forked from fedora-infra/python-fedora
====
NEWS
====
:Authors: Toshio Kuratomi, Luke Macken, Ricky Elrod, Patrick Uiterwijk, Ralph Bean
:Date: 6 Aug 2014
:Version: 0.3.x
------
0.3.36
------
* Fix the OpenId BaseClient NullHandler for logging
------
0.3.35
------
* Add Openid BaseClient for talking to our new web services that are using
openid to auth.
* flask_fas_openid can return the json data from the openid request instead of
the html page if requested.
* Add a requirement on urllib3 in setup.py so that pip will install it.
------
0.3.34
------
* **SECURITY** Fix the jsglobals.html template to escape usernames and human
names to fix a potential XSS flaw.
* **SECURITY** Make flask-fas-openid check that the page it is returning the
user to after authentication is from within the application.
* Updated libravatar lookups to use the user's openid identifier instead of
their email address.
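
Added example, not python-fedora code: one way to check that a post-login return URL stays inside the application, as the second 0.3.34 security entry describes. The function names, ``APP_ROOT`` and the sample URLs are assumptions made for illustration (Python 3); flask_fas_openid's own implementation may differ.

```python
"""Return-URL validation for a post-login redirect (illustrative sketch)."""
from urllib.parse import unquote, urljoin, urlsplit

# Assumed deployment root of the application; constructed for this example.
APP_ROOT = "https://apps.example.org/pkgdb/"


def is_safe_return_url(target, app_root=APP_ROOT):
    """Return True only if `target` resolves to a URL inside `app_root`."""
    if not target or target != target.strip():
        return False
    # Browsers treat "\" as "/" and drop tabs/newlines; refuse rather than guess.
    if "\\" in target or any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in target):
        return False
    try:
        root = urlsplit(app_root)
        resolved = urlsplit(urljoin(app_root, target))
    except ValueError:  # e.g. a malformed IPv6 literal in the authority
        return False
    # Same scheme and authority as the application: rejects //host, foreign
    # hosts, user@host forms, javascript:/data: URLs and https->http downgrade.
    if resolved.scheme not in ("http", "https"):
        return False
    if (resolved.scheme, resolved.netloc.lower()) != (root.scheme, root.netloc.lower()):
        return False
    # Dot segments that survive resolution (absolute or percent-encoded input)
    # would be collapsed by the browser, possibly to a path outside the app.
    if any(seg in (".", "..") for seg in unquote(resolved.path).split("/")):
        return False
    prefix = root.path if root.path.endswith("/") else root.path + "/"
    return resolved.path.startswith(prefix) or resolved.path + "/" == prefix


def safe_return_url(target, app_root=APP_ROOT):
    """Absolute URL to redirect to: the validated target, else the app root."""
    if is_safe_return_url(target, app_root):
        return urljoin(app_root, target)
    return app_root


# Constructed sample values, as a login view might receive in a "next" parameter.
SAMPLES = [
    "/pkgdb/packages/name/kernel",              # inside the app
    "packages?order=name",                      # relative, inside the app
    "//evil.example/pkgdb/",                    # scheme-relative, other host
    "https://apps.example.org@evil.example/",   # userinfo disguises the host
    "https://apps.example.org/pkgdb/../admin",  # escapes the app's path
    "javascript:alert(1)",                      # not an http(s) URL
]

if __name__ == "__main__":
    for candidate in SAMPLES:
        print("%-45r -> %s" % (candidate, safe_return_url(candidate)))
```

The check is deliberately conservative: a return URL that names the default port explicitly, for instance, is refused and the user lands on the application root instead.
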
------
0.3.33
------
* Minimum version of python is now 2.6. Some things may work on older python
but this is not guaranteed. Patches to make it work may or may not be
accepted.
* Added flask_fas_openid for the migration to OpenID.
This adds the requirements for python-openid, python-openid-teams and
python-openid-cla.
* Rename the FAS_HTTPS_REQUIRED config variable in the flask_fas auth adapter
to FAS_FLASK_COOKIE_REQUIRES_HTTPS. The longer name is more cumbersome but
the previous name was too often mistaken to be setting whether we needed to
connect to the fas server with https when it really was about whether the
session cookie should require https to be returned to the server (the
cookie's secure flag).
* Change the groups attribute of the flask_fas and flask_fas_openid auth
adapters to be a frozenset instead of a list
* Set a configurable timeout on how long a client request will wait for the
server to setup a connection in BaseClient and ProxyClient.
* Fix instance-wide default retries in BaseClient (and subclasses) being
overridden by the default value of retries in BaseClient.send_request()
* Fix a performance bug in the client modules when the server returns large
json strings. python-requests defaults to trying to detect the charset of
response strings. This takes a very long time on large return values.
Since we know that all responses from the services we're talking to will be
utf-8, we can skip this detection step.
* No longer use paver for building. We just need setuptools now
* Deprecated AccountSystem's gravatar_url method in favor of a new avatar_url
method. This defaults to using the free libravatar service but still allows
API users to fall back on the proprietary gravatar service if they prefer.
python-pylibravatar must be installed for the default to work. If it isn't
found on the user's system, then gravatar.com is made the new default.
--------
0.3.32.3
--------
* Fix BodhiClient's knowledge of koji tags
--------
0.3.32.2
--------
* Stop setting cookie attributes on the cookie we generate client-side as those
aren't sent to the server and it provokes bugs in python-requests
--------
0.3.32.1
--------
* Update documentation on fasproxy.FasProxyClient.login()
------
0.3.32
------
* Replace pyCurl with python-requests in ProxyClient (ralph).
This was in order to fix bugs we were seeing with curl/nss in some contexts.
------
0.3.31
------
* Fix a problem getting encodings in the soprovidercsrf tg1 identity provider
* Fix for login template issuing a traceback when viewed as a localized page
(lmacken)
------
0.3.30
------
* Added a lookup_email parameter to fedora.client.AccountSystem.gravatar_url()
to allow generating gravatar urls without looking up email addresses in fas.
* Fixed a bug in fedora.tg.utils.tg_absolute_url() where it was still appending
the csrf_token.
* Add an auth adapter for flask web apps to authenticate to FAS
* New minimum version of python: requires python-2.5 or higher
* Fix localization of login templates (laxathom)
---------
0.3.29
---------
* Added a create_group method to AccountSystem to allow for creating FAS
groups.
---------
0.3.28.90
---------
To finish
---------
* For the faswho repoze.who plugin, allow TG1-style authentication -- ie: if
  all of the following are set on any URL, authenticate the user prior to
  loading the web page::

      login=Login&user_name=$FAS_USERNAME&password=$FAS_PASSWORD

--------
0.3.28.1
--------
* Previous fix for curl/apache interaction was incomplete. Apache returns a
417 error even if the request would have completed okay (for our case, even
if the request is unauthenticated). Have to apply the workaround
unconditionally.
------
0.3.28
------
* Fix Django auth provider with Django-1.2.x or less. These versions of Django
do not have the API necessary to do httponly cookies so we need to not use
httponly if that's the version of Django that we're using.
* Fix for a bad curl-apache < 2.2.18 interaction. Apache < 2.2.18 has a bug in
processing Expect: 100-continue headers if there's data in the body that the
client expects apache to process. Curl is a client that does just that. This
workaround clears the Expect: header so that we do not have those issues.
------
0.3.27
------
* Fix problem with tg_paginate_limit no longer being available in TG-1.1.x.
Use FOO_tg_limit instead in various client libraries.
------
0.3.26
------
* Fix the AccountSystem() class's verify_password() method so that
verification of server SSL certificates may be disabled by setting
insecure=True.
* Fixed AccountSystem.people_by_key() to return a list with both people who
have signed the CLA and those who have not
* Fix the tg2.utils.url handling with TG-2.0.x
* Fix a deprecation warning in fedora.tg.controllers
* Fix issue in proxyclient where unicode passwords might be encoded to the
wrong byte sequence depending on the locale of the process running it.
* Fix jsonfasprovider2's group handling to not traceback when assigning groups
if there is no record for a given username.
* Fix a traceback in jsonfasprovider2's user_id handling.
* Fix comparison of passwords in jsonfasprovider when unicode passwords are
used. However, this method is actually not invoked under normal use as the
password comparison is done on the server.
* Fix faswho plugin to handle unicode passwords and usernames. Note that this
is a different bug than affected the TG1 auth provider.
* Fix faswho auth plugin to set session cookies as secure and httponly
* Set the Django session cookies httponly
* Add a genshi login template for TG2
* For faswho repoze.who plugin, remove caching during authentication (as caching
does not pick up on logout of a different app invalidating the session and
password changes). We could use caching again if retrieving the full
information about a user took more time than validating their username and
password.
* Simplify implementation of the faswho plugin. Should save on per-request
memory and cache.
* Add AccountSystem.gravatar_url() method that will return a url to a gravatar
for a person.
--------
0.3.25.1
--------
* Update bugzilla email mapping
------
0.3.25
------
* Modify caching of User data in the tg1 identity provider, jsonfas2provider
so that anonymous page requests don't call fas excessively.
* Make :func:`fedora.tg.tg2utils.enable_csrf` a public function so that TG2
users can use it without using faswho
* Make :func:`fedora.tg.tg2utils.url` work with repoze.who plugins other
than faswho.
* Allow using a test fas server with :func:`make_faswho_middleware`
* Update faswho metadata to be compatible with the default TG2 identity
metadata for portability
* Allow recovering authenticated state from lack of csrf_token when using the
TG2 csrf protecting middleware
* Split the TG1 and TG2 code into two separate directories so packagers can
split the dependencies even more
* Add login and jsglobals template for TG2-mako
* Modify fedora_template for TG2 -- now defaults to mako templates and returns
a dotted_lookup string by default. This matches with the templates we have
and the default template lookup strategy in TG2.
------
0.3.24
------
* Fix tg.tg2utils._enable_csrf so that redirect() appends the CSRF token
in TG2.
* Fix an example in the documentation
* Fix a proxyclient error with new pycurl and cookies
* Use transifex.net for translations
------
0.3.23
------
* Get BodhiClient.comment() working with older version of bodhi
------
0.3.22
------
* Bodhi.comment() adds an email parameter to control whether to send email for
a comment
* Fix ProxyClient issue when using unicode type for a URL
* Fix for AccountSystem.group_members() bug with the Bunch port
------
0.3.21
------
* Add support for uploading files in BaseClient and ProxyClient.
* Add retry capability to BaseClient and ProxyClient.
* Have identity and visit managers retry 3 times.
* Fix some errors in the wsgi csrf middleware.
* Fix wsgi csrf middleware to work with webob >= 1.0
* Fix how we're using data from FasProxy.group_list() in the django auth
provider
* New PackageDB() methods, :meth:`~fedora.client.PackageDB.add_comaintainers`
and :meth:`~fedora.client.PackageDB.change_owner`
Internal Cleanups
=================
* Port to kitchen for things that have moved there.
* Port from DictContainer to python-bunch
* Add code to fallback to the stdlib json library so that simplejson is no
longer required
------
0.3.20
------
* Fix Django auth provider so it times out when the auth provider is used in a
django + djblets app.
------
0.3.19
------
* Fix Django Auth Provider to use a cookie shared with the TG apps
* Fix Django Auth Provider to timeout with the fas session
* Optimize group lookup in Django auth provider for ReviewBoard
* Add absolute_url() and tg_absolute_url() functions to tg1utils
* Attempt to stop tracebacks in tg.visit code
* Don't crash Django auth if the user is hiding their Real Name.
------
0.3.18
------
* Fixes for Django auth provider tracebacks and session not being cleared between users.
* Revert the connection pool for ProxyClient. It was part of the reason that
Django auth (and the other auth providers although no one noticed) were
failing.
------
0.3.17
------
* Add a connection pool to ProxyClient. Reusing the curl objects from the pool
speeds up requests that go to the same server.
* New class FasProxyClient that is used to implement thread-safe communication
with the Fedora Account System. Our authentication plugins that talk to
FAS have been ported to use this internally.
* For all clients, remove tg_format=json from the requests that are sent. The
Accept header that we send has been serving this purpose for a long time.
* New PackageDB methods
- get_collection_list() that returns the list of collections that are
registered in the pkgdb.
- orphan_packages() that returns the list of packages orphaned in non-EOL
releases.
- get_critpath_pkgs(): Return the packages marked for the critical path
- set_critpath(): Mark pkgs as critical path
* In fedora.client.pkgdb, wherever a collection is asked for, have the API take
params named collctn_* for consistency. Using the old names as keyword
arguments will yield a deprecation warning.
* fedora.client.PackageDB now works with pkgdb server 0.5.x rather than 0.4.x
* fedora.client.wiki: add ignore_wikibot and callback kwargs to
Wiki.fetch_all_revisions() and minor bug fixes
* New functions:
- fedora.iterutils.isiterable(): Can tell whether an object is an iterable.
Can also exclude strings if desired.
- fedora.urlutils.update_qs(): Updates a http query string.
- fedora.textutils.to_unicode(): Converts a byte string to unicode string.
- fedora.textutils.to_bytes(): Converts a unicode string into a byte string.
* Fix fedora.tg.tg1utils.request_format() to return a symbolic name for the
data format requested whether using the Accept header or tg_format query
parameter.
* fedora.tg.tg2utils module added with some of the functions from
fedora.tg.tg1utils ported to TG2.
* faswho and csrf middleware that allow TG2 apps to authenticate against FAS
* Documentation on how to use faswho and CSRF in a TG2 app.
* Fix some bugs in the Django auth layer.
------
0.3.16
------
* Update paver-minilib.zip to pull in more of paver. Fixes a bug when used
with easy_install
* Fix a bug in fedora.tg.util.url that was creating more than one _csrf_token
entry.
------
0.3.15
------
* Relicense to LGPLv2+
* Fix user_gencert URL
------
0.3.14
------
* Save the original tg.url() function as fedora.tg.tg_url(). That allows us
to change the url to have the base_url without adding the csrf token.
* Update fedora.client.AccountSystem for compatibility with the next FAS
server update (backwards compatible).
* Add fedora.client.PackageDB.user_packages() method that retrieves the packages
that a particular user owns.
* Add a function for fetching all revisions of the wiki (fetch_all_revisions)
* Add a function for seeing if we have the wiki API high limits right
(check_api_limits)
* Add an identity provider, sqlobjectcsrf, to implement csrf_token protection
for applications that use sqlobject for database interaction and don't want
to use FAS for auth.
--------
0.3.13.1
--------
* Merge the 0.3.13 and 0.3.12.1 release together.
* Bugfix for Django Auth provider and new fas server.
------
0.3.13
------
* Add new pkgdb methods: add_package() to add a new package and edit_package()
to edit an existing one. add_edit_package() was removed.
* More translations.
* Change from 401 response code to 403. 401 was causing problems for konqueror
and webkit and our usage wasn't http spec compliant.
* New fedora.compat25 that has python-2.5 features for older releases.
- fedora.compat25.defaultdict a defaultdict implementation for older python
releases.
--------
0.3.12.1
--------
* Add people_query method
* Rename group_by_id and person_by_id request parameters
* Add force_refresh parameter to group_data
------
0.3.12
------
* Bugfix to django auth to allow login
* Bugfix to jsonfas2 that allows login when using json calls with Cherrypy 2.3+
* Get i18n infrastructure ready and take translations from transifex
* Include a setup.py so easy_install works
* Update build to work with paver 1.0 and somewhat with 0.8
* Add remove_user() to pkgdb client module.
--------
0.3.11.1
--------
* Fix a bug with django auth and redirects
------
0.3.11
------
Re-add the old jsonfasprovider and jsonfasvisit plugins until we get everything
ported over to CSRF protection. To use the new providers, change your app.cfg::
-visit.manager="jsonfas"
-identity.provider="jsonfas"
+visit.manager="jsonfas2"
+identity.provider="jsonfas2"
------
0.3.10
------
CSRF
====
CSRF is a vulnerability that can allow malicious web sites to execute server
methods on behalf of an authenticated user. This update has some methods to
help deal with that:
* Added helpers for enabling CSRF protection to services. For information on
adding support to your app, read doc/CSRF.rst or the html version:
https://fedorahosted.org/releases/p/y/python-fedora/doc/CSRF.html
* Update client code to use CSRF tokens when needed.
Other Feature Changes
=====================
* Add Django Authentication provider.
* Undeprecate AccountSystem.people_by_id() for now -- we need a fas server
update before we can use people_by_key().
* Correct loggers to show messages originate from jsonfasprovider and
jsonfasvisit.
* Add parameter to client classes to allow not checking server certificates.
This is **only** intended for use when running test servers with bad certs.
Bugfixes
========
* python-2.4 compatibility fix when an http error is received in ProxyClient
* Fix fedora.client.ServerError to print information about the error in the
traceback.
-------
0.3.9.1
-------
* Fix to the mediawiki client for python-2.4 compatibility.
-----
0.3.9
-----
* Minor fix for traceback when the session file is unreadable.
* Fix so that ProxyClient follows redirects.
* Fix a bug where fas2.py::AccountSystem::verify_password() always returns
True.
* Add task to publish documentation to the website. Publish documentation to
the website at: https://fedorahosted.org/releases/p/y/python-fedora/doc/
-----
0.3.8
-----
* Port the client module to use pycurl instead of urllib2. This prepares the
way for SSL authentication and fixes a problem with https proxying.
* Fix bug in BodhiClient.testable()
* Update proxyclient to accept either 403 or 401 as http status codes raising
AuthErrors.
* New client.fas2.AccountSystem methods to make fasClient more efficient:
- group_data(): returns mapping group names to group type and the userids of
the administrator, sponsors, and users of the group.
- user_data(): returns mapping of userids to a username, password hash,
SSH pub key, email address, and status.
* Fix AppError exception on python-2.4
-----
0.3.7
-----
* Update to bugzilla email addresses.
* Add documentation for working with translations.
* Add username argument for BodhiClient.
* Update PackageDB.clone_branch() command for new server method.
* Allow exceptions passed back by the server to contain extra information.
* New fedora.tg.util.json_or_redirect() decorator that allows server methods to
either return a dict per normal or redirect to another URL.
-----
0.3.6
-----
* fedora.client.pkgdb merge with pkgdb-client from Mike Watters and Toshio
Kuratomi.
* Generate documentation for json and util modules.
* Delay import of koji, yum, and iniparse in the bodhi client libraries so
they're not strict dependencies for now.
-----
0.3.5
-----
* Fix client.AccountSystem.person_by_username() to not traceback when given an
unknown username.
* Deprecate cookie auth in favor of session_id auth (but maintain compatibility)
* Internally, use session_id instead of cookie.
* Change the session file from ~/.fedora_session to ~/.fedora/.fedora_session
* Switch from using setuptools to build the package to paver_.
* Generate html documentation using sphinx_.
* Bodhi update template parsing improvements, thanks to Ricky.
.. _paver: http://www.blueskyonmars.com/projects/paver/
.. _sphinx: http://sphinx.pocoo.org/
-----
0.3.4
-----
* Fix to proxyclient to allow sending sequence types via send_request().
* New fedora.client.fas2.AccountSystem method people_by_groupname()
-----
0.3.3
-----
* Allow json_props in SABase to follow class inheritance.
* Remove 0.2 compatibility variable jsonProps. This was broken and everything
that was using it has been ported to use json_props instead.
* Misc bugfixes with the jsonfas provider.
-----
0.3.2
-----
* Bodhi API parameter 'type' renamed to 'type_'
* Added BodhiClient.latest_builds method
* New FAS group_members() method to return people's status in a group.
* Fixed the default fas.url value in the jsonfas visit manager
* Creation of a new FedoraClientError base Exception class
* Better i18n support
* Added all clients to the base of the fedora.client module
* Various other bugfixes
-----
0.3.1
-----
* Fix an unported portion of the jsonfasvisit manager.
* Make validation errors set a flash message for both html and json
* Create a function to jsonify sets.
* Make sure we don't log a user's password.
* Bugfixes in the bodhi update template parsing code
---
0.3
---
* New fedora.client.bodhi API
* Lots of bugfixes
* New fedora.client.ProxyClient class that can be used for writing proxies and
lower level clients that talk to Fedora Services.
- BaseClient rewritten to run on top of ProxyClient.
* Rearranging of many modules. The old names should still work but issue a
DeprecationWarning and the new location to import the module from.
* Documentation on how to build a Fedora Service that will work well with
BaseClient and documentation on building apps with BaseClient.
- Note that present Fedora Services (Bodhi, PackageDB, MirrorManager, FAS2)
will need to be updated to conform to this spec. Until that happens, not
everything (notably, error handling) will work 100% correctly.
Incompatibilities
=================
* Removal of camelCase. Rename keyword arguments and public instance variables:
* client.BaseClient
*Note* that changes to this class propagate out to the same variable in
derived classes like fas2.AccountSystem and the BaseClient used in
JsonFasIdentity.
* __init__(): baseURL => base_url
* _sessionCookie => _session_cookie: this is a private variable but some
users use this anyway. For users needing to access this, there's now
a more appropriate class for doing so (ProxyClient).
* accounts.fas2.AccountSystem
* group_by_id(): groupId => group_id
* person_by_id(): personId => person_id
* tg.widgets
* All widgets had widgetId => widget_id
* Also means accessing the variable is done via self.widget_id
* tg.json.SABase
* self.jsonProps => self.json_props
*Note*: jsonProps will still work but is Deprecated. Please update your
code as we will be removing jsonProps in 0.4.x.
* The input keyword argument to BaseClient.send_request has been
deprecated in favor of req_params.
*Note*: Using input will still work in 0.3. Please update your code as we
will be removing input in 0.4.x.
* Restructuring of Exceptions in BaseClient
* New base exception is FedoraServiceError if you want to catch that.
* Movement of fedora.tg.client to fedora.client
* Movement of fedora.accounts.fas2 to fedora.client.fas2
* Rename fedora.client.fas2.AccountSystem.authenticate() to verify_password()
-----------
0.2.99.11.1
-----------
Brown paper bag the previous release. Fix a crasher bug.
---------
0.2.99.11
---------
Hopefully the last in this line of API.
* Fix handling of tg_format=json as a query param when the server uses
tg.util.request_format()
* Add a default jsonify method for SA ResultProxys
* Don't traceback if there's a corrupted session file
* Set permissions on the session file so only the user can read it.
* Add a default BaseURL for fas2.AccountSystem
---------
0.2.99.10
---------
* Minor update that:
1) Adds bugzilla email to the return from people_by_id().
2) Adds several more users whose bugzilla addresses don't match their fas email.
--------
0.2.99.9
--------
* This is what 0.2.99.9 was supposed to be. The last release compatible with
0.2.99.7 and less. Unfortunately, some incompatibilities snuck in.
Reverting those changes here.
--------
0.2.99.8
--------
* Fix a bug involving bugzilla_email addresses.
* Fix a bug where an expired session cookie will cause send_request to complete
successfully but report failure.
--------
0.2.99.7
--------
* Fixes to json.py for JSON output with SA-0.4
* Add bugzilla_email to output of fas2 methods
* Add people_by_id() method to fas2.AccountSystem that returns a dict of people
indexed by ID. The people structure contains username, email, and
human_name... what we need for most of our lookups.
--------
0.2.99.6
--------
Remove fas1 code.
Document how BaseClient interacts with a server
Move client code.
Change BaseClient to work with Accept headers.
--------
0.2.99.5
--------
fas2.py shim to connect to fas2 via json for certain information.
BaseClient bugfixes.
--------
0.2.99.4
--------
Enhancement to jsonfasprovider to provide both user.human_name and
user['human_name'].
--------
0.2.99.3
--------
Bugfixes to BaseClient
--------
0.2.99.2
--------
Integrate a first working json fas identity provider and visit manager.
--------
0.2.99.0
--------
This release is the first to offer TG-1.0.4 and SA-0.4 compatibility. When
this is considered stable we will release as 0.3.