builtin / receive-pack.con commit t3600: clean up permissions test properly (23739aa)
   1#include "builtin.h"
   2#include "lockfile.h"
   3#include "pack.h"
   4#include "refs.h"
   5#include "pkt-line.h"
   6#include "sideband.h"
   7#include "run-command.h"
   8#include "exec_cmd.h"
   9#include "commit.h"
  10#include "object.h"
  11#include "remote.h"
  12#include "connect.h"
  13#include "transport.h"
  14#include "string-list.h"
  15#include "sha1-array.h"
  16#include "connected.h"
  17#include "argv-array.h"
  18#include "version.h"
  19#include "tag.h"
  20#include "gpg-interface.h"
  21#include "sigchain.h"
  22#include "fsck.h"
  23#include "tmp-objdir.h"
  24#include "oidset.h"
  25
  26static const char * const receive_pack_usage[] = {
  27        N_("git receive-pack <git-dir>"),
  28        NULL
  29};
  30
  31enum deny_action {
  32        DENY_UNCONFIGURED,
  33        DENY_IGNORE,
  34        DENY_WARN,
  35        DENY_REFUSE,
  36        DENY_UPDATE_INSTEAD
  37};
  38
  39static int deny_deletes;
  40static int deny_non_fast_forwards;
  41static enum deny_action deny_current_branch = DENY_UNCONFIGURED;
  42static enum deny_action deny_delete_current = DENY_UNCONFIGURED;
  43static int receive_fsck_objects = -1;
  44static int transfer_fsck_objects = -1;
  45static struct strbuf fsck_msg_types = STRBUF_INIT;
  46static int receive_unpack_limit = -1;
  47static int transfer_unpack_limit = -1;
  48static int advertise_atomic_push = 1;
  49static int advertise_push_options;
  50static int unpack_limit = 100;
  51static off_t max_input_size;
  52static int report_status;
  53static int use_sideband;
  54static int use_atomic;
  55static int use_push_options;
  56static int quiet;
  57static int prefer_ofs_delta = 1;
  58static int auto_update_server_info;
  59static int auto_gc = 1;
  60static int reject_thin;
  61static int stateless_rpc;
  62static const char *service_dir;
  63static const char *head_name;
  64static void *head_name_to_free;
  65static int sent_capabilities;
  66static int shallow_update;
  67static const char *alt_shallow_file;
  68static struct strbuf push_cert = STRBUF_INIT;
  69static unsigned char push_cert_sha1[20];
  70static struct signature_check sigcheck;
  71static const char *push_cert_nonce;
  72static const char *cert_nonce_seed;
  73
  74static const char *NONCE_UNSOLICITED = "UNSOLICITED";
  75static const char *NONCE_BAD = "BAD";
  76static const char *NONCE_MISSING = "MISSING";
  77static const char *NONCE_OK = "OK";
  78static const char *NONCE_SLOP = "SLOP";
  79static const char *nonce_status;
  80static long nonce_stamp_slop;
  81static timestamp_t nonce_stamp_slop_limit;
  82static struct ref_transaction *transaction;
  83
  84static enum {
  85        KEEPALIVE_NEVER = 0,
  86        KEEPALIVE_AFTER_NUL,
  87        KEEPALIVE_ALWAYS
  88} use_keepalive;
  89static int keepalive_in_sec = 5;
  90
  91static struct tmp_objdir *tmp_objdir;
  92
  93static enum deny_action parse_deny_action(const char *var, const char *value)
  94{
  95        if (value) {
  96                if (!strcasecmp(value, "ignore"))
  97                        return DENY_IGNORE;
  98                if (!strcasecmp(value, "warn"))
  99                        return DENY_WARN;
 100                if (!strcasecmp(value, "refuse"))
 101                        return DENY_REFUSE;
 102                if (!strcasecmp(value, "updateinstead"))
 103                        return DENY_UPDATE_INSTEAD;
 104        }
 105        if (git_config_bool(var, value))
 106                return DENY_REFUSE;
 107        return DENY_IGNORE;
 108}
 109
 110static int receive_pack_config(const char *var, const char *value, void *cb)
 111{
 112        int status = parse_hide_refs_config(var, value, "receive");
 113
 114        if (status)
 115                return status;
 116
 117        if (strcmp(var, "receive.denydeletes") == 0) {
 118                deny_deletes = git_config_bool(var, value);
 119                return 0;
 120        }
 121
 122        if (strcmp(var, "receive.denynonfastforwards") == 0) {
 123                deny_non_fast_forwards = git_config_bool(var, value);
 124                return 0;
 125        }
 126
 127        if (strcmp(var, "receive.unpacklimit") == 0) {
 128                receive_unpack_limit = git_config_int(var, value);
 129                return 0;
 130        }
 131
 132        if (strcmp(var, "transfer.unpacklimit") == 0) {
 133                transfer_unpack_limit = git_config_int(var, value);
 134                return 0;
 135        }
 136
 137        if (strcmp(var, "receive.fsck.skiplist") == 0) {
 138                const char *path;
 139
 140                if (git_config_pathname(&path, var, value))
 141                        return 1;
 142                strbuf_addf(&fsck_msg_types, "%cskiplist=%s",
 143                        fsck_msg_types.len ? ',' : '=', path);
 144                free((char *)path);
 145                return 0;
 146        }
 147
 148        if (skip_prefix(var, "receive.fsck.", &var)) {
 149                if (is_valid_msg_type(var, value))
 150                        strbuf_addf(&fsck_msg_types, "%c%s=%s",
 151                                fsck_msg_types.len ? ',' : '=', var, value);
 152                else
 153                        warning("Skipping unknown msg id '%s'", var);
 154                return 0;
 155        }
 156
 157        if (strcmp(var, "receive.fsckobjects") == 0) {
 158                receive_fsck_objects = git_config_bool(var, value);
 159                return 0;
 160        }
 161
 162        if (strcmp(var, "transfer.fsckobjects") == 0) {
 163                transfer_fsck_objects = git_config_bool(var, value);
 164                return 0;
 165        }
 166
 167        if (!strcmp(var, "receive.denycurrentbranch")) {
 168                deny_current_branch = parse_deny_action(var, value);
 169                return 0;
 170        }
 171
 172        if (strcmp(var, "receive.denydeletecurrent") == 0) {
 173                deny_delete_current = parse_deny_action(var, value);
 174                return 0;
 175        }
 176
 177        if (strcmp(var, "repack.usedeltabaseoffset") == 0) {
 178                prefer_ofs_delta = git_config_bool(var, value);
 179                return 0;
 180        }
 181
 182        if (strcmp(var, "receive.updateserverinfo") == 0) {
 183                auto_update_server_info = git_config_bool(var, value);
 184                return 0;
 185        }
 186
 187        if (strcmp(var, "receive.autogc") == 0) {
 188                auto_gc = git_config_bool(var, value);
 189                return 0;
 190        }
 191
 192        if (strcmp(var, "receive.shallowupdate") == 0) {
 193                shallow_update = git_config_bool(var, value);
 194                return 0;
 195        }
 196
 197        if (strcmp(var, "receive.certnonceseed") == 0)
 198                return git_config_string(&cert_nonce_seed, var, value);
 199
 200        if (strcmp(var, "receive.certnonceslop") == 0) {
 201                nonce_stamp_slop_limit = git_config_ulong(var, value);
 202                return 0;
 203        }
 204
 205        if (strcmp(var, "receive.advertiseatomic") == 0) {
 206                advertise_atomic_push = git_config_bool(var, value);
 207                return 0;
 208        }
 209
 210        if (strcmp(var, "receive.advertisepushoptions") == 0) {
 211                advertise_push_options = git_config_bool(var, value);
 212                return 0;
 213        }
 214
 215        if (strcmp(var, "receive.keepalive") == 0) {
 216                keepalive_in_sec = git_config_int(var, value);
 217                return 0;
 218        }
 219
 220        if (strcmp(var, "receive.maxinputsize") == 0) {
 221                max_input_size = git_config_int64(var, value);
 222                return 0;
 223        }
 224
 225        return git_default_config(var, value, cb);
 226}
 227
 228static void show_ref(const char *path, const struct object_id *oid)
 229{
 230        if (sent_capabilities) {
 231                packet_write_fmt(1, "%s %s\n", oid_to_hex(oid), path);
 232        } else {
 233                struct strbuf cap = STRBUF_INIT;
 234
 235                strbuf_addstr(&cap,
 236                              "report-status delete-refs side-band-64k quiet");
 237                if (advertise_atomic_push)
 238                        strbuf_addstr(&cap, " atomic");
 239                if (prefer_ofs_delta)
 240                        strbuf_addstr(&cap, " ofs-delta");
 241                if (push_cert_nonce)
 242                        strbuf_addf(&cap, " push-cert=%s", push_cert_nonce);
 243                if (advertise_push_options)
 244                        strbuf_addstr(&cap, " push-options");
 245                strbuf_addf(&cap, " agent=%s", git_user_agent_sanitized());
 246                packet_write_fmt(1, "%s %s%c%s\n",
 247                             oid_to_hex(oid), path, 0, cap.buf);
 248                strbuf_release(&cap);
 249                sent_capabilities = 1;
 250        }
 251}
 252
 253static int show_ref_cb(const char *path_full, const struct object_id *oid,
 254                       int flag, void *data)
 255{
 256        struct oidset *seen = data;
 257        const char *path = strip_namespace(path_full);
 258
 259        if (ref_is_hidden(path, path_full))
 260                return 0;
 261
 262        /*
 263         * Advertise refs outside our current namespace as ".have"
 264         * refs, so that the client can use them to minimize data
 265         * transfer but will otherwise ignore them.
