builtin / receive-pack.con commit builtin/config.c: treat type specifiers singularly (0a8950b)
   1#include "builtin.h"
   2#include "config.h"
   3#include "lockfile.h"
   4#include "pack.h"
   5#include "refs.h"
   6#include "pkt-line.h"
   7#include "sideband.h"
   8#include "run-command.h"
   9#include "exec_cmd.h"
  10#include "commit.h"
  11#include "object.h"
  12#include "remote.h"
  13#include "connect.h"
  14#include "transport.h"
  15#include "string-list.h"
  16#include "sha1-array.h"
  17#include "connected.h"
  18#include "argv-array.h"
  19#include "version.h"
  20#include "tag.h"
  21#include "gpg-interface.h"
  22#include "sigchain.h"
  23#include "fsck.h"
  24#include "tmp-objdir.h"
  25#include "oidset.h"
  26#include "packfile.h"
  27#include "protocol.h"
  28
  29static const char * const receive_pack_usage[] = {
  30        N_("git receive-pack <git-dir>"),
  31        NULL
  32};
  33
  34enum deny_action {
  35        DENY_UNCONFIGURED,
  36        DENY_IGNORE,
  37        DENY_WARN,
  38        DENY_REFUSE,
  39        DENY_UPDATE_INSTEAD
  40};
  41
  42static int deny_deletes;
  43static int deny_non_fast_forwards;
  44static enum deny_action deny_current_branch = DENY_UNCONFIGURED;
  45static enum deny_action deny_delete_current = DENY_UNCONFIGURED;
  46static int receive_fsck_objects = -1;
  47static int transfer_fsck_objects = -1;
  48static struct strbuf fsck_msg_types = STRBUF_INIT;
  49static int receive_unpack_limit = -1;
  50static int transfer_unpack_limit = -1;
  51static int advertise_atomic_push = 1;
  52static int advertise_push_options;
  53static int unpack_limit = 100;
  54static off_t max_input_size;
  55static int report_status;
  56static int use_sideband;
  57static int use_atomic;
  58static int use_push_options;
  59static int quiet;
  60static int prefer_ofs_delta = 1;
  61static int auto_update_server_info;
  62static int auto_gc = 1;
  63static int reject_thin;
  64static int stateless_rpc;
  65static const char *service_dir;
  66static const char *head_name;
  67static void *head_name_to_free;
  68static int sent_capabilities;
  69static int shallow_update;
  70static const char *alt_shallow_file;
  71static struct strbuf push_cert = STRBUF_INIT;
  72static struct object_id push_cert_oid;
  73static struct signature_check sigcheck;
  74static const char *push_cert_nonce;
  75static const char *cert_nonce_seed;
  76
  77static const char *NONCE_UNSOLICITED = "UNSOLICITED";
  78static const char *NONCE_BAD = "BAD";
  79static const char *NONCE_MISSING = "MISSING";
  80static const char *NONCE_OK = "OK";
  81static const char *NONCE_SLOP = "SLOP";
  82static const char *nonce_status;
  83static long nonce_stamp_slop;
  84static timestamp_t nonce_stamp_slop_limit;
  85static struct ref_transaction *transaction;
  86
  87static enum {
  88        KEEPALIVE_NEVER = 0,
  89        KEEPALIVE_AFTER_NUL,
  90        KEEPALIVE_ALWAYS
  91} use_keepalive;
  92static int keepalive_in_sec = 5;
  93
  94static struct tmp_objdir *tmp_objdir;
  95
  96static enum deny_action parse_deny_action(const char *var, const char *value)
  97{
  98        if (value) {
  99                if (!strcasecmp(value, "ignore"))
 100                        return DENY_IGNORE;
 101                if (!strcasecmp(value, "warn"))
 102                        return DENY_WARN;
 103                if (!strcasecmp(value, "refuse"))
 104                        return DENY_REFUSE;
 105                if (!strcasecmp(value, "updateinstead"))
 106                        return DENY_UPDATE_INSTEAD;
 107        }
 108        if (git_config_bool(var, value))
 109                return DENY_REFUSE;
 110        return DENY_IGNORE;
 111}
 112
 113static int receive_pack_config(const char *var, const char *value, void *cb)
 114{
 115        int status = parse_hide_refs_config(var, value, "receive");
 116
 117        if (status)
 118                return status;
 119
 120        if (strcmp(var, "receive.denydeletes") == 0) {
 121                deny_deletes = git_config_bool(var, value);
 122                return 0;
 123        }
 124
 125        if (strcmp(var, "receive.denynonfastforwards") == 0) {
 126                deny_non_fast_forwards = git_config_bool(var, value);
 127                return 0;
 128        }
 129
 130        if (strcmp(var, "receive.unpacklimit") == 0) {
 131                receive_unpack_limit = git_config_int(var, value);
 132                return 0;
 133        }
 134
 135        if (strcmp(var, "transfer.unpacklimit") == 0) {
 136                transfer_unpack_limit = git_config_int(var, value);
 137                return 0;
 138        }
 139
 140        if (strcmp(var, "receive.fsck.skiplist") == 0) {
 141                const char *path;
 142
 143                if (git_config_pathname(&path, var, value))
 144                        return 1;
 145                strbuf_addf(&fsck_msg_types, "%cskiplist=%s",
 146                        fsck_msg_types.len ? ',' : '=', path);
 147                free((char *)path);
 148                return 0;
 149        }
 150
 151        if (skip_prefix(var, "receive.fsck.", &var)) {
 152                if (is_valid_msg_type(var, value))
 153                        strbuf_addf(&fsck_msg_types, "%c%s=%s",
 154                                fsck_msg_types.len ? ',' : '=', var, value);
 155                else
 156                        warning("Skipping unknown msg id '%s'", var);
 157                return 0;
 158        }
 159
 160        if (strcmp(var, "receive.fsckobjects") == 0) {
 161                receive_fsck_objects = git_config_bool(var, value);
 162                return 0;
 163        }
 164
 165        if (strcmp(var, "transfer.fsckobjects") == 0) {
 166                transfer_fsck_objects = git_config_bool(var, value);
 167                return 0;
 168        }
 169
 170        if (!strcmp(var, "receive.denycurrentbranch")) {
 171                deny_current_branch = parse_deny_action(var, value);
 172                return 0;
 173        }
 174
 175        if (strcmp(var, "receive.denydeletecurrent") == 0) {
 176                deny_delete_current = parse_deny_action(var, value);
 177                return 0;
 178        }
 179
 180        if (strcmp(var, "repack.usedeltabaseoffset") == 0) {
 181                prefer_ofs_delta = git_config_bool(var, value);
 182                return 0;
 183        }
 184
 185        if (strcmp(var, "receive.updateserverinfo") == 0) {
 186                auto_update_server_info = git_config_bool(var, value);
 187                return 0;
 188        }
 189
 190        if (strcmp(var, "receive.autogc") == 0) {
 191                auto_gc = git_config_bool(var, value);
 192                return 0;
 193        }
 194
 195        if (strcmp(var, "receive.shallowupdate") == 0) {
 196                shallow_update = git_config_bool(var, value);
 197                return 0;
 198        }
 199
 200        if (strcmp(var, "receive.certnonceseed") == 0)
 201                return git_config_string(&cert_nonce_seed, var, value);
 202
 203        if (strcmp(var, "receive.certnonceslop") == 0) {
 204                nonce_stamp_slop_limit = git_config_ulong(var, value);
 205                return 0;
 206        }
 207
 208        if (strcmp(var, "receive.advertiseatomic") == 0) {
 209                advertise_atomic_push = git_config_bool(var, value);
 210                return 0;
 211        }
 212
 213        if (strcmp(var, "receive.advertisepushoptions") == 0) {
 214                advertise_push_options = git_config_bool(var, value);
 215                return 0;
 216        }
 217
 218        if (strcmp(var, "receive.keepalive") == 0) {
 219                keepalive_in_sec = git_config_int(var, value);
 220                return 0;
 221        }
 222
 223        if (strcmp(var, "receive.maxinputsize") == 0) {
 224                max_input_size = git_config_int64(var, value);
 225                return 0;
 226        }
 227
 228        return git_default_config(var, value, cb);
 229}
 230
 231static void show_ref(const char *path, const struct object_id *oid)
 232{
 233        if (sent_capabilities) {
 234                packet_write_fmt(1, "%s %s\n", oid_to_hex(oid), path);
 235        } else {
 236                struct strbuf cap = STRBUF_INIT;
 237
 238                strbuf_addstr(&cap,
 239                              "report-status delete-refs side-band-64k quiet");
 240                if (advertise_atomic_push)
 241                        strbuf_addstr(&cap, " atomic");
 242                if (prefer_ofs_delta)
 243                        strbuf_addstr(&cap, " ofs-delta");
 244                if (push_cert_nonce)
 245                        strbuf_addf(&cap, " push-cert=%s", push_cert_nonce);
 246                if (advertise_push_options)
 247                        strbuf_addstr(&cap, " push-options");
 248                strbuf_addf(&cap, " agent=%s", git_user_agent_sanitized());
 249                packet_write_fmt(1, "%s %s%c%s\n",
 250                             oid_to_hex(oid), path, 0, cap.buf);
 251                strbuf_release(&cap);
 252                sent_capabilities = 1;
 253        }
 254}
 255
 256static int show_ref_cb(const char *path_full, const struct object_id *oid,
 257                       int flag, void *data)
 258{
 259        struct oidset *seen = data;
 260        const char *path = strip_namespace(path_full);
 261
 262        if (ref_is_hidden(path, path_full))
 263                return 0;
 264
 265        /*
 266         * Advertise refs outside our current namespace as ".have"
 267         * refs, so that the client can use them to minimize data
 268         * transfer but will otherwise ignore them.
