tenseleyflow/shithub / e860cb1

+// SPDX-License-Identifier: AGPL-3.0-or-later

+

+package protocol

+

+import (

+	"bytes"

+	"context"

+	"errors"

+	"io"

+	"os/exec"

+	"sync"

+	"time"

+)

+

+// stderrCap bounds the in-memory stderr drainer's buffer so a chatty

+// subprocess can't OOM us. Truncated stderr is fine — we only surface

+// it on error and a few KB is enough to identify the failure.

+const stderrCap = 16 * 1024

+

+// Service identifies which git plumbing program we're driving.

+type Service string

+

+const (

+	UploadPack  Service = "git-upload-pack"

+	ReceivePack Service = "git-receive-pack"

+)

+

+// Cmd builds an *exec.Cmd that drives the requested service against the

+// bare repo at gitDir. AdvertiseRefs flips on the --advertise-refs flag

+// used by the info/refs response. extraEnv is appended to os.Environ()

+// — the caller uses it to thread SHITHUB_USER_ID/etc. through git's

+// environment so post-receive hooks can read them.

+//

+// Subprocess lifecycle:

+//   - Killed on ctx cancel (Go ≥ 1.20: cmd.Cancel default kills with

+//     SIGKILL; we tighten to a 250ms WaitDelay so a stuck subprocess

+//     doesn't pin a worker forever).

+//   - Stderr is drained by the helper Drain() so the OS pipe buffer

+//     doesn't fill and deadlock the caller's stdout copy. Captured

+//     stderr is exposed via Stderr() on the returned Process.

+func Cmd(ctx context.Context, svc Service, gitDir string, advertiseRefs bool, extraEnv []string) *exec.Cmd {

+	args := []string{"--stateless-rpc"}

+	if advertiseRefs {

+		args = append(args, "--advertise-refs")

+	}

+	args = append(args, gitDir)

+	//nolint:gosec // G204: svc is an enum from a fixed set; gitDir is constructed via storage.RepoFS path validation.

+	cmd := exec.CommandContext(ctx, string(svc), args...)

+	cmd.Env = extraEnv

+	cmd.WaitDelay = 250 * time.Millisecond

+	return cmd

+}

+

+// DrainStderr starts a goroutine that copies stderr into a bounded ring

+// buffer; returns a function the caller invokes after Wait() to get the

+// captured bytes. The cap is `stderrCap`; further writes are silently

+// discarded.

+//

+// Always call this BEFORE Start() and call the returned closure AFTER

+// Wait() to avoid the deadlock where a verbose stderr fills the OS

+// pipe.

+func DrainStderr(cmd *exec.Cmd) func() []byte {

+	pipe, err := cmd.StderrPipe()

+	if err != nil {

+		// Stderr already wired (or another wiring error). Fall back to

+		// a no-op drain so callers don't have to special-case.

+		return func() []byte { return nil }

+	}

+	buf := &cappedBuffer{cap: stderrCap}

+	done := make(chan struct{})

+	go func() {

+		defer close(done)

+		_, _ = io.Copy(buf, pipe)

+	}()

+	return func() []byte {

+		<-done

+		return buf.Bytes()

+	}

+}

+

+// cappedBuffer is a bytes.Buffer that drops writes after the cap.

+type cappedBuffer struct {

+	mu  sync.Mutex

+	buf bytes.Buffer

+	cap int

+}

+

+func (c *cappedBuffer) Write(p []byte) (int, error) {

+	c.mu.Lock()

+	defer c.mu.Unlock()

+	free := c.cap - c.buf.Len()

+	if free <= 0 {

+		return len(p), nil // accept-and-drop

+	}

+	if len(p) > free {

+		_, _ = c.buf.Write(p[:free])

+		return len(p), nil

+	}

+	return c.buf.Write(p)

+}

+

+func (c *cappedBuffer) Bytes() []byte {

+	c.mu.Lock()

+	defer c.mu.Unlock()

+	out := make([]byte, c.buf.Len())

+	copy(out, c.buf.Bytes())

+	return out

+}

+

+// ErrSubprocessFailed is returned by Run when the git subprocess exits

+// non-zero. The captured stderr is wrapped via %s so the operator sees

+// it in logs without it being escaped through the chain.

+var ErrSubprocessFailed = errors.New("git subprocess exited non-zero")

+// SPDX-License-Identifier: AGPL-3.0-or-later

+

+// Package protocol carries the smart-HTTP and (later) smart-SSH bits of

+// the git wire protocol that we generate ourselves. The bulk of the

+// protocol — capability negotiation, want/have, multi-ack, side-band —

+// stays inside canonical `git`'s `upload-pack` and `receive-pack`. We

+// only emit the framing we need to wrap their advertise-refs output for

+// HTTP transport.

+package protocol

+

+import (

+	"fmt"

+	"io"

+)

+

+// MaxPktLine is git's hard limit for a single packet: 65520 bytes of

+// payload + 4 bytes of length prefix. Anything longer is malformed.

+const MaxPktLine = 65520

+

+// FlushPkt is the literal pkt-line sequence that says "no more

+// packets." git uses it to terminate sub-streams.

+const FlushPkt = "0000"

+

+// WritePkt writes one pkt-line packet — a 4-hex-digit length prefix

+// (covering payload + 4) followed by the payload. Exposed so the smart-

+// HTTP info/refs handler can prepend its `# service=...` advertisement.

