1 files changed, 138 insertions, 20 deletions
diff --git a/cmd/git-lfs-server/main.go b/cmd/git-lfs-server/main.go
index 191a696..c7feeff 100644
--- a/cmd/git-lfs-server/main.go
+++ b/cmd/git-lfs-server/main.go
@@ -163,19 +163,35 @@ func (h *handler) handleDownloadObject(ctx context.Context, repo string, obj par
                return makeObjError(obj, "Failed to query object information", http.StatusInternalServerError)
        }
        if info.ChecksumSHA256 != "" && strings.ToLower(info.ChecksumSHA256) != obj.fullHash {
-                return makeObjError(obj, "Corrupted file", http.StatusUnprocessableEntity)
+                return makeObjError(obj, "Object corrupted", http.StatusUnprocessableEntity)
        }
        if info.Size != obj.size {
-                return makeObjError(obj, "Incorrect size specified for object", http.StatusUnprocessableEntity)
+                return makeObjError(obj, "Incorrect size specified for object or object currupted", http.StatusUnprocessableEntity)
        }
-        presigned, err := h.mc.PresignedGetObject(ctx, h.bucket, fullPath, expiresIn, url.Values{})
+        claims := handleObjectCustomClaims{
+                Gitolfs3: handleObjectGitolfs3Claims{
+                        Type:       "basic-transfer",
+                        Operation:  operationDownload,
+                        Repository: repo,
+                        OID:        obj.fullHash,
+                        Size:       obj.size,
+                },
+                RegisteredClaims: &jwt.RegisteredClaims{
+                        IssuedAt:  jwt.NewNumericDate(time.Now()),
+                        ExpiresAt: jwt.NewNumericDate(time.Now().Add(expiresIn)),
+                },
+        }
+        token := jwt.NewWithClaims(jwt.SigningMethodEdDSA, claims)
+        ss, err := token.SignedString(h.privateKey)
        if err != nil {
                // TODO: consider not making this an object-specific, but rather a
                // generic error such that the entire Batch API request fails.
-                reqlog(ctx, "Failed to generate action href (full path: %s): %s", fullPath, err)
+                reqlog(ctx, "Fatal: failed to generate JWT: %s", err)
-                return makeObjError(obj, "Failed to generate action href", http.StatusInternalServerError)
+                return makeObjError(obj, "Failed to generate token", http.StatusInternalServerError)
        }
+        uploadPath := path.Join(repo+".git", "info/lfs/objects", obj.firstByte, obj.secondByte, obj.fullHash)
        authenticated := true
        return batchResponseObject{
@@ -184,21 +200,26 @@ func (h *handler) handleDownloadObject(ctx context.Context, repo string, obj par
                Authenticated: &authenticated,
                Actions: map[operation]batchAction{
                        operationDownload: {
-                                HRef:      presigned.String(),
+                                Header: map[string]string{
+                                        "Authorization": "Bearer " + ss,
+                                },
+                                HRef:      h.baseURL.ResolveReference(&url.URL{Path: uploadPath}).String(),
                                ExpiresIn: int64(expiresIn.Seconds()),
                        },
                },
        }
 }
-type uploadObjectGitolfs3Claims struct {
+type handleObjectGitolfs3Claims struct {
-        Repository string `json:"repository"`
+        Type       string    `json:"type"`
-        OID        string `json:"oid"`
