builtin / receive-pack.con commit refs.c: kill register_ref_store(), add register_submodule_ref_store() (378dc91)
   1#include "builtin.h"
   2#include "lockfile.h"
   3#include "pack.h"
   4#include "refs.h"
   5#include "pkt-line.h"
   6#include "sideband.h"
   7#include "run-command.h"
   8#include "exec_cmd.h"
   9#include "commit.h"
  10#include "object.h"
  11#include "remote.h"
  12#include "connect.h"
  13#include "transport.h"
  14#include "string-list.h"
  15#include "sha1-array.h"
  16#include "connected.h"
  17#include "argv-array.h"
  18#include "version.h"
  19#include "tag.h"
  20#include "gpg-interface.h"
  21#include "sigchain.h"
  22#include "fsck.h"
  23#include "tmp-objdir.h"
  24#include "oidset.h"
  25
  26static const char * const receive_pack_usage[] = {
  27        N_("git receive-pack <git-dir>"),
  28        NULL
  29};
  30
  31enum deny_action {
  32        DENY_UNCONFIGURED,
  33        DENY_IGNORE,
  34        DENY_WARN,
  35        DENY_REFUSE,
  36        DENY_UPDATE_INSTEAD
  37};
  38
  39static int deny_deletes;
  40static int deny_non_fast_forwards;
  41static enum deny_action deny_current_branch = DENY_UNCONFIGURED;
  42static enum deny_action deny_delete_current = DENY_UNCONFIGURED;
  43static int receive_fsck_objects = -1;
  44static int transfer_fsck_objects = -1;
  45static struct strbuf fsck_msg_types = STRBUF_INIT;
  46static int receive_unpack_limit = -1;
  47static int transfer_unpack_limit = -1;
  48static int advertise_atomic_push = 1;
  49static int advertise_push_options;
  50static int unpack_limit = 100;
  51static off_t max_input_size;
  52static int report_status;
  53static int use_sideband;
  54static int use_atomic;
  55static int use_push_options;
  56static int quiet;
  57static int prefer_ofs_delta = 1;
  58static int auto_update_server_info;
  59static int auto_gc = 1;
  60static int reject_thin;
  61static int stateless_rpc;
  62static const char *service_dir;
  63static const char *head_name;
  64static void *head_name_to_free;
  65static int sent_capabilities;
  66static int shallow_update;
  67static const char *alt_shallow_file;
  68static struct strbuf push_cert = STRBUF_INIT;
  69static unsigned char push_cert_sha1[20];
  70static struct signature_check sigcheck;
  71static const char *push_cert_nonce;
  72static const char *cert_nonce_seed;
  73
  74static const char *NONCE_UNSOLICITED = "UNSOLICITED";
  75static const char *NONCE_BAD = "BAD";
  76static const char *NONCE_MISSING = "MISSING";
  77static const char *NONCE_OK = "OK";
  78static const char *NONCE_SLOP = "SLOP";
  79static const char *nonce_status;
  80static long nonce_stamp_slop;
  81static unsigned long nonce_stamp_slop_limit;
  82static struct ref_transaction *transaction;
  83
  84static enum {
  85        KEEPALIVE_NEVER = 0,
  86        KEEPALIVE_AFTER_NUL,
  87        KEEPALIVE_ALWAYS
  88} use_keepalive;
  89static int keepalive_in_sec = 5;
  90
  91static struct tmp_objdir *tmp_objdir;
  92
  93static enum deny_action parse_deny_action(const char *var, const char *value)
  94{
  95        if (value) {
  96                if (!strcasecmp(value, "ignore"))
  97                        return DENY_IGNORE;
  98                if (!strcasecmp(value, "warn"))
  99                        return DENY_WARN;
 100                if (!strcasecmp(value, "refuse"))
 101                        return DENY_REFUSE;
 102                if (!strcasecmp(value, "updateinstead"))
 103                        return DENY_UPDATE_INSTEAD;
 104        }
 105        if (git_config_bool(var, value))
 106                return DENY_REFUSE;
 107        return DENY_IGNORE;
 108}
 109
 110static int receive_pack_config(const char *var, const char *value, void *cb)
 111{
 112        int status = parse_hide_refs_config(var, value, "receive");
 113
 114        if (status)
 115                return status;
 116
 117        if (strcmp(var, "receive.denydeletes") == 0) {
 118                deny_deletes = git_config_bool(var, value);
 119                return 0;
 120        }
 121
 122        if (strcmp(var, "receive.denynonfastforwards") == 0) {
 123                deny_non_fast_forwards = git_config_bool(var, value);
 124                return 0;
 125        }
 126
 127        if (strcmp(var, "receive.unpacklimit") == 0) {
 128                receive_unpack_limit = git_config_int(var, value);
 129                return 0;
 130        }
 131
 132        if (strcmp(var, "transfer.unpacklimit") == 0) {
 133                transfer_unpack_limit = git_config_int(var, value);
 134                return 0;
 135        }
 136
 137        if (strcmp(var, "receive.fsck.skiplist") == 0) {
 138                const char *path;
 139
 140                if (git_config_pathname(&path, var, value))
 141                        return 1;
 142                strbuf_addf(&fsck_msg_types, "%cskiplist=%s",
 143                        fsck_msg_types.len ? ',' : '=', path);
 144                free((char *)path);
 145                return 0;
 146        }
 147
 148        if (skip_prefix(var, "receive.fsck.", &var)) {
 149                if (is_valid_msg_type(var, value))
 150                        strbuf_addf(&fsck_msg_types, "%c%s=%s",
 151                                fsck_msg_types.len ? ',' : '=', var, value);
 152                else
 153                        warning("Skipping unknown msg id '%s'", var);
 154                return 0;
 155        }
 156
 157        if (strcmp(var, "receive.fsckobjects") == 0) {
 158                receive_fsck_objects = git_config_bool(var, value);
 159                return 0;
 160        }
 161
 162        if (strcmp(var, "transfer.fsckobjects") == 0) {
 163                transfer_fsck_objects = git_config_bool(var, value);
 164                return 0;
 165        }
 166
 167        if (!strcmp(var, "receive.denycurrentbranch")) {
 168                deny_current_branch = parse_deny_action(var, value);
 169                return 0;
 170        }
 171
 172        if (strcmp(var, "receive.denydeletecurrent") == 0) {
 173                deny_delete_current = parse_deny_action(var, value);
 174                return 0;
 175        }
 176
 177        if (strcmp(var, "repack.usedeltabaseoffset") == 0) {
 178                prefer_ofs_delta = git_config_bool(var, value);
 179                return 0;
 180        }
 181
 182        if (strcmp(var, "receive.updateserverinfo") == 0) {
 183                auto_update_server_info = git_config_bool(var, value);
 184                return 0;
 185        }
 186
 187        if (strcmp(var, "receive.autogc") == 0) {
 188                auto_gc = git_config_bool(var, value);
 189                return 0;
 190        }
 191
 192        if (strcmp(var, "receive.shallowupdate") == 0) {
 193                shallow_update = git_config_bool(var, value);
 194                return 0;
 195        }
 196
 197        if (strcmp(var, "receive.certnonceseed") == 0)
 198                return git_config_string(&cert_nonce_seed, var, value);
 199
 200        if (strcmp(var, "receive.certnonceslop") == 0) {
 201                nonce_stamp_slop_limit = git_config_ulong(var, value);
 202                return 0;
 203        }
 204
 205        if (strcmp(var, "receive.advertiseatomic") == 0) {
 206                advertise_atomic_push = git_config_bool(var, value);
 207                return 0;
 208        }
 209
 210        if (strcmp(var, "receive.advertisepushoptions") == 0) {
 211                advertise_push_options = git_config_bool(var, value);
 212                return 0;
 213        }
 214
 215        if (strcmp(var, "receive.keepalive") == 0) {
 216                keepalive_in_sec = git_config_int(var, value);
 217                return 0;
 218        }
 219
 220        if (strcmp(var, "receive.maxinputsize") == 0) {
 221                max_input_size = git_config_int64(var, value);
 222                return 0;
 223        }
 224
 225        return git_default_config(var, value, cb);
 226}
 227
 228static void show_ref(const char *path, const unsigned char *sha1)
 229{
 230        if (sent_capabilities) {
 231                packet_write_fmt(1, "%s %s\n", sha1_to_hex(sha1), path);
 232        } else {
 233                struct strbuf cap = STRBUF_INIT;
 234
 235                strbuf_addstr(&cap,
 236                              "report-status delete-refs side-band-64k quiet");
 237                if (advertise_atomic_push)
 238                        strbuf_addstr(&cap, " atomic");
 239                if (prefer_ofs_delta)
 240                        strbuf_addstr(&cap, " ofs-delta");
 241                if (push_cert_nonce)
 242                        strbuf_addf(&cap, " push-cert=%s", push_cert_nonce);
 243                if (advertise_push_options)
 244                        strbuf_addstr(&cap, " push-options");
 245                strbuf_addf(&cap, " agent=%s", git_user_agent_sanitized());
 246                packet_write_fmt(1, "%s %s%c%s\n",
 247                             sha1_to_hex(sha1), path, 0, cap.buf);
 248                strbuf_release(&cap);
 249                sent_capabilities = 1;
 250        }
 251}
 252
 253static int show_ref_cb(const char *path_full, const struct object_id *oid,
 254                       int flag, void *data)
 255{
 256        struct oidset *seen = data;
 257        const char *path = strip_namespace(path_full);
 258
 259        if (ref_is_hidden(path, path_full))
 260                return 0;
 261
 262        /*
 263         * Advertise refs outside our current namespace as ".have"
 264         * refs, so that the client can use them to minimize data
 265         * transfer but will otherwise ignore them.
