RedHatTraining/repoze.who.git

Tres Seaver

2013-05-18 9cd0f87c361d02beb153586aaf913963da1216f6

commit \| author \| age
7141c7	1	repoze.who Changelog
TS	2	====================
aa8755	3
9cd0f8	4	2.2 (2013-05-17)
a4b584	5	----------------
TS	6
1d7c19	7	- Parse INI-file configuration using ``SafeConfigParser``: allows
TS	8	escaping the ``'%'`` so that e.g. a query template using for a DB-API
	9	connection using ``pyformat`` preserves the template.
	10
a4b584	11	- Added support for Python 3.3, PyPy.
TS	12
d96616	13
717490	14	2.1 (2013-03-20)
c72bfe	15	----------------
TS	16
5ecc71	17	- ``_compat`` module: tolerate missing ``CONTENT_TYPE`` key in the WSGI
TS	18	environment. Thanks to Dag Hoidal for the patch.
	19
d96616	20	- ``htpasswd`` plugin: add a ``sha1_check`` checker function (the ``crypt``
TS	21	module is not available on Windows). Thanks to Chandrashekar Jayaraman
	22	for the patch.
	23
c72bfe	24	- Documentation typo fixes from Carlos de la Guardia and Atsushi Odagiri.
TS	25
0cfb1a	26
TS	27	2.1b1 (2012-11-05)
	28	------------------
d9f6f4	29
TS	30	- Ported to Py3k using the "compatible subset" mode.
	31	- Dropped support for Python < 2.6.x.
	32	- Dropped dependency on Paste (forking some code from it).
	33	- Added dependency on WebOb instead.
	34	Thanks to Atsushi Odagiri (aodag) for the initial effort.
	35
	36
d03c94	37	2.0 (2011-09-28)
493726	38	----------------
TS	39
7f9907	40	- ``auth_tkt`` plugin: strip any port number from the 'Domain' of generated
TS	41	cookies. http://bugs.repoze.org/issue66
	42
493726	43	- Further harden middleware, calling ``close()`` on the iterable even if
TS	44	raising an exception for a missing challenger.
	45	http://bugs.repoze.org/issue174
	46
	47
1b2443	48	2.0b1 (2011-05-24)
TS	49	------------------
f8ef81	50
d6b53f	51	- Enabled standard use of logging module's configuration mechanism.
TS	52	See http://docs.python.org/dev/howto/logging.html#configuring-logging-for-a-library
	53	Thanks to jgoldsmith for the patch: http://bugs.repoze.org/issue178
	54
	55
f8ef81	56	- ``repoze.who.plugins.htpasswd``: defend against timing-based attacks.
TS	57
	58
2b9b1f	59	2.0a4 (2011-02-02)
TS	60	------------------
9a8e60	61
b01f44	62	- Ensure that the middleware calls ``close()`` (if it exists) on the
TS	63	iterable returned from thw wrapped application, as required by PEP 333.
	64	http://bugs.repoze.org/issue174
	65
03fba8	66	- Make ``make_api_factory_with_config`` tolerant of invalid filenames /
TS	67	content for the config file: in such cases, the API factory will have
	68	no configured plugins or policies: it will only be useful for retrieving
	69	the API from an environment populated by middleware.
	70
c61031	71	- Fix bug in ``repoze.who.api`` where the ``remember()`` or ``forget()``
TS	72	methods could return a None if the identifier plugin returned a None.
cfe26c	73
c61031	74	- Fix ``auth_tkt`` plugin to not hand over tokens as strings to paste. See
fc9a88	75	http://lists.repoze.org/pipermail/repoze-dev/2010-November/003680.html
BS	76
c61031	77	- Fix ``auth_tkt`` plugin to add "secure" and "HttpOnly" to cookies when
TS	78	configured with ``secure=True``: these attributes prevent the browser from
	79	sending cookies over insecure channels, which could be vulnerable to some
3b5782	80	XSS attacks.
d7e647	81
15e365	82	- Avoid propagating unicode 'max_age' value into cookie headers. See
TS	83	https://bugs.launchpad.net/bugs/674123 .
	84
e8080a	85	- Added a single-file example BFG application demonstrating the use of
TS	86	the new 'login' and 'logout' methods of the API object.
