---------------------
PatchSet 902
Date: 2000/12/10 13:59:35
Author: rbcollins
Branch: auth_rewrite
Tag: (none)
Log:
squid.conf option for cache_peer - determine whether to send authentication headers upstream or not.
Members:
src/acl.c:1.1.1.3.12.26.2.7->1.1.1.3.12.26.2.8
src/cache_cf.c:1.1.1.3.4.1.2.9.2.2->1.1.1.3.4.1.2.9.2.3
src/cf.data.pre:1.1.1.3.4.1.2.18.2.2->1.1.1.3.4.1.2.18.2.3
src/http.c:1.1.1.3.4.1.2.10->1.1.1.3.4.1.2.10.2.1
src/structs.h:1.1.1.3.4.1.2.26.2.9->1.1.1.3.4.1.2.26.2.10
Index: squid/src/acl.c
===================================================================
RCS file: /cvsroot/squid-sf//squid/src/acl.c,v
retrieving revision 1.1.1.3.12.26.2.7
retrieving revision 1.1.1.3.12.26.2.8
diff -u -r1.1.1.3.12.26.2.7 -r1.1.1.3.12.26.2.8
--- squid/src/acl.c 24 Nov 2000 00:19:20 -0000 1.1.1.3.12.26.2.7
+++ squid/src/acl.c 10 Dec 2000 13:59:35 -0000 1.1.1.3.12.26.2.8
@@ -1,6 +1,6 @@
 /*
- * $Id: acl.c,v 1.1.1.3.12.26.2.7 2000/11/24 00:19:20 rbcollins Exp $
+ * $Id: acl.c,v 1.1.1.3.12.26.2.8 2000/12/10 13:59:35 rbcollins Exp $
 *
 * DEBUG: section 28 Access Control
 * AUTHOR: Duane Wessels
@@ -1160,17 +1160,7 @@
 * 1 : Authenticated OK, Authorisation failed.
 * -1 : send data to an external authenticator
 * -2 : send data to the client
-#if 0
-invalid Proxy-Authorization: header or midway in ntlm handshake.
-
- * -3 : get something from an external stateful authenticator;
-#endif
 */
-#if 0
-static int
-aclMatchProxyAuth(void *data, const char *proxy_auth,
- acl_proxy_auth_user * auth_user, aclCheck_t * checklist, squid_acl acltype)
-#endif
 static int
 aclMatchProxyAuth(void *data, http_hdr_type headertype,
 acl_proxy_auth_user * auth_user, aclCheck_t * checklist, squid_acl acltype)
@@ -1316,22 +1306,10 @@
 authenticateUserUsername(auth_user), USER_IDENT_SZ);
 #endif
 if (authenticateCheckAuthUserIP(checklist->src_addr, auth_user)) {
-#if 0
- if (auth_user->auth_type==AUTH_NTLM) {
- /* save the auth_user for the next request on the same
- * connection */
- checklist->conn->auth_type=AUTH_NTLM;
- checklist->conn->auth_user=auth_user;
- }
-#endif
 /* Once the match is completed we have finished with the
 * auth_user structure */
 /* But IFF it is a connection based authenticate we only unlock
 * when closing the connection */
-#if 0
- if (!checklist->conn->auth_user)
-auth_user->auth_type!=AUTH_NTLM)
-#endif
 /* this ACL check completed */
 authenticateAuthUserUnlock(auth_user);
 /* check to see if we have matched the user-acl before */
@@ -1358,7 +1336,7 @@
 /* and trigger the external helper in case the password is still ok */
 return -1;
 }
-
+ /* unreachable code. Spit a debug info and fatal squid out of here */
 debug(29,1)("auth user %d connauth user %d conn type %d creds %d timeout %d\n",auth_user,checklist->conn->auth_user,checklist->conn->auth_type,auth_user->flags.credentials_ok, auth_user->expiretime + Config.authenticateTTL > current_time.tv_sec ? 1: 0);
 fatal("acl unreachable code!");
 return -2;
@@ -1656,11 +1634,14 @@
 ae->name);
 return -1;
 #endif
 }
+#if 0
+ /* we no longer check this here. See http.c - it's now a peer based option */
 /*
 * Register that we used the proxy authentication header so that
 * it is not forwarded to the next proxy
 */
 r->flags.used_proxy_auth = 1;
+#endif
 /* Check the password */
 switch (aclMatchProxyAuth(ae->data, headertype, checklist->auth_user, checklist, ae->type)) {
Index: squid/src/cache_cf.c
===================================================================
RCS file: /cvsroot/squid-sf//squid/src/cache_cf.c,v
retrieving revision 1.1.1.3.4.1.2.9.2.2
retrieving revision 1.1.1.3.4.1.2.9.2.3
diff -u -r1.1.1.3.4.1.2.9.2.2 -r1.1.1.3.4.1.2.9.2.3
--- squid/src/cache_cf.c 30 Nov 2000 10:52:01 -0000 1.1.1.3.4.1.2.9.2.2
+++ squid/src/cache_cf.c 10 Dec 2000 13:59:35 -0000 1.1.1.3.4.1.2.9.2.3
@@ -1,6 +1,6 @@
 /*
- * $Id: cache_cf.c,v 1.1.1.3.4.1.2.9.2.2 2000/11/30 10:52:01 rbcollins Exp $
+ * $Id: cache_cf.c,v 1.1.1.3.4.1.2.9.2.3 2000/12/10 13:59:35 rbcollins Exp $
 *
 * DEBUG: section 3 Configuration File Parsing
 * AUTHOR: Harvest Derived
@@ -1119,6 +1119,8 @@
 #endif
 } else if (!strcasecmp(token, "allow-miss")) {
 p->options.allow_miss = 1;
+ } else if (!strcasecmp(token, "pass_on_auth_headers")) {
+ p->options.pass_on_auth_headers = 1;
 } else {
 debug(3, 0) ("parse_peer: token='%s'\n", token);
 self_destruct();
Index: squid/src/cf.data.pre
===================================================================
RCS file: /cvsroot/squid-sf//squid/src/cf.data.pre,v
retrieving revision 1.1.1.3.4.1.2.18.2.2
retrieving revision 1.1.1.3.4.1.2.18.2.3
diff -u -r1.1.1.3.4.1.2.18.2.2 -r1.1.1.3.4.1.2.18.2.3
--- squid/src/cf.data.pre 4 Dec 2000 12:36:10 -0000 1.1.1.3.4.1.2.18.2.2
+++ squid/src/cf.data.pre 10 Dec 2000 13:59:35 -0000 1.1.1.3.4.1.2.18.2.3
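Review bot: The assignment `r->flags.used_proxy_auth = 1;` and its comment are parked under `#if 0` instead of being removed, while the two earlier hunks in this same file delete their `#if 0` blocks outright, so the commit reintroduces the residue it is cleaning up elsewhere. Because this commit also puts the `used_proxy_auth` member of the request flags struct under `#if 0` in structs.h, the disabled code could not be re-enabled without re-adding that field, so keeping it buys nothing. Suggest deleting the lines and leaving a one-line pointer, `/* Forwarding of Proxy-Authorization is now decided per peer in http.c (HDR_PROXY_AUTHORIZATION case) */`. The same `#if 0` pattern appears in the http.c hunk at line 684 and the structs.h hunk at line 1495. The enclosing function starts outside the hunk.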
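Review bot: The new token `pass_on_auth_headers` is spelled with underscores while every other cache_peer option visible in this commit is hyphenated (`allow-miss` two lines above, and `proxy-only`, `connect-timeout=nn`, `digest-url=url` in the cf.data.pre option list), so administrators are likely to write the hyphenated form and strcasecmp will not rescue them. Suggest `} else if (!strcasecmp(token, "pass-on-auth-headers")) {` and renaming the option in the cf.data.pre list and description to match; the struct member can keep its underscore name. Since cf.data.pre in this commit warns that the option can expose users' login details to another proxy, a `debug(3, 1)` line emitted when it is parsed would make the setting visible in cache.log at startup for whoever audits the configuration. The enclosing parse_peer function starts and ends outside the hunk.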
@@ -1,6 +1,6 @@ # -# $Id: cf.data.pre,v 1.1.1.3.4.1.2.18.2.2 2000/12/04 12:36:10 rbcollins Exp $ +# $Id: cf.data.pre,v 1.1.1.3.4.1.2.18.2.3 2000/12/10 13:59:35 rbcollins Exp $ # # # SQUID Internet Object Cache http://squid.nlanr.net/Squid/ @@ -232,6 +232,7 @@ connect-timeout=nn digest-url=url allow-miss + pass_on_auth_headers use 'proxy-only' to specify that objects fetched from this cache should not be saved locally. @@ -298,6 +299,12 @@ requests from peer by denying cache_peer_access if the source is a peer) + use 'pass_on_auth_headers' to instruct squid to pass authentication + headers (if present) onto the next upstream cache server. They will + not get sent to origin servers. + ****WARNING: use of this option may result in unintended exposure of + your users login details across the internet. USE WITH CAUTION**** + NOTE: non-ICP neighbors must be specified as 'parent'. DOC_END @@ -1138,7 +1145,7 @@ program reads a line containing "username password" and replies "OK" or "ERR" in an endless loop. If you use an authenticator, make sure you have 1 acl of type proxy_auth. By default, the - authenticator_program is not used. + authenticate_program is not used. If you want to use the traditional proxy authentication, jump over to the ../auth_modules/NCSA directory and Index: squid/src/http.c =================================================================== RCS file: /cvsroot/squid-sf//squid/src/http.c,v retrieving revision 1.1.1.3.4.1.2.10 retrieving revision 1.1.1.3.4.1.2.10.2.1 diff -u -r1.1.1.3.4.1.2.10 -r1.1.1.3.4.1.2.10.2.1 --- squid/src/http.c 16 Nov 2000 11:47:00 -0000 1.1.1.3.4.1.2.10 +++ squid/src/http.c 10 Dec 2000 13:59:35 -0000 1.1.1.3.4.1.2.10.2.1 @@ -1,6 +1,6 @@ /* - * $Id: http.c,v 1.1.1.3.4.1.2.10 2000/11/16 11:47:00 rbcollins Exp $ + * $Id: http.c,v 1.1.1.3.4.1.2.10.2.1 2000/12/10 13:59:35 rbcollins Exp $ * * DEBUG: section 11 Hypertext Transfer Protocol (HTTP) * AUTHOR: Harvest Derived 
@@ -684,13 +684,19 @@
 continue;
 switch (e->id) {
 case HDR_PROXY_AUTHORIZATION:
- /* If we're not doing proxy auth, then it must be passed on */
+ /* If we're configured to pass proxy auth, then it must be passed on */
+#if 0
 if (!request->flags.used_proxy_auth)
+#endif
+ if (!flags.used_proxy_auth)
 httpHeaderAddEntry(hdr_out, httpHeaderEntryClone(e));
 break;
 case HDR_AUTHORIZATION:
 /* If we're not doing www auth, then it must be passed on */
+#if 0
 if (!request->flags.accelerated || !request->flags.used_proxy_auth)
+#endif
+ if (!request->flags.accelerated || !flags.used_proxy_auth)
 httpHeaderAddEntry(hdr_out, httpHeaderEntryClone(e));
 else
 request->flags.auth = 0; /* We have used the authentication */
@@ -867,7 +873,15 @@
 cfd = entry->mem_obj->fd;
 assert(-1 == cfd || FD_SOCKET == fd_table[cfd].type);
 if (p != NULL)
+ {
 httpState->flags.proxying = 1;
+ httpState->flags.used_proxy_auth=p->options.pass_on_auth_headers ? 0:1;
+ }
+ else
+ {
+ /* direct connection - never send on auth credentials */
+ httpState->flags.used_proxy_auth=1;
+ }
 /*
 * Is keep-alive okay for all request methods?
 */
Index: squid/src/structs.h
===================================================================
RCS file: /cvsroot/squid-sf//squid/src/structs.h,v
retrieving revision 1.1.1.3.4.1.2.26.2.9
retrieving revision 1.1.1.3.4.1.2.26.2.10
diff -u -r1.1.1.3.4.1.2.26.2.9 -r1.1.1.3.4.1.2.26.2.10
--- squid/src/structs.h 7 Dec 2000 10:46:58 -0000 1.1.1.3.4.1.2.26.2.9
+++ squid/src/structs.h 10 Dec 2000 13:59:35 -0000 1.1.1.3.4.1.2.26.2.10
@@ -1,6 +1,6 @@
 /*
- * $Id: structs.h,v 1.1.1.3.4.1.2.26.2.9 2000/12/07 10:46:58 rbcollins Exp $
+ * $Id: structs.h,v 1.1.1.3.4.1.2.26.2.10 2000/12/10 13:59:35 rbcollins Exp $
 *
 *
 * SQUID Internet Object Cache http://squid.nlanr.net/Squid/
@@ -870,6 +870,7 @@
 unsigned int proxying:1;
 unsigned int keepalive:1;
 unsigned int only_if_cached:1;
+ unsigned int used_proxy_auth:1;
 }; struct _HttpStateData {
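Review bot: The comment on the HDR_AUTHORIZATION case still reads `/* If we're not doing www auth, then it must be passed on */`, but the new condition `!request->flags.accelerated || !flags.used_proxy_auth` no longer asks whether Squid consumed the credentials; it keys on the per-peer pass-on decision that the hunk at line 867 stores in `flags.used_proxy_auth`. Suggest `/* Forward Authorization unless this is an accelerated request going to a peer that must not receive auth headers */`, and the same wording fix for the HDR_PROXY_AUTHORIZATION comment, which says "configured to pass" while the flag actually means the opposite. The superseded conditions left under `#if 0` above each new `if` should be deleted rather than kept, as the acl.c hunks in this commit do for their own dead code. With the direct-connection branch at line 867 forcing the bit to 1, Proxy-Authorization is now never sent to an origin server even when no proxy_auth ACL consumed it, which is correct hop-by-hop behaviour but a change from the old code that deserves a sentence in the comment. The enclosing function, and the `flags` object it reads (presumably a parameter), start outside the hunk.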
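Review bot: `httpState->flags.used_proxy_auth=p->options.pass_on_auth_headers ? 0:1;` stores the inverse of the option under a name that reads as "proxy auth was used", and the else branch then sets the same bit to 1 on a direct connection where no proxy auth was used at all, so every later reader has to know the bit really means "strip auth headers before sending upstream". Writing it as `httpState->flags.used_proxy_auth = !p->options.pass_on_auth_headers;` with the comment `/* set: do not forward Proxy-Authorization/Authorization upstream */` makes that explicit, and the same comment belongs on the new bit in the structs.h hunk at line 870. The new braces also depart from the file's style: `switch (e->id) {` in the hunk above keeps `{` on the statement line, so `if (p != NULL) {` ... `} else {` would match, and the two assignments want spaces around `=` like the `proxying = 1` line between them. The enclosing function starts and ends outside the hunk.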
@@ -1175,6 +1176,7 @@
 unsigned int no_delay:1;
 #endif
 unsigned int allow_miss:1;
+ unsigned int pass_on_auth_headers:1;
 } options;
 int weight;
 struct {
@@ -1495,7 +1497,9 @@
 unsigned int proxy_keepalive:1;
 unsigned int proxying:1;
 unsigned int refresh:1;
+#if 0
 unsigned int used_proxy_auth:1;
+#endif
 unsigned int redirected:1;
 unsigned int need_validation:1;
 #if HTTP_VIOLATIONS
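Review bot: The new `pass_on_auth_headers:1` bit in the peer options carries no comment, although cf.data.pre in this same commit warns that enabling it can expose users' login details to another proxy; a reader of structs.h should not have to go to the configuration template to learn that this bit is security-sensitive. Suggest `unsigned int pass_on_auth_headers:1;	/* cache_peer option: forward the client's Proxy-Authorization/Authorization to this peer (see the warning in cf.data.pre) */`. In the hunk at line 1495, wrapping `used_proxy_auth:1` in `#if 0` leaves a member that can no longer be assigned, since the only assignment on this page (acl.c) is disabled by the same commit; if no other reader of the field remains, deleting the line would be cleaner than keeping it under `#if 0`.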