 266         */
 267        if (!path) {
 268                if (oidset_insert(seen, oid))
 269                        return 0;
 270                path = ".have";
 271        } else {
 272                oidset_insert(seen, oid);
 273        }
 274        show_ref(path, oid->hash);
 275        return 0;
 276}
 277
 278static void show_one_alternate_ref(const char *refname,
 279                                   const struct object_id *oid,
 280                                   void *data)
 281{
 282        struct oidset *seen = data;
 283
 284        if (oidset_insert(seen, oid))
 285                return;
 286
 287        show_ref(".have", oid->hash);
 288}
 289
 290static void write_head_info(void)
 291{
 292        static struct oidset seen = OIDSET_INIT;
 293
 294        for_each_ref(show_ref_cb, &seen);
 295        for_each_alternate_ref(show_one_alternate_ref, &seen);
 296        oidset_clear(&seen);
 297        if (!sent_capabilities)
 298                show_ref("capabilities^{}", null_sha1);
 299
 300        advertise_shallow_grafts(1);
 301
 302        /* EOF */
 303        packet_flush(1);
 304}
 305
 306struct command {
 307        struct command *next;
 308        const char *error_string;
 309        unsigned int skip_update:1,
 310                     did_not_exist:1;
 311        int index;
 312        unsigned char old_sha1[20];
 313        unsigned char new_sha1[20];
 314        char ref_name[FLEX_ARRAY]; /* more */
 315};
 316
 317static void rp_error(const char *err, ...) __attribute__((format (printf, 1, 2)));
 318static void rp_warning(const char *err, ...) __attribute__((format (printf, 1, 2)));
 319
 320static void report_message(const char *prefix, const char *err, va_list params)
 321{
 322        int sz;
 323        char msg[4096];
 324
 325        sz = xsnprintf(msg, sizeof(msg), "%s", prefix);
 326        sz += vsnprintf(msg + sz, sizeof(msg) - sz, err, params);
 327        if (sz > (sizeof(msg) - 1))
 328                sz = sizeof(msg) - 1;
 329        msg[sz++] = '\n';
 330
 331        if (use_sideband)
 332                send_sideband(1, 2, msg, sz, use_sideband);
 333        else
 334                xwrite(2, msg, sz);
 335}
 336
 337static void rp_warning(const char *err, ...)
 338{
 339        va_list params;
 340        va_start(params, err);
 341        report_message("warning: ", err, params);
 342        va_end(params);
 343}
 344
 345static void rp_error(const char *err, ...)
 346{
 347        va_list params;
 348        va_start(params, err);
 349        report_message("error: ", err, params);
 350        va_end(params);
 351}
 352
 353static int copy_to_sideband(int in, int out, void *arg)
 354{
 355        char data[128];
 356        int keepalive_active = 0;
 357
 358        if (keepalive_in_sec <= 0)
 359                use_keepalive = KEEPALIVE_NEVER;
 360        if (use_keepalive == KEEPALIVE_ALWAYS)
 361                keepalive_active = 1;
 362
 363        while (1) {
 364                ssize_t sz;
 365
 366                if (keepalive_active) {
 367                        struct pollfd pfd;
 368                        int ret;
 369
 370                        pfd.fd = in;
 371                        pfd.events = POLLIN;
 372                        ret = poll(&pfd, 1, 1000 * keepalive_in_sec);
 373
 374                        if (ret < 0) {
 375                                if (errno == EINTR)
 376                                        continue;
 377                                else
 378                                        break;
 379                        } else if (ret == 0) {
 380                                /* no data; send a keepalive packet */
 381                                static const char buf[] = "0005\1";
 382                                write_or_die(1, buf, sizeof(buf) - 1);
 383                                continue;
 384                        } /* else there is actual data to read */
 385                }
 386
 387                sz = xread(in, data, sizeof(data));
 388                if (sz <= 0)
 389                        break;
 390
 391                if (use_keepalive == KEEPALIVE_AFTER_NUL && !keepalive_active) {
 392                        const char *p = memchr(data, '\0', sz);
 393                        if (p) {
 394                                /*
 395                                 * The NUL tells us to start sending keepalives. Make
 396                                 * sure we send any other data we read along
 397                                 * with it.
 398                                 */
 399                                keepalive_active = 1;
 400                                send_sideband(1, 2, data, p - data, use_sideband);
 401                                send_sideband(1, 2, p + 1, sz - (p - data + 1), use_sideband);
 402                                continue;
 403                        }
 404                }
 405
 406                /*
 407                 * Either we're not looking for a NUL signal, or we didn't see
 408                 * it yet; just pass along the data.
 409                 */
 410                send_sideband(1, 2, data, sz, use_sideband);
 411        }
 412        close(in);
 413        return 0;
 414}
 415
 416#define HMAC_BLOCK_SIZE 64
 417
 418static void hmac_sha1(unsigned char *out,
 419                      const char *key_in, size_t key_len,
 420                      const char *text, size_t text_len)
 421{
 422        unsigned char key[HMAC_BLOCK_SIZE];
 423        unsigned char k_ipad[HMAC_BLOCK_SIZE];
 424        unsigned char k_opad[HMAC_BLOCK_SIZE];
 425        int i;
 426        git_SHA_CTX ctx;
 427
 428        /* RFC 2104 2. (1) */
 429        memset(key, '\0', HMAC_BLOCK_SIZE);
 430        if (HMAC_BLOCK_SIZE < key_len) {
 431                git_SHA1_Init(&ctx);
 432                git_SHA1_Update(&ctx, key_in, key_len);
 433                git_SHA1_Final(key, &ctx);
 434        } else {
 435                memcpy(key, key_in, key_len);
 436        }
 437
 438        /* RFC 2104 2. (2) & (5) */
 439        for (i = 0; i < sizeof(key); i++) {
 440                k_ipad[i] = key[i] ^ 0x36;
 441                k_opad[i] = key[i] ^ 0x5c;
 442        }
 443
 444        /* RFC 2104 2. (3) & (4) */
 445        git_SHA1_Init(&ctx);
 446        git_SHA1_Update(&ctx, k_ipad, sizeof(k_ipad));
 447        git_SHA1_Update(&ctx, text, text_len);
 448        git_SHA1_Final(out, &ctx);
 449
 450        /* RFC 2104 2. (6) & (7) */
 451        git_SHA1_Init(&ctx);
 452        git_SHA1_Update(&ctx, k_opad, sizeof(k_opad));
 453        git_SHA1_Update(&ctx, out, 20);
 454        git_SHA1_Final(out, &ctx);
 455}
 456
 457static char *prepare_push_cert_nonce(const char *path, unsigned long stamp)
 458{
 459        struct strbuf buf = STRBUF_INIT;
 460        unsigned char sha1[20];
 461
 462        strbuf_addf(&buf, "%s:%lu", path, stamp);
 463        hmac_sha1(sha1, buf.buf, buf.len, cert_nonce_seed, strlen(cert_nonce_seed));;
 464        strbuf_release(&buf);
 465
 466        /* RFC 2104 5. HMAC-SHA1-80 */
 467        strbuf_addf(&buf, "%lu-%.*s", stamp, 20, sha1_to_hex(sha1));
 468        return strbuf_detach(&buf, NULL);
 469}
 470
 471/*
 472 * NEEDSWORK: reuse find_commit_header() from jk/commit-author-parsing
 473 * after dropping "_commit" from its name and possibly moving it out
 474 * of commit.c
 475 */
 476static char *find_header(const char *msg, size_t len, const char *key)
 477{
 478        int key_len = strlen(key);
 479        const char *line = msg;
 480
 481        while (line && line < msg + len) {
 482                const char *eol = strchrnul(line, '\n');
 483
 484                if ((msg + len <= eol) || line == eol)
 485                        return NULL;
 486                if (line + key_len < eol &&
 487                    !memcmp(line, key, key_len) && line[key_len] == ' ') {
 488                        int offset = key_len + 1;
 489                        return xmemdupz(line + offset, (eol - line) - offset);
 490                }
 491                line = *eol ? eol + 1 : NULL;
 492        }
 493        return NULL;
 494}
 495
 496static const char *check_nonce(const char *buf, size_t len)
 497{
 498        char *nonce = find_header(buf, len, "nonce");
 499        unsigned long stamp, ostamp;
 500        char *bohmac, *expect = NULL;
 501        const char *retval = NONCE_BAD;
 502
 503        if (!nonce) {
 504                retval = NONCE_MISSING;
 505                goto leave;
 506        } else if (!push_cert_nonce) {
 507                retval = NONCE_UNSOLICITED;
 508                goto leave;
 509        } else if (!strcmp(push_cert_nonce, nonce)) {
 510                retval = NONCE_OK;
 511                goto leave;
 512        }
 513
 514        if (!stateless_rpc) {
 515                /* returned nonce MUST match what we gave out earlier */
 516                retval = NONCE_BAD;
 517                goto leave;
 518        }
 519
 520        /*
 521         * In stateless mode, we may be receiving a nonce issued by
 522         * another instance of the server that serving the same
 523         * repository, and the timestamps may not match, but the
 524         * nonce-seed and dir should match, so we can recompute and
 525         * report the time slop.
