builtin / receive-pack.con commit send-email: provide whitelist of SMTP AUTH mechanisms (0f2e68b)
   1#include "builtin.h"
   2#include "lockfile.h"
   3#include "pack.h"
   4#include "refs.h"
   5#include "pkt-line.h"
   6#include "sideband.h"
   7#include "run-command.h"
   8#include "exec_cmd.h"
   9#include "commit.h"
  10#include "object.h"
  11#include "remote.h"
  12#include "connect.h"
  13#include "transport.h"
  14#include "string-list.h"
  15#include "sha1-array.h"
  16#include "connected.h"
  17#include "argv-array.h"
  18#include "version.h"
  19#include "tag.h"
  20#include "gpg-interface.h"
  21#include "sigchain.h"
  22
  23static const char receive_pack_usage[] = "git receive-pack <git-dir>";
  24
  25enum deny_action {
  26        DENY_UNCONFIGURED,
  27        DENY_IGNORE,
  28        DENY_WARN,
  29        DENY_REFUSE,
  30        DENY_UPDATE_INSTEAD
  31};
  32
  33static int deny_deletes;
  34static int deny_non_fast_forwards;
  35static enum deny_action deny_current_branch = DENY_UNCONFIGURED;
  36static enum deny_action deny_delete_current = DENY_UNCONFIGURED;
  37static int receive_fsck_objects = -1;
  38static int transfer_fsck_objects = -1;
  39static int receive_unpack_limit = -1;
  40static int transfer_unpack_limit = -1;
  41static int advertise_atomic_push = 1;
  42static int unpack_limit = 100;
  43static int report_status;
  44static int use_sideband;
  45static int use_atomic;
  46static int quiet;
  47static int prefer_ofs_delta = 1;
  48static int auto_update_server_info;
  49static int auto_gc = 1;
  50static int fix_thin = 1;
  51static int stateless_rpc;
  52static const char *service_dir;
  53static const char *head_name;
  54static void *head_name_to_free;
  55static int sent_capabilities;
  56static int shallow_update;
  57static const char *alt_shallow_file;
  58static struct strbuf push_cert = STRBUF_INIT;
  59static unsigned char push_cert_sha1[20];
  60static struct signature_check sigcheck;
  61static const char *push_cert_nonce;
  62static const char *cert_nonce_seed;
  63
  64static const char *NONCE_UNSOLICITED = "UNSOLICITED";
  65static const char *NONCE_BAD = "BAD";
  66static const char *NONCE_MISSING = "MISSING";
  67static const char *NONCE_OK = "OK";
  68static const char *NONCE_SLOP = "SLOP";
  69static const char *nonce_status;
  70static long nonce_stamp_slop;
  71static unsigned long nonce_stamp_slop_limit;
  72static struct ref_transaction *transaction;
  73
  74static enum deny_action parse_deny_action(const char *var, const char *value)
  75{
  76        if (value) {
  77                if (!strcasecmp(value, "ignore"))
  78                        return DENY_IGNORE;
  79                if (!strcasecmp(value, "warn"))
  80                        return DENY_WARN;
  81                if (!strcasecmp(value, "refuse"))
  82                        return DENY_REFUSE;
  83                if (!strcasecmp(value, "updateinstead"))
  84                        return DENY_UPDATE_INSTEAD;
  85        }
  86        if (git_config_bool(var, value))
  87                return DENY_REFUSE;
  88        return DENY_IGNORE;
  89}
  90
  91static int receive_pack_config(const char *var, const char *value, void *cb)
  92{
  93        int status = parse_hide_refs_config(var, value, "receive");
  94
  95        if (status)
  96                return status;
  97
  98        if (strcmp(var, "receive.denydeletes") == 0) {
  99                deny_deletes = git_config_bool(var, value);
 100                return 0;
 101        }
 102
 103        if (strcmp(var, "receive.denynonfastforwards") == 0) {
 104                deny_non_fast_forwards = git_config_bool(var, value);
 105                return 0;
 106        }
 107
 108        if (strcmp(var, "receive.unpacklimit") == 0) {
 109                receive_unpack_limit = git_config_int(var, value);
 110                return 0;
 111        }
 112
 113        if (strcmp(var, "transfer.unpacklimit") == 0) {
 114                transfer_unpack_limit = git_config_int(var, value);
 115                return 0;
 116        }
 117
 118        if (strcmp(var, "receive.fsckobjects") == 0) {
 119                receive_fsck_objects = git_config_bool(var, value);
 120                return 0;
 121        }
 122
 123        if (strcmp(var, "transfer.fsckobjects") == 0) {
 124                transfer_fsck_objects = git_config_bool(var, value);
 125                return 0;
 126        }
 127
 128        if (!strcmp(var, "receive.denycurrentbranch")) {
 129                deny_current_branch = parse_deny_action(var, value);
 130                return 0;
 131        }
 132
 133        if (strcmp(var, "receive.denydeletecurrent") == 0) {
 134                deny_delete_current = parse_deny_action(var, value);
 135                return 0;
 136        }
 137
 138        if (strcmp(var, "repack.usedeltabaseoffset") == 0) {
 139                prefer_ofs_delta = git_config_bool(var, value);
 140                return 0;
 141        }
 142
 143        if (strcmp(var, "receive.updateserverinfo") == 0) {
 144                auto_update_server_info = git_config_bool(var, value);
 145                return 0;
 146        }
 147
 148        if (strcmp(var, "receive.autogc") == 0) {
 149                auto_gc = git_config_bool(var, value);
 150                return 0;
 151        }
 152
 153        if (strcmp(var, "receive.shallowupdate") == 0) {
 154                shallow_update = git_config_bool(var, value);
 155                return 0;
 156        }
 157
 158        if (strcmp(var, "receive.certnonceseed") == 0)
 159                return git_config_string(&cert_nonce_seed, var, value);
 160
 161        if (strcmp(var, "receive.certnonceslop") == 0) {
 162                nonce_stamp_slop_limit = git_config_ulong(var, value);
 163                return 0;
 164        }
 165
 166        if (strcmp(var, "receive.advertiseatomic") == 0) {
 167                advertise_atomic_push = git_config_bool(var, value);
 168                return 0;
 169        }
 170
 171        return git_default_config(var, value, cb);
 172}
 173
 174static void show_ref(const char *path, const unsigned char *sha1)
 175{
 176        if (ref_is_hidden(path))
 177                return;
 178
 179        if (sent_capabilities) {
 180                packet_write(1, "%s %s\n", sha1_to_hex(sha1), path);
 181        } else {
 182                struct strbuf cap = STRBUF_INIT;
 183
 184                strbuf_addstr(&cap,
 185                              "report-status delete-refs side-band-64k quiet");
 186                if (advertise_atomic_push)
 187                        strbuf_addstr(&cap, " atomic");
 188                if (prefer_ofs_delta)
 189                        strbuf_addstr(&cap, " ofs-delta");
 190                if (push_cert_nonce)
 191                        strbuf_addf(&cap, " push-cert=%s", push_cert_nonce);
 192                strbuf_addf(&cap, " agent=%s", git_user_agent_sanitized());
 193                packet_write(1, "%s %s%c%s\n",
 194                             sha1_to_hex(sha1), path, 0, cap.buf);
 195                strbuf_release(&cap);
 196                sent_capabilities = 1;
 197        }
 198}
 199
 200static int show_ref_cb(const char *path, const struct object_id *oid, int flag, void *unused)
 201{
 202        path = strip_namespace(path);
 203        /*
 204         * Advertise refs outside our current namespace as ".have"
 205         * refs, so that the client can use them to minimize data
 206         * transfer but will otherwise ignore them. This happens to
 207         * cover ".have" that are thrown in by add_one_alternate_ref()
 208         * to mark histories that are complete in our alternates as
 209         * well.
