gitserver: Fetch in GitBackend

This PR moves Fetch to the GitBackend to benefit from all the observability and so forth that this package provides. Also, it's a git command. All git commands should live here eventually.

Test plan:

E2E tests verify that fetching still works.

Author: eseliger

cmd/gitserver/internal/git/gitcli/command.go

@@ -5,6 +5,7 @@ import (
 	"context"
 	"fmt"
 	"io"
+	"os"
 	"os/exec"
 	"runtime"
 	"strconv"
@@ -47,8 +48,11 @@ var (
 
 type commandOpts struct {
 	arguments []string
+	addtlEnv  []string
+	redactor  func(string) string
 
-	stdin io.Reader
+	stdin  io.Reader
+	stderr io.Writer
 }
 
 func optsFromFuncs(optFns ...CommandOptionFunc) commandOpts {
@@ -68,13 +72,38 @@ func WithArguments(args ...string) CommandOptionFunc {
 	}
 }
 
+// WithEnv sets the given environment variables on the command. os.Environ()
+// is always passed, the additional env vars passed here will be appended.
+func WithEnv(env ...string) CommandOptionFunc {
+	return func(o *commandOpts) {
+		o.addtlEnv = append(o.addtlEnv, env...)
+	}
+}
+
 // WithStdin specifies the reader to use for the command's stdin input.
 func WithStdin(stdin io.Reader) CommandOptionFunc {
 	return func(o *commandOpts) {
 		o.stdin = stdin
 	}
 }
 
+// WithStderr sets the stderr writer for the command. When set, stderr will be
+// written to the passed writer, and also tracked internally for corruption detection
+// and error reporting using a io.MultiWriter.
+func WithStderr(stderr io.Writer) CommandOptionFunc {
+	return func(o *commandOpts) {
+		o.stderr = stderr
+	}
+}
+
+// WithOutputRedactor sets the command recorder redactor function to use for the command,
+// and best-effort redacts any outputs from stdout/stderr.
+func WithOutputRedactor(f func(string) string) CommandOptionFunc {
+	return func(o *commandOpts) {
+		o.redactor = f
+	}
+}
+
 const gitCommandDefaultTimeout = time.Minute
 
 func (g *gitCLIBackend) NewCommand(ctx context.Context, optFns ...CommandOptionFunc) (_ io.ReadCloser, err error) {
@@ -116,10 +145,23 @@ func (g *gitCLIBackend) NewCommand(ctx context.Context, optFns ...CommandOptionF
 	g.dir.Set(cmd)
 
 	stderr, stderrBuf := stderrBuffer()
-	cmd.Stderr = stderr
+	stderrWriter := stderr
+	if opts.stderr != nil {
+		stderrWriter = io.MultiWriter(stderrBuf, opts.stderr)
+	}
+	cmd.Stderr = stderrWriter
+
+	if cmd.Env == nil {
+		cmd.Env = os.Environ()
+	}
+	cmd.Env = append(cmd.Env, opts.addtlEnv...)
 
 	wrappedCmd := g.rcf.WrapWithRepoName(ctx, logger, g.repoName, cmd)
 
+	if opts.redactor != nil {
+		wrappedCmd = wrappedCmd.WithRedactorFunc(opts.redactor)
+	}
+
 	stdout, err := cmd.StdoutPipe()
 	if err != nil {
 		cancel()
@@ -151,6 +193,7 @@ func (g *gitCLIBackend) NewCommand(ctx context.Context, optFns ...CommandOptionF
 		logger:     logger,
 		git:        g,
 		tr:         tr,
+		redactor:   opts.redactor,
 	}, nil
 }
 
