RedHatTraining/repoze.who.git

Tres Seaver

2012-03-19 96e536ce8d784765a4e73bf3f4a9d52e61b360c7

commit \| author \| age
7141c7	1	repoze.who Changelog
TS	2	====================
aa8755	3
d03c94	4	2.0 (2011-09-28)
493726	5	----------------
TS	6
7f9907	7	- ``auth_tkt`` plugin: strip any port number from the 'Domain' of generated
TS	8	cookies. http://bugs.repoze.org/issue66
	9
493726	10	- Further harden middleware, calling ``close()`` on the iterable even if
TS	11	raising an exception for a missing challenger.
	12	http://bugs.repoze.org/issue174
	13
	14
1b2443	15	2.0b1 (2011-05-24)
TS	16	------------------
f8ef81	17
d6b53f	18	- Enabled standard use of logging module's configuration mechanism.
TS	19	See http://docs.python.org/dev/howto/logging.html#configuring-logging-for-a-library
	20	Thanks to jgoldsmith for the patch: http://bugs.repoze.org/issue178
	21
	22
f8ef81	23	- ``repoze.who.plugins.htpasswd``: defend against timing-based attacks.
TS	24
	25
2b9b1f	26	2.0a4 (2011-02-02)
TS	27	------------------
9a8e60	28
b01f44	29	- Ensure that the middleware calls ``close()`` (if it exists) on the
TS	30	iterable returned from thw wrapped application, as required by PEP 333.
	31	http://bugs.repoze.org/issue174
	32
03fba8	33	- Make ``make_api_factory_with_config`` tolerant of invalid filenames /
TS	34	content for the config file: in such cases, the API factory will have
	35	no configured plugins or policies: it will only be useful for retrieving
	36	the API from an environment populated by middleware.
	37
c61031	38	- Fix bug in ``repoze.who.api`` where the ``remember()`` or ``forget()``
TS	39	methods could return a None if the identifier plugin returned a None.
cfe26c	40
c61031	41	- Fix ``auth_tkt`` plugin to not hand over tokens as strings to paste. See
fc9a88	42	http://lists.repoze.org/pipermail/repoze-dev/2010-November/003680.html
BS	43
c61031	44	- Fix ``auth_tkt`` plugin to add "secure" and "HttpOnly" to cookies when
TS	45	configured with ``secure=True``: these attributes prevent the browser from
	46	sending cookies over insecure channels, which could be vulnerable to some
3b5782	47	XSS attacks.
d7e647	48
15e365	49	- Avoid propagating unicode 'max_age' value into cookie headers. See
TS	50	https://bugs.launchpad.net/bugs/674123 .
	51
e8080a	52	- Added a single-file example BFG application demonstrating the use of
TS	53	the new 'login' and 'logout' methods of the API object.
	54
924f24	55	- Add ``login`` and ``logout`` methods to the ``repoze.who.api.API`` object,
TS	56	as a convenience for application-driven login / logout code, which would
95f147	57	otherwise need to use private methods of the API, and reach down into
TS	58	its plugins.
f8ef81	59
9a8e60	60
2c742e	61	2.0a3 (2010-09-30)
eb7071	62	------------------
f80021	63
a446d6	64	- Deprecated the following plugins, moving their modules, tests, and docs
ff604c	65	to a new project, ``repoze.who.deprecatedplugins``:
a446d6	66
TS	67	- ``repoze.who.plugins.cookie.InsecureCookiePlugin``
	68
630a05	69	- ``repoze.who.plugins.form.FormPlugin``
a446d6	70
630a05	71	- ``repoze.who.plugins.form.RedirectingFormPlugin``
a446d6	72
TS	73	- Made the ``repoze.who.plugins.cookie.InsecureCookiePlugin`` take a
76e951	74	``charset`` argument, and use to to encode / decode login and password.
TS	75	See http://bugs.repoze.org/issue155
	76
a446d6	77	- Updated ``repoze.who.restrict`` to return headers as a list, to keep
TS	78	``wsgiref`` from complaining.
