commit | author | age
|
07308f
|
1 |
================== |
aa8755
|
2 |
repoze.who changes |
CM |
3 |
================== |
|
4 |
|
2b870f
|
5 |
1.0.13 (2009/4/24) |
CM |
6 |
================== |
64ba13
|
7 |
|
TS |
8 |
- Added a paragraph to ``IAuthenticator`` docstring, documenting that plugins |
|
9 |
are allowed to add keys to the ``identity`` dictionary (e.g., to save a |
ced7bd
|
10 |
second database query in an ``IMetadataProvider`` plugin). |
64ba13
|
11 |
|
08b2ae
|
12 |
- Patch supplied for issue #71 (http://bugs.repoze.org/issue71) |
CM |
13 |
whereby a downstream app can return a generator, relying on an |
|
14 |
upstream component to call start_response. We do this because the |
|
15 |
challenge decider needs the status and headers to decide what to do. |
|
16 |
|
56d0c5
|
17 |
1.0.12 (2009/4/19) |
CM |
18 |
================== |
|
19 |
|
|
20 |
- auth_tkt plugin tried to append REMOTE_USER_TOKENS data to |
|
21 |
existing tokens data returned by auth_tkt.parse_tkt; this was |
|
22 |
incorrect; just overwrite. |
0ee58d
|
23 |
|
TS |
24 |
- Extended auth_tkt plugin factory to allow passing secret in a separate |
|
25 |
file from the main config file. See http://bugs.repoze.org/issue40 . |
|
26 |
|
a68075
|
27 |
1.0.11 (2009/4/10) |
CM |
28 |
================== |
afbbcd
|
29 |
|
8c20ba
|
30 |
- Fix auth_tkt plugin; cookie values are now quoted, making it possible |
CM |
31 |
to put spaces and other whitespace, etc in usernames. (thanks to Michael |
95736b
|
32 |
Pedersen). |
8c20ba
|
33 |
|
afbbcd
|
34 |
- Fix corner case issue of an exception raised when attempting to log |
CM |
35 |
when there are no identifiers or authenticators. |
|
36 |
|
2e6142
|
37 |
1.0.10 (2009/1/23) |
CM |
38 |
================== |
7b931d
|
39 |
|
CM |
40 |
- The RedirectingFormPlugin now passes along Set-Cookie headers set |
|
41 |
into the response by the application within the NotFound response |
|
42 |
(fixes TG2 "flash" issue). |
|
43 |
|
f76fac
|
44 |
1.0.9 (2008/12/18) |
9238cd
|
45 |
================== |
30ab69
|
46 |
|
9238cd
|
47 |
- The RedirectingFormPlugin now attempts to find a header named |
CM |
48 |
``X-Authentication-Failure-Reason`` among the response headers set |
|
49 |
by the application when a challenge is issued. If a value for this |
|
50 |
header exists (and is non-blank), the value is attached to the |
|
51 |
redirect URL's query string as the ``reason`` parameter (or a |
|
52 |
user-settable key). This makes it possible for downstream |
|
53 |
applications to issue a response that initiates a challenge with |
|
54 |
this header and subsequently display the reason in the login form |
|
55 |
rendered as a result of the challenge. |
30ab69
|
56 |
|
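The 1.0.9 behaviour above, as an added sketch rather than code from repoze.who: the failure reason set by the application is carried to the login form in the redirect URL's query string and read back on the form side. The function names `challenge_redirect_url` and `reason_for_form`, the sample URL and the sample header value are assumptions made for illustration; the value is URL-encoded on the way out and HTML-escaped before display because it originates downstream.

```python
import html
from urllib.parse import parse_qs, parse_qsl, urlencode, urlsplit, urlunsplit

REASON_HEADER = "x-authentication-failure-reason"


def challenge_redirect_url(login_form_url, app_headers, reason_param="reason"):
    """Return login_form_url, with the app's failure reason added if non-blank.

    app_headers: WSGI-style list of (name, value) tuples from the response
    that triggered the challenge.
    """
    reason = ""
    for name, value in app_headers:
        if name.lower() == REASON_HEADER:
            reason = value.strip()
            break
    if not reason:
        return login_form_url
    parts = urlsplit(login_form_url)
    params = parse_qsl(parts.query, keep_blank_values=True)
    # Drop any existing value so the form sees exactly one reason.
    params = [(k, v) for k, v in params if k != reason_param]
    params.append((reason_param, reason))
    # urlencode percent-encodes '&', '=', CR and LF, so the value cannot
    # add parameters or break out of the Location header.
    return urlunsplit(parts._replace(query=urlencode(params)))


def reason_for_form(redirect_url, reason_param="reason"):
    """Login-form side: read the reason back and escape it for HTML output."""
    values = parse_qs(urlsplit(redirect_url).query).get(reason_param, [""])
    return html.escape(values[0], quote=True)
```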
5f7932
|
57 |
1.0.8 (2008/12/13) |
9238cd
|
58 |
================== |
186ff6
|
59 |
|
9238cd
|
60 |
- The ``PluggableAuthenticationMiddleware`` constructor accepts a |
CM |
61 |
``log_stream`` argument, which is typically a file. After this |
|
62 |
release, it can also be a PEP 333 ``Logger`` instance; if it is a |
|
63 |
PEP 333 ``Logger`` instance, this logger will be used as the |
|
64 |
repoze.who logger (instead of one being constructed by the |
|
65 |
middleware, as was previously always the case). When the |
|
66 |
``log_stream`` argument is a PEP 333 Logger object, the |
|
67 |
``log_level`` argument is ignored. |
186ff6
|
68 |
|
37de44
|
69 |
1.0.7 (2008/08/28) |
9238cd
|
70 |
================== |
37de44
|
71 |
|
9238cd
|
72 |
- ``repoze.who`` and ``repoze.who.plugins`` were not added to the |
CM |
73 |
``namespace_packages`` list in setup.py, potentially making 1.0.6 a |
|
74 |
brownbag release, given that making these packages namespace |
|
75 |
packages was the only reason for its release. |
37de44
|
76 |
|
facdf8
|
77 |
1.0.6 (2008/08/28) |
9238cd
|
78 |
================== |
facdf8
|
79 |
|
9238cd
|
80 |
- Make repoze.who and repoze.who.plugins into namespace packages |
CM |
81 |
mainly so we can allow plugin authors to distribute packages in the |
|
82 |
repoze.who.plugins namespace. |
facdf8
|
83 |
|
7f0e9c
|
84 |
1.0.5 (2008/08/23) |
9238cd
|
85 |
================== |
519300
|
86 |
|
9238cd
|
87 |
- Fix auth_tkt plugin to set the same cookies in its ``remember`` |
CM |
88 |
method that it does in its ``forget`` method. Previously, logging |
|
89 |
out and relogging back in to a site that used auth_tkt identifier |
|
90 |
plugin was slightly dicey and would only work sometimes. |
facdf8
|
91 |
|
9238cd
|
92 |
- The FormPlugin plugin has grown a redirect-on-unauthorized feature. |
CM |
93 |
Any response from a downstream application that causes a challenge |
|
94 |
and includes a Location header will cause a redirect to the value of |
|
95 |
the Location header. |
dee08c
|
96 |
|
b95a59
|
97 |
1.0.4 (2008/08/22) |
9238cd
|
98 |
=================== |
b95a59
|
99 |
|
9238cd
|
100 |
- Added a key to the '[general]' config section: ``remote_user_key``. |
CM |
101 |
If you use this key in the config file, it tells repoze.who to 1) not |
|
102 |
perform any authentication if it exists in the environment during |
|
103 |
ingress and 2) to set the key in the environment for the downstream |
|
104 |
app to use as the REMOTE_USER variable. The default is |
|
105 |
``REMOTE_USER``. |
b95a59
|
106 |
|
9238cd
|
107 |
- Using unicode user ids in combination with the auth_tkt plugin would |
CM |
108 |
cause problems under mod_wsgi. |
55dc7a
|
109 |
|
9238cd
|
110 |
- Allowed 'cookie_path' argument to InsecureCookiePlugin (and config |
CM |
111 |
constructor). Thanks to Gustavo Narea. |
55dc7a
|
112 |
|
f693fe
|
113 |
1.0.3 (2008/08/16) |
9238cd
|
114 |
================== |
f693fe
|
115 |
|
9238cd
|
116 |
- A bug in the middleware's ``authenticate`` method made it impossible |
CM |
117 |
to authenticate a user with a userid that was null (e.g. 0, False), |
|
118 |
which are valid identifiers. The only invalid userid is now None. |
c7e12d
|
119 |
|
9238cd
|
120 |
- Applied patch from Olaf Conradi which logs an error when an invalid |
CM |
121 |
filename is passed to the HTPasswdPlugin. |
c7e12d
|
122 |
|
d76609
|
123 |
1.0.2 (2008/06/16) |
9238cd
|
124 |
================== |
cad90d
|
125 |
|
9238cd
|
126 |
- Fix bug found by Chris Perkins: the auth_tkt plugin's "remember" |
CM |
127 |
method didn't handle userids which are Python "long" instances |
|
128 |
properly. Symptom: TypeError: cannot concatenate 'str' and 'long' |
|
129 |
objects in "paste.auth.auth_tkt". |
a2c030
|
130 |
|
9238cd
|
131 |
- Added predicate-based "restriction" middleware support |
CM |
132 |
(repoze.who.restrict), allowing configuration-driven authorization as |
|
133 |
a WSGI filter. One example predicate, 'authenticated_predicate', is |
|
134 |
supplied, which requires that the user be authenticated either via |
|
135 |
'REMOTE_USER' or via 'repoze.who.identity'. To use the filter to |
|
136 |
restrict access:: |
cad90d
|
137 |
|
TS |
138 |
[filter:authenticated_only] |
|
139 |
use = egg:repoze.who#authenticated |
|
140 |
|
|
141 |
or:: |
|
142 |
|
|
143 |
[filter:some_predicate] |
|
144 |
use = egg:repoze.who#predicate |
|
145 |
predicate = my.module:some_predicate |
|
146 |
some_option = a value |
|
147 |
|
8199a1
|
148 |
1.0.1 |
9238cd
|
149 |
===== |
8199a1
|
150 |
|
9238cd
|
151 |
- Remove dependency-link to dist.repoze.org to prevent easy_install |
CM |
152 |
from inserting that path into its search paths (the dependencies are |
|
153 |
available from PyPI). |
8199a1
|
154 |
|
22e9e2
|
155 |
1.0 |
9238cd
|
156 |
=== |
419946
|
157 |
|
9238cd
|
158 |
- The plugin at plugins.form.FormPlugin didn't redirect properly after |
CM |
159 |
collecting identification information. Symptom: a downstream app |
|
160 |
would receive a POST request with a blank body, which would |
|
161 |
sometimes result in a Bad Request error. |
f39349
|
162 |
|
9238cd
|
163 |
- Fixed interface declarations of |
CM |
164 |
'classifiers.default_request_classifier' and |
|
165 |
'classifiers.default_password_compare'. |
515c69
|
166 |
|
9238cd
|
167 |
- Added actual config-driven middleware factory, |
CM |
168 |
'config.make_middleware_with_config' |
515c69
|
169 |
|
9238cd
|
170 |
- Removed fossilized 'who_conf' argument from plugin factory functions. |
515c69
|
171 |
|
9238cd
|
172 |
- Added ConfigParser-based WhoConfig, implementing the spec outlined |
CM |
173 |
at |
|
174 |
http://www.plope.com/static/misc/sphinxtest/intro.html#middleware-configuration-via-config-file, |
|
175 |
with the following changes: |
419946
|
176 |
|
9238cd
|
177 |
o "Bare" plugins (requiring no configuration options) may be specified |
419946
|
178 |
as either egg entry points (e.g., 'egg:distname#entry_point_name') or |
TS |
179 |
as dotted-path-with-colon (e.g., 'dotted.name:object_id'). |
|
180 |
|
9238cd
|
181 |
o Therefore, the separator between a plugin and its classifier is now |
CM |
182 |
a semicolon, rather than a colon. E.g.:: |
419946
|
183 |
|
TS |
184 |
[plugins:id_plugin] |
|
185 |
use = egg:another.package#identify_with_frobnatz |
|
186 |
frobnatz = baz |
|
187 |
|
|
188 |
[identifiers] |
|
189 |
plugins = |
|
190 |
egg:my.egg#identify;browser |
|
191 |
dotted.name:identifier |
|
192 |
id_plugin |
|
193 |
|
779caf
|
194 |
0.9.1 (2008-04-27) |
9238cd
|
195 |
================== |
779caf
|
196 |
|
9238cd
|
197 |
- Fix auth_tkt plugin to be able to encode and decode integer user |
CM |
198 |
ids. |
779caf
|
199 |
|
88e646
|
200 |
0.9 (2008-04-01) |
9238cd
|
201 |
================ |
88e646
|
202 |
|
9238cd
|
203 |
- Fix bug introduced in FormPlugin in 0.8 release (rememberer headers |
CM |
204 |
not set). |
88e646
|
205 |
|
9238cd
|
206 |
- Add PATH_INFO to started and ended log info. |
d9f046
|
207 |
|
9238cd
|
208 |
- Add a SQLMetadataProviderPlugin (in plugins/sql). |
d9f046
|
209 |
|
9238cd
|
210 |
- Change constructor of SQLAuthenticatorPlugin: it now accepts only |
CM |
211 |
"query", "conn_factory", and "compare_fn". The old constructor |
|
212 |
accepted a DSN, but some database systems don't use DBAPI DSNs. The |
|
213 |
new constructor accepts no DSN; the conn_factory is assumed to do |
|
214 |
all the work to make a connection, including knowing the DSN if one |
|
215 |
is required. The "conn_factory" should return something that, when |
|
216 |
called with no arguments, returns a database connection. |
d9f046
|
217 |
|
9238cd
|
218 |
- The "make_plugin" helper in plugins/sql has been renamed |
CM |
219 |
"make_authenticator_plugin". When called, this helper will return a |
|
220 |
SQLAuthenticatorPlugin. A bit of helper logic in the |
|
221 |
"make_authenticator_plugin" allows a connection factory to be |
|
222 |
computed. The top-level callable referred to by conn_factory in |
|
223 |
this helper should return a function that, when called with no |
|
224 |
arguments, returns a database connection. The top-level callable |
|
225 |
itself is called with "who_conf" (global who configuration) and any |
|
226 |
number of non-top-level keyword arguments as they are passed into |
|
227 |
the helper, to allow for a DSN or URL or whatever to be passed in. |
d9f046
|
228 |
|
9238cd
|
229 |
- A "make_metadata_plugin" helper has been added to plugins/sql. When |
CM |
230 |
called, this will make a SQLMetadataProviderPlugin. See the |
|
231 |
implementation for details. It is similar to the |
|
232 |
"make_authenticator_plugin" helper. |
d9f046
|
233 |
|
cbe4e3
|
234 |
0.8 (2008-03-27) |
9238cd
|
235 |
================ |
b5a331
|
236 |
|
9238cd
|
237 |
- Add a RedirectingFormIdentifier plugin. This plugin is willing to |
CM |
238 |
redirect to an external (or downstream application) login form to |
|
239 |
perform identification. The external login form must post to the |
|
240 |
"login_handler_path" of the plugin (optimally with a "came_from" |
|
241 |
value to tell the plugin where to redirect the response to if the |
|
242 |
authentication works properly). The "logout_handler_path" of this |
|
243 |
plugin can be visited to perform a logout. The "came_from" value |
|
244 |
also works there. |
a400b0
|
245 |
|
9238cd
|
246 |
- Identifier plugins are now permitted to set a key in the environment |
CM |
247 |
named 'repoze.who.application' on ingress (in 'identify'). If an |
|
248 |
identifier plugin does so, this application is used instead of the |
|
249 |
"normal" downstream application. This feature was added to more |
|
250 |
simply support the redirecting form identifier plugin. |
a400b0
|
251 |
|
CM |
252 |
0.7 (2008-03-26) |
9238cd
|
253 |
================ |
a400b0
|
254 |
|
9238cd
|
255 |
- Change the IMetadataProvider interface: this interface used to have |
CM |
256 |
a "metadata" method which returned a dictionary. This method is not |
|
257 |
part of that API anymore. It's been replaced with an "add_metadata" |
|
258 |
method which has the signature:: |
b5a331
|
259 |
|
CM |
260 |
def add_metadata(environ, identity): |
|
261 |
""" |
|
262 |
Add metadata to the identity (which is a dictionary) |
|
263 |
""" |
|
264 |
|
|
265 |
The return value is ignored. IMetadataProvider plugins are now |
|
266 |
assumed to be responsible for 'scribbling' directly on the identity |
|
267 |
that is passed in (it's a dictionary). The user id can always be |
|
268 |
retrieved from the identity via identity['repoze.who.userid'] for |
|
269 |
metadata plugins that rely on that value. |
|
270 |
|
a400b0
|
271 |
0.6 (2008-03-20) |
9238cd
|
272 |
================ |
e35c64
|
273 |
|
9238cd
|
274 |
- Renaming: repoze.pam is now repoze.who |
cb5426
|
275 |
|
9238cd
|
276 |
- Bump ez_setup.py version. |
e35c64
|
277 |
|
9238cd
|
278 |
- Add IMetadataProvider plugin type. Chris says 'Whit rules'. |
fa9581
|
279 |
|
3b67e9
|
280 |
0.5 (2008-03-09) |
9238cd
|
281 |
================ |
db4cf5
|
282 |
|
9238cd
|
283 |
- Allow "remote user key" (default: REMOTE_USER) to be overridden |
CM |
284 |
(pass in remote_user_key to middleware constructor). |
db4cf5
|
285 |
|
9238cd
|
286 |
- Allow form plugin to override the default form. |
db4cf5
|
287 |
|
9238cd
|
288 |
- API change: IIdentifiers are no longer required to put both 'login' |
CM |
289 |
and 'password' in a returned identity dictionary. Instead, an |
|
290 |
IIdentifier can place arbitrary key/value pairs in the identity |
|
291 |
dictionary (or return an empty dictionary). |
40a968
|
292 |
|
9238cd
|
293 |
- API return value change: the "failure" identity which IIdentifiers |
CM |
294 |
return is now None rather than an empty dictionary. |
40a968
|
295 |
|
9238cd
|
296 |
- The IAuthenticator interface now specifies that IAuthenticators must |
CM |
297 |
not raise an exception when evaluating an identity that does not |
|
298 |
have "expected" key/value pairs (e.g. when an IAuthenticator that |
|
299 |
expects login and password inspects an identity returned by an |
|
300 |
IP-based auth system which only puts the IP address in the |
|
301 |
identity); instead they fail gracefully by returning None. |
40a968
|
302 |
|
9238cd
|
303 |
- Add (cookie) "auth_tkt" identification plugin. |
a5b033
|
304 |
|
9238cd
|
305 |
- Stamp identity dictionaries with a userid by placing a key named |
CM |
306 |
'repoze.pam.userid' into the identity for each authenticated |
|
307 |
identity. |
a5b033
|
308 |
|
9238cd
|
309 |
- If an IIdentifier plugin inserts a 'repoze.pam.userid' key into the |
CM |
310 |
identity dictionary, consider this identity "preauthenticated". No |
|
311 |
authenticator plugins will be asked to authenticate this identity. |
|
312 |
This is designed for things like the recently added auth_tkt plugin, |
|
313 |
which embeds the user id into the ticket. This effectively allows |
|
314 |
an IIdentifier plugin to become an IAuthenticator plugin when |
|
315 |
breaking apart the responsibility into two separate plugins is |
|
316 |
"make-work". Preauthenticated identities will be selected first |
|
317 |
when deciding which identity to use for any given request. |
a5b033
|
318 |
|
9238cd
|
319 |
- Insert a 'repoze.pam.identity' key into the WSGI environment on |
CM |
320 |
ingress if an identity is found. Its value will be the identity |
|
321 |
dictionary related to the identity selected by repoze.pam on |
|
322 |
ingress. Downstream consumers are allowed to mutate this |
|
323 |
dictionary; this value is passed to "remember" and "forget", so its |
|
324 |
main use is to do a "credentials reset"; e.g. a user has changed his |
|
325 |
username or password within the application, but we don't want to |
|
326 |
force him to log in again after he does so. |
a5b033
|
327 |
|
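An added sketch, not repoze.who source, of the authentication step that the 0.5 entries above and the 1.0.3 userid fix describe: preauthenticated identities skip the authenticators and are selected first, authenticators return None for identities they do not understand, and only None counts as an invalid userid. `DictAuthenticator`, `select_identity`, the `none_only` switch and the user table are hypothetical names and constructed data; the key is written with its post-0.6 name.

```python
import hmac

USERID_KEY = "repoze.who.userid"  # was 'repoze.pam.userid' before the 0.6 rename


class DictAuthenticator:
    """Hypothetical IAuthenticator-style plugin over a constructed user table."""

    def __init__(self, users):
        self.users = users  # login -> (password bytes, userid); sample data only
        self.calls = 0

    def authenticate(self, environ, identity):
        self.calls += 1
        # Missing keys (e.g. an IP-only identity) mean "not mine": return None.
        login, password = identity.get("login"), identity.get("password")
        if login is None or password is None:
            return None
        record = self.users.get(login)
        if record is None:
            return None
        if not hmac.compare_digest(record[0], password.encode("utf-8")):
            return None
        return record[1]


def select_identity(identities, authenticators, environ, none_only=True):
    """Return (userid, identity) or None.

    none_only=False reproduces the pre-1.0.3 truthiness test, which drops
    valid falsy userids such as 0 or False.
    """
    ranked = []
    for identity in identities:
        if identity.get(USERID_KEY) is not None:
            # Preauthenticated by the identifier: authenticators are skipped.
            ranked.append((0, identity[USERID_KEY], identity))
            continue
        for plugin in authenticators:
            userid = plugin.authenticate(environ, identity)
            accepted = userid is not None if none_only else bool(userid)
            if accepted:
                identity[USERID_KEY] = userid
                ranked.append((1, userid, identity))
                break
    if not ranked:
        return None
    # min() returns the first lowest-rank entry: preauthenticated wins.
    _, userid, identity = min(ranked, key=lambda r: r[0])
    return userid, identity
```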
247f34
|
328 |
0.4 (03-07-2008) |
9238cd
|
329 |
================ |
247f34
|
330 |
|
9238cd
|
331 |
- Allow plugins to specify a classifiers list per interface (instead |
CM |
332 |
of a single classifiers list per plugin). |
247f34
|
333 |
|
fb510d
|
334 |
0.3 (03-05-2008) |
9238cd
|
335 |
================ |
fb510d
|
336 |
|
9238cd
|
337 |
- Make SQLAuthenticatorPlugin's default_password_compare use hexdigest |
CM |
338 |
sha instead of base64'ed binary sha for simpler conversion. |
fb510d
|
339 |
|
196bc2
|
340 |
0.2 (03-04-2008) |
9238cd
|
341 |
================ |
196bc2
|
342 |
|
9238cd
|
343 |
- Added SQLAuthenticatorPlugin (see plugins/sql.py). |
196bc2
|
344 |
|
318832
|
345 |
0.1 (02-27-2008) |
9238cd
|
346 |
================ |
318832
|
347 |
|
9238cd
|
348 |
- Initial release (no configuration file support yet). |
CM |
349 |
|
fdbab9
|
350 |
|