 269         */
 270        if (!path) {
 271                if (oidset_insert(seen, oid))
 272                        return 0;
 273                path = ".have";
 274        } else {
 275                oidset_insert(seen, oid);
 276        }
 277        show_ref(path, oid);
 278        return 0;
 279}
 280
 281static void show_one_alternate_ref(const char *refname,
 282                                   const struct object_id *oid,
 283                                   void *data)
 284{
 285        struct oidset *seen = data;
 286
 287        if (oidset_insert(seen, oid))
 288                return;
 289
 290        show_ref(".have", oid);
 291}
 292
 293static void write_head_info(void)
 294{
 295        static struct oidset seen = OIDSET_INIT;
 296
 297        for_each_ref(show_ref_cb, &seen);
 298        for_each_alternate_ref(show_one_alternate_ref, &seen);
 299        oidset_clear(&seen);
 300        if (!sent_capabilities)
 301                show_ref("capabilities^{}", &null_oid);
 302
 303        advertise_shallow_grafts(1);
 304
 305        /* EOF */
 306        packet_flush(1);
 307}
 308
 309struct command {
 310        struct command *next;
 311        const char *error_string;
 312        unsigned int skip_update:1,
 313                     did_not_exist:1;
 314        int index;
 315        struct object_id old_oid;
 316        struct object_id new_oid;
 317        char ref_name[FLEX_ARRAY]; /* more */
 318};
 319
 320static void rp_error(const char *err, ...) __attribute__((format (printf, 1, 2)));
 321static void rp_warning(const char *err, ...) __attribute__((format (printf, 1, 2)));
 322
 323static void report_message(const char *prefix, const char *err, va_list params)
 324{
 325        int sz;
 326        char msg[4096];
 327
 328        sz = xsnprintf(msg, sizeof(msg), "%s", prefix);
 329        sz += vsnprintf(msg + sz, sizeof(msg) - sz, err, params);
 330        if (sz > (sizeof(msg) - 1))
 331                sz = sizeof(msg) - 1;
 332        msg[sz++] = '\n';
 333
 334        if (use_sideband)
 335                send_sideband(1, 2, msg, sz, use_sideband);
 336        else
 337                xwrite(2, msg, sz);
 338}
 339
 340static void rp_warning(const char *err, ...)
 341{
 342        va_list params;
 343        va_start(params, err);
 344        report_message("warning: ", err, params);
 345        va_end(params);
 346}
 347
 348static void rp_error(const char *err, ...)
 349{
 350        va_list params;
 351        va_start(params, err);
 352        report_message("error: ", err, params);
 353        va_end(params);
 354}
 355
 356static int copy_to_sideband(int in, int out, void *arg)
 357{
 358        char data[128];
 359        int keepalive_active = 0;
 360
 361        if (keepalive_in_sec <= 0)
 362                use_keepalive = KEEPALIVE_NEVER;
 363        if (use_keepalive == KEEPALIVE_ALWAYS)
 364                keepalive_active = 1;
 365
 366        while (1) {
 367                ssize_t sz;
 368
 369                if (keepalive_active) {
 370                        struct pollfd pfd;
 371                        int ret;
 372
 373                        pfd.fd = in;
 374                        pfd.events = POLLIN;
 375                        ret = poll(&pfd, 1, 1000 * keepalive_in_sec);
 376
 377                        if (ret < 0) {
 378                                if (errno == EINTR)
 379                                        continue;
 380                                else
 381                                        break;
 382                        } else if (ret == 0) {
 383                                /* no data; send a keepalive packet */
 384                                static const char buf[] = "0005\1";
 385                                write_or_die(1, buf, sizeof(buf) - 1);
 386                                continue;
 387                        } /* else there is actual data to read */
 388                }
 389
 390                sz = xread(in, data, sizeof(data));
 391                if (sz <= 0)
 392                        break;
 393
 394                if (use_keepalive == KEEPALIVE_AFTER_NUL && !keepalive_active) {
 395                        const char *p = memchr(data, '\0', sz);
 396                        if (p) {
 397                                /*
 398                                 * The NUL tells us to start sending keepalives. Make
 399                                 * sure we send any other data we read along
 400                                 * with it.
 401                                 */
 402                                keepalive_active = 1;
 403                                send_sideband(1, 2, data, p - data, use_sideband);
 404                                send_sideband(1, 2, p + 1, sz - (p - data + 1), use_sideband);
 405                                continue;
 406                        }
 407                }
 408
 409                /*
 410                 * Either we're not looking for a NUL signal, or we didn't see
 411                 * it yet; just pass along the data.
 412                 */
 413                send_sideband(1, 2, data, sz, use_sideband);
 414        }
 415        close(in);
 416        return 0;
 417}
 418
 419#define HMAC_BLOCK_SIZE 64
 420
 421static void hmac_sha1(unsigned char *out,
 422                      const char *key_in, size_t key_len,
 423                      const char *text, size_t text_len)
 424{
 425        unsigned char key[HMAC_BLOCK_SIZE];
 426        unsigned char k_ipad[HMAC_BLOCK_SIZE];
 427        unsigned char k_opad[HMAC_BLOCK_SIZE];
 428        int i;
 429        git_SHA_CTX ctx;
 430
 431        /* RFC 2104 2. (1) */
 432        memset(key, '\0', HMAC_BLOCK_SIZE);
 433        if (HMAC_BLOCK_SIZE < key_len) {
 434                git_SHA1_Init(&ctx);
 435                git_SHA1_Update(&ctx, key_in, key_len);
 436                git_SHA1_Final(key, &ctx);
 437        } else {
 438                memcpy(key, key_in, key_len);
 439        }
 440
 441        /* RFC 2104 2. (2) & (5) */
 442        for (i = 0; i < sizeof(key); i++) {
 443                k_ipad[i] = key[i] ^ 0x36;
 444                k_opad[i] = key[i] ^ 0x5c;
 445        }
 446
 447        /* RFC 2104 2. (3) & (4) */
 448        git_SHA1_Init(&ctx);
 449        git_SHA1_Update(&ctx, k_ipad, sizeof(k_ipad));
 450        git_SHA1_Update(&ctx, text, text_len);
 451        git_SHA1_Final(out, &ctx);
 452
 453        /* RFC 2104 2. (6) & (7) */
 454        git_SHA1_Init(&ctx);
 455        git_SHA1_Update(&ctx, k_opad, sizeof(k_opad));
 456        git_SHA1_Update(&ctx, out, 20);
 457        git_SHA1_Final(out, &ctx);
 458}
 459
 460static char *prepare_push_cert_nonce(const char *path, timestamp_t stamp)
 461{
 462        struct strbuf buf = STRBUF_INIT;
 463        unsigned char sha1[20];
 464
 465        strbuf_addf(&buf, "%s:%"PRItime, path, stamp);
 466        hmac_sha1(sha1, buf.buf, buf.len, cert_nonce_seed, strlen(cert_nonce_seed));;
 467        strbuf_release(&buf);
 468
 469        /* RFC 2104 5. HMAC-SHA1-80 */
 470        strbuf_addf(&buf, "%"PRItime"-%.*s", stamp, 20, sha1_to_hex(sha1));
 471        return strbuf_detach(&buf, NULL);
 472}
 473
 474/*
 475 * NEEDSWORK: reuse find_commit_header() from jk/commit-author-parsing
 476 * after dropping "_commit" from its name and possibly moving it out
 477 * of commit.c
 478 */
 479static char *find_header(const char *msg, size_t len, const char *key,
 480                         const char **next_line)
 481{
 482        int key_len = strlen(key);
 483        const char *line = msg;
 484
 485        while (line && line < msg + len) {
 486                const char *eol = strchrnul(line, '\n');
 487
 488                if ((msg + len <= eol) || line == eol)
 489                        return NULL;
 490                if (line + key_len < eol &&
 491                    !memcmp(line, key, key_len) && line[key_len] == ' ') {
 492                        int offset = key_len + 1;
 493                        if (next_line)
 494                                *next_line = *eol ? eol + 1 : eol;
 495                        return xmemdupz(line + offset, (eol - line) - offset);
 496                }
 497                line = *eol ? eol + 1 : NULL;
 498        }
 499        return NULL;
 500}
 501
 502static const char *check_nonce(const char *buf, size_t len)
 503{
 504        char *nonce = find_header(buf, len, "nonce", NULL);
 505        timestamp_t stamp, ostamp;
 506        char *bohmac, *expect = NULL;
 507        const char *retval = NONCE_BAD;
 508
 509        if (!nonce) {
 510                retval = NONCE_MISSING;
 511                goto leave;
 512        } else if (!push_cert_nonce) {
 513                retval = NONCE_UNSOLICITED;
 514                goto leave;
 515        } else if (!strcmp(push_cert_nonce, nonce)) {
 516                retval = NONCE_OK;
 517                goto leave;
 518        }
 519
 520        if (!stateless_rpc) {
 521                /* returned nonce MUST match what we gave out earlier */
 522                retval = NONCE_BAD;
 523                goto leave;
 524        }
 525
 526        /*
 527         * In stateless mode, we may be receiving a nonce issued by
 528         * another instance of the server that serving the same
 529         * repository, and the timestamps may not match, but the
 530         * nonce-seed and dir should match, so we can recompute and
 531         * report the time slop.
