builtin / receive-pack.con commit submodule--helper: move config-sanitizing to submodule.c (4638728)
   1#include "builtin.h"
   2#include "lockfile.h"
   3#include "pack.h"
   4#include "refs.h"
   5#include "pkt-line.h"
   6#include "sideband.h"
   7#include "run-command.h"
   8#include "exec_cmd.h"
   9#include "commit.h"
  10#include "object.h"
  11#include "remote.h"
  12#include "connect.h"
  13#include "transport.h"
  14#include "string-list.h"
  15#include "sha1-array.h"
  16#include "connected.h"
  17#include "argv-array.h"
  18#include "version.h"
  19#include "tag.h"
  20#include "gpg-interface.h"
  21#include "sigchain.h"
  22#include "fsck.h"
  23
  24static const char receive_pack_usage[] = "git receive-pack <git-dir>";
  25
  26enum deny_action {
  27        DENY_UNCONFIGURED,
  28        DENY_IGNORE,
  29        DENY_WARN,
  30        DENY_REFUSE,
  31        DENY_UPDATE_INSTEAD
  32};
  33
  34static int deny_deletes;
  35static int deny_non_fast_forwards;
  36static enum deny_action deny_current_branch = DENY_UNCONFIGURED;
  37static enum deny_action deny_delete_current = DENY_UNCONFIGURED;
  38static int receive_fsck_objects = -1;
  39static int transfer_fsck_objects = -1;
  40static struct strbuf fsck_msg_types = STRBUF_INIT;
  41static int receive_unpack_limit = -1;
  42static int transfer_unpack_limit = -1;
  43static int advertise_atomic_push = 1;
  44static int unpack_limit = 100;
  45static int report_status;
  46static int use_sideband;
  47static int use_atomic;
  48static int quiet;
  49static int prefer_ofs_delta = 1;
  50static int auto_update_server_info;
  51static int auto_gc = 1;
  52static int fix_thin = 1;
  53static int stateless_rpc;
  54static const char *service_dir;
  55static const char *head_name;
  56static void *head_name_to_free;
  57static int sent_capabilities;
  58static int shallow_update;
  59static const char *alt_shallow_file;
  60static struct strbuf push_cert = STRBUF_INIT;
  61static unsigned char push_cert_sha1[20];
  62static struct signature_check sigcheck;
  63static const char *push_cert_nonce;
  64static const char *cert_nonce_seed;
  65
  66static const char *NONCE_UNSOLICITED = "UNSOLICITED";
  67static const char *NONCE_BAD = "BAD";
  68static const char *NONCE_MISSING = "MISSING";
  69static const char *NONCE_OK = "OK";
  70static const char *NONCE_SLOP = "SLOP";
  71static const char *nonce_status;
  72static long nonce_stamp_slop;
  73static unsigned long nonce_stamp_slop_limit;
  74static struct ref_transaction *transaction;
  75
  76static enum deny_action parse_deny_action(const char *var, const char *value)
  77{
  78        if (value) {
  79                if (!strcasecmp(value, "ignore"))
  80                        return DENY_IGNORE;
  81                if (!strcasecmp(value, "warn"))
  82                        return DENY_WARN;
  83                if (!strcasecmp(value, "refuse"))
  84                        return DENY_REFUSE;
  85                if (!strcasecmp(value, "updateinstead"))
  86                        return DENY_UPDATE_INSTEAD;
  87        }
  88        if (git_config_bool(var, value))
  89                return DENY_REFUSE;
  90        return DENY_IGNORE;
  91}
  92
  93static int receive_pack_config(const char *var, const char *value, void *cb)
  94{
  95        int status = parse_hide_refs_config(var, value, "receive");
  96
  97        if (status)
  98                return status;
  99
 100        if (strcmp(var, "receive.denydeletes") == 0) {
 101                deny_deletes = git_config_bool(var, value);
 102                return 0;
 103        }
 104
 105        if (strcmp(var, "receive.denynonfastforwards") == 0) {
 106                deny_non_fast_forwards = git_config_bool(var, value);
 107                return 0;
 108        }
 109
 110        if (strcmp(var, "receive.unpacklimit") == 0) {
 111                receive_unpack_limit = git_config_int(var, value);
 112                return 0;
 113        }
 114
 115        if (strcmp(var, "transfer.unpacklimit") == 0) {
 116                transfer_unpack_limit = git_config_int(var, value);
 117                return 0;
 118        }
 119
 120        if (strcmp(var, "receive.fsck.skiplist") == 0) {
 121                const char *path;
 122
 123                if (git_config_pathname(&path, var, value))
 124                        return 1;
 125                strbuf_addf(&fsck_msg_types, "%cskiplist=%s",
 126                        fsck_msg_types.len ? ',' : '=', path);
 127                free((char *)path);
 128                return 0;
 129        }
 130
 131        if (skip_prefix(var, "receive.fsck.", &var)) {
 132                if (is_valid_msg_type(var, value))
 133                        strbuf_addf(&fsck_msg_types, "%c%s=%s",
 134                                fsck_msg_types.len ? ',' : '=', var, value);
 135                else
 136                        warning("Skipping unknown msg id '%s'", var);
 137                return 0;
 138        }
 139
 140        if (strcmp(var, "receive.fsckobjects") == 0) {
 141                receive_fsck_objects = git_config_bool(var, value);
 142                return 0;
 143        }
 144
 145        if (strcmp(var, "transfer.fsckobjects") == 0) {
 146                transfer_fsck_objects = git_config_bool(var, value);
 147                return 0;
 148        }
 149
 150        if (!strcmp(var, "receive.denycurrentbranch")) {
 151                deny_current_branch = parse_deny_action(var, value);
 152                return 0;
 153        }
 154
 155        if (strcmp(var, "receive.denydeletecurrent") == 0) {
 156                deny_delete_current = parse_deny_action(var, value);
 157                return 0;
 158        }
 159
 160        if (strcmp(var, "repack.usedeltabaseoffset") == 0) {
 161                prefer_ofs_delta = git_config_bool(var, value);
 162                return 0;
 163        }
 164
 165        if (strcmp(var, "receive.updateserverinfo") == 0) {
 166                auto_update_server_info = git_config_bool(var, value);
 167                return 0;
 168        }
 169
 170        if (strcmp(var, "receive.autogc") == 0) {
 171                auto_gc = git_config_bool(var, value);
 172                return 0;
 173        }
 174
 175        if (strcmp(var, "receive.shallowupdate") == 0) {
 176                shallow_update = git_config_bool(var, value);
 177                return 0;
 178        }
 179
 180        if (strcmp(var, "receive.certnonceseed") == 0)
 181                return git_config_string(&cert_nonce_seed, var, value);
 182
 183        if (strcmp(var, "receive.certnonceslop") == 0) {
 184                nonce_stamp_slop_limit = git_config_ulong(var, value);
 185                return 0;
 186        }
 187
 188        if (strcmp(var, "receive.advertiseatomic") == 0) {
 189                advertise_atomic_push = git_config_bool(var, value);
 190                return 0;
 191        }
 192
 193        return git_default_config(var, value, cb);
 194}
 195
 196static void show_ref(const char *path, const unsigned char *sha1)
 197{
 198        if (sent_capabilities) {
 199                packet_write(1, "%s %s\n", sha1_to_hex(sha1), path);
 200        } else {
 201                struct strbuf cap = STRBUF_INIT;
 202
 203                strbuf_addstr(&cap,
 204                              "report-status delete-refs side-band-64k quiet");
 205                if (advertise_atomic_push)
 206                        strbuf_addstr(&cap, " atomic");
 207                if (prefer_ofs_delta)
 208                        strbuf_addstr(&cap, " ofs-delta");
 209                if (push_cert_nonce)
 210                        strbuf_addf(&cap, " push-cert=%s", push_cert_nonce);
 211                strbuf_addf(&cap, " agent=%s", git_user_agent_sanitized());
 212                packet_write(1, "%s %s%c%s\n",
 213                             sha1_to_hex(sha1), path, 0, cap.buf);
 214                strbuf_release(&cap);
 215                sent_capabilities = 1;
 216        }
 217}
 218
 219static int show_ref_cb(const char *path_full, const struct object_id *oid,
 220                       int flag, void *unused)
 221{
 222        const char *path = strip_namespace(path_full);
 223
 224        if (ref_is_hidden(path, path_full))
 225                return 0;
 226
 227        /*
 228         * Advertise refs outside our current namespace as ".have"
 229         * refs, so that the client can use them to minimize data
 230         * transfer but will otherwise ignore them. This happens to
 231         * cover ".have" that are thrown in by add_one_alternate_ref()
 232         * to mark histories that are complete in our alternates as
 233         * well.
