==================
|
repoze.who changes
|
==================
|
|
1.0.13 (2009/4/24)
|
==================
|
|
- Added a paragraph to ``IAuthenticator`` docstring, documenting that plugins
|
are allowed to add keys to the ``identity`` dictionary (e.g., to save a
|
second database query in an ``IMetadataProvider`` plugin).
|
|
- Patch supplied for issue #71 (http://bugs.repoze.org/issue71)
|
whereby a downstream app can return a generator, relying on an
|
upstream component to call start_response. We do this because the
|
challenge decider needs the status and headers to decide what to do.
|
|
1.0.12 (2009/4/19)
|
==================
|
|
- auth_tkt plugin tried to append REMOTE_USER_TOKENS data to
|
existing tokens data returned by auth_tkt.parse_tkt; this was
|
incorrect; just overwrite.
|
|
- Extended auth_tkt plugin factory to allow passing secret in a separate
|
file from the main config file. See http://bugs.repoze.org/issue40 .
|
|
1.0.11 (2009/4/10)
|
==================
|
|
- Fix auth_tkt plugin; cookie values are now quoted, making it possible
|
to put spaces and other whitespace, etc in usernames. (thanks to Michael
|
Pedersen).
|
|
- Fix corner case issue of an exception raised when attempting to log
|
when there are no identifiers or authenticators.
|
|
1.0.10 (2009/1/23)
|
==================
|
|
- The RedirectingFormPlugin now passes along SetCookie headers set
|
into the response by the application within the NotFound response
|
(fixes TG2 "flash" issue).
|
|
1.0.9 (2008/12/18)
|
==================
|
|
- The RedirectingFormPlugin now attempts to find a header named
|
``X-Authentication-Failure-Reason`` among the response headers set
|
by the application when a challenge is issued. If a value for this
|
header exists (and is non-blank), the value is attached to the
|
redirect URL's query string as the ``reason`` parameter (or a
|
user-settable key). This makes it possible for downstream
|
applications to issue a response that initiates a challenge with
|
this header and subsequently display the reason in the login form
|
rendered as a result of the challenge.
|
|
1.0.8 (2008/12/13)
|
==================
|
|
- The ``PluggableAuthenticationMiddleware`` constructor accepts a
|
``log_stream`` argument, which is typically a file. After this
|
release, it can also be a PEP 333 ``Logger`` instance; if it is a
|
PEP 333 ``Logger`` instance, this logger will be used as the
|
repoze.who logger (instead of one being constructed by the
|
middleware, as was previously always the case). When the
|
``log_stream`` argument is a PEP 333 Logger object, the
|
``log_level`` argument is ignored.
|
|
1.0.7 (2008/08/28)
|
==================
|
|
- ``repoze.who`` and ``repoze.who.plugins`` were not added to the
|
``namespace_packages`` list in setup.py, potentially making 1.0.6 a
|
brownbag release, given that making these packages namespace
|
packages was the only reason for its release.
|
|
1.0.6 (2008/08/28)
|
==================
|
|
- Make repoze.who and repoze.who.plugins into namespace packages
|
mainly so we can allow plugin authors to distribute packages in the
|
repoze.who.plugins namespace.
|
|
1.0.5 (2008/08/23)
|
==================
|
|
- Fix auth_tkt plugin to set the same cookies in its ``remember``
|
method that it does in its ``forget`` method. Previously, logging
|
out and relogging back in to a site that used auth_tkt identifier
|
plugin was slightly dicey and would only work sometimes.
|
|
- The FormPlugin plugin has grown a redirect-on-unauthorized feature.
|
Any response from a downstream application that causes a challenge
|
and includes a Location header will cause a redirect to the value of
|
the Location header.
|
|
1.0.4 (2008/08/22)
|
===================
|
|
- Added a key to the '[general]' config section: ``remote_user_key``.
|
If you use this key in the config file, it tells who to 1) not
|
perform any authentication if it exists in the environment during
|
ingress and 2) to set the key in the environment for the downstream
|
app to use as the REMOTE_USER variable. The default is
|
``REMOTE_USER``.
|
|
- Using unicode user ids in combination with the auth_tkt plugin would
|
cause problems under mod_wsgi.
|
|
- Allowed 'cookie_path' argument to InsecureCookiePlugin (and config
|
constructor). Thanks to Gustavo Narea.