 532         *
 533         * In addition, when a nonce issued by another instance has
 534         * timestamp within receive.certnonceslop seconds, we pretend
 535         * as if we issued that nonce when reporting to the hook.
 536         */
 537
 538        /* nonce is concat(<seconds-since-epoch>, "-", <hmac>) */
 539        if (*nonce <= '0' || '9' < *nonce) {
 540                retval = NONCE_BAD;
 541                goto leave;
 542        }
 543        stamp = parse_timestamp(nonce, &bohmac, 10);
 544        if (bohmac == nonce || bohmac[0] != '-') {
 545                retval = NONCE_BAD;
 546                goto leave;
 547        }
 548
 549        expect = prepare_push_cert_nonce(service_dir, stamp);
 550        if (strcmp(expect, nonce)) {
 551                /* Not what we would have signed earlier */
 552                retval = NONCE_BAD;
 553                goto leave;
 554        }
 555
 556        /*
 557         * By how many seconds is this nonce stale?  Negative value
 558         * would mean it was issued by another server with its clock
 559         * skewed in the future.
 560         */
 561        ostamp = parse_timestamp(push_cert_nonce, NULL, 10);
 562        nonce_stamp_slop = (long)ostamp - (long)stamp;
 563
 564        if (nonce_stamp_slop_limit &&
 565            labs(nonce_stamp_slop) <= nonce_stamp_slop_limit) {
 566                /*
 567                 * Pretend as if the received nonce (which passes the
 568                 * HMAC check, so it is not a forged by third-party)
 569                 * is what we issued.
 570                 */
 571                free((void *)push_cert_nonce);
 572                push_cert_nonce = xstrdup(nonce);
 573                retval = NONCE_OK;
 574        } else {
 575                retval = NONCE_SLOP;
 576        }
 577
 578leave:
 579        free(nonce);
 580        free(expect);
 581        return retval;
 582}
 583
 584/*
 585 * Return 1 if there is no push_cert or if the push options in push_cert are
 586 * the same as those in the argument; 0 otherwise.
 587 */
 588static int check_cert_push_options(const struct string_list *push_options)
 589{
 590        const char *buf = push_cert.buf;
 591        int len = push_cert.len;
 592
 593        char *option;
 594        const char *next_line;
 595        int options_seen = 0;
 596
 597        int retval = 1;
 598
 599        if (!len)
 600                return 1;
 601
 602        while ((option = find_header(buf, len, "push-option", &next_line))) {
 603                len -= (next_line - buf);
 604                buf = next_line;
 605                options_seen++;
 606                if (options_seen > push_options->nr
 607                    || strcmp(option,
 608                              push_options->items[options_seen - 1].string)) {
 609                        retval = 0;
 610                        goto leave;
 611                }
 612                free(option);
 613        }
 614
 615        if (options_seen != push_options->nr)
 616                retval = 0;
 617
 618leave:
 619        free(option);
 620        return retval;
 621}
 622
 623static void prepare_push_cert_sha1(struct child_process *proc)
 624{
 625        static int already_done;
 626
 627        if (!push_cert.len)
 628                return;
 629
 630        if (!already_done) {
 631                struct strbuf gpg_output = STRBUF_INIT;
 632                struct strbuf gpg_status = STRBUF_INIT;
 633                int bogs /* beginning_of_gpg_sig */;
 634
 635                already_done = 1;
 636                if (write_object_file(push_cert.buf, push_cert.len, "blob",
 637                                      &push_cert_oid))
 638                        oidclr(&push_cert_oid);
 639
 640                memset(&sigcheck, '\0', sizeof(sigcheck));
 641                sigcheck.result = 'N';
 642
 643                bogs = parse_signature(push_cert.buf, push_cert.len);
 644                if (verify_signed_buffer(push_cert.buf, bogs,
 645                                         push_cert.buf + bogs, push_cert.len - bogs,
 646                                         &gpg_output, &gpg_status) < 0) {
 647                        ; /* error running gpg */
 648                } else {
 649                        sigcheck.payload = push_cert.buf;
 650                        sigcheck.gpg_output = gpg_output.buf;
 651                        sigcheck.gpg_status = gpg_status.buf;
 652                        parse_gpg_output(&sigcheck);
 653                }
 654
 655                strbuf_release(&gpg_output);
 656                strbuf_release(&gpg_status);
 657                nonce_status = check_nonce(push_cert.buf, bogs);
 658        }
 659        if (!is_null_oid(&push_cert_oid)) {
 660                argv_array_pushf(&proc->env_array, "GIT_PUSH_CERT=%s",
 661                                 oid_to_hex(&push_cert_oid));
 662                argv_array_pushf(&proc->env_array, "GIT_PUSH_CERT_SIGNER=%s",
 663                                 sigcheck.signer ? sigcheck.signer : "");
 664                argv_array_pushf(&proc->env_array, "GIT_PUSH_CERT_KEY=%s",
 665                                 sigcheck.key ? sigcheck.key : "");
 666                argv_array_pushf(&proc->env_array, "GIT_PUSH_CERT_STATUS=%c",
 667                                 sigcheck.result);
 668                if (push_cert_nonce) {
 669                        argv_array_pushf(&proc->env_array,
 670                                         "GIT_PUSH_CERT_NONCE=%s",
 671                                         push_cert_nonce);
 672                        argv_array_pushf(&proc->env_array,
 673                                         "GIT_PUSH_CERT_NONCE_STATUS=%s",
 674                                         nonce_status);
 675                        if (nonce_status == NONCE_SLOP)
 676                                argv_array_pushf(&proc->env_array,
 677                                                 "GIT_PUSH_CERT_NONCE_SLOP=%ld",
 678                                                 nonce_stamp_slop);
 679                }
 680        }
 681}
 682
 683struct receive_hook_feed_state {
 684        struct command *cmd;
 685        int skip_broken;
 686        struct strbuf buf;
 687        const struct string_list *push_options;
 688};
 689
 690typedef int (*feed_fn)(void *, const char **, size_t *);
 691static int run_and_feed_hook(const char *hook_name, feed_fn feed,
 692                             struct receive_hook_feed_state *feed_state)
 693{
 694        struct child_process proc = CHILD_PROCESS_INIT;
 695        struct async muxer;
 696        const char *argv[2];
 697        int code;
 698
 699        argv[0] = find_hook(hook_name);
 700        if (!argv[0])
 701                return 0;
 702
 703        argv[1] = NULL;
 704
 705        proc.argv = argv;
 706        proc.in = -1;
 707        proc.stdout_to_stderr = 1;
 708        if (feed_state->push_options) {
 709                int i;
 710                for (i = 0; i < feed_state->push_options->nr; i++)
 711                        argv_array_pushf(&proc.env_array,
 712                                "GIT_PUSH_OPTION_%d=%s", i,
 713                                feed_state->push_options->items[i].string);
 714                argv_array_pushf(&proc.env_array, "GIT_PUSH_OPTION_COUNT=%d",
 715                                 feed_state->push_options->nr);
 716        } else
 717                argv_array_pushf(&proc.env_array, "GIT_PUSH_OPTION_COUNT");
 718
 719        if (tmp_objdir)
 720                argv_array_pushv(&proc.env_array, tmp_objdir_env(tmp_objdir));
 721
 722        if (use_sideband) {
 723                memset(&muxer, 0, sizeof(muxer));
 724                muxer.proc = copy_to_sideband;
 725                muxer.in = -1;
 726                code = start_async(&muxer);
 727                if (code)
 728                        return code;
 729                proc.err = muxer.in;
 730        }
 731
 732        prepare_push_cert_sha1(&proc);
 733
 734        code = start_command(&proc);
 735        if (code) {
 736                if (use_sideband)
 737                        finish_async(&muxer);
 738                return code;
 739        }
 740
 741        sigchain_push(SIGPIPE, SIG_IGN);
 742
 743        while (1) {
 744                const char *buf;
 745                size_t n;
 746                if (feed(feed_state, &buf, &n))
 747                        break;
 748                if (write_in_full(proc.in, buf, n) < 0)
 749                        break;
 750        }
 751        close(proc.in);
 752        if (use_sideband)
 753                finish_async(&muxer);
 754
 755        sigchain_pop(SIGPIPE);
 756
 757        return finish_command(&proc);
 758}
 759
 760static int feed_receive_hook(void *state_, const char **bufp, size_t *sizep)
 761{
 762        struct receive_hook_feed_state *state = state_;
 763        struct command *cmd = state->cmd;
 764
 765        while (cmd &&
 766               state->skip_broken && (cmd->error_string || cmd->did_not_exist))
 767                cmd = cmd->next;
 768        if (!cmd)
 769                return -1; /* EOF */
 770        strbuf_reset(&state->buf);
 771        strbuf_addf(&state->buf, "%s %s %s\n",
 772                    oid_to_hex(&cmd->old_oid), oid_to_hex(&cmd->new_oid),
 773                    cmd->ref_name);
 774        state->cmd = cmd->next;
 775        if (bufp) {
 776                *bufp = state->buf.buf;
 777                *sizep = state->buf.len;
 778        }
 779        return 0;