 234         */
 235        if (!path)
 236                path = ".have";
 237        show_ref(path, oid->hash);
 238        return 0;
 239}
 240
 241static void show_one_alternate_sha1(const unsigned char sha1[20], void *unused)
 242{
 243        show_ref(".have", sha1);
 244}
 245
 246static void collect_one_alternate_ref(const struct ref *ref, void *data)
 247{
 248        struct sha1_array *sa = data;
 249        sha1_array_append(sa, ref->old_oid.hash);
 250}
 251
 252static void write_head_info(void)
 253{
 254        struct sha1_array sa = SHA1_ARRAY_INIT;
 255
 256        for_each_alternate_ref(collect_one_alternate_ref, &sa);
 257        sha1_array_for_each_unique(&sa, show_one_alternate_sha1, NULL);
 258        sha1_array_clear(&sa);
 259        for_each_ref(show_ref_cb, NULL);
 260        if (!sent_capabilities)
 261                show_ref("capabilities^{}", null_sha1);
 262
 263        advertise_shallow_grafts(1);
 264
 265        /* EOF */
 266        packet_flush(1);
 267}
 268
 269struct command {
 270        struct command *next;
 271        const char *error_string;
 272        unsigned int skip_update:1,
 273                     did_not_exist:1;
 274        int index;
 275        unsigned char old_sha1[20];
 276        unsigned char new_sha1[20];
 277        char ref_name[FLEX_ARRAY]; /* more */
 278};
 279
 280static void rp_error(const char *err, ...) __attribute__((format (printf, 1, 2)));
 281static void rp_warning(const char *err, ...) __attribute__((format (printf, 1, 2)));
 282
 283static void report_message(const char *prefix, const char *err, va_list params)
 284{
 285        int sz;
 286        char msg[4096];
 287
 288        sz = xsnprintf(msg, sizeof(msg), "%s", prefix);
 289        sz += vsnprintf(msg + sz, sizeof(msg) - sz, err, params);
 290        if (sz > (sizeof(msg) - 1))
 291                sz = sizeof(msg) - 1;
 292        msg[sz++] = '\n';
 293
 294        if (use_sideband)
 295                send_sideband(1, 2, msg, sz, use_sideband);
 296        else
 297                xwrite(2, msg, sz);
 298}
 299
 300static void rp_warning(const char *err, ...)
 301{
 302        va_list params;
 303        va_start(params, err);
 304        report_message("warning: ", err, params);
 305        va_end(params);
 306}
 307
 308static void rp_error(const char *err, ...)
 309{
 310        va_list params;
 311        va_start(params, err);
 312        report_message("error: ", err, params);
 313        va_end(params);
 314}
 315
 316static int copy_to_sideband(int in, int out, void *arg)
 317{
 318        char data[128];
 319        while (1) {
 320                ssize_t sz = xread(in, data, sizeof(data));
 321                if (sz <= 0)
 322                        break;
 323                send_sideband(1, 2, data, sz, use_sideband);
 324        }
 325        close(in);
 326        return 0;
 327}
 328
 329#define HMAC_BLOCK_SIZE 64
 330
 331static void hmac_sha1(unsigned char *out,
 332                      const char *key_in, size_t key_len,
 333                      const char *text, size_t text_len)
 334{
 335        unsigned char key[HMAC_BLOCK_SIZE];
 336        unsigned char k_ipad[HMAC_BLOCK_SIZE];
 337        unsigned char k_opad[HMAC_BLOCK_SIZE];
 338        int i;
 339        git_SHA_CTX ctx;
 340
 341        /* RFC 2104 2. (1) */
 342        memset(key, '\0', HMAC_BLOCK_SIZE);
 343        if (HMAC_BLOCK_SIZE < key_len) {
 344                git_SHA1_Init(&ctx);
 345                git_SHA1_Update(&ctx, key_in, key_len);
 346                git_SHA1_Final(key, &ctx);
 347        } else {
 348                memcpy(key, key_in, key_len);
 349        }
 350
 351        /* RFC 2104 2. (2) & (5) */
 352        for (i = 0; i < sizeof(key); i++) {
 353                k_ipad[i] = key[i] ^ 0x36;
 354                k_opad[i] = key[i] ^ 0x5c;
 355        }
 356
 357        /* RFC 2104 2. (3) & (4) */
 358        git_SHA1_Init(&ctx);
 359        git_SHA1_Update(&ctx, k_ipad, sizeof(k_ipad));
 360        git_SHA1_Update(&ctx, text, text_len);
 361        git_SHA1_Final(out, &ctx);
 362
 363        /* RFC 2104 2. (6) & (7) */
 364        git_SHA1_Init(&ctx);
 365        git_SHA1_Update(&ctx, k_opad, sizeof(k_opad));
 366        git_SHA1_Update(&ctx, out, 20);
 367        git_SHA1_Final(out, &ctx);
 368}
 369
 370static char *prepare_push_cert_nonce(const char *path, unsigned long stamp)
 371{
 372        struct strbuf buf = STRBUF_INIT;
 373        unsigned char sha1[20];
 374
 375        strbuf_addf(&buf, "%s:%lu", path, stamp);
 376        hmac_sha1(sha1, buf.buf, buf.len, cert_nonce_seed, strlen(cert_nonce_seed));;
 377        strbuf_release(&buf);
 378
 379        /* RFC 2104 5. HMAC-SHA1-80 */
 380        strbuf_addf(&buf, "%lu-%.*s", stamp, 20, sha1_to_hex(sha1));
 381        return strbuf_detach(&buf, NULL);
 382}
 383
 384/*
 385 * NEEDSWORK: reuse find_commit_header() from jk/commit-author-parsing
 386 * after dropping "_commit" from its name and possibly moving it out
 387 * of commit.c
 388 */
 389static char *find_header(const char *msg, size_t len, const char *key)
 390{
 391        int key_len = strlen(key);
 392        const char *line = msg;
 393
 394        while (line && line < msg + len) {
 395                const char *eol = strchrnul(line, '\n');
 396
 397                if ((msg + len <= eol) || line == eol)
 398                        return NULL;
 399                if (line + key_len < eol &&
 400                    !memcmp(line, key, key_len) && line[key_len] == ' ') {
 401                        int offset = key_len + 1;
 402                        return xmemdupz(line + offset, (eol - line) - offset);
 403                }
 404                line = *eol ? eol + 1 : NULL;
 405        }
 406        return NULL;
 407}
 408
 409static const char *check_nonce(const char *buf, size_t len)
 410{
 411        char *nonce = find_header(buf, len, "nonce");
 412        unsigned long stamp, ostamp;
 413        char *bohmac, *expect = NULL;
 414        const char *retval = NONCE_BAD;
 415
 416        if (!nonce) {
 417                retval = NONCE_MISSING;
 418                goto leave;
 419        } else if (!push_cert_nonce) {
 420                retval = NONCE_UNSOLICITED;
 421                goto leave;
 422        } else if (!strcmp(push_cert_nonce, nonce)) {
 423                retval = NONCE_OK;
 424                goto leave;
 425        }
 426
 427        if (!stateless_rpc) {
 428                /* returned nonce MUST match what we gave out earlier */
 429                retval = NONCE_BAD;
 430                goto leave;
 431        }
 432
 433        /*
 434         * In stateless mode, we may be receiving a nonce issued by
 435         * another instance of the server that serving the same
 436         * repository, and the timestamps may not match, but the
 437         * nonce-seed and dir should match, so we can recompute and
 438         * report the time slop.