	87
924f24	88	- Add ``login`` and ``logout`` methods to the ``repoze.who.api.API`` object,
TS	89	as a convenience for application-driven login / logout code, which would
95f147	90	otherwise need to use private methods of the API, and reach down into
TS	91	its plugins.
f8ef81	92
9a8e60	93
2c742e	94	2.0a3 (2010-09-30)
eb7071	95	------------------
f80021	96
a446d6	97	- Deprecated the following plugins, moving their modules, tests, and docs
ff604c	98	to a new project, ``repoze.who.deprecatedplugins``:
a446d6	99
TS	100	- ``repoze.who.plugins.cookie.InsecureCookiePlugin``
	101
630a05	102	- ``repoze.who.plugins.form.FormPlugin``
a446d6	103
630a05	104	- ``repoze.who.plugins.form.RedirectingFormPlugin``
a446d6	105
TS	106	- Made the ``repoze.who.plugins.cookie.InsecureCookiePlugin`` take a
76e951	107	``charset`` argument, and use to to encode / decode login and password.
TS	108	See http://bugs.repoze.org/issue155
	109
a446d6	110	- Updated ``repoze.who.restrict`` to return headers as a list, to keep
TS	111	``wsgiref`` from complaining.
5b6365	112
a446d6	113	- Helped default request classifier cope with xml submissions with an
6b7b34	114	explicit charset defined: http://bugs.repoze.org/issue145 (Lorenzo
CM	115	M. Catucci)
	116
a446d6	117	- Corrected the handling of type and subtype when matching an XML post
6b7b34	118	to ``xmlpost`` in the default classifier, which, according to RFC
CM	119	2045, must be matched case-insensitively:
	120	http://bugs.repoze.org/issue145 (Lorenzo M. Catucci)
	121
a349a2	122	- Added ``repoze.who.config:make_api_factory_with_config``, a convenience
TS	123	method for applications which want to set up their own API Factory from
	124	a configuration file.
	125
f80021	126	- Fixed example call to ``repoze.who.config:make_middleware_with_config``
TS	127	(added missing ``global_config`` argument). See
	128	http://bugs.repoze.org/issue114
	129
f8ef81	130
c186ae	131	2.0a2 (2010-03-25)
TS	132	------------------
52bc23	133
TS	134	Bugs Fixed
	135	~~~~~~~~~~
	136
	137	- Fixed failure to pass substution values in log message string formatting
	138	for ``repoze.who.api:API.challenge``. Fix included adding tests for all
	139	logging done by the API object. See http://bugs.repoze.org/issue122
	140
	141	Backward Incompatibilities
	142	~~~~~~~~~~~~~~~~~~~~~~~~~~
	143
	144	- Adjusted logging level for some lower-level details from ``info``
	145	to ``debug``.
f8ef81	146
52bc23	147
TS	148
e25b84	149	2.0a1 (2010-02-24)
993216	150	------------------
TS	151
b4b8ee	152	Features
TS	153	~~~~~~~~
62cd25	154
c9c1c6	155	- Restored the ability to create the middleware using the old ``classifier``
TS	156	argument. That argument is now a deprecated-but-will-work-forever alias for
	157	``request_classifier``.
cbc983	158
b0f81f	159	- The ``auth_tkt`` plugin now implements the ``IAuthenticator`` interface,
TS	160	and should normally be used both as an ``IIdentifier`` and an
	161	``IAuthenticator``.
	162
993216	163	- Factored out the API of the middleware object to make it useful from
TS	164	within the application. Applications using ``repoze.who``` now fall into
	165	one of three catgeories:
	166
	167	- "middleware-only" applications are configured with middleware, and
	168	use either ``REMOTE_USER`` or ``repoze.who.identity`` from the environment
	169	to determing the authenticated user.
	170
	171	- "bare metal" applications use no ``repoze.who`` middleware at all:
	172	instead, they configure and an ``APIFactory`` object at startup, and
	173	use it to create an ``API`` object when needed on a per-request basis.
	174
	175	- "hybrid" applications are configured with ``repoze.who`` middleware,
	176	but use a new library function to fetch the ``API`` object from the
c9c1c6	177	environ, e.g. to permit calling ``remember`` after a signup or successful
TS	178	login.
993216	179
b4b8ee	180	Bugs Fixed
TS	181	~~~~~~~~~~
	182
	183	- Fix http://bugs.repoze.org/issue102: when no challengers existed,
	184	logging would cause an exception.
	185
	186	- Remove ``ez_setup.py`` and dependency on it in setup.py (support
	187	distribute).
