RedHatTraining/repoze.who.git

Tres Seaver

2012-11-06 87e79df73febeb83bf31d9b45f4c0f169a639a10

commit \| author \| age
7141c7	1	repoze.who Changelog
TS	2	====================
aa8755	3
c72bfe	4	2.1 (unreleased)
TS	5	----------------
	6
	7	- Documentation typo fixes from Carlos de la Guardia and Atsushi Odagiri.
	8
0cfb1a	9
TS	10	2.1b1 (2012-11-05)
	11	------------------
d9f6f4	12
TS	13	- Ported to Py3k using the "compatible subset" mode.
	14	- Dropped support for Python < 2.6.x.
	15	- Dropped dependency on Paste (forking some code from it).
	16	- Added dependency on WebOb instead.
	17	Thanks to Atsushi Odagiri (aodag) for the initial effort.
	18
	19
d03c94	20	2.0 (2011-09-28)
493726	21	----------------
TS	22
7f9907	23	- ``auth_tkt`` plugin: strip any port number from the 'Domain' of generated
TS	24	cookies. http://bugs.repoze.org/issue66
	25
493726	26	- Further harden middleware, calling ``close()`` on the iterable even if
TS	27	raising an exception for a missing challenger.
	28	http://bugs.repoze.org/issue174
	29
	30
1b2443	31	2.0b1 (2011-05-24)
TS	32	------------------
f8ef81	33
d6b53f	34	- Enabled standard use of logging module's configuration mechanism.
TS	35	See http://docs.python.org/dev/howto/logging.html#configuring-logging-for-a-library
	36	Thanks to jgoldsmith for the patch: http://bugs.repoze.org/issue178
	37
	38
f8ef81	39	- ``repoze.who.plugins.htpasswd``: defend against timing-based attacks.
TS	40
	41
2b9b1f	42	2.0a4 (2011-02-02)
TS	43	------------------
9a8e60	44
b01f44	45	- Ensure that the middleware calls ``close()`` (if it exists) on the
TS	46	iterable returned from thw wrapped application, as required by PEP 333.
	47	http://bugs.repoze.org/issue174
	48
03fba8	49	- Make ``make_api_factory_with_config`` tolerant of invalid filenames /
TS	50	content for the config file: in such cases, the API factory will have
	51	no configured plugins or policies: it will only be useful for retrieving
	52	the API from an environment populated by middleware.
	53
c61031	54	- Fix bug in ``repoze.who.api`` where the ``remember()`` or ``forget()``
TS	55	methods could return a None if the identifier plugin returned a None.
cfe26c	56
c61031	57	- Fix ``auth_tkt`` plugin to not hand over tokens as strings to paste. See
fc9a88	58	http://lists.repoze.org/pipermail/repoze-dev/2010-November/003680.html
BS	59
c61031	60	- Fix ``auth_tkt`` plugin to add "secure" and "HttpOnly" to cookies when
TS	61	configured with ``secure=True``: these attributes prevent the browser from
	62	sending cookies over insecure channels, which could be vulnerable to some
3b5782	63	XSS attacks.
d7e647	64
15e365	65	- Avoid propagating unicode 'max_age' value into cookie headers. See
TS	66	https://bugs.launchpad.net/bugs/674123 .
	67
e8080a	68	- Added a single-file example BFG application demonstrating the use of
TS	69	the new 'login' and 'logout' methods of the API object.
	70
924f24	71	- Add ``login`` and ``logout`` methods to the ``repoze.who.api.API`` object,
TS	72	as a convenience for application-driven login / logout code, which would
95f147	73	otherwise need to use private methods of the API, and reach down into
TS	74	its plugins.
f8ef81	75
9a8e60	76
2c742e	77	2.0a3 (2010-09-30)
eb7071	78	------------------
f80021	79
a446d6	80	- Deprecated the following plugins, moving their modules, tests, and docs
ff604c	81	to a new project, ``repoze.who.deprecatedplugins``:
a446d6	82
TS	83	- ``repoze.who.plugins.cookie.InsecureCookiePlugin``
	84
630a05	85	- ``repoze.who.plugins.form.FormPlugin``
a446d6	86
630a05	87	- ``repoze.who.plugins.form.RedirectingFormPlugin``
a446d6	88
TS	89	- Made the ``repoze.who.plugins.cookie.InsecureCookiePlugin`` take a
76e951	90	``charset`` argument, and use to to encode / decode login and password.