 266         */
 267        if (!path) {
 268                if (oidset_insert(seen, oid))
 269                        return 0;
 270                path = ".have";
 271        } else {
 272                oidset_insert(seen, oid);
 273        }
 274        show_ref(path, oid);
 275        return 0;
 276}
 277
 278static void show_one_alternate_ref(const char *refname,
 279                                   const struct object_id *oid,
 280                                   void *data)
 281{
 282        struct oidset *seen = data;
 283
 284        if (oidset_insert(seen, oid))
 285                return;
 286
 287        show_ref(".have", oid);
 288}
 289
 290static void write_head_info(void)
 291{
 292        static struct oidset seen = OIDSET_INIT;
 293
 294        for_each_ref(show_ref_cb, &seen);
 295        for_each_alternate_ref(show_one_alternate_ref, &seen);
 296        oidset_clear(&seen);
 297        if (!sent_capabilities)
 298                show_ref("capabilities^{}", &null_oid);
 299
 300        advertise_shallow_grafts(1);
 301
 302        /* EOF */
 303        packet_flush(1);
 304}
 305
 306struct command {
 307        struct command *next;
 308        const char *error_string;
 309        unsigned int skip_update:1,
 310                     did_not_exist:1;
 311        int index;
 312        struct object_id old_oid;
 313        struct object_id new_oid;
 314        char ref_name[FLEX_ARRAY]; /* more */
 315};
 316
 317static void rp_error(const char *err, ...) __attribute__((format (printf, 1, 2)));
 318static void rp_warning(const char *err, ...) __attribute__((format (printf, 1, 2)));
 319
 320static void report_message(const char *prefix, const char *err, va_list params)
 321{
 322        int sz;
 323        char msg[4096];
 324
 325        sz = xsnprintf(msg, sizeof(msg), "%s", prefix);
 326        sz += vsnprintf(msg + sz, sizeof(msg) - sz, err, params);
 327        if (sz > (sizeof(msg) - 1))
 328                sz = sizeof(msg) - 1;
 329        msg[sz++] = '\n';
 330
 331        if (use_sideband)
 332                send_sideband(1, 2, msg, sz, use_sideband);
 333        else
 334                xwrite(2, msg, sz);
 335}
 336
 337static void rp_warning(const char *err, ...)
 338{
 339        va_list params;
 340        va_start(params, err);
 341        report_message("warning: ", err, params);
 342        va_end(params);
 343}
 344
 345static void rp_error(const char *err, ...)
 346{
 347        va_list params;
 348        va_start(params, err);
 349        report_message("error: ", err, params);
 350        va_end(params);
 351}
 352
 353static int copy_to_sideband(int in, int out, void *arg)
 354{
 355        char data[128];
 356        int keepalive_active = 0;
 357
 358        if (keepalive_in_sec <= 0)
 359                use_keepalive = KEEPALIVE_NEVER;
 360        if (use_keepalive == KEEPALIVE_ALWAYS)
 361                keepalive_active = 1;
 362
 363        while (1) {
 364                ssize_t sz;
 365
 366                if (keepalive_active) {
 367                        struct pollfd pfd;
 368                        int ret;
 369
 370                        pfd.fd = in;
 371                        pfd.events = POLLIN;
 372                        ret = poll(&pfd, 1, 1000 * keepalive_in_sec);
 373
 374                        if (ret < 0) {
 375                                if (errno == EINTR)
 376                                        continue;
 377                                else
 378                                        break;
 379                        } else if (ret == 0) {
 380                                /* no data; send a keepalive packet */
 381                                static const char buf[] = "0005\1";
 382                                write_or_die(1, buf, sizeof(buf) - 1);
 383                                continue;
 384                        } /* else there is actual data to read */
 385                }
 386
 387                sz = xread(in, data, sizeof(data));
 388                if (sz <= 0)
 389                        break;
 390
 391                if (use_keepalive == KEEPALIVE_AFTER_NUL && !keepalive_active) {
 392                        const char *p = memchr(data, '\0', sz);
 393                        if (p) {
 394                                /*
 395                                 * The NUL tells us to start sending keepalives. Make
 396                                 * sure we send any other data we read along
 397                                 * with it.
 398                                 */
 399                                keepalive_active = 1;
 400                                send_sideband(1, 2, data, p - data, use_sideband);
 401                                send_sideband(1, 2, p + 1, sz - (p - data + 1), use_sideband);
 402                                continue;
 403                        }
 404                }
 405
 406                /*
 407                 * Either we're not looking for a NUL signal, or we didn't see
 408                 * it yet; just pass along the data.
 409                 */
 410                send_sideband(1, 2, data, sz, use_sideband);
 411        }
 412        close(in);
 413        return 0;
 414}
 415
 416#define HMAC_BLOCK_SIZE 64
 417
 418static void hmac_sha1(unsigned char *out,
 419                      const char *key_in, size_t key_len,
 420                      const char *text, size_t text_len)
 421{
 422        unsigned char key[HMAC_BLOCK_SIZE];
 423        unsigned char k_ipad[HMAC_BLOCK_SIZE];
 424        unsigned char k_opad[HMAC_BLOCK_SIZE];
 425        int i;
 426        git_SHA_CTX ctx;
 427
 428        /* RFC 2104 2. (1) */
 429        memset(key, '\0', HMAC_BLOCK_SIZE);
 430        if (HMAC_BLOCK_SIZE < key_len) {
 431                git_SHA1_Init(&ctx);
 432                git_SHA1_Update(&ctx, key_in, key_len);
 433                git_SHA1_Final(key, &ctx);
 434        } else {
 435                memcpy(key, key_in, key_len);
 436        }
 437
 438        /* RFC 2104 2. (2) & (5) */
 439        for (i = 0; i < sizeof(key); i++) {
 440                k_ipad[i] = key[i] ^ 0x36;
 441                k_opad[i] = key[i] ^ 0x5c;
 442        }
 443
 444        /* RFC 2104 2. (3) & (4) */
 445        git_SHA1_Init(&ctx);
 446        git_SHA1_Update(&ctx, k_ipad, sizeof(k_ipad));
 447        git_SHA1_Update(&ctx, text, text_len);
 448        git_SHA1_Final(out, &ctx);
 449
 450        /* RFC 2104 2. (6) & (7) */
 451        git_SHA1_Init(&ctx);
 452        git_SHA1_Update(&ctx, k_opad, sizeof(k_opad));
 453        git_SHA1_Update(&ctx, out, 20);
 454        git_SHA1_Final(out, &ctx);
 455}
 456
 457static char *prepare_push_cert_nonce(const char *path, timestamp_t stamp)
 458{
 459        struct strbuf buf = STRBUF_INIT;
 460        unsigned char sha1[20];
 461
 462        strbuf_addf(&buf, "%s:%"PRItime, path, stamp);
 463        hmac_sha1(sha1, buf.buf, buf.len, cert_nonce_seed, strlen(cert_nonce_seed));;
 464        strbuf_release(&buf);
 465
 466        /* RFC 2104 5. HMAC-SHA1-80 */
 467        strbuf_addf(&buf, "%"PRItime"-%.*s", stamp, 20, sha1_to_hex(sha1));
 468        return strbuf_detach(&buf, NULL);
 469}
 470
 471/*
 472 * NEEDSWORK: reuse find_commit_header() from jk/commit-author-parsing
 473 * after dropping "_commit" from its name and possibly moving it out
 474 * of commit.c
 475 */
 476static char *find_header(const char *msg, size_t len, const char *key,
 477                         const char **next_line)
 478{
 479        int key_len = strlen(key);
 480        const char *line = msg;
 481
 482        while (line && line < msg + len) {
 483                const char *eol = strchrnul(line, '\n');
 484
 485                if ((msg + len <= eol) || line == eol)
 486                        return NULL;
 487                if (line + key_len < eol &&
 488                    !memcmp(line, key, key_len) && line[key_len] == ' ') {
 489                        int offset = key_len + 1;
 490                        if (next_line)
 491                                *next_line = *eol ? eol + 1 : eol;
 492                        return xmemdupz(line + offset, (eol - line) - offset);
 493                }
 494                line = *eol ? eol + 1 : NULL;
 495        }
 496        return NULL;
 497}
 498
 499static const char *check_nonce(const char *buf, size_t len)
 500{
 501        char *nonce = find_header(buf, len, "nonce", NULL);
 502        timestamp_t stamp, ostamp;
 503        char *bohmac, *expect = NULL;
 504        const char *retval = NONCE_BAD;
 505
 506        if (!nonce) {
 507                retval = NONCE_MISSING;
 508                goto leave;
 509        } else if (!push_cert_nonce) {
 510                retval = NONCE_UNSOLICITED;
 511                goto leave;
 512        } else if (!strcmp(push_cert_nonce, nonce)) {
 513                retval = NONCE_OK;
 514                goto leave;
 515        }
 516
 517        if (!stateless_rpc) {
 518                /* returned nonce MUST match what we gave out earlier */
 519                retval = NONCE_BAD;
 520                goto leave;
 521        }
 522
 523        /*
 524         * In stateless mode, we may be receiving a nonce issued by
 525         * another instance of the server that serving the same
 526         * repository, and the timestamps may not match, but the
 527         * nonce-seed and dir should match, so we can recompute and
 528         * report the time slop.