 210         */
 211        if (!path)
 212                path = ".have";
 213        show_ref(path, oid->hash);
 214        return 0;
 215}
 216
 217static void show_one_alternate_sha1(const unsigned char sha1[20], void *unused)
 218{
 219        show_ref(".have", sha1);
 220}
 221
 222static void collect_one_alternate_ref(const struct ref *ref, void *data)
 223{
 224        struct sha1_array *sa = data;
 225        sha1_array_append(sa, ref->old_sha1);
 226}
 227
 228static void write_head_info(void)
 229{
 230        struct sha1_array sa = SHA1_ARRAY_INIT;
 231
 232        for_each_alternate_ref(collect_one_alternate_ref, &sa);
 233        sha1_array_for_each_unique(&sa, show_one_alternate_sha1, NULL);
 234        sha1_array_clear(&sa);
 235        for_each_ref(show_ref_cb, NULL);
 236        if (!sent_capabilities)
 237                show_ref("capabilities^{}", null_sha1);
 238
 239        advertise_shallow_grafts(1);
 240
 241        /* EOF */
 242        packet_flush(1);
 243}
 244
 245struct command {
 246        struct command *next;
 247        const char *error_string;
 248        unsigned int skip_update:1,
 249                     did_not_exist:1;
 250        int index;
 251        unsigned char old_sha1[20];
 252        unsigned char new_sha1[20];
 253        char ref_name[FLEX_ARRAY]; /* more */
 254};
 255
 256static void rp_error(const char *err, ...) __attribute__((format (printf, 1, 2)));
 257static void rp_warning(const char *err, ...) __attribute__((format (printf, 1, 2)));
 258
 259static void report_message(const char *prefix, const char *err, va_list params)
 260{
 261        int sz = strlen(prefix);
 262        char msg[4096];
 263
 264        strncpy(msg, prefix, sz);
 265        sz += vsnprintf(msg + sz, sizeof(msg) - sz, err, params);
 266        if (sz > (sizeof(msg) - 1))
 267                sz = sizeof(msg) - 1;
 268        msg[sz++] = '\n';
 269
 270        if (use_sideband)
 271                send_sideband(1, 2, msg, sz, use_sideband);
 272        else
 273                xwrite(2, msg, sz);
 274}
 275
 276static void rp_warning(const char *err, ...)
 277{
 278        va_list params;
 279        va_start(params, err);
 280        report_message("warning: ", err, params);
 281        va_end(params);
 282}
 283
 284static void rp_error(const char *err, ...)
 285{
 286        va_list params;
 287        va_start(params, err);
 288        report_message("error: ", err, params);
 289        va_end(params);
 290}
 291
 292static int copy_to_sideband(int in, int out, void *arg)
 293{
 294        char data[128];
 295        while (1) {
 296                ssize_t sz = xread(in, data, sizeof(data));
 297                if (sz <= 0)
 298                        break;
 299                send_sideband(1, 2, data, sz, use_sideband);
 300        }
 301        close(in);
 302        return 0;
 303}
 304
 305#define HMAC_BLOCK_SIZE 64
 306
 307static void hmac_sha1(unsigned char *out,
 308                      const char *key_in, size_t key_len,
 309                      const char *text, size_t text_len)
 310{
 311        unsigned char key[HMAC_BLOCK_SIZE];
 312        unsigned char k_ipad[HMAC_BLOCK_SIZE];
 313        unsigned char k_opad[HMAC_BLOCK_SIZE];
 314        int i;
 315        git_SHA_CTX ctx;
 316
 317        /* RFC 2104 2. (1) */
 318        memset(key, '\0', HMAC_BLOCK_SIZE);
 319        if (HMAC_BLOCK_SIZE < key_len) {
 320                git_SHA1_Init(&ctx);
 321                git_SHA1_Update(&ctx, key_in, key_len);
 322                git_SHA1_Final(key, &ctx);
 323        } else {
 324                memcpy(key, key_in, key_len);
 325        }
 326
 327        /* RFC 2104 2. (2) & (5) */
 328        for (i = 0; i < sizeof(key); i++) {
 329                k_ipad[i] = key[i] ^ 0x36;
 330                k_opad[i] = key[i] ^ 0x5c;
 331        }
 332
 333        /* RFC 2104 2. (3) & (4) */
 334        git_SHA1_Init(&ctx);
 335        git_SHA1_Update(&ctx, k_ipad, sizeof(k_ipad));
 336        git_SHA1_Update(&ctx, text, text_len);
 337        git_SHA1_Final(out, &ctx);
 338
 339        /* RFC 2104 2. (6) & (7) */
 340        git_SHA1_Init(&ctx);
 341        git_SHA1_Update(&ctx, k_opad, sizeof(k_opad));
 342        git_SHA1_Update(&ctx, out, 20);
 343        git_SHA1_Final(out, &ctx);
 344}
 345
 346static char *prepare_push_cert_nonce(const char *path, unsigned long stamp)
 347{
 348        struct strbuf buf = STRBUF_INIT;
 349        unsigned char sha1[20];
 350
 351        strbuf_addf(&buf, "%s:%lu", path, stamp);
 352        hmac_sha1(sha1, buf.buf, buf.len, cert_nonce_seed, strlen(cert_nonce_seed));;
 353        strbuf_release(&buf);
 354
 355        /* RFC 2104 5. HMAC-SHA1-80 */
 356        strbuf_addf(&buf, "%lu-%.*s", stamp, 20, sha1_to_hex(sha1));
 357        return strbuf_detach(&buf, NULL);
 358}
 359
 360/*
 361 * NEEDSWORK: reuse find_commit_header() from jk/commit-author-parsing
 362 * after dropping "_commit" from its name and possibly moving it out
 363 * of commit.c
 364 */
 365static char *find_header(const char *msg, size_t len, const char *key)
 366{
 367        int key_len = strlen(key);
 368        const char *line = msg;
 369
 370        while (line && line < msg + len) {
 371                const char *eol = strchrnul(line, '\n');
 372
 373                if ((msg + len <= eol) || line == eol)
 374                        return NULL;
 375                if (line + key_len < eol &&
 376                    !memcmp(line, key, key_len) && line[key_len] == ' ') {
 377                        int offset = key_len + 1;
 378                        return xmemdupz(line + offset, (eol - line) - offset);
 379                }
 380                line = *eol ? eol + 1 : NULL;
 381        }
 382        return NULL;
 383}
 384
 385static const char *check_nonce(const char *buf, size_t len)
 386{
 387        char *nonce = find_header(buf, len, "nonce");
 388        unsigned long stamp, ostamp;
 389        char *bohmac, *expect = NULL;
 390        const char *retval = NONCE_BAD;
 391
 392        if (!nonce) {
 393                retval = NONCE_MISSING;
 394                goto leave;
 395        } else if (!push_cert_nonce) {
 396                retval = NONCE_UNSOLICITED;
 397                goto leave;
 398        } else if (!strcmp(push_cert_nonce, nonce)) {
 399                retval = NONCE_OK;
 400                goto leave;
 401        }
 402
 403        if (!stateless_rpc) {
 404                /* returned nonce MUST match what we gave out earlier */
 405                retval = NONCE_BAD;
 406                goto leave;
 407        }
 408
 409        /*
 410         * In stateless mode, we may be receiving a nonce issued by
 411         * another instance of the server that serving the same
 412         * repository, and the timestamps may not match, but the
 413         * nonce-seed and dir should match, so we can recompute and
 414         * report the time slop.
 415         *
 416         * In addition, when a nonce issued by another instance has
 417         * timestamp within receive.certnonceslop seconds, we pretend
 418         * as if we issued that nonce when reporting to the hook.
 419         */
 420
 421        /* nonce is concat(<seconds-since-epoch>, "-", <hmac>) */
 422        if (*nonce <= '0' || '9' < *nonce) {
 423                retval = NONCE_BAD;
 424                goto leave;
 425        }
 426        stamp = strtoul(nonce, &bohmac, 10);
 427        if (bohmac == nonce || bohmac[0] != '-') {
 428                retval = NONCE_BAD;
 429                goto leave;
 430        }
 431
 432        expect = prepare_push_cert_nonce(service_dir, stamp);
 433        if (strcmp(expect, nonce)) {
 434                /* Not what we would have signed earlier */
 435                retval = NONCE_BAD;
 436                goto leave;
 437        }
 438
 439        /*
 440         * By how many seconds is this nonce stale?  Negative value
 441         * would mean it was issued by another server with its clock
 442         * skewed in the future.