TS	91	See http://bugs.repoze.org/issue155
	92
a446d6	93	- Updated ``repoze.who.restrict`` to return headers as a list, to keep
TS	94	``wsgiref`` from complaining.
5b6365	95
a446d6	96	- Helped default request classifier cope with xml submissions with an
6b7b34	97	explicit charset defined: http://bugs.repoze.org/issue145 (Lorenzo
CM	98	M. Catucci)
	99
a446d6	100	- Corrected the handling of type and subtype when matching an XML post
6b7b34	101	to ``xmlpost`` in the default classifier, which, according to RFC
CM	102	2045, must be matched case-insensitively:
	103	http://bugs.repoze.org/issue145 (Lorenzo M. Catucci)
	104
a349a2	105	- Added ``repoze.who.config:make_api_factory_with_config``, a convenience
TS	106	method for applications which want to set up their own API Factory from
	107	a configuration file.
	108
f80021	109	- Fixed example call to ``repoze.who.config:make_middleware_with_config``
TS	110	(added missing ``global_config`` argument). See
	111	http://bugs.repoze.org/issue114
	112
f8ef81	113
c186ae	114	2.0a2 (2010-03-25)
TS	115	------------------
52bc23	116
TS	117	Bugs Fixed
	118	~~~~~~~~~~
	119
	120	- Fixed failure to pass substution values in log message string formatting
	121	for ``repoze.who.api:API.challenge``. Fix included adding tests for all
	122	logging done by the API object. See http://bugs.repoze.org/issue122
	123
	124	Backward Incompatibilities
	125	~~~~~~~~~~~~~~~~~~~~~~~~~~
	126
	127	- Adjusted logging level for some lower-level details from ``info``
	128	to ``debug``.
f8ef81	129
52bc23	130
TS	131
e25b84	132	2.0a1 (2010-02-24)
993216	133	------------------
TS	134
b4b8ee	135	Features
TS	136	~~~~~~~~
62cd25	137
c9c1c6	138	- Restored the ability to create the middleware using the old ``classifier``
TS	139	argument. That argument is now a deprecated-but-will-work-forever alias for
	140	``request_classifier``.
cbc983	141
b0f81f	142	- The ``auth_tkt`` plugin now implements the ``IAuthenticator`` interface,
TS	143	and should normally be used both as an ``IIdentifier`` and an
	144	``IAuthenticator``.
	145
993216	146	- Factored out the API of the middleware object to make it useful from
TS	147	within the application. Applications using ``repoze.who``` now fall into
	148	one of three catgeories:
	149
	150	- "middleware-only" applications are configured with middleware, and
	151	use either ``REMOTE_USER`` or ``repoze.who.identity`` from the environment
	152	to determing the authenticated user.
	153
	154	- "bare metal" applications use no ``repoze.who`` middleware at all:
	155	instead, they configure and an ``APIFactory`` object at startup, and
	156	use it to create an ``API`` object when needed on a per-request basis.
	157
	158	- "hybrid" applications are configured with ``repoze.who`` middleware,
	159	but use a new library function to fetch the ``API`` object from the
c9c1c6	160	environ, e.g. to permit calling ``remember`` after a signup or successful
TS	161	login.
993216	162
b4b8ee	163	Bugs Fixed
TS	164	~~~~~~~~~~
	165
	166	- Fix http://bugs.repoze.org/issue102: when no challengers existed,
	167	logging would cause an exception.
	168
	169	- Remove ``ez_setup.py`` and dependency on it in setup.py (support
	170	distribute).