 529         *
 530         * In addition, when a nonce issued by another instance has
 531         * timestamp within receive.certnonceslop seconds, we pretend
 532         * as if we issued that nonce when reporting to the hook.
 533         */
 534
 535        /* nonce is concat(<seconds-since-epoch>, "-", <hmac>) */
 536        if (*nonce <= '0' || '9' < *nonce) {
 537                retval = NONCE_BAD;
 538                goto leave;
 539        }
 540        stamp = parse_timestamp(nonce, &bohmac, 10);
 541        if (bohmac == nonce || bohmac[0] != '-') {
 542                retval = NONCE_BAD;
 543                goto leave;
 544        }
 545
 546        expect = prepare_push_cert_nonce(service_dir, stamp);
 547        if (strcmp(expect, nonce)) {
 548                /* Not what we would have signed earlier */
 549                retval = NONCE_BAD;
 550                goto leave;
 551        }
 552
 553        /*
 554         * By how many seconds is this nonce stale?  Negative value
 555         * would mean it was issued by another server with its clock
 556         * skewed in the future.
 557         */
 558        ostamp = parse_timestamp(push_cert_nonce, NULL, 10);
 559        nonce_stamp_slop = (long)ostamp - (long)stamp;
 560
 561        if (nonce_stamp_slop_limit &&
 562            labs(nonce_stamp_slop) <= nonce_stamp_slop_limit) {
 563                /*
 564                 * Pretend as if the received nonce (which passes the
 565                 * HMAC check, so it is not a forged by third-party)
 566                 * is what we issued.
 567                 */
 568                free((void *)push_cert_nonce);
 569                push_cert_nonce = xstrdup(nonce);
 570                retval = NONCE_OK;
 571        } else {
 572                retval = NONCE_SLOP;
 573        }
 574
 575leave:
 576        free(nonce);
 577        free(expect);
 578        return retval;
 579}
 580
 581/*
 582 * Return 1 if there is no push_cert or if the push options in push_cert are
 583 * the same as those in the argument; 0 otherwise.
 584 */
 585static int check_cert_push_options(const struct string_list *push_options)
 586{
 587        const char *buf = push_cert.buf;
 588        int len = push_cert.len;
 589
 590        char *option;
 591        const char *next_line;
 592        int options_seen = 0;
 593
 594        int retval = 1;
 595
 596        if (!len)
 597                return 1;
 598
 599        while ((option = find_header(buf, len, "push-option", &next_line))) {
 600                len -= (next_line - buf);
 601                buf = next_line;
 602                options_seen++;
 603                if (options_seen > push_options->nr
 604                    || strcmp(option,
 605                              push_options->items[options_seen - 1].string)) {
 606                        retval = 0;
 607                        goto leave;
 608                }
 609                free(option);
 610        }
 611
 612        if (options_seen != push_options->nr)
 613                retval = 0;
 614
 615leave:
 616        free(option);
 617        return retval;
 618}
 619
 620static void prepare_push_cert_sha1(struct child_process *proc)
 621{
 622        static int already_done;
 623
 624        if (!push_cert.len)
 625                return;
 626
 627        if (!already_done) {
 628                struct strbuf gpg_output = STRBUF_INIT;
 629                struct strbuf gpg_status = STRBUF_INIT;
 630                int bogs /* beginning_of_gpg_sig */;
 631
 632                already_done = 1;
 633                if (write_sha1_file(push_cert.buf, push_cert.len, "blob", push_cert_sha1))
 634                        hashclr(push_cert_sha1);
 635
 636                memset(&sigcheck, '\0', sizeof(sigcheck));
 637                sigcheck.result = 'N';
 638
 639                bogs = parse_signature(push_cert.buf, push_cert.len);
 640                if (verify_signed_buffer(push_cert.buf, bogs,
 641                                         push_cert.buf + bogs, push_cert.len - bogs,
 642                                         &gpg_output, &gpg_status) < 0) {
 643                        ; /* error running gpg */
 644                } else {
 645                        sigcheck.payload = push_cert.buf;
 646                        sigcheck.gpg_output = gpg_output.buf;
 647                        sigcheck.gpg_status = gpg_status.buf;
 648                        parse_gpg_output(&sigcheck);
 649                }
 650
 651                strbuf_release(&gpg_output);
 652                strbuf_release(&gpg_status);
 653                nonce_status = check_nonce(push_cert.buf, bogs);
 654        }
 655        if (!is_null_sha1(push_cert_sha1)) {
 656                argv_array_pushf(&proc->env_array, "GIT_PUSH_CERT=%s",
 657                                 sha1_to_hex(push_cert_sha1));
 658                argv_array_pushf(&proc->env_array, "GIT_PUSH_CERT_SIGNER=%s",
 659                                 sigcheck.signer ? sigcheck.signer : "");
 660                argv_array_pushf(&proc->env_array, "GIT_PUSH_CERT_KEY=%s",
 661                                 sigcheck.key ? sigcheck.key : "");
 662                argv_array_pushf(&proc->env_array, "GIT_PUSH_CERT_STATUS=%c",
 663                                 sigcheck.result);
 664                if (push_cert_nonce) {
 665                        argv_array_pushf(&proc->env_array,
 666                                         "GIT_PUSH_CERT_NONCE=%s",
 667                                         push_cert_nonce);
 668                        argv_array_pushf(&proc->env_array,
 669                                         "GIT_PUSH_CERT_NONCE_STATUS=%s",
 670                                         nonce_status);
 671                        if (nonce_status == NONCE_SLOP)
 672                                argv_array_pushf(&proc->env_array,
 673                                                 "GIT_PUSH_CERT_NONCE_SLOP=%ld",
 674                                                 nonce_stamp_slop);
 675                }
 676        }
 677}
 678
 679struct receive_hook_feed_state {
 680        struct command *cmd;
 681        int skip_broken;
 682        struct strbuf buf;
 683        const struct string_list *push_options;
 684};
 685
 686typedef int (*feed_fn)(void *, const char **, size_t *);
 687static int run_and_feed_hook(const char *hook_name, feed_fn feed,
 688                             struct receive_hook_feed_state *feed_state)
 689{
 690        struct child_process proc = CHILD_PROCESS_INIT;
 691        struct async muxer;
 692        const char *argv[2];
 693        int code;
 694
 695        argv[0] = find_hook(hook_name);
 696        if (!argv[0])
 697                return 0;
 698
 699        argv[1] = NULL;
 700
 701        proc.argv = argv;
 702        proc.in = -1;
 703        proc.stdout_to_stderr = 1;
 704        if (feed_state->push_options) {
 705                int i;
 706                for (i = 0; i < feed_state->push_options->nr; i++)
 707                        argv_array_pushf(&proc.env_array,
 708                                "GIT_PUSH_OPTION_%d=%s", i,
 709                                feed_state->push_options->items[i].string);
 710                argv_array_pushf(&proc.env_array, "GIT_PUSH_OPTION_COUNT=%d",
 711                                 feed_state->push_options->nr);
 712        } else
 713                argv_array_pushf(&proc.env_array, "GIT_PUSH_OPTION_COUNT");
 714
 715        if (tmp_objdir)
 716                argv_array_pushv(&proc.env_array, tmp_objdir_env(tmp_objdir));
 717
 718        if (use_sideband) {
 719                memset(&muxer, 0, sizeof(muxer));
 720                muxer.proc = copy_to_sideband;
 721                muxer.in = -1;
 722                code = start_async(&muxer);
 723                if (code)
 724                        return code;
 725                proc.err = muxer.in;
 726        }
 727
 728        prepare_push_cert_sha1(&proc);
 729
 730        code = start_command(&proc);
 731        if (code) {
 732                if (use_sideband)
 733                        finish_async(&muxer);
 734                return code;
 735        }
 736
 737        sigchain_push(SIGPIPE, SIG_IGN);
 738
 739        while (1) {
 740                const char *buf;
 741                size_t n;
 742                if (feed(feed_state, &buf, &n))
 743                        break;
 744                if (write_in_full(proc.in, buf, n) != n)
 745                        break;
 746        }
 747        close(proc.in);
 748        if (use_sideband)
 749                finish_async(&muxer);
 750
 751        sigchain_pop(SIGPIPE);
 752
 753        return finish_command(&proc);
 754}
 755
 756static int feed_receive_hook(void *state_, const char **bufp, size_t *sizep)
 757{
 758        struct receive_hook_feed_state *state = state_;
 759        struct command *cmd = state->cmd;
 760
 761        while (cmd &&
 762               state->skip_broken && (cmd->error_string || cmd->did_not_exist))
 763                cmd = cmd->next;
 764        if (!cmd)
 765                return -1; /* EOF */
 766        strbuf_reset(&state->buf);
 767        strbuf_addf(&state->buf, "%s %s %s\n",
 768                    oid_to_hex(&cmd->old_oid), oid_to_hex(&cmd->new_oid),
 769                    cmd->ref_name);
 770        state->cmd = cmd->next;
 771        if (bufp) {
 772                *bufp = state->buf.buf;
 773                *sizep = state->buf.len;
 774        }
 775        return 0;
 776}
 777
 778static int run_receive_hook(struct command *commands,
