RedHatTraining/repoze.who.git

Sacrifice dead chickens for Travis' boneheadedness.

Tres Seaver

2014-12-12 8345b4c064f641ac0f1865f3cff5feedc55904e0

commit \| author \| age
7141c7	1	repoze.who Changelog
TS	2	====================
aa8755	3
4f3525	4	Unreleased
TS	5	----------
	6
7b0a91	7	- Add support for Python 3.4, PyPy3.
TS	8
19d219	9	- middleware: avoid UnboundLocalError when wrapped generater yields no
TS	10	items. See: http://bugs.repoze.org/issue184
	11
4f3525	12	- Make cookie expiration date RFC-2616 compliant (independent of locale,
TS	13	including 'GMT' zone). See https://github.com/repoze/repoze.who/pull/11
	14
9cd0f8	15	2.2 (2013-05-17)
a4b584	16	----------------
TS	17
1d7c19	18	- Parse INI-file configuration using ``SafeConfigParser``: allows
TS	19	escaping the ``'%'`` so that e.g. a query template using for a DB-API
	20	connection using ``pyformat`` preserves the template.
	21
a4b584	22	- Added support for Python 3.3, PyPy.
TS	23
d96616	24
717490	25	2.1 (2013-03-20)
c72bfe	26	----------------
TS	27
5ecc71	28	- ``_compat`` module: tolerate missing ``CONTENT_TYPE`` key in the WSGI
TS	29	environment. Thanks to Dag Hoidal for the patch.
	30
d96616	31	- ``htpasswd`` plugin: add a ``sha1_check`` checker function (the ``crypt``
TS	32	module is not available on Windows). Thanks to Chandrashekar Jayaraman
	33	for the patch.
	34
c72bfe	35	- Documentation typo fixes from Carlos de la Guardia and Atsushi Odagiri.
TS	36
0cfb1a	37
TS	38	2.1b1 (2012-11-05)
	39	------------------
d9f6f4	40
TS	41	- Ported to Py3k using the "compatible subset" mode.
	42	- Dropped support for Python < 2.6.x.
	43	- Dropped dependency on Paste (forking some code from it).
	44	- Added dependency on WebOb instead.
	45	Thanks to Atsushi Odagiri (aodag) for the initial effort.
	46
	47
d03c94	48	2.0 (2011-09-28)
493726	49	----------------
TS	50
7f9907	51	- ``auth_tkt`` plugin: strip any port number from the 'Domain' of generated
TS	52	cookies. http://bugs.repoze.org/issue66
	53
493726	54	- Further harden middleware, calling ``close()`` on the iterable even if
TS	55	raising an exception for a missing challenger.
	56	http://bugs.repoze.org/issue174
	57
	58
1b2443	59	2.0b1 (2011-05-24)
TS	60	------------------
f8ef81	61
d6b53f	62	- Enabled standard use of logging module's configuration mechanism.
TS	63	See http://docs.python.org/dev/howto/logging.html#configuring-logging-for-a-library
	64	Thanks to jgoldsmith for the patch: http://bugs.repoze.org/issue178
	65
	66
f8ef81	67	- ``repoze.who.plugins.htpasswd``: defend against timing-based attacks.
TS	68
	69
2b9b1f	70	2.0a4 (2011-02-02)
TS	71	------------------
9a8e60	72
b01f44	73	- Ensure that the middleware calls ``close()`` (if it exists) on the
TS	74	iterable returned from thw wrapped application, as required by PEP 333.
	75	http://bugs.repoze.org/issue174
	76
03fba8	77	- Make ``make_api_factory_with_config`` tolerant of invalid filenames /
TS	78	content for the config file: in such cases, the API factory will have
	79	no configured plugins or policies: it will only be useful for retrieving
	80	the API from an environment populated by middleware.
