EVOLUTION-MANAGER

Edit File: NEWS

==== NEWS ==== :Authors: Toshio Kuratomi, Luke Macken, Ricky Elrod, Patrick Uiterwijk, Ralph Bean :Date: 5 May 2017 :Version: 0.10.x ------ 0.10.0 ------ * Seperate init_app in flask_fas_openid * Some py3 compatibility * Harden url() function ----- 0.9.0 ----- * Deprecated fedora.client.bodhi in favor of bodhi.client.bindings. * Added OpenID Connect client * Added file permission checks on openidbaseclient cookies ----- 0.8.0 ----- * Removed python 2.5 compatibility code * Various python 3 fixes * Documentation fixes * OpenID endpoint check * Cookie clearing on login in openidbaseclient * Removed flask_fas backwards compatibility module ----- 0.7.1 ----- * Fix a regression in BodhiClient config parsing introduced in 0.7.0. ----- 0.7.0 ----- * Removed the pkgdb1 client. The server has been gone for over a year now. * Removed the flask_fas server component in favor of flask_fas_openid. * Updated flask_fas_openid to forward along ssh and gpg public key information. * Python3 compat enhancements from Craig Rodrigues and Ville Skyttä. ----- 0.6.4 ----- * Bodhi2Client query: document new _before query params * Also perform request retries for failed POST requests. ----- 0.6.3 ----- * Adjust download URL for pypi. ----- 0.6.2 ----- * Force the Bodhi2 url in the BodhiClient shim (for /usr/bin/bodhi). ----- 0.6.1 ----- * Fix a bug in the BodhiClient where the Bodhi2Client would try to use the old Bodhi1 base url. * Raise an AuthError if no username or password is provided to the openid login function. ----- 0.6.0 ----- * Cache session cookies between use for clients using OpenID. * Retry failed requests for clients using OpenID * Remove Bodhi server version detection code. * Python3 support for the BodhiClient. * Drop support for python-requests-1.x ----- 0.5.6 ----- * Python2.6 fix for string formatting in the BodhiClient. ----- 0.5.5 ----- * Consistent exception handling in the Bodhi2Client. * More adjustments to bodhi server version detection. ----- 0.5.4 ----- * Adjust usage of python-six to be compatible with older versions on rhel7. * More updates to detection of the bodhi server version. ----- 0.5.3 ----- * Better bodhi compatibility with 'fedpkg update'. ----- 0.5.2 ----- * Better version checking against the bodhi server. ----- 0.5.1 ----- * Typofix in the BodhiClient ----- 0.5.0 ----- * Bodhi2 compatibility! * Ensure that the OpenIdBaseClient returns a munch object like the old BaseClient did. * Minor fixes to some python3 compatibility. ----- 0.4.0 ----- * Port most modules to a python2/python3 compatible codebase! Hooray! * Deprecate the wiki client (it will be removed in the next major release). * Switch over to using zanata for translations. ------ 0.3.37 ------ * Make the fedora_session file unhidden * Instead of returning the JSON returned by fedoauth/ipsilon we return the response from the application when we sent to it the data returned by fedoauth/ipsilon. * Update OpenIdProxyClient to allow specifying headers when sending a request * Update bugzilla exception list. ------ 0.3.36 ------ * Fix the OpenId BaseClient NullHandler for logging ------ 0.3.35 ------ * Add Openid BaseClient for talking to our new web services that are using openid to auth. * flask_fas_openid can return the json data from the openid request instead of the html page if requested. * Add a requirement on urllib3 in setup.py so that pip will install it. ------ 0.3.34 ------ * **SECURITY** Fix the jsglobals.html template to escape usernames and human names to fix potential XSS flaw. * **SECURITY** Make flask-fas-openid check that the page it is returning the user to after authentication is from within the application. * Updated libravatar lookups to use the user's openid identifier instead of their email address. ------ 0.3.33 ------ * Minimum version of python is now 2.6. Some things may work on older python but this is not guaranteed. Patches to make it work may or may not be accepted. * Added flask_fas_openid for the migration to OpenID This adds the requirements for python-openid, python-openid-teams and python-openid-cla. * Rename the FAS_HTTPS_REQUIRED config variable in the flask_fas auth adapter to FAS_FLASK_COOKIE_REQUIRES_HTTPS. The longer name is more cumbersome but the previous name was too often mistaken to be setting whether we needed to connect to