@@ -201,6 +244,7 @@ type cmdReader struct {
 	closed    bool
 	tr        trace.Trace
 	err       error
+	redactor  func(string) string
 }
 
 func (rc *cmdReader) Read(p []byte) (n int, err error) {
@@ -242,10 +286,14 @@ func (rc *cmdReader) waitCmd() (err error) {
 	rc.err = rc.cmd.Wait()
 
 	if rc.err != nil {
-		if checkMaybeCorruptRepo(rc.ctx, rc.logger, rc.git, rc.repoName, rc.stderr.String()) {
-			rc.err = common.ErrRepoCorrupted{Reason: rc.stderr.String()}
+		redactedStderr := rc.stderr.String()
+		if rc.redactor != nil {
+			redactedStderr = rc.redactor(rc.stderr.String())
+		}
+		if checkMaybeCorruptRepo(rc.ctx, rc.logger, rc.git, rc.repoName, redactedStderr) {
+			rc.err = common.ErrRepoCorrupted{Reason: redactedStderr}
 		} else {
-			rc.err = commandFailedError(rc.ctx, err, rc.cmd, rc.stderr.Bytes())
+			rc.err = commandFailedError(rc.ctx, err, rc.cmd, []byte(redactedStderr))
 		}
 	}
 

cmd/gitserver/internal/git/gitcli/fetch.go

@@ -0,0 +1,177 @@
+package gitcli
+
+import (
+	"bufio"
+	"bytes"
+	"context"
+	"io"
+
+	"github.com/sourcegraph/sourcegraph/cmd/gitserver/internal/git"
+	"github.com/sourcegraph/sourcegraph/cmd/gitserver/internal/urlredactor"
+	"github.com/sourcegraph/sourcegraph/internal/api"
+	"github.com/sourcegraph/sourcegraph/lib/errors"
+)
+
+func (g *gitCLIBackend) Fetch(ctx context.Context, opt git.FetchOptions) (git.RefUpdateIterator, io.Reader, error) {
+	redactor := urlredactor.New(opt.RemoteURL)
+
+	args, env := buildFetchArgs(opt)
+	// see issue #7322: skip LFS content in repositories with Git LFS configured.
+	env = append(env, "GIT_LFS_SKIP_SMUDGE=1")
+
+	stderrR, stderrW := io.Pipe()
+	r, err := g.NewCommand(ctx,
+		WithArguments(args...),
+		WithEnv(env...),
+		WithOutputRedactor(redactor.Redact),
+		WithStderr(stderrW),
+	)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	return &refUpdateIterator{
+		stdout: r,
+		onCancel: func() error {
+			return errors.Append(stderrR.Close(), stderrW.Close())
+		},
+		sc: bufio.NewScanner(r),
+	}, stderrR, nil
+}
+
+type refUpdateIterator struct {
+	stdout   io.ReadCloser
+	sc       *bufio.Scanner
+	onCancel func() error
+}
+
+func (i *refUpdateIterator) Next() (git.RefUpdate, error) {
+	for i.sc.Scan() {
+		if len(i.sc.Bytes()) == 0 {
+			continue
+		}
+		return parseRefUpdateLine(i.sc.Bytes())
+	}
+
+	if err := i.sc.Err(); err != nil {
+		return git.RefUpdate{}, err
+	}
+
+	return git.RefUpdate{}, io.EOF
+}
+
+func (i *refUpdateIterator) Close() error {
+	cancelErr := i.onCancel()
+	err := i.stdout.Close()
+	if cancelErr != nil {
+		err = errors.Append(err, cancelErr)
+	}
+	return err
+}
+
+func buildFetchArgs(opt git.FetchOptions) (args, env []string) {
+	env = []string{
+		// disable password prompt
+		"GIT_ASKPASS=true",
+		// Suppress asking to add SSH host key to known_hosts (which will hang because
+		// the command is non-interactive).
+		//
+		// And set a timeout to avoid indefinite hangs if the server is unreachable.
+		"GIT_SSH_COMMAND=ssh -o BatchMode=yes -o ConnectTimeout=30",
+		// Identify HTTP requests with a user agent. Please keep the git/ prefix because GitHub breaks the protocol v2
+		// negotiation of clone URLs without a `.git` suffix (which we use) without it. Don't ask.