 439         *
 440         * In addition, when a nonce issued by another instance has
 441         * timestamp within receive.certnonceslop seconds, we pretend
 442         * as if we issued that nonce when reporting to the hook.
 443         */
 444
 445        /* nonce is concat(<seconds-since-epoch>, "-", <hmac>) */
 446        if (*nonce <= '0' || '9' < *nonce) {
 447                retval = NONCE_BAD;
 448                goto leave;
 449        }
 450        stamp = strtoul(nonce, &bohmac, 10);
 451        if (bohmac == nonce || bohmac[0] != '-') {
 452                retval = NONCE_BAD;
 453                goto leave;
 454        }
 455
 456        expect = prepare_push_cert_nonce(service_dir, stamp);
 457        if (strcmp(expect, nonce)) {
 458                /* Not what we would have signed earlier */
 459                retval = NONCE_BAD;
 460                goto leave;
 461        }
 462
 463        /*
 464         * By how many seconds is this nonce stale?  Negative value
 465         * would mean it was issued by another server with its clock
 466         * skewed in the future.
 467         */
 468        ostamp = strtoul(push_cert_nonce, NULL, 10);
 469        nonce_stamp_slop = (long)ostamp - (long)stamp;
 470
 471        if (nonce_stamp_slop_limit &&
 472            labs(nonce_stamp_slop) <= nonce_stamp_slop_limit) {
 473                /*
 474                 * Pretend as if the received nonce (which passes the
 475                 * HMAC check, so it is not a forged by third-party)
 476                 * is what we issued.
 477                 */
 478                free((void *)push_cert_nonce);
 479                push_cert_nonce = xstrdup(nonce);
 480                retval = NONCE_OK;
 481        } else {
 482                retval = NONCE_SLOP;
 483        }
 484
 485leave:
 486        free(nonce);
 487        free(expect);
 488        return retval;
 489}
 490
 491static void prepare_push_cert_sha1(struct child_process *proc)
 492{
 493        static int already_done;
 494
 495        if (!push_cert.len)
 496                return;
 497
 498        if (!already_done) {
 499                struct strbuf gpg_output = STRBUF_INIT;
 500                struct strbuf gpg_status = STRBUF_INIT;
 501                int bogs /* beginning_of_gpg_sig */;
 502
 503                already_done = 1;
 504                if (write_sha1_file(push_cert.buf, push_cert.len, "blob", push_cert_sha1))
 505                        hashclr(push_cert_sha1);
 506
 507                memset(&sigcheck, '\0', sizeof(sigcheck));
 508                sigcheck.result = 'N';
 509
 510                bogs = parse_signature(push_cert.buf, push_cert.len);
 511                if (verify_signed_buffer(push_cert.buf, bogs,
 512                                         push_cert.buf + bogs, push_cert.len - bogs,
 513                                         &gpg_output, &gpg_status) < 0) {
 514                        ; /* error running gpg */
 515                } else {
 516                        sigcheck.payload = push_cert.buf;
 517                        sigcheck.gpg_output = gpg_output.buf;
 518                        sigcheck.gpg_status = gpg_status.buf;
 519                        parse_gpg_output(&sigcheck);
 520                }
 521
 522                strbuf_release(&gpg_output);
 523                strbuf_release(&gpg_status);
 524                nonce_status = check_nonce(push_cert.buf, bogs);
 525        }
 526        if (!is_null_sha1(push_cert_sha1)) {
 527                argv_array_pushf(&proc->env_array, "GIT_PUSH_CERT=%s",
 528                                 sha1_to_hex(push_cert_sha1));
 529                argv_array_pushf(&proc->env_array, "GIT_PUSH_CERT_SIGNER=%s",
 530                                 sigcheck.signer ? sigcheck.signer : "");
 531                argv_array_pushf(&proc->env_array, "GIT_PUSH_CERT_KEY=%s",
 532                                 sigcheck.key ? sigcheck.key : "");
 533                argv_array_pushf(&proc->env_array, "GIT_PUSH_CERT_STATUS=%c",
 534                                 sigcheck.result);
 535                if (push_cert_nonce) {
 536                        argv_array_pushf(&proc->env_array,
 537                                         "GIT_PUSH_CERT_NONCE=%s",
 538                                         push_cert_nonce);
 539                        argv_array_pushf(&proc->env_array,
 540                                         "GIT_PUSH_CERT_NONCE_STATUS=%s",
 541                                         nonce_status);
 542                        if (nonce_status == NONCE_SLOP)
 543                                argv_array_pushf(&proc->env_array,
 544                                                 "GIT_PUSH_CERT_NONCE_SLOP=%ld",
 545                                                 nonce_stamp_slop);
 546                }
 547        }
 548}
 549
 550typedef int (*feed_fn)(void *, const char **, size_t *);
 551static int run_and_feed_hook(const char *hook_name, feed_fn feed, void *feed_state)
 552{
 553        struct child_process proc = CHILD_PROCESS_INIT;
 554        struct async muxer;
 555        const char *argv[2];
 556        int code;
 557
 558        argv[0] = find_hook(hook_name);
 559        if (!argv[0])
 560                return 0;
 561
 562        argv[1] = NULL;
 563
 564        proc.argv = argv;
 565        proc.in = -1;
 566        proc.stdout_to_stderr = 1;
 567
 568        if (use_sideband) {
 569                memset(&muxer, 0, sizeof(muxer));
 570                muxer.proc = copy_to_sideband;
 571                muxer.in = -1;
 572                code = start_async(&muxer);
 573                if (code)
 574                        return code;
 575                proc.err = muxer.in;
 576        }
 577
 578        prepare_push_cert_sha1(&proc);
 579
 580        code = start_command(&proc);
 581        if (code) {
 582                if (use_sideband)
 583                        finish_async(&muxer);
 584                return code;
 585        }
 586
 587        sigchain_push(SIGPIPE, SIG_IGN);
 588
 589        while (1) {
 590                const char *buf;
 591                size_t n;
 592                if (feed(feed_state, &buf, &n))
 593                        break;
 594                if (write_in_full(proc.in, buf, n) != n)
 595                        break;
 596        }
 597        close(proc.in);
 598        if (use_sideband)
 599                finish_async(&muxer);
 600
 601        sigchain_pop(SIGPIPE);
 602
 603        return finish_command(&proc);
 604}
 605
 606struct receive_hook_feed_state {
 607        struct command *cmd;