 780}
 781
 782static int run_receive_hook(struct command *commands,
 783                            const char *hook_name,
 784                            int skip_broken,
 785                            const struct string_list *push_options)
 786{
 787        struct receive_hook_feed_state state;
 788        int status;
 789
 790        strbuf_init(&state.buf, 0);
 791        state.cmd = commands;
 792        state.skip_broken = skip_broken;
 793        if (feed_receive_hook(&state, NULL, NULL))
 794                return 0;
 795        state.cmd = commands;
 796        state.push_options = push_options;
 797        status = run_and_feed_hook(hook_name, feed_receive_hook, &state);
 798        strbuf_release(&state.buf);
 799        return status;
 800}
 801
 802static int run_update_hook(struct command *cmd)
 803{
 804        const char *argv[5];
 805        struct child_process proc = CHILD_PROCESS_INIT;
 806        int code;
 807
 808        argv[0] = find_hook("update");
 809        if (!argv[0])
 810                return 0;
 811
 812        argv[1] = cmd->ref_name;
 813        argv[2] = oid_to_hex(&cmd->old_oid);
 814        argv[3] = oid_to_hex(&cmd->new_oid);
 815        argv[4] = NULL;
 816
 817        proc.no_stdin = 1;
 818        proc.stdout_to_stderr = 1;
 819        proc.err = use_sideband ? -1 : 0;
 820        proc.argv = argv;
 821
 822        code = start_command(&proc);
 823        if (code)
 824                return code;
 825        if (use_sideband)
 826                copy_to_sideband(proc.err, -1, NULL);
 827        return finish_command(&proc);
 828}
 829
 830static int is_ref_checked_out(const char *ref)
 831{
 832        if (is_bare_repository())
 833                return 0;
 834
 835        if (!head_name)
 836                return 0;
 837        return !strcmp(head_name, ref);
 838}
 839
 840static char *refuse_unconfigured_deny_msg =
 841        N_("By default, updating the current branch in a non-bare repository\n"
 842           "is denied, because it will make the index and work tree inconsistent\n"
 843           "with what you pushed, and will require 'git reset --hard' to match\n"
 844           "the work tree to HEAD.\n"
 845           "\n"
 846           "You can set the 'receive.denyCurrentBranch' configuration variable\n"
 847           "to 'ignore' or 'warn' in the remote repository to allow pushing into\n"
 848           "its current branch; however, this is not recommended unless you\n"
 849           "arranged to update its work tree to match what you pushed in some\n"
 850           "other way.\n"
 851           "\n"
 852           "To squelch this message and still keep the default behaviour, set\n"
 853           "'receive.denyCurrentBranch' configuration variable to 'refuse'.");
 854
 855static void refuse_unconfigured_deny(void)
 856{
 857        rp_error("%s", _(refuse_unconfigured_deny_msg));
 858}
 859
 860static char *refuse_unconfigured_deny_delete_current_msg =
 861        N_("By default, deleting the current branch is denied, because the next\n"
 862           "'git clone' won't result in any file checked out, causing confusion.\n"
 863           "\n"
 864           "You can set 'receive.denyDeleteCurrent' configuration variable to\n"
 865           "'warn' or 'ignore' in the remote repository to allow deleting the\n"
 866           "current branch, with or without a warning message.\n"
 867           "\n"
 868           "To squelch this message, you can set it to 'refuse'.");
 869
 870static void refuse_unconfigured_deny_delete_current(void)
 871{
 872        rp_error("%s", _(refuse_unconfigured_deny_delete_current_msg));
 873}
 874
 875static int command_singleton_iterator(void *cb_data, struct object_id *oid);
 876static int update_shallow_ref(struct command *cmd, struct shallow_info *si)
 877{
 878        static struct lock_file shallow_lock;
 879        struct oid_array extra = OID_ARRAY_INIT;
 880        struct check_connected_options opt = CHECK_CONNECTED_INIT;
 881        uint32_t mask = 1 << (cmd->index % 32);
 882        int i;
 883
 884        trace_printf_key(&trace_shallow,
 885                         "shallow: update_shallow_ref %s\n", cmd->ref_name);
 886        for (i = 0; i < si->shallow->nr; i++)
 887                if (si->used_shallow[i] &&
 888                    (si->used_shallow[i][cmd->index / 32] & mask) &&
 889                    !delayed_reachability_test(si, i))
 890                        oid_array_append(&extra, &si->shallow->oid[i]);
 891
 892        opt.env = tmp_objdir_env(tmp_objdir);
 893        setup_alternate_shallow(&shallow_lock, &opt.shallow_file, &extra);
 894        if (check_connected(command_singleton_iterator, cmd, &opt)) {
 895                rollback_lock_file(&shallow_lock);
 896                oid_array_clear(&extra);
 897                return -1;
 898        }
 899
 900        commit_lock_file(&shallow_lock);
 901
 902        /*
 903         * Make sure setup_alternate_shallow() for the next ref does
 904         * not lose these new roots..
 905         */
 906        for (i = 0; i < extra.nr; i++)
 907                register_shallow(&extra.oid[i]);
 908
 909        si->shallow_ref[cmd->index] = 0;
 910        oid_array_clear(&extra);
 911        return 0;
 912}
 913
 914/*
 915 * NEEDSWORK: we should consolidate various implementions of "are we
 916 * on an unborn branch?" test into one, and make the unified one more
 917 * robust. !get_sha1() based check used here and elsewhere would not
 918 * allow us to tell an unborn branch from corrupt ref, for example.
 919 * For the purpose of fixing "deploy-to-update does not work when
 920 * pushing into an empty repository" issue, this should suffice for
 921 * now.
 922 */
 923static int head_has_history(void)
 924{
 925        struct object_id oid;
 926
 927        return !get_oid("HEAD", &oid);
 928}
 929
 930static const char *push_to_deploy(unsigned char *sha1,
 931                                  struct argv_array *env,
 932                                  const char *work_tree)
 933{
 934        const char *update_refresh[] = {
 935                "update-index", "-q", "--ignore-submodules", "--refresh", NULL
 936        };
 937        const char *diff_files[] = {
 938                "diff-files", "--quiet", "--ignore-submodules", "--", NULL
 939        };
 940        const char *diff_index[] = {
 941                "diff-index", "--quiet", "--cached", "--ignore-submodules",
 942                NULL, "--", NULL
 943        };
 944        const char *read_tree[] = {
 945                "read-tree", "-u", "-m", NULL, NULL
 946        };
 947        struct child_process child = CHILD_PROCESS_INIT;
 948
 949        child.argv = update_refresh;
 950        child.env = env->argv;
 951        child.dir = work_tree;
 952        child.no_stdin = 1;
 953        child.stdout_to_stderr = 1;
 954        child.git_cmd = 1;
 955        if (run_command(&child))
 956                return "Up-to-date check failed";
 957
 958        /* run_command() does not clean up completely; reinitialize */
 959        child_process_init(&child);
 960        child.argv = diff_files;
 961        child.env = env->argv;
 962        child.dir = work_tree;
 963        child.no_stdin = 1;
 964        child.stdout_to_stderr = 1;
 965        child.git_cmd = 1;
 966        if (run_command(&child))
 967                return "Working directory has unstaged changes";
 968
 969        /* diff-index with either HEAD or an empty tree */
 970        diff_index[4] = head_has_history() ? "HEAD" : EMPTY_TREE_SHA1_HEX;
 971
 972        child_process_init(&child);
 973        child.argv = diff_index;
 974        child.env = env->argv;
 975        child.no_stdin = 1;
 976        child.no_stdout = 1;
 977        child.stdout_to_stderr = 0;
 978        child.git_cmd = 1;
 979        if (run_command(&child))
 980                return "Working directory has staged changes";
 981
 982        read_tree[3] = sha1_to_hex(sha1);
 983        child_process_init(&child);
 984        child.argv = read_tree;
 985        child.env = env->argv;
 986        child.dir = work_tree;
 987        child.no_stdin = 1;
 988        child.no_stdout = 1;
 989        child.stdout_to_stderr = 0;
 990        child.git_cmd = 1;
 991        if (run_command(&child))
 992                return "Could not update working tree to new HEAD";
 993
 994        return NULL;
 995}
 996
 997static const char *push_to_checkout_hook = "push-to-checkout";
 998
 999static const char *push_to_checkout(unsigned char *sha1,
1000                                    struct argv_array *env,
1001                                    const char *work_tree)
1002{
1003        argv_array_pushf(env, "GIT_WORK_TREE=%s", absolute_path(work_tree));
1004        if (run_hook_le(env->argv, push_to_checkout_hook,
1005                        sha1_to_hex(sha1), NULL))
1006                return "push-to-checkout hook declined";
1007        else
1008                return NULL;
1009}
1010
1011static const char *update_worktree(unsigned char *sha1)
1012{
1013        const char *retval;
1014        const char *work_tree = git_work_tree_cfg ? git_work_tree_cfg : "..";
1015        struct argv_array env = ARGV_ARRAY_INIT;
1016
1017        if (is_bare_repository())
1018                return "denyCurrentBranch = updateInstead needs a worktree";
1019
1020        argv_array_pushf(&env, "GIT_DIR=%s", absolute_path(get_git_dir()));
1021
1022        if (!find_hook(push_to_checkout_hook))
1023                retval = push_to_deploy(sha1, &env, work_tree);
1024        else