5b6365	79
a446d6	80	- Helped default request classifier cope with xml submissions with an
6b7b34	81	explicit charset defined: http://bugs.repoze.org/issue145 (Lorenzo
CM	82	M. Catucci)
	83
a446d6	84	- Corrected the handling of type and subtype when matching an XML post
6b7b34	85	to ``xmlpost`` in the default classifier, which, according to RFC
CM	86	2045, must be matched case-insensitively:
	87	http://bugs.repoze.org/issue145 (Lorenzo M. Catucci)
	88
a349a2	89	- Added ``repoze.who.config:make_api_factory_with_config``, a convenience
TS	90	method for applications which want to set up their own API Factory from
	91	a configuration file.
	92
f80021	93	- Fixed example call to ``repoze.who.config:make_middleware_with_config``
TS	94	(added missing ``global_config`` argument). See
	95	http://bugs.repoze.org/issue114
	96
f8ef81	97
c186ae	98	2.0a2 (2010-03-25)
TS	99	------------------
52bc23	100
TS	101	Bugs Fixed
	102	~~~~~~~~~~
	103
	104	- Fixed failure to pass substution values in log message string formatting
	105	for ``repoze.who.api:API.challenge``. Fix included adding tests for all
	106	logging done by the API object. See http://bugs.repoze.org/issue122
	107
	108	Backward Incompatibilities
	109	~~~~~~~~~~~~~~~~~~~~~~~~~~
	110
	111	- Adjusted logging level for some lower-level details from ``info``
	112	to ``debug``.
f8ef81	113
52bc23	114
TS	115
e25b84	116	2.0a1 (2010-02-24)
993216	117	------------------
TS	118
b4b8ee	119	Features
TS	120	~~~~~~~~
62cd25	121
c9c1c6	122	- Restored the ability to create the middleware using the old ``classifier``
TS	123	argument. That argument is now a deprecated-but-will-work-forever alias for
	124	``request_classifier``.
cbc983	125
b0f81f	126	- The ``auth_tkt`` plugin now implements the ``IAuthenticator`` interface,
TS	127	and should normally be used both as an ``IIdentifier`` and an
	128	``IAuthenticator``.
	129
993216	130	- Factored out the API of the middleware object to make it useful from
TS	131	within the application. Applications using ``repoze.who``` now fall into
	132	one of three catgeories:
	133
	134	- "middleware-only" applications are configured with middleware, and
	135	use either ``REMOTE_USER`` or ``repoze.who.identity`` from the environment
	136	to determing the authenticated user.
	137
	138	- "bare metal" applications use no ``repoze.who`` middleware at all:
	139	instead, they configure and an ``APIFactory`` object at startup, and
	140	use it to create an ``API`` object when needed on a per-request basis.
	141
	142	- "hybrid" applications are configured with ``repoze.who`` middleware,
	143	but use a new library function to fetch the ``API`` object from the
c9c1c6	144	environ, e.g. to permit calling ``remember`` after a signup or successful
TS	145	login.
993216	146
b4b8ee	147	Bugs Fixed
TS	148	~~~~~~~~~~
	149
	150	- Fix http://bugs.repoze.org/issue102: when no challengers existed,
	151	logging would cause an exception.
	152
	153	- Remove ``ez_setup.py`` and dependency on it in setup.py (support
	154	distribute).
	155
	156	Backward Incompatibilities
	157	~~~~~~~~~~~~~~~~~~~~~~~~~~
	158
b213af	159	- The middleware used to allow identifier plugins to "pre-authenticate"
TS	160	an identity. This feature is no longer supported: the ``auth_tkt``
	161	plugin, which used to use the feature, is now configured to work as
c9c1c6	162	an authenticator plugin (as well as an identifier).
b213af	163
b4b8ee	164	- The ``repoze.who.middleware:PluggableAuthenticationMiddleware`` class
TS	165	no longer has the following (non-API) methods (now made API methods
	166	of the ``repoze.who.api:API`` class):
	167
	168	- ``add_metadata``
	169	- ``authenticate``
	170	- ``challenge``
	171	- ``identify``
	172
	173	- The following (non-API) functions moved from ``repoze.who.middleware`` to
	174	``repoze.who.api``:
	175
	176	- ``make_registries``
	177	- ``match_classification``
	178	- ``verify``
	179
	180
f8ef81	181
060054	182	1.0.18 (2009-11-05)
TS	183	-------------------
798feb	184
TS	185	- Issue #104: AuthTkt plugin was passing an invalid cookie value in
	186	headers from ``forget``, and was not setting the ``Max-Age`` and
	187	``Expires`` attributes of those cookies.