 443         */
 444        ostamp = strtoul(push_cert_nonce, NULL, 10);
 445        nonce_stamp_slop = (long)ostamp - (long)stamp;
 446
 447        if (nonce_stamp_slop_limit &&
 448            labs(nonce_stamp_slop) <= nonce_stamp_slop_limit) {
 449                /*
 450                 * Pretend as if the received nonce (which passes the
 451                 * HMAC check, so it is not a forged by third-party)
 452                 * is what we issued.
 453                 */
 454                free((void *)push_cert_nonce);
 455                push_cert_nonce = xstrdup(nonce);
 456                retval = NONCE_OK;
 457        } else {
 458                retval = NONCE_SLOP;
 459        }
 460
 461leave:
 462        free(nonce);
 463        free(expect);
 464        return retval;
 465}
 466
 467static void prepare_push_cert_sha1(struct child_process *proc)
 468{
 469        static int already_done;
 470
 471        if (!push_cert.len)
 472                return;
 473
 474        if (!already_done) {
 475                struct strbuf gpg_output = STRBUF_INIT;
 476                struct strbuf gpg_status = STRBUF_INIT;
 477                int bogs /* beginning_of_gpg_sig */;
 478
 479                already_done = 1;
 480                if (write_sha1_file(push_cert.buf, push_cert.len, "blob", push_cert_sha1))
 481                        hashclr(push_cert_sha1);
 482
 483                memset(&sigcheck, '\0', sizeof(sigcheck));
 484                sigcheck.result = 'N';
 485
 486                bogs = parse_signature(push_cert.buf, push_cert.len);
 487                if (verify_signed_buffer(push_cert.buf, bogs,
 488                                         push_cert.buf + bogs, push_cert.len - bogs,
 489                                         &gpg_output, &gpg_status) < 0) {
 490                        ; /* error running gpg */
 491                } else {
 492                        sigcheck.payload = push_cert.buf;
 493                        sigcheck.gpg_output = gpg_output.buf;
 494                        sigcheck.gpg_status = gpg_status.buf;
 495                        parse_gpg_output(&sigcheck);
 496                }
 497
 498                strbuf_release(&gpg_output);
 499                strbuf_release(&gpg_status);
 500                nonce_status = check_nonce(push_cert.buf, bogs);
 501        }
 502        if (!is_null_sha1(push_cert_sha1)) {
 503                argv_array_pushf(&proc->env_array, "GIT_PUSH_CERT=%s",
 504                                 sha1_to_hex(push_cert_sha1));
 505                argv_array_pushf(&proc->env_array, "GIT_PUSH_CERT_SIGNER=%s",
 506                                 sigcheck.signer ? sigcheck.signer : "");
 507                argv_array_pushf(&proc->env_array, "GIT_PUSH_CERT_KEY=%s",
 508                                 sigcheck.key ? sigcheck.key : "");
 509                argv_array_pushf(&proc->env_array, "GIT_PUSH_CERT_STATUS=%c",
 510                                 sigcheck.result);
 511                if (push_cert_nonce) {
 512                        argv_array_pushf(&proc->env_array,
 513                                         "GIT_PUSH_CERT_NONCE=%s",
 514                                         push_cert_nonce);
 515                        argv_array_pushf(&proc->env_array,
 516                                         "GIT_PUSH_CERT_NONCE_STATUS=%s",
 517                                         nonce_status);
 518                        if (nonce_status == NONCE_SLOP)
 519                                argv_array_pushf(&proc->env_array,
 520                                                 "GIT_PUSH_CERT_NONCE_SLOP=%ld",
 521                                                 nonce_stamp_slop);
 522                }
 523        }
 524}
 525
 526typedef int (*feed_fn)(void *, const char **, size_t *);
 527static int run_and_feed_hook(const char *hook_name, feed_fn feed, void *feed_state)
 528{
 529        struct child_process proc = CHILD_PROCESS_INIT;
 530        struct async muxer;
 531        const char *argv[2];
 532        int code;
 533
 534        argv[0] = find_hook(hook_name);
 535        if (!argv[0])
 536                return 0;
 537
 538        argv[1] = NULL;
 539
 540        proc.argv = argv;
 541        proc.in = -1;
 542        proc.stdout_to_stderr = 1;
 543
 544        if (use_sideband) {
 545                memset(&muxer, 0, sizeof(muxer));
 546                muxer.proc = copy_to_sideband;
 547                muxer.in = -1;
 548                code = start_async(&muxer);
 549                if (code)
 550                        return code;
 551                proc.err = muxer.in;
 552        }
 553
 554        prepare_push_cert_sha1(&proc);
 555
 556        code = start_command(&proc);
 557        if (code) {
 558                if (use_sideband)
 559                        finish_async(&muxer);
 560                return code;
 561        }
 562
 563        sigchain_push(SIGPIPE, SIG_IGN);
 564
 565        while (1) {
 566                const char *buf;
 567                size_t n;
 568                if (feed(feed_state, &buf, &n))
 569                        break;
 570                if (write_in_full(proc.in, buf, n) != n)
 571                        break;
 572        }
 573        close(proc.in);
 574        if (use_sideband)
 575                finish_async(&muxer);
 576
 577        sigchain_pop(SIGPIPE);
 578
 579        return finish_command(&proc);
 580}
 581
 582struct receive_hook_feed_state {
 583        struct command *cmd;
 584        int skip_broken;
 585        struct strbuf buf;
 586};
 587
 588static int feed_receive_hook(void *state_, const char **bufp, size_t *sizep)
 589{
 590        struct receive_hook_feed_state *state = state_;
 591        struct command *cmd = state->cmd;
 592
 593        while (cmd &&
 594               state->skip_broken && (cmd->error_string || cmd->did_not_exist))
 595                cmd = cmd->next;
 596        if (!cmd)
 597                return -1; /* EOF */
 598        strbuf_reset(&state->buf);
 599        strbuf_addf(&state->buf, "%s %s %s\n",
 600                    sha1_to_hex(cmd->old_sha1), sha1_to_hex(cmd->new_sha1),
 601                    cmd->ref_name);
 602        state->cmd = cmd->next;
 603        if (bufp) {
 604                *bufp = state->buf.buf;
 605                *sizep = state->buf.len;
 606        }
 607        return 0;
 608}
 609
 610static int run_receive_hook(struct command *commands, const char *hook_name,
 611                            int skip_broken)
 612{
 613        struct receive_hook_feed_state state;
 614        int status;
 615
 616        strbuf_init(&state.buf, 0);
 617        state.cmd = commands;
 618        state.skip_broken = skip_broken;
 619        if (feed_receive_hook(&state, NULL, NULL))
 620                return 0;
 621        state.cmd = commands;
 622        status = run_and_feed_hook(hook_name, feed_receive_hook, &state);
 623        strbuf_release(&state.buf);
 624        return status;
 625}
 626
 627static int run_update_hook(struct command *cmd)
 628{
 629        const char *argv[5];
 630        struct child_process proc = CHILD_PROCESS_INIT;
 631        int code;
 632
 633        argv[0] = find_hook("update");
 634        if (!argv[0])
 635                return 0;
 636
 637        argv[1] = cmd->ref_name;
 638        argv[2] = sha1_to_hex(cmd->old_sha1);
 639        argv[3] = sha1_to_hex(cmd->new_sha1);
 640        argv[4] = NULL;
 641
 642        proc.no_stdin = 1;
 643        proc.stdout_to_stderr = 1;
 644        proc.err = use_sideband ? -1 : 0;
 645        proc.argv = argv;
 646
 647        code = start_command(&proc);
 648        if (code)
 649                return code;
 650        if (use_sideband)
 651                copy_to_sideband(proc.err, -1, NULL);
 652        return finish_command(&proc);
 653}
 654
 655static int is_ref_checked_out(const char *ref)
 656{
 657        if (is_bare_repository())
 658                return 0;
 659
 660        if (!head_name)
 661                return 0;
 662        return !strcmp(head_name, ref);
 663}
 664
 665static char *refuse_unconfigured_deny_msg[] = {
 666        "By default, updating the current branch in a non-bare repository",
 667        "is denied, because it will make the index and work tree inconsistent",
 668        "with what you pushed, and will require 'git reset --hard' to match",
 669        "the work tree to HEAD.",
 670        "",
 671        "You can set 'receive.denyCurrentBranch' configuration variable to",
 672        "'ignore' or 'warn' in the remote repository to allow pushing into",
 673        "its current branch; however, this is not recommended unless you",
 674        "arranged to update its work tree to match what you pushed in some",
 675        "other way.",
 676        "",
 677        "To squelch this message and still keep the default behaviour, set",
 678        "'receive.denyCurrentBranch' configuration variable to 'refuse'."
