builtin / receive-pack.con commit Merge branch 'ja/dir-rename-doc-markup-fix' (081b08c)
   1#include "builtin.h"
   2#include "repository.h"
   3#include "config.h"
   4#include "lockfile.h"
   5#include "pack.h"
   6#include "refs.h"
   7#include "pkt-line.h"
   8#include "sideband.h"
   9#include "run-command.h"
  10#include "exec-cmd.h"
  11#include "commit.h"
  12#include "object.h"
  13#include "remote.h"
  14#include "connect.h"
  15#include "transport.h"
  16#include "string-list.h"
  17#include "sha1-array.h"
  18#include "connected.h"
  19#include "argv-array.h"
  20#include "version.h"
  21#include "tag.h"
  22#include "gpg-interface.h"
  23#include "sigchain.h"
  24#include "fsck.h"
  25#include "tmp-objdir.h"
  26#include "oidset.h"
  27#include "packfile.h"
  28#include "object-store.h"
  29#include "protocol.h"
  30#include "commit-reach.h"
  31
  32static const char * const receive_pack_usage[] = {
  33        N_("git receive-pack <git-dir>"),
  34        NULL
  35};
  36
  37enum deny_action {
  38        DENY_UNCONFIGURED,
  39        DENY_IGNORE,
  40        DENY_WARN,
  41        DENY_REFUSE,
  42        DENY_UPDATE_INSTEAD
  43};
  44
  45static int deny_deletes;
  46static int deny_non_fast_forwards;
  47static enum deny_action deny_current_branch = DENY_UNCONFIGURED;
  48static enum deny_action deny_delete_current = DENY_UNCONFIGURED;
  49static int receive_fsck_objects = -1;
  50static int transfer_fsck_objects = -1;
  51static struct strbuf fsck_msg_types = STRBUF_INIT;
  52static int receive_unpack_limit = -1;
  53static int transfer_unpack_limit = -1;
  54static int advertise_atomic_push = 1;
  55static int advertise_push_options;
  56static int unpack_limit = 100;
  57static off_t max_input_size;
  58static int report_status;
  59static int use_sideband;
  60static int use_atomic;
  61static int use_push_options;
  62static int quiet;
  63static int prefer_ofs_delta = 1;
  64static int auto_update_server_info;
  65static int auto_gc = 1;
  66static int reject_thin;
  67static int stateless_rpc;
  68static const char *service_dir;
  69static const char *head_name;
  70static void *head_name_to_free;
  71static int sent_capabilities;
  72static int shallow_update;
  73static const char *alt_shallow_file;
  74static struct strbuf push_cert = STRBUF_INIT;
  75static struct object_id push_cert_oid;
  76static struct signature_check sigcheck;
  77static const char *push_cert_nonce;
  78static const char *cert_nonce_seed;
  79
  80static const char *NONCE_UNSOLICITED = "UNSOLICITED";
  81static const char *NONCE_BAD = "BAD";
  82static const char *NONCE_MISSING = "MISSING";
  83static const char *NONCE_OK = "OK";
  84static const char *NONCE_SLOP = "SLOP";
  85static const char *nonce_status;
  86static long nonce_stamp_slop;
  87static timestamp_t nonce_stamp_slop_limit;
  88static struct ref_transaction *transaction;
  89
  90static enum {
  91        KEEPALIVE_NEVER = 0,
  92        KEEPALIVE_AFTER_NUL,
  93        KEEPALIVE_ALWAYS
  94} use_keepalive;
  95static int keepalive_in_sec = 5;
  96
  97static struct tmp_objdir *tmp_objdir;
  98
  99static enum deny_action parse_deny_action(const char *var, const char *value)
 100{
 101        if (value) {
 102                if (!strcasecmp(value, "ignore"))
 103                        return DENY_IGNORE;
 104                if (!strcasecmp(value, "warn"))
 105                        return DENY_WARN;
 106                if (!strcasecmp(value, "refuse"))
 107                        return DENY_REFUSE;
 108                if (!strcasecmp(value, "updateinstead"))
 109                        return DENY_UPDATE_INSTEAD;
 110        }
 111        if (git_config_bool(var, value))
 112                return DENY_REFUSE;
 113        return DENY_IGNORE;
 114}
 115
 116static int receive_pack_config(const char *var, const char *value, void *cb)
 117{
 118        int status = parse_hide_refs_config(var, value, "receive");
 119
 120        if (status)
 121                return status;
 122
 123        if (strcmp(var, "receive.denydeletes") == 0) {
 124                deny_deletes = git_config_bool(var, value);
 125                return 0;
 126        }
 127
 128        if (strcmp(var, "receive.denynonfastforwards") == 0) {
 129                deny_non_fast_forwards = git_config_bool(var, value);
 130                return 0;
 131        }
 132
 133        if (strcmp(var, "receive.unpacklimit") == 0) {
 134                receive_unpack_limit = git_config_int(var, value);
 135                return 0;
 136        }
 137
 138        if (strcmp(var, "transfer.unpacklimit") == 0) {
 139                transfer_unpack_limit = git_config_int(var, value);
 140                return 0;
 141        }
 142
 143        if (strcmp(var, "receive.fsck.skiplist") == 0) {
 144                const char *path;
 145
 146                if (git_config_pathname(&path, var, value))
 147                        return 1;
 148                strbuf_addf(&fsck_msg_types, "%cskiplist=%s",
 149                        fsck_msg_types.len ? ',' : '=', path);
 150                free((char *)path);
 151                return 0;
 152        }
 153
 154        if (skip_prefix(var, "receive.fsck.", &var)) {
 155                if (is_valid_msg_type(var, value))
 156                        strbuf_addf(&fsck_msg_types, "%c%s=%s",
 157                                fsck_msg_types.len ? ',' : '=', var, value);
 158                else
 159                        warning("Skipping unknown msg id '%s'", var);
 160                return 0;
 161        }
 162
 163        if (strcmp(var, "receive.fsckobjects") == 0) {
 164                receive_fsck_objects = git_config_bool(var, value);
 165                return 0;
 166        }
 167
 168        if (strcmp(var, "transfer.fsckobjects") == 0) {
 169                transfer_fsck_objects = git_config_bool(var, value);
 170                return 0;
 171        }
 172
 173        if (!strcmp(var, "receive.denycurrentbranch")) {
 174                deny_current_branch = parse_deny_action(var, value);
 175                return 0;
 176        }
 177
 178        if (strcmp(var, "receive.denydeletecurrent") == 0) {
 179                deny_delete_current = parse_deny_action(var, value);
 180                return 0;
 181        }
 182
 183        if (strcmp(var, "repack.usedeltabaseoffset") == 0) {
 184                prefer_ofs_delta = git_config_bool(var, value);
 185                return 0;
 186        }
 187
 188        if (strcmp(var, "receive.updateserverinfo") == 0) {
 189                auto_update_server_info = git_config_bool(var, value);
 190                return 0;
 191        }
 192
 193        if (strcmp(var, "receive.autogc") == 0) {
 194                auto_gc = git_config_bool(var, value);
 195                return 0;
 196        }
 197
 198        if (strcmp(var, "receive.shallowupdate") == 0) {
 199                shallow_update = git_config_bool(var, value);
 200                return 0;
 201        }
 202
 203        if (strcmp(var, "receive.certnonceseed") == 0)
 204                return git_config_string(&cert_nonce_seed, var, value);
 205
 206        if (strcmp(var, "receive.certnonceslop") == 0) {
 207                nonce_stamp_slop_limit = git_config_ulong(var, value);
 208                return 0;
 209        }
 210
 211        if (strcmp(var, "receive.advertiseatomic") == 0) {
 212                advertise_atomic_push = git_config_bool(var, value);
 213                return 0;
 214        }
 215
 216        if (strcmp(var, "receive.advertisepushoptions") == 0) {
 217                advertise_push_options = git_config_bool(var, value);
 218                return 0;
 219        }
 220
 221        if (strcmp(var, "receive.keepalive") == 0) {
 222                keepalive_in_sec = git_config_int(var, value);
 223                return 0;
 224        }
 225
 226        if (strcmp(var, "receive.maxinputsize") == 0) {
 227                max_input_size = git_config_int64(var, value);
 228                return 0;
 229        }
 230
 231        return git_default_config(var, value, cb);
 232}
 233
 234static void show_ref(const char *path, const struct object_id *oid)
 235{
 236        if (sent_capabilities) {
 237                packet_write_fmt(1, "%s %s\n", oid_to_hex(oid), path);
 238        } else {
 239                struct strbuf cap = STRBUF_INIT;
 240
 241                strbuf_addstr(&cap,
 242                              "report-status delete-refs side-band-64k quiet");
 243                if (advertise_atomic_push)
 244                        strbuf_addstr(&cap, " atomic");
 245                if (prefer_ofs_delta)
 246                        strbuf_addstr(&cap, " ofs-delta");
 247                if (push_cert_nonce)
 248                        strbuf_addf(&cap, " push-cert=%s", push_cert_nonce);
 249                if (advertise_push_options)
 250                        strbuf_addstr(&cap, " push-options");
 251                strbuf_addf(&cap, " agent=%s", git_user_agent_sanitized());
 252                packet_write_fmt(1, "%s %s%c%s\n",
 253                             oid_to_hex(oid), path, 0, cap.buf);
 254                strbuf_release(&cap);
 255                sent_capabilities = 1;
 256        }
 257}
 258
 259static int show_ref_cb(const char *path_full, const struct object_id *oid,
 260                       int flag, void *data)
 261{
 262        struct oidset *seen = data;
 263        const char *path = strip_namespace(path_full);
 264
 265        if (ref_is_hidden(path, path_full))
 266                return 0;
 267
 268        /*
 269         * Advertise refs outside our current namespace as ".have"
 270         * refs, so that the client can use them to minimize data
 271         * transfer but will otherwise ignore them.
