| commit | author | age | ||
| 07308f | 1 | ================== |
| aa8755 | 2 | repoze.who changes |
| CM | 3 | ================== |
| 4 | ||
| 2b870f | 5 | 1.0.13 (2009/4/24) |
| CM | 6 | ================== |
| 64ba13 | 7 | |
| TS | 8 | - Added a paragraph to ``IAuthenticator`` docstring, documenting that plugins |
| 9 | are allowed to add keys to the ``identity`` dictionary (e.g., to save a | |
| ced7bd | 10 | second database query in an ``IMetadataProvider`` plugin). |
| 64ba13 | 11 | |
| 08b2ae | 12 | - Patch supplied for issue #71 (http://bugs.repoze.org/issue71) |
| CM | 13 | whereby a downstream app can return a generator, relying on an |
| 14 | upstream component to call start_response. We do this because the | |
| 15 | challenge decider needs the status and headers to decide what to do. | |
| 16 | ||
| 56d0c5 | 17 | 1.0.12 (2009/4/19) |
| CM | 18 | ================== |
| 19 | ||
| 20 | - auth_tkt plugin tried to append REMOTE_USER_TOKENS data to | |
| 21 | existing tokens data returned by auth_tkt.parse_tkt; this was | |
| 22 | incorrect; just overwrite. | |
| 0ee58d | 23 | |
| TS | 24 | - Extended auth_tkt plugin factory to allow passing secret in a separate |
| 25 | file from the main config file. See http://bugs.repoze.org/issue40 . | |
| 26 | ||
| a68075 | 27 | 1.0.11 (2009/4/10) |
| CM | 28 | ================== |
| afbbcd | 29 | |
| 8c20ba | 30 | - Fix auth_tkt plugin; cookie values are now quoted, making it possible |
| CM | 31 | to put spaces and other whitespace, etc in usernames. (thanks to Michael |
| 95736b | 32 | Pedersen). |
| 8c20ba | 33 | |
| afbbcd | 34 | - Fix corner case issue of an exception raised when attempting to log |
| CM | 35 | when there are no identifiers or authenticators. |
| 36 | ||
| 2e6142 | 37 | 1.0.10 (2009/1/23) |
| CM | 38 | ================== |
| 7b931d | 39 | |
| CM | 40 | - The RedirectingFormPlugin now passes along SetCookie headers set |
| 41 | into the response by the application within the NotFound response | |
| 42 | (fixes TG2 "flash" issue). | |
| 43 | ||
| f76fac | 44 | 1.0.9 (2008/12/18) |
| 9238cd | 45 | ================== |
| 30ab69 | 46 | |
| 9238cd | 47 | - The RedirectingFormPlugin now attempts to find a header named |
| CM | 48 | ``X-Authentication-Failure-Reason`` among the response headers set |
| 49 | by the application when a challenge is issued. If a value for this | |
| 50 | header exists (and is non-blank), the value is attached to the | |
| 51 | redirect URL's query string as the ``reason`` parameter (or a | |
| 52 | user-settable key). This makes it possible for downstream | |
| 53 | applications to issue a response that initiates a challenge with | |
| 54 | this header and subsequently display the reason in the login form | |
| 55 | rendered as a result of the challenge. | |
| 30ab69 | 56 | |
| 5f7932 | 57 | 1.0.8 (2008/12/13) |
| 9238cd | 58 | ================== |
| 186ff6 | 59 | |
| 9238cd | 60 | - The ``PluggableAuthenticationMiddleware`` constructor accepts a |
| CM | 61 | ``log_stream`` argument, which is typically a file. After this |
| 62 | release, it can also be a PEP 333 ``Logger`` instance; if it is a | |
| 63 | PEP 333 ``Logger`` instance, this logger will be used as the | |
| 64 | repoze.who logger (instead of one being constructed by the | |
| 65 | middleware, as was previously always the case). When the | |
| 66 | ``log_stream`` argument is a PEP 333 Logger object, the | |
| 67 | ``log_level`` argument is ignored. | |
| 186ff6 | 68 | |
| 37de44 | 69 | 1.0.7 (2008/08/28) |
| 9238cd | 70 | ================== |
| 37de44 | 71 | |