	171
	172	Backward Incompatibilities
	173	~~~~~~~~~~~~~~~~~~~~~~~~~~
	174
b213af	175	- The middleware used to allow identifier plugins to "pre-authenticate"
TS	176	an identity. This feature is no longer supported: the ``auth_tkt``
	177	plugin, which used to use the feature, is now configured to work as
c9c1c6	178	an authenticator plugin (as well as an identifier).
b213af	179
b4b8ee	180	- The ``repoze.who.middleware:PluggableAuthenticationMiddleware`` class
TS	181	no longer has the following (non-API) methods (now made API methods
	182	of the ``repoze.who.api:API`` class):
	183
	184	- ``add_metadata``
	185	- ``authenticate``
	186	- ``challenge``
	187	- ``identify``
	188
	189	- The following (non-API) functions moved from ``repoze.who.middleware`` to
	190	``repoze.who.api``:
	191
	192	- ``make_registries``
	193	- ``match_classification``
	194	- ``verify``
	195
	196
f8ef81	197
060054	198	1.0.18 (2009-11-05)
TS	199	-------------------
798feb	200
TS	201	- Issue #104: AuthTkt plugin was passing an invalid cookie value in
	202	headers from ``forget``, and was not setting the ``Max-Age`` and
	203	``Expires`` attributes of those cookies.
	204
b4b8ee	205
f8ef81	206
6e136f	207	1.0.17 (2009-11-05)
TS	208	-------------------
e0d138	209
TS	210	- Fixed the ``repoze.who.plugins.form.make_plugin`` factory's ``formcallable``
	211	argument handling, to allow passing in a dotted name (e.g., from a config
	212	file).
	213
b4b8ee	214
f8ef81	215
6b15ee	216	1.0.16 (2009-11-04)
028e4d	217	-------------------
1ec83d	218
8dd881	219	- Exposed ``formcallable`` argument for ``repoze.who.plugins.form.FormPlugin``
TS	220	to the callers of the ``repoze.who.plugins.form.make_plugin`` factory.
	221	Thanks to Roland Hedburg for the report.
21a9c5	222
8dd881	223	- Fixed an issue that caused the following symptom when using the
TS	224	ini configuration parser::
	225
	226	TypeError: _makePlugin() got multiple values for keyword argument 'name'
21a9c5	227
CM	228	See http://bugs.repoze.org/issue92 for more details. Thanks to vaab
	229	for the bug report and initial fix.
	230
1ec83d	231
7141c7	232	1.0.15 (2009-06-25)
TS	233	-------------------
299b4c	234
a14163	235	- If the form post value ``max_age`` exists while in the ``identify``
CM	236	method is handling the ``login_handler_path``, pass the max_age
	237	value in the returned identity dictionary as ``max_age``. See the
	238	below bullet point for why.
	239
299b4c	240	- If the ``identity`` dict passed to the ``auth_tkt`` ``remember``
CM	241	method contains a ``max_age`` key with a string (or integer) value,
	242	treat it as a cue to set the ``Max-Age`` and ``Expires`` headers in
	243	the returned cookies. The cookie ``Max-Age`` is set to the value
	244	and the ``Expires`` is computed from the current time.
	245
7141c7	246
TS	247	1.0.14 (2009-06-17)
	248	-------------------
9318dd	249
1810b2	250	- Fix test breakage on Windows. See http://bugs.repoze.org/issue79 .
TS	251
00a6d9	252	- Documented issue with using ``include_ip`` setting in the ``auth_tkt``
TS	253	plugin. See http://bugs.repoze.org/issue81 .
	254
0dd808	255	- Added 'passthrough_challenge_decider', which avoids re-challenging 401
TS	256	responses which have been "pre-challenged" by the application.
	257
9318dd	258	- One-hundred percent unit test coverage.
TS	259
a6f6dc	260	- Add ``timeout`` and ``reissue_time`` arguments to the auth_tkt
CM	261	identifier plugin, courtesty of Paul Johnston.
	262
	263	- Add a ``userid_checker`` argument to the auth_tkt identifier plugin,
	264	courtesty of Gustavo Narea.
	265
	266	If ``userid_checker`` is provided, it must be a dotted Python name
	267	that resolves to a function which accepts a userid and returns a
	268	boolean True or False, indicating whether that user exists in a
	269	database. This is a workaround. Due to a design bug in repoze.who,
	270	the only way who can check for user existence is to use one or more
	271	IAuthenticator plugin ``authenticate`` methods. If an
	272	IAuthenticator's ``authenticate`` method returns true, it means that
	273	the user exists. However most IAuthenticator plugins expect both
	274	a username and a password, and will return False unconditionally if
	275	both aren't supplied. This means that an authenticator can't be
	276	used to check if the user "only" exists. The identity provided by
	277	an auth_tkt does not contain a password to check against. The
	278	actual design bug in repoze.who is this: when a user presents
	279	credentials from an auth_tkt, he is considered "preauthenticated".