the fas server with https when it really was about whether the session cookie should require https to be returned to the server (the cookie's secure flag). * Change the groups attribute of the flask_fas and flask_fas_openid auth adapters to be a frozenset instead of a list * Set a configurable timeout on how long a client request will wait for the server to setup a connection in BaseClient and ProxyClient. * Fix instance-wide default retries in BaseClient (and subclasses) being overridden by the default value of retries in BaseClient.send_request() * Fix a performance bug in the client modules when the server returns large json strings. python-requests defaults to trying to detect the charset of response strings. This takes a very long time on large return values. Since we know that all responses from the services we're talking to will be utf-8, we can skip this detection step. * No longer use paver for building. We just need setuptools now * Deprecated AccountSystem's gravatar_url method in favor of a new avatar_url method. This defaults to using the free libravatar service but still allows API users to fall back on the proprietary gravatar service if they prefer. python-pylibravatar must be installed for the default to work. If it isn't found on the user's system, then gravatar.com is made the new default. -------- 0.3.32.3 -------- * Fix BodhiClient's knowledge of koji tags -------- 0.3.32.2 -------- * Stop setting cookie attributes on the cookie we generate client-side as those aren't sent to the server and it provokes bugs in python-requests -------- 0.3.32.1 -------- * Update documentation on fasproxy.FasProxyClient.login() ------ 0.3.32 ------ * Replace pyCurl with python-requests in ProxyClient (ralph). This was in order to fix bugs we were seeing with curl/nss in some contexts. ------ 0.3.31 ------ * Fix a problem getting encodings in the soprovidercsrf tg1 identity provider * Fix for login template issuing a traceback when viewed as a localized page (lmacken) ------ 0.3.30 ------ * Added a lookup_email parameter to fedora.client.AccountSystem.gravatar_url() to allow generating gravaar urls without looking up email addresses in fas. * Fixed a bug in fedora.tg.utils.tg_absolute_url() where it was still appending the csrf_token. * Add an auth adapter for flask web apps to authenticate to FAS * New minimum version of python: requires python-2.5 or higher * Fix localization of login templates (laxathom) --------- 0.3.29 --------- * Added a create_group method to AccountSystem to allow for creating FAS groups. --------- 0.3.28.90 --------- To finish --------- * For the faswho repoze.who plugin, allow TG1-style authentication -- ie: if all of the following are set on any URL, authenticate the user prior to loading the web page:: login=Login&user_name=$FAS_USERNAME&password=$FAS_PASSWORD -------- 0.3.28.1 -------- * Previous fix for curl/apache interaction was incomplete. Apache returns a 417 error even if the request would have completed okay (for our case, even if the request is unauthenticated). Have to apply the workaround unconditionally. ------ 0.3.28 ------ * Fix Django auth provider with Django-1.2.x or less. These versions of Django do not have the API necessary to do httponly cookies so we need to not use httponly if that's the version of Django that we're using. * Fix for a bad curl-apache < 2.2.18 interaction. Apache < 2.2.18 has a bug in processing Expect: 100-continue headers if there's data in the body that the client expects apache to process. Curl is a client that does just that. This workaround clears the Expect: header so that we do not have those issues. ------ 0.3.27 ------ * Fix problem with tg_paginate_limit no longer being available in TG-1.1.x. Use FOO_tg_limit instead in various client libraries. ------ 0.3.26 ------ * Fix the AccountSystem() class's verify_password() method so that verification of server SSL certificates may be disabled by setting insecure=True. * Fixed AccountSystem.people_by_key() to return a list with both people who have signed the CLA and have not * Fix the tg2.utils.url handling with TG-2.0.x * Fix a deprecation warning in fedora.tg.controllers * Fix issue in proxyclient where unicode passwords might be encoded to the wrong byte sequence depending on the locale of the process running it. * Fix jsonfasprovider2's group handling