Possibility to limit the max pack size on receive-pack

The maxPackSizeLimit, when set, will reject a pack if it exceeds
that limit.

This feature is intended to provide a mechanism to control disk space
quota on Git repositories.

Change-Id: I83d8db670875c395f8171461b402083323e623a5
CQ: 7896

org.eclipse.jgit/resources/org/eclipse/jgit/internal/JGitText.properties

@@ -403,6 +403,8 @@ readingObjectsFromLocalRepositoryFailed=reading objects from local repository fa
 readTimedOut=Read timed out after {0} ms
 receivePackObjectTooLarge1=Object too large, rejecting the pack. Max object size limit is {0} bytes.
 receivePackObjectTooLarge2=Object too large ({0} bytes), rejecting the pack. Max object size limit is {1} bytes.
+receivePackInvalidLimit=Illegal limit parameter value {0}
+receivePackTooLarge=Pack exceeds the limit of {0} bytes, rejecting the pack
 receivingObjects=Receiving objects
 refAlreadyExists=already exists
 refAlreadyExists1=Ref {0} already exists

org.eclipse.jgit/src/org/eclipse/jgit/errors/TooLargePackException.java

@@ -0,0 +1,69 @@
+/*
+ * Copyright (C) 2014, Sasa Zivkov <sasa.zivkov@sap.com>, SAP AG
+ * and other copyright owners as documented in the project's IP log.
+ *
+ * This program and the accompanying materials are made available
+ * under the terms of the Eclipse Distribution License v1.0 which
+ * accompanies this distribution, is reproduced below, and is
+ * available at http://www.eclipse.org/org/documents/edl-v10.php
+ *
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or
+ * without modification, are permitted provided that the following
+ * conditions are met:
+ *
+ * - Redistributions of source code must retain the above copyright
+ *   notice, this list of conditions and the following disclaimer.
+ *
+ * - Redistributions in binary form must reproduce the above
+ *   copyright notice, this list of conditions and the following
+ *   disclaimer in the documentation and/or other materials provided
+ *   with the distribution.
+ *
+ * - Neither the name of the Eclipse Foundation, Inc. nor the
+ *   names of its contributors may be used to endorse or promote
+ *   products derived from this software without specific prior
+ *   written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND
+ * CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR
+ * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+ * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
+ * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+package org.eclipse.jgit.errors;
+
+import java.io.IOException;
+import java.text.MessageFormat;
+
+import org.eclipse.jgit.internal.JGitText;
+
+/**
+ * Thrown when a pack exceeds a given size limit
+ *
+ * @since 3.3
+ */
+public class TooLargePackException extends IOException {
+	private static final long serialVersionUID = 1L;
+
+	/**
+	 * Construct a too large pack exception.
+	 *
+	 * @param packSizeLimit
+	 *            the pack size limit (in bytes) that was exceeded
+	 */
+	public TooLargePackException(long packSizeLimit) {
+		super(MessageFormat.format(JGitText.get().receivePackTooLarge,
+				Long.valueOf(packSizeLimit)));
+	}
+}

org.eclipse.jgit/src/org/eclipse/jgit/internal/JGitText.java

@@ -465,6 +465,8 @@ public class JGitText extends TranslationBundle {
 	/***/ public String readTimedOut;
 	/***/ public String receivePackObjectTooLarge1;
 	/***/ public String receivePackObjectTooLarge2;
+	/***/ public String receivePackInvalidLimit;
+	/***/ public String receivePackTooLarge;
 	/***/ public String receivingObjects;
 	/***/ public String refAlreadyExists;
 	/***/ public String refAlreadyExists1;

org.eclipse.jgit/src/org/eclipse/jgit/transport/BaseReceivePack.java

@@ -55,6 +55,7 @@ import java.io.EOFException;
 import java.io.IOException;
 import java.io.InputStream;
 import java.io.OutputStream;
+import java.text.MessageFormat;
 import java.util.ArrayList;
 import java.util.Collections;
 import java.util.HashSet;
@@ -65,6 +66,7 @@ import java.util.concurrent.TimeUnit;
 
 import org.eclipse.jgit.errors.MissingObjectException;
 import org.eclipse.jgit.errors.PackProtocolException;
+import org.eclipse.jgit.errors.TooLargePackException;
 import org.eclipse.jgit.internal.JGitText;
 import org.eclipse.jgit.internal.storage.file.PackLock;
 import org.eclipse.jgit.lib.BatchRefUpdate;
@@ -89,6 +91,7 @@ import org.eclipse.jgit.revwalk.RevTree;
 import org.eclipse.jgit.revwalk.RevWalk;
 import org.eclipse.jgit.transport.ReceiveCommand.Result;
 import org.eclipse.jgit.util.io.InterruptTimer;
+import org.eclipse.jgit.util.io.LimitedInputStream;
 import org.eclipse.jgit.util.io.TimeoutInputStream;
 import org.eclipse.jgit.util.io.TimeoutOutputStream;
 
@@ -234,6 +237,9 @@ public abstract class BaseReceivePack {
 	/** Git object size limit */
 	private long maxObjectSizeLimit;
 
+	/** Total pack size limit */
+	private long maxPackSizeLimit = -1;
+
 	/**
 	 * Create a new pack receive for an open repository.
 	 *
@@ -622,6 +628,24 @@ public abstract class BaseReceivePack {
 		maxObjectSizeLimit = limit;
 	}
 