 608        int skip_broken;
 609        struct strbuf buf;
 610};
 611
 612static int feed_receive_hook(void *state_, const char **bufp, size_t *sizep)
 613{
 614        struct receive_hook_feed_state *state = state_;
 615        struct command *cmd = state->cmd;
 616
 617        while (cmd &&
 618               state->skip_broken && (cmd->error_string || cmd->did_not_exist))
 619                cmd = cmd->next;
 620        if (!cmd)
 621                return -1; /* EOF */
 622        strbuf_reset(&state->buf);
 623        strbuf_addf(&state->buf, "%s %s %s\n",
 624                    sha1_to_hex(cmd->old_sha1), sha1_to_hex(cmd->new_sha1),
 625                    cmd->ref_name);
 626        state->cmd = cmd->next;
 627        if (bufp) {
 628                *bufp = state->buf.buf;
 629                *sizep = state->buf.len;
 630        }
 631        return 0;
 632}
 633
 634static int run_receive_hook(struct command *commands, const char *hook_name,
 635                            int skip_broken)
 636{
 637        struct receive_hook_feed_state state;
 638        int status;
 639
 640        strbuf_init(&state.buf, 0);
 641        state.cmd = commands;
 642        state.skip_broken = skip_broken;
 643        if (feed_receive_hook(&state, NULL, NULL))
 644                return 0;
 645        state.cmd = commands;
 646        status = run_and_feed_hook(hook_name, feed_receive_hook, &state);
 647        strbuf_release(&state.buf);
 648        return status;
 649}
 650
 651static int run_update_hook(struct command *cmd)
 652{
 653        const char *argv[5];
 654        struct child_process proc = CHILD_PROCESS_INIT;
 655        int code;
 656
 657        argv[0] = find_hook("update");
 658        if (!argv[0])
 659                return 0;
 660
 661        argv[1] = cmd->ref_name;
 662        argv[2] = sha1_to_hex(cmd->old_sha1);
 663        argv[3] = sha1_to_hex(cmd->new_sha1);
 664        argv[4] = NULL;
 665
 666        proc.no_stdin = 1;
 667        proc.stdout_to_stderr = 1;
 668        proc.err = use_sideband ? -1 : 0;
 669        proc.argv = argv;
 670
 671        code = start_command(&proc);
 672        if (code)
 673                return code;
 674        if (use_sideband)
 675                copy_to_sideband(proc.err, -1, NULL);
 676        return finish_command(&proc);
 677}
 678
 679static int is_ref_checked_out(const char *ref)
 680{
 681        if (is_bare_repository())
 682                return 0;
 683
 684        if (!head_name)
 685                return 0;
 686        return !strcmp(head_name, ref);
 687}
 688
 689static char *refuse_unconfigured_deny_msg[] = {
 690        "By default, updating the current branch in a non-bare repository",
 691        "is denied, because it will make the index and work tree inconsistent",
 692        "with what you pushed, and will require 'git reset --hard' to match",
 693        "the work tree to HEAD.",
 694        "",
 695        "You can set 'receive.denyCurrentBranch' configuration variable to",
 696        "'ignore' or 'warn' in the remote repository to allow pushing into",
 697        "its current branch; however, this is not recommended unless you",
 698        "arranged to update its work tree to match what you pushed in some",
 699        "other way.",
 700        "",
 701        "To squelch this message and still keep the default behaviour, set",
 702        "'receive.denyCurrentBranch' configuration variable to 'refuse'."
 703};
 704
 705static void refuse_unconfigured_deny(void)
 706{
 707        int i;
 708        for (i = 0; i < ARRAY_SIZE(refuse_unconfigured_deny_msg); i++)
 709                rp_error("%s", refuse_unconfigured_deny_msg[i]);
 710}
 711
 712static char *refuse_unconfigured_deny_delete_current_msg[] = {
 713        "By default, deleting the current branch is denied, because the next",
 714        "'git clone' won't result in any file checked out, causing confusion.",
 715        "",
 716        "You can set 'receive.denyDeleteCurrent' configuration variable to",
 717        "'warn' or 'ignore' in the remote repository to allow deleting the",
 718        "current branch, with or without a warning message.",
 719        "",
 720        "To squelch this message, you can set it to 'refuse'."
 721};
 722
 723static void refuse_unconfigured_deny_delete_current(void)
 724{
 725        int i;
 726        for (i = 0;
 727             i < ARRAY_SIZE(refuse_unconfigured_deny_delete_current_msg);
 728             i++)
 729                rp_error("%s", refuse_unconfigured_deny_delete_current_msg[i]);
 730}
 731
 732static int command_singleton_iterator(void *cb_data, unsigned char sha1[20]);
 733static int update_shallow_ref(struct command *cmd, struct shallow_info *si)
 734{
 735        static struct lock_file shallow_lock;
 736        struct sha1_array extra = SHA1_ARRAY_INIT;
 737        const char *alt_file;
 738        uint32_t mask = 1 << (cmd->index % 32);
 739        int i;
 740
 741        trace_printf_key(&trace_shallow,
 742                         "shallow: update_shallow_ref %s\n", cmd->ref_name);
 743        for (i = 0; i < si->shallow->nr; i++)
 744                if (si->used_shallow[i] &&
 745                    (si->used_shallow[i][cmd->index / 32] & mask) &&
 746                    !delayed_reachability_test(si, i))
 747                        sha1_array_append(&extra, si->shallow->sha1[i]);
 748
 749        setup_alternate_shallow(&shallow_lock, &alt_file, &extra);
 750        if (check_shallow_connected(command_singleton_iterator,
 751                                    0, cmd, alt_file)) {
 752                rollback_lock_file(&shallow_lock);
 753                sha1_array_clear(&extra);
 754                return -1;
 755        }
 756
 757        commit_lock_file(&shallow_lock);
 758
 759        /*
 760         * Make sure setup_alternate_shallow() for the next ref does
 761         * not lose these new roots..
 762         */
 763        for (i = 0; i < extra.nr; i++)
 764                register_shallow(extra.sha1[i]);
 765
 766        si->shallow_ref[cmd->index] = 0;
 767        sha1_array_clear(&extra);
 768        return 0;
 769}
 770
 771/*
 772 * NEEDSWORK: we should consolidate various implementions of "are we
 773 * on an unborn branch?" test into one, and make the unified one more
 774 * robust. !get_sha1() based check used here and elsewhere would not
 775 * allow us to tell an unborn branch from corrupt ref, for example.
 776 * For the purpose of fixing "deploy-to-update does not work when
 777 * pushing into an empty repository" issue, this should suffice for
 778 * now.