1025                retval = push_to_checkout(sha1, &env, work_tree);
1026
1027        argv_array_clear(&env);
1028        return retval;
1029}
1030
1031static const char *update(struct command *cmd, struct shallow_info *si)
1032{
1033        const char *name = cmd->ref_name;
1034        struct strbuf namespaced_name_buf = STRBUF_INIT;
1035        static char *namespaced_name;
1036        const char *ret;
1037        struct object_id *old_oid = &cmd->old_oid;
1038        struct object_id *new_oid = &cmd->new_oid;
1039
1040        /* only refs/... are allowed */
1041        if (!starts_with(name, "refs/") || check_refname_format(name + 5, 0)) {
1042                rp_error("refusing to create funny ref '%s' remotely", name);
1043                return "funny refname";
1044        }
1045
1046        strbuf_addf(&namespaced_name_buf, "%s%s", get_git_namespace(), name);
1047        free(namespaced_name);
1048        namespaced_name = strbuf_detach(&namespaced_name_buf, NULL);
1049
1050        if (is_ref_checked_out(namespaced_name)) {
1051                switch (deny_current_branch) {
1052                case DENY_IGNORE:
1053                        break;
1054                case DENY_WARN:
1055                        rp_warning("updating the current branch");
1056                        break;
1057                case DENY_REFUSE:
1058                case DENY_UNCONFIGURED:
1059                        rp_error("refusing to update checked out branch: %s", name);
1060                        if (deny_current_branch == DENY_UNCONFIGURED)
1061                                refuse_unconfigured_deny();
1062                        return "branch is currently checked out";
1063                case DENY_UPDATE_INSTEAD:
1064                        ret = update_worktree(new_oid->hash);
1065                        if (ret)
1066                                return ret;
1067                        break;
1068                }
1069        }
1070
1071        if (!is_null_oid(new_oid) && !has_object_file(new_oid)) {
1072                error("unpack should have generated %s, "
1073                      "but I can't find it!", oid_to_hex(new_oid));
1074                return "bad pack";
1075        }
1076
1077        if (!is_null_oid(old_oid) && is_null_oid(new_oid)) {
1078                if (deny_deletes && starts_with(name, "refs/heads/")) {
1079                        rp_error("denying ref deletion for %s", name);
1080                        return "deletion prohibited";
1081                }
1082
1083                if (head_name && !strcmp(namespaced_name, head_name)) {
1084                        switch (deny_delete_current) {
1085                        case DENY_IGNORE:
1086                                break;
1087                        case DENY_WARN:
1088                                rp_warning("deleting the current branch");
1089                                break;
1090                        case DENY_REFUSE:
1091                        case DENY_UNCONFIGURED:
1092                        case DENY_UPDATE_INSTEAD:
1093                                if (deny_delete_current == DENY_UNCONFIGURED)
1094                                        refuse_unconfigured_deny_delete_current();
1095                                rp_error("refusing to delete the current branch: %s", name);
1096                                return "deletion of the current branch prohibited";
1097                        default:
1098                                return "Invalid denyDeleteCurrent setting";
1099                        }
1100                }
1101        }
1102
1103        if (deny_non_fast_forwards && !is_null_oid(new_oid) &&
1104            !is_null_oid(old_oid) &&
1105            starts_with(name, "refs/heads/")) {
1106                struct object *old_object, *new_object;
1107                struct commit *old_commit, *new_commit;
1108
1109                old_object = parse_object(old_oid);
1110                new_object = parse_object(new_oid);
1111
1112                if (!old_object || !new_object ||
1113                    old_object->type != OBJ_COMMIT ||
1114                    new_object->type != OBJ_COMMIT) {
1115                        error("bad sha1 objects for %s", name);
1116                        return "bad ref";
1117                }
1118                old_commit = (struct commit *)old_object;
1119                new_commit = (struct commit *)new_object;
1120                if (!in_merge_bases(old_commit, new_commit)) {
1121                        rp_error("denying non-fast-forward %s"
1122                                 " (you should pull first)", name);
1123                        return "non-fast-forward";
1124                }
1125        }
1126        if (run_update_hook(cmd)) {
1127                rp_error("hook declined to update %s", name);
1128                return "hook declined";
1129        }
1130
1131        if (is_null_oid(new_oid)) {
1132                struct strbuf err = STRBUF_INIT;
1133                if (!parse_object(old_oid)) {
1134                        old_oid = NULL;
1135                        if (ref_exists(name)) {
1136                                rp_warning("Allowing deletion of corrupt ref.");
1137                        } else {
1138                                rp_warning("Deleting a non-existent ref.");
1139                                cmd->did_not_exist = 1;
1140                        }
1141                }
1142                if (ref_transaction_delete(transaction,
1143                                           namespaced_name,
1144                                           old_oid,
1145                                           0, "push", &err)) {
1146                        rp_error("%s", err.buf);
1147                        strbuf_release(&err);
1148                        return "failed to delete";
1149                }
1150                strbuf_release(&err);
1151                return NULL; /* good */
1152        }
1153        else {
1154                struct strbuf err = STRBUF_INIT;
1155                if (shallow_update && si->shallow_ref[cmd->index] &&
1156                    update_shallow_ref(cmd, si))
1157                        return "shallow error";
1158
1159                if (ref_transaction_update(transaction,
1160                                           namespaced_name,
1161                                           new_oid, old_oid,
1162                                           0, "push",
1163                                           &err)) {
1164                        rp_error("%s", err.buf);
1165                        strbuf_release(&err);
1166
1167                        return "failed to update ref";
1168                }
1169                strbuf_release(&err);
1170
1171                return NULL; /* good */
1172        }
1173}
1174
1175static void run_update_post_hook(struct command *commands)
1176{
1177        struct command *cmd;
1178        struct child_process proc = CHILD_PROCESS_INIT;
1179        const char *hook;
1180
1181        hook = find_hook("post-update");
1182        if (!hook)
1183                return;
1184
1185        for (cmd = commands; cmd; cmd = cmd->next) {
1186                if (cmd->error_string || cmd->did_not_exist)
1187                        continue;
1188                if (!proc.args.argc)
1189                        argv_array_push(&proc.args, hook);
1190                argv_array_push(&proc.args, cmd->ref_name);
1191        }
1192        if (!proc.args.argc)
1193                return;
1194
1195        proc.no_stdin = 1;
1196        proc.stdout_to_stderr = 1;
1197        proc.err = use_sideband ? -1 : 0;
1198
1199        if (!start_command(&proc)) {
1200                if (use_sideband)
1201                        copy_to_sideband(proc.err, -1, NULL);
1202                finish_command(&proc);
1203        }
1204}
1205
1206static void check_aliased_update(struct command *cmd, struct string_list *list)
1207{
1208        struct strbuf buf = STRBUF_INIT;
1209        const char *dst_name;
1210        struct string_list_item *item;
1211        struct command *dst_cmd;
1212        int flag;
1213
1214        strbuf_addf(&buf, "%s%s", get_git_namespace(), cmd->ref_name);
1215        dst_name = resolve_ref_unsafe(buf.buf, 0, NULL, &flag);
1216        strbuf_release(&buf);
1217
1218        if (!(flag & REF_ISSYMREF))
1219                return;
1220
1221        if (!dst_name) {
1222                rp_error("refusing update to broken symref '%s'", cmd->ref_name);
1223                cmd->skip_update = 1;
1224                cmd->error_string = "broken symref";
1225                return;
1226        }
1227        dst_name = strip_namespace(dst_name);
1228
1229        if ((item = string_list_lookup(list, dst_name)) == NULL)
1230                return;
1231
1232        cmd->skip_update = 1;
1233
1234        dst_cmd = (struct command *) item->util;
1235
1236        if (!oidcmp(&cmd->old_oid, &dst_cmd->old_oid) &&
1237            !oidcmp(&cmd->new_oid, &dst_cmd->new_oid))
1238                return;
1239
1240        dst_cmd->skip_update = 1;
1241
1242        rp_error("refusing inconsistent update between symref '%s' (%s..%s) and"
1243                 " its target '%s' (%s..%s)",
1244                 cmd->ref_name,
1245                 find_unique_abbrev(cmd->old_oid.hash, DEFAULT_ABBREV),
1246                 find_unique_abbrev(cmd->new_oid.hash, DEFAULT_ABBREV),
1247                 dst_cmd->ref_name,
1248                 find_unique_abbrev(dst_cmd->old_oid.hash, DEFAULT_ABBREV),