+
+	/**
+	 * Set the maximum allowed pack size.
+	 * <p>
+	 * A pack exceeding this size will be rejected.
+	 *
+	 * @param limit
+	 *            the pack size limit, in bytes
+	 *
+	 * @since 3.3
+	 */
+	public void setMaxPackSizeLimit(final long limit) {
+		if (limit < 0)
+			throw new IllegalArgumentException(MessageFormat.format(
+					JGitText.get().receivePackInvalidLimit, Long.valueOf(limit)));
+		maxPackSizeLimit = limit;
+	}
+
 	/**
 	 * Check whether the client expects a side-band stream.
 	 *
@@ -741,6 +765,14 @@ public abstract class BaseReceivePack {
 			rawOut = o;
 		}
 
+		if (maxPackSizeLimit >= 0)
+			rawIn = new LimitedInputStream(rawIn, maxPackSizeLimit) {
+				@Override
+				protected void limitExceeded() throws TooLargePackException {
+					throw new TooLargePackException(limit);
+				}
+			};
+
 		pckIn = new PacketLineIn(rawIn);
 		pckOut = new PacketLineOut(rawOut);
 		pckOut.setFlushOnEnd(false);

org.eclipse.jgit/src/org/eclipse/jgit/util/io/LimitedInputStream.java

@@ -0,0 +1,154 @@
+/*
+ * Copyright (C) 2007 The Guava Authors
+ * Copyright (C) 2014, Sasa Zivkov <sasa.zivkov@sap.com>, SAP AG
+ * and other copyright owners as documented in the project's IP log.
+ *
+ * This program and the accompanying materials are made available
+ * under the terms of the Eclipse Distribution License v1.0 which
+ * accompanies this distribution, is reproduced below, and is
+ * available at http://www.eclipse.org/org/documents/edl-v10.php
+ *
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or
+ * without modification, are permitted provided that the following
+ * conditions are met:
+ *
+ * - Redistributions of source code must retain the above copyright
+ *   notice, this list of conditions and the following disclaimer.
+ *
+ * - Redistributions in binary form must reproduce the above
+ *   copyright notice, this list of conditions and the following
+ *   disclaimer in the documentation and/or other materials provided
+ *   with the distribution.
+ *
+ * - Neither the name of the Eclipse Foundation, Inc. nor the
+ *   names of its contributors may be used to endorse or promote
+ *   products derived from this software without specific prior
+ *   written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND
+ * CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR
+ * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+ * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
+ * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+package org.eclipse.jgit.util.io;
+
+import java.io.FilterInputStream;
+import java.io.IOException;
+import java.io.InputStream;
+
+/**
+ * Wraps a {@link InputStream}, limiting the number of bytes which can be
+ * read.
+ *
+ * This class was copied and modifed from the Google Guava 16.0. Differently from
+ * the original Guava code, when a caller tries to read from this stream past
+ * the given limit and the wrapped stream hasn't yet reached its EOF this class
+ * will call the limitExceeded method instead of returning EOF.
+ *
+ * @since 3.3
+ */
+public abstract class LimitedInputStream extends FilterInputStream {
+
+	private long left;
+	/** Max number of bytes to be read from the wrapped stream */
+	protected final long limit;
+	private long mark = -1;
+
+	/**
+	 * Create a new LimitedInputStream
+	 *
+	 * @param in an InputStream
+	 * @param limit max number of bytes to read from the InputStream
+	 */
+	protected LimitedInputStream(InputStream in, long limit) {
+		super(in);
+		left = limit;
+		this.limit = limit;
+	}
+
+	@Override
+	public int available() throws IOException {
+		return (int) Math.min(in.available(), left);
+	}
+
+	// it's okay to mark even if mark isn't supported, as reset won't work
+	@Override
+	public synchronized void mark(int readLimit) {
+		in.mark(readLimit);
+		mark = left;
+	}
+
+	@Override
+	public int read() throws IOException {
+		if (left == 0) {
+			if (in.available() == 0)
+				return -1;
+			else
+				limitExceeded();
+		}
+
+		int result = in.read();
+		if (result != -1)
+			--left;
+		return result;
+	}
+
+	@Override
+	public int read(byte[] b, int off, int len) throws IOException {
+		if (left == 0) {
+			if (in.available() == 0)
+				return -1;
+			else
+				limitExceeded();
+		}
+
+		len = (int) Math.min(len, left);
+		int result = in.read(b, off, len);
+		if (result != -1)
+			left -= result;
+		return result;
+	}
+
+	@Override
+	public synchronized void reset() throws IOException {
+		if (!in.markSupported())
+			throw new IOException("Mark not supported");
+
+		if (mark == -1)
+			throw new IOException("Mark not set");
+
+		in.reset();
+		left = mark;
+	}
+
+	@Override
+	public long skip(long n) throws IOException {
+		n = Math.min(n, left);
+		long skipped = in.skip(n);
+		left -= skipped;
+		return skipped;
+	}
+
+	/**
+	 * Called when trying to read past the given {@link #limit} and the wrapped
+	 * InputStream {@link #in} hasn't yet reached its EOF
+	 *
+	 * @throws IOException
+	 *            subclasses can throw an IOException when the limit is exceeded.
+	 *            The throws IOException will be forwarded back to the caller of
+	 *            the read method which read the stream past the limit.
+	 */
+	protected abstract void limitExceeded() throws IOException;
+}