This patch is generated from the upstreamauth branch of s2_4 in squid Wed Sep 29 01:27:40 2004 GMT See http://devel.squid-cache.org/ Index: squid/src/acl.c diff -u squid/src/acl.c:1.4.4.1 squid/src/acl.c:1.5.6.2 --- squid/src/acl.c:1.4.4.1 Sat Jan 6 05:32:44 2001 +++ squid/src/acl.c Sat Jan 6 16:17:26 2001 @@ -1500,11 +1500,6 @@ return -1; #endif } - /* - * Register that we used the proxy authentication header so that - * it is not forwarded to the next proxy - */ - r->flags.used_proxy_auth = 1; /* Check the password */ switch (aclMatchProxyAuth(ae->data, header, Index: squid/src/cf.data.pre diff -u squid/src/cf.data.pre:1.4.4.2 squid/src/cf.data.pre:1.5.6.2 --- squid/src/cf.data.pre:1.4.4.2 Sat Jan 6 05:32:44 2001 +++ squid/src/cf.data.pre Sat Jan 6 16:17:26 2001 @@ -228,7 +228,7 @@ no-digest no-netdb-exchange no-delay - login=user:password + login=user:password|PASS connect-timeout=nn digest-url=url allow-miss @@ -280,6 +280,11 @@ use 'login=user:password' if this is a personal/workgroup proxy and your parent requires proxy authentication. + use 'login=PASS' if users must authenticate against + the upstream proxy. Note: To combine this with + proxy_auth both proxies must share the same user + database as HTTP only allows for one proxy login. + use 'connect-timeout=nn' to specify a peer specific connect timeout (also see the peer_connect_timeout directive) Index: squid/src/forward.c diff -u squid/src/forward.c:1.4 squid/src/forward.c:1.5.6.2 --- squid/src/forward.c:1.4 Fri Nov 3 00:39:20 2000 +++ squid/src/forward.c Sat Jan 6 16:17:26 2001 @@ -362,6 +362,7 @@ fwdState->request->peer_login = p->login; httpStart(fwdState); } else { + fwdState->request->peer_login = NULL; switch (request->protocol) { case PROTO_HTTP: httpStart(fwdState); Index: squid/src/http.c diff -u squid/src/http.c:1.4.4.1 squid/src/http.c:1.5.12.1 --- squid/src/http.c:1.4.4.1 Tue Nov 14 05:33:28 2000 +++ squid/src/http.c Sun Dec 17 04:09:36 2000 
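Review bot: The added `fwdState->request->peer_login = NULL;` in the direct (`else`) branch of the forward.c hunk has no comment, although the credential handling in http.c depends on it: both Proxy-Authorization tests there read `orig_request->peer_login`. A one-line comment would record that, e.g. `/* going direct: clear any peer login left on the request so no Proxy-Authorization is sent or passed on */`. The same applies to `sslState->request->peer_login = NULL;` in the ssl.c hunk. Whether a stale value can actually reach this branch (for example on a retry after a failed peer) is not visible here, and the enclosing function starts and ends outside the hunk.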
@@ -685,16 +685,26 @@ continue; switch (e->id) { case HDR_PROXY_AUTHORIZATION: - /* If we're not doing proxy auth, then it must be passed on */ - if (!request->flags.used_proxy_auth) + /* Only pass on proxy authentication to peers for which + * authentication forwarding is explicitly enabled + */ + if (request->flags.proxying && orig_request->peer_login && + strcmp(orig_request->peer_login, "PASS") == 0) httpHeaderAddEntry(hdr_out, httpHeaderEntryClone(e)); break; case HDR_AUTHORIZATION: - /* If we're not doing www auth, then it must be passed on */ - if (!request->flags.accelerated || !request->flags.used_proxy_auth) - httpHeaderAddEntry(hdr_out, httpHeaderEntryClone(e)); - else - request->flags.auth = 0; /* We have used the authentication */ + /* Pass on WWW authentication even if used locally. If this is + * not wanted in an accelerator then the header can be removed + * using the anonymization functions + */ + httpHeaderAddEntry(hdr_out, httpHeaderEntryClone(e)); + /* XXX Some accelerators might want to strip the header + * and regard the reply as cacheable, but authentication + * is not normally enabled for accelerators without reading + * the code, so there is not much use in adding logics here + * without first defining the concept of having authentication + * in the accelerator... + */ break; case HDR_HOST: /* @@ -782,7 +792,8 @@ } /* append Proxy-Authorization if configured for peer, and proxying */ if (!httpHeaderHas(hdr_out, HDR_PROXY_AUTHORIZATION)) { - if (request->flags.proxying && orig_request->peer_login) { + if (request->flags.proxying && orig_request->peer_login && + strcmp(orig_request->peer_login, "PASS") != 0) { httpHeaderPutStrf(hdr_out, HDR_PROXY_AUTHORIZATION, "Basic %s", base64_encode(orig_request->peer_login)); } Index: squid/src/ssl.c diff -u squid/src/ssl.c:1.3 squid/src/ssl.c:1.3.18.1 --- squid/src/ssl.c:1.3 Mon Oct 23 08:04:22 2000 +++ squid/src/ssl.c Sun Dec 17 04:09:36 2000 
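Review bot: The `login=PASS` sentinel is tested with an open-coded `strcmp(orig_request->peer_login, "PASS")` in the `HDR_PROXY_AUTHORIZATION` case here and again, with the opposite sense, in the append block of the `-782` hunk, and these two tests together decide whether a client's proxy credentials are passed to a peer. One shared helper, for example `#define PEER_LOGIN_IS_PASS(r) ((r)->peer_login != NULL && strcmp((r)->peer_login, "PASS") == 0)`, would keep the two from drifting apart. The match is exact and case-sensitive, so a configured `login=pass` would presumably reach the append block and be sent as a literal Basic credential; a check where the option is parsed (not part of this patch) could reject a login value that has no colon and is not `PASS`. In the same hunk the `HDR_AUTHORIZATION` case now copies the header unconditionally and no longer clears `request->flags.auth`, so an accelerator setup that consumed the header locally will start sending it to the backend; that default deserves a line in cf.data.pre next to the `login=PASS` text. The enclosing function starts and ends outside both hunks.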
@@ -586,6 +586,7 @@ sslState->request->peer_login = fs->peer->login; sslState->request->flags.proxying = 1; } else { + sslState->request->peer_login = NULL; sslState->request->flags.proxying = 0; } #if DELAY_POOLS Index: squid/src/structs.h diff -u squid/src/structs.h:1.6.2.3 squid/src/structs.h:1.8.6.2 --- squid/src/structs.h:1.6.2.3 Sat Jan 6 05:32:45 2001 +++ squid/src/structs.h Sat Jan 6 16:17:27 2001 @@ -1401,7 +1401,6 @@ unsigned int proxy_keepalive:1; unsigned int proxying:1; unsigned int refresh:1; - unsigned int used_proxy_auth:1; unsigned int redirected:1; unsigned int need_validation:1; #if HTTP_VIOLATIONS