+        Operation  operation `json:"operation"`
-        Size       int64  `json:"size"`
+        Repository string    `json:"repository"`
+        OID        string    `json:"oid"`
+        Size       int64     `json:"size"`
 }
-type uploadObjectCustomClaims struct {
+type handleObjectCustomClaims struct {
-        Gitolfs3 uploadObjectGitolfs3Claims `json:"gitolfs3"`
+        Gitolfs3 handleObjectGitolfs3Claims `json:"gitolfs3"`
        *jwt.RegisteredClaims
 }
@@ -221,8 +242,10 @@ func (h *handler) handleUploadObject(ctx context.Context, repo string, obj parse
        }
        expiresIn := time.Hour * 24
-        claims := uploadObjectCustomClaims{
+        claims := handleObjectCustomClaims{
-                Gitolfs3: uploadObjectGitolfs3Claims{
+                Gitolfs3: handleObjectGitolfs3Claims{
+                        Type:       "basic-transfer",
+                        Operation:  operationUpload,
                        Repository: repo,
                        OID:        obj.fullHash,
                        Size:       obj.size,
@@ -327,7 +350,7 @@ func (h *handler) handlePutObject(w http.ResponseWriter, r *http.Request, repo,
        }
        authz = strings.TrimPrefix(authz, "Bearer ")
-        var claims uploadObjectCustomClaims
+        var claims handleObjectCustomClaims
        _, err := jwt.ParseWithClaims(authz, &claims, func(token *jwt.Token) (any, error) {
                if _, ok := token.Method.(*jwt.SigningMethodEd25519); !ok {
                        return nil, fmt.Errorf("expected signing method EdDSA, got %s", token.Header["alg"])
@@ -338,6 +361,10 @@ func (h *handler) handlePutObject(w http.ResponseWriter, r *http.Request, repo,
                makeRespError(ctx, w, "Invalid token", http.StatusUnauthorized)
                return
        }
+        if claims.Gitolfs3.Type != "basic-transfer" {
+                makeRespError(ctx, w, "Invalid token", http.StatusUnauthorized)
+                return
+        }
        if claims.Gitolfs3.Repository != repo {
                makeRespError(ctx, w, "Invalid token", http.StatusUnauthorized)
                return
@@ -346,6 +373,10 @@ func (h *handler) handlePutObject(w http.ResponseWriter, r *http.Request, repo,
                makeRespError(ctx, w, "Invalid token", http.StatusUnauthorized)
                return
        }
+        if claims.Gitolfs3.Operation != operationUpload {
+                makeRespError(ctx, w, "Invalid token", http.StatusUnauthorized)
+                return
+        }
        // Check with claims
        if lengthStr := r.Header.Get("Content-Length"); lengthStr != "" {
@@ -387,6 +418,85 @@ func (h *handler) handlePutObject(w http.ResponseWriter, r *http.Request, repo,
        }
 }
+func (h *handler) handleGetObject(w http.ResponseWriter, r *http.Request, repo, oid string) {
+        ctx := r.Context()
+        authz := r.Header.Get("Authorization")
+        if authz == "" {
+                makeRespError(ctx, w, "Missing Authorization header", http.StatusBadRequest)
+                return
+        }
+        if !strings.HasPrefix(authz, "Bearer ") {
+                makeRespError(ctx, w, "Invalid Authorization header", http.StatusBadRequest)
+                return
+        }
+        authz = strings.TrimPrefix(authz, "Bearer ")
+        var claims handleObjectCustomClaims
+        _, err := jwt.ParseWithClaims(authz, &claims, func(token *jwt.Token) (any, error) {
+                if _, ok := token.Method.(*jwt.SigningMethodEd25519); !ok {
