From 6928090b4b7354018348a5714fbde0a2349490ec Mon Sep 17 00:00:00 2001
From: Graham Leggett
Date: Tue, 16 Apr 2013 20:01:22 +0000
Subject: [PATCH] mod_auth_basic: Allow AuthBasicFake to be switched off for an URL space.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1468581 13f79535-47bb-0310-9956-ffa450edef68
---
 docs/manual/mod/mod_auth_basic.xml | 16 +++++++--
 modules/aaa/mod_auth_basic.c | 56 +++++++++++++++++++++---------
 2 files changed, 53 insertions(+), 19 deletions(-)
diff --git a/docs/manual/mod/mod_auth_basic.xml b/docs/manual/mod/mod_auth_basic.xml
index 299eccaa36..1e22d0a5c4 100644
--- a/docs/manual/mod/mod_auth_basic.xml
+++ b/docs/manual/mod/mod_auth_basic.xml
@@ -113,7 +113,7 @@ lower level modules AuthBasicFake Fake basic authentication using the given expressions for username and password
-AuthBasicFake username password
+AuthBasicFake off|username [password]
 none directory.htaccess
@@ -127,6 +127,10 @@ username and password which allows both the username and password to be set based on request parameters.

+

If the password is not specified, the default value "password" + will be used. To disable fake basic authentication for an URL + space, specify "AuthBasicFake off".

+

In this example, we pass a fixed username and password to a backend server.

@@ -147,7 +151,7 @@ username and password Certificate Example <Location /secure>
- AuthBasicFake %{SSL_CLIENT_S_DN_Email} password
+ AuthBasicFake %{SSL_CLIENT_S_DN_Email}
 </Location>
@@ -165,6 +169,14 @@ username and password
+ Exclusion Example
+
+<Location /public>
+ AuthBasicFake off
+</Location>
+
+
+
diff --git a/modules/aaa/mod_auth_basic.c b/modules/aaa/mod_auth_basic.c
index 9d451b6344..8c1367b30a 100644
--- a/modules/aaa/mod_auth_basic.c
+++ b/modules/aaa/mod_auth_basic.c
@@ -130,26 +130,47 @@ static const char *set_authoritative(cmd_parms * cmd, void *config, int flag)
 return NULL;
 }
-static const char *add_basic_fake(cmd_parms * cmd, void *config, const char *user, const char *pass)
+static const char *add_basic_fake(cmd_parms * cmd, void *config,
+ const char *user, const char *pass)
 {
 auth_basic_config_rec *conf = (auth_basic_config_rec *) config;
 const char *err;
- conf->fakeuser = ap_expr_parse_cmd(cmd, user, AP_EXPR_FLAG_STRING_RESULT,
- &err, NULL);
- if (err) {
- return apr_psprintf(cmd->pool,
- "Could not parse fake username expression '%s': %s",
- user, err);
+ if (!strcasecmp(user, "off")) {
+
+ conf->fakeuser = NULL;
+ conf->fakepass = NULL;
+ conf->fake_set = 1;
+
 }
- conf->fakepass = ap_expr_parse_cmd(cmd, pass, AP_EXPR_FLAG_STRING_RESULT,
- &err, NULL);
- if (err) {
- return apr_psprintf(cmd->pool,
- "Could not parse fake password expression '%s': %s",
- user, err);
+ else {
+
+ /* if password is unspecified, set it to the fixed string "password" to
+ * be compatible with the behaviour of mod_ssl.
+ */
+ if (!pass) {
+ pass = "password";
+ }
+
+ conf->fakeuser =
+ ap_expr_parse_cmd(cmd, user, AP_EXPR_FLAG_STRING_RESULT,
+ &err, NULL);
+ if (err) {
+ return apr_psprintf(cmd->pool,
+ "Could not parse fake username expression '%s': %s", user,
+ err);
+ }
+ conf->fakepass =
+ ap_expr_parse_cmd(cmd, pass, AP_EXPR_FLAG_STRING_RESULT,
+ &err, NULL);
+ if (err) {
+ return apr_psprintf(cmd->pool,
+ "Could not parse fake password expression '%s': %s", user,
+ err);
+ }
+ conf->fake_set = 1;
+
 }
- conf->fake_set = 1;
 return NULL;
 }
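Review bot: The password branch of add_basic_fake still passes `user` to the "Could not parse fake password expression" message, so a broken password expression is reported with the username text; the arguments should read `"Could not parse fake password expression '%s': %s", pass,` followed by `err);`. With the directive now registered as AP_INIT_TAKE12, `AuthBasicFake off` followed by a second argument is accepted and that argument is silently ignored; returning an error when `pass` is non-NULL in the "off" branch would surface the misconfiguration. The comment on the default would also be more useful if it said that the backend then receives the same publicly documented password on every request, for example `/* NOTE: "password" is a fixed, well-known value; the backend must accept these credentials only from this server */`.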
@@ -161,9 +182,10 @@ static const command_rec auth_basic_cmds[] =
 AP_INIT_FLAG("AuthBasicAuthoritative", set_authoritative, NULL, OR_AUTHCFG,
 "Set to 'Off' to allow access control to be passed along to "
 "lower modules if the UserID is not known to this module"),
- AP_INIT_TAKE2("AuthBasicFake", add_basic_fake, NULL, OR_AUTHCFG,
+ AP_INIT_TAKE12("AuthBasicFake", add_basic_fake, NULL, OR_AUTHCFG,
 "Fake basic authentication using the given expressions for "
- "username and password"),
+ "username and password, 'off' to disable. Password defaults "
+ "to 'password' if missing."),
 {NULL}
 };
@@ -365,7 +387,7 @@ static int authenticate_basic_fake(request_rec *r)
 auth_basic_config_rec *conf = ap_get_module_config(r->per_dir_config, &auth_basic_module);
- if (!conf->fake_set) {
+ if (!conf->fakeuser) {
 return DECLINED;
 }
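Review bot: In authenticate_basic_fake the test `if (!conf->fakeuser)` now means "unset or switched off", while `fake_set` is left as an inheritance marker only, and nothing on the new side records that. A comment above the test would do it, such as `/* fakeuser is NULL when AuthBasicFake is unset or "off"; fake_set only tells the merge that the directive was seen */`. Whether `AuthBasicFake off` in a nested section actually stops the parent's credentials from being sent to the backend depends on the per-directory merge taking the child's NULL values when `fake_set` is 1. That merge function is not shown in this patch and should be checked, ideally with a test for the /public example. The body of authenticate_basic_fake continues outside the hunk.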