	81
c61031	82	- Fix bug in ``repoze.who.api`` where the ``remember()`` or ``forget()``
TS	83	methods could return a None if the identifier plugin returned a None.
cfe26c	84
c61031	85	- Fix ``auth_tkt`` plugin to not hand over tokens as strings to paste. See
fc9a88	86	http://lists.repoze.org/pipermail/repoze-dev/2010-November/003680.html
BS	87
c61031	88	- Fix ``auth_tkt`` plugin to add "secure" and "HttpOnly" to cookies when
TS	89	configured with ``secure=True``: these attributes prevent the browser from
	90	sending cookies over insecure channels, which could be vulnerable to some
3b5782	91	XSS attacks.
d7e647	92
15e365	93	- Avoid propagating unicode 'max_age' value into cookie headers. See
TS	94	https://bugs.launchpad.net/bugs/674123 .
	95
e8080a	96	- Added a single-file example BFG application demonstrating the use of
TS	97	the new 'login' and 'logout' methods of the API object.
	98
924f24	99	- Add ``login`` and ``logout`` methods to the ``repoze.who.api.API`` object,
TS	100	as a convenience for application-driven login / logout code, which would
95f147	101	otherwise need to use private methods of the API, and reach down into
TS	102	its plugins.
f8ef81	103
9a8e60	104
2c742e	105	2.0a3 (2010-09-30)
eb7071	106	------------------
f80021	107
a446d6	108	- Deprecated the following plugins, moving their modules, tests, and docs
ff604c	109	to a new project, ``repoze.who.deprecatedplugins``:
a446d6	110
TS	111	- ``repoze.who.plugins.cookie.InsecureCookiePlugin``
	112
630a05	113	- ``repoze.who.plugins.form.FormPlugin``
a446d6	114
630a05	115	- ``repoze.who.plugins.form.RedirectingFormPlugin``
a446d6	116
TS	117	- Made the ``repoze.who.plugins.cookie.InsecureCookiePlugin`` take a
76e951	118	``charset`` argument, and use to to encode / decode login and password.
TS	119	See http://bugs.repoze.org/issue155
	120
a446d6	121	- Updated ``repoze.who.restrict`` to return headers as a list, to keep
TS	122	``wsgiref`` from complaining.
5b6365	123
a446d6	124	- Helped default request classifier cope with xml submissions with an
6b7b34	125	explicit charset defined: http://bugs.repoze.org/issue145 (Lorenzo
CM	126	M. Catucci)
	127
a446d6	128	- Corrected the handling of type and subtype when matching an XML post
6b7b34	129	to ``xmlpost`` in the default classifier, which, according to RFC
CM	130	2045, must be matched case-insensitively:
	131	http://bugs.repoze.org/issue145 (Lorenzo M. Catucci)
	132
a349a2	133	- Added ``repoze.who.config:make_api_factory_with_config``, a convenience
TS	134	method for applications which want to set up their own API Factory from
	135	a configuration file.
	136
f80021	137	- Fixed example call to ``repoze.who.config:make_middleware_with_config``
TS	138	(added missing ``global_config`` argument). See
	139	http://bugs.repoze.org/issue114
	140
f8ef81	141
c186ae	142	2.0a2 (2010-03-25)
TS	143	------------------
52bc23	144
TS	145	Bugs Fixed
	146	~~~~~~~~~~
	147
	148	- Fixed failure to pass substution values in log message string formatting
	149	for ``repoze.who.api:API.challenge``. Fix included adding tests for all
	150	logging done by the API object. See http://bugs.repoze.org/issue122
	151
	152	Backward Incompatibilities
	153	~~~~~~~~~~~~~~~~~~~~~~~~~~
	154
	155	- Adjusted logging level for some lower-level details from ``info``
	156	to ``debug``.
f8ef81	157
52bc23	158
TS	159
e25b84	160	2.0a1 (2010-02-24)
993216	161	------------------
TS	162
b4b8ee	163	Features
TS	164	~~~~~~~~
62cd25	165
c9c1c6	166	- Restored the ability to create the middleware using the old ``classifier``
TS	167	argument. That argument is now a deprecated-but-will-work-forever alias for
	168	``request_classifier``.
cbc983	169
b0f81f	170	- The ``auth_tkt`` plugin now implements the ``IAuthenticator`` interface,
TS	171	and should normally be used both as an ``IIdentifier`` and an
	172	``IAuthenticator``.