 272         */
 273        if (!path) {
 274                if (oidset_insert(seen, oid))
 275                        return 0;
 276                path = ".have";
 277        } else {
 278                oidset_insert(seen, oid);
 279        }
 280        show_ref(path, oid);
 281        return 0;
 282}
 283
 284static void show_one_alternate_ref(const struct object_id *oid,
 285                                   void *data)
 286{
 287        struct oidset *seen = data;
 288
 289        if (oidset_insert(seen, oid))
 290                return;
 291
 292        show_ref(".have", oid);
 293}
 294
 295static void write_head_info(void)
 296{
 297        static struct oidset seen = OIDSET_INIT;
 298
 299        for_each_ref(show_ref_cb, &seen);
 300        for_each_alternate_ref(show_one_alternate_ref, &seen);
 301        oidset_clear(&seen);
 302        if (!sent_capabilities)
 303                show_ref("capabilities^{}", &null_oid);
 304
 305        advertise_shallow_grafts(1);
 306
 307        /* EOF */
 308        packet_flush(1);
 309}
 310
 311struct command {
 312        struct command *next;
 313        const char *error_string;
 314        unsigned int skip_update:1,
 315                     did_not_exist:1;
 316        int index;
 317        struct object_id old_oid;
 318        struct object_id new_oid;
 319        char ref_name[FLEX_ARRAY]; /* more */
 320};
 321
 322static void rp_error(const char *err, ...) __attribute__((format (printf, 1, 2)));
 323static void rp_warning(const char *err, ...) __attribute__((format (printf, 1, 2)));
 324
 325static void report_message(const char *prefix, const char *err, va_list params)
 326{
 327        int sz;
 328        char msg[4096];
 329
 330        sz = xsnprintf(msg, sizeof(msg), "%s", prefix);
 331        sz += vsnprintf(msg + sz, sizeof(msg) - sz, err, params);
 332        if (sz > (sizeof(msg) - 1))
 333                sz = sizeof(msg) - 1;
 334        msg[sz++] = '\n';
 335
 336        if (use_sideband)
 337                send_sideband(1, 2, msg, sz, use_sideband);
 338        else
 339                xwrite(2, msg, sz);
 340}
 341
 342static void rp_warning(const char *err, ...)
 343{
 344        va_list params;
 345        va_start(params, err);
 346        report_message("warning: ", err, params);
 347        va_end(params);
 348}
 349
 350static void rp_error(const char *err, ...)
 351{
 352        va_list params;
 353        va_start(params, err);
 354        report_message("error: ", err, params);
 355        va_end(params);
 356}
 357
 358static int copy_to_sideband(int in, int out, void *arg)
 359{
 360        char data[128];
 361        int keepalive_active = 0;
 362
 363        if (keepalive_in_sec <= 0)
 364                use_keepalive = KEEPALIVE_NEVER;
 365        if (use_keepalive == KEEPALIVE_ALWAYS)
 366                keepalive_active = 1;
 367
 368        while (1) {
 369                ssize_t sz;
 370
 371                if (keepalive_active) {
 372                        struct pollfd pfd;
 373                        int ret;
 374
 375                        pfd.fd = in;
 376                        pfd.events = POLLIN;
 377                        ret = poll(&pfd, 1, 1000 * keepalive_in_sec);
 378
 379                        if (ret < 0) {
 380                                if (errno == EINTR)
 381                                        continue;
 382                                else
 383                                        break;
 384                        } else if (ret == 0) {
 385                                /* no data; send a keepalive packet */
 386                                static const char buf[] = "0005\1";
 387                                write_or_die(1, buf, sizeof(buf) - 1);
 388                                continue;
 389                        } /* else there is actual data to read */
 390                }
 391
 392                sz = xread(in, data, sizeof(data));
 393                if (sz <= 0)
 394                        break;
 395
 396                if (use_keepalive == KEEPALIVE_AFTER_NUL && !keepalive_active) {
 397                        const char *p = memchr(data, '\0', sz);
 398                        if (p) {
 399                                /*
 400                                 * The NUL tells us to start sending keepalives. Make
 401                                 * sure we send any other data we read along
 402                                 * with it.
 403                                 */
 404                                keepalive_active = 1;
 405                                send_sideband(1, 2, data, p - data, use_sideband);
 406                                send_sideband(1, 2, p + 1, sz - (p - data + 1), use_sideband);
 407                                continue;
 408                        }
 409                }
 410
 411                /*
 412                 * Either we're not looking for a NUL signal, or we didn't see
 413                 * it yet; just pass along the data.
 414                 */
 415                send_sideband(1, 2, data, sz, use_sideband);
 416        }
 417        close(in);
 418        return 0;
 419}
 420
 421#define HMAC_BLOCK_SIZE 64
 422
 423static void hmac_sha1(unsigned char *out,
 424                      const char *key_in, size_t key_len,
 425                      const char *text, size_t text_len)
 426{
 427        unsigned char key[HMAC_BLOCK_SIZE];
 428        unsigned char k_ipad[HMAC_BLOCK_SIZE];
 429        unsigned char k_opad[HMAC_BLOCK_SIZE];
 430        int i;
 431        git_SHA_CTX ctx;
 432
 433        /* RFC 2104 2. (1) */
 434        memset(key, '\0', HMAC_BLOCK_SIZE);
 435        if (HMAC_BLOCK_SIZE < key_len) {
 436                git_SHA1_Init(&ctx);
 437                git_SHA1_Update(&ctx, key_in, key_len);
 438                git_SHA1_Final(key, &ctx);
 439        } else {
 440                memcpy(key, key_in, key_len);
 441        }
 442
 443        /* RFC 2104 2. (2) & (5) */
 444        for (i = 0; i < sizeof(key); i++) {
 445                k_ipad[i] = key[i] ^ 0x36;
 446                k_opad[i] = key[i] ^ 0x5c;
 447        }
 448
 449        /* RFC 2104 2. (3) & (4) */
 450        git_SHA1_Init(&ctx);
 451        git_SHA1_Update(&ctx, k_ipad, sizeof(k_ipad));
 452        git_SHA1_Update(&ctx, text, text_len);
 453        git_SHA1_Final(out, &ctx);
 454
 455        /* RFC 2104 2. (6) & (7) */
 456        git_SHA1_Init(&ctx);
 457        git_SHA1_Update(&ctx, k_opad, sizeof(k_opad));
 458        git_SHA1_Update(&ctx, out, GIT_SHA1_RAWSZ);
 459        git_SHA1_Final(out, &ctx);
 460}
 461
 462static char *prepare_push_cert_nonce(const char *path, timestamp_t stamp)
 463{
 464        struct strbuf buf = STRBUF_INIT;
 465        unsigned char sha1[GIT_SHA1_RAWSZ];
 466
 467        strbuf_addf(&buf, "%s:%"PRItime, path, stamp);
 468        hmac_sha1(sha1, buf.buf, buf.len, cert_nonce_seed, strlen(cert_nonce_seed));
 469        strbuf_release(&buf);
 470
 471        /* RFC 2104 5. HMAC-SHA1-80 */
 472        strbuf_addf(&buf, "%"PRItime"-%.*s", stamp, GIT_SHA1_HEXSZ, sha1_to_hex(sha1));
 473        return strbuf_detach(&buf, NULL);
 474}
 475
 476/*
 477 * NEEDSWORK: reuse find_commit_header() from jk/commit-author-parsing
 478 * after dropping "_commit" from its name and possibly moving it out
 479 * of commit.c
 480 */
 481static char *find_header(const char *msg, size_t len, const char *key,
 482                         const char **next_line)
 483{
 484        int key_len = strlen(key);
 485        const char *line = msg;
 486
 487        while (line && line < msg + len) {
 488                const char *eol = strchrnul(line, '\n');
 489
 490                if ((msg + len <= eol) || line == eol)
 491                        return NULL;
 492                if (line + key_len < eol &&
 493                    !memcmp(line, key, key_len) && line[key_len] == ' ') {
 494                        int offset = key_len + 1;
 495                        if (next_line)
 496                                *next_line = *eol ? eol + 1 : eol;
 497                        return xmemdupz(line + offset, (eol - line) - offset);
 498                }
 499                line = *eol ? eol + 1 : NULL;
 500        }
 501        return NULL;
 502}
 503
 504static const char *check_nonce(const char *buf, size_t len)
 505{
 506        char *nonce = find_header(buf, len, "nonce", NULL);
 507        timestamp_t stamp, ostamp;
 508        char *bohmac, *expect = NULL;
 509        const char *retval = NONCE_BAD;
 510
 511        if (!nonce) {
 512                retval = NONCE_MISSING;
 513                goto leave;
 514        } else if (!push_cert_nonce) {
 515                retval = NONCE_UNSOLICITED;
 516                goto leave;
 517        } else if (!strcmp(push_cert_nonce, nonce)) {
 518                retval = NONCE_OK;
 519                goto leave;
 520        }
 521
 522        if (!stateless_rpc) {
 523                /* returned nonce MUST match what we gave out earlier */
 524                retval = NONCE_BAD;
 525                goto leave;
 526        }
 527
 528        /*
 529         * In stateless mode, we may be receiving a nonce issued by
 530         * another instance of the server that serving the same
 531         * repository, and the timestamps may not match, but the
 532         * nonce-seed and dir should match, so we can recompute and
 533         * report the time slop.