| 9238cd | 72 | - ``repoze.who`` and ``repoze.who.plugins`` were not added to the |
| CM | 73 | ``namespace_packages`` list in setup.py, potentially making 1.0.6 a |
| 74 | brownbag release, given that making these packages namespace | |
| 75 | packages was the only reason for its release. | |
| 37de44 | 76 | |
| facdf8 | 77 | 1.0.6 (2008/08/28) |
| 9238cd | 78 | ================== |
| facdf8 | 79 | |
| 9238cd | 80 | - Make repoze.who and repoze.who.plugins into namespace packages |
| CM | 81 | mainly so we can allow plugin authors to distribute packages in the |
| 82 | repoze.who.plugins namespace. | |
| facdf8 | 83 | |
| 7f0e9c | 84 | 1.0.5 (2008/08/23) |
| 9238cd | 85 | ================== |
| 519300 | 86 | |
| 9238cd | 87 | - Fix auth_tkt plugin to set the same cookies in its ``remember`` |
| CM | 88 | method that it does in its ``forget`` method. Previously, logging |
| 89 | out and relogging back in to a site that used auth_tkt identifier | |
| 90 | plugin was slightly dicey and would only work sometimes. | |
| facdf8 | 91 | |
| 9238cd | 92 | - The FormPlugin plugin has grown a redirect-on-unauthorized feature. |
| CM | 93 | Any response from a downstream application that causes a challenge |
| 94 | and includes a Location header will cause a redirect to the value of | |
| 95 | the Location header. | |
| dee08c | 96 | |
| b95a59 | 97 | 1.0.4 (2008/08/22) |
| 9238cd | 98 | =================== |
| b95a59 | 99 | |
| 9238cd | 100 | - Added a key to the '[general]' config section: ``remote_user_key``. |
| CM | 101 | If you use this key in the config file, it tells who to 1) not |
| 102 | perform any authentication if it exists in the environment during | |
| 103 | ingress and 2) to set the key in the environment for the downstream | |
| 104 | app to use as the REMOTE_USER variable. The default is | |
| 105 | ``REMOTE_USER``. | |
| b95a59 | 106 | |
| 9238cd | 107 | - Using unicode user ids in combination with the auth_tkt plugin would |
| CM | 108 | cause problems under mod_wsgi. |
| 55dc7a | 109 | |
| 9238cd | 110 | - Allowed 'cookie_path' argument to InsecureCookiePlugin (and config |
| CM | 111 | constructor). Thanks to Gustavo Narea. |
| 55dc7a | 112 | |
| f693fe | 113 | 1.0.3 (2008/08/16) |
| 9238cd | 114 | ================== |
| f693fe | 115 | |
| 9238cd | 116 | - A bug in the middleware's ``authenticate`` method made it impossible |
| CM | 117 | to authenticate a user with a userid that was null (e.g. 0, False), |
| 118 | which are valid identifiers. The only invalid userid is now None. | |
| c7e12d | 119 | |
| 9238cd | 120 | - Applied patch from Olaf Conradi which logs an error when an invalid |
| CM | 121 | filename is passed to the HTPasswdPlugin. |
| c7e12d | 122 | |
| d76609 | 123 | 1.0.2 (2008/06/16) |
| 9238cd | 124 | ================== |
| cad90d | 125 | |
| 9238cd | 126 | - Fix bug found by Chris Perkins: the auth_tkt plugin's "remember" |
| CM | 127 | method didn't handle userids which are Python "long" instances |
| 128 | properly. Symptom: TypeError: cannot concatenate 'str' and 'long' | |
| 129 | objects in "paste.auth.auth_tkt". | |
| a2c030 | 130 | |
| 9238cd | 131 | - Added predicate-based "restriction" middleware support |
| CM | 132 | (repoze.who.restrict), allowing configuratio-driven authorization as |
| 133 | a WSGI filter. One example predicate, 'authenticated_predicate', is | |
| 134 | supplied, which requires that the user be authenticated either via | |
| 135 | 'REMOTE_USER' or via 'repoze.who.identity'. To use the filter to | |
| 136 | restrict access:: | |
| cad90d | 137 | |
| TS | 138 | [filter:authenticated_only] |
| 139 | use = egg:repoze.who#authenticated | |