 679};
 680
 681static void refuse_unconfigured_deny(void)
 682{
 683        int i;
 684        for (i = 0; i < ARRAY_SIZE(refuse_unconfigured_deny_msg); i++)
 685                rp_error("%s", refuse_unconfigured_deny_msg[i]);
 686}
 687
 688static char *refuse_unconfigured_deny_delete_current_msg[] = {
 689        "By default, deleting the current branch is denied, because the next",
 690        "'git clone' won't result in any file checked out, causing confusion.",
 691        "",
 692        "You can set 'receive.denyDeleteCurrent' configuration variable to",
 693        "'warn' or 'ignore' in the remote repository to allow deleting the",
 694        "current branch, with or without a warning message.",
 695        "",
 696        "To squelch this message, you can set it to 'refuse'."
 697};
 698
 699static void refuse_unconfigured_deny_delete_current(void)
 700{
 701        int i;
 702        for (i = 0;
 703             i < ARRAY_SIZE(refuse_unconfigured_deny_delete_current_msg);
 704             i++)
 705                rp_error("%s", refuse_unconfigured_deny_delete_current_msg[i]);
 706}
 707
 708static int command_singleton_iterator(void *cb_data, unsigned char sha1[20]);
 709static int update_shallow_ref(struct command *cmd, struct shallow_info *si)
 710{
 711        static struct lock_file shallow_lock;
 712        struct sha1_array extra = SHA1_ARRAY_INIT;
 713        const char *alt_file;
 714        uint32_t mask = 1 << (cmd->index % 32);
 715        int i;
 716
 717        trace_printf_key(&trace_shallow,
 718                         "shallow: update_shallow_ref %s\n", cmd->ref_name);
 719        for (i = 0; i < si->shallow->nr; i++)
 720                if (si->used_shallow[i] &&
 721                    (si->used_shallow[i][cmd->index / 32] & mask) &&
 722                    !delayed_reachability_test(si, i))
 723                        sha1_array_append(&extra, si->shallow->sha1[i]);
 724
 725        setup_alternate_shallow(&shallow_lock, &alt_file, &extra);
 726        if (check_shallow_connected(command_singleton_iterator,
 727                                    0, cmd, alt_file)) {
 728                rollback_lock_file(&shallow_lock);
 729                sha1_array_clear(&extra);
 730                return -1;
 731        }
 732
 733        commit_lock_file(&shallow_lock);
 734
 735        /*
 736         * Make sure setup_alternate_shallow() for the next ref does
 737         * not lose these new roots..
 738         */
 739        for (i = 0; i < extra.nr; i++)
 740                register_shallow(extra.sha1[i]);
 741
 742        si->shallow_ref[cmd->index] = 0;
 743        sha1_array_clear(&extra);
 744        return 0;
 745}
 746
 747/*
 748 * NEEDSWORK: we should consolidate various implementions of "are we
 749 * on an unborn branch?" test into one, and make the unified one more
 750 * robust. !get_sha1() based check used here and elsewhere would not
 751 * allow us to tell an unborn branch from corrupt ref, for example.
 752 * For the purpose of fixing "deploy-to-update does not work when
 753 * pushing into an empty repository" issue, this should suffice for
 754 * now.
 755 */
 756static int head_has_history(void)
 757{
 758        unsigned char sha1[20];
 759
 760        return !get_sha1("HEAD", sha1);
 761}
 762
 763static const char *push_to_deploy(unsigned char *sha1,
 764                                  struct argv_array *env,
 765                                  const char *work_tree)
 766{
 767        const char *update_refresh[] = {
 768                "update-index", "-q", "--ignore-submodules", "--refresh", NULL
 769        };
 770        const char *diff_files[] = {
 771                "diff-files", "--quiet", "--ignore-submodules", "--", NULL
 772        };
 773        const char *diff_index[] = {
 774                "diff-index", "--quiet", "--cached", "--ignore-submodules",
 775                NULL, "--", NULL
 776        };
 777        const char *read_tree[] = {
 778                "read-tree", "-u", "-m", NULL, NULL
 779        };
 780        struct child_process child = CHILD_PROCESS_INIT;
 781
 782        child.argv = update_refresh;
 783        child.env = env->argv;
 784        child.dir = work_tree;
 785        child.no_stdin = 1;
 786        child.stdout_to_stderr = 1;
 787        child.git_cmd = 1;
 788        if (run_command(&child))
 789                return "Up-to-date check failed";
 790
 791        /* run_command() does not clean up completely; reinitialize */
 792        child_process_init(&child);
 793        child.argv = diff_files;
 794        child.env = env->argv;
 795        child.dir = work_tree;
 796        child.no_stdin = 1;
 797        child.stdout_to_stderr = 1;
 798        child.git_cmd = 1;
 799        if (run_command(&child))
 800                return "Working directory has unstaged changes";
 801
 802        /* diff-index with either HEAD or an empty tree */
 803        diff_index[4] = head_has_history() ? "HEAD" : EMPTY_TREE_SHA1_HEX;
 804
 805        child_process_init(&child);
 806        child.argv = diff_index;
 807        child.env = env->argv;
 808        child.no_stdin = 1;
 809        child.no_stdout = 1;
 810        child.stdout_to_stderr = 0;
 811        child.git_cmd = 1;
 812        if (run_command(&child))
 813                return "Working directory has staged changes";
 814
 815        read_tree[3] = sha1_to_hex(sha1);
 816        child_process_init(&child);
 817        child.argv = read_tree;
 818        child.env = env->argv;
 819        child.dir = work_tree;
 820        child.no_stdin = 1;
 821        child.no_stdout = 1;
 822        child.stdout_to_stderr = 0;
 823        child.git_cmd = 1;
 824        if (run_command(&child))
 825                return "Could not update working tree to new HEAD";
 826
 827        return NULL;
 828}
 829
 830static const char *push_to_checkout_hook = "push-to-checkout";
 831
 832static const char *push_to_checkout(unsigned char *sha1,
 833                                    struct argv_array *env,
 834                                    const char *work_tree)
 835{
 836        argv_array_pushf(env, "GIT_WORK_TREE=%s", absolute_path(work_tree));
 837        if (run_hook_le(env->argv, push_to_checkout_hook,
 838                        sha1_to_hex(sha1), NULL))
 839                return "push-to-checkout hook declined";
 840        else
 841                return NULL;
 842}
 843
 844static const char *update_worktree(unsigned char *sha1)
 845{
 846        const char *retval;
 847        const char *work_tree = git_work_tree_cfg ? git_work_tree_cfg : "..";
 848        struct argv_array env = ARGV_ARRAY_INIT;
 849
 850        if (is_bare_repository())
 851                return "denyCurrentBranch = updateInstead needs a worktree";
 852
 853        argv_array_pushf(&env, "GIT_DIR=%s", absolute_path(get_git_dir()));
 854
 855        if (!find_hook(push_to_checkout_hook))
 856                retval = push_to_deploy(sha1, &env, work_tree);
 857        else
 858                retval = push_to_checkout(sha1, &env, work_tree);
 859
 860        argv_array_clear(&env);
 861        return retval;
 862}
 863
 864static const char *update(struct command *cmd, struct shallow_info *si)
 865{
 866        const char *name = cmd->ref_name;
 867        struct strbuf namespaced_name_buf = STRBUF_INIT;
 868        const char *namespaced_name, *ret;
 869        unsigned char *old_sha1 = cmd->old_sha1;
 870        unsigned char *new_sha1 = cmd->new_sha1;
 871
 872        /* only refs/... are allowed */
 873        if (!starts_with(name, "refs/") || check_refname_format(name + 5, 0)) {
 874                rp_error("refusing to create funny ref '%s' remotely", name);
 875                return "funny refname";
 876        }
 877
 878        strbuf_addf(&namespaced_name_buf, "%s%s", get_git_namespace(), name);
 879        namespaced_name = strbuf_detach(&namespaced_name_buf, NULL);
 880
 881        if (is_ref_checked_out(namespaced_name)) {
 882                switch (deny_current_branch) {
 883                case DENY_IGNORE:
 884                        break;
 885                case DENY_WARN:
 886                        rp_warning("updating the current branch");
 887                        break;
 888                case DENY_REFUSE:
 889                case DENY_UNCONFIGURED:
 890                        rp_error("refusing to update checked out branch: %s", name);
 891                        if (deny_current_branch == DENY_UNCONFIGURED)
 892                                refuse_unconfigured_deny();
 893                        return "branch is currently checked out";
 894                case DENY_UPDATE_INSTEAD:
 895                        ret = update_worktree(new_sha1);
 896                        if (ret)
 897                                return ret;
 898                        break;
 899                }
 900        }
 901
 902        if (!is_null_sha1(new_sha1) && !has_sha1_file(new_sha1)) {
 903                error("unpack should have generated %s, "
 904                      "but I can't find it!", sha1_to_hex(new_sha1));
