# Bazaar merge directive format 2 (Bazaar 0.90) # revision_id: henrik@henriknordstrom.net-20090826115054-\ # 5xsrhlscmmkjgr84 # target_branch: http://www.squid-cache.org/bzr/squid3/trunk/ # testament_sha1: 53c0b03fbac33cd7f3f5b97d32aaa308d2b7ffe0 # timestamp: 2009-08-26 13:53:47 +0200 # base_revision_id: kinkie@squid-cache.org-20090825171158-\ # 8j8sboc0fjzyhial # # Begin patch === modified file 'src/cf.data.pre' --- src/cf.data.pre 2009-08-25 11:31:30 +0000 +++ src/cf.data.pre 2009-08-26 11:43:52 +0000 @@ -1797,30 +1797,14 @@ Note: This will pass any form of authentication but only Basic auth will work through a proxy unless the connection-auth options are also used. - - login=PROXYPASS - Send login details received from client to this peer. - Only WWW-Authorization headers are passed to the peer. - If the 'originserver' option is also used this will - convert Proxy-Authorization: to WWW-Authorization: before - relaying. The header content is not altered. - - Authentication is not required by Squid for this to work - however it should be noted that without it somewhere down - the proxy chain there may be no Proxy-Authorization: - header to convert. - - Note: This will pass any form of authentication but - only Basic auth will work through a proxy unless the - connection-auth options are also used. - + login=PASS Send login details received from client to this peer. Authentication is not required by this option. If there are no client-provided authentication headers to pass on, but username and password are available - from either proxy login or an external ACL user= and - password= result tags they may be sent instead. + from an external ACL user= and password= result tags + they may be sent instead. Note: To combine this with proxy_auth both proxies must share the same user database as HTTP only allows for === modified file 'src/http.cc' --- src/http.cc 2009-08-25 11:31:30 +0000 +++ src/http.cc 2009-08-26 11:50:54 +0000 
@@ -1446,6 +1446,75 @@ return fd < 0; } + +/* + * Fixup authentication request headers for special cases + */ +static void +httpFixupAuthentication(HttpRequest * request, HttpRequest * orig_request, const HttpHeader * hdr_in, HttpHeader * hdr_out, http_state_flags flags) +{ + http_hdr_type header = flags.originpeer ? HDR_AUTHORIZATION : HDR_PROXY_AUTHORIZATION; + + /* Nothing to do unless we are forwarding to a peer */ + if (!request->flags.proxying) + return; + + /* Needs to be explicitly enabled */ + return; + + /* Maybe already dealt with? */ + if (hdr_out->has(header)) + return; + + /* Nothing to do here for PASSTHRU */ + if (strcmp(orig_request->peer_login, "PASSTHRU") == 0) + return; + + /* PROXYPASS is a special case, single-signon to servers with the proxy password (basic only) */ + if (flags.originpeer && strcmp(orig_request->peer_login, "PROXYPASS") == 0 && hdr_in->has(HDR_PROXY_AUTHORIZATION)) { + const char *auth = hdr_in->getStr(HDR_PROXY_AUTHORIZATION); + + if (auth && strncasecmp(auth, "basic ", 6) == 0) { + hdr_out->putStr(header, auth); + return; + } + } + + /* Special mode to pass the username to the upstream cache */ + if (*orig_request->peer_login == '*') { + char loginbuf[256]; + const char *username = "-"; + + if (orig_request->extacl_user.size()) + username = orig_request->extacl_user.termedBuf(); + else if (orig_request->auth_user_request) + username = orig_request->auth_user_request->username(); + + snprintf(loginbuf, sizeof(loginbuf), "%s%s", username, orig_request->peer_login + 1); + + httpHeaderPutStrf(hdr_out, HDR_PROXY_AUTHORIZATION, "Basic %s", + base64_encode(loginbuf)); + return; + } + + /* external_acl provided credentials */ + if (orig_request->extacl_user.size() && orig_request->extacl_passwd.size() && + (strcmp(orig_request->peer_login, "PASS") == 0 || + strcmp(orig_request->peer_login, "PROXYPASS"))) { + char loginbuf[256]; + snprintf(loginbuf, sizeof(loginbuf), SQUIDSTRINGPH ":" SQUIDSTRINGPH, + 
SQUIDSTRINGPRINT(orig_request->extacl_user), + SQUIDSTRINGPRINT(orig_request->extacl_passwd)); + httpHeaderPutStrf(hdr_out, HDR_PROXY_AUTHORIZATION, "Basic %s", + base64_encode(loginbuf)); + return; + } + + httpHeaderPutStrf(hdr_out, HDR_PROXY_AUTHORIZATION, "Basic %s", + base64_encode(orig_request->peer_login)); + return; +} + /* * build request headers and append them to a given MemBuf * used by buildRequestPrefix() 
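Review bot: As the hunk reads, the `/* Needs to be explicitly enabled */` comment in httpFixupAuthentication is followed by a bare `return;`, so everything below it is unreachable. The removed code tested `orig_request->peer_login` at this point and the later `strcmp` calls dereference it, so the guard should test that pointer. In the external_acl branch `strcmp(orig_request->peer_login, "PROXYPASS")` lacks `== 0`, so the condition holds for every login value except PROXYPASS and external-ACL credentials can replace a configured fixed login string. The function computes `header` and checks `hdr_out->has(header)`, yet the `*`, external_acl and fixed-login branches all write `HDR_PROXY_AUTHORIZATION`, whereas the removed origin-peer code wrote `HDR_AUTHORIZATION`. Finally, login=PASS with no external-ACL credentials now falls through to the last call and sends the literal keyword as a Basic login, which the removed code never did.

```cpp
    /* Needs to be explicitly enabled */
    if (!orig_request->peer_login)
        return;

    // … unchanged: has(header) check, PASSTHRU and PROXYPASS relay, '*' username selection …
        httpHeaderPutStrf(hdr_out, header, "Basic %s",
                          base64_encode(loginbuf));

    /* external_acl provided credentials */
    if (orig_request->extacl_user.size() && orig_request->extacl_passwd.size() &&
            (strcmp(orig_request->peer_login, "PASS") == 0 ||
             strcmp(orig_request->peer_login, "PROXYPASS") == 0)) {
        // … unchanged: loginbuf formatting …
        httpHeaderPutStrf(hdr_out, header, "Basic %s",
                          base64_encode(loginbuf));
        return;
    }

    /* PASS/PROXYPASS with nothing to forward: never send the keyword itself as a login */
    if (strcmp(orig_request->peer_login, "PASS") == 0 ||
            strcmp(orig_request->peer_login, "PROXYPASS") == 0)
        return;

    httpHeaderPutStrf(hdr_out, header, "Basic %s",
                      base64_encode(orig_request->peer_login));
```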
@@ -1576,87 +1645,11 @@ } } - /* append Proxy-Authorization if configured for peer, and proxying */ - if (request->flags.proxying && orig_request->peer_login && - !hdr_out->has(HDR_PROXY_AUTHORIZATION)) { - if (*orig_request->peer_login == '*') { - /* Special mode, to pass the username to the upstream cache */ - char loginbuf[256]; - const char *username = "-"; - - if (orig_request->extacl_user.size()) - username = orig_request->extacl_user.termedBuf(); - else if (orig_request->auth_user_request) - username = orig_request->auth_user_request->username(); - - snprintf(loginbuf, sizeof(loginbuf), "%s%s", username, orig_request->peer_login + 1); - - httpHeaderPutStrf(hdr_out, HDR_PROXY_AUTHORIZATION, "Basic %s", - base64_encode(loginbuf)); - } else if (strcmp(orig_request->peer_login, "PASS") == 0) { - if (orig_request->extacl_user.size() && orig_request->extacl_passwd.size()) { - char loginbuf[256]; - snprintf(loginbuf, sizeof(loginbuf), SQUIDSTRINGPH ":" SQUIDSTRINGPH, - SQUIDSTRINGPRINT(orig_request->extacl_user), - SQUIDSTRINGPRINT(orig_request->extacl_passwd)); - httpHeaderPutStrf(hdr_out, HDR_PROXY_AUTHORIZATION, "Basic %s", - base64_encode(loginbuf)); - } - } else if (strcmp(orig_request->peer_login, "PROXYPASS") == 0) { - /* Nothing to do */ - } else if (strcmp(orig_request->peer_login, "PASSTHRU") == 0) { - /* Nothing to do (yet) */ - } else { - httpHeaderPutStrf(hdr_out, HDR_PROXY_AUTHORIZATION, "Basic %s", - base64_encode(orig_request->peer_login)); - } - } - - /* append WWW-Authorization if configured for peer */ - if (flags.originpeer && orig_request->peer_login && - !hdr_out->has(HDR_AUTHORIZATION)) { - if (strcmp(orig_request->peer_login, "PASS") == 0) { - /* No credentials to forward.. 
(should have been done above if available) */ - } else if (strcmp(orig_request->peer_login, "PASSTHRU") == 0) { - /* Nothing to do (yet) */ - } else if (strcmp(orig_request->peer_login, "PROXYPASS") == 0) { - /* Special mode, convert proxy authentication to WWW authentication - * (also applies to authentication provided by external acl) - */ - const char *auth = hdr_in->getStr(HDR_PROXY_AUTHORIZATION); - - if (auth && strncasecmp(auth, "basic ", 6) == 0) { - hdr_out->putStr(HDR_AUTHORIZATION, auth); - } else if (orig_request->extacl_user.size() && orig_request->extacl_passwd.size()) { - char loginbuf[256]; - snprintf(loginbuf, sizeof(loginbuf), SQUIDSTRINGPH ":" SQUIDSTRINGPH, - SQUIDSTRINGPRINT(orig_request->extacl_user), - SQUIDSTRINGPRINT(orig_request->extacl_passwd)); - httpHeaderPutStrf(hdr_out, HDR_AUTHORIZATION, "Basic %s", - base64_encode(loginbuf)); - } - } else if (*orig_request->peer_login == '*') { - /* Special mode, to pass the username to the upstream cache */ - char loginbuf[256]; - const char *username = "-"; - - if (orig_request->auth_user_request) - username = orig_request->auth_user_request->username(); - else if (orig_request->extacl_user.size()) - username = orig_request->extacl_user.termedBuf(); - - snprintf(loginbuf, sizeof(loginbuf), "%s%s", username, orig_request->peer_login + 1); - - httpHeaderPutStrf(hdr_out, HDR_AUTHORIZATION, "Basic %s", - base64_encode(loginbuf)); - } else { - /* Fixed login string */ - httpHeaderPutStrf(hdr_out, HDR_AUTHORIZATION, "Basic %s", - base64_encode(orig_request->peer_login)); - } - } - - /* append Cache-Control, add max-age if not there already */ { + /* Fixup (Proxy-)Authorization special cases. Plain relaying dealt with above */ + httpFixupAuthentication(request, orig_request, hdr_in, hdr_out, flags); + + /* append Cache-Control, add max-age if not there already */ + { HttpHdrCc *cc = hdr_in->getCc(); if (!cc) 
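Review bot: The new call to httpFixupAuthentication is unconditional, while both removed blocks tested `orig_request->peer_login` for NULL before any `strcmp`, so the helper alone now has to reject a peer with no login option. A comment at the call site such as `/* helper returns early when no login= is configured for the peer */` would record that contract. The removed origin-peer `*` branch also preferred `auth_user_request->username()` over `extacl_user`, and the helper uses the opposite order for both header types. That looks like a behaviour change for origin peers and is worth stating in the commit message if it is intended. The enclosing function starts and ends outside the hunk.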
@@ -1727,9 +1720,10 @@ * Only pass on proxy authentication to peers for which * authentication forwarding is explicitly enabled */ - if (flags.proxying && orig_request->peer_login && - (strcmp(orig_request->peer_login, "PASS") == 0 || - strcmp(orig_request->peer_login, "PASSTHRU") == 0)) { + if (!flags.originpeer && flags.proxying && orig_request->peer_login && + (strcmp(orig_request->peer_login, "PASS") == 0 || + strcmp(orig_request->peer_login, "PROXYPASS") == 0 || + strcmp(orig_request->peer_login, "PASSTHRU") == 0)) { hdr_out->addEntry(e->clone()); } break; 
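Review bot: Adding `PROXYPASS` to this test relays the client's Proxy-Authorization header verbatim to a non-origin peer, yet the same commit removes the login=PROXYPASS text from cf.data.pre. A value that enables credential forwarding is therefore no longer described in the option documentation shown here. I would keep a short entry for it, or extend the comment above the test to `Only pass on proxy authentication to peers for which authentication forwarding is explicitly enabled (login=PASS, PROXYPASS or PASSTHRU)`. The `strcmp` list appears to be repeated in the authorization case further down, so a small static predicate shared by both would keep the two sets of accepted values in step. The surrounding switch case starts outside the hunk.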
@@ -1756,8 +1750,7 @@ hdr_out->addEntry(e->clone()); } else { /** \note In accelerators, only forward authentication if enabled - * by login=PASS or login=PROXYPASS or login=PASSTHRU - * (see also below for proxy->server authentication) + * (see also httpFixupAuthentication for special cases) */ if (orig_request->peer_login && (strcmp(orig_request->peer_login, "PASS") == 0 || # Begin bundle IyBCYXphYXIgcmV2aXNpb24gYnVuZGxlIHY0CiMKQlpoOTFBWSZTWZ8B9TEABbFfgHQwc//////n /vq////+YAvc+bbcLnPoaAAmsCogDtgAqlElUOGSEk/TU0h6gyZHlMJ6g09NTQDIaDQAAHqGQRNJ 6U9NNPKMpkTQAAyAAAAAAAADjJgmhkMjIyaGgDQZGEA0GjTIYhoAJEUNIGip+1PVPUzIGI1TyjQD Q9Rpo0BkGjQB6QZKagek0JjTUYaEepiNMgxMBNNAMmAgNMgkiCaACAIE0elPQ0NAmkyZMTamQDQM jxSxJKxFg0NtiYEQiGCY9B4PVC75uh9+28qlSWtnhrUksXr1wiGzb0dPLnd3N0daMudXRT1Uz5is gcuVANGtcWjaOcrfDpRscxSQwojDYQqbNpEkCxNf5aOa3kaW1GqkaqYfpGz+Wv/GWvoABdGaBmQE RAgCBAgi8JeBYBWfh+emr0X6/Id7H6SsgjQ2EhfHGWapebx6/P34qF/vI0YLBNDY2myEqv4Sz1mk 8e6Gg7DHc5DrdcvE4cu1y0rJPOdcJ9Ty9/DV1OZ8QI9mlGIoDeqKDBOEEz9ekyWi2PWDz2WGw0Qp TXGRY07LnjQk7boE9q/Y1wM7YKZRWFj8IDKhl40C8sEdFtIko5rOs9jHXL4JwshYuDJPLChERckr EApAbKwzCM7WiYUuZGqAIQPVGy9xiF2MaqhFZQeozdA7FKUAiPU0QAakbMbiVJGcRK/gIueCq5qh rYLACDyJYI8ba6XEvqXC06srU5CDIwbJ5BqSbebbtXRsC24QwpKYKGejhBPYaxiDVkAulKhW31AD 8tlNBuK1YNAwQ1TbvAkDYM4NYK9xThuk7GWJ11xYVBHpGTYBSezujJt7Hpzcr3HVejkxP7aBPU/f In27DSpzzV1rsshhHp921tjAMGTJFTGKq9zWLEC+W1QaXlzgosccm0KG2BySY+RxVBA8S8DOKiA0 EJOtle/tALpni4S4GVCC23BZYD9cXkCwNi9gI9hcq15kxdeu0R9Pag8CN+rVaO7wz/AR6XIMerfW IPKwb2UhxwiDc/BAm8pUlUUUT0JWigEJlVqSLUkcC4sROhsLjw+yR9NZyXiNPOwp3DosCLwMy6sh HQqBOmFgpFeBJE17L+mqm4ppMZYYJfeQhyCdY4bMgKIFLWiCrBqAPpYOqWtA9aLShgXkDIuOw1gr i6MJ4CTZmCSNWglglErmlwIWl45IuGX6Dyi4REEzaMXLM0IG0qNtEtDQiBQyJEjcaEjHGFaVauHH CKsdLYZYlwKtL4ERy2ZjgazI1lhgQHLhnVk3WKTajEYqHRMsL+0FHMkOCsIDqsuygm1F+stoljUM wKg5M0RWqGZEyPmStJ7MjcF6Th0dAKEFjVqBdwyVxoLTfI2HRYStUSSjYtpvOtLiKqupit8dba0m ICRiTsNZwWdhqLd0eBQUDMwGNhYXmBgYbnxk08M6FpeUKlVYrIBnUPQrzIYs5ZkQuStt4BiTMjMr 
SwYMFbempiPEbdk8kkfJKBIOo0YHKyBbBYmhJWcDcsQXxXHnLaMzhSL2pMPkkjducgUJnF0rRiRl HY0i1BkXLjfXJg1l7Kg6LEowReIl6PgwN8zljOvS0DXiDtFuGheYYaO5BywHFfQ3YgZLGrCFWYxj ZAxUQZj40dR7pJYQFBkHOVDAXbbWAIfl0K+iD/E7iW1iSXFLRECAIiIjR2SNTS7xP8hbUZFrDOT8 4w8qRWjMSqvMH+isSaX79Fn+JZhOhksEpgviosWjO6/6Dp1uE97eBfiGAZl6TArg/VLQyqQVhtQn CQQ5I2GxKQTSYNs21h8Akl7yWIL4gt6X1HpK+ImF9HeuvY3jQw2tcQgAyQTIj/cJDeTyeWgzBXKg SNBeqab5iIjM856wcImJ6z6z8dLtp+7uZafX5dBZ30LiyAK89Vo3o3huAt3ILvjZ92pkvkzssBmi oJFC+NgxYxjqoTJqZo4v1VdUiTKYJtofkTqR5EcizXUbORmAy9f5Xp/SD2G3Vj4jnOoNDwDjFa/V vnviazlJQG4+ZRFCNgHOCjmD3Ek1qNuxQHoU9ZeZTeSYGTKtJGV3NEI6SPuFWdS0/Q6Fo6L8y5G0 Cr7SSBpZTUKvwAXGIxpoxjxThSXR1DTeN55jngjhRTfWcN5I4kzqKxaipJyJfUCtX4GirIHAqzS0 KSiIjgc5zHjReqzDeCsiJFcrDf+NXYvvp4LOEzmPRLnVR3Z3zpSL0hdAodyhFNTWSJ2smXFthodB DIkVqZ0F63F6Mw4LX5g2MxepAdRD9poDJtS2DVFDck+ZF3pNtsDDQ6CmMsPq2yLxAyl4bqdHeqoG o1AIpWsc4h0iikbydvqIglYUGZqnm0HT1PeQUQUCsaKYUIzuAiDt2tFq+AbsAmJJiPDiJDSgB1Mg Ms8Rd4mHM7C4R4WbQZ+vG1RKyAuhec6DsKLYROo0OwOskULCZAgaSQx1mQu865YWGuofsyhViUAb SdoRYIqmYUgSF0yC82sCSsKFhB5xWUQek2C2NNpnoIhm8RYSiMp4iRIM0w39ddJe9gcJzNT/me09 qGIph03xBFETb3L1Dlo24TegrKxinTlzjEIAquAKmaXcrZbUeh/D6HCZOHST6u1HEFd86sD4aGpj Uzs540XYCFmVgukFAQjRBaGRW2zwugyBgKwI8xtwW0hhNVBZeN1dpaQKjATJLC2UnNiAfu6Qy7y8 +SGtA5+xaC6QVDcnHKmO9KAIz4q8FwA8HIyFUCKhFbHXklxIRFgB/HZ6vFYqMqDKhLdn7FO+ssMw XSJ1vmuYVr++jncTOqd5neqmQjzpecFzowJJD3eQ8RtDiBYbhVoZBWcyI4FQY9DzkMw7JMhMrwGQ pOBWiIDyIq9nRECEz6gRIjBkEmfIzgqomZGzwAhprpLBCHqTjGwgaGxOYSJJFkObBLrtICLzmUYS NptOzAvOAkdkrmAVFgqmW53HZJe4jKQ6+2CCpZwOM7jGCL1iOlttNfTCCVs2240b2sgsL8uq4414 8kpU/M0sYXgIoLheQFAgMoAq+LLkcjklC8YojuOsX5ayTN7QTbtgFMf8x7Ic6rMjIGLCJXk1nyF6 SWhFxCMozPARBxEIPZExcAYJpMNEDmJ0VQESCYSJj3aLiUql4nN5pESZ2Y62A+hkKyPr9gm3nlIr gMKBas12GoWq6IhcwhGswpFKcAGAgjsGBHKlSDe3eMVJVsJo7WFcnVVyTCqqkm729kV+tGspaPYy EM0Ax0Dgsor3ajVMPllQlwYtU1oqRgiZRr454kBvU1AwS6S8gL6Faetdor9SLnBzFNxZCV+UawNF dgx8ud+YSN1tHC5i9lHB7jSe1yMxoJhmZnEDQQwTcHhKi0JrCi0iqTFltCZHDqswNsyoVZMrLhgu 
dxmCSGBs4jweVrBzBIJORq2RYMsecCBXCDsJQcZCrmsYkMMbSoeNB9oyYYtNSCMw41+aZvtgJL8P IA6NXYS1vWbzMZWTjrKmAupG8GY7/IQ87XgdXaqz5xgGZl96UsxbB1tbcgLHitCGw0cW0FORVEue 0TAFiJo2Um/UXDW0Y3Ri4zn3JRHKvapu0TIg0CFi2YwDiCjvLBYUXv8XckU4UJCfAfUx