 779                            const char *hook_name,
 780                            int skip_broken,
 781                            const struct string_list *push_options)
 782{
 783        struct receive_hook_feed_state state;
 784        int status;
 785
 786        strbuf_init(&state.buf, 0);
 787        state.cmd = commands;
 788        state.skip_broken = skip_broken;
 789        if (feed_receive_hook(&state, NULL, NULL))
 790                return 0;
 791        state.cmd = commands;
 792        state.push_options = push_options;
 793        status = run_and_feed_hook(hook_name, feed_receive_hook, &state);
 794        strbuf_release(&state.buf);
 795        return status;
 796}
 797
 798static int run_update_hook(struct command *cmd)
 799{
 800        const char *argv[5];
 801        struct child_process proc = CHILD_PROCESS_INIT;
 802        int code;
 803
 804        argv[0] = find_hook("update");
 805        if (!argv[0])
 806                return 0;
 807
 808        argv[1] = cmd->ref_name;
 809        argv[2] = oid_to_hex(&cmd->old_oid);
 810        argv[3] = oid_to_hex(&cmd->new_oid);
 811        argv[4] = NULL;
 812
 813        proc.no_stdin = 1;
 814        proc.stdout_to_stderr = 1;
 815        proc.err = use_sideband ? -1 : 0;
 816        proc.argv = argv;
 817
 818        code = start_command(&proc);
 819        if (code)
 820                return code;
 821        if (use_sideband)
 822                copy_to_sideband(proc.err, -1, NULL);
 823        return finish_command(&proc);
 824}
 825
 826static int is_ref_checked_out(const char *ref)
 827{
 828        if (is_bare_repository())
 829                return 0;
 830
 831        if (!head_name)
 832                return 0;
 833        return !strcmp(head_name, ref);
 834}
 835
 836static char *refuse_unconfigured_deny_msg =
 837        N_("By default, updating the current branch in a non-bare repository\n"
 838           "is denied, because it will make the index and work tree inconsistent\n"
 839           "with what you pushed, and will require 'git reset --hard' to match\n"
 840           "the work tree to HEAD.\n"
 841           "\n"
 842           "You can set the 'receive.denyCurrentBranch' configuration variable\n"
 843           "to 'ignore' or 'warn' in the remote repository to allow pushing into\n"
 844           "its current branch; however, this is not recommended unless you\n"
 845           "arranged to update its work tree to match what you pushed in some\n"
 846           "other way.\n"
 847           "\n"
 848           "To squelch this message and still keep the default behaviour, set\n"
 849           "'receive.denyCurrentBranch' configuration variable to 'refuse'.");
 850
 851static void refuse_unconfigured_deny(void)
 852{
 853        rp_error("%s", _(refuse_unconfigured_deny_msg));
 854}
 855
 856static char *refuse_unconfigured_deny_delete_current_msg =
 857        N_("By default, deleting the current branch is denied, because the next\n"
 858           "'git clone' won't result in any file checked out, causing confusion.\n"
 859           "\n"
 860           "You can set 'receive.denyDeleteCurrent' configuration variable to\n"
 861           "'warn' or 'ignore' in the remote repository to allow deleting the\n"
 862           "current branch, with or without a warning message.\n"
 863           "\n"
 864           "To squelch this message, you can set it to 'refuse'.");
 865
 866static void refuse_unconfigured_deny_delete_current(void)
 867{
 868        rp_error("%s", _(refuse_unconfigured_deny_delete_current_msg));
 869}
 870
 871static int command_singleton_iterator(void *cb_data, unsigned char sha1[20]);
 872static int update_shallow_ref(struct command *cmd, struct shallow_info *si)
 873{
 874        static struct lock_file shallow_lock;
 875        struct oid_array extra = OID_ARRAY_INIT;
 876        struct check_connected_options opt = CHECK_CONNECTED_INIT;
 877        uint32_t mask = 1 << (cmd->index % 32);
 878        int i;
 879
 880        trace_printf_key(&trace_shallow,
 881                         "shallow: update_shallow_ref %s\n", cmd->ref_name);
 882        for (i = 0; i < si->shallow->nr; i++)
 883                if (si->used_shallow[i] &&
 884                    (si->used_shallow[i][cmd->index / 32] & mask) &&
 885                    !delayed_reachability_test(si, i))
 886                        oid_array_append(&extra, &si->shallow->oid[i]);
 887
 888        opt.env = tmp_objdir_env(tmp_objdir);
 889        setup_alternate_shallow(&shallow_lock, &opt.shallow_file, &extra);
 890        if (check_connected(command_singleton_iterator, cmd, &opt)) {
 891                rollback_lock_file(&shallow_lock);
 892                oid_array_clear(&extra);
 893                return -1;
 894        }
 895
 896        commit_lock_file(&shallow_lock);
 897
 898        /*
 899         * Make sure setup_alternate_shallow() for the next ref does
 900         * not lose these new roots..
 901         */
 902        for (i = 0; i < extra.nr; i++)
 903                register_shallow(&extra.oid[i]);
 904
 905        si->shallow_ref[cmd->index] = 0;
 906        oid_array_clear(&extra);
 907        return 0;
 908}
 909
 910/*
 911 * NEEDSWORK: we should consolidate various implementions of "are we
 912 * on an unborn branch?" test into one, and make the unified one more
 913 * robust. !get_sha1() based check used here and elsewhere would not
 914 * allow us to tell an unborn branch from corrupt ref, for example.
 915 * For the purpose of fixing "deploy-to-update does not work when
 916 * pushing into an empty repository" issue, this should suffice for
 917 * now.
 918 */
 919static int head_has_history(void)
 920{
 921        unsigned char sha1[20];
 922
 923        return !get_sha1("HEAD", sha1);
 924}
 925
 926static const char *push_to_deploy(unsigned char *sha1,
 927                                  struct argv_array *env,
 928                                  const char *work_tree)
 929{
 930        const char *update_refresh[] = {
 931                "update-index", "-q", "--ignore-submodules", "--refresh", NULL
 932        };
 933        const char *diff_files[] = {
 934                "diff-files", "--quiet", "--ignore-submodules", "--", NULL
 935        };
 936        const char *diff_index[] = {
 937                "diff-index", "--quiet", "--cached", "--ignore-submodules",
 938                NULL, "--", NULL
 939        };
 940        const char *read_tree[] = {
 941                "read-tree", "-u", "-m", NULL, NULL
 942        };
 943        struct child_process child = CHILD_PROCESS_INIT;
 944
 945        child.argv = update_refresh;
 946        child.env = env->argv;
 947        child.dir = work_tree;
 948        child.no_stdin = 1;
 949        child.stdout_to_stderr = 1;
 950        child.git_cmd = 1;
 951        if (run_command(&child))
 952                return "Up-to-date check failed";
 953
 954        /* run_command() does not clean up completely; reinitialize */
 955        child_process_init(&child);
 956        child.argv = diff_files;
 957        child.env = env->argv;
 958        child.dir = work_tree;
 959        child.no_stdin = 1;
 960        child.stdout_to_stderr = 1;
 961        child.git_cmd = 1;
 962        if (run_command(&child))
 963                return "Working directory has unstaged changes";
 964
 965        /* diff-index with either HEAD or an empty tree */
 966        diff_index[4] = head_has_history() ? "HEAD" : EMPTY_TREE_SHA1_HEX;
 967
 968        child_process_init(&child);
 969        child.argv = diff_index;
 970        child.env = env->argv;
 971        child.no_stdin = 1;
 972        child.no_stdout = 1;
 973        child.stdout_to_stderr = 0;
 974        child.git_cmd = 1;
 975        if (run_command(&child))
 976                return "Working directory has staged changes";
 977
 978        read_tree[3] = sha1_to_hex(sha1);
 979        child_process_init(&child);
 980        child.argv = read_tree;
 981        child.env = env->argv;
 982        child.dir = work_tree;
 983        child.no_stdin = 1;
 984        child.no_stdout = 1;
 985        child.stdout_to_stderr = 0;
 986        child.git_cmd = 1;
 987        if (run_command(&child))
 988                return "Could not update working tree to new HEAD";
 989
 990        return NULL;
 991}
 992
 993static const char *push_to_checkout_hook = "push-to-checkout";
 994
 995static const char *push_to_checkout(unsigned char *sha1,
 996                                    struct argv_array *env,
 997                                    const char *work_tree)
 998{
 999        argv_array_pushf(env, "GIT_WORK_TREE=%s", absolute_path(work_tree));
1000        if (run_hook_le(env->argv, push_to_checkout_hook,
1001                        sha1_to_hex(sha1), NULL))
1002                return "push-to-checkout hook declined";
1003        else
1004                return NULL;
1005}
1006
1007static const char *update_worktree(unsigned char *sha1)
1008{
1009        const char *retval;
1010        const char *work_tree = git_work_tree_cfg ? git_work_tree_cfg : "..";
1011        struct argv_array env = ARGV_ARRAY_INIT;
1012
1013        if (is_bare_repository())
1014                return "denyCurrentBranch = updateInstead needs a worktree";
1015
1016        argv_array_pushf(&env, "GIT_DIR=%s", absolute_path(get_git_dir()));
1017
1018        if (!find_hook(push_to_checkout_hook))
1019                retval = push_to_deploy(sha1, &env, work_tree);
1020        else
1021                retval = push_to_checkout(sha1, &env, work_tree);