|
|
1.0.3 (2008/08/16)
|
==================
|
|
- A bug in the middleware's ``authenticate`` method made it impossible
|
to authenticate a user with a userid that was null (e.g. 0, False),
|
which are valid identifiers. The only invalid userid is now None.
|
|
- Applied patch from Olaf Conradi which logs an error when an invalid
|
filename is passed to the HTPasswdPlugin.
|
|
1.0.2 (2008/06/16)
|
==================
|
|
- Fix bug found by Chris Perkins: the auth_tkt plugin's "remember"
|
method didn't handle userids which are Python "long" instances
|
properly. Symptom: TypeError: cannot concatenate 'str' and 'long'
|
objects in "paste.auth.auth_tkt".
|
|
- Added predicate-based "restriction" middleware support
|
(repoze.who.restrict), allowing configuratio-driven authorization as
|
a WSGI filter. One example predicate, 'authenticated_predicate', is
|
supplied, which requires that the user be authenticated either via
|
'REMOTE_USER' or via 'repoze.who.identity'. To use the filter to
|
restrict access::
|
|
[filter:authenticated_only]
|
use = egg:repoze.who#authenticated
|
|
or::
|
|
[filter:some_predicate]
|
use = egg:repoze.who#predicate
|
predicate = my.module:some_predicate
|
some_option = a value
|
|
1.0.1
|
=====
|
|
- Remove dependency-link to dist.repoze.org to prevent easy_install
|
from inserting that path into its search paths (the dependencies are
|
available from PyPI).
|
|
1.0
|
===
|
|
- The plugin at plugins.form.FormPlugin didn't redirect properly after
|
collecting identification information. Symptom: a downstream app
|
would receive a POST request with a blank body, which would
|
sometimes result in a Bad Request error.
|
|
- Fixed interface declarations of
|
'classifiers.default_request_classifier' and
|
'classifiers.default_password_compare'.
|
|
- Added actual config-driven middleware factory,
|
'config.make_middleware_with_config'
|
|
- Removed fossilized 'who_conf' argument from plugin factory functions.
|
|
- Added ConfigParser-based WhoConfig, implementing the spec outlined
|
at
|
http://www.plope.com/static/misc/sphinxtest/intro.html#middleware-configuration-via-config-file,
|
with the following changes:
|
|
o "Bare" plugins (requiring no configuration options) may be specified
|
as either egg entry points (e.g., 'egg:distname#entry_point_name') or
|
as dotted-path-with-colon (e.g., 'dotted.name:object_id').
|
|
o Therefore, the separator between a plugin and its classifier is now
|
a semicolon, rather than a colon. E.g.::
|
|
[plugins:id_plugin]
|
use = egg:another.package#identify_with_frobnatz
|
frobnatz = baz
|
|
[identifiers]
|
plugins =
|
egg:my.egg#identify;browser
|
dotted.name:identifier
|
id_plugin
|
|
0.9.1 (2008-04-27)
|
==================
|
|
- Fix auth_tkt plugin to be able to encode and decode integer user
|
ids.
|
|
0.9 (2008-04-01)
|
================
|
|
- Fix bug introduced in FormPlugin in 0.8 release (rememberer headers
|
not set).
|
|
- Add PATH_INFO to started and ended log info.
|
|
- Add a SQLMetadataProviderPlugin (in plugins/sql).
|
|
- Change constructor of SQLAuthenticatorPlugin: it now accepts only
|
"query", "conn_factory", and "compare_fn". The old constructor
|
accepted a DSN, but some database systems don't use DBAPI DSNs. The
|
new constructor accepts no DSN; the conn_factory is assumed to do
|
all the work to make a connection, including knowing the DSN if one
|
is required. The "conn_factory" should return something that, when
|
called with no arguments, returns a database connection.
|
|
- The "make_plugin" helper in plugins/sql has been renamed
|
"make_authenticator_plugin". When called, this helper will return a
|
SQLAuthenticatorPlugin. A bit of helper logic in the
|
"make_authenticator_plugin" allows a connection factory to be
|
computed. The top-level callable referred to by conn_factory in
|
this helper should return a function that, when called with no
|
arguments, returns a datbase connection. The top-level callable
|
itself is called with "who_conf" (global who configuration) and any
|
number of non-top-level keyword arguments as they are passed into
|
the helper, to allow for a DSN or URL or whatever to be passed in.
|
|
- A "make_metatata_plugin" helper has been added to plugins/sql. When
|
called, this will make a SQLMetadataProviderPlugin. See the
|
implementation for details. It is similar to the
|
"make_authenticator_plugin" helper.
