builtin / receive-pack.con commit improve error page/httpd logging and file permissions (257c23d)
   1#include "builtin.h"
   2#include "repository.h"
   3#include "config.h"
   4#include "lockfile.h"
   5#include "pack.h"
   6#include "refs.h"
   7#include "pkt-line.h"
   8#include "sideband.h"
   9#include "run-command.h"
  10#include "exec-cmd.h"
  11#include "commit.h"
  12#include "object.h"
  13#include "remote.h"
  14#include "connect.h"
  15#include "string-list.h"
  16#include "sha1-array.h"
  17#include "connected.h"
  18#include "argv-array.h"
  19#include "version.h"
  20#include "tag.h"
  21#include "gpg-interface.h"
  22#include "sigchain.h"
  23#include "fsck.h"
  24#include "tmp-objdir.h"
  25#include "oidset.h"
  26#include "packfile.h"
  27#include "object-store.h"
  28#include "protocol.h"
  29#include "commit-reach.h"
  30
  31static const char * const receive_pack_usage[] = {
  32        N_("git receive-pack <git-dir>"),
  33        NULL
  34};
  35
  36enum deny_action {
  37        DENY_UNCONFIGURED,
  38        DENY_IGNORE,
  39        DENY_WARN,
  40        DENY_REFUSE,
  41        DENY_UPDATE_INSTEAD
  42};
  43
  44static int deny_deletes;
  45static int deny_non_fast_forwards;
  46static enum deny_action deny_current_branch = DENY_UNCONFIGURED;
  47static enum deny_action deny_delete_current = DENY_UNCONFIGURED;
  48static int receive_fsck_objects = -1;
  49static int transfer_fsck_objects = -1;
  50static struct strbuf fsck_msg_types = STRBUF_INIT;
  51static int receive_unpack_limit = -1;
  52static int transfer_unpack_limit = -1;
  53static int advertise_atomic_push = 1;
  54static int advertise_push_options;
  55static int unpack_limit = 100;
  56static off_t max_input_size;
  57static int report_status;
  58static int use_sideband;
  59static int use_atomic;
  60static int use_push_options;
  61static int quiet;
  62static int prefer_ofs_delta = 1;
  63static int auto_update_server_info;
  64static int auto_gc = 1;
  65static int reject_thin;
  66static int stateless_rpc;
  67static const char *service_dir;
  68static const char *head_name;
  69static void *head_name_to_free;
  70static int sent_capabilities;
  71static int shallow_update;
  72static const char *alt_shallow_file;
  73static struct strbuf push_cert = STRBUF_INIT;
  74static struct object_id push_cert_oid;
  75static struct signature_check sigcheck;
  76static const char *push_cert_nonce;
  77static const char *cert_nonce_seed;
  78
  79static const char *NONCE_UNSOLICITED = "UNSOLICITED";
  80static const char *NONCE_BAD = "BAD";
  81static const char *NONCE_MISSING = "MISSING";
  82static const char *NONCE_OK = "OK";
  83static const char *NONCE_SLOP = "SLOP";
  84static const char *nonce_status;
  85static long nonce_stamp_slop;
  86static timestamp_t nonce_stamp_slop_limit;
  87static struct ref_transaction *transaction;
  88
  89static enum {
  90        KEEPALIVE_NEVER = 0,
  91        KEEPALIVE_AFTER_NUL,
  92        KEEPALIVE_ALWAYS
  93} use_keepalive;
  94static int keepalive_in_sec = 5;
  95
  96static struct tmp_objdir *tmp_objdir;
  97
  98static enum deny_action parse_deny_action(const char *var, const char *value)
  99{
 100        if (value) {
 101                if (!strcasecmp(value, "ignore"))
 102                        return DENY_IGNORE;
 103                if (!strcasecmp(value, "warn"))
 104                        return DENY_WARN;
 105                if (!strcasecmp(value, "refuse"))
 106                        return DENY_REFUSE;
 107                if (!strcasecmp(value, "updateinstead"))
 108                        return DENY_UPDATE_INSTEAD;
 109        }
 110        if (git_config_bool(var, value))
 111                return DENY_REFUSE;
 112        return DENY_IGNORE;
 113}
 114
 115static int receive_pack_config(const char *var, const char *value, void *cb)
 116{
 117        int status = parse_hide_refs_config(var, value, "receive");
 118
 119        if (status)
 120                return status;
 121
 122        if (strcmp(var, "receive.denydeletes") == 0) {
 123                deny_deletes = git_config_bool(var, value);
 124                return 0;
 125        }
 126
 127        if (strcmp(var, "receive.denynonfastforwards") == 0) {
 128                deny_non_fast_forwards = git_config_bool(var, value);
 129                return 0;
 130        }
 131
 132        if (strcmp(var, "receive.unpacklimit") == 0) {
 133                receive_unpack_limit = git_config_int(var, value);
 134                return 0;
 135        }
 136
 137        if (strcmp(var, "transfer.unpacklimit") == 0) {
 138                transfer_unpack_limit = git_config_int(var, value);
 139                return 0;
 140        }
 141
 142        if (strcmp(var, "receive.fsck.skiplist") == 0) {
 143                const char *path;
 144
 145                if (git_config_pathname(&path, var, value))
 146                        return 1;
 147                strbuf_addf(&fsck_msg_types, "%cskiplist=%s",
 148                        fsck_msg_types.len ? ',' : '=', path);
 149                free((char *)path);
 150                return 0;
 151        }
 152
 153        if (skip_prefix(var, "receive.fsck.", &var)) {
 154                if (is_valid_msg_type(var, value))
 155                        strbuf_addf(&fsck_msg_types, "%c%s=%s",
 156                                fsck_msg_types.len ? ',' : '=', var, value);
 157                else
 158                        warning("Skipping unknown msg id '%s'", var);
 159                return 0;
 160        }
 161
 162        if (strcmp(var, "receive.fsckobjects") == 0) {
 163                receive_fsck_objects = git_config_bool(var, value);
 164                return 0;
 165        }
 166
 167        if (strcmp(var, "transfer.fsckobjects") == 0) {
 168                transfer_fsck_objects = git_config_bool(var, value);
 169                return 0;
 170        }
 171
 172        if (!strcmp(var, "receive.denycurrentbranch")) {
 173                deny_current_branch = parse_deny_action(var, value);
 174                return 0;
 175        }
 176
 177        if (strcmp(var, "receive.denydeletecurrent") == 0) {
 178                deny_delete_current = parse_deny_action(var, value);
 179                return 0;
 180        }
 181
 182        if (strcmp(var, "repack.usedeltabaseoffset") == 0) {
 183                prefer_ofs_delta = git_config_bool(var, value);
 184                return 0;
 185        }
 186
 187        if (strcmp(var, "receive.updateserverinfo") == 0) {
 188                auto_update_server_info = git_config_bool(var, value);
 189                return 0;
 190        }
 191
 192        if (strcmp(var, "receive.autogc") == 0) {
 193                auto_gc = git_config_bool(var, value);
 194                return 0;
 195        }
 196
 197        if (strcmp(var, "receive.shallowupdate") == 0) {
 198                shallow_update = git_config_bool(var, value);
 199                return 0;
 200        }
 201
 202        if (strcmp(var, "receive.certnonceseed") == 0)
 203                return git_config_string(&cert_nonce_seed, var, value);
 204
 205        if (strcmp(var, "receive.certnonceslop") == 0) {
 206                nonce_stamp_slop_limit = git_config_ulong(var, value);
 207                return 0;
 208        }
 209
 210        if (strcmp(var, "receive.advertiseatomic") == 0) {
 211                advertise_atomic_push = git_config_bool(var, value);
 212                return 0;
 213        }
 214
 215        if (strcmp(var, "receive.advertisepushoptions") == 0) {
 216                advertise_push_options = git_config_bool(var, value);
 217                return 0;
 218        }
 219
 220        if (strcmp(var, "receive.keepalive") == 0) {
 221                keepalive_in_sec = git_config_int(var, value);
 222                return 0;
 223        }
 224
 225        if (strcmp(var, "receive.maxinputsize") == 0) {
 226                max_input_size = git_config_int64(var, value);
 227                return 0;
 228        }
 229
 230        return git_default_config(var, value, cb);
 231}
 232
 233static void show_ref(const char *path, const struct object_id *oid)
 234{
 235        if (sent_capabilities) {
 236                packet_write_fmt(1, "%s %s\n", oid_to_hex(oid), path);
 237        } else {
 238                struct strbuf cap = STRBUF_INIT;
 239
 240                strbuf_addstr(&cap,
 241                              "report-status delete-refs side-band-64k quiet");
 242                if (advertise_atomic_push)
 243                        strbuf_addstr(&cap, " atomic");
 244                if (prefer_ofs_delta)
 245                        strbuf_addstr(&cap, " ofs-delta");
 246                if (push_cert_nonce)
 247                        strbuf_addf(&cap, " push-cert=%s", push_cert_nonce);
 248                if (advertise_push_options)
 249                        strbuf_addstr(&cap, " push-options");
 250                strbuf_addf(&cap, " agent=%s", git_user_agent_sanitized());
 251                packet_write_fmt(1, "%s %s%c%s\n",
 252                             oid_to_hex(oid), path, 0, cap.buf);
 253                strbuf_release(&cap);
 254                sent_capabilities = 1;
 255        }
 256}
 257
 258static int show_ref_cb(const char *path_full, const struct object_id *oid,
 259                       int flag, void *data)
 260{
 261        struct oidset *seen = data;
 262        const char *path = strip_namespace(path_full);
 263
 264        if (ref_is_hidden(path, path_full))
 265                return 0;
 266
 267        /*
 268         * Advertise refs outside our current namespace as ".have"
 269         * refs, so that the client can use them to minimize data
 270         * transfer but will otherwise ignore them.