1022
1023        argv_array_clear(&env);
1024        return retval;
1025}
1026
1027static const char *update(struct command *cmd, struct shallow_info *si)
1028{
1029        const char *name = cmd->ref_name;
1030        struct strbuf namespaced_name_buf = STRBUF_INIT;
1031        const char *namespaced_name, *ret;
1032        struct object_id *old_oid = &cmd->old_oid;
1033        struct object_id *new_oid = &cmd->new_oid;
1034
1035        /* only refs/... are allowed */
1036        if (!starts_with(name, "refs/") || check_refname_format(name + 5, 0)) {
1037                rp_error("refusing to create funny ref '%s' remotely", name);
1038                return "funny refname";
1039        }
1040
1041        strbuf_addf(&namespaced_name_buf, "%s%s", get_git_namespace(), name);
1042        namespaced_name = strbuf_detach(&namespaced_name_buf, NULL);
1043
1044        if (is_ref_checked_out(namespaced_name)) {
1045                switch (deny_current_branch) {
1046                case DENY_IGNORE:
1047                        break;
1048                case DENY_WARN:
1049                        rp_warning("updating the current branch");
1050                        break;
1051                case DENY_REFUSE:
1052                case DENY_UNCONFIGURED:
1053                        rp_error("refusing to update checked out branch: %s", name);
1054                        if (deny_current_branch == DENY_UNCONFIGURED)
1055                                refuse_unconfigured_deny();
1056                        return "branch is currently checked out";
1057                case DENY_UPDATE_INSTEAD:
1058                        ret = update_worktree(new_oid->hash);
1059                        if (ret)
1060                                return ret;
1061                        break;
1062                }
1063        }
1064
1065        if (!is_null_oid(new_oid) && !has_object_file(new_oid)) {
1066                error("unpack should have generated %s, "
1067                      "but I can't find it!", oid_to_hex(new_oid));
1068                return "bad pack";
1069        }
1070
1071        if (!is_null_oid(old_oid) && is_null_oid(new_oid)) {
1072                if (deny_deletes && starts_with(name, "refs/heads/")) {
1073                        rp_error("denying ref deletion for %s", name);
1074                        return "deletion prohibited";
1075                }
1076
1077                if (head_name && !strcmp(namespaced_name, head_name)) {
1078                        switch (deny_delete_current) {
1079                        case DENY_IGNORE:
1080                                break;
1081                        case DENY_WARN:
1082                                rp_warning("deleting the current branch");
1083                                break;
1084                        case DENY_REFUSE:
1085                        case DENY_UNCONFIGURED:
1086                        case DENY_UPDATE_INSTEAD:
1087                                if (deny_delete_current == DENY_UNCONFIGURED)
1088                                        refuse_unconfigured_deny_delete_current();
1089                                rp_error("refusing to delete the current branch: %s", name);
1090                                return "deletion of the current branch prohibited";
1091                        default:
1092                                return "Invalid denyDeleteCurrent setting";
1093                        }
1094                }
1095        }
1096
1097        if (deny_non_fast_forwards && !is_null_oid(new_oid) &&
1098            !is_null_oid(old_oid) &&
1099            starts_with(name, "refs/heads/")) {
1100                struct object *old_object, *new_object;
1101                struct commit *old_commit, *new_commit;
1102
1103                old_object = parse_object(old_oid);
1104                new_object = parse_object(new_oid);
1105
1106                if (!old_object || !new_object ||
1107                    old_object->type != OBJ_COMMIT ||
1108                    new_object->type != OBJ_COMMIT) {
1109                        error("bad sha1 objects for %s", name);
1110                        return "bad ref";
1111                }
1112                old_commit = (struct commit *)old_object;
1113                new_commit = (struct commit *)new_object;
1114                if (!in_merge_bases(old_commit, new_commit)) {
1115                        rp_error("denying non-fast-forward %s"
1116                                 " (you should pull first)", name);
1117                        return "non-fast-forward";
1118                }
1119        }
1120        if (run_update_hook(cmd)) {
1121                rp_error("hook declined to update %s", name);
1122                return "hook declined";
1123        }
1124
1125        if (is_null_oid(new_oid)) {
1126                struct strbuf err = STRBUF_INIT;
1127                if (!parse_object(old_oid)) {
1128                        old_oid = NULL;
1129                        if (ref_exists(name)) {
1130                                rp_warning("Allowing deletion of corrupt ref.");
1131                        } else {
1132                                rp_warning("Deleting a non-existent ref.");
1133                                cmd->did_not_exist = 1;
1134                        }
1135                }
1136                if (ref_transaction_delete(transaction,
1137                                           namespaced_name,
1138                                           old_oid->hash,
1139                                           0, "push", &err)) {
1140                        rp_error("%s", err.buf);
1141                        strbuf_release(&err);
1142                        return "failed to delete";
1143                }
1144                strbuf_release(&err);
1145                return NULL; /* good */
1146        }
1147        else {
1148                struct strbuf err = STRBUF_INIT;
1149                if (shallow_update && si->shallow_ref[cmd->index] &&
1150                    update_shallow_ref(cmd, si))
1151                        return "shallow error";
1152
1153                if (ref_transaction_update(transaction,
1154                                           namespaced_name,
1155                                           new_oid->hash, old_oid->hash,
1156                                           0, "push",
1157                                           &err)) {
1158                        rp_error("%s", err.buf);
1159                        strbuf_release(&err);
1160
1161                        return "failed to update ref";
1162                }
1163                strbuf_release(&err);
1164
1165                return NULL; /* good */
1166        }
1167}
1168
1169static void run_update_post_hook(struct command *commands)
1170{
1171        struct command *cmd;
1172        struct child_process proc = CHILD_PROCESS_INIT;
1173        const char *hook;
1174
1175        hook = find_hook("post-update");
1176        if (!hook)
1177                return;
1178
1179        for (cmd = commands; cmd; cmd = cmd->next) {
1180                if (cmd->error_string || cmd->did_not_exist)
1181                        continue;
1182                if (!proc.args.argc)
1183                        argv_array_push(&proc.args, hook);
1184                argv_array_push(&proc.args, cmd->ref_name);
1185        }
1186        if (!proc.args.argc)
1187                return;
1188
1189        proc.no_stdin = 1;
1190        proc.stdout_to_stderr = 1;
1191        proc.err = use_sideband ? -1 : 0;
1192
1193        if (!start_command(&proc)) {
1194                if (use_sideband)
1195                        copy_to_sideband(proc.err, -1, NULL);
1196                finish_command(&proc);
1197        }
1198}
1199
1200static void check_aliased_update(struct command *cmd, struct string_list *list)
1201{
1202        struct strbuf buf = STRBUF_INIT;
1203        const char *dst_name;
1204        struct string_list_item *item;
1205        struct command *dst_cmd;
1206        unsigned char sha1[GIT_MAX_RAWSZ];
1207        int flag;
1208
1209        strbuf_addf(&buf, "%s%s", get_git_namespace(), cmd->ref_name);
1210        dst_name = resolve_ref_unsafe(buf.buf, 0, sha1, &flag);
1211        strbuf_release(&buf);
1212
1213        if (!(flag & REF_ISSYMREF))
1214                return;
1215
1216        if (!dst_name) {
1217                rp_error("refusing update to broken symref '%s'", cmd->ref_name);
1218                cmd->skip_update = 1;
1219                cmd->error_string = "broken symref";
1220                return;
1221        }
1222        dst_name = strip_namespace(dst_name);
1223
1224        if ((item = string_list_lookup(list, dst_name)) == NULL)
1225                return;
1226
1227        cmd->skip_update = 1;
1228
1229        dst_cmd = (struct command *) item->util;
1230
1231        if (!oidcmp(&cmd->old_oid, &dst_cmd->old_oid) &&
1232            !oidcmp(&cmd->new_oid, &dst_cmd->new_oid))
1233                return;
1234
1235        dst_cmd->skip_update = 1;
1236
1237        rp_error("refusing inconsistent update between symref '%s' (%s..%s) and"
1238                 " its target '%s' (%s..%s)",
1239                 cmd->ref_name,
1240                 find_unique_abbrev(cmd->old_oid.hash, DEFAULT_ABBREV),
1241                 find_unique_abbrev(cmd->new_oid.hash, DEFAULT_ABBREV),
1242                 dst_cmd->ref_name,
1243                 find_unique_abbrev(dst_cmd->old_oid.hash, DEFAULT_ABBREV),
1244                 find_unique_abbrev(dst_cmd->new_oid.hash, DEFAULT_ABBREV));