to not traceback when assigning groups if there is no record for a given username. * Fix a traceback in jsonfasprovider2's user_id handling. * Fix comparison of passwords in jsonfasprovider when unicode passwords are used. However, this method is actually not invoked under normal use as the password comparison is done on the server. * Fix faswho plugin to handle unicode passwords and usernames. Note that this is a different bug than affected the TG1 auth provider. * Fix faswho auth plugin to set session cookies as secure and httponly * Set the Django session cookies httponly * Add a genshi login template for TG2 * For faswho repoze.who plugin, remove caching during authentication (as caching does not pick up on logout of a different app invalidating the session and password changes). We could use caching again if retrieving the full information about a user took more time than validating their username and password. * Simplify implementation of the faswho plugin. Should save on per-request memory and cache. * Add AccountSystem.gravatar_url() method that will return a url to a gravatar for a person. -------- 0.3.25.1 -------- * Update bugzilla email mapping ------ 0.3.25 ------ * Modify caching of User data in the tg1 identity provider, jsonfas2provider so that anonymous page requests don't call fas excessively. * Make :func:`fedora.tg.tg2utils.enable_csrf` a public function so that TG2 users can use it without using faswho * Make :func:`fedora.tg.tg2utils.url` work with other repoze.who plugins other than faswho. * Allow using a test fas server with :func:`make_faswho_middleware` * Update faswho metadata to be compatible with the default TG2 identity metadata for portability * Allow recovering authenticated state from lack of csrf_token when using the TG2 csrf protecting middleware * Split the TG1 and TG2 code into two separate directories so packagers can split the dependencies even more * Add login and jsglobals template for TG2-mako * Modify fedora_template for TG2 -- now defaults to mako templates and returns a dotted_lookup string by default. This matches with the templates we have and the default template lookup strategy in TG2. ------ 0.3.24 ------ * Fix tg.tg2utils._enable_csrf so that redirect() appends the CSRF token in TG2. * Fix an example in the documentation * Fix a proxyclient error with new pycurl and cookies * Use transifex.net for translations ------ 0.3.23 ------ * Get BodhiClient.comment() working with older version of bodhi ------ 0.3.22 ------ * Bodhi.comment() adds an email parameter to control whether to send email for a comment * Fix ProxyClient issue when using unicode type for a URL * Fix for AccountSystem.group_members() bug with the Bunch port ------ 0.3.21 ------ * Add support for uploading files in BaseClient and ProxyClient. * Add retry capability to BaseClient and ProxyClient. * Have identity and visit managers retry 3 times. * Fix some errors in the wsgi csrf middleware. * Fix wsgi csrf middleware to work with webob >= 1.0 * Fix how we're using data from FasProxy.group_list() in the django auth provider * New PackageDB() methods, :meth:`~fedora.client.PackageDB.add_comaintainers` and :meth:`~fedora.client.PackageDB.change_owner` Internal Cleanups ================= * Port to kitchen for things that have moved there. * Port from DictContainer to python-bunch * Add code to fallback to the stdlib json library so that simplejson is no longer required ------ 0.3.20 ------ * Fix Django auth provider so it times out when the auth provider is used in a django + djblets app. ------ 0.3.19 ------ * Fix DJango Auth Provider to use a cookie shared with the TG apps * Fix DJango Auth Provider to timeout with the fas session * Optimize group lookup in DJango auth provider for ReviewBoard * Add absolute_url() and tg_absolute_url() functions to tg1utils * Attempt to stop tracebacks in tg.visit code * Don't crash DJango auth if the user is hiding their Real Name. ------ 0.3.18 ------ * Fixes for Django auth provider tracebacks and session not being cleared between users. * Revert the connection pool for ProxyClient. It was part of the reason that Django auth (and the other auth providers although no one noticed) were failing. ------ 0.3.17 ------ * Add a connection pool to ProxyClient. Reusing the curl objects from the pool speeds up requests that go to the