+		"GIT_HTTP_USER_AGENT=git/Sourcegraph-Bot",
+	}
+
+	if opt.TLSConfig.SSLNoVerify {
+		env = append(env, "GIT_SSL_NO_VERIFY=true")
+	}
+	if opt.TLSConfig.SSLCAInfo != "" {
+		env = append(env, "GIT_SSL_CAINFO="+opt.TLSConfig.SSLCAInfo)
+	}
+
+	// If we have creds in the URL, pass them in via the credHelper instead of
+	// as part of the URL, because args are visible in `ps` output, leaking the
+	// credentials easily.
+	remoteURLArg := opt.RemoteURL.String()
+	credentialHelper := []string{}
+	password, ok := opt.RemoteURL.User.Password()
+	if ok && !opt.RemoteURL.IsSSH() {
+		// Remove the user section from the remoteURL so that git consults credential
+		// helpers for the username/password.
+		ru := *opt.RemoteURL
+		ru.User = nil
+		remoteURLArg = ru.String()
+
+		// Next up, add out credential helper.
+		// Note: We add an ADDITIONAL credential helper here, the previous
+		// one is just unsetting any existing ones.
+		credentialHelper = []string{"-c", "credential.helper=!f() { echo \"username=$GIT_SG_USERNAME\npassword=$GIT_SG_PASSWORD\"; }; f"}
+		env = append(env,
+			"GIT_SG_USERNAME="+opt.RemoteURL.User.Username(),
+			"GIT_SG_PASSWORD="+password,
+		)
+	}
+
+	args = []string{
+		// Unset credential helper because the command is non-interactive.
+		// Even when we pass a second credential helper for HTTP credentials,
+		// we will need this. Otherwise, the original credential helper will be used
+		// as well.
+		"-c", "credential.helper=",
+	}
+	args = append(args, credentialHelper...)
+	args = append(args,
+		"-c", "protocol.version=2",
+		"fetch",
+		"--progress",
+		"--prune",
+		"--porcelain",
+		remoteURLArg,
+	)
+
+	return args, env
+}
+
+func parseRefUpdateLine(line []byte) (u git.RefUpdate, _ error) {
+	line = bytes.TrimSpace(line)
+	// format:
+	// <flag> <old-object-id> <new-object-id> <local-reference>
+	if len(line) == 0 {
+		return git.RefUpdate{}, errors.New("empty git ref update output")
+	}
+	if line[0] == ' ' {
+		u.Type = git.RefUpdateTypeFastForwardUpdate
+		line[0] = 'x'
+	}
+	parts := bytes.Fields(line)
+	if len(parts) != 4 {
+		return git.RefUpdate{}, errors.Newf("invalid ref update format, expected exactly 4 fields %q", line)
+	}
+
+	if line[0] != 'x' {
+		switch git.RefUpdateType(line[0]) {
+		case git.RefUpdateTypeFastForwardUpdate:
+			u.Type = git.RefUpdateTypeFastForwardUpdate
+		case git.RefUpdateTypeForcedUpdate:
+			u.Type = git.RefUpdateTypeForcedUpdate
+		case git.RefUpdateTypePruned:
+			u.Type = git.RefUpdateTypePruned
+		case git.RefUpdateTypeTagUpdate:
+			u.Type = git.RefUpdateTypeTagUpdate
+		case git.RefUpdateTypeNewRef:
+			u.Type = git.RefUpdateTypeNewRef
+		case git.RefUpdateTypeFailed:
+			u.Type = git.RefUpdateTypeFailed
+		case git.RefUpdateTypeUnchanged:
+			u.Type = git.RefUpdateTypeUnchanged
+		default:
+			return git.RefUpdate{}, errors.Newf("invalid ref update type %q", line[0])
+		}
+	}
+	u.OldSHA = api.CommitID(parts[1])
+	u.NewSHA = api.CommitID(parts[2])
+	u.LocalReference = string(parts[3])
+
+	return u, nil
+}

cmd/gitserver/internal/git/iface.go

@@ -7,6 +7,7 @@ import (
 
 	"github.com/sourcegraph/sourcegraph/internal/api"
 	"github.com/sourcegraph/sourcegraph/internal/gitserver/gitdomain"
+	"github.com/sourcegraph/sourcegraph/internal/vcs"
 )
 