 526         *
 527         * In addition, when a nonce issued by another instance has
 528         * timestamp within receive.certnonceslop seconds, we pretend
 529         * as if we issued that nonce when reporting to the hook.
 530         */
 531
 532        /* nonce is concat(<seconds-since-epoch>, "-", <hmac>) */
 533        if (*nonce <= '0' || '9' < *nonce) {
 534                retval = NONCE_BAD;
 535                goto leave;
 536        }
 537        stamp = strtoul(nonce, &bohmac, 10);
 538        if (bohmac == nonce || bohmac[0] != '-') {
 539                retval = NONCE_BAD;
 540                goto leave;
 541        }
 542
 543        expect = prepare_push_cert_nonce(service_dir, stamp);
 544        if (strcmp(expect, nonce)) {
 545                /* Not what we would have signed earlier */
 546                retval = NONCE_BAD;
 547                goto leave;
 548        }
 549
 550        /*
 551         * By how many seconds is this nonce stale?  Negative value
 552         * would mean it was issued by another server with its clock
 553         * skewed in the future.
 554         */
 555        ostamp = strtoul(push_cert_nonce, NULL, 10);
 556        nonce_stamp_slop = (long)ostamp - (long)stamp;
 557
 558        if (nonce_stamp_slop_limit &&
 559            labs(nonce_stamp_slop) <= nonce_stamp_slop_limit) {
 560                /*
 561                 * Pretend as if the received nonce (which passes the
 562                 * HMAC check, so it is not a forged by third-party)
 563                 * is what we issued.
 564                 */
 565                free((void *)push_cert_nonce);
 566                push_cert_nonce = xstrdup(nonce);
 567                retval = NONCE_OK;
 568        } else {
 569                retval = NONCE_SLOP;
 570        }
 571
 572leave:
 573        free(nonce);
 574        free(expect);
 575        return retval;
 576}
 577
 578static void prepare_push_cert_sha1(struct child_process *proc)
 579{
 580        static int already_done;
 581
 582        if (!push_cert.len)
 583                return;
 584
 585        if (!already_done) {
 586                struct strbuf gpg_output = STRBUF_INIT;
 587                struct strbuf gpg_status = STRBUF_INIT;
 588                int bogs /* beginning_of_gpg_sig */;
 589
 590                already_done = 1;
 591                if (write_sha1_file(push_cert.buf, push_cert.len, "blob", push_cert_sha1))
 592                        hashclr(push_cert_sha1);
 593
 594                memset(&sigcheck, '\0', sizeof(sigcheck));
 595                sigcheck.result = 'N';
 596
 597                bogs = parse_signature(push_cert.buf, push_cert.len);
 598                if (verify_signed_buffer(push_cert.buf, bogs,
 599                                         push_cert.buf + bogs, push_cert.len - bogs,
 600                                         &gpg_output, &gpg_status) < 0) {
 601                        ; /* error running gpg */
 602                } else {
 603                        sigcheck.payload = push_cert.buf;
 604                        sigcheck.gpg_output = gpg_output.buf;
 605                        sigcheck.gpg_status = gpg_status.buf;
 606                        parse_gpg_output(&sigcheck);
 607                }
 608
 609                strbuf_release(&gpg_output);
 610                strbuf_release(&gpg_status);
 611                nonce_status = check_nonce(push_cert.buf, bogs);
 612        }
 613        if (!is_null_sha1(push_cert_sha1)) {
 614                argv_array_pushf(&proc->env_array, "GIT_PUSH_CERT=%s",
 615                                 sha1_to_hex(push_cert_sha1));
 616                argv_array_pushf(&proc->env_array, "GIT_PUSH_CERT_SIGNER=%s",
 617                                 sigcheck.signer ? sigcheck.signer : "");
 618                argv_array_pushf(&proc->env_array, "GIT_PUSH_CERT_KEY=%s",
 619                                 sigcheck.key ? sigcheck.key : "");
 620                argv_array_pushf(&proc->env_array, "GIT_PUSH_CERT_STATUS=%c",
 621                                 sigcheck.result);
 622                if (push_cert_nonce) {
 623                        argv_array_pushf(&proc->env_array,
 624                                         "GIT_PUSH_CERT_NONCE=%s",
 625                                         push_cert_nonce);
 626                        argv_array_pushf(&proc->env_array,
 627                                         "GIT_PUSH_CERT_NONCE_STATUS=%s",
 628                                         nonce_status);
 629                        if (nonce_status == NONCE_SLOP)
 630                                argv_array_pushf(&proc->env_array,
 631                                                 "GIT_PUSH_CERT_NONCE_SLOP=%ld",
 632                                                 nonce_stamp_slop);
 633                }
 634        }
 635}
 636
 637struct receive_hook_feed_state {
 638        struct command *cmd;
 639        int skip_broken;
 640        struct strbuf buf;
 641        const struct string_list *push_options;
 642};
 643
 644typedef int (*feed_fn)(void *, const char **, size_t *);
 645static int run_and_feed_hook(const char *hook_name, feed_fn feed,
 646                             struct receive_hook_feed_state *feed_state)
 647{
 648        struct child_process proc = CHILD_PROCESS_INIT;
 649        struct async muxer;
 650        const char *argv[2];
 651        int code;
 652
 653        argv[0] = find_hook(hook_name);
 654        if (!argv[0])
 655                return 0;
 656
 657        argv[1] = NULL;
 658
 659        proc.argv = argv;
 660        proc.in = -1;
 661        proc.stdout_to_stderr = 1;
 662        if (feed_state->push_options) {
 663                int i;
 664                for (i = 0; i < feed_state->push_options->nr; i++)
 665                        argv_array_pushf(&proc.env_array,
 666                                "GIT_PUSH_OPTION_%d=%s", i,
 667                                feed_state->push_options->items[i].string);
 668                argv_array_pushf(&proc.env_array, "GIT_PUSH_OPTION_COUNT=%d",
 669                                 feed_state->push_options->nr);
 670        } else
 671                argv_array_pushf(&proc.env_array, "GIT_PUSH_OPTION_COUNT");
 672
 673        if (tmp_objdir)
 674                argv_array_pushv(&proc.env_array, tmp_objdir_env(tmp_objdir));
 675
 676        if (use_sideband) {
 677                memset(&muxer, 0, sizeof(muxer));
 678                muxer.proc = copy_to_sideband;
 679                muxer.in = -1;
 680                code = start_async(&muxer);
 681                if (code)
 682                        return code;
 683                proc.err = muxer.in;
 684        }
 685
 686        prepare_push_cert_sha1(&proc);
 687
 688        code = start_command(&proc);
 689        if (code) {
 690                if (use_sideband)
 691                        finish_async(&muxer);
 692                return code;
 693        }
 694
 695        sigchain_push(SIGPIPE, SIG_IGN);
 696
 697        while (1) {
 698                const char *buf;
 699                size_t n;
 700                if (feed(feed_state, &buf, &n))
 701                        break;
 702                if (write_in_full(proc.in, buf, n) != n)
 703                        break;
 704        }
 705        close(proc.in);
 706        if (use_sideband)
 707                finish_async(&muxer);
 708
 709        sigchain_pop(SIGPIPE);
 710
 711        return finish_command(&proc);
 712}
 713
 714static int feed_receive_hook(void *state_, const char **bufp, size_t *sizep)
 715{
 716        struct receive_hook_feed_state *state = state_;
 717        struct command *cmd = state->cmd;
 718
 719        while (cmd &&
 720               state->skip_broken && (cmd->error_string || cmd->did_not_exist))
 721                cmd = cmd->next;
 722        if (!cmd)
 723                return -1; /* EOF */
 724        strbuf_reset(&state->buf);
 725        strbuf_addf(&state->buf, "%s %s %s\n",
 726                    sha1_to_hex(cmd->old_sha1), sha1_to_hex(cmd->new_sha1),
 727                    cmd->ref_name);
 728        state->cmd = cmd->next;
 729        if (bufp) {
 730                *bufp = state->buf.buf;
 731                *sizep = state->buf.len;
 732        }
 733        return 0;
 734}
 735
 736static int run_receive_hook(struct command *commands,
 737                            const char *hook_name,
 738                            int skip_broken,
 739                            const struct string_list *push_options)
 740{
 741        struct receive_hook_feed_state state;
 742        int status;
 743
 744        strbuf_init(&state.buf, 0);
 745        state.cmd = commands;
 746        state.skip_broken = skip_broken;
 747        if (feed_receive_hook(&state, NULL, NULL))
 748                return 0;
 749        state.cmd = commands;
 750        state.push_options = push_options;
 751        status = run_and_feed_hook(hook_name, feed_receive_hook, &state);
 752        strbuf_release(&state.buf);
 753        return status;
 754}
 755
 756static int run_update_hook(struct command *cmd)
 757{
 758        const char *argv[5];
 759        struct child_process proc = CHILD_PROCESS_INIT;
 760        int code;
 761
 762        argv[0] = find_hook("update");