	188
b4b8ee	189
f8ef81	190
6e136f	191	1.0.17 (2009-11-05)
TS	192	-------------------
e0d138	193
TS	194	- Fixed the ``repoze.who.plugins.form.make_plugin`` factory's ``formcallable``
	195	argument handling, to allow passing in a dotted name (e.g., from a config
	196	file).
	197
b4b8ee	198
f8ef81	199
6b15ee	200	1.0.16 (2009-11-04)
028e4d	201	-------------------
1ec83d	202
8dd881	203	- Exposed ``formcallable`` argument for ``repoze.who.plugins.form.FormPlugin``
TS	204	to the callers of the ``repoze.who.plugins.form.make_plugin`` factory.
	205	Thanks to Roland Hedburg for the report.
21a9c5	206
8dd881	207	- Fixed an issue that caused the following symptom when using the
TS	208	ini configuration parser::
	209
	210	TypeError: _makePlugin() got multiple values for keyword argument 'name'
21a9c5	211
CM	212	See http://bugs.repoze.org/issue92 for more details. Thanks to vaab
	213	for the bug report and initial fix.
	214
1ec83d	215
7141c7	216	1.0.15 (2009-06-25)
TS	217	-------------------
299b4c	218
a14163	219	- If the form post value ``max_age`` exists while in the ``identify``
CM	220	method is handling the ``login_handler_path``, pass the max_age
	221	value in the returned identity dictionary as ``max_age``. See the
	222	below bullet point for why.
	223
299b4c	224	- If the ``identity`` dict passed to the ``auth_tkt`` ``remember``
CM	225	method contains a ``max_age`` key with a string (or integer) value,
	226	treat it as a cue to set the ``Max-Age`` and ``Expires`` headers in
	227	the returned cookies. The cookie ``Max-Age`` is set to the value
	228	and the ``Expires`` is computed from the current time.
	229
7141c7	230
TS	231	1.0.14 (2009-06-17)
	232	-------------------
9318dd	233
1810b2	234	- Fix test breakage on Windows. See http://bugs.repoze.org/issue79 .
TS	235
00a6d9	236	- Documented issue with using ``include_ip`` setting in the ``auth_tkt``
TS	237	plugin. See http://bugs.repoze.org/issue81 .
	238
0dd808	239	- Added 'passthrough_challenge_decider', which avoids re-challenging 401
TS	240	responses which have been "pre-challenged" by the application.
	241
9318dd	242	- One-hundred percent unit test coverage.
TS	243
a6f6dc	244	- Add ``timeout`` and ``reissue_time`` arguments to the auth_tkt
CM	245	identifier plugin, courtesty of Paul Johnston.
	246
	247	- Add a ``userid_checker`` argument to the auth_tkt identifier plugin,
	248	courtesty of Gustavo Narea.
	249
	250	If ``userid_checker`` is provided, it must be a dotted Python name
	251	that resolves to a function which accepts a userid and returns a
	252	boolean True or False, indicating whether that user exists in a
	253	database. This is a workaround. Due to a design bug in repoze.who,
	254	the only way who can check for user existence is to use one or more
	255	IAuthenticator plugin ``authenticate`` methods. If an
	256	IAuthenticator's ``authenticate`` method returns true, it means that
	257	the user exists. However most IAuthenticator plugins expect both
	258	a username and a password, and will return False unconditionally if
	259	both aren't supplied. This means that an authenticator can't be
	260	used to check if the user "only" exists. The identity provided by
	261	an auth_tkt does not contain a password to check against. The
	262	actual design bug in repoze.who is this: when a user presents
	263	credentials from an auth_tkt, he is considered "preauthenticated".
	264	IAuthenticator.authenticate is just never called for a
	265	"preauthenticated" identity, which works fine, but it means that the
	266	user will be considered authenticated even if you deleted the user's
	267	record from whatever database you happen to be using. However, if
	268	you use a userid_checker, you can ensure that a user exists for the
	269	auth_tkt supplied userid. If the userid_checker returns False, the
	270	auth_tkt credentials are considered "no good".