 534         *
 535         * In addition, when a nonce issued by another instance has
 536         * timestamp within receive.certnonceslop seconds, we pretend
 537         * as if we issued that nonce when reporting to the hook.
 538         */
 539
 540        /* nonce is concat(<seconds-since-epoch>, "-", <hmac>) */
 541        if (*nonce <= '0' || '9' < *nonce) {
 542                retval = NONCE_BAD;
 543                goto leave;
 544        }
 545        stamp = parse_timestamp(nonce, &bohmac, 10);
 546        if (bohmac == nonce || bohmac[0] != '-') {
 547                retval = NONCE_BAD;
 548                goto leave;
 549        }
 550
 551        expect = prepare_push_cert_nonce(service_dir, stamp);
 552        if (strcmp(expect, nonce)) {
 553                /* Not what we would have signed earlier */
 554                retval = NONCE_BAD;
 555                goto leave;
 556        }
 557
 558        /*
 559         * By how many seconds is this nonce stale?  Negative value
 560         * would mean it was issued by another server with its clock
 561         * skewed in the future.
 562         */
 563        ostamp = parse_timestamp(push_cert_nonce, NULL, 10);
 564        nonce_stamp_slop = (long)ostamp - (long)stamp;
 565
 566        if (nonce_stamp_slop_limit &&
 567            labs(nonce_stamp_slop) <= nonce_stamp_slop_limit) {
 568                /*
 569                 * Pretend as if the received nonce (which passes the
 570                 * HMAC check, so it is not a forged by third-party)
 571                 * is what we issued.
 572                 */
 573                free((void *)push_cert_nonce);
 574                push_cert_nonce = xstrdup(nonce);
 575                retval = NONCE_OK;
 576        } else {
 577                retval = NONCE_SLOP;
 578        }
 579
 580leave:
 581        free(nonce);
 582        free(expect);
 583        return retval;
 584}
 585
 586/*
 587 * Return 1 if there is no push_cert or if the push options in push_cert are
 588 * the same as those in the argument; 0 otherwise.
 589 */
 590static int check_cert_push_options(const struct string_list *push_options)
 591{
 592        const char *buf = push_cert.buf;
 593        int len = push_cert.len;
 594
 595        char *option;
 596        const char *next_line;
 597        int options_seen = 0;
 598
 599        int retval = 1;
 600
 601        if (!len)
 602                return 1;
 603
 604        while ((option = find_header(buf, len, "push-option", &next_line))) {
 605                len -= (next_line - buf);
 606                buf = next_line;
 607                options_seen++;
 608                if (options_seen > push_options->nr
 609                    || strcmp(option,
 610                              push_options->items[options_seen - 1].string)) {
 611                        retval = 0;
 612                        goto leave;
 613                }
 614                free(option);
 615        }
 616
 617        if (options_seen != push_options->nr)
 618                retval = 0;
 619
 620leave:
 621        free(option);
 622        return retval;
 623}
 624
 625static void prepare_push_cert_sha1(struct child_process *proc)
 626{
 627        static int already_done;
 628
 629        if (!push_cert.len)
 630                return;
 631
 632        if (!already_done) {
 633                int bogs /* beginning_of_gpg_sig */;
 634
 635                already_done = 1;
 636                if (write_object_file(push_cert.buf, push_cert.len, "blob",
 637                                      &push_cert_oid))
 638                        oidclr(&push_cert_oid);
 639
 640                memset(&sigcheck, '\0', sizeof(sigcheck));
 641
 642                bogs = parse_signature(push_cert.buf, push_cert.len);
 643                check_signature(push_cert.buf, bogs, push_cert.buf + bogs,
 644                                push_cert.len - bogs, &sigcheck);
 645
 646                nonce_status = check_nonce(push_cert.buf, bogs);
 647        }
 648        if (!is_null_oid(&push_cert_oid)) {
 649                argv_array_pushf(&proc->env_array, "GIT_PUSH_CERT=%s",
 650                                 oid_to_hex(&push_cert_oid));
 651                argv_array_pushf(&proc->env_array, "GIT_PUSH_CERT_SIGNER=%s",
 652                                 sigcheck.signer ? sigcheck.signer : "");
 653                argv_array_pushf(&proc->env_array, "GIT_PUSH_CERT_KEY=%s",
 654                                 sigcheck.key ? sigcheck.key : "");
 655                argv_array_pushf(&proc->env_array, "GIT_PUSH_CERT_STATUS=%c",
 656                                 sigcheck.result);
 657                if (push_cert_nonce) {
 658                        argv_array_pushf(&proc->env_array,
 659                                         "GIT_PUSH_CERT_NONCE=%s",
 660                                         push_cert_nonce);
 661                        argv_array_pushf(&proc->env_array,
 662                                         "GIT_PUSH_CERT_NONCE_STATUS=%s",
 663                                         nonce_status);
 664                        if (nonce_status == NONCE_SLOP)
 665                                argv_array_pushf(&proc->env_array,
 666                                                 "GIT_PUSH_CERT_NONCE_SLOP=%ld",
 667                                                 nonce_stamp_slop);
 668                }
 669        }
 670}
 671
 672struct receive_hook_feed_state {
 673        struct command *cmd;
 674        int skip_broken;
 675        struct strbuf buf;
 676        const struct string_list *push_options;
 677};
 678
 679typedef int (*feed_fn)(void *, const char **, size_t *);
 680static int run_and_feed_hook(const char *hook_name, feed_fn feed,
 681                             struct receive_hook_feed_state *feed_state)
 682{
 683        struct child_process proc = CHILD_PROCESS_INIT;
 684        struct async muxer;
 685        const char *argv[2];
 686        int code;
 687
 688        argv[0] = find_hook(hook_name);
 689        if (!argv[0])
 690                return 0;
 691
 692        argv[1] = NULL;
 693
 694        proc.argv = argv;
 695        proc.in = -1;
 696        proc.stdout_to_stderr = 1;
 697        proc.trace2_hook_name = hook_name;
 698
 699        if (feed_state->push_options) {
 700                int i;
 701                for (i = 0; i < feed_state->push_options->nr; i++)
 702                        argv_array_pushf(&proc.env_array,
 703                                "GIT_PUSH_OPTION_%d=%s", i,
 704                                feed_state->push_options->items[i].string);
 705                argv_array_pushf(&proc.env_array, "GIT_PUSH_OPTION_COUNT=%d",
 706                                 feed_state->push_options->nr);
 707        } else
 708                argv_array_pushf(&proc.env_array, "GIT_PUSH_OPTION_COUNT");
 709
 710        if (tmp_objdir)
 711                argv_array_pushv(&proc.env_array, tmp_objdir_env(tmp_objdir));
 712
 713        if (use_sideband) {
 714                memset(&muxer, 0, sizeof(muxer));
 715                muxer.proc = copy_to_sideband;
 716                muxer.in = -1;
 717                code = start_async(&muxer);
 718                if (code)
 719                        return code;
 720                proc.err = muxer.in;
 721        }
 722
 723        prepare_push_cert_sha1(&proc);
 724
 725        code = start_command(&proc);
 726        if (code) {
 727                if (use_sideband)
 728                        finish_async(&muxer);
 729                return code;
 730        }
 731
 732        sigchain_push(SIGPIPE, SIG_IGN);
 733
 734        while (1) {
 735                const char *buf;
 736                size_t n;
 737                if (feed(feed_state, &buf, &n))
 738                        break;
 739                if (write_in_full(proc.in, buf, n) < 0)
 740                        break;
 741        }
 742        close(proc.in);
 743        if (use_sideband)
 744                finish_async(&muxer);
 745
 746        sigchain_pop(SIGPIPE);
 747
 748        return finish_command(&proc);
 749}
 750
 751static int feed_receive_hook(void *state_, const char **bufp, size_t *sizep)
 752{
 753        struct receive_hook_feed_state *state = state_;
 754        struct command *cmd = state->cmd;
 755
 756        while (cmd &&
 757               state->skip_broken && (cmd->error_string || cmd->did_not_exist))
 758                cmd = cmd->next;
 759        if (!cmd)
 760                return -1; /* EOF */
 761        strbuf_reset(&state->buf);
 762        strbuf_addf(&state->buf, "%s %s %s\n",
 763                    oid_to_hex(&cmd->old_oid), oid_to_hex(&cmd->new_oid),
 764                    cmd->ref_name);
 765        state->cmd = cmd->next;
 766        if (bufp) {
 767                *bufp = state->buf.buf;
 768                *sizep = state->buf.len;
 769        }
 770        return 0;
 771}
 772
 773static int run_receive_hook(struct command *commands,
 774                            const char *hook_name,
 775                            int skip_broken,
 776                            const struct string_list *push_options)
 777{
 778        struct receive_hook_feed_state state;
 779        int status;
 780
 781        strbuf_init(&state.buf, 0);
 782        state.cmd = commands;
 783        state.skip_broken = skip_broken;
 784        if (feed_receive_hook(&state, NULL, NULL))
 785                return 0;
 786        state.cmd = commands;
 787        state.push_options = push_options;