 763        if (!argv[0])
 764                return 0;
 765
 766        argv[1] = cmd->ref_name;
 767        argv[2] = sha1_to_hex(cmd->old_sha1);
 768        argv[3] = sha1_to_hex(cmd->new_sha1);
 769        argv[4] = NULL;
 770
 771        proc.no_stdin = 1;
 772        proc.stdout_to_stderr = 1;
 773        proc.err = use_sideband ? -1 : 0;
 774        proc.argv = argv;
 775        proc.env = tmp_objdir_env(tmp_objdir);
 776
 777        code = start_command(&proc);
 778        if (code)
 779                return code;
 780        if (use_sideband)
 781                copy_to_sideband(proc.err, -1, NULL);
 782        return finish_command(&proc);
 783}
 784
 785static int is_ref_checked_out(const char *ref)
 786{
 787        if (is_bare_repository())
 788                return 0;
 789
 790        if (!head_name)
 791                return 0;
 792        return !strcmp(head_name, ref);
 793}
 794
 795static char *refuse_unconfigured_deny_msg =
 796        N_("By default, updating the current branch in a non-bare repository\n"
 797           "is denied, because it will make the index and work tree inconsistent\n"
 798           "with what you pushed, and will require 'git reset --hard' to match\n"
 799           "the work tree to HEAD.\n"
 800           "\n"
 801           "You can set the 'receive.denyCurrentBranch' configuration variable\n"
 802           "to 'ignore' or 'warn' in the remote repository to allow pushing into\n"
 803           "its current branch; however, this is not recommended unless you\n"
 804           "arranged to update its work tree to match what you pushed in some\n"
 805           "other way.\n"
 806           "\n"
 807           "To squelch this message and still keep the default behaviour, set\n"
 808           "'receive.denyCurrentBranch' configuration variable to 'refuse'.");
 809
 810static void refuse_unconfigured_deny(void)
 811{
 812        rp_error("%s", _(refuse_unconfigured_deny_msg));
 813}
 814
 815static char *refuse_unconfigured_deny_delete_current_msg =
 816        N_("By default, deleting the current branch is denied, because the next\n"
 817           "'git clone' won't result in any file checked out, causing confusion.\n"
 818           "\n"
 819           "You can set 'receive.denyDeleteCurrent' configuration variable to\n"
 820           "'warn' or 'ignore' in the remote repository to allow deleting the\n"
 821           "current branch, with or without a warning message.\n"
 822           "\n"
 823           "To squelch this message, you can set it to 'refuse'.");
 824
 825static void refuse_unconfigured_deny_delete_current(void)
 826{
 827        rp_error("%s", _(refuse_unconfigured_deny_delete_current_msg));
 828}
 829
 830static int command_singleton_iterator(void *cb_data, unsigned char sha1[20]);
 831static int update_shallow_ref(struct command *cmd, struct shallow_info *si)
 832{
 833        static struct lock_file shallow_lock;
 834        struct sha1_array extra = SHA1_ARRAY_INIT;
 835        struct check_connected_options opt = CHECK_CONNECTED_INIT;
 836        uint32_t mask = 1 << (cmd->index % 32);
 837        int i;
 838
 839        trace_printf_key(&trace_shallow,
 840                         "shallow: update_shallow_ref %s\n", cmd->ref_name);
 841        for (i = 0; i < si->shallow->nr; i++)
 842                if (si->used_shallow[i] &&
 843                    (si->used_shallow[i][cmd->index / 32] & mask) &&
 844                    !delayed_reachability_test(si, i))
 845                        sha1_array_append(&extra, si->shallow->sha1[i]);
 846
 847        opt.env = tmp_objdir_env(tmp_objdir);
 848        setup_alternate_shallow(&shallow_lock, &opt.shallow_file, &extra);
 849        if (check_connected(command_singleton_iterator, cmd, &opt)) {
 850                rollback_lock_file(&shallow_lock);
 851                sha1_array_clear(&extra);
 852                return -1;
 853        }
 854
 855        commit_lock_file(&shallow_lock);
 856
 857        /*
 858         * Make sure setup_alternate_shallow() for the next ref does
 859         * not lose these new roots..
 860         */
 861        for (i = 0; i < extra.nr; i++)
 862                register_shallow(extra.sha1[i]);
 863
 864        si->shallow_ref[cmd->index] = 0;
 865        sha1_array_clear(&extra);
 866        return 0;
 867}
 868
 869/*
 870 * NEEDSWORK: we should consolidate various implementions of "are we
 871 * on an unborn branch?" test into one, and make the unified one more
 872 * robust. !get_sha1() based check used here and elsewhere would not
 873 * allow us to tell an unborn branch from corrupt ref, for example.
 874 * For the purpose of fixing "deploy-to-update does not work when
 875 * pushing into an empty repository" issue, this should suffice for
 876 * now.
 877 */
 878static int head_has_history(void)
 879{
 880        unsigned char sha1[20];
 881
 882        return !get_sha1("HEAD", sha1);
 883}
 884
 885static const char *push_to_deploy(unsigned char *sha1,
 886                                  struct argv_array *env,
 887                                  const char *work_tree)
 888{
 889        const char *update_refresh[] = {
 890                "update-index", "-q", "--ignore-submodules", "--refresh", NULL
 891        };
 892        const char *diff_files[] = {
 893                "diff-files", "--quiet", "--ignore-submodules", "--", NULL
 894        };
 895        const char *diff_index[] = {
 896                "diff-index", "--quiet", "--cached", "--ignore-submodules",
 897                NULL, "--", NULL
 898        };
 899        const char *read_tree[] = {
 900                "read-tree", "-u", "-m", NULL, NULL
 901        };
 902        struct child_process child = CHILD_PROCESS_INIT;
 903
 904        child.argv = update_refresh;
 905        child.env = env->argv;
 906        child.dir = work_tree;
 907        child.no_stdin = 1;
 908        child.stdout_to_stderr = 1;
 909        child.git_cmd = 1;
 910        if (run_command(&child))
 911                return "Up-to-date check failed";
 912
 913        /* run_command() does not clean up completely; reinitialize */
 914        child_process_init(&child);
 915        child.argv = diff_files;
 916        child.env = env->argv;
 917        child.dir = work_tree;
 918        child.no_stdin = 1;
 919        child.stdout_to_stderr = 1;
 920        child.git_cmd = 1;
 921        if (run_command(&child))
 922                return "Working directory has unstaged changes";
 923
 924        /* diff-index with either HEAD or an empty tree */
 925        diff_index[4] = head_has_history() ? "HEAD" : EMPTY_TREE_SHA1_HEX;
 926
 927        child_process_init(&child);
 928        child.argv = diff_index;
 929        child.env = env->argv;
 930        child.no_stdin = 1;
 931        child.no_stdout = 1;
 932        child.stdout_to_stderr = 0;
 933        child.git_cmd = 1;
 934        if (run_command(&child))
 935                return "Working directory has staged changes";
 936
 937        read_tree[3] = sha1_to_hex(sha1);
 938        child_process_init(&child);
 939        child.argv = read_tree;
 940        child.env = env->argv;
 941        child.dir = work_tree;
 942        child.no_stdin = 1;
 943        child.no_stdout = 1;
 944        child.stdout_to_stderr = 0;
 945        child.git_cmd = 1;
 946        if (run_command(&child))
 947                return "Could not update working tree to new HEAD";
 948
 949        return NULL;
 950}
 951
 952static const char *push_to_checkout_hook = "push-to-checkout";
 953
 954static const char *push_to_checkout(unsigned char *sha1,
 955                                    struct argv_array *env,
 956                                    const char *work_tree)
 957{
 958        argv_array_pushf(env, "GIT_WORK_TREE=%s", absolute_path(work_tree));
 959        if (run_hook_le(env->argv, push_to_checkout_hook,
 960                        sha1_to_hex(sha1), NULL))
 961                return "push-to-checkout hook declined";
 962        else
 963                return NULL;
 964}
 965
 966static const char *update_worktree(unsigned char *sha1)
 967{
 968        const char *retval;
 969        const char *work_tree = git_work_tree_cfg ? git_work_tree_cfg : "..";
 970        struct argv_array env = ARGV_ARRAY_INIT;
 971
 972        if (is_bare_repository())
 973                return "denyCurrentBranch = updateInstead needs a worktree";
 974
 975        argv_array_pushf(&env, "GIT_DIR=%s", absolute_path(get_git_dir()));
 976
 977        if (!find_hook(push_to_checkout_hook))
 978                retval = push_to_deploy(sha1, &env, work_tree);
 979        else
 980                retval = push_to_checkout(sha1, &env, work_tree);
 981
 982        argv_array_clear(&env);
 983        return retval;
 984}
 985
 986static const char *update(struct command *cmd, struct shallow_info *si)
 987{
 988        const char *name = cmd->ref_name;
 989        struct strbuf namespaced_name_buf = STRBUF_INIT;
 990        const char *namespaced_name, *ret;
 991        unsigned char *old_sha1 = cmd->old_sha1;
 992        unsigned char *new_sha1 = cmd->new_sha1;
 993
 994        /* only refs/... are allowed */
 995        if (!starts_with(name, "refs/") || check_refname_format(name + 5, 0)) {
 996                rp_error("refusing to create funny ref '%s' remotely", name);
