fixup: NXD blob/auth: Basic Auth and raw url can now work with previous patches

workhorse/internal/api/auth.go

@@ -318,7 +318,7 @@ func (a *API) verifyDownloadAccess(project string, user *url.Userinfo, query str
 	// handled by upstream auth backend for git requests only, and we might
 	// want to use e.g. https://gitlab-ci-token:token@/.../raw/...
 	//if authReply.RepoPath != "" || query != "" || len(header) != 0 {
-	if authReply.Repository.RelativePath != "" || query != "" || len(header) != 0 {
+	if authReply.RawReply.Code == http.StatusOK || query != "" || len(header) != 0 {
 		return authReply
 	}
 	if user == nil {

workhorse/internal/config/config.go

@@ -106,6 +106,7 @@ type Config struct {
 	PropagateCorrelationID   bool                     `toml:"-"`
 	ImageResizerConfig       ImageResizerConfig       `toml:"image_resizer"`
 	AltDocumentRoot          string                   `toml:"alt_document_root"`
+	RepoPath                 string                   `toml:"-"`
 }
 
 var DefaultImageResizerConfig = ImageResizerConfig{

workhorse/internal/git/xblob.go

@@ -23,15 +23,15 @@ import (
 )
 
 // HTTP handler for `.../raw/<ref>/path`
-func GetBlobRaw(a *api.API) http.Handler {
+func GetBlobRaw(a *api.API, repoPath string) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		handleGetBlobRaw(a, w, r)
+		handleGetBlobRaw(a, w, r, repoPath)
 	})
 }
 
 var rawRe = regexp.MustCompile(`/raw/`)
 
-func handleGetBlobRaw(a *api.API, w http.ResponseWriter, r *http.Request) {
+func handleGetBlobRaw(a *api.API, w http.ResponseWriter, r *http.Request, repoPath string) {
 	// Extract project & refpath
 	// <project>/raw/branch/file -> <project>, branch/file
 	u := r.URL
@@ -52,8 +52,8 @@ func handleGetBlobRaw(a *api.API, w http.ResponseWriter, r *http.Request) {
 
 	// Query download access auth for this project
 	authReply := a.VerifyDownloadAccess(project, user, u.RawQuery, r.Header)
-	//if authReply.RepoPath == "" {
-        if authReply.Repository.RelativePath == "" {
+  //if authReply.Repository.RelativePath == "" {
+  if authReply.RawReply.Code != http.StatusOK {
 		// access denied - copy auth reply to client in full -
 		// there are HTTP code and other headers / body relevant for
 		// about why access was denied.
@@ -71,7 +71,8 @@ func handleGetBlobRaw(a *api.API, w http.ResponseWriter, r *http.Request) {
 	}
 
 	// Access granted - we can emit the blob
-	emitBlob(w, authReply.Repository.RelativePath, refpath, r)
+	p := repoPath + project + ".git"
+	emitBlob(w, p, refpath, r)
 }
 
 

workhorse/internal/upstream/routes.go

@@ -237,7 +237,7 @@ func configureRoutes(u *upstream) {
 		u.route("PUT", gitProjectPattern+`gitlab-lfs/objects/([0-9a-f]{64})/([0-9]+)\z`, lfs.PutStore(api, signingProxy, preparers.lfs), withMatcher(isContentType("application/octet-stream"))),
 
 		// Raw blobs
-		u.route("GET", projectPattern + `raw/`, git.GetBlobRaw(api)),
+		u.route("GET", projectPattern+`raw/`, git.GetBlobRaw(api, u.RepoPath)),
 
 		// CI Artifacts
 		u.route("POST", apiPattern+`v4/jobs/[0-9]+/artifacts\z`, contentEncodingHandler(artifacts.UploadArtifacts(api, signingProxy, preparers.artifacts))),

workhorse/main.go

@@ -104,6 +104,7 @@ func buildConfig(arg0 string, args []string) (*bootConfig, *config.Config, error
 	fset.DurationVar(&cfg.APIQueueTimeout, "apiQueueDuration", queueing.DefaultTimeout, "Maximum queueing duration of requests")
 	fset.DurationVar(&cfg.APICILongPollingDuration, "apiCiLongPollingDuration", 50, "Long polling duration for job requesting for runners (default 50s - enabled)")
 	fset.BoolVar(&cfg.PropagateCorrelationID, "propagateCorrelationID", false, "Reuse existing Correlation-ID from the incoming request header `X-Request-ID` if present")
+	fset.StringVar(&cfg.RepoPath, "repoPath", "", "Gitlab repositorie folder")
 
 	if err := fset.Parse(args); err != nil {
 		return nil, nil, alreadyPrintedError{err}