	271
7141c7	272
TS	273	1.0.13 (2009-04-24)
	274	-------------------
64ba13	275
TS	276	- Added a paragraph to ``IAuthenticator`` docstring, documenting that plugins
	277	are allowed to add keys to the ``identity`` dictionary (e.g., to save a
ced7bd	278	second database query in an ``IMetadataProvider`` plugin).
64ba13	279
08b2ae	280	- Patch supplied for issue #71 (http://bugs.repoze.org/issue71)
CM	281	whereby a downstream app can return a generator, relying on an
	282	upstream component to call start_response. We do this because the
	283	challenge decider needs the status and headers to decide what to do.
	284
56d0c5	285
7141c7	286	1.0.12 (2009-04-19)
TS	287	-------------------
56d0c5	288	- auth_tkt plugin tried to append REMOTE_USER_TOKENS data to
CM	289	existing tokens data returned by auth_tkt.parse_tkt; this was
	290	incorrect; just overwrite.
0ee58d	291
TS	292	- Extended auth_tkt plugin factory to allow passing secret in a separate
	293	file from the main config file. See http://bugs.repoze.org/issue40 .
	294
7141c7	295
TS	296	1.0.11 (2009-04-10)
	297	-------------------
afbbcd	298
8c20ba	299	- Fix auth_tkt plugin; cookie values are now quoted, making it possible
CM	300	to put spaces and other whitespace, etc in usernames. (thanks to Michael
95736b	301	Pedersen).
8c20ba	302
afbbcd	303	- Fix corner case issue of an exception raised when attempting to log
CM	304	when there are no identifiers or authenticators.
	305
7141c7	306
TS	307	1.0.10 (2009-01-23)
	308	-------------------
7b931d	309
CM	310	- The RedirectingFormPlugin now passes along SetCookie headers set
	311	into the response by the application within the NotFound response
	312	(fixes TG2 "flash" issue).
	313
7141c7	314
TS	315	1.0.9 (2008-12-18)
	316	------------------
30ab69	317
9238cd	318	- The RedirectingFormPlugin now attempts to find a header named
CM	319	``X-Authentication-Failure-Reason`` among the response headers set
	320	by the application when a challenge is issued. If a value for this
	321	header exists (and is non-blank), the value is attached to the
	322	redirect URL's query string as the ``reason`` parameter (or a
	323	user-settable key). This makes it possible for downstream
	324	applications to issue a response that initiates a challenge with
	325	this header and subsequently display the reason in the login form
	326	rendered as a result of the challenge.
30ab69	327
7141c7	328
TS	329	1.0.8 (2008-12-13)
	330	------------------
186ff6	331
9238cd	332	- The ``PluggableAuthenticationMiddleware`` constructor accepts a
CM	333	``log_stream`` argument, which is typically a file. After this
	334	release, it can also be a PEP 333 ``Logger`` instance; if it is a
	335	PEP 333 ``Logger`` instance, this logger will be used as the
	336	repoze.who logger (instead of one being constructed by the
	337	middleware, as was previously always the case). When the
	338	``log_stream`` argument is a PEP 333 Logger object, the
	339	``log_level`` argument is ignored.
186ff6	340
7141c7	341
TS	342	1.0.7 (2008-08-28)
	343	------------------
37de44	344
9238cd	345	- ``repoze.who`` and ``repoze.who.plugins`` were not added to the
CM	346	``namespace_packages`` list in setup.py, potentially making 1.0.6 a
	347	brownbag release, given that making these packages namespace
	348	packages was the only reason for its release.
37de44	349
7141c7	350
TS	351	1.0.6 (2008-08-28)
	352	------------------
facdf8	353
9238cd	354	- Make repoze.who and repoze.who.plugins into namespace packages
CM	355	mainly so we can allow plugin authors to distribute packages in the
	356	repoze.who.plugins namespace.
facdf8	357
7141c7	358
TS	359	1.0.5 (2008-08-23)
	360	------------------
519300	361
9238cd	362	- Fix auth_tkt plugin to set the same cookies in its ``remember``
CM	363	method that it does in its ``forget`` method. Previously, logging
	364	out and relogging back in to a site that used auth_tkt identifier
	365	plugin was slightly dicey and would only work sometimes.
facdf8	366
9238cd	367	- The FormPlugin plugin has grown a redirect-on-unauthorized feature.
