fixup! NXD Teach gitlab-workhorse to serve requests to get raw blobs

During 0.6.4..0.6.5 upstream reworked the way request about downloading
archive is replied. Before it was json in body, after it is json in
headers handled via so-called "senddata" workhorse mechanism:

    https://gitlab.com/gitlab-org/gitlab-workhorse/commit/153527fb

Adjust our patch accordingly about requesting whether it is ok to
download from repository or not.

internal/api/auth.go

@@ -2,7 +2,11 @@
 package api
 
 import (
+	"../badgateway"
 	"../helper"
+	proxypkg "../proxy"
+	"../senddata"
+	"../sendfile"
 	"fmt"
 	"net/http"
 	"net/http/httptest"
@@ -19,6 +23,24 @@ type AuthReply struct {
 	Response
 }
 
+// for detecting whether archive download is ok via senddata mechanism
+type testDownloadOkViaSendArchive struct {
+	senddata.Prefix
+	authReply *AuthReply
+}
+
+func (aok *testDownloadOkViaSendArchive) Inject(w http.ResponseWriter, r *http.Request, sendData string) {
+	var param struct{ RepoPath string }
+	if err := aok.Unpack(&param, sendData); err != nil {
+		helper.Fail500(w, fmt.Errorf("testDownloadOkViaSendArchive: unpack sendData: %v", err))
+		return
+	}
+
+	// if we ever get to this point - auth handler approved
+	// access and thus it is ok to download
+	aok.authReply.RepoPath = param.RepoPath
+}
+
 // Ask auth backend about whether download is ok for a project.
 // Authorization is approved if AuthReply.RepoPath != "" on return
 // Raw auth backend response is emitted to AuthReply.RawReply
@@ -46,12 +68,18 @@ func (a *API) VerifyDownloadAccess(project, query string, header http.Header) Au
 		reqDownloadAccess.Header[k] = v
 	}
 
-	a.PreAuthorizeHandler(
-		func(w http.ResponseWriter, req *http.Request, resp *Response) {
-			// if we ever get to this point - auth handler approved
-			// access and thus it is ok to download
-			authReply.Response = *resp
-		}, "").ServeHTTP(authReply.RawReply, reqDownloadAccess)
+	// Send request to auth backend and detect via aok senddata hook
+	// whether access is permitted.
+	aok := &testDownloadOkViaSendArchive{"git-archive:", &authReply}
+	authProxy := senddata.SendData(
+		sendfile.SendFile(proxypkg.NewProxy(
+			a.URL,
+			a.Version,
+			a.Client.Transport.(*badgateway.RoundTripper),
+		)),
+		aok,
+	)
+	authProxy.ServeHTTP(authReply.RawReply, reqDownloadAccess)
 
 	return authReply
 }

main_test.go

@@ -10,6 +10,8 @@ import (
 	"io/ioutil"
 	"net/http"
 	"net/http/httptest"
+	"net/http/httputil"
+	"net/url"
 	"os"
 	"os/exec"
 	"path"
@@ -796,7 +798,7 @@ func (dl DownloadContext) ExpectCode(path string, code int) {
 
 func TestBlobDownload(t *testing.T) {
 	// Prepare test server and "all-ok" auth backend
-	ts := testAuthServer(nil, 200, gitOkBody(t))
+	ts := archiveOKServer(t, "")
 	defer ts.Close()
 	ws := startWorkhorseServer(ts.URL)
 	defer ws.Close()
@@ -838,13 +840,15 @@ func TestPrivateBlobDownload(t *testing.T) {
 			return
 		}
 
-		data, err := json.Marshal(gitOkBody(t))
+		// for authorized .../repository/archive.zip reply the same way archiveOKServer does.
+		aok := archiveOKServer(t, "")
+		defer aok.Close()
+		aokurl, err := url.Parse(aok.URL)
 		if err != nil {
 			t.Fatal(err)
 		}
-
-		w.WriteHeader(200)
-		w.Write(data)
+		proxy := httputil.NewSingleHostReverseProxy(aokurl)
+		proxy.ServeHTTP(w, r)
 	})
 	defer ts.Close()
 	ws := startWorkhorseServer(ts.URL)