 905                return "bad pack";
 906        }
 907
 908        if (!is_null_sha1(old_sha1) && is_null_sha1(new_sha1)) {
 909                if (deny_deletes && starts_with(name, "refs/heads/")) {
 910                        rp_error("denying ref deletion for %s", name);
 911                        return "deletion prohibited";
 912                }
 913
 914                if (!strcmp(namespaced_name, head_name)) {
 915                        switch (deny_delete_current) {
 916                        case DENY_IGNORE:
 917                                break;
 918                        case DENY_WARN:
 919                                rp_warning("deleting the current branch");
 920                                break;
 921                        case DENY_REFUSE:
 922                        case DENY_UNCONFIGURED:
 923                        case DENY_UPDATE_INSTEAD:
 924                                if (deny_delete_current == DENY_UNCONFIGURED)
 925                                        refuse_unconfigured_deny_delete_current();
 926                                rp_error("refusing to delete the current branch: %s", name);
 927                                return "deletion of the current branch prohibited";
 928                        default:
 929                                return "Invalid denyDeleteCurrent setting";
 930                        }
 931                }
 932        }
 933
 934        if (deny_non_fast_forwards && !is_null_sha1(new_sha1) &&
 935            !is_null_sha1(old_sha1) &&
 936            starts_with(name, "refs/heads/")) {
 937                struct object *old_object, *new_object;
 938                struct commit *old_commit, *new_commit;
 939
 940                old_object = parse_object(old_sha1);
 941                new_object = parse_object(new_sha1);
 942
 943                if (!old_object || !new_object ||
 944                    old_object->type != OBJ_COMMIT ||
 945                    new_object->type != OBJ_COMMIT) {
 946                        error("bad sha1 objects for %s", name);
 947                        return "bad ref";
 948                }
 949                old_commit = (struct commit *)old_object;
 950                new_commit = (struct commit *)new_object;
 951                if (!in_merge_bases(old_commit, new_commit)) {
 952                        rp_error("denying non-fast-forward %s"
 953                                 " (you should pull first)", name);
 954                        return "non-fast-forward";
 955                }
 956        }
 957        if (run_update_hook(cmd)) {
 958                rp_error("hook declined to update %s", name);
 959                return "hook declined";
 960        }
 961
 962        if (is_null_sha1(new_sha1)) {
 963                struct strbuf err = STRBUF_INIT;
 964                if (!parse_object(old_sha1)) {
 965                        old_sha1 = NULL;
 966                        if (ref_exists(name)) {
 967                                rp_warning("Allowing deletion of corrupt ref.");
 968                        } else {
 969                                rp_warning("Deleting a non-existent ref.");
 970                                cmd->did_not_exist = 1;
 971                        }
 972                }
 973                if (ref_transaction_delete(transaction,
 974                                           namespaced_name,
 975                                           old_sha1,
 976                                           0, "push", &err)) {
 977                        rp_error("%s", err.buf);
 978                        strbuf_release(&err);
 979                        return "failed to delete";
 980                }
 981                strbuf_release(&err);
 982                return NULL; /* good */
 983        }
 984        else {
 985                struct strbuf err = STRBUF_INIT;
 986                if (shallow_update && si->shallow_ref[cmd->index] &&
 987                    update_shallow_ref(cmd, si))
 988                        return "shallow error";
 989
 990                if (ref_transaction_update(transaction,
 991                                           namespaced_name,
 992                                           new_sha1, old_sha1,
 993                                           0, "push",
 994                                           &err)) {
 995                        rp_error("%s", err.buf);
 996                        strbuf_release(&err);
 997
 998                        return "failed to update ref";
 999                }
1000                strbuf_release(&err);
1001
1002                return NULL; /* good */
1003        }
1004}
1005
1006static void run_update_post_hook(struct command *commands)
1007{
1008        struct command *cmd;
1009        int argc;
1010        const char **argv;
1011        struct child_process proc = CHILD_PROCESS_INIT;
1012        const char *hook;
1013
1014        hook = find_hook("post-update");
1015        for (argc = 0, cmd = commands; cmd; cmd = cmd->next) {
1016                if (cmd->error_string || cmd->did_not_exist)
1017                        continue;
1018                argc++;
1019        }
1020        if (!argc || !hook)
1021                return;
1022
1023        argv = xmalloc(sizeof(*argv) * (2 + argc));
1024        argv[0] = hook;
1025
1026        for (argc = 1, cmd = commands; cmd; cmd = cmd->next) {
1027                if (cmd->error_string || cmd->did_not_exist)
1028                        continue;
1029                argv[argc] = xstrdup(cmd->ref_name);
1030                argc++;
1031        }
1032        argv[argc] = NULL;
1033
1034        proc.no_stdin = 1;
1035        proc.stdout_to_stderr = 1;
1036        proc.err = use_sideband ? -1 : 0;
1037        proc.argv = argv;
1038
1039        if (!start_command(&proc)) {
1040                if (use_sideband)
1041                        copy_to_sideband(proc.err, -1, NULL);
1042                finish_command(&proc);
1043        }
1044}
1045
1046static void check_aliased_update(struct command *cmd, struct string_list *list)
1047{
1048        struct strbuf buf = STRBUF_INIT;
1049        const char *dst_name;
1050        struct string_list_item *item;
1051        struct command *dst_cmd;
1052        unsigned char sha1[20];
1053        char cmd_oldh[41], cmd_newh[41], dst_oldh[41], dst_newh[41];
1054        int flag;
1055
1056        strbuf_addf(&buf, "%s%s", get_git_namespace(), cmd->ref_name);
1057        dst_name = resolve_ref_unsafe(buf.buf, 0, sha1, &flag);
1058        strbuf_release(&buf);
1059
1060        if (!(flag & REF_ISSYMREF))
1061                return;
1062
1063        dst_name = strip_namespace(dst_name);
1064        if (!dst_name) {
1065                rp_error("refusing update to broken symref '%s'", cmd->ref_name);
1066                cmd->skip_update = 1;
1067                cmd->error_string = "broken symref";
1068                return;
1069        }
1070
1071        if ((item = string_list_lookup(list, dst_name)) == NULL)
1072                return;
1073
1074        cmd->skip_update = 1;
1075
1076        dst_cmd = (struct command *) item->util;
1077
1078        if (!hashcmp(cmd->old_sha1, dst_cmd->old_sha1) &&
1079            !hashcmp(cmd->new_sha1, dst_cmd->new_sha1))
1080                return;
1081
1082        dst_cmd->skip_update = 1;
1083
1084        strcpy(cmd_oldh, find_unique_abbrev(cmd->old_sha1, DEFAULT_ABBREV));
1085        strcpy(cmd_newh, find_unique_abbrev(cmd->new_sha1, DEFAULT_ABBREV));
1086        strcpy(dst_oldh, find_unique_abbrev(dst_cmd->old_sha1, DEFAULT_ABBREV));
1087        strcpy(dst_newh, find_unique_abbrev(dst_cmd->new_sha1, DEFAULT_ABBREV));
1088        rp_error("refusing inconsistent update between symref '%s' (%s..%s) and"
1089                 " its target '%s' (%s..%s)",
1090                 cmd->ref_name, cmd_oldh, cmd_newh,
1091                 dst_cmd->ref_name, dst_oldh, dst_newh);
1092
1093        cmd->error_string = dst_cmd->error_string =
1094                "inconsistent aliased update";
1095}
1096
1097static void check_aliased_updates(struct command *commands)
1098{
1099        struct command *cmd;
1100        struct string_list ref_list = STRING_LIST_INIT_NODUP;
1101
1102        for (cmd = commands; cmd; cmd = cmd->next) {
1103                struct string_list_item *item =
1104                        string_list_append(&ref_list, cmd->ref_name);
1105                item->util = (void *)cmd;
1106        }
1107        string_list_sort(&ref_list);
1108
1109        for (cmd = commands; cmd; cmd = cmd->next) {
1110                if (!cmd->error_string)
1111                        check_aliased_update(cmd, &ref_list);
1112        }
1113
1114        string_list_clear(&ref_list, 0);
1115}
1116
1117static int command_singleton_iterator(void *cb_data, unsigned char sha1[20])
1118{
1119        struct command **cmd_list = cb_data;
1120        struct command *cmd = *cmd_list;
1121
1122        if (!cmd || is_null_sha1(cmd->new_sha1))
1123                return -1; /* end of list */
1124        *cmd_list = NULL; /* this returns only one */
1125        hashcpy(sha1, cmd->new_sha1);