CM	368	Any response from a downstream application that causes a challenge
	369	and includes a Location header will cause a redirect to the value of
	370	the Location header.
dee08c	371
7141c7	372
TS	373	1.0.4 (2008-08-22)
	374	------------------
b95a59	375
9238cd	376	- Added a key to the '[general]' config section: ``remote_user_key``.
CM	377	If you use this key in the config file, it tells who to 1) not
	378	perform any authentication if it exists in the environment during
	379	ingress and 2) to set the key in the environment for the downstream
	380	app to use as the REMOTE_USER variable. The default is
	381	``REMOTE_USER``.
b95a59	382
9238cd	383	- Using unicode user ids in combination with the auth_tkt plugin would
CM	384	cause problems under mod_wsgi.
55dc7a	385
9238cd	386	- Allowed 'cookie_path' argument to InsecureCookiePlugin (and config
CM	387	constructor). Thanks to Gustavo Narea.
55dc7a	388
7141c7	389
TS	390	1.0.3 (2008-08-16)
	391	------------------
f693fe	392
9238cd	393	- A bug in the middleware's ``authenticate`` method made it impossible
CM	394	to authenticate a user with a userid that was null (e.g. 0, False),
	395	which are valid identifiers. The only invalid userid is now None.
c7e12d	396
9238cd	397	- Applied patch from Olaf Conradi which logs an error when an invalid
CM	398	filename is passed to the HTPasswdPlugin.
c7e12d	399
7141c7	400
TS	401	1.0.2 (2008-06-16)
	402	------------------
cad90d	403
9238cd	404	- Fix bug found by Chris Perkins: the auth_tkt plugin's "remember"
CM	405	method didn't handle userids which are Python "long" instances
	406	properly. Symptom: TypeError: cannot concatenate 'str' and 'long'
	407	objects in "paste.auth.auth_tkt".
a2c030	408
9238cd	409	- Added predicate-based "restriction" middleware support
CM	410	(repoze.who.restrict), allowing configuratio-driven authorization as
	411	a WSGI filter. One example predicate, 'authenticated_predicate', is
	412	supplied, which requires that the user be authenticated either via
	413	'REMOTE_USER' or via 'repoze.who.identity'. To use the filter to
	414	restrict access::
cad90d	415
TS	416	[filter:authenticated_only]
	417	use = egg:repoze.who#authenticated
	418
	419	or::
	420
	421	[filter:some_predicate]
	422	use = egg:repoze.who#predicate
	423	predicate = my.module:some_predicate
	424	some_option = a value
	425
7141c7	426
TS	427	1.0.1 (2008-05-24)
	428	------------------
8199a1	429
9238cd	430	- Remove dependency-link to dist.repoze.org to prevent easy_install
CM	431	from inserting that path into its search paths (the dependencies are
	432	available from PyPI).
8199a1	433
7141c7	434
TS	435	1.0 (2008-05-04)
	436	-----------------
419946	437
9238cd	438	- The plugin at plugins.form.FormPlugin didn't redirect properly after
CM	439	collecting identification information. Symptom: a downstream app
	440	would receive a POST request with a blank body, which would
	441	sometimes result in a Bad Request error.
f39349	442
9238cd	443	- Fixed interface declarations of
CM	444	'classifiers.default_request_classifier' and
	445	'classifiers.default_password_compare'.
515c69	446
9238cd	447	- Added actual config-driven middleware factory,
CM	448	'config.make_middleware_with_config'
515c69	449
9238cd	450	- Removed fossilized 'who_conf' argument from plugin factory functions.