 997                return "funny refname";
 998        }
 999
1000        strbuf_addf(&namespaced_name_buf, "%s%s", get_git_namespace(), name);
1001        namespaced_name = strbuf_detach(&namespaced_name_buf, NULL);
1002
1003        if (is_ref_checked_out(namespaced_name)) {
1004                switch (deny_current_branch) {
1005                case DENY_IGNORE:
1006                        break;
1007                case DENY_WARN:
1008                        rp_warning("updating the current branch");
1009                        break;
1010                case DENY_REFUSE:
1011                case DENY_UNCONFIGURED:
1012                        rp_error("refusing to update checked out branch: %s", name);
1013                        if (deny_current_branch == DENY_UNCONFIGURED)
1014                                refuse_unconfigured_deny();
1015                        return "branch is currently checked out";
1016                case DENY_UPDATE_INSTEAD:
1017                        ret = update_worktree(new_sha1);
1018                        if (ret)
1019                                return ret;
1020                        break;
1021                }
1022        }
1023
1024        if (!is_null_sha1(new_sha1) && !has_sha1_file(new_sha1)) {
1025                error("unpack should have generated %s, "
1026                      "but I can't find it!", sha1_to_hex(new_sha1));
1027                return "bad pack";
1028        }
1029
1030        if (!is_null_sha1(old_sha1) && is_null_sha1(new_sha1)) {
1031                if (deny_deletes && starts_with(name, "refs/heads/")) {
1032                        rp_error("denying ref deletion for %s", name);
1033                        return "deletion prohibited";
1034                }
1035
1036                if (head_name && !strcmp(namespaced_name, head_name)) {
1037                        switch (deny_delete_current) {
1038                        case DENY_IGNORE:
1039                                break;
1040                        case DENY_WARN:
1041                                rp_warning("deleting the current branch");
1042                                break;
1043                        case DENY_REFUSE:
1044                        case DENY_UNCONFIGURED:
1045                        case DENY_UPDATE_INSTEAD:
1046                                if (deny_delete_current == DENY_UNCONFIGURED)
1047                                        refuse_unconfigured_deny_delete_current();
1048                                rp_error("refusing to delete the current branch: %s", name);
1049                                return "deletion of the current branch prohibited";
1050                        default:
1051                                return "Invalid denyDeleteCurrent setting";
1052                        }
1053                }
1054        }
1055
1056        if (deny_non_fast_forwards && !is_null_sha1(new_sha1) &&
1057            !is_null_sha1(old_sha1) &&
1058            starts_with(name, "refs/heads/")) {
1059                struct object *old_object, *new_object;
1060                struct commit *old_commit, *new_commit;
1061
1062                old_object = parse_object(old_sha1);
1063                new_object = parse_object(new_sha1);
1064
1065                if (!old_object || !new_object ||
1066                    old_object->type != OBJ_COMMIT ||
1067                    new_object->type != OBJ_COMMIT) {
1068                        error("bad sha1 objects for %s", name);
1069                        return "bad ref";
1070                }
1071                old_commit = (struct commit *)old_object;
1072                new_commit = (struct commit *)new_object;
1073                if (!in_merge_bases(old_commit, new_commit)) {
1074                        rp_error("denying non-fast-forward %s"
1075                                 " (you should pull first)", name);
1076                        return "non-fast-forward";
1077                }
1078        }
1079        if (run_update_hook(cmd)) {
1080                rp_error("hook declined to update %s", name);
1081                return "hook declined";
1082        }
1083
1084        if (is_null_sha1(new_sha1)) {
1085                struct strbuf err = STRBUF_INIT;
1086                if (!parse_object(old_sha1)) {
1087                        old_sha1 = NULL;
1088                        if (ref_exists(name)) {
1089                                rp_warning("Allowing deletion of corrupt ref.");
1090                        } else {
1091                                rp_warning("Deleting a non-existent ref.");
1092                                cmd->did_not_exist = 1;
1093                        }
1094                }
1095                if (ref_transaction_delete(transaction,
1096                                           namespaced_name,
1097                                           old_sha1,
1098                                           0, "push", &err)) {
1099                        rp_error("%s", err.buf);
1100                        strbuf_release(&err);
1101                        return "failed to delete";
1102                }
1103                strbuf_release(&err);
1104                return NULL; /* good */
1105        }
1106        else {
1107                struct strbuf err = STRBUF_INIT;
1108                if (shallow_update && si->shallow_ref[cmd->index] &&
1109                    update_shallow_ref(cmd, si))
1110                        return "shallow error";
1111
1112                if (ref_transaction_update(transaction,
1113                                           namespaced_name,
1114                                           new_sha1, old_sha1,
1115                                           0, "push",
1116                                           &err)) {
1117                        rp_error("%s", err.buf);
1118                        strbuf_release(&err);
1119
1120                        return "failed to update ref";
1121                }
1122                strbuf_release(&err);
1123
1124                return NULL; /* good */
1125        }
1126}
1127
1128static void run_update_post_hook(struct command *commands)
1129{
1130        struct command *cmd;
1131        int argc;
1132        struct child_process proc = CHILD_PROCESS_INIT;
1133        const char *hook;
1134
1135        hook = find_hook("post-update");
1136        for (argc = 0, cmd = commands; cmd; cmd = cmd->next) {
1137                if (cmd->error_string || cmd->did_not_exist)
1138                        continue;
1139                argc++;
1140        }
1141        if (!argc || !hook)
1142                return;
1143
1144        argv_array_push(&proc.args, hook);
1145        for (cmd = commands; cmd; cmd = cmd->next) {
1146                if (cmd->error_string || cmd->did_not_exist)
1147                        continue;
1148                argv_array_push(&proc.args, cmd->ref_name);
1149        }
1150
1151        proc.no_stdin = 1;
1152        proc.stdout_to_stderr = 1;
1153        proc.err = use_sideband ? -1 : 0;
1154
1155        if (!start_command(&proc)) {
1156                if (use_sideband)
1157                        copy_to_sideband(proc.err, -1, NULL);
1158                finish_command(&proc);
1159        }
1160}
1161
1162static void check_aliased_update(struct command *cmd, struct string_list *list)
1163{
1164        struct strbuf buf = STRBUF_INIT;
1165        const char *dst_name;
1166        struct string_list_item *item;
1167        struct command *dst_cmd;
1168        unsigned char sha1[GIT_SHA1_RAWSZ];
1169        int flag;
1170
1171        strbuf_addf(&buf, "%s%s", get_git_namespace(), cmd->ref_name);
1172        dst_name = resolve_ref_unsafe(buf.buf, 0, sha1, &flag);
1173        strbuf_release(&buf);
1174
1175        if (!(flag & REF_ISSYMREF))
1176                return;
1177
1178        if (!dst_name) {
1179                rp_error("refusing update to broken symref '%s'", cmd->ref_name);
1180                cmd->skip_update = 1;
1181                cmd->error_string = "broken symref";
1182                return;
1183        }
1184        dst_name = strip_namespace(dst_name);
1185
1186        if ((item = string_list_lookup(list, dst_name)) == NULL)
1187                return;
1188
1189        cmd->skip_update = 1;
1190
1191        dst_cmd = (struct command *) item->util;
1192
1193        if (!hashcmp(cmd->old_sha1, dst_cmd->old_sha1) &&
1194            !hashcmp(cmd->new_sha1, dst_cmd->new_sha1))
1195                return;
1196
1197        dst_cmd->skip_update = 1;
1198
1199        rp_error("refusing inconsistent update between symref '%s' (%s..%s) and"
1200                 " its target '%s' (%s..%s)",
1201                 cmd->ref_name,
1202                 find_unique_abbrev(cmd->old_sha1, DEFAULT_ABBREV),
1203                 find_unique_abbrev(cmd->new_sha1, DEFAULT_ABBREV),
1204                 dst_cmd->ref_name,
1205                 find_unique_abbrev(dst_cmd->old_sha1, DEFAULT_ABBREV),
1206                 find_unique_abbrev(dst_cmd->new_sha1, DEFAULT_ABBREV));
1207
1208        cmd->error_string = dst_cmd->error_string =
1209                "inconsistent aliased update";
1210}
1211
1212static void check_aliased_updates(struct command *commands)
1213{
1214        struct command *cmd;
