From d85def9b8875738cbb83a0b480c8ae18c4394865 Mon Sep 17 00:00:00 2001
From: Willy Kloucek
Date: Thu, 18 Nov 2021 15:29:05 +0100
Subject: [PATCH] check cookie for before we fall back to the default policy
---
.../fix-basic-auth-route-claim-selector.md | 8 ++++++++
proxy/pkg/proxy/policy/selector.go | 20 ++++++++++++++++---
2 files changed, 25 insertions(+), 3 deletions(-)
create mode 100644 changelog/unreleased/fix-basic-auth-route-claim-selector.md
diff --git a/changelog/unreleased/fix-basic-auth-route-claim-selector.md b/changelog/unreleased/fix-basic-auth-route-claim-selector.md
new file mode 100644
index 000000000..9e0012717
--- /dev/null
+++ b/changelog/unreleased/fix-basic-auth-route-claim-selector.md
@@ -0,0 +1,8 @@
+Bugfix: Fix claim selector based routing for basic auth
+
+We've fixed the claim selector based routing for requests using basic auth.
+Previously requests using basic auth have always been routed to the DefaultPolicy when using the claim selector despite the set cookie because the basic auth middleware fakes some OIDC claims.
+
+Now the cookie is checked before routing to the DefaultPolicy and therefore set cookie will also be respected for requests using basic auth.
+
+https://github.com/owncloud/ocis/pull/2779
diff --git a/proxy/pkg/proxy/policy/selector.go b/proxy/pkg/proxy/policy/selector.go
index b54d54fe4..7f1638e93 100644
--- a/proxy/pkg/proxy/policy/selector.go
+++ b/proxy/pkg/proxy/policy/selector.go
@@ -165,19 +165,33 @@ func NewMigrationSelector(cfg *config.MigrationSelectorConf, ss accounts.Account func NewClaimsSelector(cfg *config.ClaimsSelectorConf) Selector { return func(r *http.Request) (s string, err error) { + selectorCookie := func(r *http.Request) string { + selectorCookie, err := r.Cookie(cfg.SelectorCookieName) + if err == nil { + // TODO check we know the routing policy? + return selectorCookie.Value + } + return "" + } + // first, try to route by selector if claims := oidc.FromContext(r.Context()); claims != nil { if p, ok := claims[oidc.OcisRoutingPolicy].(string); ok && p != "" { // TODO check we know the routing policy? return p, nil } + + // basic auth requests don't have a routing claim, so check for the cookie + if s := selectorCookie(r); s != "" { + return s, nil + } + return cfg.DefaultPolicy, nil } // use cookie if provided - selectorCookie, err := r.Cookie(cfg.SelectorCookieName) - if err == nil { - return selectorCookie.Value, nil + if s := selectorCookie(r); s != "" { + return s, nil } return cfg.UnauthenticatedPolicy, nil
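Review bot: The new `selectorCookie` helper returns the cookie value as the policy name without checking it against the configured policies, and the added branch under `claims != nil` now applies that unchecked value to authenticated requests as well, ahead of `cfg.DefaultPolicy`. A cookie is set by the client, so any request that carries claims but no `oidc.OcisRoutingPolicy` claim (per the description that includes basic auth, and presumably OIDC tokens lacking the claim) gets to choose its own routing policy. The existing `// TODO check we know the routing policy?` should be resolved before widening the cookie's reach: accept the value only when it names a known policy and otherwise fall through to the default, e.g. `if s := selectorCookie(r); s != "" && isKnownPolicy(s) { return s, nil }`, where `isKnownPolicy` is a placeholder for a lookup this hunk does not show. The inner `selectorCookie, err :=` also shadows both the helper's own name and the named result `err`, and `s :=` shadows the named result `s`; distinct local names would make the two return paths easier to audit. The closure's closing braces lie outside the hunk.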