 271         */
 272        if (!path) {
 273                if (oidset_insert(seen, oid))
 274                        return 0;
 275                path = ".have";
 276        } else {
 277                oidset_insert(seen, oid);
 278        }
 279        show_ref(path, oid);
 280        return 0;
 281}
 282
 283static void show_one_alternate_ref(const struct object_id *oid,
 284                                   void *data)
 285{
 286        struct oidset *seen = data;
 287
 288        if (oidset_insert(seen, oid))
 289                return;
 290
 291        show_ref(".have", oid);
 292}
 293
 294static void write_head_info(void)
 295{
 296        static struct oidset seen = OIDSET_INIT;
 297
 298        for_each_ref(show_ref_cb, &seen);
 299        for_each_alternate_ref(show_one_alternate_ref, &seen);
 300        oidset_clear(&seen);
 301        if (!sent_capabilities)
 302                show_ref("capabilities^{}", &null_oid);
 303
 304        advertise_shallow_grafts(1);
 305
 306        /* EOF */
 307        packet_flush(1);
 308}
 309
 310struct command {
 311        struct command *next;
 312        const char *error_string;
 313        unsigned int skip_update:1,
 314                     did_not_exist:1;
 315        int index;
 316        struct object_id old_oid;
 317        struct object_id new_oid;
 318        char ref_name[FLEX_ARRAY]; /* more */
 319};
 320
 321static void rp_error(const char *err, ...) __attribute__((format (printf, 1, 2)));
 322static void rp_warning(const char *err, ...) __attribute__((format (printf, 1, 2)));
 323
 324static void report_message(const char *prefix, const char *err, va_list params)
 325{
 326        int sz;
 327        char msg[4096];
 328
 329        sz = xsnprintf(msg, sizeof(msg), "%s", prefix);
 330        sz += vsnprintf(msg + sz, sizeof(msg) - sz, err, params);
 331        if (sz > (sizeof(msg) - 1))
 332                sz = sizeof(msg) - 1;
 333        msg[sz++] = '\n';
 334
 335        if (use_sideband)
 336                send_sideband(1, 2, msg, sz, use_sideband);
 337        else
 338                xwrite(2, msg, sz);
 339}
 340
 341static void rp_warning(const char *err, ...)
 342{
 343        va_list params;
 344        va_start(params, err);
 345        report_message("warning: ", err, params);
 346        va_end(params);
 347}
 348
 349static void rp_error(const char *err, ...)
 350{
 351        va_list params;
 352        va_start(params, err);
 353        report_message("error: ", err, params);
 354        va_end(params);
 355}
 356
 357static int copy_to_sideband(int in, int out, void *arg)
 358{
 359        char data[128];
 360        int keepalive_active = 0;
 361
 362        if (keepalive_in_sec <= 0)
 363                use_keepalive = KEEPALIVE_NEVER;
 364        if (use_keepalive == KEEPALIVE_ALWAYS)
 365                keepalive_active = 1;
 366
 367        while (1) {
 368                ssize_t sz;
 369
 370                if (keepalive_active) {
 371                        struct pollfd pfd;
 372                        int ret;
 373
 374                        pfd.fd = in;
 375                        pfd.events = POLLIN;
 376                        ret = poll(&pfd, 1, 1000 * keepalive_in_sec);
 377
 378                        if (ret < 0) {
 379                                if (errno == EINTR)
 380                                        continue;
 381                                else
 382                                        break;
 383                        } else if (ret == 0) {
 384                                /* no data; send a keepalive packet */
 385                                static const char buf[] = "0005\1";
 386                                write_or_die(1, buf, sizeof(buf) - 1);
 387                                continue;
 388                        } /* else there is actual data to read */
 389                }
 390
 391                sz = xread(in, data, sizeof(data));
 392                if (sz <= 0)
 393                        break;
 394
 395                if (use_keepalive == KEEPALIVE_AFTER_NUL && !keepalive_active) {
 396                        const char *p = memchr(data, '\0', sz);
 397                        if (p) {
 398                                /*
 399                                 * The NUL tells us to start sending keepalives. Make
 400                                 * sure we send any other data we read along
 401                                 * with it.
 402                                 */
 403                                keepalive_active = 1;
 404                                send_sideband(1, 2, data, p - data, use_sideband);
 405                                send_sideband(1, 2, p + 1, sz - (p - data + 1), use_sideband);
 406                                continue;
 407                        }
 408                }
 409
 410                /*
 411                 * Either we're not looking for a NUL signal, or we didn't see
 412                 * it yet; just pass along the data.
 413                 */
 414                send_sideband(1, 2, data, sz, use_sideband);
 415        }
 416        close(in);
 417        return 0;
 418}
 419
 420#define HMAC_BLOCK_SIZE 64
 421
 422static void hmac_sha1(unsigned char *out,
 423                      const char *key_in, size_t key_len,
 424                      const char *text, size_t text_len)
 425{
 426        unsigned char key[HMAC_BLOCK_SIZE];
 427        unsigned char k_ipad[HMAC_BLOCK_SIZE];
 428        unsigned char k_opad[HMAC_BLOCK_SIZE];
 429        int i;
 430        git_SHA_CTX ctx;
 431
 432        /* RFC 2104 2. (1) */
 433        memset(key, '\0', HMAC_BLOCK_SIZE);
 434        if (HMAC_BLOCK_SIZE < key_len) {
 435                git_SHA1_Init(&ctx);
 436                git_SHA1_Update(&ctx, key_in, key_len);
 437                git_SHA1_Final(key, &ctx);
 438        } else {
 439                memcpy(key, key_in, key_len);
 440        }
 441
 442        /* RFC 2104 2. (2) & (5) */
 443        for (i = 0; i < sizeof(key); i++) {
 444                k_ipad[i] = key[i] ^ 0x36;
 445                k_opad[i] = key[i] ^ 0x5c;
 446        }
 447
 448        /* RFC 2104 2. (3) & (4) */
 449        git_SHA1_Init(&ctx);
 450        git_SHA1_Update(&ctx, k_ipad, sizeof(k_ipad));
 451        git_SHA1_Update(&ctx, text, text_len);
 452        git_SHA1_Final(out, &ctx);
 453
 454        /* RFC 2104 2. (6) & (7) */
 455        git_SHA1_Init(&ctx);
 456        git_SHA1_Update(&ctx, k_opad, sizeof(k_opad));
 457        git_SHA1_Update(&ctx, out, GIT_SHA1_RAWSZ);
 458        git_SHA1_Final(out, &ctx);
 459}
 460
 461static char *prepare_push_cert_nonce(const char *path, timestamp_t stamp)
 462{
 463        struct strbuf buf = STRBUF_INIT;
 464        unsigned char sha1[GIT_SHA1_RAWSZ];
 465
 466        strbuf_addf(&buf, "%s:%"PRItime, path, stamp);
 467        hmac_sha1(sha1, buf.buf, buf.len, cert_nonce_seed, strlen(cert_nonce_seed));
 468        strbuf_release(&buf);
 469
 470        /* RFC 2104 5. HMAC-SHA1-80 */
 471        strbuf_addf(&buf, "%"PRItime"-%.*s", stamp, GIT_SHA1_HEXSZ, sha1_to_hex(sha1));
 472        return strbuf_detach(&buf, NULL);
 473}
 474
 475/*
 476 * NEEDSWORK: reuse find_commit_header() from jk/commit-author-parsing
 477 * after dropping "_commit" from its name and possibly moving it out
 478 * of commit.c
 479 */
 480static char *find_header(const char *msg, size_t len, const char *key,
 481                         const char **next_line)
 482{
 483        int key_len = strlen(key);
 484        const char *line = msg;
 485
 486        while (line && line < msg + len) {
 487                const char *eol = strchrnul(line, '\n');
 488
 489                if ((msg + len <= eol) || line == eol)
 490                        return NULL;
 491                if (line + key_len < eol &&
 492                    !memcmp(line, key, key_len) && line[key_len] == ' ') {
 493                        int offset = key_len + 1;
 494                        if (next_line)
 495                                *next_line = *eol ? eol + 1 : eol;
 496                        return xmemdupz(line + offset, (eol - line) - offset);
 497                }
 498                line = *eol ? eol + 1 : NULL;
 499        }
 500        return NULL;
 501}
 502
 503static const char *check_nonce(const char *buf, size_t len)
 504{
 505        char *nonce = find_header(buf, len, "nonce", NULL);
 506        timestamp_t stamp, ostamp;
 507        char *bohmac, *expect = NULL;
 508        const char *retval = NONCE_BAD;
 509
 510        if (!nonce) {
 511                retval = NONCE_MISSING;
 512                goto leave;
 513        } else if (!push_cert_nonce) {
 514                retval = NONCE_UNSOLICITED;
 515                goto leave;
 516        } else if (!strcmp(push_cert_nonce, nonce)) {
 517                retval = NONCE_OK;
 518                goto leave;
 519        }
 520
 521        if (!stateless_rpc) {
 522                /* returned nonce MUST match what we gave out earlier */
 523                retval = NONCE_BAD;
 524                goto leave;
 525        }
 526
 527        /*
 528         * In stateless mode, we may be receiving a nonce issued by
 529         * another instance of the server that serving the same
 530         * repository, and the timestamps may not match, but the
 531         * nonce-seed and dir should match, so we can recompute and
 532         * report the time slop.