 779 */
 780static int head_has_history(void)
 781{
 782        unsigned char sha1[20];
 783
 784        return !get_sha1("HEAD", sha1);
 785}
 786
 787static const char *push_to_deploy(unsigned char *sha1,
 788                                  struct argv_array *env,
 789                                  const char *work_tree)
 790{
 791        const char *update_refresh[] = {
 792                "update-index", "-q", "--ignore-submodules", "--refresh", NULL
 793        };
 794        const char *diff_files[] = {
 795                "diff-files", "--quiet", "--ignore-submodules", "--", NULL
 796        };
 797        const char *diff_index[] = {
 798                "diff-index", "--quiet", "--cached", "--ignore-submodules",
 799                NULL, "--", NULL
 800        };
 801        const char *read_tree[] = {
 802                "read-tree", "-u", "-m", NULL, NULL
 803        };
 804        struct child_process child = CHILD_PROCESS_INIT;
 805
 806        child.argv = update_refresh;
 807        child.env = env->argv;
 808        child.dir = work_tree;
 809        child.no_stdin = 1;
 810        child.stdout_to_stderr = 1;
 811        child.git_cmd = 1;
 812        if (run_command(&child))
 813                return "Up-to-date check failed";
 814
 815        /* run_command() does not clean up completely; reinitialize */
 816        child_process_init(&child);
 817        child.argv = diff_files;
 818        child.env = env->argv;
 819        child.dir = work_tree;
 820        child.no_stdin = 1;
 821        child.stdout_to_stderr = 1;
 822        child.git_cmd = 1;
 823        if (run_command(&child))
 824                return "Working directory has unstaged changes";
 825
 826        /* diff-index with either HEAD or an empty tree */
 827        diff_index[4] = head_has_history() ? "HEAD" : EMPTY_TREE_SHA1_HEX;
 828
 829        child_process_init(&child);
 830        child.argv = diff_index;
 831        child.env = env->argv;
 832        child.no_stdin = 1;
 833        child.no_stdout = 1;
 834        child.stdout_to_stderr = 0;
 835        child.git_cmd = 1;
 836        if (run_command(&child))
 837                return "Working directory has staged changes";
 838
 839        read_tree[3] = sha1_to_hex(sha1);
 840        child_process_init(&child);
 841        child.argv = read_tree;
 842        child.env = env->argv;
 843        child.dir = work_tree;
 844        child.no_stdin = 1;
 845        child.no_stdout = 1;
 846        child.stdout_to_stderr = 0;
 847        child.git_cmd = 1;
 848        if (run_command(&child))
 849                return "Could not update working tree to new HEAD";
 850
 851        return NULL;
 852}
 853
 854static const char *push_to_checkout_hook = "push-to-checkout";
 855
 856static const char *push_to_checkout(unsigned char *sha1,
 857                                    struct argv_array *env,
 858                                    const char *work_tree)
 859{
 860        argv_array_pushf(env, "GIT_WORK_TREE=%s", absolute_path(work_tree));
 861        if (run_hook_le(env->argv, push_to_checkout_hook,
 862                        sha1_to_hex(sha1), NULL))
 863                return "push-to-checkout hook declined";
 864        else
 865                return NULL;
 866}
 867
 868static const char *update_worktree(unsigned char *sha1)
 869{
 870        const char *retval;
 871        const char *work_tree = git_work_tree_cfg ? git_work_tree_cfg : "..";
 872        struct argv_array env = ARGV_ARRAY_INIT;
 873
 874        if (is_bare_repository())
 875                return "denyCurrentBranch = updateInstead needs a worktree";
 876
 877        argv_array_pushf(&env, "GIT_DIR=%s", absolute_path(get_git_dir()));
 878
 879        if (!find_hook(push_to_checkout_hook))
 880                retval = push_to_deploy(sha1, &env, work_tree);
 881        else
 882                retval = push_to_checkout(sha1, &env, work_tree);
 883
 884        argv_array_clear(&env);
 885        return retval;
 886}
 887
 888static const char *update(struct command *cmd, struct shallow_info *si)
 889{
 890        const char *name = cmd->ref_name;
 891        struct strbuf namespaced_name_buf = STRBUF_INIT;
 892        const char *namespaced_name, *ret;
 893        unsigned char *old_sha1 = cmd->old_sha1;
 894        unsigned char *new_sha1 = cmd->new_sha1;
 895
 896        /* only refs/... are allowed */
 897        if (!starts_with(name, "refs/") || check_refname_format(name + 5, 0)) {
 898                rp_error("refusing to create funny ref '%s' remotely", name);
 899                return "funny refname";
 900        }
 901
 902        strbuf_addf(&namespaced_name_buf, "%s%s", get_git_namespace(), name);
 903        namespaced_name = strbuf_detach(&namespaced_name_buf, NULL);
 904
 905        if (is_ref_checked_out(namespaced_name)) {
 906                switch (deny_current_branch) {
 907                case DENY_IGNORE:
 908                        break;
 909                case DENY_WARN:
 910                        rp_warning("updating the current branch");
 911                        break;
 912                case DENY_REFUSE:
 913                case DENY_UNCONFIGURED:
 914                        rp_error("refusing to update checked out branch: %s", name);
 915                        if (deny_current_branch == DENY_UNCONFIGURED)
 916                                refuse_unconfigured_deny();
 917                        return "branch is currently checked out";
 918                case DENY_UPDATE_INSTEAD:
 919                        ret = update_worktree(new_sha1);
 920                        if (ret)
 921                                return ret;
 922                        break;
 923                }
 924        }
 925
 926        if (!is_null_sha1(new_sha1) && !has_sha1_file(new_sha1)) {
 927                error("unpack should have generated %s, "
 928                      "but I can't find it!", sha1_to_hex(new_sha1));
 929                return "bad pack";
 930        }
 931
 932        if (!is_null_sha1(old_sha1) && is_null_sha1(new_sha1)) {
 933                if (deny_deletes && starts_with(name, "refs/heads/")) {
 934                        rp_error("denying ref deletion for %s", name);
 935                        return "deletion prohibited";
 936                }
 937
 938                if (head_name && !strcmp(namespaced_name, head_name)) {
 939                        switch (deny_delete_current) {
 940                        case DENY_IGNORE:
 941                                break;
 942                        case DENY_WARN:
 943                                rp_warning("deleting the current branch");
 944                                break;
 945                        case DENY_REFUSE:
 946                        case DENY_UNCONFIGURED:
 947                        case DENY_UPDATE_INSTEAD:
 948                                if (deny_delete_current == DENY_UNCONFIGURED)
 949                                        refuse_unconfigured_deny_delete_current();
 950                                rp_error("refusing to delete the current branch: %s", name);
 951                                return "deletion of the current branch prohibited";
 952                        default:
 953                                return "Invalid denyDeleteCurrent setting";
 954                        }
 955                }
 956        }
 957
 958        if (deny_non_fast_forwards && !is_null_sha1(new_sha1) &&
 959            !is_null_sha1(old_sha1) &&
 960            starts_with(name, "refs/heads/")) {
 961                struct object *old_object, *new_object;
 962                struct commit *old_commit, *new_commit;
 963
 964                old_object = parse_object(old_sha1);
 965                new_object = parse_object(new_sha1);
 966
 967                if (!old_object || !new_object ||
 968                    old_object->type != OBJ_COMMIT ||
 969                    new_object->type != OBJ_COMMIT) {
 970                        error("bad sha1 objects for %s", name);
 971                        return "bad ref";
 972                }
 973                old_commit = (struct commit *)old_object;
 974                new_commit = (struct commit *)new_object;
 975                if (!in_merge_bases(old_commit, new_commit)) {