515c69	451
7141c7	452	- Added ConfigParser-based WhoConfig, implementing the spec outlined at
9238cd	453	http://www.plope.com/static/misc/sphinxtest/intro.html#middleware-configuration-via-config-file,
CM	454	with the following changes:
419946	455
7141c7	456	- "Bare" plugins (requiring no configuration options) may be specified
419946	457	as either egg entry points (e.g., 'egg:distname#entry_point_name') or
TS	458	as dotted-path-with-colon (e.g., 'dotted.name:object_id').
	459
7141c7	460	- Therefore, the separator between a plugin and its classifier is now
TS	461	a semicolon, rather than a colon. E.g.::
419946	462
TS	463	[plugins:id_plugin]
	464	use = egg:another.package#identify_with_frobnatz
	465	frobnatz = baz
	466
	467	[identifiers]
	468	plugins =
	469	egg:my.egg#identify;browser
	470	dotted.name:identifier
	471	id_plugin
	472
7141c7	473
779caf	474	0.9.1 (2008-04-27)
7141c7	475	------------------
779caf	476
9238cd	477	- Fix auth_tkt plugin to be able to encode and decode integer user
CM	478	ids.
779caf	479
7141c7	480
88e646	481	0.9 (2008-04-01)
7141c7	482	----------------
88e646	483
9238cd	484	- Fix bug introduced in FormPlugin in 0.8 release (rememberer headers
CM	485	not set).
88e646	486
9238cd	487	- Add PATH_INFO to started and ended log info.
d9f046	488
9238cd	489	- Add a SQLMetadataProviderPlugin (in plugins/sql).
d9f046	490
9238cd	491	- Change constructor of SQLAuthenticatorPlugin: it now accepts only
CM	492	"query", "conn_factory", and "compare_fn". The old constructor
	493	accepted a DSN, but some database systems don't use DBAPI DSNs. The
	494	new constructor accepts no DSN; the conn_factory is assumed to do
	495	all the work to make a connection, including knowing the DSN if one
	496	is required. The "conn_factory" should return something that, when
	497	called with no arguments, returns a database connection.
d9f046	498
9238cd	499	- The "make_plugin" helper in plugins/sql has been renamed
CM	500	"make_authenticator_plugin". When called, this helper will return a
	501	SQLAuthenticatorPlugin. A bit of helper logic in the
	502	"make_authenticator_plugin" allows a connection factory to be
	503	computed. The top-level callable referred to by conn_factory in
	504	this helper should return a function that, when called with no
	505	arguments, returns a datbase connection. The top-level callable
	506	itself is called with "who_conf" (global who configuration) and any
	507	number of non-top-level keyword arguments as they are passed into
	508	the helper, to allow for a DSN or URL or whatever to be passed in.
d9f046	509
9238cd	510	- A "make_metatata_plugin" helper has been added to plugins/sql. When
CM	511	called, this will make a SQLMetadataProviderPlugin. See the
	512	implementation for details. It is similar to the
	513	"make_authenticator_plugin" helper.
d9f046	514
7141c7	515
cbe4e3	516	0.8 (2008-03-27)
7141c7	517	----------------
b5a331	518
9238cd	519	- Add a RedirectingFormIdentifier plugin. This plugin is willing to
CM	520	redirect to an external (or downstream application) login form to
	521	perform identification. The external login form must post to the
	522	"login_handler_path" of the plugin (optimally with a "came_from"
	523	value to tell the plugin where to redirect the response to if the
	524	authentication works properly). The "logout_handler_path" of this
	525	plugin can be visited to perform a logout. The "came_from" value
	526	also works there.
a400b0	527
9238cd	528	- Identifier plugins are now permitted to set a key in the environment
CM	529	named 'repoze.who.application' on ingress (in 'identify'). If an
	530	identifier plugin does so, this application is used instead of the
	531	"normal" downstream application. This feature was added to more
	532	simply support the redirecting form identifier plugin.
a400b0	533
7141c7	534
a400b0	535	0.7 (2008-03-26)
7141c7	536	----------------
a400b0	537
9238cd	538	- Change the IMetadataProvider interface: this interface used to have
CM	539	a "metadata" method which returned a dictionary. This method is not
	540	part of that API anymore. It's been replaced with an "add_metadata"
	541	method which has the signature::
b5a331	542
CM	543	def add_metadata(environ, identity):
	544	"""
	545	Add metadata to the identity (which is a dictionary)
	546	"""
	547
	548	The return value is ignored. IMetadataProvider plugins are now
	549	assumed to be responsible for 'scribbling' directly on the identity
	550	that is passed in (it's a dictionary). The user id can always be
	551	retrieved from the identity via identity['repoze.who.userid'] for
	552	metadata plugins that rely on that value.