same server. * New class FasProxyClient that is used to implement thread-safe communication with the Fedora Account System. Our authentication plugins that talk to FAS have been ported to use this internally. * For all clients, remove tg_format=json from the requests that are sent. The Accept header that we send has been serving this purpose for a long time. * New PackageDB methods - get_collection_list() that returns the list of collections that are registered in the pkgdb. - orphan_packages() that returns the list of packages orphaned in non-EOL releases. - get_critpath_pkgs(): Return the packages marked for the critical path - set_critpath(): Mark pkgs as critical path * In fedora.client.pkgdb, Wherever a collection is asked for, have the API take params named collctn_* for consistency. Using the old names as keyword arguments will yield a deprecation warning. * fedora.client.PackageDB now works with pkgdb server 0.5.x rather than 0.4.x * fedora.client.wiki: add ignore_wikibot and callback kwargs to Wiki.fetch_all_revisions() and minor bug fixes * New functions: - fedora.iterutils.isiterable(): Can tell whether an object is an iterable. Can also exclude strings if desired. - fedora.urlutils.update_qs(): Updates a http query string. - fedora.textutils.to_unicode(): Converts a byte string to unicode string. - fedora.textutils.to_bytes(): Converts a unicode string into a byte string. * Fix fedora.tg.tg1utils.request_format() to return a symbolic name for the data format requested whether using the Accept header or tg_format query parameter. * fedora.tg.tg2utils module added with some of the functions from fedora.tg.tg1utils ported to TG2. * faswho and csrf middleware that allow TG2 apps to authenticate against FAS * Documentation on how to use faswho and CSRF in a TG2 app. * Fix some bugs in the Django auth layer. ------ 0.3.16 ------ * Update paver-minilib.zip to pull in more of paver. Fixes a bug when used with easy_install * Fix a bug in fedora.tg.util.url that was creating more than one _csrf_token entry. ------ 0.3.15 ------ * Relicense to LGPLv2+ * Fix user_gencert URL ------ 0.3.14 ------ * Save the original tg.url() function as fedora.tg.tg_url(). That allows us to change the url to have the base_url without adding the csrf token. * Update fedora.client.AccountSystem for compatibility with the next FAS server update (backwards compatible). * Add fedora.client.PackageDB.user_packages() method that retrieves the packages that a particular user owns. * Add a function for fetching all revisions of the wiki (fetch_all_revisions) * Add a function for seeing if we have the wiki API high limits right (check_api_limits) * Add an identity provider, sqlobjectcsrf, to implement csrf_token protection for applications that use sqlobject for database interaction and don't want to use FAS for auth. -------- 0.3.13.1 -------- * Merge the 0.3.13 and 0.3.12.1 release together. * Bugfix for Django Auth provider and new fas server. ------ 0.3.13 ------ * Add new pkgdb methods: add_package() to add a new package and edit_package() to edit an existing one. add_edit_package() was removed. * More translations. * Change from 401 response code to 403. 401 was causing problems for konqueror and webkit and our usage wasn't http spec compliant. * New fedora.compat25 that has python-2.5 features for older releases. - fedora.compat25.defaultdict a defaultdict implementation for older python releases. -------- 0.3.12.1 -------- * Add people_query method * Rename group_by_id and person_by_id request parameters * Add force_refresh parameter to group_data ------ 0.3.12 ------ * Bugfix to django auth to allow login * Bugfix to jsonfas2 that allows login when using json calls with Cherrypy 2.3+ * Get i18n infrastructure ready and take translations from transifex * Include a setup.py so easy_install works * Update build to work with paver 1.0 and somewhat with 0.8 * Add remove_user() to pkgdb client module. -------- 0.3.11.1 -------- * Fix a bug with django auth and redirects ------ 0.3.11 ------ Re-add the old jsonfasprovider and jsonfasvisit plugins until we get everything ported over to CSRF protection. To use the new providers, change your app.cfg:: -visit.manager="jsonfas" -identity.provider="jsonfas" +visit.manager="jsonfas2" +identity.provider="jsonfas2" ------ 0.3.10 ------ CSRF ==== CSRF is a