+                        return nil, fmt.Errorf("expected signing method EdDSA, got %s", token.Header["alg"])
+                }
+                return h.privateKey.Public(), nil
+        })
+        if err != nil {
+                makeRespError(ctx, w, "Invalid token", http.StatusUnauthorized)
+                return
+        }
+        if claims.Gitolfs3.Type != "basic-transfer" {
+                makeRespError(ctx, w, "Invalid token", http.StatusUnauthorized)
+                return
+        }
+        if claims.Gitolfs3.Repository != repo {
+                makeRespError(ctx, w, "Invalid token", http.StatusUnauthorized)
+                return
+        }
+        if claims.Gitolfs3.OID != oid {
+                makeRespError(ctx, w, "Invalid token", http.StatusUnauthorized)
+                return
+        }
+        if claims.Gitolfs3.Operation != operationDownload {
+                makeRespError(ctx, w, "Invalid token", http.StatusUnauthorized)
+                return
+        }
+        sha256Raw, err := hex.DecodeString(oid)
+        if err != nil || len(sha256Raw) != sha256.Size {
+                makeRespError(ctx, w, "Invalid OID", http.StatusBadRequest)
+                return
+        }
+        fullPath := path.Join(repo+".git", "lfs/objects", oid[:2], oid[2:4], oid)
+        obj, err := h.mc.GetObject(ctx, h.bucket, fullPath, minio.GetObjectOptions{})
+        var resp minio.ErrorResponse
+        if errors.As(err, &resp) && resp.StatusCode != http.StatusNotFound {
+                makeRespError(ctx, w, "Not found", http.StatusNotFound)
+                return
+        } else if err != nil {
+                reqlog(ctx, "Failed to get object: %s", err)
+                makeRespError(ctx, w, "Failed to get object", http.StatusInternalServerError)
+                return
+        }
+        stat, err := obj.Stat()
+        if err != nil {
+                reqlog(ctx, "Failed to stat: %s", err)
+                makeRespError(ctx, w, "Internal server error", http.StatusInternalServerError)
+        }
+        if stat.Size != claims.Gitolfs3.Size {
+                reqlog(ctx, "Claims size does not match S3 object size")
+                makeRespError(ctx, w, "Internal server error", http.StatusInternalServerError)
+        }
+        vr := newValidatingReader(claims.Gitolfs3.Size, sha256Raw, obj)
+        _, err = io.Copy(w, vr)
+        if errors.Is(err, errBadSum) {
+                reqlog(ctx, "Bad object checksum")
+        }
+}
 type parsedBatchObject struct {
        firstByte  string
        secondByte string
@@ -414,6 +524,7 @@ var requestIDKey requestID
 // TODO: make a shared package for this
 type lfsAuthGitolfs3Claims struct {
+        Type       string    `json:"type"`
        Repository string    `json:"repository"`
        Permission operation `json:"permission"`
 }
@@ -448,7 +559,7 @@ func (h *handler) getGitoliteAccess(repo, user, gitolitePerm string, refspec *st
        return true, nil
 }
-func (h *handler) authorize(w http.ResponseWriter, r *http.Request, or operationRequest) bool {
+func (h *handler) authorizeBatchAPI(w http.ResponseWriter, r *http.Request, or operationRequest) bool {
        user := h.anonUser
        ctx := r.Context()
@@ -471,6 +582,10 @@ func (h *handler) authorize(w http.ResponseWriter, r *http.Request, or operation
                        return false
                }
+                if claims.Gitolfs3.Type != "batch-api" {
+                        makeRespError(ctx, w, "Invalid token", http.StatusUnauthorized)