 976                        rp_error("denying non-fast-forward %s"
 977                                 " (you should pull first)", name);
 978                        return "non-fast-forward";
 979                }
 980        }
 981        if (run_update_hook(cmd)) {
 982                rp_error("hook declined to update %s", name);
 983                return "hook declined";
 984        }
 985
 986        if (is_null_sha1(new_sha1)) {
 987                struct strbuf err = STRBUF_INIT;
 988                if (!parse_object(old_sha1)) {
 989                        old_sha1 = NULL;
 990                        if (ref_exists(name)) {
 991                                rp_warning("Allowing deletion of corrupt ref.");
 992                        } else {
 993                                rp_warning("Deleting a non-existent ref.");
 994                                cmd->did_not_exist = 1;
 995                        }
 996                }
 997                if (ref_transaction_delete(transaction,
 998                                           namespaced_name,
 999                                           old_sha1,
1000                                           0, "push", &err)) {
1001                        rp_error("%s", err.buf);
1002                        strbuf_release(&err);
1003                        return "failed to delete";
1004                }
1005                strbuf_release(&err);
1006                return NULL; /* good */
1007        }
1008        else {
1009                struct strbuf err = STRBUF_INIT;
1010                if (shallow_update && si->shallow_ref[cmd->index] &&
1011                    update_shallow_ref(cmd, si))
1012                        return "shallow error";
1013
1014                if (ref_transaction_update(transaction,
1015                                           namespaced_name,
1016                                           new_sha1, old_sha1,
1017                                           0, "push",
1018                                           &err)) {
1019                        rp_error("%s", err.buf);
1020                        strbuf_release(&err);
1021
1022                        return "failed to update ref";
1023                }
1024                strbuf_release(&err);
1025
1026                return NULL; /* good */
1027        }
1028}
1029
1030static void run_update_post_hook(struct command *commands)
1031{
1032        struct command *cmd;
1033        int argc;
1034        const char **argv;
1035        struct child_process proc = CHILD_PROCESS_INIT;
1036        const char *hook;
1037
1038        hook = find_hook("post-update");
1039        for (argc = 0, cmd = commands; cmd; cmd = cmd->next) {
1040                if (cmd->error_string || cmd->did_not_exist)
1041                        continue;
1042                argc++;
1043        }
1044        if (!argc || !hook)
1045                return;
1046
1047        argv = xmalloc(sizeof(*argv) * (2 + argc));
1048        argv[0] = hook;
1049
1050        for (argc = 1, cmd = commands; cmd; cmd = cmd->next) {
1051                if (cmd->error_string || cmd->did_not_exist)
1052                        continue;
1053                argv[argc] = xstrdup(cmd->ref_name);
1054                argc++;
1055        }
1056        argv[argc] = NULL;
1057
1058        proc.no_stdin = 1;
1059        proc.stdout_to_stderr = 1;
1060        proc.err = use_sideband ? -1 : 0;
1061        proc.argv = argv;
1062
1063        if (!start_command(&proc)) {
1064                if (use_sideband)
1065                        copy_to_sideband(proc.err, -1, NULL);
1066                finish_command(&proc);
1067        }
1068}
1069
1070static void check_aliased_update(struct command *cmd, struct string_list *list)
1071{
1072        struct strbuf buf = STRBUF_INIT;
1073        const char *dst_name;
1074        struct string_list_item *item;
1075        struct command *dst_cmd;
1076        unsigned char sha1[GIT_SHA1_RAWSZ];
1077        char cmd_oldh[GIT_SHA1_HEXSZ + 1],
1078             cmd_newh[GIT_SHA1_HEXSZ + 1],
1079             dst_oldh[GIT_SHA1_HEXSZ + 1],
1080             dst_newh[GIT_SHA1_HEXSZ + 1];
1081        int flag;
1082
1083        strbuf_addf(&buf, "%s%s", get_git_namespace(), cmd->ref_name);
1084        dst_name = resolve_ref_unsafe(buf.buf, 0, sha1, &flag);
1085        strbuf_release(&buf);
1086
1087        if (!(flag & REF_ISSYMREF))
1088                return;
1089
1090        dst_name = strip_namespace(dst_name);
1091        if (!dst_name) {
1092                rp_error("refusing update to broken symref '%s'", cmd->ref_name);
1093                cmd->skip_update = 1;
1094                cmd->error_string = "broken symref";
1095                return;
1096        }
1097
1098        if ((item = string_list_lookup(list, dst_name)) == NULL)
1099                return;
1100
1101        cmd->skip_update = 1;
1102
1103        dst_cmd = (struct command *) item->util;
1104
1105        if (!hashcmp(cmd->old_sha1, dst_cmd->old_sha1) &&
1106            !hashcmp(cmd->new_sha1, dst_cmd->new_sha1))
1107                return;
1108
1109        dst_cmd->skip_update = 1;
1110
1111        find_unique_abbrev_r(cmd_oldh, cmd->old_sha1, DEFAULT_ABBREV);
1112        find_unique_abbrev_r(cmd_newh, cmd->new_sha1, DEFAULT_ABBREV);
1113        find_unique_abbrev_r(dst_oldh, dst_cmd->old_sha1, DEFAULT_ABBREV);
1114        find_unique_abbrev_r(dst_newh, dst_cmd->new_sha1, DEFAULT_ABBREV);
1115        rp_error("refusing inconsistent update between symref '%s' (%s..%s) and"
1116                 " its target '%s' (%s..%s)",
1117                 cmd->ref_name, cmd_oldh, cmd_newh,
1118                 dst_cmd->ref_name, dst_oldh, dst_newh);
1119
1120        cmd->error_string = dst_cmd->error_string =
1121                "inconsistent aliased update";
1122}
1123
1124static void check_aliased_updates(struct command *commands)
1125{
1126        struct command *cmd;
1127        struct string_list ref_list = STRING_LIST_INIT_NODUP;
1128
1129        for (cmd = commands; cmd; cmd = cmd->next) {
1130                struct string_list_item *item =
1131                        string_list_append(&ref_list, cmd->ref_name);
1132                item->util = (void *)cmd;
1133        }
1134        string_list_sort(&ref_list);
1135
1136        for (cmd = commands; cmd; cmd = cmd->next) {
1137                if (!cmd->error_string)
1138                        check_aliased_update(cmd, &ref_list);
1139        }
1140
1141        string_list_clear(&ref_list, 0);
1142}
1143
1144static int command_singleton_iterator(void *cb_data, unsigned char sha1[20])
1145{
1146        struct command **cmd_list = cb_data;
1147        struct command *cmd = *cmd_list;
1148
1149        if (!cmd || is_null_sha1(cmd->new_sha1))
1150                return -1; /* end of list */
1151        *cmd_list = NULL; /* this returns only one */
1152        hashcpy(sha1, cmd->new_sha1);
1153        return 0;
1154}
1155
1156static void set_connectivity_errors(struct command *commands,
1157                                    struct shallow_info *si)
1158{
1159        struct command *cmd;
1160
1161        for (cmd = commands; cmd; cmd = cmd->next) {
1162                struct command *singleton = cmd;
1163                if (shallow_update && si->shallow_ref[cmd->index])
1164                        /* to be checked in update_shallow_ref() */
1165                        continue;
1166                if (!check_everything_connected(command_singleton_iterator,
1167                                                0, &singleton))
1168                        continue;
1169                cmd->error_string = "missing necessary objects";
1170        }
1171}
1172
1173struct iterate_data {
1174        struct command *cmds;
1175        struct shallow_info *si;
1176};
1177
1178static int iterate_receive_command_list(void *cb_data, unsigned char sha1[20])
1179{
1180        struct iterate_data *data = cb_data;
1181        struct command **cmd_list = &data->cmds;
1182        struct command *cmd = *cmd_list;
1183
1184        for (; cmd; cmd = cmd->next) {
1185                if (shallow_update && data->si->shallow_ref[cmd->index])
1186                        /* to be checked in update_shallow_ref() */
1187                        continue;