 788        status = run_and_feed_hook(hook_name, feed_receive_hook, &state);
 789        strbuf_release(&state.buf);
 790        return status;
 791}
 792
 793static int run_update_hook(struct command *cmd)
 794{
 795        const char *argv[5];
 796        struct child_process proc = CHILD_PROCESS_INIT;
 797        int code;
 798
 799        argv[0] = find_hook("update");
 800        if (!argv[0])
 801                return 0;
 802
 803        argv[1] = cmd->ref_name;
 804        argv[2] = oid_to_hex(&cmd->old_oid);
 805        argv[3] = oid_to_hex(&cmd->new_oid);
 806        argv[4] = NULL;
 807
 808        proc.no_stdin = 1;
 809        proc.stdout_to_stderr = 1;
 810        proc.err = use_sideband ? -1 : 0;
 811        proc.argv = argv;
 812        proc.trace2_hook_name = "update";
 813
 814        code = start_command(&proc);
 815        if (code)
 816                return code;
 817        if (use_sideband)
 818                copy_to_sideband(proc.err, -1, NULL);
 819        return finish_command(&proc);
 820}
 821
 822static int is_ref_checked_out(const char *ref)
 823{
 824        if (is_bare_repository())
 825                return 0;
 826
 827        if (!head_name)
 828                return 0;
 829        return !strcmp(head_name, ref);
 830}
 831
 832static char *refuse_unconfigured_deny_msg =
 833        N_("By default, updating the current branch in a non-bare repository\n"
 834           "is denied, because it will make the index and work tree inconsistent\n"
 835           "with what you pushed, and will require 'git reset --hard' to match\n"
 836           "the work tree to HEAD.\n"
 837           "\n"
 838           "You can set the 'receive.denyCurrentBranch' configuration variable\n"
 839           "to 'ignore' or 'warn' in the remote repository to allow pushing into\n"
 840           "its current branch; however, this is not recommended unless you\n"
 841           "arranged to update its work tree to match what you pushed in some\n"
 842           "other way.\n"
 843           "\n"
 844           "To squelch this message and still keep the default behaviour, set\n"
 845           "'receive.denyCurrentBranch' configuration variable to 'refuse'.");
 846
 847static void refuse_unconfigured_deny(void)
 848{
 849        rp_error("%s", _(refuse_unconfigured_deny_msg));
 850}
 851
 852static char *refuse_unconfigured_deny_delete_current_msg =
 853        N_("By default, deleting the current branch is denied, because the next\n"
 854           "'git clone' won't result in any file checked out, causing confusion.\n"
 855           "\n"
 856           "You can set 'receive.denyDeleteCurrent' configuration variable to\n"
 857           "'warn' or 'ignore' in the remote repository to allow deleting the\n"
 858           "current branch, with or without a warning message.\n"
 859           "\n"
 860           "To squelch this message, you can set it to 'refuse'.");
 861
 862static void refuse_unconfigured_deny_delete_current(void)
 863{
 864        rp_error("%s", _(refuse_unconfigured_deny_delete_current_msg));
 865}
 866
 867static int command_singleton_iterator(void *cb_data, struct object_id *oid);
 868static int update_shallow_ref(struct command *cmd, struct shallow_info *si)
 869{
 870        struct lock_file shallow_lock = LOCK_INIT;
 871        struct oid_array extra = OID_ARRAY_INIT;
 872        struct check_connected_options opt = CHECK_CONNECTED_INIT;
 873        uint32_t mask = 1 << (cmd->index % 32);
 874        int i;
 875
 876        trace_printf_key(&trace_shallow,
 877                         "shallow: update_shallow_ref %s\n", cmd->ref_name);
 878        for (i = 0; i < si->shallow->nr; i++)
 879                if (si->used_shallow[i] &&
 880                    (si->used_shallow[i][cmd->index / 32] & mask) &&
 881                    !delayed_reachability_test(si, i))
 882                        oid_array_append(&extra, &si->shallow->oid[i]);
 883
 884        opt.env = tmp_objdir_env(tmp_objdir);
 885        setup_alternate_shallow(&shallow_lock, &opt.shallow_file, &extra);
 886        if (check_connected(command_singleton_iterator, cmd, &opt)) {
 887                rollback_lock_file(&shallow_lock);
 888                oid_array_clear(&extra);
 889                return -1;
 890        }
 891
 892        commit_lock_file(&shallow_lock);
 893
 894        /*
 895         * Make sure setup_alternate_shallow() for the next ref does
 896         * not lose these new roots..
 897         */
 898        for (i = 0; i < extra.nr; i++)
 899                register_shallow(the_repository, &extra.oid[i]);
 900
 901        si->shallow_ref[cmd->index] = 0;
 902        oid_array_clear(&extra);
 903        return 0;
 904}
 905
 906/*
 907 * NEEDSWORK: we should consolidate various implementions of "are we
 908 * on an unborn branch?" test into one, and make the unified one more
 909 * robust. !get_sha1() based check used here and elsewhere would not
 910 * allow us to tell an unborn branch from corrupt ref, for example.
 911 * For the purpose of fixing "deploy-to-update does not work when
 912 * pushing into an empty repository" issue, this should suffice for
 913 * now.
 914 */
 915static int head_has_history(void)
 916{
 917        struct object_id oid;
 918
 919        return !get_oid("HEAD", &oid);
 920}
 921
 922static const char *push_to_deploy(unsigned char *sha1,
 923                                  struct argv_array *env,
 924                                  const char *work_tree)
 925{
 926        const char *update_refresh[] = {
 927                "update-index", "-q", "--ignore-submodules", "--refresh", NULL
 928        };
 929        const char *diff_files[] = {
 930                "diff-files", "--quiet", "--ignore-submodules", "--", NULL
 931        };
 932        const char *diff_index[] = {
 933                "diff-index", "--quiet", "--cached", "--ignore-submodules",
 934                NULL, "--", NULL
 935        };
 936        const char *read_tree[] = {
 937                "read-tree", "-u", "-m", NULL, NULL
 938        };
 939        struct child_process child = CHILD_PROCESS_INIT;
 940
 941        child.argv = update_refresh;
 942        child.env = env->argv;
 943        child.dir = work_tree;
 944        child.no_stdin = 1;
 945        child.stdout_to_stderr = 1;
 946        child.git_cmd = 1;
 947        if (run_command(&child))
 948                return "Up-to-date check failed";
 949
 950        /* run_command() does not clean up completely; reinitialize */
 951        child_process_init(&child);
 952        child.argv = diff_files;
 953        child.env = env->argv;
 954        child.dir = work_tree;
 955        child.no_stdin = 1;
 956        child.stdout_to_stderr = 1;
 957        child.git_cmd = 1;
 958        if (run_command(&child))
 959                return "Working directory has unstaged changes";
 960
 961        /* diff-index with either HEAD or an empty tree */
 962        diff_index[4] = head_has_history() ? "HEAD" : empty_tree_oid_hex();
 963
 964        child_process_init(&child);
 965        child.argv = diff_index;
 966        child.env = env->argv;
 967        child.no_stdin = 1;
 968        child.no_stdout = 1;
 969        child.stdout_to_stderr = 0;
 970        child.git_cmd = 1;
 971        if (run_command(&child))
 972                return "Working directory has staged changes";
 973
 974        read_tree[3] = sha1_to_hex(sha1);
 975        child_process_init(&child);
 976        child.argv = read_tree;
 977        child.env = env->argv;
 978        child.dir = work_tree;
 979        child.no_stdin = 1;
 980        child.no_stdout = 1;
 981        child.stdout_to_stderr = 0;
 982        child.git_cmd = 1;
 983        if (run_command(&child))
 984                return "Could not update working tree to new HEAD";
 985
 986        return NULL;
 987}
 988
 989static const char *push_to_checkout_hook = "push-to-checkout";
 990
 991static const char *push_to_checkout(unsigned char *sha1,
 992                                    struct argv_array *env,
 993                                    const char *work_tree)
 994{
 995        argv_array_pushf(env, "GIT_WORK_TREE=%s", absolute_path(work_tree));
 996        if (run_hook_le(env->argv, push_to_checkout_hook,
 997                        sha1_to_hex(sha1), NULL))
 998                return "push-to-checkout hook declined";
 999        else
1000                return NULL;
1001}
1002
1003static const char *update_worktree(unsigned char *sha1)
1004{
1005        const char *retval;
1006        const char *work_tree = git_work_tree_cfg ? git_work_tree_cfg : "..";
1007        struct argv_array env = ARGV_ARRAY_INIT;
1008
1009        if (is_bare_repository())
1010                return "denyCurrentBranch = updateInstead needs a worktree";
1011
1012        argv_array_pushf(&env, "GIT_DIR=%s", absolute_path(get_git_dir()));
1013
1014        if (!find_hook(push_to_checkout_hook))
1015                retval = push_to_deploy(sha1, &env, work_tree);
1016        else
1017                retval = push_to_checkout(sha1, &env, work_tree);
1018
1019        argv_array_clear(&env);
1020        return retval;
1021}
1022
1023static const char *update(struct command *cmd, struct shallow_info *si)
1024{
1025        const char *name = cmd->ref_name;
1026        struct strbuf namespaced_name_buf = STRBUF_INIT;
1027        static char *namespaced_name;
1028        const char *ret;
1029        struct object_id *old_oid = &cmd->old_oid;
1030        struct object_id *new_oid = &cmd->new_oid;
1031        int do_update_worktree = 0;
1032
1033        /* only refs/... are allowed */