| 140 | ||
| 141 | or:: | |
| 142 | ||
| 143 | [filter:some_predicate] | |
| 144 | use = egg:repoze.who#predicate | |
| 145 | predicate = my.module:some_predicate | |
| 146 | some_option = a value | |
| 147 | ||
| 8199a1 | 148 | 1.0.1 |
| 9238cd | 149 | ===== |
| 8199a1 | 150 | |
| 9238cd | 151 | - Remove dependency-link to dist.repoze.org to prevent easy_install |
| CM | 152 | from inserting that path into its search paths (the dependencies are |
| 153 | available from PyPI). | |
| 8199a1 | 154 | |
| 22e9e2 | 155 | 1.0 |
| 9238cd | 156 | === |
| 419946 | 157 | |
| 9238cd | 158 | - The plugin at plugins.form.FormPlugin didn't redirect properly after |
| CM | 159 | collecting identification information. Symptom: a downstream app |
| 160 | would receive a POST request with a blank body, which would | |
| 161 | sometimes result in a Bad Request error. | |
| f39349 | 162 | |
| 9238cd | 163 | - Fixed interface declarations of |
| CM | 164 | 'classifiers.default_request_classifier' and |
| 165 | 'classifiers.default_password_compare'. | |
| 515c69 | 166 | |
| 9238cd | 167 | - Added actual config-driven middleware factory, |
| CM | 168 | 'config.make_middleware_with_config' |
| 515c69 | 169 | |
| 9238cd | 170 | - Removed fossilized 'who_conf' argument from plugin factory functions. |
| 515c69 | 171 | |
| 9238cd | 172 | - Added ConfigParser-based WhoConfig, implementing the spec outlined |
| CM | 173 | at |
| 174 | http://www.plope.com/static/misc/sphinxtest/intro.html#middleware-configuration-via-config-file, | |
| 175 | with the following changes: | |
| 419946 | 176 | |
| 9238cd | 177 | o "Bare" plugins (requiring no configuration options) may be specified |
| 419946 | 178 | as either egg entry points (e.g., 'egg:distname#entry_point_name') or |
| TS | 179 | as dotted-path-with-colon (e.g., 'dotted.name:object_id'). |
| 180 | ||
| 9238cd | 181 | o Therefore, the separator between a plugin and its classifier is now |
| CM | 182 | a semicolon, rather than a colon. E.g.:: |
| 419946 | 183 | |
| TS | 184 | [plugins:id_plugin] |
| 185 | use = egg:another.package#identify_with_frobnatz | |
| 186 | frobnatz = baz | |
| 187 | ||
| 188 | [identifiers] | |
| 189 | plugins = | |
| 190 | egg:my.egg#identify;browser | |
| 191 | dotted.name:identifier | |
| 192 | id_plugin | |
| 193 | ||
| 779caf | 194 | 0.9.1 (2008-04-27) |
| 9238cd | 195 | ================== |
| 779caf | 196 | |
| 9238cd | 197 | - Fix auth_tkt plugin to be able to encode and decode integer user |
| CM | 198 | ids. |
| 779caf | 199 | |
| 88e646 | 200 | 0.9 (2008-04-01) |
| 9238cd | 201 | ================ |
| 88e646 | 202 | |
| 9238cd | 203 | - Fix bug introduced in FormPlugin in 0.8 release (rememberer headers |
| CM | 204 | not set). |
| 88e646 | 205 | |
| 9238cd | 206 | - Add PATH_INFO to started and ended log info. |
| d9f046 | 207 | |
| 9238cd | 208 | - Add a SQLMetadataProviderPlugin (in plugins/sql). |
| d9f046 | 209 | |
| 9238cd | 210 | - Change constructor of SQLAuthenticatorPlugin: it now accepts only |
| CM | 211 | "query", "conn_factory", and "compare_fn". The old constructor |
| 212 | accepted a DSN, but some database systems don't use DBAPI DSNs. The | |
| 213 | new constructor accepts no DSN; the conn_factory is assumed to do | |
| 214 | all the work to make a connection, including knowing the DSN if one | |
| 215 | is required. The "conn_factory" should return something that, when | |
| 216 | called with no arguments, returns a database connection. | |
| d9f046 | 217 | |
| 9238cd | 218 | - The "make_plugin" helper in plugins/sql has been renamed |