 533         *
 534         * In addition, when a nonce issued by another instance has
 535         * timestamp within receive.certnonceslop seconds, we pretend
 536         * as if we issued that nonce when reporting to the hook.
 537         */
 538
 539        /* nonce is concat(<seconds-since-epoch>, "-", <hmac>) */
 540        if (*nonce <= '0' || '9' < *nonce) {
 541                retval = NONCE_BAD;
 542                goto leave;
 543        }
 544        stamp = parse_timestamp(nonce, &bohmac, 10);
 545        if (bohmac == nonce || bohmac[0] != '-') {
 546                retval = NONCE_BAD;
 547                goto leave;
 548        }
 549
 550        expect = prepare_push_cert_nonce(service_dir, stamp);
 551        if (strcmp(expect, nonce)) {
 552                /* Not what we would have signed earlier */
 553                retval = NONCE_BAD;
 554                goto leave;
 555        }
 556
 557        /*
 558         * By how many seconds is this nonce stale?  Negative value
 559         * would mean it was issued by another server with its clock
 560         * skewed in the future.
 561         */
 562        ostamp = parse_timestamp(push_cert_nonce, NULL, 10);
 563        nonce_stamp_slop = (long)ostamp - (long)stamp;
 564
 565        if (nonce_stamp_slop_limit &&
 566            labs(nonce_stamp_slop) <= nonce_stamp_slop_limit) {
 567                /*
 568                 * Pretend as if the received nonce (which passes the
 569                 * HMAC check, so it is not a forged by third-party)
 570                 * is what we issued.
 571                 */
 572                free((void *)push_cert_nonce);
 573                push_cert_nonce = xstrdup(nonce);
 574                retval = NONCE_OK;
 575        } else {
 576                retval = NONCE_SLOP;
 577        }
 578
 579leave:
 580        free(nonce);
 581        free(expect);
 582        return retval;
 583}
 584
 585/*
 586 * Return 1 if there is no push_cert or if the push options in push_cert are
 587 * the same as those in the argument; 0 otherwise.
 588 */
 589static int check_cert_push_options(const struct string_list *push_options)
 590{
 591        const char *buf = push_cert.buf;
 592        int len = push_cert.len;
 593
 594        char *option;
 595        const char *next_line;
 596        int options_seen = 0;
 597
 598        int retval = 1;
 599
 600        if (!len)
 601                return 1;
 602
 603        while ((option = find_header(buf, len, "push-option", &next_line))) {
 604                len -= (next_line - buf);
 605                buf = next_line;
 606                options_seen++;
 607                if (options_seen > push_options->nr
 608                    || strcmp(option,
 609                              push_options->items[options_seen - 1].string)) {
 610                        retval = 0;
 611                        goto leave;
 612                }
 613                free(option);
 614        }
 615
 616        if (options_seen != push_options->nr)
 617                retval = 0;
 618
 619leave:
 620        free(option);
 621        return retval;
 622}
 623
 624static void prepare_push_cert_sha1(struct child_process *proc)
 625{
 626        static int already_done;
 627
 628        if (!push_cert.len)
 629                return;
 630
 631        if (!already_done) {
 632                int bogs /* beginning_of_gpg_sig */;
 633
 634                already_done = 1;
 635                if (write_object_file(push_cert.buf, push_cert.len, "blob",
 636                                      &push_cert_oid))
 637                        oidclr(&push_cert_oid);
 638
 639                memset(&sigcheck, '\0', sizeof(sigcheck));
 640
 641                bogs = parse_signature(push_cert.buf, push_cert.len);
 642                check_signature(push_cert.buf, bogs, push_cert.buf + bogs,
 643                                push_cert.len - bogs, &sigcheck);
 644
 645                nonce_status = check_nonce(push_cert.buf, bogs);
 646        }
 647        if (!is_null_oid(&push_cert_oid)) {
 648                argv_array_pushf(&proc->env_array, "GIT_PUSH_CERT=%s",
 649                                 oid_to_hex(&push_cert_oid));
 650                argv_array_pushf(&proc->env_array, "GIT_PUSH_CERT_SIGNER=%s",
 651                                 sigcheck.signer ? sigcheck.signer : "");
 652                argv_array_pushf(&proc->env_array, "GIT_PUSH_CERT_KEY=%s",
 653                                 sigcheck.key ? sigcheck.key : "");
 654                argv_array_pushf(&proc->env_array, "GIT_PUSH_CERT_STATUS=%c",
 655                                 sigcheck.result);
 656                if (push_cert_nonce) {
 657                        argv_array_pushf(&proc->env_array,
 658                                         "GIT_PUSH_CERT_NONCE=%s",
 659                                         push_cert_nonce);
 660                        argv_array_pushf(&proc->env_array,
 661                                         "GIT_PUSH_CERT_NONCE_STATUS=%s",
 662                                         nonce_status);
 663                        if (nonce_status == NONCE_SLOP)
 664                                argv_array_pushf(&proc->env_array,
 665                                                 "GIT_PUSH_CERT_NONCE_SLOP=%ld",
 666                                                 nonce_stamp_slop);
 667                }
 668        }
 669}
 670
 671struct receive_hook_feed_state {
 672        struct command *cmd;
 673        int skip_broken;
 674        struct strbuf buf;
 675        const struct string_list *push_options;
 676};
 677
 678typedef int (*feed_fn)(void *, const char **, size_t *);
 679static int run_and_feed_hook(const char *hook_name, feed_fn feed,
 680                             struct receive_hook_feed_state *feed_state)
 681{
 682        struct child_process proc = CHILD_PROCESS_INIT;
 683        struct async muxer;
 684        const char *argv[2];
 685        int code;
 686
 687        argv[0] = find_hook(hook_name);
 688        if (!argv[0])
 689                return 0;
 690
 691        argv[1] = NULL;
 692
 693        proc.argv = argv;
 694        proc.in = -1;
 695        proc.stdout_to_stderr = 1;
 696        proc.trace2_hook_name = hook_name;
 697
 698        if (feed_state->push_options) {
 699                int i;
 700                for (i = 0; i < feed_state->push_options->nr; i++)
 701                        argv_array_pushf(&proc.env_array,
 702                                "GIT_PUSH_OPTION_%d=%s", i,
 703                                feed_state->push_options->items[i].string);
 704                argv_array_pushf(&proc.env_array, "GIT_PUSH_OPTION_COUNT=%d",
 705                                 feed_state->push_options->nr);
 706        } else
 707                argv_array_pushf(&proc.env_array, "GIT_PUSH_OPTION_COUNT");
 708
 709        if (tmp_objdir)
 710                argv_array_pushv(&proc.env_array, tmp_objdir_env(tmp_objdir));
 711
 712        if (use_sideband) {
 713                memset(&muxer, 0, sizeof(muxer));
 714                muxer.proc = copy_to_sideband;
 715                muxer.in = -1;
 716                code = start_async(&muxer);
 717                if (code)
 718                        return code;
 719                proc.err = muxer.in;
 720        }
 721
 722        prepare_push_cert_sha1(&proc);
 723
 724        code = start_command(&proc);
 725        if (code) {
 726                if (use_sideband)
 727                        finish_async(&muxer);
 728                return code;
 729        }
 730
 731        sigchain_push(SIGPIPE, SIG_IGN);
 732
 733        while (1) {
 734                const char *buf;
 735                size_t n;
 736                if (feed(feed_state, &buf, &n))
 737                        break;
 738                if (write_in_full(proc.in, buf, n) < 0)
 739                        break;
 740        }
 741        close(proc.in);
 742        if (use_sideband)
 743                finish_async(&muxer);
 744
 745        sigchain_pop(SIGPIPE);
 746
 747        return finish_command(&proc);
 748}
 749
 750static int feed_receive_hook(void *state_, const char **bufp, size_t *sizep)
 751{
 752        struct receive_hook_feed_state *state = state_;
 753        struct command *cmd = state->cmd;
 754
 755        while (cmd &&
 756               state->skip_broken && (cmd->error_string || cmd->did_not_exist))
 757                cmd = cmd->next;
 758        if (!cmd)
 759                return -1; /* EOF */
 760        strbuf_reset(&state->buf);
 761        strbuf_addf(&state->buf, "%s %s %s\n",
 762                    oid_to_hex(&cmd->old_oid), oid_to_hex(&cmd->new_oid),
 763                    cmd->ref_name);
 764        state->cmd = cmd->next;
 765        if (bufp) {
 766                *bufp = state->buf.buf;
 767                *sizep = state->buf.len;
 768        }
 769        return 0;
 770}
 771
 772static int run_receive_hook(struct command *commands,
 773                            const char *hook_name,
 774                            int skip_broken,
 775                            const struct string_list *push_options)
 776{
 777        struct receive_hook_feed_state state;
 778        int status;
 779
 780        strbuf_init(&state.buf, 0);
 781        state.cmd = commands;
 782        state.skip_broken = skip_broken;
 783        if (feed_receive_hook(&state, NULL, NULL))
 784                return 0;
 785        state.cmd = commands;
 786        state.push_options = push_options;