+                        return false
+                }
                if claims.Gitolfs3.Repository != or.repository {
                        makeRespError(ctx, w, "Invalid token", http.StatusUnauthorized)
                        return false
@@ -539,7 +654,7 @@ func (h *handler) handleBatchAPI(w http.ResponseWriter, r *http.Request, repo st
        if body.Ref != nil {
                or.refspec = &body.Ref.Name
        }
-        if !h.authorize(w, r.WithContext(ctx), or) {
+        if !h.authorizeBatchAPI(w, r.WithContext(ctx), or) {
                return
        }
@@ -632,12 +747,15 @@ func (h *handler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
                repo := strings.TrimPrefix(path.Clean(submatches[1]), "/")
                reqlog(ctx, "Handling object PUT for repository: %s, OID: %s", repo, oid)
-                if r.Method != http.MethodPut {
+                switch r.Method {
+                case http.MethodGet:
+                        h.handleGetObject(w, r.WithContext(ctx), repo, oid)
+                case http.MethodPut:
+                        h.handlePutObject(w, r.WithContext(ctx), repo, oid)
+                default:
                        makeRespError(ctx, w, "Method not allowed", http.StatusMethodNotAllowed)
-                        return
                }
-                h.handlePutObject(w, r.WithContext(ctx), repo, oid)
                return
        }

diff --git a/cmd/git-lfs-server/main.go b/cmd/git-lfs-server/main.go index 191a696..c7feeff 100644 --- a/cmd/git-lfs-server/main.go +++ b/cmd/git-lfs-server/main.go
@@ -163,19 +163,35 @@ func (h *handler) handleDownloadObject(ctx context.Context, repo string, obj par
163	return makeObjError(obj, "Failed to query object information", http.StatusInternalServerError)	163	return makeObjError(obj, "Failed to query object information", http.StatusInternalServerError)
164	}	164	}
165	if info.ChecksumSHA256 != "" && strings.ToLower(info.ChecksumSHA256) != obj.fullHash {	165	if info.ChecksumSHA256 != "" && strings.ToLower(info.ChecksumSHA256) != obj.fullHash {
166	return makeObjError(obj, "Corrupted file", http.StatusUnprocessableEntity)	166	return makeObjError(obj, "Object corrupted", http.StatusUnprocessableEntity)
167	}	167	}
168	if info.Size != obj.size {	168	if info.Size != obj.size {
169	return makeObjError(obj, "Incorrect size specified for object", http.StatusUnprocessableEntity)	169	return makeObjError(obj, "Incorrect size specified for object or object currupted", http.StatusUnprocessableEntity)
170	}	170	}
171		171
172	presigned, err := h.mc.PresignedGetObject(ctx, h.bucket, fullPath, expiresIn, url.Values{})	172	claims := handleObjectCustomClaims{
		173	Gitolfs3: handleObjectGitolfs3Claims{
		174	Type: "basic-transfer",
		175	Operation: operationDownload,
		176	Repository: repo,
		177	OID: obj.fullHash,
		178	Size: obj.size,
		179	},
		180	RegisteredClaims: &jwt.RegisteredClaims{
		181	IssuedAt: jwt.NewNumericDate(time.Now()),
		182	ExpiresAt: jwt.NewNumericDate(time.Now().Add(expiresIn)),
		183	},
		184	}
		185
		186	token := jwt.NewWithClaims(jwt.SigningMethodEdDSA, claims)
		187	ss, err := token.SignedString(h.privateKey)
173	if err != nil {	188	if err != nil {
174	// TODO: consider not making this an object-specific, but rather a	189	// TODO: consider not making this an object-specific, but rather a
175	// generic error such that the entire Batch API request fails.	190	// generic error such that the entire Batch API request fails.