1215        struct string_list ref_list = STRING_LIST_INIT_NODUP;
1216
1217        for (cmd = commands; cmd; cmd = cmd->next) {
1218                struct string_list_item *item =
1219                        string_list_append(&ref_list, cmd->ref_name);
1220                item->util = (void *)cmd;
1221        }
1222        string_list_sort(&ref_list);
1223
1224        for (cmd = commands; cmd; cmd = cmd->next) {
1225                if (!cmd->error_string)
1226                        check_aliased_update(cmd, &ref_list);
1227        }
1228
1229        string_list_clear(&ref_list, 0);
1230}
1231
1232static int command_singleton_iterator(void *cb_data, unsigned char sha1[20])
1233{
1234        struct command **cmd_list = cb_data;
1235        struct command *cmd = *cmd_list;
1236
1237        if (!cmd || is_null_sha1(cmd->new_sha1))
1238                return -1; /* end of list */
1239        *cmd_list = NULL; /* this returns only one */
1240        hashcpy(sha1, cmd->new_sha1);
1241        return 0;
1242}
1243
1244static void set_connectivity_errors(struct command *commands,
1245                                    struct shallow_info *si)
1246{
1247        struct command *cmd;
1248
1249        for (cmd = commands; cmd; cmd = cmd->next) {
1250                struct command *singleton = cmd;
1251                struct check_connected_options opt = CHECK_CONNECTED_INIT;
1252
1253                if (shallow_update && si->shallow_ref[cmd->index])
1254                        /* to be checked in update_shallow_ref() */
1255                        continue;
1256
1257                opt.env = tmp_objdir_env(tmp_objdir);
1258                if (!check_connected(command_singleton_iterator, &singleton,
1259                                     &opt))
1260                        continue;
1261
1262                cmd->error_string = "missing necessary objects";
1263        }
1264}
1265
1266struct iterate_data {
1267        struct command *cmds;
1268        struct shallow_info *si;
1269};
1270
1271static int iterate_receive_command_list(void *cb_data, unsigned char sha1[20])
1272{
1273        struct iterate_data *data = cb_data;
1274        struct command **cmd_list = &data->cmds;
1275        struct command *cmd = *cmd_list;
1276
1277        for (; cmd; cmd = cmd->next) {
1278                if (shallow_update && data->si->shallow_ref[cmd->index])
1279                        /* to be checked in update_shallow_ref() */
1280                        continue;
1281                if (!is_null_sha1(cmd->new_sha1) && !cmd->skip_update) {
1282                        hashcpy(sha1, cmd->new_sha1);
1283                        *cmd_list = cmd->next;
1284                        return 0;
1285                }
1286        }
1287        *cmd_list = NULL;
1288        return -1; /* end of list */
1289}
1290
1291static void reject_updates_to_hidden(struct command *commands)
1292{
1293        struct strbuf refname_full = STRBUF_INIT;
1294        size_t prefix_len;
1295        struct command *cmd;
1296
1297        strbuf_addstr(&refname_full, get_git_namespace());
1298        prefix_len = refname_full.len;
1299
1300        for (cmd = commands; cmd; cmd = cmd->next) {
1301                if (cmd->error_string)
1302                        continue;
1303
1304                strbuf_setlen(&refname_full, prefix_len);
1305                strbuf_addstr(&refname_full, cmd->ref_name);
1306
1307                if (!ref_is_hidden(cmd->ref_name, refname_full.buf))
1308                        continue;
1309                if (is_null_sha1(cmd->new_sha1))
1310                        cmd->error_string = "deny deleting a hidden ref";
1311                else
1312                        cmd->error_string = "deny updating a hidden ref";
1313        }
1314
1315        strbuf_release(&refname_full);
1316}
1317
1318static int should_process_cmd(struct command *cmd)
1319{
1320        return !cmd->error_string && !cmd->skip_update;
1321}
1322
1323static void warn_if_skipped_connectivity_check(struct command *commands,
1324                                               struct shallow_info *si)
1325{
1326        struct command *cmd;
1327        int checked_connectivity = 1;
1328
1329        for (cmd = commands; cmd; cmd = cmd->next) {
1330                if (should_process_cmd(cmd) && si->shallow_ref[cmd->index]) {
1331                        error("BUG: connectivity check has not been run on ref %s",
1332                              cmd->ref_name);
1333                        checked_connectivity = 0;
1334                }
1335        }
1336        if (!checked_connectivity)
1337                die("BUG: connectivity check skipped???");
1338}
1339
1340static void execute_commands_non_atomic(struct command *commands,
1341                                        struct shallow_info *si)
1342{
1343        struct command *cmd;
1344        struct strbuf err = STRBUF_INIT;
1345
1346        for (cmd = commands; cmd; cmd = cmd->next) {
1347                if (!should_process_cmd(cmd))
1348                        continue;
1349
1350                transaction = ref_transaction_begin(&err);
1351                if (!transaction) {
1352                        rp_error("%s", err.buf);
1353                        strbuf_reset(&err);
1354                        cmd->error_string = "transaction failed to start";
1355                        continue;
1356                }
1357
1358                cmd->error_string = update(cmd, si);
1359
1360                if (!cmd->error_string
1361                    && ref_transaction_commit(transaction, &err)) {
1362                        rp_error("%s", err.buf);
1363                        strbuf_reset(&err);
1364                        cmd->error_string = "failed to update ref";
1365                }
1366                ref_transaction_free(transaction);
1367        }
1368        strbuf_release(&err);
1369}
1370
1371static void execute_commands_atomic(struct command *commands,
1372                                        struct shallow_info *si)
1373{
1374        struct command *cmd;
1375        struct strbuf err = STRBUF_INIT;
1376        const char *reported_error = "atomic push failure";
1377
1378        transaction = ref_transaction_begin(&err);
1379        if (!transaction) {
1380                rp_error("%s", err.buf);
1381                strbuf_reset(&err);
1382                reported_error = "transaction failed to start";
1383                goto failure;
1384        }
1385
1386        for (cmd = commands; cmd; cmd = cmd->next) {
1387                if (!should_process_cmd(cmd))
1388                        continue;
1389
1390                cmd->error_string = update(cmd, si);
1391
1392                if (cmd->error_string)
1393                        goto failure;
1394        }
1395
1396        if (ref_transaction_commit(transaction, &err)) {
1397                rp_error("%s", err.buf);
1398                reported_error = "atomic transaction failed";
1399                goto failure;
1400        }
1401        goto cleanup;
1402
1403failure:
1404        for (cmd = commands; cmd; cmd = cmd->next)
1405                if (!cmd->error_string)
1406                        cmd->error_string = reported_error;
1407
1408cleanup:
1409        ref_transaction_free(transaction);
1410        strbuf_release(&err);
1411}
1412
1413static void execute_commands(struct command *commands,
1414                             const char *unpacker_error,
1415                             struct shallow_info *si,
1416                             const struct string_list *push_options)
1417{
1418        struct check_connected_options opt = CHECK_CONNECTED_INIT;
1419        struct command *cmd;
1420        struct object_id oid;
1421        struct iterate_data data;
1422        struct async muxer;
1423        int err_fd = 0;
1424
1425        if (unpacker_error) {
1426                for (cmd = commands; cmd; cmd = cmd->next)
1427                        cmd->error_string = "unpacker error";
1428                return;
1429        }
1430
1431        if (use_sideband) {
1432                memset(&muxer, 0, sizeof(muxer));
1433                muxer.proc = copy_to_sideband;
1434                muxer.in = -1;
1435                if (!start_async(&muxer))
1436                        err_fd = muxer.in;
1437                /* ...else, continue without relaying sideband */
1438        }
1439
1440        data.cmds = commands;
1441        data.si = si;
1442        opt.err_fd = err_fd;
1443        opt.progress = err_fd && !quiet;
1444        opt.env = tmp_objdir_env(tmp_objdir);
1445        if (check_connected(iterate_receive_command_list, &data, &opt))
1446                set_connectivity_errors(commands, si);
1447
1448        if (use_sideband)
1449                finish_async(&muxer);
1450
1451        reject_updates_to_hidden(commands);
1452
1453        if (run_receive_hook(commands, "pre-receive", 0, push_options)) {
1454                for (cmd = commands; cmd; cmd = cmd->next) {
1455                        if (!cmd->error_string)
1456                                cmd->error_string = "pre-receive hook declined";
1457                }
1458                return;
1459        }
1460
1461        /*
1462         * Now we'll start writing out refs, which means the objects need
1463         * to be in their final positions so that other processes can see them.
