[jira] [Created] (NIFI-15692) GitLabRepositoryClient.deleteContent() fails with 403 when GitLab is behind reverse proxy due to getRawFile() usage

Tue, 10 Mar 2026 07:36:04 -0700 

Ivan Majsinger created NIFI-15692:
-------------------------------------

             Summary: GitLabRepositoryClient.deleteContent() fails with 403 
when GitLab is behind reverse proxy due to getRawFile() usage
                 Key: NIFI-15692
                 URL: https://issues.apache.org/jira/browse/NIFI-15692
             Project: Apache NiFi
          Issue Type: Bug
          Components: Extensions
    Affects Versions: 2.7.2
            Reporter: Ivan Majsinger


h3. Problem

GitLabFlowRegistryClient fails to register flow snapshots when GitLab is behind 
an Apache reverse proxy. The verification passes all checks, but "Start Version 
Control" fails with 403 Forbidden.
h3. Root Cause


The \{{deleteContent()}} method in \{{GitLabRepositoryClient.java}} uses 
\{{getRawFile()}} which hits the 
\{{/api/v4/projects/.../repository/files/.../raw}} endpoint. This endpoint is 
handled differently by some reverse proxies, causing a redirect to HTTP port 80 
where authentication fails.

 
{code:java}
// Current implementation (line ~266)
public InputStream deleteContent(...) {
    return execute(() -> {
        final InputStream content = 
gitLab.getRepositoryFileApi().getRawFile(...); // FAILS HERE
        gitLab.getRepositoryFileApi().deleteFile(...);
        return content;
    }); {code}
 

 

{code:java}

}
{code}

h3. Error
{code}
org.gitlab4j.api.GitLabApiException: 
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html><head><title>403 Forbidden</title></head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access this resource.</p>
<address>Apache Server at [hostname] Port 80</address>
</body></html>
    at org.gitlab4j.api.RepositoryFileApi.getRawFile(RepositoryFileApi.java:422)
    at org.apache.nifi.gitlab.GitLabRepositoryClient.lambda$deleteContent$8
{code}

h3. Proposed Fix
Use \{{getFile()}} instead of \{{getRawFile()}}. The \{{getFile()}} method uses 
the standard \{{/api/v4/projects/.../repository/files/...}} endpoint (without 
\{{/raw}}) which returns Base64-encoded content and works correctly behind 
reverse proxies.

{code:java}
// Proposed fix
public InputStream deleteContent(...) {
    return execute(() -> {
        RepositoryFile file = 
gitLab.getRepositoryFileApi().getFile(projectPath, resolvedPath, branch);
        byte[] content = Base64.getDecoder().decode(file.getContent());
        gitLab.getRepositoryFileApi().deleteFile(...);
        return new ByteArrayInputStream(content);
    });
}
{code}

h3. Related
- gitlab4j-api issue: https://github.com/gmessner/gitlab4j-api/issues/282

h3. Environment
- NiFi 2.7.0
- GitLab behind Apache reverse proxy



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to