1188                if (!is_null_sha1(cmd->new_sha1) && !cmd->skip_update) {
1189                        hashcpy(sha1, cmd->new_sha1);
1190                        *cmd_list = cmd->next;
1191                        return 0;
1192                }
1193        }
1194        *cmd_list = NULL;
1195        return -1; /* end of list */
1196}
1197
1198static void reject_updates_to_hidden(struct command *commands)
1199{
1200        struct strbuf refname_full = STRBUF_INIT;
1201        size_t prefix_len;
1202        struct command *cmd;
1203
1204        strbuf_addstr(&refname_full, get_git_namespace());
1205        prefix_len = refname_full.len;
1206
1207        for (cmd = commands; cmd; cmd = cmd->next) {
1208                if (cmd->error_string)
1209                        continue;
1210
1211                strbuf_setlen(&refname_full, prefix_len);
1212                strbuf_addstr(&refname_full, cmd->ref_name);
1213
1214                if (!ref_is_hidden(cmd->ref_name, refname_full.buf))
1215                        continue;
1216                if (is_null_sha1(cmd->new_sha1))
1217                        cmd->error_string = "deny deleting a hidden ref";
1218                else
1219                        cmd->error_string = "deny updating a hidden ref";
1220        }
1221
1222        strbuf_release(&refname_full);
1223}
1224
1225static int should_process_cmd(struct command *cmd)
1226{
1227        return !cmd->error_string && !cmd->skip_update;
1228}
1229
1230static void warn_if_skipped_connectivity_check(struct command *commands,
1231                                               struct shallow_info *si)
1232{
1233        struct command *cmd;
1234        int checked_connectivity = 1;
1235
1236        for (cmd = commands; cmd; cmd = cmd->next) {
1237                if (should_process_cmd(cmd) && si->shallow_ref[cmd->index]) {
1238                        error("BUG: connectivity check has not been run on ref %s",
1239                              cmd->ref_name);
1240                        checked_connectivity = 0;
1241                }
1242        }
1243        if (!checked_connectivity)
1244                die("BUG: connectivity check skipped???");
1245}
1246
1247static void execute_commands_non_atomic(struct command *commands,
1248                                        struct shallow_info *si)
1249{
1250        struct command *cmd;
1251        struct strbuf err = STRBUF_INIT;
1252
1253        for (cmd = commands; cmd; cmd = cmd->next) {
1254                if (!should_process_cmd(cmd))
1255                        continue;
1256
1257                transaction = ref_transaction_begin(&err);
1258                if (!transaction) {
1259                        rp_error("%s", err.buf);
1260                        strbuf_reset(&err);
1261                        cmd->error_string = "transaction failed to start";
1262                        continue;
1263                }
1264
1265                cmd->error_string = update(cmd, si);
1266
1267                if (!cmd->error_string
1268                    && ref_transaction_commit(transaction, &err)) {
1269                        rp_error("%s", err.buf);
1270                        strbuf_reset(&err);
1271                        cmd->error_string = "failed to update ref";
1272                }
1273                ref_transaction_free(transaction);
1274        }
1275        strbuf_release(&err);
1276}
1277
1278static void execute_commands_atomic(struct command *commands,
1279                                        struct shallow_info *si)
1280{
1281        struct command *cmd;
1282        struct strbuf err = STRBUF_INIT;
1283        const char *reported_error = "atomic push failure";
1284
1285        transaction = ref_transaction_begin(&err);
1286        if (!transaction) {
1287                rp_error("%s", err.buf);
1288                strbuf_reset(&err);
1289                reported_error = "transaction failed to start";
1290                goto failure;
1291        }
1292
1293        for (cmd = commands; cmd; cmd = cmd->next) {
1294                if (!should_process_cmd(cmd))
1295                        continue;
1296
1297                cmd->error_string = update(cmd, si);
1298
1299                if (cmd->error_string)
1300                        goto failure;
1301        }
1302
1303        if (ref_transaction_commit(transaction, &err)) {
1304                rp_error("%s", err.buf);
1305                reported_error = "atomic transaction failed";
1306                goto failure;
1307        }
1308        goto cleanup;
1309
1310failure:
1311        for (cmd = commands; cmd; cmd = cmd->next)
1312                if (!cmd->error_string)
1313                        cmd->error_string = reported_error;
1314
1315cleanup:
1316        ref_transaction_free(transaction);
1317        strbuf_release(&err);
1318}
1319
1320static void execute_commands(struct command *commands,
1321                             const char *unpacker_error,
1322                             struct shallow_info *si)
1323{
1324        struct command *cmd;
1325        unsigned char sha1[20];
1326        struct iterate_data data;
1327
1328        if (unpacker_error) {
1329                for (cmd = commands; cmd; cmd = cmd->next)
1330                        cmd->error_string = "unpacker error";
1331                return;
1332        }
1333
1334        data.cmds = commands;
1335        data.si = si;
1336        if (check_everything_connected(iterate_receive_command_list, 0, &data))
1337                set_connectivity_errors(commands, si);
1338
1339        reject_updates_to_hidden(commands);
1340
1341        if (run_receive_hook(commands, "pre-receive", 0)) {
1342                for (cmd = commands; cmd; cmd = cmd->next) {
1343                        if (!cmd->error_string)
1344                                cmd->error_string = "pre-receive hook declined";
1345                }
1346                return;
1347        }
1348
1349        check_aliased_updates(commands);
1350
1351        free(head_name_to_free);
1352        head_name = head_name_to_free = resolve_refdup("HEAD", 0, sha1, NULL);
1353
1354        if (use_atomic)
1355                execute_commands_atomic(commands, si);
1356        else
1357                execute_commands_non_atomic(commands, si);
1358
1359        if (shallow_update)
1360                warn_if_skipped_connectivity_check(commands, si);
1361}
1362
1363static struct command **queue_command(struct command **tail,
1364                                      const char *line,
1365                                      int linelen)
1366{
1367        unsigned char old_sha1[20], new_sha1[20];
1368        struct command *cmd;
1369        const char *refname;
1370        int reflen;
1371
1372        if (linelen < 83 ||
1373            line[40] != ' ' ||
1374            line[81] != ' ' ||
1375            get_sha1_hex(line, old_sha1) ||
1376            get_sha1_hex(line + 41, new_sha1))
1377                die("protocol error: expected old/new/ref, got '%s'", line);
1378
1379        refname = line + 82;
1380        reflen = linelen - 82;
1381        cmd = xcalloc(1, sizeof(struct command) + reflen + 1);
1382        hashcpy(cmd->old_sha1, old_sha1);
1383        hashcpy(cmd->new_sha1, new_sha1);
1384        memcpy(cmd->ref_name, refname, reflen);
1385        cmd->ref_name[reflen] = '\0';
1386        *tail = cmd;
1387        return &cmd->next;
1388}
1389
1390static void queue_commands_from_cert(struct command **tail,
1391                                     struct strbuf *push_cert)
1392{
1393        const char *boc, *eoc;
1394
1395        if (*tail)
1396                die("protocol error: got both push certificate and unsigned commands");
1397
1398        boc = strstr(push_cert->buf, "\n\n");
1399        if (!boc)
1400                die("malformed push certificate %.*s", 100, push_cert->buf);
1401        else
1402                boc += 2;
1403        eoc = push_cert->buf + parse_signature(push_cert->buf, push_cert->len);
1404
1405        while (boc < eoc) {
1406                const char *eol = memchr(boc, '\n', eoc - boc);
1407                tail = queue_command(tail, boc, eol ? eol - boc : eoc - eol);
1408                boc = eol ? eol + 1 : eoc;
1409        }
1410}
1411
1412static struct command *read_head_info(struct sha1_array *shallow)