	280	IAuthenticator.authenticate is just never called for a
	281	"preauthenticated" identity, which works fine, but it means that the
	282	user will be considered authenticated even if you deleted the user's
	283	record from whatever database you happen to be using. However, if
	284	you use a userid_checker, you can ensure that a user exists for the
	285	auth_tkt supplied userid. If the userid_checker returns False, the
	286	auth_tkt credentials are considered "no good".
	287
7141c7	288
TS	289	1.0.13 (2009-04-24)
	290	-------------------
64ba13	291
TS	292	- Added a paragraph to ``IAuthenticator`` docstring, documenting that plugins
	293	are allowed to add keys to the ``identity`` dictionary (e.g., to save a
ced7bd	294	second database query in an ``IMetadataProvider`` plugin).
64ba13	295
08b2ae	296	- Patch supplied for issue #71 (http://bugs.repoze.org/issue71)
CM	297	whereby a downstream app can return a generator, relying on an
	298	upstream component to call start_response. We do this because the
	299	challenge decider needs the status and headers to decide what to do.
	300
56d0c5	301
7141c7	302	1.0.12 (2009-04-19)
TS	303	-------------------
56d0c5	304	- auth_tkt plugin tried to append REMOTE_USER_TOKENS data to
CM	305	existing tokens data returned by auth_tkt.parse_tkt; this was
	306	incorrect; just overwrite.
0ee58d	307
TS	308	- Extended auth_tkt plugin factory to allow passing secret in a separate
	309	file from the main config file. See http://bugs.repoze.org/issue40 .
	310
7141c7	311
TS	312	1.0.11 (2009-04-10)
	313	-------------------
afbbcd	314
8c20ba	315	- Fix auth_tkt plugin; cookie values are now quoted, making it possible
CM	316	to put spaces and other whitespace, etc in usernames. (thanks to Michael
95736b	317	Pedersen).
8c20ba	318
afbbcd	319	- Fix corner case issue of an exception raised when attempting to log
CM	320	when there are no identifiers or authenticators.
	321
7141c7	322
TS	323	1.0.10 (2009-01-23)
	324	-------------------
7b931d	325
CM	326	- The RedirectingFormPlugin now passes along SetCookie headers set
	327	into the response by the application within the NotFound response
	328	(fixes TG2 "flash" issue).
	329
7141c7	330
TS	331	1.0.9 (2008-12-18)
	332	------------------
30ab69	333
9238cd	334	- The RedirectingFormPlugin now attempts to find a header named
CM	335	``X-Authentication-Failure-Reason`` among the response headers set
	336	by the application when a challenge is issued. If a value for this
	337	header exists (and is non-blank), the value is attached to the
	338	redirect URL's query string as the ``reason`` parameter (or a
	339	user-settable key). This makes it possible for downstream
	340	applications to issue a response that initiates a challenge with
	341	this header and subsequently display the reason in the login form
	342	rendered as a result of the challenge.
30ab69	343
7141c7	344
TS	345	1.0.8 (2008-12-13)
	346	------------------
186ff6	347
9238cd	348	- The ``PluggableAuthenticationMiddleware`` constructor accepts a
CM	349	``log_stream`` argument, which is typically a file. After this
	350	release, it can also be a PEP 333 ``Logger`` instance; if it is a
	351	PEP 333 ``Logger`` instance, this logger will be used as the
	352	repoze.who logger (instead of one being constructed by the
	353	middleware, as was previously always the case). When the
	354	``log_stream`` argument is a PEP 333 Logger object, the
	355	``log_level`` argument is ignored.
186ff6	356
7141c7	357
TS	358	1.0.7 (2008-08-28)
	359	------------------
37de44	360
9238cd	361	- ``repoze.who`` and ``repoze.who.plugins`` were not added to the
CM	362	``namespace_packages`` list in setup.py, potentially making 1.0.6 a
	363	brownbag release, given that making these packages namespace
	364	packages was the only reason for its release.