	188
	189	Backward Incompatibilities
	190	~~~~~~~~~~~~~~~~~~~~~~~~~~
	191
b213af	192	- The middleware used to allow identifier plugins to "pre-authenticate"
TS	193	an identity. This feature is no longer supported: the ``auth_tkt``
	194	plugin, which used to use the feature, is now configured to work as
c9c1c6	195	an authenticator plugin (as well as an identifier).
b213af	196
b4b8ee	197	- The ``repoze.who.middleware:PluggableAuthenticationMiddleware`` class
TS	198	no longer has the following (non-API) methods (now made API methods
	199	of the ``repoze.who.api:API`` class):
	200
	201	- ``add_metadata``
	202	- ``authenticate``
	203	- ``challenge``
	204	- ``identify``
	205
	206	- The following (non-API) functions moved from ``repoze.who.middleware`` to
	207	``repoze.who.api``:
	208
	209	- ``make_registries``
	210	- ``match_classification``
	211	- ``verify``
	212
	213
f8ef81	214
060054	215	1.0.18 (2009-11-05)
TS	216	-------------------
798feb	217
TS	218	- Issue #104: AuthTkt plugin was passing an invalid cookie value in
	219	headers from ``forget``, and was not setting the ``Max-Age`` and
	220	``Expires`` attributes of those cookies.
	221
b4b8ee	222
f8ef81	223
6e136f	224	1.0.17 (2009-11-05)
TS	225	-------------------
e0d138	226
TS	227	- Fixed the ``repoze.who.plugins.form.make_plugin`` factory's ``formcallable``
	228	argument handling, to allow passing in a dotted name (e.g., from a config
	229	file).
	230
b4b8ee	231
f8ef81	232
6b15ee	233	1.0.16 (2009-11-04)
028e4d	234	-------------------
1ec83d	235
8dd881	236	- Exposed ``formcallable`` argument for ``repoze.who.plugins.form.FormPlugin``
TS	237	to the callers of the ``repoze.who.plugins.form.make_plugin`` factory.
	238	Thanks to Roland Hedburg for the report.
21a9c5	239
8dd881	240	- Fixed an issue that caused the following symptom when using the
TS	241	ini configuration parser::
	242
	243	TypeError: _makePlugin() got multiple values for keyword argument 'name'
21a9c5	244
CM	245	See http://bugs.repoze.org/issue92 for more details. Thanks to vaab
	246	for the bug report and initial fix.
	247
1ec83d	248
7141c7	249	1.0.15 (2009-06-25)
TS	250	-------------------
299b4c	251
a14163	252	- If the form post value ``max_age`` exists while in the ``identify``
CM	253	method is handling the ``login_handler_path``, pass the max_age
	254	value in the returned identity dictionary as ``max_age``. See the
	255	below bullet point for why.
	256
299b4c	257	- If the ``identity`` dict passed to the ``auth_tkt`` ``remember``
CM	258	method contains a ``max_age`` key with a string (or integer) value,
	259	treat it as a cue to set the ``Max-Age`` and ``Expires`` headers in
	260	the returned cookies. The cookie ``Max-Age`` is set to the value
	261	and the ``Expires`` is computed from the current time.
	262
7141c7	263
TS	264	1.0.14 (2009-06-17)
	265	-------------------
9318dd	266
1810b2	267	- Fix test breakage on Windows. See http://bugs.repoze.org/issue79 .
TS	268
00a6d9	269	- Documented issue with using ``include_ip`` setting in the ``auth_tkt``
TS	270	plugin. See http://bugs.repoze.org/issue81 .
	271
0dd808	272	- Added 'passthrough_challenge_decider', which avoids re-challenging 401
TS	273	responses which have been "pre-challenged" by the application.
	274
9318dd	275	- One-hundred percent unit test coverage.
TS	276
a6f6dc	277	- Add ``timeout`` and ``reissue_time`` arguments to the auth_tkt
CM	278	identifier plugin, courtesty of Paul Johnston.
	279
	280	- Add a ``userid_checker`` argument to the auth_tkt identifier plugin,
	281	courtesty of Gustavo Narea.