vulnerability that can allow malicious web sites to execute server methods on behalf of an authenticated user. This update has some methods to help deal with that: * Added helpers for enabling CSRF protection to services. For information on adding support to your app, read doc/CSRF.rst or the html version: https://fedorahosted.org/releases/p/y/python-fedora/doc/CSRF.html * Update client code to use CSRF tokens when needed. Other Feature Changes ===================== * Add Django Authentication provider. * Undeprecate AccountSystem.people_by_id() for now -- we need a fas server update before we can use people_by_key(). * Correct loggers to show messages originate from jsonfasprovider and jsonfasvisit. * Add parameter to client classes to allow not checking server certificates. This is **only** intended for use when running test servers with bad certs. Bugfixes ======== * python-2.4 compatibility fix when an http error is received in ProxyClient * Fix fedora.client.ServerError to print information about the error in the traceback. 0.3.9.1 ------- * Fix to the mediawiki client for python-2.4 compatibility. ----- 0.3.9 ----- * Minor fix for traceback when the session file is unreadable. * Fix so that ProxyClient follows redirects. * Fix a bug where fas2.py::AccountSystem::verify_password() always returns True. * Add task to publish documentation to the website. Publish documentation to the website at: https://fedorahosted.org/releases/p/y/python-fedora/doc/ ----- 0.3.8 ----- * Port the client module to use pycurl instead of urllib2. This prepares the way for SSL authentication and fixes a problem with https proxying. * Fix bug in BodhiClient.testable() * Update proxyclient to accept either 403 or 401 as http status codes raising AuthErrors. * New client.fas2.AccountSystem methods to make fasClient more efficient: - group_data(): returns mapping group names to group type and the userids of the administrator, sponsors, and users of the group. - user_data(): returns mapping of userids to a username, password hash, SSH pub key, email address, and status. * Fix AppError exception on python-2.4 ----- 0.3.7 ----- * Update to bugzilla email addresses. * Add documentation for working with translations. * add username argument for BodhiClient. * Update PackageDB.clone_branch() command for new server method. * Allow exceptions passed back by the server to contain extra information. * New fedora.tg.util.json_or_redirect() decorator that allows server methods to either return a dict per normal or redirect to another URL. ----- 0.3.6 ----- * fedora.client.pkgdb merge with pkgdb-client from Mike Watters and Toshio Kuratomi. * Generate documentation for json and util modules. * Delay import of koji, yum, and iniparse in the bodhi client libraries so they're not strict dependencies for now. ----- 0.3.5 ----- * Fix client.AccountSystem.person_by_username() to not traceback when given an unknown username. * Deprecate cookie auth in favor of session_id auth (but maintain compatibility) * Internally, use session_id instead of cookie. * Change the session file from ~/.fedora_session to ~/.fedora/.fedora_session * Switch from using setuptools to build the package to paver_. * Generate html documentation using sphinx_. * Bodhi update template parsing improvements, thanks to Ricky. .. _paver:: http://www.blueskyonmars.com/projects/paver/ .. _sphix:: http://sphinx.pocoo.org/ ----- 0.3.4 ----- * Fix to proxyclient allow sending sequence types via send_request(). * New fedora.client.fas2.AccountSystem method people_by_groupname() ----- 0.3.3 ----- * Allow json_props in SABase to follow class inheritance. * Remove 0.2 compatibility variable jsonProps. This was broken and everything that was using it has been ported to use json_props instead. * Misc bugfixes with the jsonfas provider. ----- 0.3.2 ----- * Bodhi API parameter 'type' renamed to 'type_' * Added BodhiClient.latest_builds method * New FAS group_members() method to return people's status in a group. * Fixed the default fas.url value in the jsonfas visit manager * Creation of a new FedoraClientError base Exception class * Better i18n support * Added all clients to the base of the fedora.client module * Various other bugfixes ----- 0.3.1 ----- * Fix an unported portion of the jsonfasvisit manager. * Make validation errors set a flash message for both html