37de44	365
7141c7	366
TS	367	1.0.6 (2008-08-28)
	368	------------------
facdf8	369
9238cd	370	- Make repoze.who and repoze.who.plugins into namespace packages
CM	371	mainly so we can allow plugin authors to distribute packages in the
	372	repoze.who.plugins namespace.
facdf8	373
7141c7	374
TS	375	1.0.5 (2008-08-23)
	376	------------------
519300	377
9238cd	378	- Fix auth_tkt plugin to set the same cookies in its ``remember``
CM	379	method that it does in its ``forget`` method. Previously, logging
	380	out and relogging back in to a site that used auth_tkt identifier
	381	plugin was slightly dicey and would only work sometimes.
facdf8	382
9238cd	383	- The FormPlugin plugin has grown a redirect-on-unauthorized feature.
CM	384	Any response from a downstream application that causes a challenge
	385	and includes a Location header will cause a redirect to the value of
	386	the Location header.
dee08c	387
7141c7	388
TS	389	1.0.4 (2008-08-22)
	390	------------------
b95a59	391
9238cd	392	- Added a key to the '[general]' config section: ``remote_user_key``.
CM	393	If you use this key in the config file, it tells who to 1) not
	394	perform any authentication if it exists in the environment during
	395	ingress and 2) to set the key in the environment for the downstream
	396	app to use as the REMOTE_USER variable. The default is
	397	``REMOTE_USER``.
b95a59	398
9238cd	399	- Using unicode user ids in combination with the auth_tkt plugin would
CM	400	cause problems under mod_wsgi.
55dc7a	401
9238cd	402	- Allowed 'cookie_path' argument to InsecureCookiePlugin (and config
CM	403	constructor). Thanks to Gustavo Narea.
55dc7a	404
7141c7	405
TS	406	1.0.3 (2008-08-16)
	407	------------------
f693fe	408
9238cd	409	- A bug in the middleware's ``authenticate`` method made it impossible
CM	410	to authenticate a user with a userid that was null (e.g. 0, False),
	411	which are valid identifiers. The only invalid userid is now None.
c7e12d	412
9238cd	413	- Applied patch from Olaf Conradi which logs an error when an invalid
CM	414	filename is passed to the HTPasswdPlugin.
c7e12d	415
7141c7	416
TS	417	1.0.2 (2008-06-16)
	418	------------------
cad90d	419
9238cd	420	- Fix bug found by Chris Perkins: the auth_tkt plugin's "remember"
CM	421	method didn't handle userids which are Python "long" instances
	422	properly. Symptom: TypeError: cannot concatenate 'str' and 'long'
	423	objects in "paste.auth.auth_tkt".
a2c030	424
9238cd	425	- Added predicate-based "restriction" middleware support
CM	426	(repoze.who.restrict), allowing configuratio-driven authorization as
	427	a WSGI filter. One example predicate, 'authenticated_predicate', is
	428	supplied, which requires that the user be authenticated either via
	429	'REMOTE_USER' or via 'repoze.who.identity'. To use the filter to
	430	restrict access::
cad90d	431
TS	432	[filter:authenticated_only]
	433	use = egg:repoze.who#authenticated
	434
	435	or::
	436
	437	[filter:some_predicate]
	438	use = egg:repoze.who#predicate
	439	predicate = my.module:some_predicate
	440	some_option = a value
	441
7141c7	442
TS	443	1.0.1 (2008-05-24)
	444	------------------
8199a1	445
9238cd	446	- Remove dependency-link to dist.repoze.org to prevent easy_install
CM	447	from inserting that path into its search paths (the dependencies are
	448	available from PyPI).
8199a1	449
7141c7	450
TS	451	1.0 (2008-05-04)
	452	-----------------
419946	453
9238cd	454	- The plugin at plugins.form.FormPlugin didn't redirect properly after
CM	455	collecting identification information. Symptom: a downstream app
	456	would receive a POST request with a blank body, which would
	457	sometimes result in a Bad Request error.
f39349	458
9238cd	459	- Fixed interface declarations of
CM	460	'classifiers.default_request_classifier' and
	461	'classifiers.default_password_compare'.
515c69	462
9238cd	463	- Added actual config-driven middleware factory,
CM	464	'config.make_middleware_with_config'
515c69	465
9238cd	466	- Removed fossilized 'who_conf' argument from plugin factory functions.