 787        status = run_and_feed_hook(hook_name, feed_receive_hook, &state);
 788        strbuf_release(&state.buf);
 789        return status;
 790}
 791
 792static int run_update_hook(struct command *cmd)
 793{
 794        const char *argv[5];
 795        struct child_process proc = CHILD_PROCESS_INIT;
 796        int code;
 797
 798        argv[0] = find_hook("update");
 799        if (!argv[0])
 800                return 0;
 801
 802        argv[1] = cmd->ref_name;
 803        argv[2] = oid_to_hex(&cmd->old_oid);
 804        argv[3] = oid_to_hex(&cmd->new_oid);
 805        argv[4] = NULL;
 806
 807        proc.no_stdin = 1;
 808        proc.stdout_to_stderr = 1;
 809        proc.err = use_sideband ? -1 : 0;
 810        proc.argv = argv;
 811        proc.trace2_hook_name = "update";
 812
 813        code = start_command(&proc);
 814        if (code)
 815                return code;
 816        if (use_sideband)
 817                copy_to_sideband(proc.err, -1, NULL);
 818        return finish_command(&proc);
 819}
 820
 821static int is_ref_checked_out(const char *ref)
 822{
 823        if (is_bare_repository())
 824                return 0;
 825
 826        if (!head_name)
 827                return 0;
 828        return !strcmp(head_name, ref);
 829}
 830
 831static char *refuse_unconfigured_deny_msg =
 832        N_("By default, updating the current branch in a non-bare repository\n"
 833           "is denied, because it will make the index and work tree inconsistent\n"
 834           "with what you pushed, and will require 'git reset --hard' to match\n"
 835           "the work tree to HEAD.\n"
 836           "\n"
 837           "You can set the 'receive.denyCurrentBranch' configuration variable\n"
 838           "to 'ignore' or 'warn' in the remote repository to allow pushing into\n"
 839           "its current branch; however, this is not recommended unless you\n"
 840           "arranged to update its work tree to match what you pushed in some\n"
 841           "other way.\n"
 842           "\n"
 843           "To squelch this message and still keep the default behaviour, set\n"
 844           "'receive.denyCurrentBranch' configuration variable to 'refuse'.");
 845
 846static void refuse_unconfigured_deny(void)
 847{
 848        rp_error("%s", _(refuse_unconfigured_deny_msg));
 849}
 850
 851static char *refuse_unconfigured_deny_delete_current_msg =
 852        N_("By default, deleting the current branch is denied, because the next\n"
 853           "'git clone' won't result in any file checked out, causing confusion.\n"
 854           "\n"
 855           "You can set 'receive.denyDeleteCurrent' configuration variable to\n"
 856           "'warn' or 'ignore' in the remote repository to allow deleting the\n"
 857           "current branch, with or without a warning message.\n"
 858           "\n"
 859           "To squelch this message, you can set it to 'refuse'.");
 860
 861static void refuse_unconfigured_deny_delete_current(void)
 862{
 863        rp_error("%s", _(refuse_unconfigured_deny_delete_current_msg));
 864}
 865
 866static int command_singleton_iterator(void *cb_data, struct object_id *oid);
 867static int update_shallow_ref(struct command *cmd, struct shallow_info *si)
 868{
 869        struct lock_file shallow_lock = LOCK_INIT;
 870        struct oid_array extra = OID_ARRAY_INIT;
 871        struct check_connected_options opt = CHECK_CONNECTED_INIT;
 872        uint32_t mask = 1 << (cmd->index % 32);
 873        int i;
 874
 875        trace_printf_key(&trace_shallow,
 876                         "shallow: update_shallow_ref %s\n", cmd->ref_name);
 877        for (i = 0; i < si->shallow->nr; i++)
 878                if (si->used_shallow[i] &&
 879                    (si->used_shallow[i][cmd->index / 32] & mask) &&
 880                    !delayed_reachability_test(si, i))
 881                        oid_array_append(&extra, &si->shallow->oid[i]);
 882
 883        opt.env = tmp_objdir_env(tmp_objdir);
 884        setup_alternate_shallow(&shallow_lock, &opt.shallow_file, &extra);
 885        if (check_connected(command_singleton_iterator, cmd, &opt)) {
 886                rollback_lock_file(&shallow_lock);
 887                oid_array_clear(&extra);
 888                return -1;
 889        }
 890
 891        commit_lock_file(&shallow_lock);
 892
 893        /*
 894         * Make sure setup_alternate_shallow() for the next ref does
 895         * not lose these new roots..
 896         */
 897        for (i = 0; i < extra.nr; i++)
 898                register_shallow(the_repository, &extra.oid[i]);
 899
 900        si->shallow_ref[cmd->index] = 0;
 901        oid_array_clear(&extra);
 902        return 0;
 903}
 904
 905/*
 906 * NEEDSWORK: we should consolidate various implementions of "are we
 907 * on an unborn branch?" test into one, and make the unified one more
 908 * robust. !get_sha1() based check used here and elsewhere would not
 909 * allow us to tell an unborn branch from corrupt ref, for example.
 910 * For the purpose of fixing "deploy-to-update does not work when
 911 * pushing into an empty repository" issue, this should suffice for
 912 * now.
 913 */
 914static int head_has_history(void)
 915{
 916        struct object_id oid;
 917
 918        return !get_oid("HEAD", &oid);
 919}
 920
 921static const char *push_to_deploy(unsigned char *sha1,
 922                                  struct argv_array *env,
 923                                  const char *work_tree)
 924{
 925        const char *update_refresh[] = {
 926                "update-index", "-q", "--ignore-submodules", "--refresh", NULL
 927        };
 928        const char *diff_files[] = {
 929                "diff-files", "--quiet", "--ignore-submodules", "--", NULL
 930        };
 931        const char *diff_index[] = {
 932                "diff-index", "--quiet", "--cached", "--ignore-submodules",
 933                NULL, "--", NULL
 934        };
 935        const char *read_tree[] = {
 936                "read-tree", "-u", "-m", NULL, NULL
 937        };
 938        struct child_process child = CHILD_PROCESS_INIT;
 939
 940        child.argv = update_refresh;
 941        child.env = env->argv;
 942        child.dir = work_tree;
 943        child.no_stdin = 1;
 944        child.stdout_to_stderr = 1;
 945        child.git_cmd = 1;
 946        if (run_command(&child))
 947                return "Up-to-date check failed";
 948
 949        /* run_command() does not clean up completely; reinitialize */
 950        child_process_init(&child);
 951        child.argv = diff_files;
 952        child.env = env->argv;
 953        child.dir = work_tree;
 954        child.no_stdin = 1;
 955        child.stdout_to_stderr = 1;
 956        child.git_cmd = 1;
 957        if (run_command(&child))
 958                return "Working directory has unstaged changes";
 959
 960        /* diff-index with either HEAD or an empty tree */
 961        diff_index[4] = head_has_history() ? "HEAD" : empty_tree_oid_hex();
 962
 963        child_process_init(&child);
 964        child.argv = diff_index;
 965        child.env = env->argv;
 966        child.no_stdin = 1;
 967        child.no_stdout = 1;
 968        child.stdout_to_stderr = 0;
 969        child.git_cmd = 1;
 970        if (run_command(&child))
 971                return "Working directory has staged changes";
 972
 973        read_tree[3] = sha1_to_hex(sha1);
 974        child_process_init(&child);
 975        child.argv = read_tree;
 976        child.env = env->argv;
 977        child.dir = work_tree;
 978        child.no_stdin = 1;
 979        child.no_stdout = 1;
 980        child.stdout_to_stderr = 0;
 981        child.git_cmd = 1;
 982        if (run_command(&child))
 983                return "Could not update working tree to new HEAD";
 984
 985        return NULL;
 986}
 987
 988static const char *push_to_checkout_hook = "push-to-checkout";
 989
 990static const char *push_to_checkout(unsigned char *sha1,
 991                                    struct argv_array *env,
 992                                    const char *work_tree)
 993{
 994        argv_array_pushf(env, "GIT_WORK_TREE=%s", absolute_path(work_tree));
 995        if (run_hook_le(env->argv, push_to_checkout_hook,
 996                        sha1_to_hex(sha1), NULL))
 997                return "push-to-checkout hook declined";
 998        else
 999                return NULL;
1000}
1001
1002static const char *update_worktree(unsigned char *sha1)
1003{
1004        const char *retval;
1005        const char *work_tree = git_work_tree_cfg ? git_work_tree_cfg : "..";
1006        struct argv_array env = ARGV_ARRAY_INIT;
1007
1008        if (is_bare_repository())
1009                return "denyCurrentBranch = updateInstead needs a worktree";
1010
1011        argv_array_pushf(&env, "GIT_DIR=%s", absolute_path(get_git_dir()));
1012
1013        if (!find_hook(push_to_checkout_hook))
1014                retval = push_to_deploy(sha1, &env, work_tree);
1015        else
1016                retval = push_to_checkout(sha1, &env, work_tree);
1017
1018        argv_array_clear(&env);
1019        return retval;
1020}
1021
1022static const char *update(struct command *cmd, struct shallow_info *si)
1023{
1024        const char *name = cmd->ref_name;
1025        struct strbuf namespaced_name_buf = STRBUF_INIT;
1026        static char *namespaced_name;
1027        const char *ret;
1028        struct object_id *old_oid = &cmd->old_oid;
1029        struct object_id *new_oid = &cmd->new_oid;
1030        int do_update_worktree = 0;
1031
1032        /* only refs/... are allowed */