	553
7141c7	554
a400b0	555	0.6 (2008-03-20)
7141c7	556	----------------
e35c64	557
9238cd	558	- Renaming: repoze.pam is now repoze.who
cb5426	559
9238cd	560	- Bump ez_setup.py version.
e35c64	561
9238cd	562	- Add IMetadataProvider plugin type. Chris says 'Whit rules'.
fa9581	563
7141c7	564
3b67e9	565	0.5 (2008-03-09)
7141c7	566	----------------
db4cf5	567
9238cd	568	- Allow "remote user key" (default: REMOTE_USER) to be overridden
CM	569	(pass in remote_user_key to middleware constructor).
db4cf5	570
9238cd	571	- Allow form plugin to override the default form.
db4cf5	572
9238cd	573	- API change: IIdentifiers are no longer required to put both 'login'
CM	574	and 'password' in a returned identity dictionary. Instead, an
	575	IIdentifier can place arbitrary key/value pairs in the identity
	576	dictionary (or return an empty dictionary).
40a968	577
9238cd	578	- API return value change: the "failure" identity which IIdentifiers
CM	579	return is now None rather than an empty dictionary.
40a968	580
9238cd	581	- The IAuthenticator interface now specifies that IAuthenticators must
CM	582	not raise an exception when evaluating an identity that does not
	583	have "expected" key/value pairs (e.g. when an IAuthenticator that
	584	expects login and password inspects an identity returned by an
	585	IP-based auth system which only puts the IP address in the
	586	identity); instead they fail gracefully by returning None.
40a968	587
9238cd	588	- Add (cookie) "auth_tkt" identification plugin.
a5b033	589
9238cd	590	- Stamp identity dictionaries with a userid by placing a key named
CM	591	'repoze.pam.userid' into the identity for each authenticated
	592	identity.
a5b033	593
9238cd	594	- If an IIdentifier plugin inserts a 'repoze.pam.userid' key into the
CM	595	identity dictionary, consider this identity "preauthenticated". No
	596	authenticator plugins will be asked to authenticate this identity.
	597	This is designed for things like the recently added auth_tkt plugin,
	598	which embeds the user id into the ticket. This effectively alllows
	599	an IIdentifier plugin to become an IAuthenticator plugin when
	600	breaking apart the responsibility into two separate plugins is
	601	"make-work". Preauthenticated identities will be selected first
	602	when deciding which identity to use for any given request.
a5b033	603
9238cd	604	- Insert a 'repoze.pam.identity' key into the WSGI environment on
CM	605	ingress if an identity is found. Its value will be the identity
	606	dictionary related to the identity selected by repoze.pam on
	607	ingress. Downstream consumers are allowed to mutate this
	608	dictionary; this value is passed to "remember" and "forget", so its
	609	main use is to do a "credentials reset"; e.g. a user has changed his
	610	username or password within the application, but we don't want to
	611	force him to log in again after he does so.
a5b033	612
7141c7	613
247f34	614	0.4 (03-07-2008)
7141c7	615	----------------
247f34	616
9238cd	617	- Allow plugins to specify a classifiers list per interface (instead
CM	618	of a single classifiers list per plugin).
247f34	619
7141c7	620
fb510d	621	0.3 (03-05-2008)
7141c7	622	----------------
fb510d	623
9238cd	624	- Make SQLAuthenticatorPlugin's default_password_compare use hexdigest
CM	625	sha instead of base64'ed binary sha for simpler conversion.
fb510d	626
7141c7	627
196bc2	628	0.2 (03-04-2008)
7141c7	629	----------------
196bc2	630
9238cd	631	- Added SQLAuthenticatorPlugin (see plugins/sql.py).
196bc2	632
7141c7	633
318832	634	0.1 (02-27-2008)
7141c7	635	----------------
318832	636
9238cd	637	- Initial release (no configuration file support yet).