	282
	283	If ``userid_checker`` is provided, it must be a dotted Python name
	284	that resolves to a function which accepts a userid and returns a
	285	boolean True or False, indicating whether that user exists in a
	286	database. This is a workaround. Due to a design bug in repoze.who,
	287	the only way who can check for user existence is to use one or more
	288	IAuthenticator plugin ``authenticate`` methods. If an
	289	IAuthenticator's ``authenticate`` method returns true, it means that
	290	the user exists. However most IAuthenticator plugins expect both
	291	a username and a password, and will return False unconditionally if
	292	both aren't supplied. This means that an authenticator can't be
	293	used to check if the user "only" exists. The identity provided by
	294	an auth_tkt does not contain a password to check against. The
	295	actual design bug in repoze.who is this: when a user presents
	296	credentials from an auth_tkt, he is considered "preauthenticated".
	297	IAuthenticator.authenticate is just never called for a
	298	"preauthenticated" identity, which works fine, but it means that the
	299	user will be considered authenticated even if you deleted the user's
	300	record from whatever database you happen to be using. However, if
	301	you use a userid_checker, you can ensure that a user exists for the
	302	auth_tkt supplied userid. If the userid_checker returns False, the
	303	auth_tkt credentials are considered "no good".
	304
7141c7	305
TS	306	1.0.13 (2009-04-24)
	307	-------------------
64ba13	308
TS	309	- Added a paragraph to ``IAuthenticator`` docstring, documenting that plugins
	310	are allowed to add keys to the ``identity`` dictionary (e.g., to save a
ced7bd	311	second database query in an ``IMetadataProvider`` plugin).
64ba13	312
08b2ae	313	- Patch supplied for issue #71 (http://bugs.repoze.org/issue71)
CM	314	whereby a downstream app can return a generator, relying on an
	315	upstream component to call start_response. We do this because the
	316	challenge decider needs the status and headers to decide what to do.
	317
56d0c5	318
7141c7	319	1.0.12 (2009-04-19)
TS	320	-------------------
56d0c5	321	- auth_tkt plugin tried to append REMOTE_USER_TOKENS data to
CM	322	existing tokens data returned by auth_tkt.parse_tkt; this was
	323	incorrect; just overwrite.
0ee58d	324
TS	325	- Extended auth_tkt plugin factory to allow passing secret in a separate
	326	file from the main config file. See http://bugs.repoze.org/issue40 .
	327
7141c7	328
TS	329	1.0.11 (2009-04-10)
	330	-------------------
afbbcd	331
8c20ba	332	- Fix auth_tkt plugin; cookie values are now quoted, making it possible
CM	333	to put spaces and other whitespace, etc in usernames. (thanks to Michael
95736b	334	Pedersen).
8c20ba	335
afbbcd	336	- Fix corner case issue of an exception raised when attempting to log
CM	337	when there are no identifiers or authenticators.
	338
7141c7	339
TS	340	1.0.10 (2009-01-23)
	341	-------------------
7b931d	342
CM	343	- The RedirectingFormPlugin now passes along SetCookie headers set
	344	into the response by the application within the NotFound response
	345	(fixes TG2 "flash" issue).
	346
7141c7	347
TS	348	1.0.9 (2008-12-18)
	349	------------------
30ab69	350
9238cd	351	- The RedirectingFormPlugin now attempts to find a header named
CM	352	``X-Authentication-Failure-Reason`` among the response headers set
	353	by the application when a challenge is issued. If a value for this
	354	header exists (and is non-blank), the value is attached to the
	355	redirect URL's query string as the ``reason`` parameter (or a
	356	user-settable key). This makes it possible for downstream
	357	applications to issue a response that initiates a challenge with
	358	this header and subsequently display the reason in the login form
	359	rendered as a result of the challenge.
30ab69	360
7141c7	361
TS	362	1.0.8 (2008-12-13)
	363	------------------
186ff6	364
9238cd	365	- The ``PluggableAuthenticationMiddleware`` constructor accepts a
CM	366	``log_stream`` argument, which is typically a file. After this
	367	release, it can also be a PEP 333 ``Logger`` instance; if it is a
	368	PEP 333 ``Logger`` instance, this logger will be used as the
	369	repoze.who logger (instead of one being constructed by the
	370	middleware, as was previously always the case). When the
	371	``log_stream`` argument is a PEP 333 Logger object, the
	372	``log_level`` argument is ignored.
186ff6	373
7141c7	374
TS	375	1.0.7 (2008-08-28)
	376	------------------
37de44	377
9238cd	378	- ``repoze.who`` and ``repoze.who.plugins`` were not added to the
CM	379	``namespace_packages`` list in setup.py, potentially making 1.0.6 a
	380	brownbag release, given that making these packages namespace
	381	packages was the only reason for its release.