	173
993216	174	- Factored out the API of the middleware object to make it useful from
TS	175	within the application. Applications using ``repoze.who``` now fall into
	176	one of three catgeories:
	177
	178	- "middleware-only" applications are configured with middleware, and
	179	use either ``REMOTE_USER`` or ``repoze.who.identity`` from the environment
	180	to determing the authenticated user.
	181
	182	- "bare metal" applications use no ``repoze.who`` middleware at all:
	183	instead, they configure and an ``APIFactory`` object at startup, and
	184	use it to create an ``API`` object when needed on a per-request basis.
	185
	186	- "hybrid" applications are configured with ``repoze.who`` middleware,
	187	but use a new library function to fetch the ``API`` object from the
c9c1c6	188	environ, e.g. to permit calling ``remember`` after a signup or successful
TS	189	login.
993216	190
b4b8ee	191	Bugs Fixed
TS	192	~~~~~~~~~~
	193
	194	- Fix http://bugs.repoze.org/issue102: when no challengers existed,
	195	logging would cause an exception.
	196
	197	- Remove ``ez_setup.py`` and dependency on it in setup.py (support
	198	distribute).
	199
	200	Backward Incompatibilities
	201	~~~~~~~~~~~~~~~~~~~~~~~~~~
	202
b213af	203	- The middleware used to allow identifier plugins to "pre-authenticate"
TS	204	an identity. This feature is no longer supported: the ``auth_tkt``
	205	plugin, which used to use the feature, is now configured to work as
c9c1c6	206	an authenticator plugin (as well as an identifier).
b213af	207
b4b8ee	208	- The ``repoze.who.middleware:PluggableAuthenticationMiddleware`` class
TS	209	no longer has the following (non-API) methods (now made API methods
	210	of the ``repoze.who.api:API`` class):
	211
	212	- ``add_metadata``
	213	- ``authenticate``
	214	- ``challenge``
	215	- ``identify``
	216
	217	- The following (non-API) functions moved from ``repoze.who.middleware`` to
	218	``repoze.who.api``:
	219
	220	- ``make_registries``
	221	- ``match_classification``
	222	- ``verify``
	223
	224
f8ef81	225
060054	226	1.0.18 (2009-11-05)
TS	227	-------------------
798feb	228
TS	229	- Issue #104: AuthTkt plugin was passing an invalid cookie value in
	230	headers from ``forget``, and was not setting the ``Max-Age`` and
	231	``Expires`` attributes of those cookies.
	232
b4b8ee	233
f8ef81	234
6e136f	235	1.0.17 (2009-11-05)
TS	236	-------------------
e0d138	237
TS	238	- Fixed the ``repoze.who.plugins.form.make_plugin`` factory's ``formcallable``
	239	argument handling, to allow passing in a dotted name (e.g., from a config
	240	file).
	241
b4b8ee	242
f8ef81	243
6b15ee	244	1.0.16 (2009-11-04)
028e4d	245	-------------------
1ec83d	246
8dd881	247	- Exposed ``formcallable`` argument for ``repoze.who.plugins.form.FormPlugin``
TS	248	to the callers of the ``repoze.who.plugins.form.make_plugin`` factory.
	249	Thanks to Roland Hedburg for the report.
21a9c5	250
8dd881	251	- Fixed an issue that caused the following symptom when using the
TS	252	ini configuration parser::
	253
	254	TypeError: _makePlugin() got multiple values for keyword argument 'name'
21a9c5	255
CM	256	See http://bugs.repoze.org/issue92 for more details. Thanks to vaab
	257	for the bug report and initial fix.