| CM | 219 | "make_authenticator_plugin". When called, this helper will return a |
| 220 | SQLAuthenticatorPlugin. A bit of helper logic in the | |
| 221 | "make_authenticator_plugin" allows a connection factory to be | |
| 222 | computed. The top-level callable referred to by conn_factory in | |
| 223 | this helper should return a function that, when called with no | |
| 224 | arguments, returns a datbase connection. The top-level callable | |
| 225 | itself is called with "who_conf" (global who configuration) and any | |
| 226 | number of non-top-level keyword arguments as they are passed into | |
| 227 | the helper, to allow for a DSN or URL or whatever to be passed in. | |
| d9f046 | 228 | |
| 9238cd | 229 | - A "make_metatata_plugin" helper has been added to plugins/sql. When |
| CM | 230 | called, this will make a SQLMetadataProviderPlugin. See the |
| 231 | implementation for details. It is similar to the | |
| 232 | "make_authenticator_plugin" helper. | |
| d9f046 | 233 | |
| cbe4e3 | 234 | 0.8 (2008-03-27) |
| 9238cd | 235 | ================ |
| b5a331 | 236 | |
| 9238cd | 237 | - Add a RedirectingFormIdentifier plugin. This plugin is willing to |
| CM | 238 | redirect to an external (or downstream application) login form to |
| 239 | perform identification. The external login form must post to the | |
| 240 | "login_handler_path" of the plugin (optimally with a "came_from" | |
| 241 | value to tell the plugin where to redirect the response to if the | |
| 242 | authentication works properly). The "logout_handler_path" of this | |
| 243 | plugin can be visited to perform a logout. The "came_from" value | |
| 244 | also works there. | |
| a400b0 | 245 | |
| 9238cd | 246 | - Identifier plugins are now permitted to set a key in the environment |
| CM | 247 | named 'repoze.who.application' on ingress (in 'identify'). If an |
| 248 | identifier plugin does so, this application is used instead of the | |
| 249 | "normal" downstream application. This feature was added to more | |
| 250 | simply support the redirecting form identifier plugin. | |
| a400b0 | 251 | |
| CM | 252 | 0.7 (2008-03-26) |
| 9238cd | 253 | ================ |
| a400b0 | 254 | |
| 9238cd | 255 | - Change the IMetadataProvider interface: this interface used to have |
| CM | 256 | a "metadata" method which returned a dictionary. This method is not |
| 257 | part of that API anymore. It's been replaced with an "add_metadata" | |
| 258 | method which has the signature:: | |
| b5a331 | 259 | |
| CM | 260 | def add_metadata(environ, identity): |
| 261 | """ | |
| 262 | Add metadata to the identity (which is a dictionary) | |
| 263 | """ | |
| 264 | ||
| 265 | The return value is ignored. IMetadataProvider plugins are now | |
| 266 | assumed to be responsible for 'scribbling' directly on the identity | |
| 267 | that is passed in (it's a dictionary). The user id can always be | |
| 268 | retrieved from the identity via identity['repoze.who.userid'] for | |
| 269 | metadata plugins that rely on that value. | |
| 270 | ||
| a400b0 | 271 | 0.6 (2008-03-20) |
| 9238cd | 272 | ================ |
| e35c64 | 273 | |
| 9238cd | 274 | - Renaming: repoze.pam is now repoze.who |
| cb5426 | 275 | |
| 9238cd | 276 | - Bump ez_setup.py version. |
| e35c64 | 277 | |
| 9238cd | 278 | - Add IMetadataProvider plugin type. Chris says 'Whit rules'. |
| fa9581 | 279 | |
| 3b67e9 | 280 | 0.5 (2008-03-09) |
| 9238cd | 281 | ================ |
| db4cf5 | 282 | |
| 9238cd | 283 | - Allow "remote user key" (default: REMOTE_USER) to be overridden |
| CM | 284 | (pass in remote_user_key to middleware constructor). |
| db4cf5 | 285 | |