1126        return 0;
1127}
1128
1129static void set_connectivity_errors(struct command *commands,
1130                                    struct shallow_info *si)
1131{
1132        struct command *cmd;
1133
1134        for (cmd = commands; cmd; cmd = cmd->next) {
1135                struct command *singleton = cmd;
1136                if (shallow_update && si->shallow_ref[cmd->index])
1137                        /* to be checked in update_shallow_ref() */
1138                        continue;
1139                if (!check_everything_connected(command_singleton_iterator,
1140                                                0, &singleton))
1141                        continue;
1142                cmd->error_string = "missing necessary objects";
1143        }
1144}
1145
1146struct iterate_data {
1147        struct command *cmds;
1148        struct shallow_info *si;
1149};
1150
1151static int iterate_receive_command_list(void *cb_data, unsigned char sha1[20])
1152{
1153        struct iterate_data *data = cb_data;
1154        struct command **cmd_list = &data->cmds;
1155        struct command *cmd = *cmd_list;
1156
1157        for (; cmd; cmd = cmd->next) {
1158                if (shallow_update && data->si->shallow_ref[cmd->index])
1159                        /* to be checked in update_shallow_ref() */
1160                        continue;
1161                if (!is_null_sha1(cmd->new_sha1) && !cmd->skip_update) {
1162                        hashcpy(sha1, cmd->new_sha1);
1163                        *cmd_list = cmd->next;
1164                        return 0;
1165                }
1166        }
1167        *cmd_list = NULL;
1168        return -1; /* end of list */
1169}
1170
1171static void reject_updates_to_hidden(struct command *commands)
1172{
1173        struct command *cmd;
1174
1175        for (cmd = commands; cmd; cmd = cmd->next) {
1176                if (cmd->error_string || !ref_is_hidden(cmd->ref_name))
1177                        continue;
1178                if (is_null_sha1(cmd->new_sha1))
1179                        cmd->error_string = "deny deleting a hidden ref";
1180                else
1181                        cmd->error_string = "deny updating a hidden ref";
1182        }
1183}
1184
1185static int should_process_cmd(struct command *cmd)
1186{
1187        return !cmd->error_string && !cmd->skip_update;
1188}
1189
1190static void warn_if_skipped_connectivity_check(struct command *commands,
1191                                               struct shallow_info *si)
1192{
1193        struct command *cmd;
1194        int checked_connectivity = 1;
1195
1196        for (cmd = commands; cmd; cmd = cmd->next) {
1197                if (should_process_cmd(cmd) && si->shallow_ref[cmd->index]) {
1198                        error("BUG: connectivity check has not been run on ref %s",
1199                              cmd->ref_name);
1200                        checked_connectivity = 0;
1201                }
1202        }
1203        if (!checked_connectivity)
1204                die("BUG: connectivity check skipped???");
1205}
1206
1207static void execute_commands_non_atomic(struct command *commands,
1208                                        struct shallow_info *si)
1209{
1210        struct command *cmd;
1211        struct strbuf err = STRBUF_INIT;
1212
1213        for (cmd = commands; cmd; cmd = cmd->next) {
1214                if (!should_process_cmd(cmd))
1215                        continue;
1216
1217                transaction = ref_transaction_begin(&err);
1218                if (!transaction) {
1219                        rp_error("%s", err.buf);
1220                        strbuf_reset(&err);
1221                        cmd->error_string = "transaction failed to start";
1222                        continue;
1223                }
1224
1225                cmd->error_string = update(cmd, si);
1226
1227                if (!cmd->error_string
1228                    && ref_transaction_commit(transaction, &err)) {
1229                        rp_error("%s", err.buf);
1230                        strbuf_reset(&err);
1231                        cmd->error_string = "failed to update ref";
1232                }
1233                ref_transaction_free(transaction);
1234        }
1235        strbuf_release(&err);
1236}
1237
1238static void execute_commands_atomic(struct command *commands,
1239                                        struct shallow_info *si)
1240{
1241        struct command *cmd;
1242        struct strbuf err = STRBUF_INIT;
1243        const char *reported_error = "atomic push failure";
1244
1245        transaction = ref_transaction_begin(&err);
1246        if (!transaction) {
1247                rp_error("%s", err.buf);
1248                strbuf_reset(&err);
1249                reported_error = "transaction failed to start";
1250                goto failure;
1251        }
1252
1253        for (cmd = commands; cmd; cmd = cmd->next) {
1254                if (!should_process_cmd(cmd))
1255                        continue;
1256
1257                cmd->error_string = update(cmd, si);
1258
1259                if (cmd->error_string)
1260                        goto failure;
1261        }
1262
1263        if (ref_transaction_commit(transaction, &err)) {
1264                rp_error("%s", err.buf);
1265                reported_error = "atomic transaction failed";
1266                goto failure;
1267        }
1268        goto cleanup;
1269
1270failure:
1271        for (cmd = commands; cmd; cmd = cmd->next)
1272                if (!cmd->error_string)
1273                        cmd->error_string = reported_error;
1274
1275cleanup:
1276        ref_transaction_free(transaction);
1277        strbuf_release(&err);
1278}
1279
1280static void execute_commands(struct command *commands,
1281                             const char *unpacker_error,
1282                             struct shallow_info *si)
1283{
1284        struct command *cmd;
1285        unsigned char sha1[20];
1286        struct iterate_data data;
1287
1288        if (unpacker_error) {
1289                for (cmd = commands; cmd; cmd = cmd->next)
1290                        cmd->error_string = "unpacker error";
1291                return;
1292        }
1293
1294        data.cmds = commands;
1295        data.si = si;
1296        if (check_everything_connected(iterate_receive_command_list, 0, &data))
1297                set_connectivity_errors(commands, si);
1298
1299        reject_updates_to_hidden(commands);
1300
1301        if (run_receive_hook(commands, "pre-receive", 0)) {
1302                for (cmd = commands; cmd; cmd = cmd->next) {
1303                        if (!cmd->error_string)
1304                                cmd->error_string = "pre-receive hook declined";
1305                }
1306                return;
1307        }
1308
1309        check_aliased_updates(commands);
1310
1311        free(head_name_to_free);
1312        head_name = head_name_to_free = resolve_refdup("HEAD", 0, sha1, NULL);
1313
1314        if (use_atomic)
1315                execute_commands_atomic(commands, si);
1316        else
1317                execute_commands_non_atomic(commands, si);
1318
1319        if (shallow_update)
1320                warn_if_skipped_connectivity_check(commands, si);
1321}
1322
1323static struct command **queue_command(struct command **tail,
1324                                      const char *line,
1325                                      int linelen)
1326{
1327        unsigned char old_sha1[20], new_sha1[20];
1328        struct command *cmd;
1329        const char *refname;
1330        int reflen;
1331
1332        if (linelen < 83 ||
1333            line[40] != ' ' ||
1334            line[81] != ' ' ||
1335            get_sha1_hex(line, old_sha1) ||
1336            get_sha1_hex(line + 41, new_sha1))
1337                die("protocol error: expected old/new/ref, got '%s'", line);
1338
1339        refname = line + 82;
1340        reflen = linelen - 82;
1341        cmd = xcalloc(1, sizeof(struct command) + reflen + 1);
1342        hashcpy(cmd->old_sha1, old_sha1);
1343        hashcpy(cmd->new_sha1, new_sha1);
1344        memcpy(cmd->ref_name, refname, reflen);
1345        cmd->ref_name[reflen] = '\0';
1346        *tail = cmd;
1347        return &cmd->next;
1348}
1349
1350static void queue_commands_from_cert(struct command **tail,
1351                                     struct strbuf *push_cert)
1352{
1353        const char *boc, *eoc;
1354
1355        if (*tail)
1356                die("protocol error: got both push certificate and unsigned commands");
1357
1358        boc = strstr(push_cert->buf, "\n\n");
1359        if (!boc)
1360                die("malformed push certificate %.*s", 100, push_cert->buf);
1361        else
1362                boc += 2;
1363        eoc = push_cert->buf + parse_signature(push_cert->buf, push_cert->len);
1364
1365        while (boc < eoc) {
1366                const char *eol = memchr(boc, '\n', eoc - boc);
1367                tail = queue_command(tail, boc, eol ? eol - boc : eoc - eol);
1368                boc = eol ? eol + 1 : eoc;