	258
1ec83d	259
7141c7	260	1.0.15 (2009-06-25)
TS	261	-------------------
299b4c	262
a14163	263	- If the form post value ``max_age`` exists while in the ``identify``
CM	264	method is handling the ``login_handler_path``, pass the max_age
	265	value in the returned identity dictionary as ``max_age``. See the
	266	below bullet point for why.
	267
299b4c	268	- If the ``identity`` dict passed to the ``auth_tkt`` ``remember``
CM	269	method contains a ``max_age`` key with a string (or integer) value,
	270	treat it as a cue to set the ``Max-Age`` and ``Expires`` headers in
	271	the returned cookies. The cookie ``Max-Age`` is set to the value
	272	and the ``Expires`` is computed from the current time.
	273
7141c7	274
TS	275	1.0.14 (2009-06-17)
	276	-------------------
9318dd	277
1810b2	278	- Fix test breakage on Windows. See http://bugs.repoze.org/issue79 .
TS	279
00a6d9	280	- Documented issue with using ``include_ip`` setting in the ``auth_tkt``
TS	281	plugin. See http://bugs.repoze.org/issue81 .
	282
0dd808	283	- Added 'passthrough_challenge_decider', which avoids re-challenging 401
TS	284	responses which have been "pre-challenged" by the application.
	285
9318dd	286	- One-hundred percent unit test coverage.
TS	287
a6f6dc	288	- Add ``timeout`` and ``reissue_time`` arguments to the auth_tkt
CM	289	identifier plugin, courtesty of Paul Johnston.
	290
	291	- Add a ``userid_checker`` argument to the auth_tkt identifier plugin,
	292	courtesty of Gustavo Narea.
	293
	294	If ``userid_checker`` is provided, it must be a dotted Python name
	295	that resolves to a function which accepts a userid and returns a
	296	boolean True or False, indicating whether that user exists in a
	297	database. This is a workaround. Due to a design bug in repoze.who,
	298	the only way who can check for user existence is to use one or more
	299	IAuthenticator plugin ``authenticate`` methods. If an
	300	IAuthenticator's ``authenticate`` method returns true, it means that
	301	the user exists. However most IAuthenticator plugins expect both
	302	a username and a password, and will return False unconditionally if
	303	both aren't supplied. This means that an authenticator can't be
	304	used to check if the user "only" exists. The identity provided by
	305	an auth_tkt does not contain a password to check against. The
	306	actual design bug in repoze.who is this: when a user presents
	307	credentials from an auth_tkt, he is considered "preauthenticated".
	308	IAuthenticator.authenticate is just never called for a
	309	"preauthenticated" identity, which works fine, but it means that the
	310	user will be considered authenticated even if you deleted the user's
	311	record from whatever database you happen to be using. However, if
	312	you use a userid_checker, you can ensure that a user exists for the
	313	auth_tkt supplied userid. If the userid_checker returns False, the
	314	auth_tkt credentials are considered "no good".
	315
7141c7	316
TS	317	1.0.13 (2009-04-24)
	318	-------------------
64ba13	319
TS	320	- Added a paragraph to ``IAuthenticator`` docstring, documenting that plugins
	321	are allowed to add keys to the ``identity`` dictionary (e.g., to save a
ced7bd	322	second database query in an ``IMetadataProvider`` plugin).
64ba13	323
08b2ae	324	- Patch supplied for issue #71 (http://bugs.repoze.org/issue71)
CM	325	whereby a downstream app can return a generator, relying on an
	326	upstream component to call start_response. We do this because the
	327	challenge decider needs the status and headers to decide what to do.
	328
56d0c5	329
7141c7	330	1.0.12 (2009-04-19)
TS	331	-------------------
56d0c5	332	- auth_tkt plugin tried to append REMOTE_USER_TOKENS data to
CM	333	existing tokens data returned by auth_tkt.parse_tkt; this was
	334	incorrect; just overwrite.
