Original design by "arronax28".
This adds a %un token (distinct from %LOGIN and %EXT_USER) which passes
any already-known username details to the external ACL helper, but does not
trigger or require authentication verification.
It will not process auth headers that are presented but not yet
authenticated. It will, however, allow IDENT and external ACL out-of-band
authorization usernames to be sent to the helper.
On the upside it will solve some of the cases where people want to
process usernames without accidental auth challenges.
On the downside I am expecting some small amount of confusion as admins
send HTTP auth headers and expect Squid to magically understand them
without doing any auth processing.
Amos
=== modified file 'src/cf.data.pre'
--- src/cf.data.pre 2011-11-27 10:59:41 +0000
+++ src/cf.data.pre 2011-12-12 09:14:49 +0000
@@ -563,7 +563,10 @@
FORMAT specifications
- %LOGIN Authenticated user login name
+ %LOGIN Authenticated user login name. Will perform
authenticateion
+ challenges if no valid credentials are present.
+ %un A user name. Pulls any name available from both
+ authenticated and non-authenticated sources.
%EXT_USER Username from previous external acl
%EXT_LOG Log details from previous external acl
%EXT_TAG Tag from previous external acl
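Review bot: The new `%un` entry does not tell the admin that the name may come from a source Squid has not verified, so a helper author could reasonably treat it as equivalent to `%LOGIN`. Going by the commit message, the entry could add something like `The name is not verified by Squid and no authentication challenge is sent; helpers must not treat it as proof of identity.` The reworded `%LOGIN` line also contains a typo, `authenticateion`.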
=== modified file 'src/external_acl.cc'
--- src/external_acl.cc 2011-12-04 06:44:05 +0000
+++ src/external_acl.cc 2011-12-12 09:08:11 +0000
@@ -187,6 +187,7 @@
#endif
#if USE_AUTH
EXT_ACL_EXT_USER,
+ EXT_ACL_USERNAME,
#endif
EXT_ACL_EXT_LOG,
EXT_ACL_TAG,
@@ -467,6 +468,8 @@
#if USE_AUTH
else if (strcmp(token, "%EXT_USER") == 0)
format->type = _external_acl_format::EXT_ACL_EXT_USER;
+ else if (strcmp(token, "%un") == 0)
+ format->type = _external_acl_format::EXT_ACL_USERNAME;
#endif
else if (strcmp(token, "%EXT_LOG") == 0)
format->type = _external_acl_format::EXT_ACL_EXT_LOG;
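Review bot: The `%un` branch is added inside `#if USE_AUTH`, so a build without auth support will presumably not recognise the token, even though the commit message presents it as a way to pass IDENT and external ACL names that need no authentication. If that restriction is intended, state it in the cf.data.pre entry; otherwise only the `ch->auth_user_request` lookup needs the guard. The same placement applies to the enum, dump and key-building hunks. The if/else chain starts and ends outside this hunk.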
@@ -611,6 +614,9 @@
#endif
#if USE_AUTH
DUMP_EXT_ACL_TYPE(EXT_USER);
+ case _external_acl_format::EXT_ACL_USERNAME:
+ storeAppendPrintf(sentry, " %%un");
+ break;
#endif
DUMP_EXT_ACL_TYPE(EXT_LOG);
DUMP_EXT_ACL_TYPE(TAG);
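Review bot: The hand-written case for `EXT_ACL_USERNAME` sits among `DUMP_EXT_ACL_TYPE(...)` lines with nothing explaining why the macro is not used. Presumably it is because the token `%un` does not match the enum suffix, but the macro definition is outside the hunk. A one-line comment above the case would save the next reader the lookup: `// %un does not follow the EXT_ACL_<TOKEN> naming, so it is dumped by hand`.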
@@ -1104,6 +1110,17 @@
case _external_acl_format::EXT_ACL_EXT_USER:
str = request->extacl_user.termedBuf();
break;
+ case _external_acl_format::EXT_ACL_USERNAME:
+ // find any name from: auth, ext ACL, ssl cert, and rfc931
usernames; in that order of preference.
+ if (!str && ch->auth_user_request != NULL)
+ str = ch->auth_user_request->username();
+ if(!str && strcmp(request->extacl_user.termedBuf(), "-") != 0)
+ str = request->extacl_user.termedBuf();
+ // TODO ssl client certificate name
+ // TODO rfc931 user identity
+
+ // TODO apply URL-encoding
+ break;
#endif
case _external_acl_format::EXT_ACL_EXT_LOG:
str = request->extacl_log.termedBuf();
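Review bot: The `strcmp(request->extacl_user.termedBuf(), "-")` call in the new `EXT_ACL_USERNAME` case passes on whatever `termedBuf()` returns, so if an unset String yields NULL there (not visible here, confirm) a request with no earlier external ACL username would crash the worker. Checking the length first avoids that: `if (!str && request->extacl_user.size() > 0 && strcmp(request->extacl_user.termedBuf(), "-") != 0)`. The `!str` tests also rely on `str` being NULL on entry to the case, and its initialisation is outside the hunk. The name reaches the helper without the encoding the TODO mentions, so unless the code after the switch quotes `str`, a name containing whitespace could shift the fields the helper parses. The switch continues beyond this hunk.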