515c69	467
7141c7	468	- Added ConfigParser-based WhoConfig, implementing the spec outlined at
9238cd	469	http://www.plope.com/static/misc/sphinxtest/intro.html#middleware-configuration-via-config-file,
CM	470	with the following changes:
419946	471
7141c7	472	- "Bare" plugins (requiring no configuration options) may be specified
419946	473	as either egg entry points (e.g., 'egg:distname#entry_point_name') or
TS	474	as dotted-path-with-colon (e.g., 'dotted.name:object_id').
	475
7141c7	476	- Therefore, the separator between a plugin and its classifier is now
TS	477	a semicolon, rather than a colon. E.g.::
419946	478
TS	479	[plugins:id_plugin]
	480	use = egg:another.package#identify_with_frobnatz
	481	frobnatz = baz
	482
	483	[identifiers]
	484	plugins =
	485	egg:my.egg#identify;browser
	486	dotted.name:identifier
	487	id_plugin
	488
7141c7	489
779caf	490	0.9.1 (2008-04-27)
7141c7	491	------------------
779caf	492
9238cd	493	- Fix auth_tkt plugin to be able to encode and decode integer user
CM	494	ids.
779caf	495
7141c7	496
88e646	497	0.9 (2008-04-01)
7141c7	498	----------------
88e646	499
9238cd	500	- Fix bug introduced in FormPlugin in 0.8 release (rememberer headers
CM	501	not set).
88e646	502
9238cd	503	- Add PATH_INFO to started and ended log info.
d9f046	504
9238cd	505	- Add a SQLMetadataProviderPlugin (in plugins/sql).
d9f046	506
9238cd	507	- Change constructor of SQLAuthenticatorPlugin: it now accepts only
CM	508	"query", "conn_factory", and "compare_fn". The old constructor
	509	accepted a DSN, but some database systems don't use DBAPI DSNs. The
	510	new constructor accepts no DSN; the conn_factory is assumed to do
	511	all the work to make a connection, including knowing the DSN if one
	512	is required. The "conn_factory" should return something that, when
	513	called with no arguments, returns a database connection.
d9f046	514
9238cd	515	- The "make_plugin" helper in plugins/sql has been renamed
CM	516	"make_authenticator_plugin". When called, this helper will return a
	517	SQLAuthenticatorPlugin. A bit of helper logic in the
	518	"make_authenticator_plugin" allows a connection factory to be
	519	computed. The top-level callable referred to by conn_factory in
	520	this helper should return a function that, when called with no
	521	arguments, returns a datbase connection. The top-level callable
	522	itself is called with "who_conf" (global who configuration) and any
	523	number of non-top-level keyword arguments as they are passed into
	524	the helper, to allow for a DSN or URL or whatever to be passed in.
d9f046	525
9238cd	526	- A "make_metatata_plugin" helper has been added to plugins/sql. When
CM	527	called, this will make a SQLMetadataProviderPlugin. See the
	528	implementation for details. It is similar to the
	529	"make_authenticator_plugin" helper.
d9f046	530
7141c7	531
cbe4e3	532	0.8 (2008-03-27)
7141c7	533	----------------
b5a331	534
9238cd	535	- Add a RedirectingFormIdentifier plugin. This plugin is willing to
CM	536	redirect to an external (or downstream application) login form to
	537	perform identification. The external login form must post to the
	538	"login_handler_path" of the plugin (optimally with a "came_from"
	539	value to tell the plugin where to redirect the response to if the
	540	authentication works properly). The "logout_handler_path" of this
	541	plugin can be visited to perform a logout. The "came_from" value
	542	also works there.
a400b0	543
9238cd	544	- Identifier plugins are now permitted to set a key in the environment
CM	545	named 'repoze.who.application' on ingress (in 'identify'). If an
	546	identifier plugin does so, this application is used instead of the
	547	"normal" downstream application. This feature was added to more
	548	simply support the redirecting form identifier plugin.
a400b0	549
7141c7	550
a400b0	551	0.7 (2008-03-26)
7141c7	552	----------------
a400b0	553
9238cd	554	- Change the IMetadataProvider interface: this interface used to have
CM	555	a "metadata" method which returned a dictionary. This method is not
	556	part of that API anymore. It's been replaced with an "add_metadata"
	557	method which has the signature::
b5a331	558
CM	559	def add_metadata(environ, identity):
	560	"""
	561	Add metadata to the identity (which is a dictionary)
	562	"""
	563
	564	The return value is ignored. IMetadataProvider plugins are now
	565	assumed to be responsible for 'scribbling' directly on the identity
	566	that is passed in (it's a dictionary). The user id can always be
	567	retrieved from the identity via identity['repoze.who.userid'] for
	568	metadata plugins that rely on that value.