1249                 find_unique_abbrev(dst_cmd->new_oid.hash, DEFAULT_ABBREV));
1250
1251        cmd->error_string = dst_cmd->error_string =
1252                "inconsistent aliased update";
1253}
1254
1255static void check_aliased_updates(struct command *commands)
1256{
1257        struct command *cmd;
1258        struct string_list ref_list = STRING_LIST_INIT_NODUP;
1259
1260        for (cmd = commands; cmd; cmd = cmd->next) {
1261                struct string_list_item *item =
1262                        string_list_append(&ref_list, cmd->ref_name);
1263                item->util = (void *)cmd;
1264        }
1265        string_list_sort(&ref_list);
1266
1267        for (cmd = commands; cmd; cmd = cmd->next) {
1268                if (!cmd->error_string)
1269                        check_aliased_update(cmd, &ref_list);
1270        }
1271
1272        string_list_clear(&ref_list, 0);
1273}
1274
1275static int command_singleton_iterator(void *cb_data, struct object_id *oid)
1276{
1277        struct command **cmd_list = cb_data;
1278        struct command *cmd = *cmd_list;
1279
1280        if (!cmd || is_null_oid(&cmd->new_oid))
1281                return -1; /* end of list */
1282        *cmd_list = NULL; /* this returns only one */
1283        oidcpy(oid, &cmd->new_oid);
1284        return 0;
1285}
1286
1287static void set_connectivity_errors(struct command *commands,
1288                                    struct shallow_info *si)
1289{
1290        struct command *cmd;
1291
1292        for (cmd = commands; cmd; cmd = cmd->next) {
1293                struct command *singleton = cmd;
1294                struct check_connected_options opt = CHECK_CONNECTED_INIT;
1295
1296                if (shallow_update && si->shallow_ref[cmd->index])
1297                        /* to be checked in update_shallow_ref() */
1298                        continue;
1299
1300                opt.env = tmp_objdir_env(tmp_objdir);
1301                if (!check_connected(command_singleton_iterator, &singleton,
1302                                     &opt))
1303                        continue;
1304
1305                cmd->error_string = "missing necessary objects";
1306        }
1307}
1308
1309struct iterate_data {
1310        struct command *cmds;
1311        struct shallow_info *si;
1312};
1313
1314static int iterate_receive_command_list(void *cb_data, struct object_id *oid)
1315{
1316        struct iterate_data *data = cb_data;
1317        struct command **cmd_list = &data->cmds;
1318        struct command *cmd = *cmd_list;
1319
1320        for (; cmd; cmd = cmd->next) {
1321                if (shallow_update && data->si->shallow_ref[cmd->index])
1322                        /* to be checked in update_shallow_ref() */
1323                        continue;
1324                if (!is_null_oid(&cmd->new_oid) && !cmd->skip_update) {
1325                        oidcpy(oid, &cmd->new_oid);
1326                        *cmd_list = cmd->next;
1327                        return 0;
1328                }
1329        }
1330        *cmd_list = NULL;
1331        return -1; /* end of list */
1332}
1333
1334static void reject_updates_to_hidden(struct command *commands)
1335{
1336        struct strbuf refname_full = STRBUF_INIT;
1337        size_t prefix_len;
1338        struct command *cmd;
1339
1340        strbuf_addstr(&refname_full, get_git_namespace());
1341        prefix_len = refname_full.len;
1342
1343        for (cmd = commands; cmd; cmd = cmd->next) {
1344                if (cmd->error_string)
1345                        continue;
1346
1347                strbuf_setlen(&refname_full, prefix_len);
1348                strbuf_addstr(&refname_full, cmd->ref_name);
1349
1350                if (!ref_is_hidden(cmd->ref_name, refname_full.buf))
1351                        continue;
1352                if (is_null_oid(&cmd->new_oid))
1353                        cmd->error_string = "deny deleting a hidden ref";
1354                else
1355                        cmd->error_string = "deny updating a hidden ref";
1356        }
1357
1358        strbuf_release(&refname_full);
1359}
1360
1361static int should_process_cmd(struct command *cmd)
1362{
1363        return !cmd->error_string && !cmd->skip_update;
1364}
1365
1366static void warn_if_skipped_connectivity_check(struct command *commands,
1367                                               struct shallow_info *si)
1368{
1369        struct command *cmd;
1370        int checked_connectivity = 1;
1371
1372        for (cmd = commands; cmd; cmd = cmd->next) {
1373                if (should_process_cmd(cmd) && si->shallow_ref[cmd->index]) {
1374                        error("BUG: connectivity check has not been run on ref %s",
1375                              cmd->ref_name);
1376                        checked_connectivity = 0;
1377                }
1378        }
1379        if (!checked_connectivity)
1380                die("BUG: connectivity check skipped???");
1381}
1382
1383static void execute_commands_non_atomic(struct command *commands,
1384                                        struct shallow_info *si)
1385{
1386        struct command *cmd;
1387        struct strbuf err = STRBUF_INIT;
1388
1389        for (cmd = commands; cmd; cmd = cmd->next) {
1390                if (!should_process_cmd(cmd))
1391                        continue;
1392
1393                transaction = ref_transaction_begin(&err);
1394                if (!transaction) {
1395                        rp_error("%s", err.buf);
1396                        strbuf_reset(&err);
1397                        cmd->error_string = "transaction failed to start";
1398                        continue;
1399                }
1400
1401                cmd->error_string = update(cmd, si);
1402
1403                if (!cmd->error_string
1404                    && ref_transaction_commit(transaction, &err)) {
1405                        rp_error("%s", err.buf);
1406                        strbuf_reset(&err);
1407                        cmd->error_string = "failed to update ref";
1408                }
1409                ref_transaction_free(transaction);
1410        }
1411        strbuf_release(&err);
1412}
1413
1414static void execute_commands_atomic(struct command *commands,
1415                                        struct shallow_info *si)
1416{
1417        struct command *cmd;
1418        struct strbuf err = STRBUF_INIT;
1419        const char *reported_error = "atomic push failure";
1420
1421        transaction = ref_transaction_begin(&err);
1422        if (!transaction) {
1423                rp_error("%s", err.buf);
1424                strbuf_reset(&err);
1425                reported_error = "transaction failed to start";
1426                goto failure;
1427        }
1428
1429        for (cmd = commands; cmd; cmd = cmd->next) {
1430                if (!should_process_cmd(cmd))
1431                        continue;
1432
1433                cmd->error_string = update(cmd, si);
1434
1435                if (cmd->error_string)
1436                        goto failure;
1437        }
1438
1439        if (ref_transaction_commit(transaction, &err)) {
1440                rp_error("%s", err.buf);
1441                reported_error = "atomic transaction failed";
1442                goto failure;
1443        }
1444        goto cleanup;
1445
1446failure:
1447        for (cmd = commands; cmd; cmd = cmd->next)
1448                if (!cmd->error_string)
1449                        cmd->error_string = reported_error;
1450
1451cleanup:
1452        ref_transaction_free(transaction);
1453        strbuf_release(&err);
1454}
1455
1456static void execute_commands(struct command *commands,
1457                             const char *unpacker_error,
1458                             struct shallow_info *si,
1459                             const struct string_list *push_options)
1460{
1461        struct check_connected_options opt = CHECK_CONNECTED_INIT;
1462        struct command *cmd;
1463        struct iterate_data data;
1464        struct async muxer;
1465        int err_fd = 0;
1466
1467        if (unpacker_error) {
1468                for (cmd = commands; cmd; cmd = cmd->next)
1469                        cmd->error_string = "unpacker error";
1470                return;
1471        }
1472
1473        if (use_sideband) {
1474                memset(&muxer, 0, sizeof(muxer));
1475                muxer.proc = copy_to_sideband;
1476                muxer.in = -1;
1477                if (!start_async(&muxer))
1478                        err_fd = muxer.in;
1479                /* ...else, continue without relaying sideband */
1480        }
1481
1482        data.cmds = commands;
1483        data.si = si;
1484        opt.err_fd = err_fd;
1485        opt.progress = err_fd && !quiet;
1486        opt.env = tmp_objdir_env(tmp_objdir);
1487        if (check_connected(iterate_receive_command_list, &data, &opt))
1488                set_connectivity_errors(commands, si);
1489
1490        if (use_sideband)
1491                finish_async(&muxer);
1492
1493        reject_updates_to_hidden(commands);
1494
1495        if (run_receive_hook(commands, "pre-receive", 0, push_options)) {
1496                for (cmd = commands; cmd; cmd = cmd->next) {
1497                        if (!cmd->error_string)
1498                                cmd->error_string = "pre-receive hook declined";
1499                }
1500                return;
1501        }
1502
1503        /*
1504         * Now we'll start writing out refs, which means the objects need
1505         * to be in their final positions so that other processes can see them.