176	reqlog(ctx, "Failed to generate action href (full path: %s): %s", fullPath, err)	191	reqlog(ctx, "Fatal: failed to generate JWT: %s", err)
177	return makeObjError(obj, "Failed to generate action href", http.StatusInternalServerError)	192	return makeObjError(obj, "Failed to generate token", http.StatusInternalServerError)
178	}	193	}
		194	uploadPath := path.Join(repo+".git", "info/lfs/objects", obj.firstByte, obj.secondByte, obj.fullHash)
179		195
180	authenticated := true	196	authenticated := true
181	return batchResponseObject{	197	return batchResponseObject{
@@ -184,21 +200,26 @@ func (h *handler) handleDownloadObject(ctx context.Context, repo string, obj par
184	Authenticated: &authenticated,	200	Authenticated: &authenticated,
185	Actions: map[operation]batchAction{	201	Actions: map[operation]batchAction{
186	operationDownload: {	202	operationDownload: {
187	HRef: presigned.String(),	203	Header: map[string]string{
		204	"Authorization": "Bearer " + ss,
		205	},
		206	HRef: h.baseURL.ResolveReference(&url.URL{Path: uploadPath}).String(),
188	ExpiresIn: int64(expiresIn.Seconds()),	207	ExpiresIn: int64(expiresIn.Seconds()),
189	},	208	},
190	},	209	},
191	}	210	}
192	}	211	}
193		212
194	type uploadObjectGitolfs3Claims struct {	213	type handleObjectGitolfs3Claims struct {
195	Repository string `json:"repository"`	214	Type string `json:"type"`
196	OID string `json:"oid"`	215	Operation operation `json:"operation"`
197	Size int64 `json:"size"`	216	Repository string `json:"repository"`
		217	OID string `json:"oid"`
		218	Size int64 `json:"size"`
198	}	219	}
199		220
200	type uploadObjectCustomClaims struct {	221	type handleObjectCustomClaims struct {
201	Gitolfs3 uploadObjectGitolfs3Claims `json:"gitolfs3"`	222	Gitolfs3 handleObjectGitolfs3Claims `json:"gitolfs3"`
202	*jwt.RegisteredClaims	223	*jwt.RegisteredClaims
203	}	224	}
204		225
@@ -221,8 +242,10 @@ func (h *handler) handleUploadObject(ctx context.Context, repo string, obj parse
221	}	242	}
222		243
223	expiresIn := time.Hour * 24	244	expiresIn := time.Hour * 24
224	claims := uploadObjectCustomClaims{	245	claims := handleObjectCustomClaims{
225	Gitolfs3: uploadObjectGitolfs3Claims{	246	Gitolfs3: handleObjectGitolfs3Claims{
		247	Type: "basic-transfer",
		248	Operation: operationUpload,
226	Repository: repo,	249	Repository: repo,
227	OID: obj.fullHash,	250	OID: obj.fullHash,
228	Size: obj.size,	251	Size: obj.size,
@@ -327,7 +350,7 @@ func (h handler) handlePutObject(w http.ResponseWriter, r http.Request, repo,
327	}	350	}
328	authz = strings.TrimPrefix(authz, "Bearer ")	351	authz = strings.TrimPrefix(authz, "Bearer ")
329		352
330	var claims uploadObjectCustomClaims	353	var claims handleObjectCustomClaims
331	_, err := jwt.ParseWithClaims(authz, &claims, func(token *jwt.Token) (any, error) {	354	_, err := jwt.ParseWithClaims(authz, &claims, func(token *jwt.Token) (any, error) {
332	if _, ok := token.Method.(*jwt.SigningMethodEd25519); !ok {	355	if _, ok := token.Method.(*jwt.SigningMethodEd25519); !ok {
333	return nil, fmt.Errorf("expected signing method EdDSA, got %s", token.Header["alg"])	356	return nil, fmt.Errorf("expected signing method EdDSA, got %s", token.Header["alg"])
@@ -338,6 +361,10 @@ func (h handler) handlePutObject(w http.ResponseWriter, r http.Request, repo,
338	makeRespError(ctx, w, "Invalid token", http.StatusUnauthorized)	361	makeRespError(ctx, w, "Invalid token", http.StatusUnauthorized)
339	return	362	return
340	}	363	}