1033        if (!starts_with(name, "refs/") || check_refname_format(name + 5, 0)) {
1034                rp_error("refusing to create funny ref '%s' remotely", name);
1035                return "funny refname";
1036        }
1037
1038        strbuf_addf(&namespaced_name_buf, "%s%s", get_git_namespace(), name);
1039        free(namespaced_name);
1040        namespaced_name = strbuf_detach(&namespaced_name_buf, NULL);
1041
1042        if (is_ref_checked_out(namespaced_name)) {
1043                switch (deny_current_branch) {
1044                case DENY_IGNORE:
1045                        break;
1046                case DENY_WARN:
1047                        rp_warning("updating the current branch");
1048                        break;
1049                case DENY_REFUSE:
1050                case DENY_UNCONFIGURED:
1051                        rp_error("refusing to update checked out branch: %s", name);
1052                        if (deny_current_branch == DENY_UNCONFIGURED)
1053                                refuse_unconfigured_deny();
1054                        return "branch is currently checked out";
1055                case DENY_UPDATE_INSTEAD:
1056                        /* pass -- let other checks intervene first */
1057                        do_update_worktree = 1;
1058                        break;
1059                }
1060        }
1061
1062        if (!is_null_oid(new_oid) && !has_object_file(new_oid)) {
1063                error("unpack should have generated %s, "
1064                      "but I can't find it!", oid_to_hex(new_oid));
1065                return "bad pack";
1066        }
1067
1068        if (!is_null_oid(old_oid) && is_null_oid(new_oid)) {
1069                if (deny_deletes && starts_with(name, "refs/heads/")) {
1070                        rp_error("denying ref deletion for %s", name);
1071                        return "deletion prohibited";
1072                }
1073
1074                if (head_name && !strcmp(namespaced_name, head_name)) {
1075                        switch (deny_delete_current) {
1076                        case DENY_IGNORE:
1077                                break;
1078                        case DENY_WARN:
1079                                rp_warning("deleting the current branch");
1080                                break;
1081                        case DENY_REFUSE:
1082                        case DENY_UNCONFIGURED:
1083                        case DENY_UPDATE_INSTEAD:
1084                                if (deny_delete_current == DENY_UNCONFIGURED)
1085                                        refuse_unconfigured_deny_delete_current();
1086                                rp_error("refusing to delete the current branch: %s", name);
1087                                return "deletion of the current branch prohibited";
1088                        default:
1089                                return "Invalid denyDeleteCurrent setting";
1090                        }
1091                }
1092        }
1093
1094        if (deny_non_fast_forwards && !is_null_oid(new_oid) &&
1095            !is_null_oid(old_oid) &&
1096            starts_with(name, "refs/heads/")) {
1097                struct object *old_object, *new_object;
1098                struct commit *old_commit, *new_commit;
1099
1100                old_object = parse_object(the_repository, old_oid);
1101                new_object = parse_object(the_repository, new_oid);
1102
1103                if (!old_object || !new_object ||
1104                    old_object->type != OBJ_COMMIT ||
1105                    new_object->type != OBJ_COMMIT) {
1106                        error("bad sha1 objects for %s", name);
1107                        return "bad ref";
1108                }
1109                old_commit = (struct commit *)old_object;
1110                new_commit = (struct commit *)new_object;
1111                if (!in_merge_bases(old_commit, new_commit)) {
1112                        rp_error("denying non-fast-forward %s"
1113                                 " (you should pull first)", name);
1114                        return "non-fast-forward";
1115                }
1116        }
1117        if (run_update_hook(cmd)) {
1118                rp_error("hook declined to update %s", name);
1119                return "hook declined";
1120        }
1121
1122        if (do_update_worktree) {
1123                ret = update_worktree(new_oid->hash);
1124                if (ret)
1125                        return ret;
1126        }
1127
1128        if (is_null_oid(new_oid)) {
1129                struct strbuf err = STRBUF_INIT;
1130                if (!parse_object(the_repository, old_oid)) {
1131                        old_oid = NULL;
1132                        if (ref_exists(name)) {
1133                                rp_warning("Allowing deletion of corrupt ref.");
1134                        } else {
1135                                rp_warning("Deleting a non-existent ref.");
1136                                cmd->did_not_exist = 1;
1137                        }
1138                }
1139                if (ref_transaction_delete(transaction,
1140                                           namespaced_name,
1141                                           old_oid,
1142                                           0, "push", &err)) {
1143                        rp_error("%s", err.buf);
1144                        strbuf_release(&err);
1145                        return "failed to delete";
1146                }
1147                strbuf_release(&err);
1148                return NULL; /* good */
1149        }
1150        else {
1151                struct strbuf err = STRBUF_INIT;
1152                if (shallow_update && si->shallow_ref[cmd->index] &&
1153                    update_shallow_ref(cmd, si))
1154                        return "shallow error";
1155
1156                if (ref_transaction_update(transaction,
1157                                           namespaced_name,
1158                                           new_oid, old_oid,
1159                                           0, "push",
1160                                           &err)) {
1161                        rp_error("%s", err.buf);
1162                        strbuf_release(&err);
1163
1164                        return "failed to update ref";
1165                }
1166                strbuf_release(&err);
1167
1168                return NULL; /* good */
1169        }
1170}
1171
1172static void run_update_post_hook(struct command *commands)
1173{
1174        struct command *cmd;
1175        struct child_process proc = CHILD_PROCESS_INIT;
1176        const char *hook;
1177
1178        hook = find_hook("post-update");
1179        if (!hook)
1180                return;
1181
1182        for (cmd = commands; cmd; cmd = cmd->next) {
1183                if (cmd->error_string || cmd->did_not_exist)
1184                        continue;
1185                if (!proc.args.argc)
1186                        argv_array_push(&proc.args, hook);
1187                argv_array_push(&proc.args, cmd->ref_name);
1188        }
1189        if (!proc.args.argc)
1190                return;
1191
1192        proc.no_stdin = 1;
1193        proc.stdout_to_stderr = 1;
1194        proc.err = use_sideband ? -1 : 0;
1195        proc.trace2_hook_name = "post-update";
1196
1197        if (!start_command(&proc)) {
1198                if (use_sideband)
1199                        copy_to_sideband(proc.err, -1, NULL);
1200                finish_command(&proc);
1201        }
1202}
1203
1204static void check_aliased_update_internal(struct command *cmd,
1205                                          struct string_list *list,
1206                                          const char *dst_name, int flag)
1207{
1208        struct string_list_item *item;
1209        struct command *dst_cmd;
1210
1211        if (!(flag & REF_ISSYMREF))
1212                return;
1213
1214        if (!dst_name) {
1215                rp_error("refusing update to broken symref '%s'", cmd->ref_name);
1216                cmd->skip_update = 1;
1217                cmd->error_string = "broken symref";
1218                return;
1219        }
1220        dst_name = strip_namespace(dst_name);
1221
1222        if ((item = string_list_lookup(list, dst_name)) == NULL)
1223                return;
1224
1225        cmd->skip_update = 1;
1226
1227        dst_cmd = (struct command *) item->util;
1228
1229        if (oideq(&cmd->old_oid, &dst_cmd->old_oid) &&
1230            oideq(&cmd->new_oid, &dst_cmd->new_oid))
1231                return;
1232
1233        dst_cmd->skip_update = 1;
1234
1235        rp_error("refusing inconsistent update between symref '%s' (%s..%s) and"
1236                 " its target '%s' (%s..%s)",
1237                 cmd->ref_name,
1238                 find_unique_abbrev(&cmd->old_oid, DEFAULT_ABBREV),
1239                 find_unique_abbrev(&cmd->new_oid, DEFAULT_ABBREV),
1240                 dst_cmd->ref_name,
1241                 find_unique_abbrev(&dst_cmd->old_oid, DEFAULT_ABBREV),
1242                 find_unique_abbrev(&dst_cmd->new_oid, DEFAULT_ABBREV));
1243
1244        cmd->error_string = dst_cmd->error_string =
1245                "inconsistent aliased update";
1246}
1247
1248static void check_aliased_update(struct command *cmd, struct string_list *list)
1249{
1250        struct strbuf buf = STRBUF_INIT;
1251        const char *dst_name;
1252        int flag;
1253
1254        strbuf_addf(&buf, "%s%s", get_git_namespace(), cmd->ref_name);