0ee58d	335
TS	336	- Extended auth_tkt plugin factory to allow passing secret in a separate
	337	file from the main config file. See http://bugs.repoze.org/issue40 .
	338
7141c7	339
TS	340	1.0.11 (2009-04-10)
	341	-------------------
afbbcd	342
8c20ba	343	- Fix auth_tkt plugin; cookie values are now quoted, making it possible
CM	344	to put spaces and other whitespace, etc in usernames. (thanks to Michael
95736b	345	Pedersen).
8c20ba	346
afbbcd	347	- Fix corner case issue of an exception raised when attempting to log
CM	348	when there are no identifiers or authenticators.
	349
7141c7	350
TS	351	1.0.10 (2009-01-23)
	352	-------------------
7b931d	353
CM	354	- The RedirectingFormPlugin now passes along SetCookie headers set
	355	into the response by the application within the NotFound response
	356	(fixes TG2 "flash" issue).
	357
7141c7	358
TS	359	1.0.9 (2008-12-18)
	360	------------------
30ab69	361
9238cd	362	- The RedirectingFormPlugin now attempts to find a header named
CM	363	``X-Authentication-Failure-Reason`` among the response headers set
	364	by the application when a challenge is issued. If a value for this
	365	header exists (and is non-blank), the value is attached to the
	366	redirect URL's query string as the ``reason`` parameter (or a
	367	user-settable key). This makes it possible for downstream
	368	applications to issue a response that initiates a challenge with
	369	this header and subsequently display the reason in the login form
	370	rendered as a result of the challenge.
30ab69	371
7141c7	372
TS	373	1.0.8 (2008-12-13)
	374	------------------
186ff6	375
9238cd	376	- The ``PluggableAuthenticationMiddleware`` constructor accepts a
CM	377	``log_stream`` argument, which is typically a file. After this
	378	release, it can also be a PEP 333 ``Logger`` instance; if it is a
	379	PEP 333 ``Logger`` instance, this logger will be used as the
	380	repoze.who logger (instead of one being constructed by the
	381	middleware, as was previously always the case). When the
	382	``log_stream`` argument is a PEP 333 Logger object, the
	383	``log_level`` argument is ignored.
186ff6	384
7141c7	385
TS	386	1.0.7 (2008-08-28)
	387	------------------
37de44	388
9238cd	389	- ``repoze.who`` and ``repoze.who.plugins`` were not added to the
CM	390	``namespace_packages`` list in setup.py, potentially making 1.0.6 a
	391	brownbag release, given that making these packages namespace
	392	packages was the only reason for its release.
37de44	393
7141c7	394
TS	395	1.0.6 (2008-08-28)
	396	------------------
facdf8	397
9238cd	398	- Make repoze.who and repoze.who.plugins into namespace packages
CM	399	mainly so we can allow plugin authors to distribute packages in the
	400	repoze.who.plugins namespace.
facdf8	401
7141c7	402
TS	403	1.0.5 (2008-08-23)
	404	------------------
519300	405
9238cd	406	- Fix auth_tkt plugin to set the same cookies in its ``remember``
CM	407	method that it does in its ``forget`` method. Previously, logging
	408	out and relogging back in to a site that used auth_tkt identifier
	409	plugin was slightly dicey and would only work sometimes.
facdf8	410
9238cd	411	- The FormPlugin plugin has grown a redirect-on-unauthorized feature.
CM	412	Any response from a downstream application that causes a challenge
	413	and includes a Location header will cause a redirect to the value of
	414	the Location header.
dee08c	415
7141c7	416
TS	417	1.0.4 (2008-08-22)
	418	------------------
b95a59	419
9238cd	420	- Added a key to the '[general]' config section: ``remote_user_key``.