37de44	382
7141c7	383
TS	384	1.0.6 (2008-08-28)
	385	------------------
facdf8	386
9238cd	387	- Make repoze.who and repoze.who.plugins into namespace packages
CM	388	mainly so we can allow plugin authors to distribute packages in the
	389	repoze.who.plugins namespace.
facdf8	390
7141c7	391
TS	392	1.0.5 (2008-08-23)
	393	------------------
519300	394
9238cd	395	- Fix auth_tkt plugin to set the same cookies in its ``remember``
CM	396	method that it does in its ``forget`` method. Previously, logging
	397	out and relogging back in to a site that used auth_tkt identifier
	398	plugin was slightly dicey and would only work sometimes.
facdf8	399
9238cd	400	- The FormPlugin plugin has grown a redirect-on-unauthorized feature.
CM	401	Any response from a downstream application that causes a challenge
	402	and includes a Location header will cause a redirect to the value of
	403	the Location header.
dee08c	404
7141c7	405
TS	406	1.0.4 (2008-08-22)
	407	------------------
b95a59	408
9238cd	409	- Added a key to the '[general]' config section: ``remote_user_key``.
CM	410	If you use this key in the config file, it tells who to 1) not
	411	perform any authentication if it exists in the environment during
	412	ingress and 2) to set the key in the environment for the downstream
	413	app to use as the REMOTE_USER variable. The default is
	414	``REMOTE_USER``.
b95a59	415
9238cd	416	- Using unicode user ids in combination with the auth_tkt plugin would
CM	417	cause problems under mod_wsgi.
55dc7a	418
9238cd	419	- Allowed 'cookie_path' argument to InsecureCookiePlugin (and config
CM	420	constructor). Thanks to Gustavo Narea.
55dc7a	421
7141c7	422
TS	423	1.0.3 (2008-08-16)
	424	------------------
f693fe	425
9238cd	426	- A bug in the middleware's ``authenticate`` method made it impossible
CM	427	to authenticate a user with a userid that was null (e.g. 0, False),
	428	which are valid identifiers. The only invalid userid is now None.
c7e12d	429
9238cd	430	- Applied patch from Olaf Conradi which logs an error when an invalid
CM	431	filename is passed to the HTPasswdPlugin.
c7e12d	432
7141c7	433
TS	434	1.0.2 (2008-06-16)
	435	------------------
cad90d	436
9238cd	437	- Fix bug found by Chris Perkins: the auth_tkt plugin's "remember"
CM	438	method didn't handle userids which are Python "long" instances
	439	properly. Symptom: TypeError: cannot concatenate 'str' and 'long'
	440	objects in "paste.auth.auth_tkt".
a2c030	441
9238cd	442	- Added predicate-based "restriction" middleware support
CM	443	(repoze.who.restrict), allowing configuratio-driven authorization as
	444	a WSGI filter. One example predicate, 'authenticated_predicate', is
	445	supplied, which requires that the user be authenticated either via
	446	'REMOTE_USER' or via 'repoze.who.identity'. To use the filter to
	447	restrict access::
cad90d	448
TS	449	[filter:authenticated_only]
	450	use = egg:repoze.who#authenticated
	451
	452	or::
	453
	454	[filter:some_predicate]
	455	use = egg:repoze.who#predicate
	456	predicate = my.module:some_predicate
	457	some_option = a value
	458
7141c7	459
TS	460	1.0.1 (2008-05-24)
	461	------------------
8199a1	462
9238cd	463	- Remove dependency-link to dist.repoze.org to prevent easy_install
CM	464	from inserting that path into its search paths (the dependencies are
	465	available from PyPI).
8199a1	466
7141c7	467
TS	468	1.0 (2008-05-04)
	469	-----------------
419946	470
9238cd	471	- The plugin at plugins.form.FormPlugin didn't redirect properly after
CM	472	collecting identification information. Symptom: a downstream app
	473	would receive a POST request with a blank body, which would
	474	sometimes result in a Bad Request error.
f39349	475
9238cd	476	- Fixed interface declarations of
CM	477	'classifiers.default_request_classifier' and
	478	'classifiers.default_password_compare'.