1255        dst_name = resolve_ref_unsafe(buf.buf, 0, NULL, &flag);
1256        check_aliased_update_internal(cmd, list, dst_name, flag);
1257        strbuf_release(&buf);
1258}
1259
1260static void check_aliased_updates(struct command *commands)
1261{
1262        struct command *cmd;
1263        struct string_list ref_list = STRING_LIST_INIT_NODUP;
1264
1265        for (cmd = commands; cmd; cmd = cmd->next) {
1266                struct string_list_item *item =
1267                        string_list_append(&ref_list, cmd->ref_name);
1268                item->util = (void *)cmd;
1269        }
1270        string_list_sort(&ref_list);
1271
1272        for (cmd = commands; cmd; cmd = cmd->next) {
1273                if (!cmd->error_string)
1274                        check_aliased_update(cmd, &ref_list);
1275        }
1276
1277        string_list_clear(&ref_list, 0);
1278}
1279
1280static int command_singleton_iterator(void *cb_data, struct object_id *oid)
1281{
1282        struct command **cmd_list = cb_data;
1283        struct command *cmd = *cmd_list;
1284
1285        if (!cmd || is_null_oid(&cmd->new_oid))
1286                return -1; /* end of list */
1287        *cmd_list = NULL; /* this returns only one */
1288        oidcpy(oid, &cmd->new_oid);
1289        return 0;
1290}
1291
1292static void set_connectivity_errors(struct command *commands,
1293                                    struct shallow_info *si)
1294{
1295        struct command *cmd;
1296
1297        for (cmd = commands; cmd; cmd = cmd->next) {
1298                struct command *singleton = cmd;
1299                struct check_connected_options opt = CHECK_CONNECTED_INIT;
1300
1301                if (shallow_update && si->shallow_ref[cmd->index])
1302                        /* to be checked in update_shallow_ref() */
1303                        continue;
1304
1305                opt.env = tmp_objdir_env(tmp_objdir);
1306                if (!check_connected(command_singleton_iterator, &singleton,
1307                                     &opt))
1308                        continue;
1309
1310                cmd->error_string = "missing necessary objects";
1311        }
1312}
1313
1314struct iterate_data {
1315        struct command *cmds;
1316        struct shallow_info *si;
1317};
1318
1319static int iterate_receive_command_list(void *cb_data, struct object_id *oid)
1320{
1321        struct iterate_data *data = cb_data;
1322        struct command **cmd_list = &data->cmds;
1323        struct command *cmd = *cmd_list;
1324
1325        for (; cmd; cmd = cmd->next) {
1326                if (shallow_update && data->si->shallow_ref[cmd->index])
1327                        /* to be checked in update_shallow_ref() */
1328                        continue;
1329                if (!is_null_oid(&cmd->new_oid) && !cmd->skip_update) {
1330                        oidcpy(oid, &cmd->new_oid);
1331                        *cmd_list = cmd->next;
1332                        return 0;
1333                }
1334        }
1335        *cmd_list = NULL;
1336        return -1; /* end of list */
1337}
1338
1339static void reject_updates_to_hidden(struct command *commands)
1340{
1341        struct strbuf refname_full = STRBUF_INIT;
1342        size_t prefix_len;
1343        struct command *cmd;
1344
1345        strbuf_addstr(&refname_full, get_git_namespace());
1346        prefix_len = refname_full.len;
1347
1348        for (cmd = commands; cmd; cmd = cmd->next) {
1349                if (cmd->error_string)
1350                        continue;
1351
1352                strbuf_setlen(&refname_full, prefix_len);
1353                strbuf_addstr(&refname_full, cmd->ref_name);
1354
1355                if (!ref_is_hidden(cmd->ref_name, refname_full.buf))
1356                        continue;
1357                if (is_null_oid(&cmd->new_oid))
1358                        cmd->error_string = "deny deleting a hidden ref";
1359                else
1360                        cmd->error_string = "deny updating a hidden ref";
1361        }
1362
1363        strbuf_release(&refname_full);
1364}
1365
1366static int should_process_cmd(struct command *cmd)
1367{
1368        return !cmd->error_string && !cmd->skip_update;
1369}
1370
1371static void warn_if_skipped_connectivity_check(struct command *commands,
1372                                               struct shallow_info *si)
1373{
1374        struct command *cmd;
1375        int checked_connectivity = 1;
1376
1377        for (cmd = commands; cmd; cmd = cmd->next) {
1378                if (should_process_cmd(cmd) && si->shallow_ref[cmd->index]) {
1379                        error("BUG: connectivity check has not been run on ref %s",
1380                              cmd->ref_name);
1381                        checked_connectivity = 0;
1382                }
1383        }
1384        if (!checked_connectivity)
1385                BUG("connectivity check skipped???");
1386}
1387
1388static void execute_commands_non_atomic(struct command *commands,
1389                                        struct shallow_info *si)
1390{
1391        struct command *cmd;
1392        struct strbuf err = STRBUF_INIT;
1393
1394        for (cmd = commands; cmd; cmd = cmd->next) {
1395                if (!should_process_cmd(cmd))
1396                        continue;
1397
1398                transaction = ref_transaction_begin(&err);
1399                if (!transaction) {
1400                        rp_error("%s", err.buf);
1401                        strbuf_reset(&err);
1402                        cmd->error_string = "transaction failed to start";
1403                        continue;
1404                }
1405
1406                cmd->error_string = update(cmd, si);
1407
1408                if (!cmd->error_string
1409                    && ref_transaction_commit(transaction, &err)) {
1410                        rp_error("%s", err.buf);
1411                        strbuf_reset(&err);
1412                        cmd->error_string = "failed to update ref";
1413                }
1414                ref_transaction_free(transaction);
1415        }
1416        strbuf_release(&err);
1417}
1418
1419static void execute_commands_atomic(struct command *commands,
1420                                        struct shallow_info *si)
1421{
1422        struct command *cmd;
1423        struct strbuf err = STRBUF_INIT;
1424        const char *reported_error = "atomic push failure";
1425
1426        transaction = ref_transaction_begin(&err);
1427        if (!transaction) {
1428                rp_error("%s", err.buf);
1429                strbuf_reset(&err);
1430                reported_error = "transaction failed to start";
1431                goto failure;
1432        }
1433
1434        for (cmd = commands; cmd; cmd = cmd->next) {
1435                if (!should_process_cmd(cmd))
1436                        continue;
1437
1438                cmd->error_string = update(cmd, si);
1439
1440                if (cmd->error_string)
1441                        goto failure;
1442        }
1443
1444        if (ref_transaction_commit(transaction, &err)) {
1445                rp_error("%s", err.buf);
1446                reported_error = "atomic transaction failed";
1447                goto failure;
1448        }
1449        goto cleanup;
1450
1451failure:
1452        for (cmd = commands; cmd; cmd = cmd->next)
1453                if (!cmd->error_string)
1454                        cmd->error_string = reported_error;
1455
1456cleanup:
1457        ref_transaction_free(transaction);
1458        strbuf_release(&err);
1459}
1460
1461static void execute_commands(struct command *commands,
1462                             const char *unpacker_error,
1463                             struct shallow_info *si,
1464                             const struct string_list *push_options)
1465{
1466        struct check_connected_options opt = CHECK_CONNECTED_INIT;
1467        struct command *cmd;
1468        struct iterate_data data;
1469        struct async muxer;
1470        int err_fd = 0;
1471
1472        if (unpacker_error) {
1473                for (cmd = commands; cmd; cmd = cmd->next)
1474                        cmd->error_string = "unpacker error";
1475                return;
1476        }
1477
1478        if (use_sideband) {
1479                memset(&muxer, 0, sizeof(muxer));
1480                muxer.proc = copy_to_sideband;
1481                muxer.in = -1;
1482                if (!start_async(&muxer))
1483                        err_fd = muxer.in;
1484                /* ...else, continue without relaying sideband */
1485        }
1486
1487        data.cmds = commands;
1488        data.si = si;
1489        opt.err_fd = err_fd;
1490        opt.progress = err_fd && !quiet;
1491        opt.env = tmp_objdir_env(tmp_objdir);
1492        if (check_connected(iterate_receive_command_list, &data, &opt))
1493                set_connectivity_errors(commands, si);
1494
1495        if (use_sideband)
1496                finish_async(&muxer);
1497
1498        reject_updates_to_hidden(commands);
1499
1500        if (run_receive_hook(commands, "pre-receive", 0, push_options)) {
1501                for (cmd = commands; cmd; cmd = cmd->next) {
1502                        if (!cmd->error_string)
1503                                cmd->error_string = "pre-receive hook declined";
1504                }
1505                return;
1506        }
1507
1508        /*
1509         * Now we'll start writing out refs, which means the objects need
1510         * to be in their final positions so that other processes can see them.