CM	421	If you use this key in the config file, it tells who to 1) not
	422	perform any authentication if it exists in the environment during
	423	ingress and 2) to set the key in the environment for the downstream
	424	app to use as the REMOTE_USER variable. The default is
	425	``REMOTE_USER``.
b95a59	426
9238cd	427	- Using unicode user ids in combination with the auth_tkt plugin would
CM	428	cause problems under mod_wsgi.
55dc7a	429
9238cd	430	- Allowed 'cookie_path' argument to InsecureCookiePlugin (and config
CM	431	constructor). Thanks to Gustavo Narea.
55dc7a	432
7141c7	433
TS	434	1.0.3 (2008-08-16)
	435	------------------
f693fe	436
9238cd	437	- A bug in the middleware's ``authenticate`` method made it impossible
CM	438	to authenticate a user with a userid that was null (e.g. 0, False),
	439	which are valid identifiers. The only invalid userid is now None.
c7e12d	440
9238cd	441	- Applied patch from Olaf Conradi which logs an error when an invalid
CM	442	filename is passed to the HTPasswdPlugin.
c7e12d	443
7141c7	444
TS	445	1.0.2 (2008-06-16)
	446	------------------
cad90d	447
9238cd	448	- Fix bug found by Chris Perkins: the auth_tkt plugin's "remember"
CM	449	method didn't handle userids which are Python "long" instances
	450	properly. Symptom: TypeError: cannot concatenate 'str' and 'long'
	451	objects in "paste.auth.auth_tkt".
a2c030	452
9238cd	453	- Added predicate-based "restriction" middleware support
CM	454	(repoze.who.restrict), allowing configuratio-driven authorization as
	455	a WSGI filter. One example predicate, 'authenticated_predicate', is
	456	supplied, which requires that the user be authenticated either via
	457	'REMOTE_USER' or via 'repoze.who.identity'. To use the filter to
	458	restrict access::
cad90d	459
TS	460	[filter:authenticated_only]
	461	use = egg:repoze.who#authenticated
	462
	463	or::
	464
	465	[filter:some_predicate]
	466	use = egg:repoze.who#predicate
	467	predicate = my.module:some_predicate
	468	some_option = a value
	469
7141c7	470
TS	471	1.0.1 (2008-05-24)
	472	------------------
8199a1	473
9238cd	474	- Remove dependency-link to dist.repoze.org to prevent easy_install
CM	475	from inserting that path into its search paths (the dependencies are
	476	available from PyPI).
8199a1	477
7141c7	478
TS	479	1.0 (2008-05-04)
	480	-----------------
419946	481
9238cd	482	- The plugin at plugins.form.FormPlugin didn't redirect properly after
CM	483	collecting identification information. Symptom: a downstream app
	484	would receive a POST request with a blank body, which would
	485	sometimes result in a Bad Request error.
f39349	486
9238cd	487	- Fixed interface declarations of
CM	488	'classifiers.default_request_classifier' and
	489	'classifiers.default_password_compare'.
515c69	490
9238cd	491	- Added actual config-driven middleware factory,
CM	492	'config.make_middleware_with_config'
515c69	493
9238cd	494	- Removed fossilized 'who_conf' argument from plugin factory functions.
515c69	495
7141c7	496	- Added ConfigParser-based WhoConfig, implementing the spec outlined at
9238cd	497	http://www.plope.com/static/misc/sphinxtest/intro.html#middleware-configuration-via-config-file,
CM	498	with the following changes:
419946	499
7141c7	500	- "Bare" plugins (requiring no configuration options) may be specified
419946	501	as either egg entry points (e.g., 'egg:distname#entry_point_name') or
TS	502	as dotted-path-with-colon (e.g., 'dotted.name:object_id').
