Merge pull request #2779 from owncloud/claim-selector-basic-auth

changelog/unreleased/fix-basic-auth-route-claim-selector.md

@@ -0,0 +1,8 @@
+Bugfix: Fix claim selector based routing for basic auth
+
+We've fixed the claim selector based routing for requests using basic auth.
+Previously requests using basic auth have always been routed to the DefaultPolicy when using the claim selector despite the set cookie because the basic auth middleware fakes some OIDC claims.
+
+Now the cookie is checked before routing to the DefaultPolicy and therefore set cookie will also be respected for requests using basic auth.
+
+https://github.com/owncloud/ocis/pull/2779

proxy/pkg/proxy/policy/selector.go

@@ -165,19 +165,33 @@ func NewMigrationSelector(cfg *config.MigrationSelectorConf, ss accounts.Account
 func NewClaimsSelector(cfg *config.ClaimsSelectorConf) Selector {
 	return func(r *http.Request) (s string, err error) {
 
+		selectorCookie := func(r *http.Request) string {
+			selectorCookie, err := r.Cookie(cfg.SelectorCookieName)
+			if err == nil {
+				// TODO check we know the routing policy?
+				return selectorCookie.Value
+			}
+			return ""
+		}
+
 		// first, try to route by selector
 		if claims := oidc.FromContext(r.Context()); claims != nil {
 			if p, ok := claims[oidc.OcisRoutingPolicy].(string); ok && p != "" {
 				// TODO check we know the routing policy?
 				return p, nil
 			}
+
+			// basic auth requests don't have a routing claim, so check for the cookie
+			if s := selectorCookie(r); s != "" {
+				return s, nil
+			}
+
 			return cfg.DefaultPolicy, nil
 		}
 
 		// use cookie if provided
-		selectorCookie, err := r.Cookie(cfg.SelectorCookieName)
-		if err == nil {
-			return selectorCookie.Value, nil
+		if s := selectorCookie(r); s != "" {
+			return s, nil
 		}
 
 		return cfg.UnauthenticatedPolicy, nil