1511         */
1512        if (tmp_objdir_migrate(tmp_objdir) < 0) {
1513                for (cmd = commands; cmd; cmd = cmd->next) {
1514                        if (!cmd->error_string)
1515                                cmd->error_string = "unable to migrate objects to permanent storage";
1516                }
1517                return;
1518        }
1519        tmp_objdir = NULL;
1520
1521        check_aliased_updates(commands);
1522
1523        free(head_name_to_free);
1524        head_name = head_name_to_free = resolve_refdup("HEAD", 0, NULL, NULL);
1525
1526        if (use_atomic)
1527                execute_commands_atomic(commands, si);
1528        else
1529                execute_commands_non_atomic(commands, si);
1530
1531        if (shallow_update)
1532                warn_if_skipped_connectivity_check(commands, si);
1533}
1534
1535static struct command **queue_command(struct command **tail,
1536                                      const char *line,
1537                                      int linelen)
1538{
1539        struct object_id old_oid, new_oid;
1540        struct command *cmd;
1541        const char *refname;
1542        int reflen;
1543        const char *p;
1544
1545        if (parse_oid_hex(line, &old_oid, &p) ||
1546            *p++ != ' ' ||
1547            parse_oid_hex(p, &new_oid, &p) ||
1548            *p++ != ' ')
1549                die("protocol error: expected old/new/ref, got '%s'", line);
1550
1551        refname = p;
1552        reflen = linelen - (p - line);
1553        FLEX_ALLOC_MEM(cmd, ref_name, refname, reflen);
1554        oidcpy(&cmd->old_oid, &old_oid);
1555        oidcpy(&cmd->new_oid, &new_oid);
1556        *tail = cmd;
1557        return &cmd->next;
1558}
1559
1560static void queue_commands_from_cert(struct command **tail,
1561                                     struct strbuf *push_cert)
1562{
1563        const char *boc, *eoc;
1564
1565        if (*tail)
1566                die("protocol error: got both push certificate and unsigned commands");
1567
1568        boc = strstr(push_cert->buf, "\n\n");
1569        if (!boc)
1570                die("malformed push certificate %.*s", 100, push_cert->buf);
1571        else
1572                boc += 2;
1573        eoc = push_cert->buf + parse_signature(push_cert->buf, push_cert->len);
1574
1575        while (boc < eoc) {
1576                const char *eol = memchr(boc, '\n', eoc - boc);
1577                tail = queue_command(tail, boc, eol ? eol - boc : eoc - boc);
1578                boc = eol ? eol + 1 : eoc;
1579        }
1580}
1581
1582static struct command *read_head_info(struct packet_reader *reader,
1583                                      struct oid_array *shallow)
1584{
1585        struct command *commands = NULL;
1586        struct command **p = &commands;
1587        for (;;) {
1588                int linelen;
1589
1590                if (packet_reader_read(reader) != PACKET_READ_NORMAL)
1591                        break;
1592
1593                if (reader->pktlen > 8 && starts_with(reader->line, "shallow ")) {
1594                        struct object_id oid;
1595                        if (get_oid_hex(reader->line + 8, &oid))
1596                                die("protocol error: expected shallow sha, got '%s'",
1597                                    reader->line + 8);
1598                        oid_array_append(shallow, &oid);
1599                        continue;
1600                }
1601
1602                linelen = strlen(reader->line);
1603                if (linelen < reader->pktlen) {
1604                        const char *feature_list = reader->line + linelen + 1;
1605                        if (parse_feature_request(feature_list, "report-status"))
1606                                report_status = 1;
1607                        if (parse_feature_request(feature_list, "side-band-64k"))
1608                                use_sideband = LARGE_PACKET_MAX;
1609                        if (parse_feature_request(feature_list, "quiet"))
1610                                quiet = 1;
1611                        if (advertise_atomic_push
1612                            && parse_feature_request(feature_list, "atomic"))
1613                                use_atomic = 1;
1614                        if (advertise_push_options
1615                            && parse_feature_request(feature_list, "push-options"))
1616                                use_push_options = 1;
1617                }
1618
1619                if (!strcmp(reader->line, "push-cert")) {
1620                        int true_flush = 0;
1621                        int saved_options = reader->options;
1622                        reader->options &= ~PACKET_READ_CHOMP_NEWLINE;
1623
1624                        for (;;) {
1625                                packet_reader_read(reader);
1626                                if (reader->status == PACKET_READ_FLUSH) {
1627                                        true_flush = 1;
1628                                        break;
1629                                }
1630                                if (reader->status != PACKET_READ_NORMAL) {
1631                                        die("protocol error: got an unexpected packet");
1632                                }
1633                                if (!strcmp(reader->line, "push-cert-end\n"))
1634                                        break; /* end of cert */
1635                                strbuf_addstr(&push_cert, reader->line);
1636                        }
1637                        reader->options = saved_options;
1638
1639                        if (true_flush)
1640                                break;
1641                        continue;
1642                }
1643
1644                p = queue_command(p, reader->line, linelen);
1645        }
1646
1647        if (push_cert.len)
1648                queue_commands_from_cert(p, &push_cert);
1649
1650        return commands;
1651}
1652
1653static void read_push_options(struct packet_reader *reader,
1654                              struct string_list *options)
1655{
1656        while (1) {
1657                if (packet_reader_read(reader) != PACKET_READ_NORMAL)
1658                        break;
1659
1660                string_list_append(options, reader->line);
1661        }
1662}
1663
1664static const char *parse_pack_header(struct pack_header *hdr)
1665{
1666        switch (read_pack_header(0, hdr)) {
1667        case PH_ERROR_EOF:
1668                return "eof before pack header was fully read";
1669
1670        case PH_ERROR_PACK_SIGNATURE:
1671                return "protocol error (pack signature mismatch detected)";
1672
1673        case PH_ERROR_PROTOCOL:
1674                return "protocol error (pack version unsupported)";
1675
1676        default:
1677                return "unknown error in parse_pack_header";
1678
1679        case 0:
1680                return NULL;
1681        }
1682}
1683
1684static const char *pack_lockfile;
1685
1686static void push_header_arg(struct argv_array *args, struct pack_header *hdr)
1687{
1688        argv_array_pushf(args, "--pack_header=%"PRIu32",%"PRIu32,
1689                        ntohl(hdr->hdr_version), ntohl(hdr->hdr_entries));
1690}
1691
1692static const char *unpack(int err_fd, struct shallow_info *si)
1693{
1694        struct pack_header hdr;
1695        const char *hdr_err;
1696        int status;
1697        struct child_process child = CHILD_PROCESS_INIT;
1698        int fsck_objects = (receive_fsck_objects >= 0
1699                            ? receive_fsck_objects
1700                            : transfer_fsck_objects >= 0
1701                            ? transfer_fsck_objects
1702                            : 0);
1703
1704        hdr_err = parse_pack_header(&hdr);
1705        if (hdr_err) {
1706                if (err_fd > 0)
1707                        close(err_fd);
1708                return hdr_err;
1709        }
1710
1711        if (si->nr_ours || si->nr_theirs) {
1712                alt_shallow_file = setup_temporary_shallow(si->shallow);
1713                argv_array_push(&child.args, "--shallow-file");
1714                argv_array_push(&child.args, alt_shallow_file);
1715        }
1716
1717        tmp_objdir = tmp_objdir_create();
1718        if (!tmp_objdir) {
1719                if (err_fd > 0)
1720                        close(err_fd);
1721                return "unable to create temporary object directory";
1722        }
1723        child.env = tmp_objdir_env(tmp_objdir);
1724
1725        /*
1726         * Normally we just pass the tmp_objdir environment to the child
1727         * processes that do the heavy lifting, but we may need to see these
1728         * objects ourselves to set up shallow information.
1729         */
1730        tmp_objdir_add_as_alternate(tmp_objdir);
1731
1732        if (ntohl(hdr.hdr_entries) < unpack_limit) {
1733                argv_array_push(&child.args, "unpack-objects");
1734                push_header_arg(&child.args, &hdr);
1735                if (quiet)
1736                        argv_array_push(&child.args, "-q");
1737                if (fsck_objects)
1738                        argv_array_pushf(&child.args, "--strict%s",
1739                                fsck_msg_types.buf);
1740                if (max_input_size)
1741                        argv_array_pushf(&child.args, "--max-input-size=%"PRIuMAX,
1742                                (uintmax_t)max_input_size);
1743                child.no_stdout = 1;
1744                child.err = err_fd;
1745                child.git_cmd = 1;
1746                status = run_command(&child);
1747                if (status)
1748                        return "unpack-objects abnormal exit";
1749        } else {
1750                char hostname[HOST_NAME_MAX + 1];
1751
1752                argv_array_pushl(&child.args, "index-pack", "--stdin", NULL);
1753                push_header_arg(&child.args, &hdr);
1754
1755                if (xgethostname(hostname, sizeof(hostname)))
1756                        xsnprintf(hostname, sizeof(hostname), "localhost");
1757                argv_array_pushf(&child.args,
1758                                 "--keep=receive-pack %"PRIuMAX" on %s",
1759                                 (uintmax_t)getpid(),
1760                                 hostname);
1761
1762                if (!quiet && err_fd)
1763                        argv_array_push(&child.args, "--show-resolving-progress");
1764                if (use_sideband)
1765                        argv_array_push(&child.args, "--report-end-of-input");
1766                if (fsck_objects)
1767                        argv_array_pushf(&child.args, "--strict%s",
1768                                fsck_msg_types.buf);
1769                if (!reject_thin)
1770                        argv_array_push(&child.args, "--fix-thin");
1771                if (max_input_size)
1772                        argv_array_pushf(&child.args, "--max-input-size=%"PRIuMAX,
1773                                (uintmax_t)max_input_size);
1774                child.out = -1;
1775                child.err = err_fd;
1776                child.git_cmd = 1;
1777                status = start_command(&child);
1778                if (status)
1779                        return "index-pack fork failed";
1780                pack_lockfile = index_pack_lockfile(child.out);
1781                close(child.out);
1782                status = finish_command(&child);
1783                if (status)
1784                        return "index-pack abnormal exit";
1785                reprepare_packed_git(the_repository);
1786        }
1787        return NULL;
1788}
1789
1790static const char *unpack_with_sideband(struct shallow_info *si)
1791{
1792        struct async muxer;
1793        const char *ret;
1794
1795        if (!use_sideband)
1796                return unpack(0, si);
1797
1798        use_keepalive = KEEPALIVE_AFTER_NUL;
1799        memset(&muxer, 0, sizeof(muxer));
1800        muxer.proc = copy_to_sideband;
1801        muxer.in = -1;
1802        if (start_async(&muxer))
1803                return NULL;
1804
1805        ret = unpack(muxer.in, si);
1806
1807        finish_async(&muxer);
1808        return ret;
1809}
1810
1811static void prepare_shallow_update(struct shallow_info *si)
1812{
1813        int i, j, k, bitmap_size = DIV_ROUND_UP(si->ref->nr, 32);
1814
1815        ALLOC_ARRAY(si->used_shallow, si->shallow->nr);
1816        assign_shallow_commits_to_refs(si, si->used_shallow, NULL);
1817
1818        si->need_reachability_test =
1819                xcalloc(si->shallow->nr, sizeof(*si->need_reachability_test));
1820        si->reachable =
1821                xcalloc(si->shallow->nr, sizeof(*si->reachable));
1822        si->shallow_ref = xcalloc(si->ref->nr, sizeof(*si->shallow_ref));
1823
1824        for (i = 0; i < si->nr_ours; i++)
1825                si->need_reachability_test[si->ours[i]] = 1;
1826
1827        for (i = 0; i < si->shallow->nr; i++) {
1828                if (!si->used_shallow[i])
1829                        continue;
1830                for (j = 0; j < bitmap_size; j++) {
1831                        if (!si->used_shallow[i][j])
1832                                continue;
1833                        si->need_reachability_test[i]++;
1834                        for (k = 0; k < 32; k++)
1835                                if (si->used_shallow[i][j] & (1U << k))
1836                                        si->shallow_ref[j * 32 + k]++;
1837                }
1838
1839                /*
1840                 * true for those associated with some refs and belong
1841                 * in "ours" list aka "step 7 not done yet"
1842                 */
1843                si->need_reachability_test[i] =
1844                        si->need_reachability_test[i] > 1;
1845        }
1846
1847        /*
1848         * keep hooks happy by forcing a temporary shallow file via
1849         * env variable because we can't add --shallow-file to every
1850         * command. check_connected() will be done with
1851         * true .git/shallow though.