1245
1246        cmd->error_string = dst_cmd->error_string =
1247                "inconsistent aliased update";
1248}
1249
1250static void check_aliased_updates(struct command *commands)
1251{
1252        struct command *cmd;
1253        struct string_list ref_list = STRING_LIST_INIT_NODUP;
1254
1255        for (cmd = commands; cmd; cmd = cmd->next) {
1256                struct string_list_item *item =
1257                        string_list_append(&ref_list, cmd->ref_name);
1258                item->util = (void *)cmd;
1259        }
1260        string_list_sort(&ref_list);
1261
1262        for (cmd = commands; cmd; cmd = cmd->next) {
1263                if (!cmd->error_string)
1264                        check_aliased_update(cmd, &ref_list);
1265        }
1266
1267        string_list_clear(&ref_list, 0);
1268}
1269
1270static int command_singleton_iterator(void *cb_data, unsigned char sha1[20])
1271{
1272        struct command **cmd_list = cb_data;
1273        struct command *cmd = *cmd_list;
1274
1275        if (!cmd || is_null_oid(&cmd->new_oid))
1276                return -1; /* end of list */
1277        *cmd_list = NULL; /* this returns only one */
1278        hashcpy(sha1, cmd->new_oid.hash);
1279        return 0;
1280}
1281
1282static void set_connectivity_errors(struct command *commands,
1283                                    struct shallow_info *si)
1284{
1285        struct command *cmd;
1286
1287        for (cmd = commands; cmd; cmd = cmd->next) {
1288                struct command *singleton = cmd;
1289                struct check_connected_options opt = CHECK_CONNECTED_INIT;
1290
1291                if (shallow_update && si->shallow_ref[cmd->index])
1292                        /* to be checked in update_shallow_ref() */
1293                        continue;
1294
1295                opt.env = tmp_objdir_env(tmp_objdir);
1296                if (!check_connected(command_singleton_iterator, &singleton,
1297                                     &opt))
1298                        continue;
1299
1300                cmd->error_string = "missing necessary objects";
1301        }
1302}
1303
1304struct iterate_data {
1305        struct command *cmds;
1306        struct shallow_info *si;
1307};
1308
1309static int iterate_receive_command_list(void *cb_data, unsigned char sha1[20])
1310{
1311        struct iterate_data *data = cb_data;
1312        struct command **cmd_list = &data->cmds;
1313        struct command *cmd = *cmd_list;
1314
1315        for (; cmd; cmd = cmd->next) {
1316                if (shallow_update && data->si->shallow_ref[cmd->index])
1317                        /* to be checked in update_shallow_ref() */
1318                        continue;
1319                if (!is_null_oid(&cmd->new_oid) && !cmd->skip_update) {
1320                        hashcpy(sha1, cmd->new_oid.hash);
1321                        *cmd_list = cmd->next;
1322                        return 0;
1323                }
1324        }
1325        *cmd_list = NULL;
1326        return -1; /* end of list */
1327}
1328
1329static void reject_updates_to_hidden(struct command *commands)
1330{
1331        struct strbuf refname_full = STRBUF_INIT;
1332        size_t prefix_len;
1333        struct command *cmd;
1334
1335        strbuf_addstr(&refname_full, get_git_namespace());
1336        prefix_len = refname_full.len;
1337
1338        for (cmd = commands; cmd; cmd = cmd->next) {
1339                if (cmd->error_string)
1340                        continue;
1341
1342                strbuf_setlen(&refname_full, prefix_len);
1343                strbuf_addstr(&refname_full, cmd->ref_name);
1344
1345                if (!ref_is_hidden(cmd->ref_name, refname_full.buf))
1346                        continue;
1347                if (is_null_oid(&cmd->new_oid))
1348                        cmd->error_string = "deny deleting a hidden ref";
1349                else
1350                        cmd->error_string = "deny updating a hidden ref";
1351        }
1352
1353        strbuf_release(&refname_full);
1354}
1355
1356static int should_process_cmd(struct command *cmd)
1357{
1358        return !cmd->error_string && !cmd->skip_update;
1359}
1360
1361static void warn_if_skipped_connectivity_check(struct command *commands,
1362                                               struct shallow_info *si)
1363{
1364        struct command *cmd;
1365        int checked_connectivity = 1;
1366
1367        for (cmd = commands; cmd; cmd = cmd->next) {
1368                if (should_process_cmd(cmd) && si->shallow_ref[cmd->index]) {
1369                        error("BUG: connectivity check has not been run on ref %s",
1370                              cmd->ref_name);
1371                        checked_connectivity = 0;
1372                }
1373        }
1374        if (!checked_connectivity)
1375                die("BUG: connectivity check skipped???");
1376}
1377
1378static void execute_commands_non_atomic(struct command *commands,
1379                                        struct shallow_info *si)
1380{
1381        struct command *cmd;
1382        struct strbuf err = STRBUF_INIT;
1383
1384        for (cmd = commands; cmd; cmd = cmd->next) {
1385                if (!should_process_cmd(cmd))
1386                        continue;
1387
1388                transaction = ref_transaction_begin(&err);
1389                if (!transaction) {
1390                        rp_error("%s", err.buf);
1391                        strbuf_reset(&err);
1392                        cmd->error_string = "transaction failed to start";
1393                        continue;
1394                }
1395
1396                cmd->error_string = update(cmd, si);
1397
1398                if (!cmd->error_string
1399                    && ref_transaction_commit(transaction, &err)) {
1400                        rp_error("%s", err.buf);
1401                        strbuf_reset(&err);
1402                        cmd->error_string = "failed to update ref";
1403                }
1404                ref_transaction_free(transaction);
1405        }
1406        strbuf_release(&err);
1407}
1408
1409static void execute_commands_atomic(struct command *commands,
1410                                        struct shallow_info *si)
1411{
1412        struct command *cmd;
1413        struct strbuf err = STRBUF_INIT;
1414        const char *reported_error = "atomic push failure";
1415
1416        transaction = ref_transaction_begin(&err);
1417        if (!transaction) {
1418                rp_error("%s", err.buf);
1419                strbuf_reset(&err);
1420                reported_error = "transaction failed to start";
1421                goto failure;
1422        }
1423
1424        for (cmd = commands; cmd; cmd = cmd->next) {
1425                if (!should_process_cmd(cmd))
1426                        continue;
1427
1428                cmd->error_string = update(cmd, si);
1429
1430                if (cmd->error_string)
1431                        goto failure;
1432        }
1433
1434        if (ref_transaction_commit(transaction, &err)) {
1435                rp_error("%s", err.buf);
1436                reported_error = "atomic transaction failed";
1437                goto failure;
1438        }
1439        goto cleanup;
1440
1441failure:
1442        for (cmd = commands; cmd; cmd = cmd->next)
1443                if (!cmd->error_string)
1444                        cmd->error_string = reported_error;
1445
1446cleanup:
1447        ref_transaction_free(transaction);
1448        strbuf_release(&err);
1449}
1450
1451static void execute_commands(struct command *commands,
1452                             const char *unpacker_error,
1453                             struct shallow_info *si,
1454                             const struct string_list *push_options)
1455{
1456        struct check_connected_options opt = CHECK_CONNECTED_INIT;
1457        struct command *cmd;
1458        struct object_id oid;
1459        struct iterate_data data;
1460        struct async muxer;
1461        int err_fd = 0;
1462
1463        if (unpacker_error) {
1464                for (cmd = commands; cmd; cmd = cmd->next)
1465                        cmd->error_string = "unpacker error";
1466                return;
1467        }
1468
1469        if (use_sideband) {
1470                memset(&muxer, 0, sizeof(muxer));
1471                muxer.proc = copy_to_sideband;
1472                muxer.in = -1;
1473                if (!start_async(&muxer))
1474                        err_fd = muxer.in;
1475                /* ...else, continue without relaying sideband */
1476        }
1477
1478        data.cmds = commands;
1479        data.si = si;
1480        opt.err_fd = err_fd;
1481        opt.progress = err_fd && !quiet;
1482        opt.env = tmp_objdir_env(tmp_objdir);
1483        if (check_connected(iterate_receive_command_list, &data, &opt))
1484                set_connectivity_errors(commands, si);
1485
1486        if (use_sideband)
1487                finish_async(&muxer);
1488
1489        reject_updates_to_hidden(commands);
1490
1491        if (run_receive_hook(commands, "pre-receive", 0, push_options)) {
1492                for (cmd = commands; cmd; cmd = cmd->next) {
1493                        if (!cmd->error_string)
1494                                cmd->error_string = "pre-receive hook declined";
1495                }
1496                return;
1497        }
1498
1499        /*
1500         * Now we'll start writing out refs, which means the objects need
1501         * to be in their final positions so that other processes can see them.