	503
7141c7	504	- Therefore, the separator between a plugin and its classifier is now
TS	505	a semicolon, rather than a colon. E.g.::
419946	506
TS	507	[plugins:id_plugin]
	508	use = egg:another.package#identify_with_frobnatz
	509	frobnatz = baz
	510
	511	[identifiers]
	512	plugins =
	513	egg:my.egg#identify;browser
	514	dotted.name:identifier
	515	id_plugin
	516
7141c7	517
779caf	518	0.9.1 (2008-04-27)
7141c7	519	------------------
779caf	520
9238cd	521	- Fix auth_tkt plugin to be able to encode and decode integer user
CM	522	ids.
779caf	523
7141c7	524
88e646	525	0.9 (2008-04-01)
7141c7	526	----------------
88e646	527
9238cd	528	- Fix bug introduced in FormPlugin in 0.8 release (rememberer headers
CM	529	not set).
88e646	530
9238cd	531	- Add PATH_INFO to started and ended log info.
d9f046	532
9238cd	533	- Add a SQLMetadataProviderPlugin (in plugins/sql).
d9f046	534
9238cd	535	- Change constructor of SQLAuthenticatorPlugin: it now accepts only
CM	536	"query", "conn_factory", and "compare_fn". The old constructor
	537	accepted a DSN, but some database systems don't use DBAPI DSNs. The
	538	new constructor accepts no DSN; the conn_factory is assumed to do
	539	all the work to make a connection, including knowing the DSN if one
	540	is required. The "conn_factory" should return something that, when
	541	called with no arguments, returns a database connection.
d9f046	542
9238cd	543	- The "make_plugin" helper in plugins/sql has been renamed
CM	544	"make_authenticator_plugin". When called, this helper will return a
	545	SQLAuthenticatorPlugin. A bit of helper logic in the
	546	"make_authenticator_plugin" allows a connection factory to be
	547	computed. The top-level callable referred to by conn_factory in
	548	this helper should return a function that, when called with no
	549	arguments, returns a datbase connection. The top-level callable
	550	itself is called with "who_conf" (global who configuration) and any
	551	number of non-top-level keyword arguments as they are passed into
	552	the helper, to allow for a DSN or URL or whatever to be passed in.
d9f046	553
9238cd	554	- A "make_metatata_plugin" helper has been added to plugins/sql. When
CM	555	called, this will make a SQLMetadataProviderPlugin. See the
	556	implementation for details. It is similar to the
	557	"make_authenticator_plugin" helper.
d9f046	558
7141c7	559
cbe4e3	560	0.8 (2008-03-27)
7141c7	561	----------------
b5a331	562
9238cd	563	- Add a RedirectingFormIdentifier plugin. This plugin is willing to
CM	564	redirect to an external (or downstream application) login form to
	565	perform identification. The external login form must post to the
	566	"login_handler_path" of the plugin (optimally with a "came_from"
	567	value to tell the plugin where to redirect the response to if the
	568	authentication works properly). The "logout_handler_path" of this
	569	plugin can be visited to perform a logout. The "came_from" value
	570	also works there.
a400b0	571
9238cd	572	- Identifier plugins are now permitted to set a key in the environment
CM	573	named 'repoze.who.application' on ingress (in 'identify'). If an
	574	identifier plugin does so, this application is used instead of the
	575	"normal" downstream application. This feature was added to more
	576	simply support the redirecting form identifier plugin.
a400b0	577
7141c7	578
a400b0	579	0.7 (2008-03-26)
7141c7	580	----------------
a400b0	581
9238cd	582	- Change the IMetadataProvider interface: this interface used to have
CM	583	a "metadata" method which returned a dictionary. This method is not
	584	part of that API anymore. It's been replaced with an "add_metadata"
	585	method which has the signature::
b5a331	586
CM	587	def add_metadata(environ, identity):
	588	"""
	589	Add metadata to the identity (which is a dictionary)
	590	"""
	591
	592	The return value is ignored. IMetadataProvider plugins are now
	593	assumed to be responsible for 'scribbling' directly on the identity
	594	that is passed in (it's a dictionary). The user id can always be
	595	retrieved from the identity via identity['repoze.who.userid'] for
	596	metadata plugins that rely on that value.