and json * Create a function to jsonify sets. * Make sure we don't log a user's password. * Bugfixes in the bodhi update template parsing code --- 0.3 --- * New fedora.client.bodhi API * Lots of bugfixes * New fedora.client.ProxyClient class that can be used for writing proxies and lower level clients that talk to Fedora Services. - BaseClient rewritten to run on top of ProxyClient. * Rearranging of many modules. The old names should still work but issue a DeprecationWarning and the new location to import the module from. * Documentation on how to build a Fedora Service that will work well with BaseClient and documentation on building apps with BaseClient. - Note that present Fedora Services (Bodhi, PackageDB, MirrorManager, FAS2) will need to be updated to conform to this spec. Until that happens, not everything (notably, error handling) will work 100% correctly. Incompatibilities ================= * Removal of camelCase. Rename keyword arguments and public instance variables: * client.BaseClient *Note* that changes to this class propogate out to the same variable in derived classes like fas2.AccountSystem and the BaseClient used in JsonFasIdentity. * __init__(): baseURL => base_url * _sessionCookie => _session_cookie: this is a private variable but some users use this anyway. For users needing to access this, there's now a more appropriate class for doing so (ProxyClient). * accounts.fas2.AccountSystem * group_by_id(): groupId => group_id * person_by_id(): personId => person_id * tg.widgets * All widgets had widgetId => widget_id * Also means accessing the variable is done via self.widget_id * tg.json.SABase * self.jsonProps => self.json_props *Note*: jsonProps will still work but is Deprecated. Please update your code as we will be removing jsonProps in 0.4.x. * The input keyword argument to BaseClient.send_request has been deprecated in favor of req_params. *Note*: Using input will still work in 0.3. Please update your code as we will be removing input in 0.4.x. * Restructuring of Exceptions in BaseClient * New base exception is FedoraServiceError if you want to catch that. * Movement of fedora.tg.client to fedora.client * Movement of fedora.accounts.fas2 to fedora.client.fas2 * Rename fedora.client.fas2.AccountSystem.authenticate() to verify_password() ----------- 0.2.99.11.1 ----------- Brown paper bag the previous release. Fix a crasher bug. --------- 0.2.99.11 --------- Hopefully the last in this line of API. * Fix handling of tg_format=json asa query param when the server uses tg.util.request_format() * Add a default jsonify method for SA ResultProxys * Don't traceback if there's a corrupted session file * Set permissions on the session file so only the user can read it. * Add a default BaseURL for fas2.AccountSystem --------- 0.2.99.10 --------- * Minor update that: 1) Adds bugzilla email to the return from people_by_id(). 2) Adds several more users whose bugzilla address don't match their fas email. -------- 0.2.99.9 -------- * This is what 0.2.99.9 was supposed to be. The last release compatible with 0.2.99.7 and less. Unfortunately, some incompatibilities snuck in. Reverting those changes here. -------- 0.2.99.8 -------- * Fix a bug involving bugzilla_email addresses. * Fix a bug where an expired session cookie will cause send_request to complete successfully but report failure. -------- 0.2.99.7 -------- * Fixes to json.py for JSON output with SA-0.4 * Add bugzila_email to output of fas2 methods * Add people_by_id() method to fas2.AccountSystem that returns a dict of people indexed by ID. The people structure contains username, email, and human_name... what we need for most of our lookups. -------- 0.2.99.6 -------- Remove fas1 code. Document how BaseClient interacts with a server Move client code. Change BaseClient to work with Accept headers. -------- 0.2.99.5 -------- fas2.py shim to connect to fas2 via json for certain information. BaseClient bugfixes. -------- 0.2.99.4 -------- Enhancement to jsonfasprovider to provide both user.human_name and user['human_name']. -------- 0.2.99.3 -------- Bugfixes to BaseClient -------- 0.2.99.2 -------- Integrate a first working json fas identity provider and visit manager. -------- 0.2.99.0 -------- This release is the first to offer TG-1.0.4 and SA-0.4 compatibility. When this is considered stable we will release as 0.3.