1034        if (!starts_with(name, "refs/") || check_refname_format(name + 5, 0)) {
1035                rp_error("refusing to create funny ref '%s' remotely", name);
1036                return "funny refname";
1037        }
1038
1039        strbuf_addf(&namespaced_name_buf, "%s%s", get_git_namespace(), name);
1040        free(namespaced_name);
1041        namespaced_name = strbuf_detach(&namespaced_name_buf, NULL);
1042
1043        if (is_ref_checked_out(namespaced_name)) {
1044                switch (deny_current_branch) {
1045                case DENY_IGNORE:
1046                        break;
1047                case DENY_WARN:
1048                        rp_warning("updating the current branch");
1049                        break;
1050                case DENY_REFUSE:
1051                case DENY_UNCONFIGURED:
1052                        rp_error("refusing to update checked out branch: %s", name);
1053                        if (deny_current_branch == DENY_UNCONFIGURED)
1054                                refuse_unconfigured_deny();
1055                        return "branch is currently checked out";
1056                case DENY_UPDATE_INSTEAD:
1057                        /* pass -- let other checks intervene first */
1058                        do_update_worktree = 1;
1059                        break;
1060                }
1061        }
1062
1063        if (!is_null_oid(new_oid) && !has_object_file(new_oid)) {
1064                error("unpack should have generated %s, "
1065                      "but I can't find it!", oid_to_hex(new_oid));
1066                return "bad pack";
1067        }
1068
1069        if (!is_null_oid(old_oid) && is_null_oid(new_oid)) {
1070                if (deny_deletes && starts_with(name, "refs/heads/")) {
1071                        rp_error("denying ref deletion for %s", name);
1072                        return "deletion prohibited";
1073                }
1074
1075                if (head_name && !strcmp(namespaced_name, head_name)) {
1076                        switch (deny_delete_current) {
1077                        case DENY_IGNORE:
1078                                break;
1079                        case DENY_WARN:
1080                                rp_warning("deleting the current branch");
1081                                break;
1082                        case DENY_REFUSE:
1083                        case DENY_UNCONFIGURED:
1084                        case DENY_UPDATE_INSTEAD:
1085                                if (deny_delete_current == DENY_UNCONFIGURED)
1086                                        refuse_unconfigured_deny_delete_current();
1087                                rp_error("refusing to delete the current branch: %s", name);
1088                                return "deletion of the current branch prohibited";
1089                        default:
1090                                return "Invalid denyDeleteCurrent setting";
1091                        }
1092                }
1093        }
1094
1095        if (deny_non_fast_forwards && !is_null_oid(new_oid) &&
1096            !is_null_oid(old_oid) &&
1097            starts_with(name, "refs/heads/")) {
1098                struct object *old_object, *new_object;
1099                struct commit *old_commit, *new_commit;
1100
1101                old_object = parse_object(the_repository, old_oid);
1102                new_object = parse_object(the_repository, new_oid);
1103
1104                if (!old_object || !new_object ||
1105                    old_object->type != OBJ_COMMIT ||
1106                    new_object->type != OBJ_COMMIT) {
1107                        error("bad sha1 objects for %s", name);
1108                        return "bad ref";
1109                }
1110                old_commit = (struct commit *)old_object;
1111                new_commit = (struct commit *)new_object;
1112                if (!in_merge_bases(old_commit, new_commit)) {
1113                        rp_error("denying non-fast-forward %s"
1114                                 " (you should pull first)", name);
1115                        return "non-fast-forward";
1116                }
1117        }
1118        if (run_update_hook(cmd)) {
1119                rp_error("hook declined to update %s", name);
1120                return "hook declined";
1121        }
1122
1123        if (do_update_worktree) {
1124                ret = update_worktree(new_oid->hash);
1125                if (ret)
1126                        return ret;
1127        }
1128
1129        if (is_null_oid(new_oid)) {
1130                struct strbuf err = STRBUF_INIT;
1131                if (!parse_object(the_repository, old_oid)) {
1132                        old_oid = NULL;
1133                        if (ref_exists(name)) {
1134                                rp_warning("Allowing deletion of corrupt ref.");
1135                        } else {
1136                                rp_warning("Deleting a non-existent ref.");
1137                                cmd->did_not_exist = 1;
1138                        }
1139                }
1140                if (ref_transaction_delete(transaction,
1141                                           namespaced_name,
1142                                           old_oid,
1143                                           0, "push", &err)) {
1144                        rp_error("%s", err.buf);
1145                        strbuf_release(&err);
1146                        return "failed to delete";
1147                }
1148                strbuf_release(&err);
1149                return NULL; /* good */
1150        }
1151        else {
1152                struct strbuf err = STRBUF_INIT;
1153                if (shallow_update && si->shallow_ref[cmd->index] &&
1154                    update_shallow_ref(cmd, si))
1155                        return "shallow error";
1156
1157                if (ref_transaction_update(transaction,
1158                                           namespaced_name,
1159                                           new_oid, old_oid,
1160                                           0, "push",
1161                                           &err)) {
1162                        rp_error("%s", err.buf);
1163                        strbuf_release(&err);
1164
1165                        return "failed to update ref";
1166                }
1167                strbuf_release(&err);
1168
1169                return NULL; /* good */
1170        }
1171}
1172
1173static void run_update_post_hook(struct command *commands)
1174{
1175        struct command *cmd;
1176        struct child_process proc = CHILD_PROCESS_INIT;
1177        const char *hook;
1178
1179        hook = find_hook("post-update");
1180        if (!hook)
1181                return;
1182
1183        for (cmd = commands; cmd; cmd = cmd->next) {
1184                if (cmd->error_string || cmd->did_not_exist)
1185                        continue;
1186                if (!proc.args.argc)
1187                        argv_array_push(&proc.args, hook);
1188                argv_array_push(&proc.args, cmd->ref_name);
1189        }
1190        if (!proc.args.argc)
1191                return;
1192
1193        proc.no_stdin = 1;
1194        proc.stdout_to_stderr = 1;
1195        proc.err = use_sideband ? -1 : 0;
1196        proc.trace2_hook_name = "post-update";
1197
1198        if (!start_command(&proc)) {
1199                if (use_sideband)
1200                        copy_to_sideband(proc.err, -1, NULL);
1201                finish_command(&proc);
1202        }
1203}
1204
1205static void check_aliased_update_internal(struct command *cmd,
1206                                          struct string_list *list,
1207                                          const char *dst_name, int flag)
1208{
1209        struct string_list_item *item;
1210        struct command *dst_cmd;
1211
1212        if (!(flag & REF_ISSYMREF))
1213                return;
1214
1215        if (!dst_name) {
1216                rp_error("refusing update to broken symref '%s'", cmd->ref_name);
1217                cmd->skip_update = 1;
1218                cmd->error_string = "broken symref";
1219                return;
1220        }
1221        dst_name = strip_namespace(dst_name);
1222
1223        if ((item = string_list_lookup(list, dst_name)) == NULL)
1224                return;
1225
1226        cmd->skip_update = 1;
1227
1228        dst_cmd = (struct command *) item->util;
1229
1230        if (oideq(&cmd->old_oid, &dst_cmd->old_oid) &&
1231            oideq(&cmd->new_oid, &dst_cmd->new_oid))
1232                return;
1233
1234        dst_cmd->skip_update = 1;
1235
1236        rp_error("refusing inconsistent update between symref '%s' (%s..%s) and"
1237                 " its target '%s' (%s..%s)",
1238                 cmd->ref_name,
1239                 find_unique_abbrev(&cmd->old_oid, DEFAULT_ABBREV),
1240                 find_unique_abbrev(&cmd->new_oid, DEFAULT_ABBREV),
1241                 dst_cmd->ref_name,
1242                 find_unique_abbrev(&dst_cmd->old_oid, DEFAULT_ABBREV),
1243                 find_unique_abbrev(&dst_cmd->new_oid, DEFAULT_ABBREV));
1244
1245        cmd->error_string = dst_cmd->error_string =
1246                "inconsistent aliased update";
1247}
1248
1249static void check_aliased_update(struct command *cmd, struct string_list *list)
1250{
1251        struct strbuf buf = STRBUF_INIT;
1252        const char *dst_name;
1253        int flag;
1254
1255        strbuf_addf(&buf, "%s%s", get_git_namespace(), cmd->ref_name);