		364	if claims.Gitolfs3.Type != "basic-transfer" {
		365	makeRespError(ctx, w, "Invalid token", http.StatusUnauthorized)
		366	return
		367	}
341	if claims.Gitolfs3.Repository != repo {	368	if claims.Gitolfs3.Repository != repo {
342	makeRespError(ctx, w, "Invalid token", http.StatusUnauthorized)	369	makeRespError(ctx, w, "Invalid token", http.StatusUnauthorized)
343	return	370	return
@@ -346,6 +373,10 @@ func (h handler) handlePutObject(w http.ResponseWriter, r http.Request, repo,
346	makeRespError(ctx, w, "Invalid token", http.StatusUnauthorized)	373	makeRespError(ctx, w, "Invalid token", http.StatusUnauthorized)
347	return	374	return
348	}	375	}
		376	if claims.Gitolfs3.Operation != operationUpload {
		377	makeRespError(ctx, w, "Invalid token", http.StatusUnauthorized)
		378	return
		379	}
349		380
350	// Check with claims	381	// Check with claims
351	if lengthStr := r.Header.Get("Content-Length"); lengthStr != "" {	382	if lengthStr := r.Header.Get("Content-Length"); lengthStr != "" {
@@ -387,6 +418,85 @@ func (h handler) handlePutObject(w http.ResponseWriter, r http.Request, repo,
387	}	418	}
388	}	419	}
389		420
		421	func (h handler) handleGetObject(w http.ResponseWriter, r http.Request, repo, oid string) {
		422	ctx := r.Context()
		423
		424	authz := r.Header.Get("Authorization")
		425	if authz == "" {
		426	makeRespError(ctx, w, "Missing Authorization header", http.StatusBadRequest)
		427	return
		428	}
		429	if !strings.HasPrefix(authz, "Bearer ") {
		430	makeRespError(ctx, w, "Invalid Authorization header", http.StatusBadRequest)
		431	return
		432	}
		433	authz = strings.TrimPrefix(authz, "Bearer ")
		434
		435	var claims handleObjectCustomClaims
		436	_, err := jwt.ParseWithClaims(authz, &claims, func(token *jwt.Token) (any, error) {
		437	if _, ok := token.Method.(*jwt.SigningMethodEd25519); !ok {
		438	return nil, fmt.Errorf("expected signing method EdDSA, got %s", token.Header["alg"])
		439	}
		440	return h.privateKey.Public(), nil
		441	})
		442	if err != nil {
		443	makeRespError(ctx, w, "Invalid token", http.StatusUnauthorized)
		444	return
		445	}
		446	if claims.Gitolfs3.Type != "basic-transfer" {
		447	makeRespError(ctx, w, "Invalid token", http.StatusUnauthorized)
		448	return
		449	}
		450	if claims.Gitolfs3.Repository != repo {
		451	makeRespError(ctx, w, "Invalid token", http.StatusUnauthorized)
		452	return
		453	}
		454	if claims.Gitolfs3.OID != oid {
		455	makeRespError(ctx, w, "Invalid token", http.StatusUnauthorized)
		456	return
		457	}
		458	if claims.Gitolfs3.Operation != operationDownload {
		459	makeRespError(ctx, w, "Invalid token", http.StatusUnauthorized)
		460	return
		461	}
		462
		463	sha256Raw, err := hex.DecodeString(oid)
		464	if err != nil \|\| len(sha256Raw) != sha256.Size {
		465	makeRespError(ctx, w, "Invalid OID", http.StatusBadRequest)
		466	return
		467	}
		468
		469	fullPath := path.Join(repo+".git", "lfs/objects", oid[:2], oid[2:4], oid)
		470	obj, err := h.mc.GetObject(ctx, h.bucket, fullPath, minio.GetObjectOptions{})
		471
		472	var resp minio.ErrorResponse
		473	if errors.As(err, &resp) && resp.StatusCode != http.StatusNotFound {
		474	makeRespError(ctx, w, "Not found", http.StatusNotFound)
		475	return
		476	} else if err != nil {
		477	reqlog(ctx, "Failed to get object: %s", err)
		478	makeRespError(ctx, w, "Failed to get object", http.StatusInternalServerError)
		479	return
		480	}
		481
		482	stat, err := obj.Stat()
		483	if err != nil {