	569
7141c7	570
a400b0	571	0.6 (2008-03-20)
7141c7	572	----------------
e35c64	573
9238cd	574	- Renaming: repoze.pam is now repoze.who
cb5426	575
9238cd	576	- Bump ez_setup.py version.
e35c64	577
9238cd	578	- Add IMetadataProvider plugin type. Chris says 'Whit rules'.
fa9581	579
7141c7	580
3b67e9	581	0.5 (2008-03-09)
7141c7	582	----------------
db4cf5	583
9238cd	584	- Allow "remote user key" (default: REMOTE_USER) to be overridden
CM	585	(pass in remote_user_key to middleware constructor).
db4cf5	586
9238cd	587	- Allow form plugin to override the default form.
db4cf5	588
9238cd	589	- API change: IIdentifiers are no longer required to put both 'login'
CM	590	and 'password' in a returned identity dictionary. Instead, an
	591	IIdentifier can place arbitrary key/value pairs in the identity
	592	dictionary (or return an empty dictionary).
40a968	593
9238cd	594	- API return value change: the "failure" identity which IIdentifiers
CM	595	return is now None rather than an empty dictionary.
40a968	596
9238cd	597	- The IAuthenticator interface now specifies that IAuthenticators must
CM	598	not raise an exception when evaluating an identity that does not
	599	have "expected" key/value pairs (e.g. when an IAuthenticator that
	600	expects login and password inspects an identity returned by an
	601	IP-based auth system which only puts the IP address in the
	602	identity); instead they fail gracefully by returning None.
40a968	603
9238cd	604	- Add (cookie) "auth_tkt" identification plugin.
a5b033	605
9238cd	606	- Stamp identity dictionaries with a userid by placing a key named
CM	607	'repoze.pam.userid' into the identity for each authenticated
	608	identity.
a5b033	609
9238cd	610	- If an IIdentifier plugin inserts a 'repoze.pam.userid' key into the
CM	611	identity dictionary, consider this identity "preauthenticated". No
	612	authenticator plugins will be asked to authenticate this identity.
	613	This is designed for things like the recently added auth_tkt plugin,
	614	which embeds the user id into the ticket. This effectively alllows
	615	an IIdentifier plugin to become an IAuthenticator plugin when
	616	breaking apart the responsibility into two separate plugins is
	617	"make-work". Preauthenticated identities will be selected first
	618	when deciding which identity to use for any given request.
a5b033	619
9238cd	620	- Insert a 'repoze.pam.identity' key into the WSGI environment on
CM	621	ingress if an identity is found. Its value will be the identity
	622	dictionary related to the identity selected by repoze.pam on
	623	ingress. Downstream consumers are allowed to mutate this
	624	dictionary; this value is passed to "remember" and "forget", so its
	625	main use is to do a "credentials reset"; e.g. a user has changed his
	626	username or password within the application, but we don't want to
	627	force him to log in again after he does so.
a5b033	628
7141c7	629
247f34	630	0.4 (03-07-2008)
7141c7	631	----------------
247f34	632
9238cd	633	- Allow plugins to specify a classifiers list per interface (instead
CM	634	of a single classifiers list per plugin).
247f34	635
7141c7	636
fb510d	637	0.3 (03-05-2008)
7141c7	638	----------------
fb510d	639
9238cd	640	- Make SQLAuthenticatorPlugin's default_password_compare use hexdigest
CM	641	sha instead of base64'ed binary sha for simpler conversion.
fb510d	642
7141c7	643
196bc2	644	0.2 (03-04-2008)
7141c7	645	----------------
196bc2	646
9238cd	647	- Added SQLAuthenticatorPlugin (see plugins/sql.py).
196bc2	648
7141c7	649
318832	650	0.1 (02-27-2008)
7141c7	651	----------------
318832	652
9238cd	653	- Initial release (no configuration file support yet).