1369        }
1370}
1371
1372static struct command *read_head_info(struct sha1_array *shallow)
1373{
1374        struct command *commands = NULL;
1375        struct command **p = &commands;
1376        for (;;) {
1377                char *line;
1378                int len, linelen;
1379
1380                line = packet_read_line(0, &len);
1381                if (!line)
1382                        break;
1383
1384                if (len == 48 && starts_with(line, "shallow ")) {
1385                        unsigned char sha1[20];
1386                        if (get_sha1_hex(line + 8, sha1))
1387                                die("protocol error: expected shallow sha, got '%s'",
1388                                    line + 8);
1389                        sha1_array_append(shallow, sha1);
1390                        continue;
1391                }
1392
1393                linelen = strlen(line);
1394                if (linelen < len) {
1395                        const char *feature_list = line + linelen + 1;
1396                        if (parse_feature_request(feature_list, "report-status"))
1397                                report_status = 1;
1398                        if (parse_feature_request(feature_list, "side-band-64k"))
1399                                use_sideband = LARGE_PACKET_MAX;
1400                        if (parse_feature_request(feature_list, "quiet"))
1401                                quiet = 1;
1402                        if (advertise_atomic_push
1403                            && parse_feature_request(feature_list, "atomic"))
1404                                use_atomic = 1;
1405                }
1406
1407                if (!strcmp(line, "push-cert")) {
1408                        int true_flush = 0;
1409                        char certbuf[1024];
1410
1411                        for (;;) {
1412                                len = packet_read(0, NULL, NULL,
1413                                                  certbuf, sizeof(certbuf), 0);
1414                                if (!len) {
1415                                        true_flush = 1;
1416                                        break;
1417                                }
1418                                if (!strcmp(certbuf, "push-cert-end\n"))
1419                                        break; /* end of cert */
1420                                strbuf_addstr(&push_cert, certbuf);
1421                        }
1422
1423                        if (true_flush)
1424                                break;
1425                        continue;
1426                }
1427
1428                p = queue_command(p, line, linelen);
1429        }
1430
1431        if (push_cert.len)
1432                queue_commands_from_cert(p, &push_cert);
1433
1434        return commands;
1435}
1436
1437static const char *parse_pack_header(struct pack_header *hdr)
1438{
1439        switch (read_pack_header(0, hdr)) {
1440        case PH_ERROR_EOF:
1441                return "eof before pack header was fully read";
1442
1443        case PH_ERROR_PACK_SIGNATURE:
1444                return "protocol error (pack signature mismatch detected)";
1445
1446        case PH_ERROR_PROTOCOL:
1447                return "protocol error (pack version unsupported)";
1448
1449        default:
1450                return "unknown error in parse_pack_header";
1451
1452        case 0:
1453                return NULL;
1454        }
1455}
1456
1457static const char *pack_lockfile;
1458
1459static const char *unpack(int err_fd, struct shallow_info *si)
1460{
1461        struct pack_header hdr;
1462        const char *hdr_err;
1463        int status;
1464        char hdr_arg[38];
1465        struct child_process child = CHILD_PROCESS_INIT;
1466        int fsck_objects = (receive_fsck_objects >= 0
1467                            ? receive_fsck_objects
1468                            : transfer_fsck_objects >= 0
1469                            ? transfer_fsck_objects
1470                            : 0);
1471
1472        hdr_err = parse_pack_header(&hdr);
1473        if (hdr_err) {
1474                if (err_fd > 0)
1475                        close(err_fd);
1476                return hdr_err;
1477        }
1478        snprintf(hdr_arg, sizeof(hdr_arg),
1479                        "--pack_header=%"PRIu32",%"PRIu32,
1480                        ntohl(hdr.hdr_version), ntohl(hdr.hdr_entries));
1481
1482        if (si->nr_ours || si->nr_theirs) {
1483                alt_shallow_file = setup_temporary_shallow(si->shallow);
1484                argv_array_push(&child.args, "--shallow-file");
1485                argv_array_push(&child.args, alt_shallow_file);
1486        }
1487
1488        if (ntohl(hdr.hdr_entries) < unpack_limit) {
1489                argv_array_pushl(&child.args, "unpack-objects", hdr_arg, NULL);
1490                if (quiet)
1491                        argv_array_push(&child.args, "-q");
1492                if (fsck_objects)
1493                        argv_array_push(&child.args, "--strict");
1494                child.no_stdout = 1;
1495                child.err = err_fd;
1496                child.git_cmd = 1;
1497                status = run_command(&child);
1498                if (status)
1499                        return "unpack-objects abnormal exit";
1500        } else {
1501                int s;
1502                char keep_arg[256];
1503
1504                s = sprintf(keep_arg, "--keep=receive-pack %"PRIuMAX" on ", (uintmax_t) getpid());
1505                if (gethostname(keep_arg + s, sizeof(keep_arg) - s))
1506                        strcpy(keep_arg + s, "localhost");
1507
1508                argv_array_pushl(&child.args, "index-pack",
1509                                 "--stdin", hdr_arg, keep_arg, NULL);
1510                if (fsck_objects)
1511                        argv_array_push(&child.args, "--strict");
1512                if (fix_thin)
1513                        argv_array_push(&child.args, "--fix-thin");
1514                child.out = -1;
1515                child.err = err_fd;
1516                child.git_cmd = 1;
1517                status = start_command(&child);
1518                if (status)
1519                        return "index-pack fork failed";
1520                pack_lockfile = index_pack_lockfile(child.out);
1521                close(child.out);
1522                status = finish_command(&child);
1523                if (status)
1524                        return "index-pack abnormal exit";
1525                reprepare_packed_git();
1526        }
1527        return NULL;
1528}
1529
1530static const char *unpack_with_sideband(struct shallow_info *si)
1531{
1532        struct async muxer;
1533        const char *ret;
1534
1535        if (!use_sideband)
1536                return unpack(0, si);
1537
1538        memset(&muxer, 0, sizeof(muxer));
1539        muxer.proc = copy_to_sideband;
1540        muxer.in = -1;
1541        if (start_async(&muxer))
1542                return NULL;
1543
1544        ret = unpack(muxer.in, si);
1545
1546        finish_async(&muxer);
1547        return ret;
1548}
1549
1550static void prepare_shallow_update(struct command *commands,
1551                                   struct shallow_info *si)
1552{
1553        int i, j, k, bitmap_size = (si->ref->nr + 31) / 32;
1554
1555        si->used_shallow = xmalloc(sizeof(*si->used_shallow) *
1556                                   si->shallow->nr);
1557        assign_shallow_commits_to_refs(si, si->used_shallow, NULL);
1558
1559        si->need_reachability_test =
1560                xcalloc(si->shallow->nr, sizeof(*si->need_reachability_test));
1561        si->reachable =
1562                xcalloc(si->shallow->nr, sizeof(*si->reachable));
1563        si->shallow_ref = xcalloc(si->ref->nr, sizeof(*si->shallow_ref));
1564
1565        for (i = 0; i < si->nr_ours; i++)
1566                si->need_reachability_test[si->ours[i]] = 1;
1567
1568        for (i = 0; i < si->shallow->nr; i++) {
1569                if (!si->used_shallow[i])
1570                        continue;
1571                for (j = 0; j < bitmap_size; j++) {
1572                        if (!si->used_shallow[i][j])
1573                                continue;
1574                        si->need_reachability_test[i]++;
1575                        for (k = 0; k < 32; k++)
1576                                if (si->used_shallow[i][j] & (1 << k))
1577                                        si->shallow_ref[j * 32 + k]++;
1578                }
1579
1580                /*
1581                 * true for those associated with some refs and belong
1582                 * in "ours" list aka "step 7 not done yet"
1583                 */
1584                si->need_reachability_test[i] =
1585                        si->need_reachability_test[i] > 1;
1586        }
1587
1588        /*
1589         * keep hooks happy by forcing a temporary shallow file via
1590         * env variable because we can't add --shallow-file to every
1591         * command. check_everything_connected() will be done with
1592         * true .git/shallow though.