		484	reqlog(ctx, "Failed to stat: %s", err)
		485	makeRespError(ctx, w, "Internal server error", http.StatusInternalServerError)
		486	}
		487
		488	if stat.Size != claims.Gitolfs3.Size {
		489	reqlog(ctx, "Claims size does not match S3 object size")
		490	makeRespError(ctx, w, "Internal server error", http.StatusInternalServerError)
		491	}
		492
		493	vr := newValidatingReader(claims.Gitolfs3.Size, sha256Raw, obj)
		494	_, err = io.Copy(w, vr)
		495	if errors.Is(err, errBadSum) {
		496	reqlog(ctx, "Bad object checksum")
		497	}
		498	}
		499
390	type parsedBatchObject struct {	500	type parsedBatchObject struct {
391	firstByte string	501	firstByte string
392	secondByte string	502	secondByte string
@@ -414,6 +524,7 @@ var requestIDKey requestID
414		524
415	// TODO: make a shared package for this	525	// TODO: make a shared package for this
416	type lfsAuthGitolfs3Claims struct {	526	type lfsAuthGitolfs3Claims struct {
		527	Type string `json:"type"`
417	Repository string `json:"repository"`	528	Repository string `json:"repository"`
418	Permission operation `json:"permission"`	529	Permission operation `json:"permission"`
419	}	530	}
@@ -448,7 +559,7 @@ func (h handler) getGitoliteAccess(repo, user, gitolitePerm string, refspec st
448	return true, nil	559	return true, nil
449	}	560	}
450		561
451	func (h handler) authorize(w http.ResponseWriter, r http.Request, or operationRequest) bool {	562	func (h handler) authorizeBatchAPI(w http.ResponseWriter, r http.Request, or operationRequest) bool {
452	user := h.anonUser	563	user := h.anonUser
453	ctx := r.Context()	564	ctx := r.Context()
454		565
@@ -471,6 +582,10 @@ func (h handler) authorize(w http.ResponseWriter, r http.Request, or operation
471	return false	582	return false
472	}	583	}
473		584
		585	if claims.Gitolfs3.Type != "batch-api" {
		586	makeRespError(ctx, w, "Invalid token", http.StatusUnauthorized)
		587	return false
		588	}
474	if claims.Gitolfs3.Repository != or.repository {	589	if claims.Gitolfs3.Repository != or.repository {
475	makeRespError(ctx, w, "Invalid token", http.StatusUnauthorized)	590	makeRespError(ctx, w, "Invalid token", http.StatusUnauthorized)
476	return false	591	return false
@@ -539,7 +654,7 @@ func (h handler) handleBatchAPI(w http.ResponseWriter, r http.Request, repo st
539	if body.Ref != nil {	654	if body.Ref != nil {
540	or.refspec = &body.Ref.Name	655	or.refspec = &body.Ref.Name
541	}	656	}
542	if !h.authorize(w, r.WithContext(ctx), or) {	657	if !h.authorizeBatchAPI(w, r.WithContext(ctx), or) {
543	return	658	return
544	}	659	}
545		660
@@ -632,12 +747,15 @@ func (h handler) ServeHTTP(w http.ResponseWriter, r http.Request) {
632	repo := strings.TrimPrefix(path.Clean(submatches[1]), "/")	747	repo := strings.TrimPrefix(path.Clean(submatches[1]), "/")
633	reqlog(ctx, "Handling object PUT for repository: %s, OID: %s", repo, oid)	748	reqlog(ctx, "Handling object PUT for repository: %s, OID: %s", repo, oid)
634		749
635	if r.Method != http.MethodPut {	750	switch r.Method {
		751	case http.MethodGet:
		752	h.handleGetObject(w, r.WithContext(ctx), repo, oid)
		753	case http.MethodPut:
		754	h.handlePutObject(w, r.WithContext(ctx), repo, oid)
		755	default:
636	makeRespError(ctx, w, "Method not allowed", http.StatusMethodNotAllowed)	756	makeRespError(ctx, w, "Method not allowed", http.StatusMethodNotAllowed)
637	return
638	}	757	}
639		758
640	h.handlePutObject(w, r.WithContext(ctx), repo, oid)
641	return	759	return
642	}	760	}
643		761