Add cookie-pass-not-exclude config

CHANGES.rst

@@ -4,6 +4,8 @@ Changelog
 6.0.13 (unreleased)
 -------------------
 
+- Add `cookie-pass-not-exclude` config [mamico]
+
 - Use Varnish 6.0.13 LTS [mamico]
 
 - Add vcl_synth options to insert arbitrary vcl. [mamico]

README.rst

@@ -285,6 +285,11 @@ These options are available for the recipe part plone.recipe.varnish:configurati
     When an authenticated user requests a js/css/kss file,
     Plone will see you as anonymous because no cookies reach Plone.
 
+``cookie-pass-not-exclude``
+    If url matches this regexp, ``cookie-pass`` exclude rules are skipped. This is useful
+    for url like ``++resource++zmi`` that requires authentication also for resources
+    like js, css, ...
+
 ``cookie-whitelist``
     When the ``cookie-pass`` is processed and does not match, this means you are
     anonymous, at least with the default ``cookie-pass`` settings.

plone/recipe/varnish/recipe.py

@@ -30,6 +30,7 @@
 "auth_token|__ac(|_(name|password|persistent))=":"\.(js|css|kss)$"
 """  # noqa: W605
 COOKIE_PASS_RE = re.compile('"(.*)":"(.*)"')
+COOKIE_PASS_NOT_EXCLUDE_DEFAULT = "/\\+\\+resource\\+\\+zmi/"
 
 
 class BaseRecipe(object):
@@ -155,6 +156,9 @@ def __init__(self, buildout, name, options):
         self.options.setdefault("between-bytes-timeout", "60s")
         self.options.setdefault("purge-hosts", "")
         self.options.setdefault("cookie-pass", COOKIE_PASS_DEFAULT)
+        self.options.setdefault(
+            "cookie-pass-not-exclude", COOKIE_PASS_NOT_EXCLUDE_DEFAULT
+        )
         self.options.setdefault("cookie-whitelist", COOKIE_WHITELIST_DEFAULT)
         # Set default vcl_hash function so it doesn't use the default.vcl hostname
         self.options.setdefault("vcl_hash", DEFAULT_VCL_HASH)
@@ -287,6 +291,7 @@ def create_varnish_configuration(self):
             if not mg and len(mg) != 2:
                 continue
             config["cookiepass"].append(dict(zip(("match", "exclude"), mg)))
+        config["cookiepassnotexclude"] = self.options["cookie-pass-not-exclude"]
         # inject custom vcl
         config["custom"] = {}
         for name in (

plone/recipe/varnish/templates/varnish6.vcl.jinja2

@@ -147,7 +147,7 @@ sub vcl_recv {
     {# this part need review #}
     set req.http.UrlNoQs = regsub(req.url, "\?.*$", "");
     if (req.http.Cookie && req.http.Cookie ~ "{{rule['match']}}") {
-        if (req.http.UrlNoQs ~ "{{rule['exclude']}}") {
+        if (req.url !~ "{{cookiepassnotexclude}}" && req.http.UrlNoQs ~ "{{rule['exclude']}}") {
             unset req.http.cookie;
             return(pipe);
         }

plone/recipe/varnish/tests/vclgen.rst

@@ -72,6 +72,7 @@ Basic check::
     ...         {'match': '__ac(|_(name|password|persistent))=',
     ...          'exclude': '\.(js|css|kss)' }
     ...     ],
+    ...     'cookiepassnotexclude': '/\\+\\+resource\\+\\+zmi/',
     ...     'gracehealthy': '10s',
     ...     'gracesick': '1h',
     ...     'code404page' : True,
@@ -274,6 +275,7 @@ When gracehealthy is set, probes for the backend are activated::
     ...         {'match': '__ac(|_(name|password|persistent))=',
     ...          'exclude': '\.(js|css|kss)' }
     ...     ],
+    ...     'cookiepassnotexclude': '/\\+\\+resource\\+\\+zmi/',
     ...     'gracehealthy': '10s',
     ...     'gracesick': '1h',
     ...     'code404page' : True,

plone/recipe/varnish/vclgen.py

@@ -120,6 +120,7 @@ def __call__(self):
         data["custom"] = self.cfg["custom"]
         data["cookiewhitelist"] = self.cfg["cookiewhitelist"]
         data["cookiepass"] = self.cfg["cookiepass"]
+        data["cookiepassnotexclude"] = self.cfg["cookiepassnotexclude"]
         data["code404page"] = self.cfg["code404page"]
         data["gracehealthy"] = self.cfg["gracehealthy"]
         data["gracesick"] = self.cfg["gracesick"]