1506         */
1507        if (tmp_objdir_migrate(tmp_objdir) < 0) {
1508                for (cmd = commands; cmd; cmd = cmd->next) {
1509                        if (!cmd->error_string)
1510                                cmd->error_string = "unable to migrate objects to permanent storage";
1511                }
1512                return;
1513        }
1514        tmp_objdir = NULL;
1515
1516        check_aliased_updates(commands);
1517
1518        free(head_name_to_free);
1519        head_name = head_name_to_free = resolve_refdup("HEAD", 0, NULL, NULL);
1520
1521        if (use_atomic)
1522                execute_commands_atomic(commands, si);
1523        else
1524                execute_commands_non_atomic(commands, si);
1525
1526        if (shallow_update)
1527                warn_if_skipped_connectivity_check(commands, si);
1528}
1529
1530static struct command **queue_command(struct command **tail,
1531                                      const char *line,
1532                                      int linelen)
1533{
1534        struct object_id old_oid, new_oid;
1535        struct command *cmd;
1536        const char *refname;
1537        int reflen;
1538        const char *p;
1539
1540        if (parse_oid_hex(line, &old_oid, &p) ||
1541            *p++ != ' ' ||
1542            parse_oid_hex(p, &new_oid, &p) ||
1543            *p++ != ' ')
1544                die("protocol error: expected old/new/ref, got '%s'", line);
1545
1546        refname = p;
1547        reflen = linelen - (p - line);
1548        FLEX_ALLOC_MEM(cmd, ref_name, refname, reflen);
1549        oidcpy(&cmd->old_oid, &old_oid);
1550        oidcpy(&cmd->new_oid, &new_oid);
1551        *tail = cmd;
1552        return &cmd->next;
1553}
1554
1555static void queue_commands_from_cert(struct command **tail,
1556                                     struct strbuf *push_cert)
1557{
1558        const char *boc, *eoc;
1559
1560        if (*tail)
1561                die("protocol error: got both push certificate and unsigned commands");
1562
1563        boc = strstr(push_cert->buf, "\n\n");
1564        if (!boc)
1565                die("malformed push certificate %.*s", 100, push_cert->buf);
1566        else
1567                boc += 2;
1568        eoc = push_cert->buf + parse_signature(push_cert->buf, push_cert->len);
1569
1570        while (boc < eoc) {
1571                const char *eol = memchr(boc, '\n', eoc - boc);
1572                tail = queue_command(tail, boc, eol ? eol - boc : eoc - boc);
1573                boc = eol ? eol + 1 : eoc;
1574        }
1575}
1576
1577static struct command *read_head_info(struct oid_array *shallow)
1578{
1579        struct command *commands = NULL;
1580        struct command **p = &commands;
1581        for (;;) {
1582                char *line;
1583                int len, linelen;
1584
1585                line = packet_read_line(0, &len);
1586                if (!line)
1587                        break;
1588
1589                if (len > 8 && starts_with(line, "shallow ")) {
1590                        struct object_id oid;
1591                        if (get_oid_hex(line + 8, &oid))
1592                                die("protocol error: expected shallow sha, got '%s'",
1593                                    line + 8);
1594                        oid_array_append(shallow, &oid);
1595                        continue;
1596                }
1597
1598                linelen = strlen(line);
1599                if (linelen < len) {
1600                        const char *feature_list = line + linelen + 1;
1601                        if (parse_feature_request(feature_list, "report-status"))
1602                                report_status = 1;
1603                        if (parse_feature_request(feature_list, "side-band-64k"))
1604                                use_sideband = LARGE_PACKET_MAX;
1605                        if (parse_feature_request(feature_list, "quiet"))
1606                                quiet = 1;
1607                        if (advertise_atomic_push
1608                            && parse_feature_request(feature_list, "atomic"))
1609                                use_atomic = 1;
1610                        if (advertise_push_options
1611                            && parse_feature_request(feature_list, "push-options"))
1612                                use_push_options = 1;
1613                }
1614
1615                if (!strcmp(line, "push-cert")) {
1616                        int true_flush = 0;
1617                        char certbuf[1024];
1618
1619                        for (;;) {
1620                                len = packet_read(0, NULL, NULL,
1621                                                  certbuf, sizeof(certbuf), 0);
1622                                if (!len) {
1623                                        true_flush = 1;
1624                                        break;
1625                                }
1626                                if (!strcmp(certbuf, "push-cert-end\n"))
1627                                        break; /* end of cert */
1628                                strbuf_addstr(&push_cert, certbuf);
1629                        }
1630
1631                        if (true_flush)
1632                                break;
1633                        continue;
1634                }
1635
1636                p = queue_command(p, line, linelen);
1637        }
1638
1639        if (push_cert.len)
1640                queue_commands_from_cert(p, &push_cert);
1641
1642        return commands;
1643}
1644
1645static void read_push_options(struct string_list *options)
1646{
1647        while (1) {
1648                char *line;
1649                int len;
1650
1651                line = packet_read_line(0, &len);
1652
1653                if (!line)
1654                        break;
1655
1656                string_list_append(options, line);
1657        }
1658}
1659
1660static const char *parse_pack_header(struct pack_header *hdr)
1661{
1662        switch (read_pack_header(0, hdr)) {
1663        case PH_ERROR_EOF:
1664                return "eof before pack header was fully read";
1665
1666        case PH_ERROR_PACK_SIGNATURE:
1667                return "protocol error (pack signature mismatch detected)";
1668
1669        case PH_ERROR_PROTOCOL:
1670                return "protocol error (pack version unsupported)";
1671
1672        default:
1673                return "unknown error in parse_pack_header";
1674
1675        case 0:
1676                return NULL;
1677        }
1678}
1679
1680static const char *pack_lockfile;
1681
1682static void push_header_arg(struct argv_array *args, struct pack_header *hdr)
1683{
1684        argv_array_pushf(args, "--pack_header=%"PRIu32",%"PRIu32,
1685                        ntohl(hdr->hdr_version), ntohl(hdr->hdr_entries));
1686}
1687
1688static const char *unpack(int err_fd, struct shallow_info *si)
1689{
1690        struct pack_header hdr;
1691        const char *hdr_err;
1692        int status;
1693        struct child_process child = CHILD_PROCESS_INIT;
1694        int fsck_objects = (receive_fsck_objects >= 0
1695                            ? receive_fsck_objects
1696                            : transfer_fsck_objects >= 0
1697                            ? transfer_fsck_objects
1698                            : 0);
1699
1700        hdr_err = parse_pack_header(&hdr);
1701        if (hdr_err) {
1702                if (err_fd > 0)
1703                        close(err_fd);
1704                return hdr_err;
1705        }
1706
1707        if (si->nr_ours || si->nr_theirs) {
1708                alt_shallow_file = setup_temporary_shallow(si->shallow);
1709                argv_array_push(&child.args, "--shallow-file");
1710                argv_array_push(&child.args, alt_shallow_file);
1711        }
1712
1713        tmp_objdir = tmp_objdir_create();
1714        if (!tmp_objdir) {
1715                if (err_fd > 0)
1716                        close(err_fd);
1717                return "unable to create temporary object directory";
1718        }
1719        child.env = tmp_objdir_env(tmp_objdir);
1720
1721        /*
1722         * Normally we just pass the tmp_objdir environment to the child
1723         * processes that do the heavy lifting, but we may need to see these
1724         * objects ourselves to set up shallow information.
1725         */
1726        tmp_objdir_add_as_alternate(tmp_objdir);
1727
1728        if (ntohl(hdr.hdr_entries) < unpack_limit) {
1729                argv_array_push(&child.args, "unpack-objects");
1730                push_header_arg(&child.args, &hdr);
1731                if (quiet)
1732                        argv_array_push(&child.args, "-q");
1733                if (fsck_objects)
1734                        argv_array_pushf(&child.args, "--strict%s",
1735                                fsck_msg_types.buf);
1736                if (max_input_size)
1737                        argv_array_pushf(&child.args, "--max-input-size=%"PRIuMAX,
1738                                (uintmax_t)max_input_size);
1739                child.no_stdout = 1;
1740                child.err = err_fd;
1741                child.git_cmd = 1;
1742                status = run_command(&child);
1743                if (status)
1744                        return "unpack-objects abnormal exit";
1745        } else {
1746                char hostname[HOST_NAME_MAX + 1];
1747
1748                argv_array_pushl(&child.args, "index-pack", "--stdin", NULL);
1749                push_header_arg(&child.args, &hdr);
1750
1751                if (xgethostname(hostname, sizeof(hostname)))
1752                        xsnprintf(hostname, sizeof(hostname), "localhost");
1753                argv_array_pushf(&child.args,
1754                                 "--keep=receive-pack %"PRIuMAX" on %s",
1755                                 (uintmax_t)getpid(),
1756                                 hostname);
1757
1758                if (!quiet && err_fd)
1759                        argv_array_push(&child.args, "--show-resolving-progress");
1760                if (use_sideband)
1761                        argv_array_push(&child.args, "--report-end-of-input");
1762                if (fsck_objects)
1763                        argv_array_pushf(&child.args, "--strict%s",
1764                                fsck_msg_types.buf);
1765                if (!reject_thin)
1766                        argv_array_push(&child.args, "--fix-thin");
1767                if (max_input_size)
1768                        argv_array_pushf(&child.args, "--max-input-size=%"PRIuMAX,
1769                                (uintmax_t)max_input_size);
1770                child.out = -1;
1771                child.err = err_fd;
1772                child.git_cmd = 1;
1773                status = start_command(&child);
1774                if (status)
1775                        return "index-pack fork failed";
1776                pack_lockfile = index_pack_lockfile(child.out);
1777                close(child.out);
1778                status = finish_command(&child);
1779                if (status)
1780                        return "index-pack abnormal exit";
1781                reprepare_packed_git();
1782        }
1783        return NULL;
1784}
1785
1786static const char *unpack_with_sideband(struct shallow_info *si)
1787{
1788        struct async muxer;
1789        const char *ret;
1790
1791        if (!use_sideband)
1792                return unpack(0, si);
1793
1794        use_keepalive = KEEPALIVE_AFTER_NUL;
1795        memset(&muxer, 0, sizeof(muxer));
1796        muxer.proc = copy_to_sideband;
1797        muxer.in = -1;
1798        if (start_async(&muxer))
1799                return NULL;
1800
1801        ret = unpack(muxer.in, si);
1802
1803        finish_async(&muxer);
1804        return ret;
1805}
1806
1807static void prepare_shallow_update(struct command *commands,
1808                                   struct shallow_info *si)
1809{
1810        int i, j, k, bitmap_size = DIV_ROUND_UP(si->ref->nr, 32);
1811
1812        ALLOC_ARRAY(si->used_shallow, si->shallow->nr);
1813        assign_shallow_commits_to_refs(si, si->used_shallow, NULL);
1814
1815        si->need_reachability_test =
1816                xcalloc(si->shallow->nr, sizeof(*si->need_reachability_test));
1817        si->reachable =
1818                xcalloc(si->shallow->nr, sizeof(*si->reachable));
1819        si->shallow_ref = xcalloc(si->ref->nr, sizeof(*si->shallow_ref));
1820
1821        for (i = 0; i < si->nr_ours; i++)
1822                si->need_reachability_test[si->ours[i]] = 1;
1823
1824        for (i = 0; i < si->shallow->nr; i++) {
1825                if (!si->used_shallow[i])
1826                        continue;
1827                for (j = 0; j < bitmap_size; j++) {
1828                        if (!si->used_shallow[i][j])
1829                                continue;
1830                        si->need_reachability_test[i]++;
1831                        for (k = 0; k < 32; k++)
1832                                if (si->used_shallow[i][j] & (1U << k))
1833                                        si->shallow_ref[j * 32 + k]++;
1834                }
1835
1836                /*
1837                 * true for those associated with some refs and belong
1838                 * in "ours" list aka "step 7 not done yet"
1839                 */
1840                si->need_reachability_test[i] =
1841                        si->need_reachability_test[i] > 1;
1842        }
1843
1844        /*
1845         * keep hooks happy by forcing a temporary shallow file via
1846         * env variable because we can't add --shallow-file to every
1847         * command. check_everything_connected() will be done with
1848         * true .git/shallow though.