1502         */
1503        if (tmp_objdir_migrate(tmp_objdir) < 0) {
1504                for (cmd = commands; cmd; cmd = cmd->next) {
1505                        if (!cmd->error_string)
1506                                cmd->error_string = "unable to migrate objects to permanent storage";
1507                }
1508                return;
1509        }
1510        tmp_objdir = NULL;
1511
1512        check_aliased_updates(commands);
1513
1514        free(head_name_to_free);
1515        head_name = head_name_to_free = resolve_refdup("HEAD", 0, oid.hash, NULL);
1516
1517        if (use_atomic)
1518                execute_commands_atomic(commands, si);
1519        else
1520                execute_commands_non_atomic(commands, si);
1521
1522        if (shallow_update)
1523                warn_if_skipped_connectivity_check(commands, si);
1524}
1525
1526static struct command **queue_command(struct command **tail,
1527                                      const char *line,
1528                                      int linelen)
1529{
1530        struct object_id old_oid, new_oid;
1531        struct command *cmd;
1532        const char *refname;
1533        int reflen;
1534        const char *p;
1535
1536        if (parse_oid_hex(line, &old_oid, &p) ||
1537            *p++ != ' ' ||
1538            parse_oid_hex(p, &new_oid, &p) ||
1539            *p++ != ' ')
1540                die("protocol error: expected old/new/ref, got '%s'", line);
1541
1542        refname = p;
1543        reflen = linelen - (p - line);
1544        FLEX_ALLOC_MEM(cmd, ref_name, refname, reflen);
1545        oidcpy(&cmd->old_oid, &old_oid);
1546        oidcpy(&cmd->new_oid, &new_oid);
1547        *tail = cmd;
1548        return &cmd->next;
1549}
1550
1551static void queue_commands_from_cert(struct command **tail,
1552                                     struct strbuf *push_cert)
1553{
1554        const char *boc, *eoc;
1555
1556        if (*tail)
1557                die("protocol error: got both push certificate and unsigned commands");
1558
1559        boc = strstr(push_cert->buf, "\n\n");
1560        if (!boc)
1561                die("malformed push certificate %.*s", 100, push_cert->buf);
1562        else
1563                boc += 2;
1564        eoc = push_cert->buf + parse_signature(push_cert->buf, push_cert->len);
1565
1566        while (boc < eoc) {
1567                const char *eol = memchr(boc, '\n', eoc - boc);
1568                tail = queue_command(tail, boc, eol ? eol - boc : eoc - boc);
1569                boc = eol ? eol + 1 : eoc;
1570        }
1571}
1572
1573static struct command *read_head_info(struct oid_array *shallow)
1574{
1575        struct command *commands = NULL;
1576        struct command **p = &commands;
1577        for (;;) {
1578                char *line;
1579                int len, linelen;
1580
1581                line = packet_read_line(0, &len);
1582                if (!line)
1583                        break;
1584
1585                if (len > 8 && starts_with(line, "shallow ")) {
1586                        struct object_id oid;
1587                        if (get_oid_hex(line + 8, &oid))
1588                                die("protocol error: expected shallow sha, got '%s'",
1589                                    line + 8);
1590                        oid_array_append(shallow, &oid);
1591                        continue;
1592                }
1593
1594                linelen = strlen(line);
1595                if (linelen < len) {
1596                        const char *feature_list = line + linelen + 1;
1597                        if (parse_feature_request(feature_list, "report-status"))
1598                                report_status = 1;
1599                        if (parse_feature_request(feature_list, "side-band-64k"))
1600                                use_sideband = LARGE_PACKET_MAX;
1601                        if (parse_feature_request(feature_list, "quiet"))
1602                                quiet = 1;
1603                        if (advertise_atomic_push
1604                            && parse_feature_request(feature_list, "atomic"))
1605                                use_atomic = 1;
1606                        if (advertise_push_options
1607                            && parse_feature_request(feature_list, "push-options"))
1608                                use_push_options = 1;
1609                }
1610
1611                if (!strcmp(line, "push-cert")) {
1612                        int true_flush = 0;
1613                        char certbuf[1024];
1614
1615                        for (;;) {
1616                                len = packet_read(0, NULL, NULL,
1617                                                  certbuf, sizeof(certbuf), 0);
1618                                if (!len) {
1619                                        true_flush = 1;
1620                                        break;
1621                                }
1622                                if (!strcmp(certbuf, "push-cert-end\n"))
1623                                        break; /* end of cert */
1624                                strbuf_addstr(&push_cert, certbuf);
1625                        }
1626
1627                        if (true_flush)
1628                                break;
1629                        continue;
1630                }
1631
1632                p = queue_command(p, line, linelen);
1633        }
1634
1635        if (push_cert.len)
1636                queue_commands_from_cert(p, &push_cert);
1637
1638        return commands;
1639}
1640
1641static void read_push_options(struct string_list *options)
1642{
1643        while (1) {
1644                char *line;
1645                int len;
1646
1647                line = packet_read_line(0, &len);
1648
1649                if (!line)
1650                        break;
1651
1652                string_list_append(options, line);
1653        }
1654}
1655
1656static const char *parse_pack_header(struct pack_header *hdr)
1657{
1658        switch (read_pack_header(0, hdr)) {
1659        case PH_ERROR_EOF:
1660                return "eof before pack header was fully read";
1661
1662        case PH_ERROR_PACK_SIGNATURE:
1663                return "protocol error (pack signature mismatch detected)";
1664
1665        case PH_ERROR_PROTOCOL:
1666                return "protocol error (pack version unsupported)";
1667
1668        default:
1669                return "unknown error in parse_pack_header";
1670
1671        case 0:
1672                return NULL;
1673        }
1674}
1675
1676static const char *pack_lockfile;
1677
1678static void push_header_arg(struct argv_array *args, struct pack_header *hdr)
1679{
1680        argv_array_pushf(args, "--pack_header=%"PRIu32",%"PRIu32,
1681                        ntohl(hdr->hdr_version), ntohl(hdr->hdr_entries));
1682}
1683
1684static const char *unpack(int err_fd, struct shallow_info *si)
1685{
1686        struct pack_header hdr;
1687        const char *hdr_err;
1688        int status;
1689        struct child_process child = CHILD_PROCESS_INIT;
1690        int fsck_objects = (receive_fsck_objects >= 0
1691                            ? receive_fsck_objects
1692                            : transfer_fsck_objects >= 0
1693                            ? transfer_fsck_objects
1694                            : 0);
1695
1696        hdr_err = parse_pack_header(&hdr);
1697        if (hdr_err) {
1698                if (err_fd > 0)
1699                        close(err_fd);
1700                return hdr_err;
1701        }
1702
1703        if (si->nr_ours || si->nr_theirs) {
1704                alt_shallow_file = setup_temporary_shallow(si->shallow);
1705                argv_array_push(&child.args, "--shallow-file");
1706                argv_array_push(&child.args, alt_shallow_file);
1707        }
1708
1709        tmp_objdir = tmp_objdir_create();
1710        if (!tmp_objdir) {
1711                if (err_fd > 0)
1712                        close(err_fd);
1713                return "unable to create temporary object directory";
1714        }
1715        child.env = tmp_objdir_env(tmp_objdir);
1716
1717        /*
1718         * Normally we just pass the tmp_objdir environment to the child
1719         * processes that do the heavy lifting, but we may need to see these
1720         * objects ourselves to set up shallow information.
1721         */
1722        tmp_objdir_add_as_alternate(tmp_objdir);
1723
1724        if (ntohl(hdr.hdr_entries) < unpack_limit) {
1725                argv_array_push(&child.args, "unpack-objects");
1726                push_header_arg(&child.args, &hdr);
1727                if (quiet)
1728                        argv_array_push(&child.args, "-q");
1729                if (fsck_objects)
1730                        argv_array_pushf(&child.args, "--strict%s",
1731                                fsck_msg_types.buf);
1732                if (max_input_size)
1733                        argv_array_pushf(&child.args, "--max-input-size=%"PRIuMAX,
1734                                (uintmax_t)max_input_size);
1735                child.no_stdout = 1;
1736                child.err = err_fd;
1737                child.git_cmd = 1;
1738                status = run_command(&child);
1739                if (status)
1740                        return "unpack-objects abnormal exit";
1741        } else {
1742                char hostname[HOST_NAME_MAX + 1];
1743
1744                argv_array_pushl(&child.args, "index-pack", "--stdin", NULL);
1745                push_header_arg(&child.args, &hdr);
1746
1747                if (xgethostname(hostname, sizeof(hostname)))
1748                        xsnprintf(hostname, sizeof(hostname), "localhost");
1749                argv_array_pushf(&child.args,
1750                                 "--keep=receive-pack %"PRIuMAX" on %s",
1751                                 (uintmax_t)getpid(),
1752                                 hostname);
1753
1754                if (!quiet && err_fd)
1755                        argv_array_push(&child.args, "--show-resolving-progress");
1756                if (use_sideband)
1757                        argv_array_push(&child.args, "--report-end-of-input");
1758                if (fsck_objects)
1759                        argv_array_pushf(&child.args, "--strict%s",
1760                                fsck_msg_types.buf);
1761                if (!reject_thin)
1762                        argv_array_push(&child.args, "--fix-thin");
1763                if (max_input_size)
1764                        argv_array_pushf(&child.args, "--max-input-size=%"PRIuMAX,
1765                                (uintmax_t)max_input_size);
1766                child.out = -1;
1767                child.err = err_fd;
1768                child.git_cmd = 1;
1769                status = start_command(&child);
1770                if (status)
1771                        return "index-pack fork failed";
1772                pack_lockfile = index_pack_lockfile(child.out);
1773                close(child.out);
1774                status = finish_command(&child);
1775                if (status)
1776                        return "index-pack abnormal exit";
1777                reprepare_packed_git();
1778        }
1779        return NULL;
1780}
1781
1782static const char *unpack_with_sideband(struct shallow_info *si)
1783{
1784        struct async muxer;
1785        const char *ret;
1786
1787        if (!use_sideband)
1788                return unpack(0, si);
1789
1790        use_keepalive = KEEPALIVE_AFTER_NUL;
1791        memset(&muxer, 0, sizeof(muxer));
1792        muxer.proc = copy_to_sideband;
1793        muxer.in = -1;
1794        if (start_async(&muxer))
1795                return NULL;
1796
1797        ret = unpack(muxer.in, si);
1798
1799        finish_async(&muxer);
1800        return ret;
1801}
1802
1803static void prepare_shallow_update(struct command *commands,
1804                                   struct shallow_info *si)
1805{
1806        int i, j, k, bitmap_size = (si->ref->nr + 31) / 32;
1807
1808        ALLOC_ARRAY(si->used_shallow, si->shallow->nr);
1809        assign_shallow_commits_to_refs(si, si->used_shallow, NULL);
1810
1811        si->need_reachability_test =
1812                xcalloc(si->shallow->nr, sizeof(*si->need_reachability_test));
1813        si->reachable =
1814                xcalloc(si->shallow->nr, sizeof(*si->reachable));
1815        si->shallow_ref = xcalloc(si->ref->nr, sizeof(*si->shallow_ref));
1816
1817        for (i = 0; i < si->nr_ours; i++)
1818                si->need_reachability_test[si->ours[i]] = 1;
1819
1820        for (i = 0; i < si->shallow->nr; i++) {
1821                if (!si->used_shallow[i])
1822                        continue;
1823                for (j = 0; j < bitmap_size; j++) {
1824                        if (!si->used_shallow[i][j])
1825                                continue;
1826                        si->need_reachability_test[i]++;
1827                        for (k = 0; k < 32; k++)
1828                                if (si->used_shallow[i][j] & (1U << k))
1829                                        si->shallow_ref[j * 32 + k]++;
1830                }
1831
1832                /*
1833                 * true for those associated with some refs and belong
1834                 * in "ours" list aka "step 7 not done yet"
1835                 */
1836                si->need_reachability_test[i] =
1837                        si->need_reachability_test[i] > 1;
1838        }
1839
1840        /*
1841         * keep hooks happy by forcing a temporary shallow file via
1842         * env variable because we can't add --shallow-file to every
1843         * command. check_everything_connected() will be done with
1844         * true .git/shallow though.
