#!/usr/bin/bash

set -e -o pipefail

if test -n "$GIT_PUSH_OPTION_COUNT"; then
  i=0
  while test "$i" -lt "$GIT_PUSH_OPTION_COUNT"; do
    eval "value=\$GIT_PUSH_OPTION_$i"
    case "$value" in
    real-force)
      REAL_FORCE=1
      echo "WARNING: Real force is set. All branches will be unprotected."
      ;;
    esac
    i=$((i + 1))
  done
fi

stdin_record=$(cat)

handle_line() {
  old=$(expr substr "$1" 1 8)
  new=$(expr substr "$2" 1 8)
  ref_name="$3"
  protected_file="$GIT_DIR/protected"

  if [[ -f "$protected_file" ]] && ! git merge-base --is-ancestor "$old" "$new"; then
    while read -r line; do
      if grep -q "^$ref_name$" <<<"$line"; then
        echo "ERROR: $ref_name is not fast-forward and protected by rule $line : $old -> $new" 1>&2
        has_error=1
      fi
    done <"$protected_file"
  fi
  if [[ -n "$has_error" ]]; then
    [[ -n "$REAL_FORCE" ]] || exit 1
    echo "WARNING: Real force is set. Continuing with the push."
  fi
}

while read -r line; do
  handle_line $line
done <<<"$stdin_record"

if [[ -x /git/private/git/hooks/pre-receive ]]; then
  /git/private/git/hooks/pre-receive "$@"
fi

if [[ -x "$GIT_DIR/hooks/pre-receive" ]]; then
  "$GIT_DIR/hooks/pre-receive" "$@"
fi