 // GitBackend is the interface through which operations on a git repository can
@@ -90,6 +91,12 @@ type GitBackend interface {
 	// Aggregations are done by email address.
 	// If range does not exist, a RevisionNotFoundError is returned.
 	ContributorCounts(ctx context.Context, opt ContributorCountsOpts) ([]*gitdomain.ContributorCount, error)
+	// Fetch fetches the configured revspecs from the remote repository using the
+	// given URL.
+	// The returned iterator can be used to read all the ref updates in a structured
+	// way.
+	// The returned Reader can be used to read the progress of the fetch operation.
+	Fetch(ctx context.Context, opt FetchOptions) (_ RefUpdateIterator, progress io.Reader, _ error)
 
 	// Exec is a temporary helper to run arbitrary git commands from the exec endpoint.
 	// No new usages of it should be introduced and once the migration is done we will
@@ -193,3 +200,65 @@ type ContributorCountsOpts struct {
 	// (e.g., "foo/bar/").
 	Path string
 }
+
+// FetchOptions are options for the Fetch method. All options must be specified.
+type FetchOptions struct {
+	// RemoteURL is the URL of the remote to fetch from. It may contain credentials
+	// in the User field.
+	RemoteURL *vcs.URL
+	// Refspecs specifies which refs to fetch and update.
+	// Example format: {"+refs/heads/*:refs/heads/*", "+refs/tags/*:refs/tags/*"}.
+	Refspecs []string
+	// TLSConfig, if set, contains additional information about certificate settings
+	// to pass to git.
+	TLSConfig GitTLSConfig
+}
+
+type GitTLSConfig struct {
+	// Whether to not verify the SSL certificate when fetching or pushing over
+	// HTTPS.
+	//
+	// https://git-scm.com/docs/git-config#Documentation/git-config.txt-httpsslVerify
+	SSLNoVerify bool
+
+	// File containing the certificates to verify the peer with when fetching
+	// or pushing over HTTPS.
+	//
+	// https://git-scm.com/docs/git-config#Documentation/git-config.txt-httpsslCAInfo
+	SSLCAInfo string
+}
+
+// RefUpdateIterator is an interface that allows iterating over a set of RefUpdates.
+type RefUpdateIterator interface {
+	// Next returns the next RefUpdate.
+	Next() (RefUpdate, error)
+	// Close releases resources associated with the iterator.
+	Close() error
+}
+
+type RefUpdate struct {
+	Type           RefUpdateType
+	OldSHA         api.CommitID
+	NewSHA         api.CommitID
+	LocalReference string
+}
+
+// RefUpdateType indicates what kind of update has been made.
+type RefUpdateType byte
+
+const (
+	// for a successfully fetched fast-forward
+	RefUpdateTypeFastForwardUpdate RefUpdateType = ' '
+	// for a successful forced update
+	RefUpdateTypeForcedUpdate RefUpdateType = '+'
+	// for a successfully pruned ref
+	RefUpdateTypePruned RefUpdateType = '-'
+	// for a successful tag update
+	RefUpdateTypeTagUpdate RefUpdateType = 't'
+	// for a successfully fetched new ref
+	RefUpdateTypeNewRef RefUpdateType = '*'
+	// for a ref that was rejected or failed to update
+	RefUpdateTypeFailed RefUpdateType = '!'
+	// for a ref that was up to date and did not need fetching
+	RefUpdateTypeUnchanged RefUpdateType = '='
+)