1845         */
1846        setenv(GIT_SHALLOW_FILE_ENVIRONMENT, alt_shallow_file, 1);
1847}
1848
1849static void update_shallow_info(struct command *commands,
1850                                struct shallow_info *si,
1851                                struct oid_array *ref)
1852{
1853        struct command *cmd;
1854        int *ref_status;
1855        remove_nonexistent_theirs_shallow(si);
1856        if (!si->nr_ours && !si->nr_theirs) {
1857                shallow_update = 0;
1858                return;
1859        }
1860
1861        for (cmd = commands; cmd; cmd = cmd->next) {
1862                if (is_null_oid(&cmd->new_oid))
1863                        continue;
1864                oid_array_append(ref, &cmd->new_oid);
1865                cmd->index = ref->nr - 1;
1866        }
1867        si->ref = ref;
1868
1869        if (shallow_update) {
1870                prepare_shallow_update(commands, si);
1871                return;
1872        }
1873
1874        ALLOC_ARRAY(ref_status, ref->nr);
1875        assign_shallow_commits_to_refs(si, NULL, ref_status);
1876        for (cmd = commands; cmd; cmd = cmd->next) {
1877                if (is_null_oid(&cmd->new_oid))
1878                        continue;
1879                if (ref_status[cmd->index]) {
1880                        cmd->error_string = "shallow update not allowed";
1881                        cmd->skip_update = 1;
1882                }
1883        }
1884        free(ref_status);
1885}
1886
1887static void report(struct command *commands, const char *unpack_status)
1888{
1889        struct command *cmd;
1890        struct strbuf buf = STRBUF_INIT;
1891
1892        packet_buf_write(&buf, "unpack %s\n",
1893                         unpack_status ? unpack_status : "ok");
1894        for (cmd = commands; cmd; cmd = cmd->next) {
1895                if (!cmd->error_string)
1896                        packet_buf_write(&buf, "ok %s\n",
1897                                         cmd->ref_name);
1898                else
1899                        packet_buf_write(&buf, "ng %s %s\n",
1900                                         cmd->ref_name, cmd->error_string);
1901        }
1902        packet_buf_flush(&buf);
1903
1904        if (use_sideband)
1905                send_sideband(1, 1, buf.buf, buf.len, use_sideband);
1906        else
1907                write_or_die(1, buf.buf, buf.len);
1908        strbuf_release(&buf);
1909}
1910
1911static int delete_only(struct command *commands)
1912{
1913        struct command *cmd;
1914        for (cmd = commands; cmd; cmd = cmd->next) {
1915                if (!is_null_oid(&cmd->new_oid))
1916                        return 0;
1917        }
1918        return 1;
1919}
1920
1921int cmd_receive_pack(int argc, const char **argv, const char *prefix)
1922{
1923        int advertise_refs = 0;
1924        struct command *commands;
1925        struct oid_array shallow = OID_ARRAY_INIT;
1926        struct oid_array ref = OID_ARRAY_INIT;
1927        struct shallow_info si;
1928
1929        struct option options[] = {
1930                OPT__QUIET(&quiet, N_("quiet")),
1931                OPT_HIDDEN_BOOL(0, "stateless-rpc", &stateless_rpc, NULL),
1932                OPT_HIDDEN_BOOL(0, "advertise-refs", &advertise_refs, NULL),
1933                OPT_HIDDEN_BOOL(0, "reject-thin-pack-for-testing", &reject_thin, NULL),
1934                OPT_END()
1935        };
1936
1937        packet_trace_identity("receive-pack");
1938
1939        argc = parse_options(argc, argv, prefix, options, receive_pack_usage, 0);
1940
1941        if (argc > 1)
1942                usage_msg_opt(_("Too many arguments."), receive_pack_usage, options);
1943        if (argc == 0)
1944                usage_msg_opt(_("You must specify a directory."), receive_pack_usage, options);
1945
1946        service_dir = argv[0];
1947
1948        setup_path();
1949
1950        if (!enter_repo(service_dir, 0))
1951                die("'%s' does not appear to be a git repository", service_dir);
1952
1953        git_config(receive_pack_config, NULL);
1954        if (cert_nonce_seed)
1955                push_cert_nonce = prepare_push_cert_nonce(service_dir, time(NULL));
1956
1957        if (0 <= transfer_unpack_limit)
1958                unpack_limit = transfer_unpack_limit;
1959        else if (0 <= receive_unpack_limit)
1960                unpack_limit = receive_unpack_limit;
1961
1962        if (advertise_refs || !stateless_rpc) {
1963                write_head_info();
1964        }
1965        if (advertise_refs)
1966                return 0;
1967
1968        if ((commands = read_head_info(&shallow)) != NULL) {
1969                const char *unpack_status = NULL;
1970                struct string_list push_options = STRING_LIST_INIT_DUP;
1971
1972                if (use_push_options)
1973                        read_push_options(&push_options);
1974                if (!check_cert_push_options(&push_options)) {
1975                        struct command *cmd;
1976                        for (cmd = commands; cmd; cmd = cmd->next)
1977                                cmd->error_string = "inconsistent push options";
1978                }
1979
1980                prepare_shallow_info(&si, &shallow);
1981                if (!si.nr_ours && !si.nr_theirs)
1982                        shallow_update = 0;
1983                if (!delete_only(commands)) {
1984                        unpack_status = unpack_with_sideband(&si);
1985                        update_shallow_info(commands, &si, &ref);
1986                }
1987                use_keepalive = KEEPALIVE_ALWAYS;
1988                execute_commands(commands, unpack_status, &si,
1989                                 &push_options);
1990                if (pack_lockfile)
1991                        unlink_or_warn(pack_lockfile);
1992                if (report_status)
1993                        report(commands, unpack_status);
1994                run_receive_hook(commands, "post-receive", 1,
1995                                 &push_options);
1996                run_update_post_hook(commands);
1997                string_list_clear(&push_options, 0);
1998                if (auto_gc) {
1999                        const char *argv_gc_auto[] = {
2000                                "gc", "--auto", "--quiet", NULL,
2001                        };
2002                        struct child_process proc = CHILD_PROCESS_INIT;
2003
2004                        proc.no_stdin = 1;
2005                        proc.stdout_to_stderr = 1;
2006                        proc.err = use_sideband ? -1 : 0;
2007                        proc.git_cmd = 1;
2008                        proc.argv = argv_gc_auto;
2009
2010                        close_all_packs();
2011                        if (!start_command(&proc)) {
2012                                if (use_sideband)
2013                                        copy_to_sideband(proc.err, -1, NULL);
2014                                finish_command(&proc);
2015                        }
2016                }
2017                if (auto_update_server_info)
2018                        update_server_info(0);
2019                clear_shallow_info(&si);
2020        }
2021        if (use_sideband)
2022                packet_flush(1);
2023        oid_array_clear(&shallow);
2024        oid_array_clear(&ref);
2025        free((void *)push_cert_nonce);
2026        return 0;
2027}