515c69	479
9238cd	480	- Added actual config-driven middleware factory,
CM	481	'config.make_middleware_with_config'
515c69	482
9238cd	483	- Removed fossilized 'who_conf' argument from plugin factory functions.
515c69	484
7141c7	485	- Added ConfigParser-based WhoConfig, implementing the spec outlined at
9238cd	486	http://www.plope.com/static/misc/sphinxtest/intro.html#middleware-configuration-via-config-file,
CM	487	with the following changes:
419946	488
7141c7	489	- "Bare" plugins (requiring no configuration options) may be specified
419946	490	as either egg entry points (e.g., 'egg:distname#entry_point_name') or
TS	491	as dotted-path-with-colon (e.g., 'dotted.name:object_id').
	492
7141c7	493	- Therefore, the separator between a plugin and its classifier is now
TS	494	a semicolon, rather than a colon. E.g.::
419946	495
TS	496	[plugins:id_plugin]
	497	use = egg:another.package#identify_with_frobnatz
	498	frobnatz = baz
	499
	500	[identifiers]
	501	plugins =
	502	egg:my.egg#identify;browser
	503	dotted.name:identifier
	504	id_plugin
	505
7141c7	506
779caf	507	0.9.1 (2008-04-27)
7141c7	508	------------------
779caf	509
9238cd	510	- Fix auth_tkt plugin to be able to encode and decode integer user
CM	511	ids.
779caf	512
7141c7	513
88e646	514	0.9 (2008-04-01)
7141c7	515	----------------
88e646	516
9238cd	517	- Fix bug introduced in FormPlugin in 0.8 release (rememberer headers
CM	518	not set).
88e646	519
9238cd	520	- Add PATH_INFO to started and ended log info.
d9f046	521
9238cd	522	- Add a SQLMetadataProviderPlugin (in plugins/sql).
d9f046	523
9238cd	524	- Change constructor of SQLAuthenticatorPlugin: it now accepts only
CM	525	"query", "conn_factory", and "compare_fn". The old constructor
	526	accepted a DSN, but some database systems don't use DBAPI DSNs. The
	527	new constructor accepts no DSN; the conn_factory is assumed to do
	528	all the work to make a connection, including knowing the DSN if one
	529	is required. The "conn_factory" should return something that, when
	530	called with no arguments, returns a database connection.
d9f046	531
9238cd	532	- The "make_plugin" helper in plugins/sql has been renamed
CM	533	"make_authenticator_plugin". When called, this helper will return a
	534	SQLAuthenticatorPlugin. A bit of helper logic in the
	535	"make_authenticator_plugin" allows a connection factory to be
	536	computed. The top-level callable referred to by conn_factory in
	537	this helper should return a function that, when called with no
	538	arguments, returns a datbase connection. The top-level callable
	539	itself is called with "who_conf" (global who configuration) and any
	540	number of non-top-level keyword arguments as they are passed into
	541	the helper, to allow for a DSN or URL or whatever to be passed in.
d9f046	542
9238cd	543	- A "make_metatata_plugin" helper has been added to plugins/sql. When
CM	544	called, this will make a SQLMetadataProviderPlugin. See the
	545	implementation for details. It is similar to the
	546	"make_authenticator_plugin" helper.
d9f046	547
7141c7	548
cbe4e3	549	0.8 (2008-03-27)
7141c7	550	----------------
b5a331	551
9238cd	552	- Add a RedirectingFormIdentifier plugin. This plugin is willing to
CM	553	redirect to an external (or downstream application) login form to
	554	perform identification. The external login form must post to the
	555	"login_handler_path" of the plugin (optimally with a "came_from"
	556	value to tell the plugin where to redirect the response to if the
	557	authentication works properly). The "logout_handler_path" of this
	558	plugin can be visited to perform a logout. The "came_from" value
	559	also works there.
a400b0	560
9238cd	561	- Identifier plugins are now permitted to set a key in the environment
CM	562	named 'repoze.who.application' on ingress (in 'identify'). If an
	563	identifier plugin does so, this application is used instead of the
	564	"normal" downstream application. This feature was added to more
	565	simply support the redirecting form identifier plugin.
a400b0	566
7141c7	567
a400b0	568	0.7 (2008-03-26)
7141c7	569	----------------
a400b0	570
9238cd	571	- Change the IMetadataProvider interface: this interface used to have
CM	572	a "metadata" method which returned a dictionary. This method is not
	573	part of that API anymore. It's been replaced with an "add_metadata"
	574	method which has the signature::
b5a331	575
CM	576	def add_metadata(environ, identity):
	577	"""
	578	Add metadata to the identity (which is a dictionary)
	579	"""
	580
	581	The return value is ignored. IMetadataProvider plugins are now
	582	assumed to be responsible for 'scribbling' directly on the identity
	583	that is passed in (it's a dictionary). The user id can always be
	584	retrieved from the identity via identity['repoze.who.userid'] for
	585	metadata plugins that rely on that value.