+func WritePkt(w io.Writer, payload string) error {

+	if len(payload)+4 > MaxPktLine {

+		return fmt.Errorf("pkt-line: payload too long (%d > %d)", len(payload), MaxPktLine-4)

+	}

+	if _, err := fmt.Fprintf(w, "%04x%s", len(payload)+4, payload); err != nil {

+		return err

+	}

+	return nil

+}

+

+// WriteFlush emits the flush packet (`0000`). Marks the end of a

+// sub-stream like the service advertisement preamble.

+func WriteFlush(w io.Writer) error {

+	_, err := io.WriteString(w, FlushPkt)

+	return err

+}

+

+// WriteServiceAdvertisement writes the standard preamble that the smart-

+// HTTP info/refs response uses to tell git which service is being

+// advertised. The wire format is:

+//

+//	001e# service=git-upload-pack\n0000

+//	└┬┘└──────────┬─────────────┘└─┬─┘

+//	 │            │                └ flush

+//	 │            └ payload (trailing newline included)

+//	 └ length prefix (hex)

+//

+// Then `git upload-pack --advertise-refs --stateless-rpc <repo>` writes

+// its actual ref advertisement after this.

+func WriteServiceAdvertisement(w io.Writer, service string) error {

+	if err := WritePkt(w, "# service="+service+"\n"); err != nil {

+		return err

+	}

+	return WriteFlush(w)

+}

+// SPDX-License-Identifier: AGPL-3.0-or-later

+

+package protocol_test

+

+import (

+	"bytes"

+	"context"

+	"os/exec"

+	"path/filepath"

+	"strings"

+	"testing"

+	"time"

+

+	"github.com/tenseleyFlow/shithub/internal/git/protocol"

+)

+

+func TestWritePkt_Format(t *testing.T) {

+	t.Parallel()

+	var buf bytes.Buffer

+	if err := protocol.WritePkt(&buf, "hi"); err != nil {

+		t.Fatalf("WritePkt: %v", err)

+	}

+	// 4-hex prefix = len(payload)+4 = 6 -> "0006"

+	if got := buf.String(); got != "0006hi" {

+		t.Fatalf("got %q, want %q", got, "0006hi")

+	}

+}

+

+func TestWritePkt_RejectsTooLong(t *testing.T) {

+	t.Parallel()

+	var buf bytes.Buffer

+	huge := strings.Repeat("a", protocol.MaxPktLine)

+	if err := protocol.WritePkt(&buf, huge); err == nil {

+		t.Fatal("expected error for over-length pkt")

+	}

+}

+

+func TestServiceAdvertisement(t *testing.T) {

+	t.Parallel()

+	var buf bytes.Buffer

+	if err := protocol.WriteServiceAdvertisement(&buf, "git-upload-pack"); err != nil {

+		t.Fatalf("WriteServiceAdvertisement: %v", err)

+	}

+	got := buf.String()

+	// Expected: "001e# service=git-upload-pack\n0000"

+	want := "001e# service=git-upload-pack\n0000"

+	if got != want {

+		t.Fatalf("got %q, want %q", got, want)

+	}

+}

+

+// TestCmd_StreamsAndDrainsStderr exercises the exec wrapper end-to-end:

+// init a bare repo, run upload-pack --advertise-refs against it, drain

+// stderr, and check stdout looks like a valid (empty) ref advertisement.

+func TestCmd_StreamsAndDrainsStderr(t *testing.T) {

+	t.Parallel()

+	gitDir := initBare(t)

+

+	cmd := protocol.Cmd(context.Background(), protocol.UploadPack, gitDir, true, nil)

+	stderr := protocol.DrainStderr(cmd)

+	out, err := cmd.Output()

+	if err != nil {

+		t.Fatalf("Cmd run: %v\nstderr: %s", err, stderr())

+	}

+	// First 4 chars are a hex length prefix; the body should mention

+	// either a ref or the no-refs sentinel git emits for unborn HEAD.

+	if len(out) < 4 {

+		t.Fatalf("output too short: %q", out)

+	}

+}

+

+// TestCmd_KillsOnContextCancel verifies that cancelling ctx kills the

+// subprocess promptly (Go's default cmd.Cancel sends SIGKILL).

+func TestCmd_KillsOnContextCancel(t *testing.T) {

+	t.Parallel()

+	ctx, cancel := context.WithCancel(context.Background())

+

+	// `git fetch` against a never-resolving URL hangs indefinitely;

+	// we'll use that as our long-running subprocess.

+	gitDir := initBare(t)

+	//nolint:gosec // G204: gitDir is t.TempDir.

+	cmd := exec.CommandContext(ctx, "git", "-C", gitDir, "fetch", "https://example.invalid/never-resolves")

+	cmd.WaitDelay = 250 * time.Millisecond

+	if err := cmd.Start(); err != nil {

+		t.Fatalf("Start: %v", err)

+	}

+

+	go func() {

+		time.Sleep(100 * time.Millisecond)

+		cancel()

+	}()

+	start := time.Now()

+	_ = cmd.Wait() // expect non-nil; we just care it returns

+	if elapsed := time.Since(start); elapsed > 5*time.Second {

+		t.Fatalf("subprocess took %s to die after cancel; expected <5s", elapsed)

+	}

+}

+

+func initBare(t *testing.T) string {

+	t.Helper()

+	root := t.TempDir()

+	gitDir := filepath.Join(root, "x.git")

+	//nolint:gosec // G204: t.TempDir.

+	if out, err := exec.Command("git", "init", "--bare", "--initial-branch=trunk", gitDir).CombinedOutput(); err != nil {

+		t.Fatalf("git init: %v\n%s", err, out)

+	}

+	return gitDir

+}