1256        dst_name = resolve_ref_unsafe(buf.buf, 0, NULL, &flag);
1257        check_aliased_update_internal(cmd, list, dst_name, flag);
1258        strbuf_release(&buf);
1259}
1260
1261static void check_aliased_updates(struct command *commands)
1262{
1263        struct command *cmd;
1264        struct string_list ref_list = STRING_LIST_INIT_NODUP;
1265
1266        for (cmd = commands; cmd; cmd = cmd->next) {
1267                struct string_list_item *item =
1268                        string_list_append(&ref_list, cmd->ref_name);
1269                item->util = (void *)cmd;
1270        }
1271        string_list_sort(&ref_list);
1272
1273        for (cmd = commands; cmd; cmd = cmd->next) {
1274                if (!cmd->error_string)
1275                        check_aliased_update(cmd, &ref_list);
1276        }
1277
1278        string_list_clear(&ref_list, 0);
1279}
1280
1281static int command_singleton_iterator(void *cb_data, struct object_id *oid)
1282{
1283        struct command **cmd_list = cb_data;
1284        struct command *cmd = *cmd_list;
1285
1286        if (!cmd || is_null_oid(&cmd->new_oid))
1287                return -1; /* end of list */
1288        *cmd_list = NULL; /* this returns only one */
1289        oidcpy(oid, &cmd->new_oid);
1290        return 0;
1291}
1292
1293static void set_connectivity_errors(struct command *commands,
1294                                    struct shallow_info *si)
1295{
1296        struct command *cmd;
1297
1298        for (cmd = commands; cmd; cmd = cmd->next) {
1299                struct command *singleton = cmd;
1300                struct check_connected_options opt = CHECK_CONNECTED_INIT;
1301
1302                if (shallow_update && si->shallow_ref[cmd->index])
1303                        /* to be checked in update_shallow_ref() */
1304                        continue;
1305
1306                opt.env = tmp_objdir_env(tmp_objdir);
1307                if (!check_connected(command_singleton_iterator, &singleton,
1308                                     &opt))
1309                        continue;
1310
1311                cmd->error_string = "missing necessary objects";
1312        }
1313}
1314
1315struct iterate_data {
1316        struct command *cmds;
1317        struct shallow_info *si;
1318};
1319
1320static int iterate_receive_command_list(void *cb_data, struct object_id *oid)
1321{
1322        struct iterate_data *data = cb_data;
1323        struct command **cmd_list = &data->cmds;
1324        struct command *cmd = *cmd_list;
1325
1326        for (; cmd; cmd = cmd->next) {
1327                if (shallow_update && data->si->shallow_ref[cmd->index])
1328                        /* to be checked in update_shallow_ref() */
1329                        continue;
1330                if (!is_null_oid(&cmd->new_oid) && !cmd->skip_update) {
1331                        oidcpy(oid, &cmd->new_oid);
1332                        *cmd_list = cmd->next;
1333                        return 0;
1334                }
1335        }
1336        *cmd_list = NULL;
1337        return -1; /* end of list */
1338}
1339
1340static void reject_updates_to_hidden(struct command *commands)
1341{
1342        struct strbuf refname_full = STRBUF_INIT;
1343        size_t prefix_len;
1344        struct command *cmd;
1345
1346        strbuf_addstr(&refname_full, get_git_namespace());
1347        prefix_len = refname_full.len;
1348
1349        for (cmd = commands; cmd; cmd = cmd->next) {
1350                if (cmd->error_string)
1351                        continue;
1352
1353                strbuf_setlen(&refname_full, prefix_len);
1354                strbuf_addstr(&refname_full, cmd->ref_name);
1355
1356                if (!ref_is_hidden(cmd->ref_name, refname_full.buf))
1357                        continue;
1358                if (is_null_oid(&cmd->new_oid))
1359                        cmd->error_string = "deny deleting a hidden ref";
1360                else
1361                        cmd->error_string = "deny updating a hidden ref";
1362        }
1363
1364        strbuf_release(&refname_full);
1365}
1366
1367static int should_process_cmd(struct command *cmd)
1368{
1369        return !cmd->error_string && !cmd->skip_update;
1370}
1371
1372static void warn_if_skipped_connectivity_check(struct command *commands,
1373                                               struct shallow_info *si)
1374{
1375        struct command *cmd;
1376        int checked_connectivity = 1;
1377
1378        for (cmd = commands; cmd; cmd = cmd->next) {
1379                if (should_process_cmd(cmd) && si->shallow_ref[cmd->index]) {
1380                        error("BUG: connectivity check has not been run on ref %s",
1381                              cmd->ref_name);
1382                        checked_connectivity = 0;
1383                }
1384        }
1385        if (!checked_connectivity)
1386                BUG("connectivity check skipped???");
1387}
1388
1389static void execute_commands_non_atomic(struct command *commands,
1390                                        struct shallow_info *si)
1391{
1392        struct command *cmd;
1393        struct strbuf err = STRBUF_INIT;
1394
1395        for (cmd = commands; cmd; cmd = cmd->next) {
1396                if (!should_process_cmd(cmd))
1397                        continue;
1398
1399                transaction = ref_transaction_begin(&err);
1400                if (!transaction) {
1401                        rp_error("%s", err.buf);
1402                        strbuf_reset(&err);
1403                        cmd->error_string = "transaction failed to start";
1404                        continue;
1405                }
1406
1407                cmd->error_string = update(cmd, si);
1408
1409                if (!cmd->error_string
1410                    && ref_transaction_commit(transaction, &err)) {
1411                        rp_error("%s", err.buf);
1412                        strbuf_reset(&err);
1413                        cmd->error_string = "failed to update ref";
1414                }
1415                ref_transaction_free(transaction);
1416        }
1417        strbuf_release(&err);
1418}
1419
1420static void execute_commands_atomic(struct command *commands,
1421                                        struct shallow_info *si)
1422{
1423        struct command *cmd;
1424        struct strbuf err = STRBUF_INIT;
1425        const char *reported_error = "atomic push failure";
1426
1427        transaction = ref_transaction_begin(&err);
1428        if (!transaction) {
1429                rp_error("%s", err.buf);
1430                strbuf_reset(&err);
1431                reported_error = "transaction failed to start";
1432                goto failure;
1433        }
1434
1435        for (cmd = commands; cmd; cmd = cmd->next) {
1436                if (!should_process_cmd(cmd))
1437                        continue;
1438
1439                cmd->error_string = update(cmd, si);
1440
1441                if (cmd->error_string)
1442                        goto failure;
1443        }
1444
1445        if (ref_transaction_commit(transaction, &err)) {
1446                rp_error("%s", err.buf);
1447                reported_error = "atomic transaction failed";
1448                goto failure;
1449        }
1450        goto cleanup;
1451
1452failure:
1453        for (cmd = commands; cmd; cmd = cmd->next)
1454                if (!cmd->error_string)
1455                        cmd->error_string = reported_error;
1456
1457cleanup:
1458        ref_transaction_free(transaction);
1459        strbuf_release(&err);
1460}
1461
1462static void execute_commands(struct command *commands,
1463                             const char *unpacker_error,
1464                             struct shallow_info *si,
1465                             const struct string_list *push_options)
1466{
1467        struct check_connected_options opt = CHECK_CONNECTED_INIT;
1468        struct command *cmd;
1469        struct iterate_data data;
1470        struct async muxer;
1471        int err_fd = 0;
1472
1473        if (unpacker_error) {
1474                for (cmd = commands; cmd; cmd = cmd->next)
1475                        cmd->error_string = "unpacker error";
1476                return;
1477        }
1478
1479        if (use_sideband) {
1480                memset(&muxer, 0, sizeof(muxer));
1481                muxer.proc = copy_to_sideband;
1482                muxer.in = -1;
1483                if (!start_async(&muxer))
1484                        err_fd = muxer.in;
1485                /* ...else, continue without relaying sideband */
1486        }
1487
1488        data.cmds = commands;
1489        data.si = si;
1490        opt.err_fd = err_fd;
1491        opt.progress = err_fd && !quiet;
1492        opt.env = tmp_objdir_env(tmp_objdir);
1493        if (check_connected(iterate_receive_command_list, &data, &opt))
1494                set_connectivity_errors(commands, si);
1495
1496        if (use_sideband)
1497                finish_async(&muxer);
1498
1499        reject_updates_to_hidden(commands);
1500
1501        if (run_receive_hook(commands, "pre-receive", 0, push_options)) {
1502                for (cmd = commands; cmd; cmd = cmd->next) {
1503                        if (!cmd->error_string)
1504                                cmd->error_string = "pre-receive hook declined";
1505                }
1506                return;
1507        }
1508
1509        /*
1510         * Now we'll start writing out refs, which means the objects need
1511         * to be in their final positions so that other processes can see them.