	586
7141c7	587
a400b0	588	0.6 (2008-03-20)
7141c7	589	----------------
e35c64	590
9238cd	591	- Renaming: repoze.pam is now repoze.who
cb5426	592
9238cd	593	- Bump ez_setup.py version.
e35c64	594
9238cd	595	- Add IMetadataProvider plugin type. Chris says 'Whit rules'.
fa9581	596
7141c7	597
3b67e9	598	0.5 (2008-03-09)
7141c7	599	----------------
db4cf5	600
9238cd	601	- Allow "remote user key" (default: REMOTE_USER) to be overridden
CM	602	(pass in remote_user_key to middleware constructor).
db4cf5	603
9238cd	604	- Allow form plugin to override the default form.
db4cf5	605
9238cd	606	- API change: IIdentifiers are no longer required to put both 'login'
CM	607	and 'password' in a returned identity dictionary. Instead, an
	608	IIdentifier can place arbitrary key/value pairs in the identity
	609	dictionary (or return an empty dictionary).
40a968	610
9238cd	611	- API return value change: the "failure" identity which IIdentifiers
CM	612	return is now None rather than an empty dictionary.
40a968	613
9238cd	614	- The IAuthenticator interface now specifies that IAuthenticators must
CM	615	not raise an exception when evaluating an identity that does not
	616	have "expected" key/value pairs (e.g. when an IAuthenticator that
	617	expects login and password inspects an identity returned by an
	618	IP-based auth system which only puts the IP address in the
	619	identity); instead they fail gracefully by returning None.
40a968	620
9238cd	621	- Add (cookie) "auth_tkt" identification plugin.
a5b033	622
9238cd	623	- Stamp identity dictionaries with a userid by placing a key named
CM	624	'repoze.pam.userid' into the identity for each authenticated
	625	identity.
a5b033	626
9238cd	627	- If an IIdentifier plugin inserts a 'repoze.pam.userid' key into the
CM	628	identity dictionary, consider this identity "preauthenticated". No
	629	authenticator plugins will be asked to authenticate this identity.
	630	This is designed for things like the recently added auth_tkt plugin,
	631	which embeds the user id into the ticket. This effectively alllows
	632	an IIdentifier plugin to become an IAuthenticator plugin when
	633	breaking apart the responsibility into two separate plugins is
	634	"make-work". Preauthenticated identities will be selected first
	635	when deciding which identity to use for any given request.
a5b033	636
9238cd	637	- Insert a 'repoze.pam.identity' key into the WSGI environment on
CM	638	ingress if an identity is found. Its value will be the identity
	639	dictionary related to the identity selected by repoze.pam on
	640	ingress. Downstream consumers are allowed to mutate this
	641	dictionary; this value is passed to "remember" and "forget", so its
	642	main use is to do a "credentials reset"; e.g. a user has changed his
	643	username or password within the application, but we don't want to
	644	force him to log in again after he does so.
a5b033	645
7141c7	646
247f34	647	0.4 (03-07-2008)
7141c7	648	----------------
247f34	649
9238cd	650	- Allow plugins to specify a classifiers list per interface (instead
CM	651	of a single classifiers list per plugin).
247f34	652
7141c7	653
fb510d	654	0.3 (03-05-2008)
7141c7	655	----------------
fb510d	656
9238cd	657	- Make SQLAuthenticatorPlugin's default_password_compare use hexdigest
CM	658	sha instead of base64'ed binary sha for simpler conversion.
fb510d	659
7141c7	660
196bc2	661	0.2 (03-04-2008)
7141c7	662	----------------
196bc2	663
9238cd	664	- Added SQLAuthenticatorPlugin (see plugins/sql.py).
196bc2	665
7141c7	666
318832	667	0.1 (02-27-2008)
7141c7	668	----------------
318832	669
9238cd	670	- Initial release (no configuration file support yet).