1464         */
1465        if (tmp_objdir_migrate(tmp_objdir) < 0) {
1466                for (cmd = commands; cmd; cmd = cmd->next) {
1467                        if (!cmd->error_string)
1468                                cmd->error_string = "unable to migrate objects to permanent storage";
1469                }
1470                return;
1471        }
1472        tmp_objdir = NULL;
1473
1474        check_aliased_updates(commands);
1475
1476        free(head_name_to_free);
1477        head_name = head_name_to_free = resolve_refdup("HEAD", 0, oid.hash, NULL);
1478
1479        if (use_atomic)
1480                execute_commands_atomic(commands, si);
1481        else
1482                execute_commands_non_atomic(commands, si);
1483
1484        if (shallow_update)
1485                warn_if_skipped_connectivity_check(commands, si);
1486}
1487
1488static struct command **queue_command(struct command **tail,
1489                                      const char *line,
1490                                      int linelen)
1491{
1492        unsigned char old_sha1[20], new_sha1[20];
1493        struct command *cmd;
1494        const char *refname;
1495        int reflen;
1496
1497        if (linelen < 83 ||
1498            line[40] != ' ' ||
1499            line[81] != ' ' ||
1500            get_sha1_hex(line, old_sha1) ||
1501            get_sha1_hex(line + 41, new_sha1))
1502                die("protocol error: expected old/new/ref, got '%s'", line);
1503
1504        refname = line + 82;
1505        reflen = linelen - 82;
1506        FLEX_ALLOC_MEM(cmd, ref_name, refname, reflen);
1507        hashcpy(cmd->old_sha1, old_sha1);
1508        hashcpy(cmd->new_sha1, new_sha1);
1509        *tail = cmd;
1510        return &cmd->next;
1511}
1512
1513static void queue_commands_from_cert(struct command **tail,
1514                                     struct strbuf *push_cert)
1515{
1516        const char *boc, *eoc;
1517
1518        if (*tail)
1519                die("protocol error: got both push certificate and unsigned commands");
1520
1521        boc = strstr(push_cert->buf, "\n\n");
1522        if (!boc)
1523                die("malformed push certificate %.*s", 100, push_cert->buf);
1524        else
1525                boc += 2;
1526        eoc = push_cert->buf + parse_signature(push_cert->buf, push_cert->len);
1527
1528        while (boc < eoc) {
1529                const char *eol = memchr(boc, '\n', eoc - boc);
1530                tail = queue_command(tail, boc, eol ? eol - boc : eoc - eol);
1531                boc = eol ? eol + 1 : eoc;
1532        }
1533}
1534
1535static struct command *read_head_info(struct sha1_array *shallow)
1536{
1537        struct command *commands = NULL;
1538        struct command **p = &commands;
1539        for (;;) {
1540                char *line;
1541                int len, linelen;
1542
1543                line = packet_read_line(0, &len);
1544                if (!line)
1545                        break;
1546
1547                if (len == 48 && starts_with(line, "shallow ")) {
1548                        unsigned char sha1[20];
1549                        if (get_sha1_hex(line + 8, sha1))
1550                                die("protocol error: expected shallow sha, got '%s'",
1551                                    line + 8);
1552                        sha1_array_append(shallow, sha1);
1553                        continue;
1554                }
1555
1556                linelen = strlen(line);
1557                if (linelen < len) {
1558                        const char *feature_list = line + linelen + 1;
1559                        if (parse_feature_request(feature_list, "report-status"))
1560                                report_status = 1;
1561                        if (parse_feature_request(feature_list, "side-band-64k"))
1562                                use_sideband = LARGE_PACKET_MAX;
1563                        if (parse_feature_request(feature_list, "quiet"))
1564                                quiet = 1;
1565                        if (advertise_atomic_push
1566                            && parse_feature_request(feature_list, "atomic"))
1567                                use_atomic = 1;
1568                        if (advertise_push_options
1569                            && parse_feature_request(feature_list, "push-options"))
1570                                use_push_options = 1;
1571                }
1572
1573                if (!strcmp(line, "push-cert")) {
1574                        int true_flush = 0;
1575                        char certbuf[1024];
1576
1577                        for (;;) {
1578                                len = packet_read(0, NULL, NULL,
1579                                                  certbuf, sizeof(certbuf), 0);
1580                                if (!len) {
1581                                        true_flush = 1;
1582                                        break;
1583                                }
1584                                if (!strcmp(certbuf, "push-cert-end\n"))
1585                                        break; /* end of cert */
1586                                strbuf_addstr(&push_cert, certbuf);
1587                        }
1588
1589                        if (true_flush)
1590                                break;
1591                        continue;
1592                }
1593
1594                p = queue_command(p, line, linelen);
1595        }
1596
1597        if (push_cert.len)
1598                queue_commands_from_cert(p, &push_cert);
1599
1600        return commands;
1601}
1602
1603static void read_push_options(struct string_list *options)
1604{
1605        while (1) {
1606                char *line;
1607                int len;
1608
1609                line = packet_read_line(0, &len);
1610
1611                if (!line)
1612                        break;
1613
1614                string_list_append(options, line);
1615        }
1616}
1617
1618static const char *parse_pack_header(struct pack_header *hdr)
1619{
1620        switch (read_pack_header(0, hdr)) {
1621        case PH_ERROR_EOF:
1622                return "eof before pack header was fully read";
1623
1624        case PH_ERROR_PACK_SIGNATURE:
1625                return "protocol error (pack signature mismatch detected)";
1626
1627        case PH_ERROR_PROTOCOL:
1628                return "protocol error (pack version unsupported)";
1629
1630        default:
1631                return "unknown error in parse_pack_header";
1632
1633        case 0:
1634                return NULL;
1635        }
1636}
1637
1638static const char *pack_lockfile;
1639
1640static const char *unpack(int err_fd, struct shallow_info *si)
1641{
1642        struct pack_header hdr;
1643        const char *hdr_err;
1644        int status;
1645        char hdr_arg[38];
1646        struct child_process child = CHILD_PROCESS_INIT;
1647        int fsck_objects = (receive_fsck_objects >= 0
1648                            ? receive_fsck_objects
1649                            : transfer_fsck_objects >= 0
1650                            ? transfer_fsck_objects
1651                            : 0);
1652
1653        hdr_err = parse_pack_header(&hdr);
1654        if (hdr_err) {
1655                if (err_fd > 0)
1656                        close(err_fd);
1657                return hdr_err;
1658        }
1659        snprintf(hdr_arg, sizeof(hdr_arg),
1660                        "--pack_header=%"PRIu32",%"PRIu32,
1661                        ntohl(hdr.hdr_version), ntohl(hdr.hdr_entries));
1662
1663        if (si->nr_ours || si->nr_theirs) {
1664                alt_shallow_file = setup_temporary_shallow(si->shallow);
1665                argv_array_push(&child.args, "--shallow-file");
1666                argv_array_push(&child.args, alt_shallow_file);
1667        }
1668
1669        tmp_objdir = tmp_objdir_create();
1670        if (!tmp_objdir) {
1671                if (err_fd > 0)
1672                        close(err_fd);
1673                return "unable to create temporary object directory";
1674        }
1675        child.env = tmp_objdir_env(tmp_objdir);
1676
1677        /*
1678         * Normally we just pass the tmp_objdir environment to the child
1679         * processes that do the heavy lifting, but we may need to see these
1680         * objects ourselves to set up shallow information.
1681         */
1682        tmp_objdir_add_as_alternate(tmp_objdir);
1683
1684        if (ntohl(hdr.hdr_entries) < unpack_limit) {
1685                argv_array_pushl(&child.args, "unpack-objects", hdr_arg, NULL);
1686                if (quiet)
1687                        argv_array_push(&child.args, "-q");
1688                if (fsck_objects)
1689                        argv_array_pushf(&child.args, "--strict%s",
1690                                fsck_msg_types.buf);
1691                if (max_input_size)
1692                        argv_array_pushf(&child.args, "--max-input-size=%"PRIuMAX,
1693                                (uintmax_t)max_input_size);
1694                child.no_stdout = 1;
1695                child.err = err_fd;
1696                child.git_cmd = 1;
1697                status = run_command(&child);
1698                if (status)
1699                        return "unpack-objects abnormal exit";
1700        } else {
1701                char hostname[256];
1702
1703                argv_array_pushl(&child.args, "index-pack",
1704                                 "--stdin", hdr_arg, NULL);
1705
1706                if (gethostname(hostname, sizeof(hostname)))
1707                        xsnprintf(hostname, sizeof(hostname), "localhost");
1708                argv_array_pushf(&child.args,
1709                                 "--keep=receive-pack %"PRIuMAX" on %s",
1710                                 (uintmax_t)getpid(),
1711                                 hostname);
1712
1713                if (!quiet && err_fd)
1714                        argv_array_push(&child.args, "--show-resolving-progress");
1715                if (use_sideband)
1716                        argv_array_push(&child.args, "--report-end-of-input");
1717                if (fsck_objects)
1718                        argv_array_pushf(&child.args, "--strict%s",
1719                                fsck_msg_types.buf);
1720                if (!reject_thin)
1721                        argv_array_push(&child.args, "--fix-thin");
1722                if (max_input_size)
1723                        argv_array_pushf(&child.args, "--max-input-size=%"PRIuMAX,
1724                                (uintmax_t)max_input_size);
1725                child.out = -1;
1726                child.err = err_fd;
1727                child.git_cmd = 1;
1728                status = start_command(&child);
1729                if (status)
1730                        return "index-pack fork failed";
1731                pack_lockfile = index_pack_lockfile(child.out);
1732                close(child.out);
1733                status = finish_command(&child);
1734                if (status)
1735                        return "index-pack abnormal exit";
1736                reprepare_packed_git();
1737        }
1738        return NULL;
1739}
1740
1741static const char *unpack_with_sideband(struct shallow_info *si)
1742{
1743        struct async muxer;
1744        const char *ret;
1745
1746        if (!use_sideband)
1747                return unpack(0, si);
1748
1749        use_keepalive = KEEPALIVE_AFTER_NUL;
1750        memset(&muxer, 0, sizeof(muxer));
1751        muxer.proc = copy_to_sideband;
1752        muxer.in = -1;
1753        if (start_async(&muxer))
1754                return NULL;
1755
1756        ret = unpack(muxer.in, si);
1757
1758        finish_async(&muxer);
1759        return ret;
1760}
1761
1762static void prepare_shallow_update(struct command *commands,
1763                                   struct shallow_info *si)
1764{
1765        int i, j, k, bitmap_size = (si->ref->nr + 31) / 32;
1766
1767        ALLOC_ARRAY(si->used_shallow, si->shallow->nr);
1768        assign_shallow_commits_to_refs(si, si->used_shallow, NULL);
1769
1770        si->need_reachability_test =
1771                xcalloc(si->shallow->nr, sizeof(*si->need_reachability_test));
1772        si->reachable =
1773                xcalloc(si->shallow->nr, sizeof(*si->reachable));
1774        si->shallow_ref = xcalloc(si->ref->nr, sizeof(*si->shallow_ref));
1775
1776        for (i = 0; i < si->nr_ours; i++)
1777                si->need_reachability_test[si->ours[i]] = 1;
1778
1779        for (i = 0; i < si->shallow->nr; i++) {
1780                if (!si->used_shallow[i])
1781                        continue;
1782                for (j = 0; j < bitmap_size; j++) {
1783                        if (!si->used_shallow[i][j])
1784                                continue;
1785                        si->need_reachability_test[i]++;
1786                        for (k = 0; k < 32; k++)
1787                                if (si->used_shallow[i][j] & (1U << k))
1788                                        si->shallow_ref[j * 32 + k]++;
1789                }
1790
1791                /*
1792                 * true for those associated with some refs and belong
1793                 * in "ours" list aka "step 7 not done yet"
1794                 */
1795                si->need_reachability_test[i] =
1796                        si->need_reachability_test[i] > 1;
1797        }
1798
1799        /*
1800         * keep hooks happy by forcing a temporary shallow file via
1801         * env variable because we can't add --shallow-file to every
1802         * command. check_everything_connected() will be done with
1803         * true .git/shallow though.