1512         */
1513        if (tmp_objdir_migrate(tmp_objdir) < 0) {
1514                for (cmd = commands; cmd; cmd = cmd->next) {
1515                        if (!cmd->error_string)
1516                                cmd->error_string = "unable to migrate objects to permanent storage";
1517                }
1518                return;
1519        }
1520        tmp_objdir = NULL;
1521
1522        check_aliased_updates(commands);
1523
1524        free(head_name_to_free);
1525        head_name = head_name_to_free = resolve_refdup("HEAD", 0, NULL, NULL);
1526
1527        if (use_atomic)
1528                execute_commands_atomic(commands, si);
1529        else
1530                execute_commands_non_atomic(commands, si);
1531
1532        if (shallow_update)
1533                warn_if_skipped_connectivity_check(commands, si);
1534}
1535
1536static struct command **queue_command(struct command **tail,
1537                                      const char *line,
1538                                      int linelen)
1539{
1540        struct object_id old_oid, new_oid;
1541        struct command *cmd;
1542        const char *refname;
1543        int reflen;
1544        const char *p;
1545
1546        if (parse_oid_hex(line, &old_oid, &p) ||
1547            *p++ != ' ' ||
1548            parse_oid_hex(p, &new_oid, &p) ||
1549            *p++ != ' ')
1550                die("protocol error: expected old/new/ref, got '%s'", line);
1551
1552        refname = p;
1553        reflen = linelen - (p - line);
1554        FLEX_ALLOC_MEM(cmd, ref_name, refname, reflen);
1555        oidcpy(&cmd->old_oid, &old_oid);
1556        oidcpy(&cmd->new_oid, &new_oid);
1557        *tail = cmd;
1558        return &cmd->next;
1559}
1560
1561static void queue_commands_from_cert(struct command **tail,
1562                                     struct strbuf *push_cert)
1563{
1564        const char *boc, *eoc;
1565
1566        if (*tail)
1567                die("protocol error: got both push certificate and unsigned commands");
1568
1569        boc = strstr(push_cert->buf, "\n\n");
1570        if (!boc)
1571                die("malformed push certificate %.*s", 100, push_cert->buf);
1572        else
1573                boc += 2;
1574        eoc = push_cert->buf + parse_signature(push_cert->buf, push_cert->len);
1575
1576        while (boc < eoc) {
1577                const char *eol = memchr(boc, '\n', eoc - boc);
1578                tail = queue_command(tail, boc, eol ? eol - boc : eoc - boc);
1579                boc = eol ? eol + 1 : eoc;
1580        }
1581}
1582
1583static struct command *read_head_info(struct packet_reader *reader,
1584                                      struct oid_array *shallow)
1585{
1586        struct command *commands = NULL;
1587        struct command **p = &commands;
1588        for (;;) {
1589                int linelen;
1590
1591                if (packet_reader_read(reader) != PACKET_READ_NORMAL)
1592                        break;
1593
1594                if (reader->pktlen > 8 && starts_with(reader->line, "shallow ")) {
1595                        struct object_id oid;
1596                        if (get_oid_hex(reader->line + 8, &oid))
1597                                die("protocol error: expected shallow sha, got '%s'",
1598                                    reader->line + 8);
1599                        oid_array_append(shallow, &oid);
1600                        continue;
1601                }
1602
1603                linelen = strlen(reader->line);
1604                if (linelen < reader->pktlen) {
1605                        const char *feature_list = reader->line + linelen + 1;
1606                        if (parse_feature_request(feature_list, "report-status"))
1607                                report_status = 1;
1608                        if (parse_feature_request(feature_list, "side-band-64k"))
1609                                use_sideband = LARGE_PACKET_MAX;
1610                        if (parse_feature_request(feature_list, "quiet"))
1611                                quiet = 1;
1612                        if (advertise_atomic_push
1613                            && parse_feature_request(feature_list, "atomic"))
1614                                use_atomic = 1;
1615                        if (advertise_push_options
1616                            && parse_feature_request(feature_list, "push-options"))
1617                                use_push_options = 1;
1618                }
1619
1620                if (!strcmp(reader->line, "push-cert")) {
1621                        int true_flush = 0;
1622                        int saved_options = reader->options;
1623                        reader->options &= ~PACKET_READ_CHOMP_NEWLINE;
1624
1625                        for (;;) {
1626                                packet_reader_read(reader);
1627                                if (reader->status == PACKET_READ_FLUSH) {
1628                                        true_flush = 1;
1629                                        break;
1630                                }
1631                                if (reader->status != PACKET_READ_NORMAL) {
1632                                        die("protocol error: got an unexpected packet");
1633                                }
1634                                if (!strcmp(reader->line, "push-cert-end\n"))
1635                                        break; /* end of cert */
1636                                strbuf_addstr(&push_cert, reader->line);
1637                        }
1638                        reader->options = saved_options;
1639
1640                        if (true_flush)
1641                                break;
1642                        continue;
1643                }
1644
1645                p = queue_command(p, reader->line, linelen);
1646        }
1647
1648        if (push_cert.len)
1649                queue_commands_from_cert(p, &push_cert);
1650
1651        return commands;
1652}
1653
1654static void read_push_options(struct packet_reader *reader,
1655                              struct string_list *options)
1656{
1657        while (1) {
1658                if (packet_reader_read(reader) != PACKET_READ_NORMAL)
1659                        break;
1660
1661                string_list_append(options, reader->line);
1662        }
1663}
1664
1665static const char *parse_pack_header(struct pack_header *hdr)
1666{
1667        switch (read_pack_header(0, hdr)) {
1668        case PH_ERROR_EOF:
1669                return "eof before pack header was fully read";
1670
1671        case PH_ERROR_PACK_SIGNATURE:
1672                return "protocol error (pack signature mismatch detected)";
1673
1674        case PH_ERROR_PROTOCOL:
1675                return "protocol error (pack version unsupported)";
1676
1677        default:
1678                return "unknown error in parse_pack_header";
1679
1680        case 0:
1681                return NULL;
1682        }
1683}
1684
1685static const char *pack_lockfile;
1686
1687static void push_header_arg(struct argv_array *args, struct pack_header *hdr)
1688{
1689        argv_array_pushf(args, "--pack_header=%"PRIu32",%"PRIu32,
1690                        ntohl(hdr->hdr_version), ntohl(hdr->hdr_entries));
1691}
1692
1693static const char *unpack(int err_fd, struct shallow_info *si)
1694{
1695        struct pack_header hdr;
1696        const char *hdr_err;
1697        int status;
1698        struct child_process child = CHILD_PROCESS_INIT;
1699        int fsck_objects = (receive_fsck_objects >= 0
1700                            ? receive_fsck_objects
1701                            : transfer_fsck_objects >= 0
1702                            ? transfer_fsck_objects
1703                            : 0);
1704
1705        hdr_err = parse_pack_header(&hdr);
1706        if (hdr_err) {
1707                if (err_fd > 0)
1708                        close(err_fd);
1709                return hdr_err;
1710        }
1711
1712        if (si->nr_ours || si->nr_theirs) {
1713                alt_shallow_file = setup_temporary_shallow(si->shallow);
1714                argv_array_push(&child.args, "--shallow-file");
1715                argv_array_push(&child.args, alt_shallow_file);
1716        }
1717
1718        tmp_objdir = tmp_objdir_create();
1719        if (!tmp_objdir) {
1720                if (err_fd > 0)
1721                        close(err_fd);
1722                return "unable to create temporary object directory";
1723        }
1724        child.env = tmp_objdir_env(tmp_objdir);
1725
1726        /*
1727         * Normally we just pass the tmp_objdir environment to the child
1728         * processes that do the heavy lifting, but we may need to see these
1729         * objects ourselves to set up shallow information.
1730         */
1731        tmp_objdir_add_as_alternate(tmp_objdir);
1732
1733        if (ntohl(hdr.hdr_entries) < unpack_limit) {
1734                argv_array_push(&child.args, "unpack-objects");
1735                push_header_arg(&child.args, &hdr);
1736                if (quiet)
1737                        argv_array_push(&child.args, "-q");
1738                if (fsck_objects)
1739                        argv_array_pushf(&child.args, "--strict%s",
1740                                fsck_msg_types.buf);
1741                if (max_input_size)
1742                        argv_array_pushf(&child.args, "--max-input-size=%"PRIuMAX,
1743                                (uintmax_t)max_input_size);
1744                child.no_stdout = 1;
1745                child.err = err_fd;
1746                child.git_cmd = 1;
1747                status = run_command(&child);
1748                if (status)
1749                        return "unpack-objects abnormal exit";
1750        } else {
1751                char hostname[HOST_NAME_MAX + 1];
1752
1753                argv_array_pushl(&child.args, "index-pack", "--stdin", NULL);
1754                push_header_arg(&child.args, &hdr);
1755
1756                if (xgethostname(hostname, sizeof(hostname)))
1757                        xsnprintf(hostname, sizeof(hostname), "localhost");
1758                argv_array_pushf(&child.args,
1759                                 "--keep=receive-pack %"PRIuMAX" on %s",
1760                                 (uintmax_t)getpid(),
1761                                 hostname);
1762
1763                if (!quiet && err_fd)
1764                        argv_array_push(&child.args, "--show-resolving-progress");
1765                if (use_sideband)
1766                        argv_array_push(&child.args, "--report-end-of-input");
1767                if (fsck_objects)
1768                        argv_array_pushf(&child.args, "--strict%s",
1769                                fsck_msg_types.buf);
1770                if (!reject_thin)
1771                        argv_array_push(&child.args, "--fix-thin");
1772                if (max_input_size)
1773                        argv_array_pushf(&child.args, "--max-input-size=%"PRIuMAX,
1774                                (uintmax_t)max_input_size);
1775                child.out = -1;
1776                child.err = err_fd;
1777                child.git_cmd = 1;
1778                status = start_command(&child);
1779                if (status)
1780                        return "index-pack fork failed";
1781                pack_lockfile = index_pack_lockfile(child.out);
1782                close(child.out);
1783                status = finish_command(&child);
1784                if (status)
1785                        return "index-pack abnormal exit";
1786                reprepare_packed_git(the_repository);
1787        }
1788        return NULL;
1789}
1790
1791static const char *unpack_with_sideband(struct shallow_info *si)
1792{
1793        struct async muxer;
1794        const char *ret;
1795
1796        if (!use_sideband)
1797                return unpack(0, si);
1798
1799        use_keepalive = KEEPALIVE_AFTER_NUL;
1800        memset(&muxer, 0, sizeof(muxer));
1801        muxer.proc = copy_to_sideband;
1802        muxer.in = -1;
1803        if (start_async(&muxer))
1804                return NULL;
1805
1806        ret = unpack(muxer.in, si);
1807
1808        finish_async(&muxer);
1809        return ret;
1810}
1811
1812static void prepare_shallow_update(struct command *commands,
1813                                   struct shallow_info *si)
1814{
1815        int i, j, k, bitmap_size = DIV_ROUND_UP(si->ref->nr, 32);
1816
1817        ALLOC_ARRAY(si->used_shallow, si->shallow->nr);
1818        assign_shallow_commits_to_refs(si, si->used_shallow, NULL);
1819
1820        si->need_reachability_test =
1821                xcalloc(si->shallow->nr, sizeof(*si->need_reachability_test));
1822        si->reachable =
1823                xcalloc(si->shallow->nr, sizeof(*si->reachable));
1824        si->shallow_ref = xcalloc(si->ref->nr, sizeof(*si->shallow_ref));
1825
1826        for (i = 0; i < si->nr_ours; i++)
1827                si->need_reachability_test[si->ours[i]] = 1;
1828
1829        for (i = 0; i < si->shallow->nr; i++) {
1830                if (!si->used_shallow[i])
1831                        continue;
1832                for (j = 0; j < bitmap_size; j++) {
1833                        if (!si->used_shallow[i][j])
1834                                continue;
1835                        si->need_reachability_test[i]++;
1836                        for (k = 0; k < 32; k++)
1837                                if (si->used_shallow[i][j] & (1U << k))
1838                                        si->shallow_ref[j * 32 + k]++;
1839                }
1840
1841                /*
1842                 * true for those associated with some refs and belong
1843                 * in "ours" list aka "step 7 not done yet"
1844                 */
1845                si->need_reachability_test[i] =
1846                        si->need_reachability_test[i] > 1;
1847        }
1848
1849        /*
1850         * keep hooks happy by forcing a temporary shallow file via
1851         * env variable because we can't add --shallow-file to every
1852         * command. check_connected() will be done with
1853         * true .git/shallow though.