1849         */
1850        setenv(GIT_SHALLOW_FILE_ENVIRONMENT, alt_shallow_file, 1);
1851}
1852
1853static void update_shallow_info(struct command *commands,
1854                                struct shallow_info *si,
1855                                struct oid_array *ref)
1856{
1857        struct command *cmd;
1858        int *ref_status;
1859        remove_nonexistent_theirs_shallow(si);
1860        if (!si->nr_ours && !si->nr_theirs) {
1861                shallow_update = 0;
1862                return;
1863        }
1864
1865        for (cmd = commands; cmd; cmd = cmd->next) {
1866                if (is_null_oid(&cmd->new_oid))
1867                        continue;
1868                oid_array_append(ref, &cmd->new_oid);
1869                cmd->index = ref->nr - 1;
1870        }
1871        si->ref = ref;
1872
1873        if (shallow_update) {
1874                prepare_shallow_update(commands, si);
1875                return;
1876        }
1877
1878        ALLOC_ARRAY(ref_status, ref->nr);
1879        assign_shallow_commits_to_refs(si, NULL, ref_status);
1880        for (cmd = commands; cmd; cmd = cmd->next) {
1881                if (is_null_oid(&cmd->new_oid))
1882                        continue;
1883                if (ref_status[cmd->index]) {
1884                        cmd->error_string = "shallow update not allowed";
1885                        cmd->skip_update = 1;
1886                }
1887        }
1888        free(ref_status);
1889}
1890
1891static void report(struct command *commands, const char *unpack_status)
1892{
1893        struct command *cmd;
1894        struct strbuf buf = STRBUF_INIT;
1895
1896        packet_buf_write(&buf, "unpack %s\n",
1897                         unpack_status ? unpack_status : "ok");
1898        for (cmd = commands; cmd; cmd = cmd->next) {
1899                if (!cmd->error_string)
1900                        packet_buf_write(&buf, "ok %s\n",
1901                                         cmd->ref_name);
1902                else
1903                        packet_buf_write(&buf, "ng %s %s\n",
1904                                         cmd->ref_name, cmd->error_string);
1905        }
1906        packet_buf_flush(&buf);
1907
1908        if (use_sideband)
1909                send_sideband(1, 1, buf.buf, buf.len, use_sideband);
1910        else
1911                write_or_die(1, buf.buf, buf.len);
1912        strbuf_release(&buf);
1913}
1914
1915static int delete_only(struct command *commands)
1916{
1917        struct command *cmd;
1918        for (cmd = commands; cmd; cmd = cmd->next) {
1919                if (!is_null_oid(&cmd->new_oid))
1920                        return 0;
1921        }
1922        return 1;
1923}
1924
1925int cmd_receive_pack(int argc, const char **argv, const char *prefix)
1926{
1927        int advertise_refs = 0;
1928        struct command *commands;
1929        struct oid_array shallow = OID_ARRAY_INIT;
1930        struct oid_array ref = OID_ARRAY_INIT;
1931        struct shallow_info si;
1932
1933        struct option options[] = {
1934                OPT__QUIET(&quiet, N_("quiet")),
1935                OPT_HIDDEN_BOOL(0, "stateless-rpc", &stateless_rpc, NULL),
1936                OPT_HIDDEN_BOOL(0, "advertise-refs", &advertise_refs, NULL),
1937                OPT_HIDDEN_BOOL(0, "reject-thin-pack-for-testing", &reject_thin, NULL),
1938                OPT_END()
1939        };
1940
1941        packet_trace_identity("receive-pack");
1942
1943        argc = parse_options(argc, argv, prefix, options, receive_pack_usage, 0);
1944
1945        if (argc > 1)
1946                usage_msg_opt(_("Too many arguments."), receive_pack_usage, options);
1947        if (argc == 0)
1948                usage_msg_opt(_("You must specify a directory."), receive_pack_usage, options);
1949
1950        service_dir = argv[0];
1951
1952        setup_path();
1953
1954        if (!enter_repo(service_dir, 0))
1955                die("'%s' does not appear to be a git repository", service_dir);
1956
1957        git_config(receive_pack_config, NULL);
1958        if (cert_nonce_seed)
1959                push_cert_nonce = prepare_push_cert_nonce(service_dir, time(NULL));
1960
1961        if (0 <= transfer_unpack_limit)
1962                unpack_limit = transfer_unpack_limit;
1963        else if (0 <= receive_unpack_limit)
1964                unpack_limit = receive_unpack_limit;
1965
1966        switch (determine_protocol_version_server()) {
1967        case protocol_v1:
1968                /*
1969                 * v1 is just the original protocol with a version string,
1970                 * so just fall through after writing the version string.
1971                 */
1972                if (advertise_refs || !stateless_rpc)
1973                        packet_write_fmt(1, "version 1\n");
1974
1975                /* fallthrough */
1976        case protocol_v0:
1977                break;
1978        case protocol_unknown_version:
1979                BUG("unknown protocol version");
1980        }
1981
1982        if (advertise_refs || !stateless_rpc) {
1983                write_head_info();
1984        }
1985        if (advertise_refs)
1986                return 0;
1987
1988        if ((commands = read_head_info(&shallow)) != NULL) {
1989                const char *unpack_status = NULL;
1990                struct string_list push_options = STRING_LIST_INIT_DUP;
1991
1992                if (use_push_options)
1993                        read_push_options(&push_options);
1994                if (!check_cert_push_options(&push_options)) {
1995                        struct command *cmd;
1996                        for (cmd = commands; cmd; cmd = cmd->next)
1997                                cmd->error_string = "inconsistent push options";
1998                }
1999
2000                prepare_shallow_info(&si, &shallow);
2001                if (!si.nr_ours && !si.nr_theirs)
2002                        shallow_update = 0;
2003                if (!delete_only(commands)) {
2004                        unpack_status = unpack_with_sideband(&si);
2005                        update_shallow_info(commands, &si, &ref);
2006                }
2007                use_keepalive = KEEPALIVE_ALWAYS;
2008                execute_commands(commands, unpack_status, &si,
2009                                 &push_options);
2010                if (pack_lockfile)
2011                        unlink_or_warn(pack_lockfile);
2012                if (report_status)
2013                        report(commands, unpack_status);
2014                run_receive_hook(commands, "post-receive", 1,
2015                                 &push_options);
2016                run_update_post_hook(commands);
2017                string_list_clear(&push_options, 0);
2018                if (auto_gc) {
2019                        const char *argv_gc_auto[] = {
2020                                "gc", "--auto", "--quiet", NULL,
2021                        };
2022                        struct child_process proc = CHILD_PROCESS_INIT;
2023
2024                        proc.no_stdin = 1;
2025                        proc.stdout_to_stderr = 1;
2026                        proc.err = use_sideband ? -1 : 0;
2027                        proc.git_cmd = 1;
2028                        proc.argv = argv_gc_auto;
2029
2030                        close_all_packs();
2031                        if (!start_command(&proc)) {
2032                                if (use_sideband)
2033                                        copy_to_sideband(proc.err, -1, NULL);
2034                                finish_command(&proc);
2035                        }
2036                }
2037                if (auto_update_server_info)
2038                        update_server_info(0);
2039                clear_shallow_info(&si);
2040        }
2041        if (use_sideband)
2042                packet_flush(1);
2043        oid_array_clear(&shallow);
2044        oid_array_clear(&ref);
2045        free((void *)push_cert_nonce);
2046        return 0;
2047}