1593         */
1594        setenv(GIT_SHALLOW_FILE_ENVIRONMENT, alt_shallow_file, 1);
1595}
1596
1597static void update_shallow_info(struct command *commands,
1598                                struct shallow_info *si,
1599                                struct sha1_array *ref)
1600{
1601        struct command *cmd;
1602        int *ref_status;
1603        remove_nonexistent_theirs_shallow(si);
1604        if (!si->nr_ours && !si->nr_theirs) {
1605                shallow_update = 0;
1606                return;
1607        }
1608
1609        for (cmd = commands; cmd; cmd = cmd->next) {
1610                if (is_null_sha1(cmd->new_sha1))
1611                        continue;
1612                sha1_array_append(ref, cmd->new_sha1);
1613                cmd->index = ref->nr - 1;
1614        }
1615        si->ref = ref;
1616
1617        if (shallow_update) {
1618                prepare_shallow_update(commands, si);
1619                return;
1620        }
1621
1622        ref_status = xmalloc(sizeof(*ref_status) * ref->nr);
1623        assign_shallow_commits_to_refs(si, NULL, ref_status);
1624        for (cmd = commands; cmd; cmd = cmd->next) {
1625                if (is_null_sha1(cmd->new_sha1))
1626                        continue;
1627                if (ref_status[cmd->index]) {
1628                        cmd->error_string = "shallow update not allowed";
1629                        cmd->skip_update = 1;
1630                }
1631        }
1632        free(ref_status);
1633}
1634
1635static void report(struct command *commands, const char *unpack_status)
1636{
1637        struct command *cmd;
1638        struct strbuf buf = STRBUF_INIT;
1639
1640        packet_buf_write(&buf, "unpack %s\n",
1641                         unpack_status ? unpack_status : "ok");
1642        for (cmd = commands; cmd; cmd = cmd->next) {
1643                if (!cmd->error_string)
1644                        packet_buf_write(&buf, "ok %s\n",
1645                                         cmd->ref_name);
1646                else
1647                        packet_buf_write(&buf, "ng %s %s\n",
1648                                         cmd->ref_name, cmd->error_string);
1649        }
1650        packet_buf_flush(&buf);
1651
1652        if (use_sideband)
1653                send_sideband(1, 1, buf.buf, buf.len, use_sideband);
1654        else
1655                write_or_die(1, buf.buf, buf.len);
1656        strbuf_release(&buf);
1657}
1658
1659static int delete_only(struct command *commands)
1660{
1661        struct command *cmd;
1662        for (cmd = commands; cmd; cmd = cmd->next) {
1663                if (!is_null_sha1(cmd->new_sha1))
1664                        return 0;
1665        }
1666        return 1;
1667}
1668
1669int cmd_receive_pack(int argc, const char **argv, const char *prefix)
1670{
1671        int advertise_refs = 0;
1672        int i;
1673        struct command *commands;
1674        struct sha1_array shallow = SHA1_ARRAY_INIT;
1675        struct sha1_array ref = SHA1_ARRAY_INIT;
1676        struct shallow_info si;
1677
1678        packet_trace_identity("receive-pack");
1679
1680        argv++;
1681        for (i = 1; i < argc; i++) {
1682                const char *arg = *argv++;
1683
1684                if (*arg == '-') {
1685                        if (!strcmp(arg, "--quiet")) {
1686                                quiet = 1;
1687                                continue;
1688                        }
1689
1690                        if (!strcmp(arg, "--advertise-refs")) {
1691                                advertise_refs = 1;
1692                                continue;
1693                        }
1694                        if (!strcmp(arg, "--stateless-rpc")) {
1695                                stateless_rpc = 1;
1696                                continue;
1697                        }
1698                        if (!strcmp(arg, "--reject-thin-pack-for-testing")) {
1699                                fix_thin = 0;
1700                                continue;
1701                        }
1702
1703                        usage(receive_pack_usage);
1704                }
1705                if (service_dir)
1706                        usage(receive_pack_usage);
1707                service_dir = arg;
1708        }
1709        if (!service_dir)
1710                usage(receive_pack_usage);
1711
1712        setup_path();
1713
1714        if (!enter_repo(service_dir, 0))
1715                die("'%s' does not appear to be a git repository", service_dir);
1716
1717        git_config(receive_pack_config, NULL);
1718        if (cert_nonce_seed)
1719                push_cert_nonce = prepare_push_cert_nonce(service_dir, time(NULL));
1720
1721        if (0 <= transfer_unpack_limit)
1722                unpack_limit = transfer_unpack_limit;
1723        else if (0 <= receive_unpack_limit)
1724                unpack_limit = receive_unpack_limit;
1725
1726        if (advertise_refs || !stateless_rpc) {
1727                write_head_info();
1728        }
1729        if (advertise_refs)
1730                return 0;
1731
1732        if ((commands = read_head_info(&shallow)) != NULL) {
1733                const char *unpack_status = NULL;
1734
1735                prepare_shallow_info(&si, &shallow);
1736                if (!si.nr_ours && !si.nr_theirs)
1737                        shallow_update = 0;
1738                if (!delete_only(commands)) {
1739                        unpack_status = unpack_with_sideband(&si);
1740                        update_shallow_info(commands, &si, &ref);
1741                }
1742                execute_commands(commands, unpack_status, &si);
1743                if (pack_lockfile)
1744                        unlink_or_warn(pack_lockfile);
1745                if (report_status)
1746                        report(commands, unpack_status);
1747                run_receive_hook(commands, "post-receive", 1);
1748                run_update_post_hook(commands);
1749                if (auto_gc) {
1750                        const char *argv_gc_auto[] = {
1751                                "gc", "--auto", "--quiet", NULL,
1752                        };
1753                        int opt = RUN_GIT_CMD | RUN_COMMAND_STDOUT_TO_STDERR;
1754                        run_command_v_opt(argv_gc_auto, opt);
1755                }
1756                if (auto_update_server_info)
1757                        update_server_info(0);
1758                clear_shallow_info(&si);
1759        }
1760        if (use_sideband)
1761                packet_flush(1);
1762        sha1_array_clear(&shallow);
1763        sha1_array_clear(&ref);
1764        free((void *)push_cert_nonce);
1765        return 0;
1766}