1854         */
1855        setenv(GIT_SHALLOW_FILE_ENVIRONMENT, alt_shallow_file, 1);
1856}
1857
1858static void update_shallow_info(struct command *commands,
1859                                struct shallow_info *si,
1860                                struct oid_array *ref)
1861{
1862        struct command *cmd;
1863        int *ref_status;
1864        remove_nonexistent_theirs_shallow(si);
1865        if (!si->nr_ours && !si->nr_theirs) {
1866                shallow_update = 0;
1867                return;
1868        }
1869
1870        for (cmd = commands; cmd; cmd = cmd->next) {
1871                if (is_null_oid(&cmd->new_oid))
1872                        continue;
1873                oid_array_append(ref, &cmd->new_oid);
1874                cmd->index = ref->nr - 1;
1875        }
1876        si->ref = ref;
1877
1878        if (shallow_update) {
1879                prepare_shallow_update(commands, si);
1880                return;
1881        }
1882
1883        ALLOC_ARRAY(ref_status, ref->nr);
1884        assign_shallow_commits_to_refs(si, NULL, ref_status);
1885        for (cmd = commands; cmd; cmd = cmd->next) {
1886                if (is_null_oid(&cmd->new_oid))
1887                        continue;
1888                if (ref_status[cmd->index]) {
1889                        cmd->error_string = "shallow update not allowed";
1890                        cmd->skip_update = 1;
1891                }
1892        }
1893        free(ref_status);
1894}
1895
1896static void report(struct command *commands, const char *unpack_status)
1897{
1898        struct command *cmd;
1899        struct strbuf buf = STRBUF_INIT;
1900
1901        packet_buf_write(&buf, "unpack %s\n",
1902                         unpack_status ? unpack_status : "ok");
1903        for (cmd = commands; cmd; cmd = cmd->next) {
1904                if (!cmd->error_string)
1905                        packet_buf_write(&buf, "ok %s\n",
1906                                         cmd->ref_name);
1907                else
1908                        packet_buf_write(&buf, "ng %s %s\n",
1909                                         cmd->ref_name, cmd->error_string);
1910        }
1911        packet_buf_flush(&buf);
1912
1913        if (use_sideband)
1914                send_sideband(1, 1, buf.buf, buf.len, use_sideband);
1915        else
1916                write_or_die(1, buf.buf, buf.len);
1917        strbuf_release(&buf);
1918}
1919
1920static int delete_only(struct command *commands)
1921{
1922        struct command *cmd;
1923        for (cmd = commands; cmd; cmd = cmd->next) {
1924                if (!is_null_oid(&cmd->new_oid))
1925                        return 0;
1926        }
1927        return 1;
1928}
1929
1930int cmd_receive_pack(int argc, const char **argv, const char *prefix)
1931{
1932        int advertise_refs = 0;
1933        struct command *commands;
1934        struct oid_array shallow = OID_ARRAY_INIT;
1935        struct oid_array ref = OID_ARRAY_INIT;
1936        struct shallow_info si;
1937        struct packet_reader reader;
1938
1939        struct option options[] = {
1940                OPT__QUIET(&quiet, N_("quiet")),
1941                OPT_HIDDEN_BOOL(0, "stateless-rpc", &stateless_rpc, NULL),
1942                OPT_HIDDEN_BOOL(0, "advertise-refs", &advertise_refs, NULL),
1943                OPT_HIDDEN_BOOL(0, "reject-thin-pack-for-testing", &reject_thin, NULL),
1944                OPT_END()
1945        };
1946
1947        packet_trace_identity("receive-pack");
1948
1949        argc = parse_options(argc, argv, prefix, options, receive_pack_usage, 0);
1950
1951        if (argc > 1)
1952                usage_msg_opt(_("Too many arguments."), receive_pack_usage, options);
1953        if (argc == 0)
1954                usage_msg_opt(_("You must specify a directory."), receive_pack_usage, options);
1955
1956        service_dir = argv[0];
1957
1958        setup_path();
1959
1960        if (!enter_repo(service_dir, 0))
1961                die("'%s' does not appear to be a git repository", service_dir);
1962
1963        git_config(receive_pack_config, NULL);
1964        if (cert_nonce_seed)
1965                push_cert_nonce = prepare_push_cert_nonce(service_dir, time(NULL));
1966
1967        if (0 <= transfer_unpack_limit)
1968                unpack_limit = transfer_unpack_limit;
1969        else if (0 <= receive_unpack_limit)
1970                unpack_limit = receive_unpack_limit;
1971
1972        switch (determine_protocol_version_server()) {
1973        case protocol_v2:
1974                /*
1975                 * push support for protocol v2 has not been implemented yet,
1976                 * so ignore the request to use v2 and fallback to using v0.
1977                 */
1978                break;
1979        case protocol_v1:
1980                /*
1981                 * v1 is just the original protocol with a version string,
1982                 * so just fall through after writing the version string.
1983                 */
1984                if (advertise_refs || !stateless_rpc)
1985                        packet_write_fmt(1, "version 1\n");
1986
1987                /* fallthrough */
1988        case protocol_v0:
1989                break;
1990        case protocol_unknown_version:
1991                BUG("unknown protocol version");
1992        }
1993
1994        if (advertise_refs || !stateless_rpc) {
1995                write_head_info();
1996        }
1997        if (advertise_refs)
1998                return 0;
1999
2000        packet_reader_init(&reader, 0, NULL, 0,
2001                           PACKET_READ_CHOMP_NEWLINE |
2002                           PACKET_READ_DIE_ON_ERR_PACKET);
2003
2004        if ((commands = read_head_info(&reader, &shallow)) != NULL) {
2005                const char *unpack_status = NULL;
2006                struct string_list push_options = STRING_LIST_INIT_DUP;
2007
2008                if (use_push_options)
2009                        read_push_options(&reader, &push_options);
2010                if (!check_cert_push_options(&push_options)) {
2011                        struct command *cmd;
2012                        for (cmd = commands; cmd; cmd = cmd->next)
2013                                cmd->error_string = "inconsistent push options";
2014                }
2015
2016                prepare_shallow_info(&si, &shallow);
2017                if (!si.nr_ours && !si.nr_theirs)
2018                        shallow_update = 0;
2019                if (!delete_only(commands)) {
2020                        unpack_status = unpack_with_sideband(&si);
2021                        update_shallow_info(commands, &si, &ref);
2022                }
2023                use_keepalive = KEEPALIVE_ALWAYS;
2024                execute_commands(commands, unpack_status, &si,
2025                                 &push_options);
2026                if (pack_lockfile)
2027                        unlink_or_warn(pack_lockfile);
2028                if (report_status)
2029                        report(commands, unpack_status);
2030                run_receive_hook(commands, "post-receive", 1,
2031                                 &push_options);
2032                run_update_post_hook(commands);
2033                string_list_clear(&push_options, 0);
2034                if (auto_gc) {
2035                        const char *argv_gc_auto[] = {
2036                                "gc", "--auto", "--quiet", NULL,
2037                        };
2038                        struct child_process proc = CHILD_PROCESS_INIT;
2039
2040                        proc.no_stdin = 1;
2041                        proc.stdout_to_stderr = 1;
2042                        proc.err = use_sideband ? -1 : 0;
2043                        proc.git_cmd = 1;
2044                        proc.argv = argv_gc_auto;
2045
2046                        close_all_packs(the_repository->objects);
2047                        if (!start_command(&proc)) {
2048                                if (use_sideband)
2049                                        copy_to_sideband(proc.err, -1, NULL);
2050                                finish_command(&proc);
2051                        }
2052                }
2053                if (auto_update_server_info)
2054                        update_server_info(0);
2055                clear_shallow_info(&si);
2056        }
2057        if (use_sideband)
2058                packet_flush(1);
2059        oid_array_clear(&shallow);
2060        oid_array_clear(&ref);
2061        free((void *)push_cert_nonce);
2062        return 0;
2063}