fixup: NXD blob/auth: Basic Auth and raw url can now work with previous patches

internal/api/auth.go

@@ -318,7 +318,7 @@ func (a *API) verifyDownloadAccess(project string, user *url.Userinfo, query str
 	// handled by upstream auth backend for git requests only, and we might
 	// want to use e.g. https://gitlab-ci-token:token@/.../raw/...
 	//if authReply.RepoPath != "" || query != "" || len(header) != 0 {
-	if authReply.Repository.RelativePath != "" || query != "" || len(header) != 0 {
+	if authReply.RawReply.Code == http.StatusOK || query != "" || len(header) != 0 {
 		return authReply
 	}
 	if user == nil {

internal/config/config.go

@@ -54,6 +54,7 @@ type Config struct {
 	APIQueueLimit            uint          `toml:"-"`
 	APIQueueTimeout          time.Duration `toml:"-"`
 	APICILongPollingDuration time.Duration `toml:"-"`
+	RepoPath                 string        `toml:"-"`
 }
 
 // LoadConfig from a file

internal/git/xblob.go

@@ -23,15 +23,15 @@ import (
 )
 
 // HTTP handler for `.../raw/<ref>/path`
-func GetBlobRaw(a *api.API) http.Handler {
+func GetBlobRaw(a *api.API, repoPath string) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		handleGetBlobRaw(a, w, r)
+		handleGetBlobRaw(a, w, r, repoPath)
 	})
 }
 
 var rawRe = regexp.MustCompile(`/raw/`)
 
-func handleGetBlobRaw(a *api.API, w http.ResponseWriter, r *http.Request) {
+func handleGetBlobRaw(a *api.API, w http.ResponseWriter, r *http.Request, repoPath string) {
 	// Extract project & refpath
 	// <project>/raw/branch/file -> <project>, branch/file
 	u := r.URL
@@ -52,8 +52,8 @@ func handleGetBlobRaw(a *api.API, w http.ResponseWriter, r *http.Request) {
 
 	// Query download access auth for this project
 	authReply := a.VerifyDownloadAccess(project, user, u.RawQuery, r.Header)
-	//if authReply.RepoPath == "" {
-        if authReply.Repository.RelativePath == "" {
+  //if authReply.Repository.RelativePath == "" {
+  if authReply.RawReply.Code != http.StatusOK {
 		// access denied - copy auth reply to client in full -
 		// there are HTTP code and other headers / body relevant for
 		// about why access was denied.
@@ -71,7 +71,8 @@ func handleGetBlobRaw(a *api.API, w http.ResponseWriter, r *http.Request) {
 	}
 
 	// Access granted - we can emit the blob
-	emitBlob(w, authReply.Repository.RelativePath, refpath, r)
+	p := repoPath + project + ".git"
+	emitBlob(w, p, refpath, r)
 }
 
 

internal/upstream/routes.go

@@ -189,7 +189,7 @@ func (u *upstream) configureRoutes() {
 		route("PUT", gitProjectPattern+`gitlab-lfs/objects/([0-9a-f]{64})/([0-9]+)\z`, lfs.PutStore(api, signingProxy), withMatcher(isContentType("application/octet-stream"))),
 
 		// Raw blobs
-		route("GET", projectPattern + `raw/`, git.GetBlobRaw(api)),
+		route("GET", projectPattern + `raw/`, git.GetBlobRaw(api, u.RepoPath)),
 
 		// CI Artifacts
 		route("POST", apiPattern+`v4/jobs/[0-9]+/artifacts\z`, contentEncodingHandler(artifacts.UploadArtifacts(api, signingProxy))),

main.go

@@ -60,6 +60,8 @@ var apiCiLongPollingDuration = flag.Duration("apiCiLongPollingDuration", 50, "Lo
 
 var prometheusListenAddr = flag.String("prometheusListenAddr", "", "Prometheus listening address, e.g. 'localhost:9229'")
 
+var repoPath = flag.String("repoPath", "", "Gitlab repositorie folder")
+
 var logConfig = logConfiguration{}
 
 func init() {
@@ -155,6 +157,7 @@ func main() {
 		APIQueueLimit:            *apiQueueLimit,
 		APIQueueTimeout:          *apiQueueTimeout,
 		APICILongPollingDuration: *apiCiLongPollingDuration,
+		RepoPath:                 *repoPath,
 	}
 
 	if *configFile != "" {