1804         */
1805        setenv(GIT_SHALLOW_FILE_ENVIRONMENT, alt_shallow_file, 1);
1806}
1807
1808static void update_shallow_info(struct command *commands,
1809                                struct shallow_info *si,
1810                                struct sha1_array *ref)
1811{
1812        struct command *cmd;
1813        int *ref_status;
1814        remove_nonexistent_theirs_shallow(si);
1815        if (!si->nr_ours && !si->nr_theirs) {
1816                shallow_update = 0;
1817                return;
1818        }
1819
1820        for (cmd = commands; cmd; cmd = cmd->next) {
1821                if (is_null_sha1(cmd->new_sha1))
1822                        continue;
1823                sha1_array_append(ref, cmd->new_sha1);
1824                cmd->index = ref->nr - 1;
1825        }
1826        si->ref = ref;
1827
1828        if (shallow_update) {
1829                prepare_shallow_update(commands, si);
1830                return;
1831        }
1832
1833        ALLOC_ARRAY(ref_status, ref->nr);
1834        assign_shallow_commits_to_refs(si, NULL, ref_status);
1835        for (cmd = commands; cmd; cmd = cmd->next) {
1836                if (is_null_sha1(cmd->new_sha1))
1837                        continue;
1838                if (ref_status[cmd->index]) {
1839                        cmd->error_string = "shallow update not allowed";
1840                        cmd->skip_update = 1;
1841                }
1842        }
1843        free(ref_status);
1844}
1845
1846static void report(struct command *commands, const char *unpack_status)
1847{
1848        struct command *cmd;
1849        struct strbuf buf = STRBUF_INIT;
1850
1851        packet_buf_write(&buf, "unpack %s\n",
1852                         unpack_status ? unpack_status : "ok");
1853        for (cmd = commands; cmd; cmd = cmd->next) {
1854                if (!cmd->error_string)
1855                        packet_buf_write(&buf, "ok %s\n",
1856                                         cmd->ref_name);
1857                else
1858                        packet_buf_write(&buf, "ng %s %s\n",
1859                                         cmd->ref_name, cmd->error_string);
1860        }
1861        packet_buf_flush(&buf);
1862
1863        if (use_sideband)
1864                send_sideband(1, 1, buf.buf, buf.len, use_sideband);
1865        else
1866                write_or_die(1, buf.buf, buf.len);
1867        strbuf_release(&buf);
1868}
1869
1870static int delete_only(struct command *commands)
1871{
1872        struct command *cmd;
1873        for (cmd = commands; cmd; cmd = cmd->next) {
1874                if (!is_null_sha1(cmd->new_sha1))
1875                        return 0;
1876        }
1877        return 1;
1878}
1879
1880int cmd_receive_pack(int argc, const char **argv, const char *prefix)
1881{
1882        int advertise_refs = 0;
1883        struct command *commands;
1884        struct sha1_array shallow = SHA1_ARRAY_INIT;
1885        struct sha1_array ref = SHA1_ARRAY_INIT;
1886        struct shallow_info si;
1887
1888        struct option options[] = {
1889                OPT__QUIET(&quiet, N_("quiet")),
1890                OPT_HIDDEN_BOOL(0, "stateless-rpc", &stateless_rpc, NULL),
1891                OPT_HIDDEN_BOOL(0, "advertise-refs", &advertise_refs, NULL),
1892                OPT_HIDDEN_BOOL(0, "reject-thin-pack-for-testing", &reject_thin, NULL),
1893                OPT_END()
1894        };
1895
1896        packet_trace_identity("receive-pack");
1897
1898        argc = parse_options(argc, argv, prefix, options, receive_pack_usage, 0);
1899
1900        if (argc > 1)
1901                usage_msg_opt(_("Too many arguments."), receive_pack_usage, options);
1902        if (argc == 0)
1903                usage_msg_opt(_("You must specify a directory."), receive_pack_usage, options);
1904
1905        service_dir = argv[0];
1906
1907        setup_path();
1908
1909        if (!enter_repo(service_dir, 0))
1910                die("'%s' does not appear to be a git repository", service_dir);
1911
1912        git_config(receive_pack_config, NULL);
1913        if (cert_nonce_seed)
1914                push_cert_nonce = prepare_push_cert_nonce(service_dir, time(NULL));
1915
1916        if (0 <= transfer_unpack_limit)
1917                unpack_limit = transfer_unpack_limit;
1918        else if (0 <= receive_unpack_limit)
1919                unpack_limit = receive_unpack_limit;
1920
1921        if (advertise_refs || !stateless_rpc) {
1922                write_head_info();
1923        }
1924        if (advertise_refs)
1925                return 0;
1926
1927        if ((commands = read_head_info(&shallow)) != NULL) {
1928                const char *unpack_status = NULL;
1929                struct string_list push_options = STRING_LIST_INIT_DUP;
1930
1931                if (use_push_options)
1932                        read_push_options(&push_options);
1933
1934                prepare_shallow_info(&si, &shallow);
1935                if (!si.nr_ours && !si.nr_theirs)
1936                        shallow_update = 0;
1937                if (!delete_only(commands)) {
1938                        unpack_status = unpack_with_sideband(&si);
1939                        update_shallow_info(commands, &si, &ref);
1940                }
1941                use_keepalive = KEEPALIVE_ALWAYS;
1942                execute_commands(commands, unpack_status, &si,
1943                                 &push_options);
1944                if (pack_lockfile)
1945                        unlink_or_warn(pack_lockfile);
1946                if (report_status)
1947                        report(commands, unpack_status);
1948                run_receive_hook(commands, "post-receive", 1,
1949                                 &push_options);
1950                run_update_post_hook(commands);
1951                string_list_clear(&push_options, 0);
1952                if (auto_gc) {
1953                        const char *argv_gc_auto[] = {
1954                                "gc", "--auto", "--quiet", NULL,
1955                        };
1956                        struct child_process proc = CHILD_PROCESS_INIT;
1957
1958                        proc.no_stdin = 1;
1959                        proc.stdout_to_stderr = 1;
1960                        proc.err = use_sideband ? -1 : 0;
1961                        proc.git_cmd = 1;
1962                        proc.argv = argv_gc_auto;
1963
1964                        close_all_packs();
1965                        if (!start_command(&proc)) {
1966                                if (use_sideband)
1967                                        copy_to_sideband(proc.err, -1, NULL);
1968                                finish_command(&proc);
1969                        }
1970                }
1971                if (auto_update_server_info)
1972                        update_server_info(0);
1973                clear_shallow_info(&si);
1974        }
1975        if (use_sideband)
1976                packet_flush(1);
1977        sha1_array_clear(&shallow);
1978        sha1_array_clear(&ref);
1979        free((void *)push_cert_nonce);
1980        return 0;
1981}