X Factor out auth verification to separate function

blob.go

@@ -31,43 +31,63 @@ func blobPreAuthorizeHandler(handleFunc serviceHandleFunc) serviceHandleFunc {
 	}
 }
 
+
+// verify that download access is authorized by auth backend
+func verifyDownloadAccess(w http.ResponseWriter, r *gitRequest, project string) (downloadOk bool) {
+	downloadOk = false
+
+	// request to verify whether download is possible via asking as git fetch would do
+	// XXX privateToken not propagated, etc ...
+	reqDownloadAccess, err := http.NewRequest("GET", project + ".git/info/refs?service=git-upload-pack", nil)
+	if err != nil {
+		fail500(w, "GET git-upload-pack", err)
+		return
+	}
+
+	// swap original request to 'verify-download' one
+	//requestBlob := r.Request
+	r.Request = reqDownloadAccess
+
+	preAuthorizeHandler(
+		func(w http.ResponseWriter, r *gitRequest) {
+			// if we ever get to this point - auth handler approved
+			// access and thus it is ok to download
+			downloadOk = true
+		}, "") (w, r)
+	return
+}
+
+
+
+var projectRe = regexp.MustCompile(`^/[\w\.-]+/[\w\.-]+/`)
+
 func handleGetBlobRaw(w http.ResponseWriter, r *gitRequest) {
 	Tstart := time.Now()
 
 	// extract project & refpath
 	// /namespace/project/raw/branch/file -> /namespace/project, branch/file
-	projectRe := regexp.MustCompile(`^/[\w\.-]+/[\w\.-]+/`)
 	project := projectRe.FindString(r.Request.URL.Path)
 	refpath := r.Request.URL.Path[len(project):]
 	if project == "" {
 		fail500(w, "extract project name", nil)
 		return
 	}
-	//assert project[-1] == "/"
+	// assert project[-1] == "/"
 	project = project[:len(project)-1]
 
+	// assert refpath[:4] == "raw/"
 	if refpath[:4] != "raw/" {
 		fail500(w, "refpath != raw/...", nil)
 		return
 	}
 	refpath = refpath[4:]
-	//log.Printf("BLOB1 %v %v", project, refpath)
 
-	// request to verify whether download is possible via asking as git fetch would do
-	// XXX privateToken not propagated, etc ...
-	reqDownloadAccess, err := http.NewRequest("GET", project + ".git/info/refs?service=git-upload-pack", nil)
-	if err != nil {
-		fail500(w, "GET git-upload-pack", err)
+	if !verifyDownloadAccess(w, r, project) {
+		// XXX verifyDownloadAccess already emitted 403 headers etc ...
 		return
 	}
 
-	// swap original request to 'verify-download' one
-	//requestBlob := r.Request
-	r.Request = reqDownloadAccess
-
-	preAuthorizeHandler(func(w http.ResponseWriter, r *gitRequest) {
-			handleGetBlobRaw2(w, r, refpath)
-		}, "") (w, r)
+	handleGetBlobRaw2(w, r, refpath)
 
 	Tend := time.Now()
 
@@ -105,9 +125,9 @@ func handleGetBlobRaw2(w http.ResponseWriter, r *gitRequest, refpath string) {
 	//setRawHeaders(...)
 	w.WriteHeader(200)	// XXX too early
 	//_, err = io.Copy(os.Stdout, blobStdout)
-	if err != nil {
-		panic(err)
-	}
+	//if err != nil {
+	//	panic(err)
+	//}
 	if _, err := io.Copy(w, blobStdout); err != nil {
 		logContext("io.Copy", err)
 		return