1852         */
1853        setenv(GIT_SHALLOW_FILE_ENVIRONMENT, alt_shallow_file, 1);
1854}
1855
1856static void update_shallow_info(struct command *commands,
1857                                struct shallow_info *si,
1858                                struct oid_array *ref)
1859{
1860        struct command *cmd;
1861        int *ref_status;
1862        remove_nonexistent_theirs_shallow(si);
1863        if (!si->nr_ours && !si->nr_theirs) {
1864                shallow_update = 0;
1865                return;
1866        }
1867
1868        for (cmd = commands; cmd; cmd = cmd->next) {
1869                if (is_null_oid(&cmd->new_oid))
1870                        continue;
1871                oid_array_append(ref, &cmd->new_oid);
1872                cmd->index = ref->nr - 1;
1873        }
1874        si->ref = ref;
1875
1876        if (shallow_update) {
1877                prepare_shallow_update(si);
1878                return;
1879        }
1880
1881        ALLOC_ARRAY(ref_status, ref->nr);
1882        assign_shallow_commits_to_refs(si, NULL, ref_status);
1883        for (cmd = commands; cmd; cmd = cmd->next) {
1884                if (is_null_oid(&cmd->new_oid))
1885                        continue;
1886                if (ref_status[cmd->index]) {
1887                        cmd->error_string = "shallow update not allowed";
1888                        cmd->skip_update = 1;
1889                }
1890        }
1891        free(ref_status);
1892}
1893
1894static void report(struct command *commands, const char *unpack_status)
1895{
1896        struct command *cmd;
1897        struct strbuf buf = STRBUF_INIT;
1898
1899        packet_buf_write(&buf, "unpack %s\n",
1900                         unpack_status ? unpack_status : "ok");
1901        for (cmd = commands; cmd; cmd = cmd->next) {
1902                if (!cmd->error_string)
1903                        packet_buf_write(&buf, "ok %s\n",
1904                                         cmd->ref_name);
1905                else
1906                        packet_buf_write(&buf, "ng %s %s\n",
1907                                         cmd->ref_name, cmd->error_string);
1908        }
1909        packet_buf_flush(&buf);
1910
1911        if (use_sideband)
1912                send_sideband(1, 1, buf.buf, buf.len, use_sideband);
1913        else
1914                write_or_die(1, buf.buf, buf.len);
1915        strbuf_release(&buf);
1916}
1917
1918static int delete_only(struct command *commands)
1919{
1920        struct command *cmd;
1921        for (cmd = commands; cmd; cmd = cmd->next) {
1922                if (!is_null_oid(&cmd->new_oid))
1923                        return 0;
1924        }
1925        return 1;
1926}
1927
1928int cmd_receive_pack(int argc, const char **argv, const char *prefix)
1929{
1930        int advertise_refs = 0;
1931        struct command *commands;
1932        struct oid_array shallow = OID_ARRAY_INIT;
1933        struct oid_array ref = OID_ARRAY_INIT;
1934        struct shallow_info si;
1935        struct packet_reader reader;
1936
1937        struct option options[] = {
1938                OPT__QUIET(&quiet, N_("quiet")),
1939                OPT_HIDDEN_BOOL(0, "stateless-rpc", &stateless_rpc, NULL),
1940                OPT_HIDDEN_BOOL(0, "advertise-refs", &advertise_refs, NULL),
1941                OPT_HIDDEN_BOOL(0, "reject-thin-pack-for-testing", &reject_thin, NULL),
1942                OPT_END()
1943        };
1944
1945        packet_trace_identity("receive-pack");
1946
1947        argc = parse_options(argc, argv, prefix, options, receive_pack_usage, 0);
1948
1949        if (argc > 1)
1950                usage_msg_opt(_("Too many arguments."), receive_pack_usage, options);
1951        if (argc == 0)
1952                usage_msg_opt(_("You must specify a directory."), receive_pack_usage, options);
1953
1954        service_dir = argv[0];
1955
1956        setup_path();
1957
1958        if (!enter_repo(service_dir, 0))
1959                die("'%s' does not appear to be a git repository", service_dir);
1960
1961        git_config(receive_pack_config, NULL);
1962        if (cert_nonce_seed)
1963                push_cert_nonce = prepare_push_cert_nonce(service_dir, time(NULL));
1964
1965        if (0 <= transfer_unpack_limit)
1966                unpack_limit = transfer_unpack_limit;
1967        else if (0 <= receive_unpack_limit)
1968                unpack_limit = receive_unpack_limit;
1969
1970        switch (determine_protocol_version_server()) {
1971        case protocol_v2:
1972                /*
1973                 * push support for protocol v2 has not been implemented yet,
1974                 * so ignore the request to use v2 and fallback to using v0.
1975                 */
1976                break;
1977        case protocol_v1:
1978                /*
1979                 * v1 is just the original protocol with a version string,
1980                 * so just fall through after writing the version string.
1981                 */
1982                if (advertise_refs || !stateless_rpc)
1983                        packet_write_fmt(1, "version 1\n");
1984
1985                /* fallthrough */
1986        case protocol_v0:
1987                break;
1988        case protocol_unknown_version:
1989                BUG("unknown protocol version");
1990        }
1991
1992        if (advertise_refs || !stateless_rpc) {
1993                write_head_info();
1994        }
1995        if (advertise_refs)
1996                return 0;
1997
1998        packet_reader_init(&reader, 0, NULL, 0,
1999                           PACKET_READ_CHOMP_NEWLINE |
2000                           PACKET_READ_DIE_ON_ERR_PACKET);
2001
2002        if ((commands = read_head_info(&reader, &shallow)) != NULL) {
2003                const char *unpack_status = NULL;
2004                struct string_list push_options = STRING_LIST_INIT_DUP;
2005
2006                if (use_push_options)
2007                        read_push_options(&reader, &push_options);
2008                if (!check_cert_push_options(&push_options)) {
2009                        struct command *cmd;
2010                        for (cmd = commands; cmd; cmd = cmd->next)
2011                                cmd->error_string = "inconsistent push options";
2012                }
2013
2014                prepare_shallow_info(&si, &shallow);
2015                if (!si.nr_ours && !si.nr_theirs)
2016                        shallow_update = 0;
2017                if (!delete_only(commands)) {
2018                        unpack_status = unpack_with_sideband(&si);
2019                        update_shallow_info(commands, &si, &ref);
2020                }
2021                use_keepalive = KEEPALIVE_ALWAYS;
2022                execute_commands(commands, unpack_status, &si,
2023                                 &push_options);
2024                if (pack_lockfile)
2025                        unlink_or_warn(pack_lockfile);
2026                if (report_status)
2027                        report(commands, unpack_status);
2028                run_receive_hook(commands, "post-receive", 1,
2029                                 &push_options);
2030                run_update_post_hook(commands);
2031                string_list_clear(&push_options, 0);
2032                if (auto_gc) {
2033                        const char *argv_gc_auto[] = {
2034                                "gc", "--auto", "--quiet", NULL,
2035                        };
2036                        struct child_process proc = CHILD_PROCESS_INIT;
2037
2038                        proc.no_stdin = 1;
2039                        proc.stdout_to_stderr = 1;
2040                        proc.err = use_sideband ? -1 : 0;
2041                        proc.git_cmd = 1;
2042                        proc.argv = argv_gc_auto;
2043
2044                        close_object_store(the_repository->objects);
2045                        if (!start_command(&proc)) {
2046                                if (use_sideband)
2047                                        copy_to_sideband(proc.err, -1, NULL);
2048                                finish_command(&proc);
2049                        }
2050                }
2051                if (auto_update_server_info)
2052                        update_server_info(0);
2053                clear_shallow_info(&si);
2054        }
2055        if (use_sideband)
2056                packet_flush(1);
2057        oid_array_clear(&shallow);
2058        oid_array_clear(&ref);
2059        free((void *)push_cert_nonce);
2060        return 0;
2061}