# Bazaar merge directive format 2 (Bazaar 0.90) # revision_id: henrik@henriknordstrom.net-20090826120021-\ # pb2rqz639jzlxa6m # target_branch: http://www.squid-cache.org/bzr/squid3/trunk/ # testament_sha1: 7fc1901a75d5f7bef631559a600be5c596b94386 # timestamp: 2009-08-26 14:00:46 +0200 # base_revision_id: kinkie@squid-cache.org-20090825171158-\ # 8j8sboc0fjzyhial # # Begin patch === modified file 'src/cf.data.pre' --- src/cf.data.pre 2009-08-25 11:31:30 +0000 +++ src/cf.data.pre 2009-08-26 11:43:52 +0000 @@ -1797,30 +1797,14 @@ Note: This will pass any form of authentication but only Basic auth will work through a proxy unless the connection-auth options are also used. - - login=PROXYPASS - Send login details received from client to this peer. - Only WWW-Authorization headers are passed to the peer. - If the 'originserver' option is also used this will - convert Proxy-Authorization: to WWW-Authorization: before - relaying. The header content is not altered. - - Authentication is not required by Squid for this to work - however it should be noted that without it somewhere down - the proxy chain there may be no Proxy-Authorization: - header to convert. - - Note: This will pass any form of authentication but - only Basic auth will work through a proxy unless the - connection-auth options are also used. - + login=PASS Send login details received from client to this peer. Authentication is not required by this option. If there are no client-provided authentication headers to pass on, but username and password are available - from either proxy login or an external ACL user= and - password= result tags they may be sent instead. + from an external ACL user= and password= result tags + they may be sent instead. Note: To combine this with proxy_auth both proxies must share the same user database as HTTP only allows for === modified file 'src/http.cc' --- src/http.cc 2009-08-25 11:31:30 +0000 +++ src/http.cc 2009-08-26 12:00:21 +0000 
@@ -1446,6 +1446,76 @@ return fd < 0; } + +/* + * Fixup authentication request headers for special cases + */ +static void +httpFixupAuthentication(HttpRequest * request, HttpRequest * orig_request, const HttpHeader * hdr_in, HttpHeader * hdr_out, http_state_flags flags) +{ + http_hdr_type header = flags.originpeer ? HDR_AUTHORIZATION : HDR_PROXY_AUTHORIZATION; + + /* Nothing to do unless we are forwarding to a peer */ + if (!request->flags.proxying) + return; + + /* Needs to be explicitly enabled */ + if (!orig_request->peer_login) + return; + + /* Maybe already dealt with? */ + if (hdr_out->has(header)) + return; + + /* Nothing to do here for PASSTHRU */ + if (strcmp(orig_request->peer_login, "PASSTHRU") == 0) + return; + + /* PROXYPASS is a special case, single-signon to servers with the proxy password (basic only) */ + if (flags.originpeer && strcmp(orig_request->peer_login, "PROXYPASS") == 0 && hdr_in->has(HDR_PROXY_AUTHORIZATION)) { + const char *auth = hdr_in->getStr(HDR_PROXY_AUTHORIZATION); + + if (auth && strncasecmp(auth, "basic ", 6) == 0) { + hdr_out->putStr(header, auth); + return; + } + } + + /* Special mode to pass the username to the upstream cache */ + if (*orig_request->peer_login == '*') { + char loginbuf[256]; + const char *username = "-"; + + if (orig_request->extacl_user.size()) + username = orig_request->extacl_user.termedBuf(); + else if (orig_request->auth_user_request) + username = orig_request->auth_user_request->username(); + + snprintf(loginbuf, sizeof(loginbuf), "%s%s", username, orig_request->peer_login + 1); + + httpHeaderPutStrf(hdr_out, HDR_PROXY_AUTHORIZATION, "Basic %s", + base64_encode(loginbuf)); + return; + } + + /* external_acl provided credentials */ + if (orig_request->extacl_user.size() && orig_request->extacl_passwd.size() && + (strcmp(orig_request->peer_login, "PASS") == 0 || + strcmp(orig_request->peer_login, "PROXYPASS"))) { + char loginbuf[256]; + snprintf(loginbuf, sizeof(loginbuf), SQUIDSTRINGPH ":" SQUIDSTRINGPH, 
+ SQUIDSTRINGPRINT(orig_request->extacl_user), + SQUIDSTRINGPRINT(orig_request->extacl_passwd)); + httpHeaderPutStrf(hdr_out, HDR_PROXY_AUTHORIZATION, "Basic %s", + base64_encode(loginbuf)); + return; + } + + httpHeaderPutStrf(hdr_out, HDR_PROXY_AUTHORIZATION, "Basic %s", + base64_encode(orig_request->peer_login)); + return; +} + /* * build request headers and append them to a given MemBuf * used by buildRequestPrefix() 
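Review bot: In the external_acl branch of httpFixupAuthentication the second test is `strcmp(orig_request->peer_login, "PROXYPASS")` with no `== 0`, so it is true for every value except PROXYPASS. A peer configured with a fixed login string then receives the external ACL user and password instead of that login whenever both extacl values are set, and PROXYPASS itself never matches. PASS and PROXYPASS also reach the final fallback when no credentials are available, so the literal keyword is base64-encoded and sent as Basic credentials; an early return for the two keywords avoids that. The guard tests `hdr_out->has(header)` while all three httpHeaderPutStrf calls write HDR_PROXY_AUTHORIZATION, so on an origin peer the credentials presumably land in the wrong header; passing `header` would match the guard.

```cpp
    /* … unchanged: proxying/peer_login guards, PASSTHRU, PROXYPASS conversion, '*' mode … */

    /* external_acl provided credentials */
    if (orig_request->extacl_user.size() && orig_request->extacl_passwd.size() &&
            (strcmp(orig_request->peer_login, "PASS") == 0 ||
             strcmp(orig_request->peer_login, "PROXYPASS") == 0)) {
        /* … unchanged: build loginbuf from extacl_user and extacl_passwd … */
        httpHeaderPutStrf(hdr_out, header, "Basic %s",
                          base64_encode(loginbuf));
        return;
    }

    /* PASS and PROXYPASS are mode keywords, never a login string to send */
    if (strcmp(orig_request->peer_login, "PASS") == 0 ||
            strcmp(orig_request->peer_login, "PROXYPASS") == 0)
        return;

    /* Fixed login string */
    httpHeaderPutStrf(hdr_out, header, "Basic %s",
                      base64_encode(orig_request->peer_login));
```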
@@ -1576,87 +1646,11 @@ } } - /* append Proxy-Authorization if configured for peer, and proxying */ - if (request->flags.proxying && orig_request->peer_login && - !hdr_out->has(HDR_PROXY_AUTHORIZATION)) { - if (*orig_request->peer_login == '*') { - /* Special mode, to pass the username to the upstream cache */ - char loginbuf[256]; - const char *username = "-"; - - if (orig_request->extacl_user.size()) - username = orig_request->extacl_user.termedBuf(); - else if (orig_request->auth_user_request) - username = orig_request->auth_user_request->username(); - - snprintf(loginbuf, sizeof(loginbuf), "%s%s", username, orig_request->peer_login + 1); - - httpHeaderPutStrf(hdr_out, HDR_PROXY_AUTHORIZATION, "Basic %s", - base64_encode(loginbuf)); - } else if (strcmp(orig_request->peer_login, "PASS") == 0) { - if (orig_request->extacl_user.size() && orig_request->extacl_passwd.size()) { - char loginbuf[256]; - snprintf(loginbuf, sizeof(loginbuf), SQUIDSTRINGPH ":" SQUIDSTRINGPH, - SQUIDSTRINGPRINT(orig_request->extacl_user), - SQUIDSTRINGPRINT(orig_request->extacl_passwd)); - httpHeaderPutStrf(hdr_out, HDR_PROXY_AUTHORIZATION, "Basic %s", - base64_encode(loginbuf)); - } - } else if (strcmp(orig_request->peer_login, "PROXYPASS") == 0) { - /* Nothing to do */ - } else if (strcmp(orig_request->peer_login, "PASSTHRU") == 0) { - /* Nothing to do (yet) */ - } else { - httpHeaderPutStrf(hdr_out, HDR_PROXY_AUTHORIZATION, "Basic %s", - base64_encode(orig_request->peer_login)); - } - } - - /* append WWW-Authorization if configured for peer */ - if (flags.originpeer && orig_request->peer_login && - !hdr_out->has(HDR_AUTHORIZATION)) { - if (strcmp(orig_request->peer_login, "PASS") == 0) { - /* No credentials to forward.. 
(should have been done above if available) */ - } else if (strcmp(orig_request->peer_login, "PASSTHRU") == 0) { - /* Nothing to do (yet) */ - } else if (strcmp(orig_request->peer_login, "PROXYPASS") == 0) { - /* Special mode, convert proxy authentication to WWW authentication - * (also applies to authentication provided by external acl) - */ - const char *auth = hdr_in->getStr(HDR_PROXY_AUTHORIZATION); - - if (auth && strncasecmp(auth, "basic ", 6) == 0) { - hdr_out->putStr(HDR_AUTHORIZATION, auth); - } else if (orig_request->extacl_user.size() && orig_request->extacl_passwd.size()) { - char loginbuf[256]; - snprintf(loginbuf, sizeof(loginbuf), SQUIDSTRINGPH ":" SQUIDSTRINGPH, - SQUIDSTRINGPRINT(orig_request->extacl_user), - SQUIDSTRINGPRINT(orig_request->extacl_passwd)); - httpHeaderPutStrf(hdr_out, HDR_AUTHORIZATION, "Basic %s", - base64_encode(loginbuf)); - } - } else if (*orig_request->peer_login == '*') { - /* Special mode, to pass the username to the upstream cache */ - char loginbuf[256]; - const char *username = "-"; - - if (orig_request->auth_user_request) - username = orig_request->auth_user_request->username(); - else if (orig_request->extacl_user.size()) - username = orig_request->extacl_user.termedBuf(); - - snprintf(loginbuf, sizeof(loginbuf), "%s%s", username, orig_request->peer_login + 1); - - httpHeaderPutStrf(hdr_out, HDR_AUTHORIZATION, "Basic %s", - base64_encode(loginbuf)); - } else { - /* Fixed login string */ - httpHeaderPutStrf(hdr_out, HDR_AUTHORIZATION, "Basic %s", - base64_encode(orig_request->peer_login)); - } - } - - /* append Cache-Control, add max-age if not there already */ { + /* Fixup (Proxy-)Authorization special cases. Plain relaying dealt with above */ + httpFixupAuthentication(request, orig_request, hdr_in, hdr_out, flags); + + /* append Cache-Control, add max-age if not there already */ + { HttpHdrCc *cc = hdr_in->getCc(); if (!cc) 
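Review bot: The comment on the new httpFixupAuthentication call does not say that the username source for `login=*:password` on origin peers changes order. The removed origin-peer branch read auth_user_request first and fell back to extacl_user, while the shared helper reads extacl_user first, so a site that sets both may send a different identity upstream. If the new order is intended, record it at the call, e.g. `/* Note: for login=*: the external ACL user now takes precedence over the authenticated user on all peer types */`. The enclosing function starts and ends outside this hunk.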
@@ -1727,9 +1721,10 @@
 * Only pass on proxy authentication to peers for which
 * authentication forwarding is explicitly enabled
 */
- if (flags.proxying && orig_request->peer_login &&
- (strcmp(orig_request->peer_login, "PASS") == 0 ||
- strcmp(orig_request->peer_login, "PASSTHRU") == 0)) {
+ if (!flags.originpeer && flags.proxying && orig_request->peer_login &&
+ (strcmp(orig_request->peer_login, "PASS") == 0 ||
+ strcmp(orig_request->peer_login, "PROXYPASS") == 0 ||
+ strcmp(orig_request->peer_login, "PASSTHRU") == 0)) {
 hdr_out->addEntry(e->clone());
 }
 break;
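Review bot: Adding PROXYPASS to this condition means the client's Proxy-Authorization header is cloned unchanged to a non-origin peer, yet the comment above still says only "explicitly enabled" and the cf.data.pre hunk in this same patch deletes the login=PROXYPASS description. An administrator is left without a statement of which login= modes disclose client proxy credentials to a parent. I would extend the comment, e.g. `* (login=PASS, PROXYPASS or PASSTHRU; origin peers are left to httpFixupAuthentication)`, and keep a PROXYPASS entry in the option documentation. The enclosing switch case starts and ends outside the hunk.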
@@ -1756,8 +1751,7 @@ hdr_out->addEntry(e->clone()); } else { /** \note In accelerators, only forward authentication if enabled - * by login=PASS or login=PROXYPASS or login=PASSTHRU - * (see also below for proxy->server authentication) + * (see also httpFixupAuthentication for special cases) */ if (orig_request->peer_login && (strcmp(orig_request->peer_login, "PASS") == 0 || # Begin bundle IyBCYXphYXIgcmV2aXNpb24gYnVuZGxlIHY0CiMKQlpoOTFBWSZTWdI0wpcABxnfgHQwc//////n /vq////+YA08+Wtwu+91lgAAGxUNoUKK21mlMbVazTaszfDRUHqNNA0NAA0TARmgAAAQwAE0wamk wJgphIAAaHqAAA0AAAAAHGTBNDIZGRk0NAGgyMIBoNGmQxDQARJIIKej0kzRNqaNMTU0yaGRiaGg AAyaAPSCKRCZNCZPRGmp6npTaeUeSYapp5TTA1NAAABk0EkQTI0TJpop5Cek00npRk9Jk9EaGg0w TQNBoMmAAYJgRJJBgFUlQGEyNnrp6rblTq5uuXWbGaQ4r2xaD7NtJUhzcvNzdrKbuft9zpXVuZMr N67qZFSH2jGR6qgatasBatq56o+nWjZm9BJJkEUybdaklvaamAG42Pr12gM5JX4XGtI3UMvujefZ w9eW/2lAe1rQkEkhAhCHa/Pw+awNn98/9bK9VuKxNuIHU4ZiOZLGokIQRAYm4sxPv/SaB6uRO1QF QDIjOQkZClu/gTdvd58nPUtRGPgoOi7ms256Do9qjAqpPOdYT60hP5+evVzToBH1dvnO7Ffo5ORP uTHsr34x0HMxMwJTaDm0PBztca5MMXIckyrku2wJew/tI64QvQZMrYV+INCxNpT86Mgs4lPSxhIA hPVruSltu+M81QVflMp7KJRjE8zUxCJqyY1UpGqitZSFDUoqdSIpM4CmpjYELKaa6yI6KHAQg2iC rUZCMXALIEQBVxXPBqDTUvIkYFDNXADa/g20mkLTCMXMsG5PnWL/U+nGu0eNosR84vSsBTJtWi+N hLXKiVJsSihj5AboVMkwnB7LJPUIRSYidNAXI+RnEeIUj2VWWXOtqbzCEIsNfh2ATA1MO2A4nZKx 73dsd+GDL76wLgr0kLYAY27/nrT3e/N7HVyz3Dy1R5MXftqE9X/LIn37GNzn5K1XlfDKPX4+LbMA wZxTGG64+WaHdA1X7G0v9zXZuhx5TeMxssdIkPYaGsF1iaxNLNDAQAftfs+G4Hvuo8wnE3+UaCvN mr7cEzhvYLMnhQyHG7lXsOBtelg4MbtE8+1DmXbs4NJVVVVbXufWr4rN0PHt0APggdiN7TQXA3Xo IRYfoTE9BFCvoGInviMREAhQvxQBegDoZEjBJqHIMT0+2R8lTNd5rf7HQXWTpYCi+aUTQzN1iM2N 5UFBMIwUjCAs1ICYe3d1pGuHFYFeA5QzEfSOk0ATSGHYdOVBQcRBlo5MloygB4sHfPgCe9LAYobj EiMaGIx6jYFYttOL03EGBPqpC3IA2yS3iKDCHEbFxhURzIYrcOTmWTuvuIGpdOApAlQzGORpoHAv JFiq5XiN4VIpFDQkQJGBvCZoLPOOeAiqyHHCSs4jYnmYgqiP/ERzCZmaGBMWZwN5oWJkBzEZ1abh mkNqsxlcOlNXm7Q8gUsryJoUJArER1YypABjgV0LUEZ3DMCoOTLJVRQNCJgszqIte1NszkhmySHR 
3N3AoOqXaguXujiMTgI4ciczQ7sCdlEkKJgxu3QORsWPQI6CL7F7Kz79m2EMQEBI3jF57ot+i6Kp wscSBXHUZud3QxAgbFBjzGpYxLjQ3mRnyqKFJtTO+pYwKG6ipYLQDhQfMvMN5vlvaBjcXEchFrcg 0LjEsbzUsItIcHC2Sau7MhIbhF5IA/ARAkHeashxlUgYKIZmqkK/oc1uBfete4woMNCAUd8BDD5o A5cnIFCZzcRsQLECYaE2JuSMAWZZTA6Y1mwuCwwNhJbRKJrhRp6vfAR45F+JO+JEPUPkQ1sUPpYO XnQ5KDg6+Lz5xtTIxwaal5oIyEhTAMUNT5V6X32zg0OLGntlzEHwZvCq3u0t/KP/L1LwcGg33ZbR JAgyEkNT6+v6tWfzr/QV0Fr3gxk/SQHsUpTCzaPaHuGpYX+Lqv9XCNDF3FwB6m6GklU/4FNPCNap 3H7g3A1mpYBwB/i8JjvIWBxIyCkJ60zGZaQqWA4qoyh7wpX6yngB/4HOvoN5ZoGB83W+DNG0CGMo aAmpAJUUMvaqRu3c5WRA2U1hScK/HUx4igXCSMh0nlCQTPsHIfIes7suLjO7oh9eaPJlG7DUULF8 QWJ8Mxvf6C5pGHNBb77/36sB+DOyyGaKgjmdV2hhohouxbWOKGW/6m+6wJDHgZIk9DLkfKl2LHK5 mOjGQy/N9eKf4EPecdd3oO03HeaCY3noBxjAP9t8e6JQ9UjUaI3Pzp3on7QOoJ/OHvpAy5rw7gcX zH2KOJ6wibGRI9RQmeYxyW84ENzaMh0eA/0oOw2+eh5GQ3aS/c2BZNgv5nBG4VWJcSLTFydol/GB vGg0sXSQz248bTGXGumpplrV6HHPXcpvM8x3T/EdpQ85UOhgB5jYvEQUjdRAYLtPoNk5gRHPipgc Eti+6QiOZ2nU8UtyzvG7AV8RAVledn1Xetfwp4390zuPgl1C49mmM6U0lCscYFT2KEU1eBInZkwc zp2w5FxsdTmSu4FB7Kp2GYauS747Xh5U4iENwL1O4W9BsCM4XiJi5jOdg6JR3k3e+jc4HmM+B0K2 nnQ/XzmZJAwT8ca9fgV0DZbCSVKhnviHegiAdCeHtIoSvKDM1zzaDp7nxUFFCgVGimFCM7Aog7eT RavYLzZCmkmN23soBL7AbYg5a90DxDGjXoesD0SbzK9O7BRKkBdF6zuPAotiJ1N54h4EiheTIEDf 4k1kcxkA/ANwUBQ+CR7t8jRqkLrjqYmJoY6zCqVwiF+baqXhiYFF/4iTFD0vIPJGRj+Q7seoSmQQ 9j3iSkGiYb+nCkvoYHCczV/7L4j4kQuYUEphTOpVzJhPM+Mo0k4RJ7xnc7GvVj0kE5q3uQGvIB0N tPEnXLm65BUVT1NXLtTQgYO1vj7+FuguiUSdy4MSjkLAdQM0AOEHAWZVtvBxGYMBVIj2HHJcSGRN XBfiN18lgoN5xLApitppkZkHfPp5Qx5KXEfBIwIadjcJqBrPIOdmza4d4k1W7vPADoU8GwyCXlW8 kVY8NBHaQiLID+PL4fG8KMFBgopc9Pap41V5kR+IZPJU98S2XnrkdDU/KPNexHD5TgCyJMKsbxN4 OpcZUjLF0Pjc41aUbXkEmkIWPfWjgMQy7dYXsjUWCwNQEUL6AzrcBV7c6pSXKYXQPjVby60EvlZO 9ZxuNZdo51WYPKaEAKxZWiJREkQlqALNkNJy7F6cw4Pqd6faAzJt/ryMTsSR65WYEFAyRcy5O48C k7tLKqok900a3GpyHobVXK2HNERDD3ds0EV3eNcEvcZWQctsee47a5+4lKn2mt7C9BFBZB7wM2bD MGzTAbHY7BJ4SDMNi9R4R+7MVRHmRN5uIKmfzR8odqqaLQTK8iSw7T5DgAGaMjkKCaiGVBVGwpDo 
Ei94IjFhLlOy4ZwxAiQTCAmPjquwpdLxc6LWIIZ2Y9DAeDCV+js7RjkedoDQwhNtcjylwl2ChR0o AZTFXQhVMCAJjsIVddd5HPG8g9I1oX4HjgkPgg42OzdttTddYtl4eSr/YnIY5iaYUkdYxmI7XAJl itM85RqmyXbA550pQvEs5pp0W0ZUHY3gmYhOUxEx9DgOwNomK5cBIJGNjRCrh0jVI1VsmPw7n7BA cMKOFmMWUcnsb58XIzTQTEklAsQqIyUcTc5hteGIbwFzB62ZIQTO0Z7LjMuAqplSwwWdxmRJDA2k R4PLTA2jeNsZxxqw8EMJuqUhuInfLIdgpvtSQIEDfgSt3A/OQwQWlyFFQ6LOmoz020Kv084Eku8T TllfM5kYbaqMpegDDXRiCIN/OT6oxA6+tVPzjIGZl8wiWiDYdcW5IFe8VvIbG9xcQU5F0S3UULCG SDBFyONbnuLJsKMuUYuSn6RLmnHyOFS4yMhu1KeYdLHINkOX2NNWUf4u5IpwoSGkaYUu