|
|
0.8 (2008-03-27)
|
================
|
|
- Add a RedirectingFormIdentifier plugin. This plugin is willing to
|
redirect to an external (or downstream application) login form to
|
perform identification. The external login form must post to the
|
"login_handler_path" of the plugin (optimally with a "came_from"
|
value to tell the plugin where to redirect the response to if the
|
authentication works properly). The "logout_handler_path" of this
|
plugin can be visited to perform a logout. The "came_from" value
|
also works there.
|
|
- Identifier plugins are now permitted to set a key in the environment
|
named 'repoze.who.application' on ingress (in 'identify'). If an
|
identifier plugin does so, this application is used instead of the
|
"normal" downstream application. This feature was added to more
|
simply support the redirecting form identifier plugin.
|
|
0.7 (2008-03-26)
|
================
|
|
- Change the IMetadataProvider interface: this interface used to have
|
a "metadata" method which returned a dictionary. This method is not
|
part of that API anymore. It's been replaced with an "add_metadata"
|
method which has the signature::
|
|
def add_metadata(environ, identity):
|
"""
|
Add metadata to the identity (which is a dictionary)
|
"""
|
|
The return value is ignored. IMetadataProvider plugins are now
|
assumed to be responsible for 'scribbling' directly on the identity
|
that is passed in (it's a dictionary). The user id can always be
|
retrieved from the identity via identity['repoze.who.userid'] for
|
metadata plugins that rely on that value.
|
|
0.6 (2008-03-20)
|
================
|
|
- Renaming: repoze.pam is now repoze.who
|
|
- Bump ez_setup.py version.
|
|
- Add IMetadataProvider plugin type. Chris says 'Whit rules'.
|
|
0.5 (2008-03-09)
|
================
|
|
- Allow "remote user key" (default: REMOTE_USER) to be overridden
|
(pass in remote_user_key to middleware constructor).
|
|
- Allow form plugin to override the default form.
|
|
- API change: IIdentifiers are no longer required to put both 'login'
|
and 'password' in a returned identity dictionary. Instead, an
|
IIdentifier can place arbitrary key/value pairs in the identity
|
dictionary (or return an empty dictionary).
|
|
- API return value change: the "failure" identity which IIdentifiers
|
return is now None rather than an empty dictionary.
|
|
- The IAuthenticator interface now specifies that IAuthenticators must
|
not raise an exception when evaluating an identity that does not
|
have "expected" key/value pairs (e.g. when an IAuthenticator that
|
expects login and password inspects an identity returned by an
|
IP-based auth system which only puts the IP address in the
|
identity); instead they fail gracefully by returning None.
|
|
- Add (cookie) "auth_tkt" identification plugin.
|
|
- Stamp identity dictionaries with a userid by placing a key named
|
'repoze.pam.userid' into the identity for each authenticated
|
identity.
|
|
- If an IIdentifier plugin inserts a 'repoze.pam.userid' key into the
|
identity dictionary, consider this identity "preauthenticated". No
|
authenticator plugins will be asked to authenticate this identity.
|
This is designed for things like the recently added auth_tkt plugin,
|
which embeds the user id into the ticket. This effectively alllows
|
an IIdentifier plugin to become an IAuthenticator plugin when
|
breaking apart the responsibility into two separate plugins is
|
"make-work". Preauthenticated identities will be selected first
|
when deciding which identity to use for any given request.
|
|
- Insert a 'repoze.pam.identity' key into the WSGI environment on
|
ingress if an identity is found. Its value will be the identity
|
dictionary related to the identity selected by repoze.pam on
|
ingress. Downstream consumers are allowed to mutate this
|
dictionary; this value is passed to "remember" and "forget", so its
|
main use is to do a "credentials reset"; e.g. a user has changed his
|
username or password within the application, but we don't want to
|
force him to log in again after he does so.
|
|
0.4 (03-07-2008)
|
================
|
|
- Allow plugins to specify a classifiers list per interface (instead
|
of a single classifiers list per plugin).
|
|
0.3 (03-05-2008)
|
================
|
|
- Make SQLAuthenticatorPlugin's default_password_compare use hexdigest
|
sha instead of base64'ed binary sha for simpler conversion.
|
|
0.2 (03-04-2008)
|
================
|
|
- Added SQLAuthenticatorPlugin (see plugins/sql.py).
|
|
0.1 (02-27-2008)
|
================
|
|
- Initial release (no configuration file support yet).
|