	597
7141c7	598
a400b0	599	0.6 (2008-03-20)
7141c7	600	----------------
e35c64	601
9238cd	602	- Renaming: repoze.pam is now repoze.who
cb5426	603
9238cd	604	- Bump ez_setup.py version.
e35c64	605
9238cd	606	- Add IMetadataProvider plugin type. Chris says 'Whit rules'.
fa9581	607
7141c7	608
3b67e9	609	0.5 (2008-03-09)
7141c7	610	----------------
db4cf5	611
9238cd	612	- Allow "remote user key" (default: REMOTE_USER) to be overridden
CM	613	(pass in remote_user_key to middleware constructor).
db4cf5	614
9238cd	615	- Allow form plugin to override the default form.
db4cf5	616
9238cd	617	- API change: IIdentifiers are no longer required to put both 'login'
CM	618	and 'password' in a returned identity dictionary. Instead, an
	619	IIdentifier can place arbitrary key/value pairs in the identity
	620	dictionary (or return an empty dictionary).
40a968	621
9238cd	622	- API return value change: the "failure" identity which IIdentifiers
CM	623	return is now None rather than an empty dictionary.
40a968	624
9238cd	625	- The IAuthenticator interface now specifies that IAuthenticators must
CM	626	not raise an exception when evaluating an identity that does not
	627	have "expected" key/value pairs (e.g. when an IAuthenticator that
	628	expects login and password inspects an identity returned by an
	629	IP-based auth system which only puts the IP address in the
	630	identity); instead they fail gracefully by returning None.
40a968	631
9238cd	632	- Add (cookie) "auth_tkt" identification plugin.
a5b033	633
9238cd	634	- Stamp identity dictionaries with a userid by placing a key named
CM	635	'repoze.pam.userid' into the identity for each authenticated
	636	identity.
a5b033	637
9238cd	638	- If an IIdentifier plugin inserts a 'repoze.pam.userid' key into the
CM	639	identity dictionary, consider this identity "preauthenticated". No
	640	authenticator plugins will be asked to authenticate this identity.
	641	This is designed for things like the recently added auth_tkt plugin,
	642	which embeds the user id into the ticket. This effectively alllows
	643	an IIdentifier plugin to become an IAuthenticator plugin when
	644	breaking apart the responsibility into two separate plugins is
	645	"make-work". Preauthenticated identities will be selected first
	646	when deciding which identity to use for any given request.
a5b033	647
9238cd	648	- Insert a 'repoze.pam.identity' key into the WSGI environment on
CM	649	ingress if an identity is found. Its value will be the identity
	650	dictionary related to the identity selected by repoze.pam on
	651	ingress. Downstream consumers are allowed to mutate this
	652	dictionary; this value is passed to "remember" and "forget", so its
	653	main use is to do a "credentials reset"; e.g. a user has changed his
	654	username or password within the application, but we don't want to
	655	force him to log in again after he does so.
a5b033	656
7141c7	657
247f34	658	0.4 (03-07-2008)
7141c7	659	----------------
247f34	660
9238cd	661	- Allow plugins to specify a classifiers list per interface (instead
CM	662	of a single classifiers list per plugin).
247f34	663
7141c7	664
fb510d	665	0.3 (03-05-2008)
7141c7	666	----------------
fb510d	667
9238cd	668	- Make SQLAuthenticatorPlugin's default_password_compare use hexdigest
CM	669	sha instead of base64'ed binary sha for simpler conversion.
fb510d	670
7141c7	671
196bc2	672	0.2 (03-04-2008)
7141c7	673	----------------
196bc2	674
9238cd	675	- Added SQLAuthenticatorPlugin (see plugins/sql.py).
196bc2	676
7141c7	677
318832	678	0.1 (02-27-2008)
7141c7	679	----------------
318832	680
9238cd	681	- Initial release (no configuration file support yet).