| 9238cd | 286 | - Allow form plugin to override the default form. |
| db4cf5 | 287 | |
| 9238cd | 288 | - API change: IIdentifiers are no longer required to put both 'login' |
| CM | 289 | and 'password' in a returned identity dictionary. Instead, an |
| 290 | IIdentifier can place arbitrary key/value pairs in the identity | |
| 291 | dictionary (or return an empty dictionary). | |
| 40a968 | 292 | |
| 9238cd | 293 | - API return value change: the "failure" identity which IIdentifiers |
| CM | 294 | return is now None rather than an empty dictionary. |
| 40a968 | 295 | |
| 9238cd | 296 | - The IAuthenticator interface now specifies that IAuthenticators must |
| CM | 297 | not raise an exception when evaluating an identity that does not |
| 298 | have "expected" key/value pairs (e.g. when an IAuthenticator that | |
| 299 | expects login and password inspects an identity returned by an | |
| 300 | IP-based auth system which only puts the IP address in the | |
| 301 | identity); instead they fail gracefully by returning None. | |
| 40a968 | 302 | |
| 9238cd | 303 | - Add (cookie) "auth_tkt" identification plugin. |
| a5b033 | 304 | |
| 9238cd | 305 | - Stamp identity dictionaries with a userid by placing a key named |
| CM | 306 | 'repoze.pam.userid' into the identity for each authenticated |
| 307 | identity. | |
| a5b033 | 308 | |
| 9238cd | 309 | - If an IIdentifier plugin inserts a 'repoze.pam.userid' key into the |
| CM | 310 | identity dictionary, consider this identity "preauthenticated". No |
| 311 | authenticator plugins will be asked to authenticate this identity. | |
| 312 | This is designed for things like the recently added auth_tkt plugin, | |
| 313 | which embeds the user id into the ticket. This effectively alllows | |
| 314 | an IIdentifier plugin to become an IAuthenticator plugin when | |
| 315 | breaking apart the responsibility into two separate plugins is | |
| 316 | "make-work". Preauthenticated identities will be selected first | |
| 317 | when deciding which identity to use for any given request. | |
| a5b033 | 318 | |
| 9238cd | 319 | - Insert a 'repoze.pam.identity' key into the WSGI environment on |
| CM | 320 | ingress if an identity is found. Its value will be the identity |
| 321 | dictionary related to the identity selected by repoze.pam on | |
| 322 | ingress. Downstream consumers are allowed to mutate this | |
| 323 | dictionary; this value is passed to "remember" and "forget", so its | |
| 324 | main use is to do a "credentials reset"; e.g. a user has changed his | |
| 325 | username or password within the application, but we don't want to | |
| 326 | force him to log in again after he does so. | |
| a5b033 | 327 | |
| 247f34 | 328 | 0.4 (03-07-2008) |
| 9238cd | 329 | ================ |
| 247f34 | 330 | |
| 9238cd | 331 | - Allow plugins to specify a classifiers list per interface (instead |
| CM | 332 | of a single classifiers list per plugin). |
| 247f34 | 333 | |
| fb510d | 334 | 0.3 (03-05-2008) |
| 9238cd | 335 | ================ |
| fb510d | 336 | |
| 9238cd | 337 | - Make SQLAuthenticatorPlugin's default_password_compare use hexdigest |
| CM | 338 | sha instead of base64'ed binary sha for simpler conversion. |
| fb510d | 339 | |
| 196bc2 | 340 | 0.2 (03-04-2008) |
| 9238cd | 341 | ================ |
| 196bc2 | 342 | |
| 9238cd | 343 | - Added SQLAuthenticatorPlugin (see plugins/sql.py). |
| 196bc2 | 344 | |
| 318832 | 345 | 0.1 (02-27-2008) |
| 9238cd | 346 | ================ |
| 318832 | 347 | |
| 9238cd | 348 | - Initial release (no configuration file support yet). |
| CM | 349 | |
| fdbab9 | 350 | |
