plugins are now
	578	assumed to be responsible for 'scribbling' directly on the identity
	579	that is passed in (it's a dictionary). The user id can always be
	580	retrieved from the identity via identity['repoze.who.userid'] for
	581	metadata plugins that rely on that value.
	582
7141c7	583
a400b0	584	0.6 (2008-03-20)
7141c7	585	----------------
e35c64	586
9238cd	587	- Renaming: repoze.pam is now repoze.who
cb5426	588
9238cd	589	- Bump ez_setup.py version.
e35c64	590
9238cd	591	- Add IMetadataProvider plugin type. Chris says 'Whit rules'.
fa9581	592
7141c7	593
3b67e9	594	0.5 (2008-03-09)
7141c7	595	----------------
db4cf5	596
9238cd	597	- Allow "remote user key" (default: REMOTE_USER) to be overridden
CM	598	(pass in remote_user_key to middleware constructor).
db4cf5	599
9238cd	600	- Allow form plugin to override the default form.
db4cf5	601
9238cd	602	- API change: IIdentifiers are no longer required to put both 'login'
CM	603	and 'password' in a returned identity dictionary. Instead, an
	604	IIdentifier can place arbitrary key/value pairs in the identity
	605	dictionary (or return an empty dictionary).
40a968	606
9238cd	607	- API return value change: the "failure" identity which IIdentifiers
CM	608	return is now None rather than an empty dictionary.
40a968	609
9238cd	610	- The IAuthenticator interface now specifies that IAuthenticators must
CM	611	not raise an exception when evaluating an identity that does not
	612	have "expected" key/value pairs (e.g. when an IAuthenticator that
	613	expects login and password inspects an identity returned by an
	614	IP-based auth system which only puts the IP address in the
	615	identity); instead they fail gracefully by returning None.
40a968	616
9238cd	617	- Add (cookie) "auth_tkt" identification plugin.
a5b033	618
9238cd	619	- Stamp identity dictionaries with a userid by placing a key named
CM	620	'repoze.pam.userid' into the identity for each authenticated
	621	identity.
a5b033	622
9238cd	623	- If an IIdentifier plugin inserts a 'repoze.pam.userid' key into the
CM	624	identity dictionary, consider this identity "preauthenticated". No
	625	authenticator plugins will be asked to authenticate this identity.
	626	This is designed for things like the recently added auth_tkt plugin,
	627	which embeds the user id into the ticket. This effectively alllows
	628	an IIdentifier plugin to become an IAuthenticator plugin when
	629	breaking apart the responsibility into two separate plugins is
	630	"make-work". Preauthenticated identities will be selected first
	631	when deciding which identity to use for any given request.
a5b033	632
9238cd	633	- Insert a 'repoze.pam.identity' key into the WSGI environment on
CM	634	ingress if an identity is found. Its value will be the identity
	635	dictionary related to the identity selected by repoze.pam on
	636	ingress. Downstream consumers are allowed to mutate this
	637	dictionary; this value is passed to "remember" and "forget", so its
	638	main use is to do a "credentials reset"; e.g. a user has changed his
	639	username or password within the application, but we don't want to
	640	force him to log in again after he does so.
a5b033	641
7141c7	642
247f34	643	0.4 (03-07-2008)
7141c7	644	----------------
247f34	645
9238cd	646	- Allow plugins to specify a classifiers list per interface (instead
CM	647	of a single classifiers list per plugin).
247f34	648
7141c7	649
fb510d	650	0.3 (03-05-2008)
7141c7	651	----------------
fb510d	652
9238cd	653	- Make SQLAuthenticatorPlugin's default_password_compare use hexdigest
CM	654	sha instead of base64'ed binary sha for simpler conversion.
fb510d	655
7141c7	656
196bc2	657	0.2 (03-04-2008)
7141c7	658	----------------
196bc2	659
9238cd	660	- Added SQLAuthenticatorPlugin (see plugins/sql.py).
196bc2	661
7141c7	662
318832	663	0.1 (02-27-2008)
7141c7	664	----------------
318832	665
9238cd	666	- Initial release (no configuration file support yet).