1413{
1414        struct command *commands = NULL;
1415        struct command **p = &commands;
1416        for (;;) {
1417                char *line;
1418                int len, linelen;
1419
1420                line = packet_read_line(0, &len);
1421                if (!line)
1422                        break;
1423
1424                if (len == 48 && starts_with(line, "shallow ")) {
1425                        unsigned char sha1[20];
1426                        if (get_sha1_hex(line + 8, sha1))
1427                                die("protocol error: expected shallow sha, got '%s'",
1428                                    line + 8);
1429                        sha1_array_append(shallow, sha1);
1430                        continue;
1431                }
1432
1433                linelen = strlen(line);
1434                if (linelen < len) {
1435                        const char *feature_list = line + linelen + 1;
1436                        if (parse_feature_request(feature_list, "report-status"))
1437                                report_status = 1;
1438                        if (parse_feature_request(feature_list, "side-band-64k"))
1439                                use_sideband = LARGE_PACKET_MAX;
1440                        if (parse_feature_request(feature_list, "quiet"))
1441                                quiet = 1;
1442                        if (advertise_atomic_push
1443                            && parse_feature_request(feature_list, "atomic"))
1444                                use_atomic = 1;
1445                }
1446
1447                if (!strcmp(line, "push-cert")) {
1448                        int true_flush = 0;
1449                        char certbuf[1024];
1450
1451                        for (;;) {
1452                                len = packet_read(0, NULL, NULL,
1453                                                  certbuf, sizeof(certbuf), 0);
1454                                if (!len) {
1455                                        true_flush = 1;
1456                                        break;
1457                                }
1458                                if (!strcmp(certbuf, "push-cert-end\n"))
1459                                        break; /* end of cert */
1460                                strbuf_addstr(&push_cert, certbuf);
1461                        }
1462
1463                        if (true_flush)
1464                                break;
1465                        continue;
1466                }
1467
1468                p = queue_command(p, line, linelen);
1469        }
1470
1471        if (push_cert.len)
1472                queue_commands_from_cert(p, &push_cert);
1473
1474        return commands;
1475}
1476
1477static const char *parse_pack_header(struct pack_header *hdr)
1478{
1479        switch (read_pack_header(0, hdr)) {
1480        case PH_ERROR_EOF:
1481                return "eof before pack header was fully read";
1482
1483        case PH_ERROR_PACK_SIGNATURE:
1484                return "protocol error (pack signature mismatch detected)";
1485
1486        case PH_ERROR_PROTOCOL:
1487                return "protocol error (pack version unsupported)";
1488
1489        default:
1490                return "unknown error in parse_pack_header";
1491
1492        case 0:
1493                return NULL;
1494        }
1495}
1496
1497static const char *pack_lockfile;
1498
1499static const char *unpack(int err_fd, struct shallow_info *si)
1500{
1501        struct pack_header hdr;
1502        const char *hdr_err;
1503        int status;
1504        char hdr_arg[38];
1505        struct child_process child = CHILD_PROCESS_INIT;
1506        int fsck_objects = (receive_fsck_objects >= 0
1507                            ? receive_fsck_objects
1508                            : transfer_fsck_objects >= 0
1509                            ? transfer_fsck_objects
1510                            : 0);
1511
1512        hdr_err = parse_pack_header(&hdr);
1513        if (hdr_err) {
1514                if (err_fd > 0)
1515                        close(err_fd);
1516                return hdr_err;
1517        }
1518        snprintf(hdr_arg, sizeof(hdr_arg),
1519                        "--pack_header=%"PRIu32",%"PRIu32,
1520                        ntohl(hdr.hdr_version), ntohl(hdr.hdr_entries));
1521
1522        if (si->nr_ours || si->nr_theirs) {
1523                alt_shallow_file = setup_temporary_shallow(si->shallow);
1524                argv_array_push(&child.args, "--shallow-file");
1525                argv_array_push(&child.args, alt_shallow_file);
1526        }
1527
1528        if (ntohl(hdr.hdr_entries) < unpack_limit) {
1529                argv_array_pushl(&child.args, "unpack-objects", hdr_arg, NULL);
1530                if (quiet)
1531                        argv_array_push(&child.args, "-q");
1532                if (fsck_objects)
1533                        argv_array_pushf(&child.args, "--strict%s",
1534                                fsck_msg_types.buf);
1535                child.no_stdout = 1;
1536                child.err = err_fd;
1537                child.git_cmd = 1;
1538                status = run_command(&child);
1539                if (status)
1540                        return "unpack-objects abnormal exit";
1541        } else {
1542                char hostname[256];
1543
1544                argv_array_pushl(&child.args, "index-pack",
1545                                 "--stdin", hdr_arg, NULL);
1546
1547                if (gethostname(hostname, sizeof(hostname)))
1548                        xsnprintf(hostname, sizeof(hostname), "localhost");
1549                argv_array_pushf(&child.args,
1550                                 "--keep=receive-pack %"PRIuMAX" on %s",
1551                                 (uintmax_t)getpid(),
1552                                 hostname);
1553
1554                if (fsck_objects)
1555                        argv_array_pushf(&child.args, "--strict%s",
1556                                fsck_msg_types.buf);
1557                if (fix_thin)
1558                        argv_array_push(&child.args, "--fix-thin");
1559                child.out = -1;
1560                child.err = err_fd;
1561                child.git_cmd = 1;
1562                status = start_command(&child);
1563                if (status)
1564                        return "index-pack fork failed";
1565                pack_lockfile = index_pack_lockfile(child.out);
1566                close(child.out);
1567                status = finish_command(&child);
1568                if (status)
1569                        return "index-pack abnormal exit";
1570                reprepare_packed_git();
1571        }
1572        return NULL;
1573}
1574
1575static const char *unpack_with_sideband(struct shallow_info *si)
1576{
1577        struct async muxer;
1578        const char *ret;
1579
1580        if (!use_sideband)
1581                return unpack(0, si);
1582
1583        memset(&muxer, 0, sizeof(muxer));
1584        muxer.proc = copy_to_sideband;
1585        muxer.in = -1;
1586        if (start_async(&muxer))
1587                return NULL;
1588
1589        ret = unpack(muxer.in, si);
1590
1591        finish_async(&muxer);
1592        return ret;
1593}
1594
1595static void prepare_shallow_update(struct command *commands,
1596                                   struct shallow_info *si)
1597{
1598        int i, j, k, bitmap_size = (si->ref->nr + 31) / 32;
1599
1600        si->used_shallow = xmalloc(sizeof(*si->used_shallow) *
1601                                   si->shallow->nr);
1602        assign_shallow_commits_to_refs(si, si->used_shallow, NULL);
1603
1604        si->need_reachability_test =
1605                xcalloc(si->shallow->nr, sizeof(*si->need_reachability_test));
1606        si->reachable =
1607                xcalloc(si->shallow->nr, sizeof(*si->reachable));
1608        si->shallow_ref = xcalloc(si->ref->nr, sizeof(*si->shallow_ref));
1609
1610        for (i = 0; i < si->nr_ours; i++)
1611                si->need_reachability_test[si->ours[i]] = 1;
1612
1613        for (i = 0; i < si->shallow->nr; i++) {
1614                if (!si->used_shallow[i])
1615                        continue;
1616                for (j = 0; j < bitmap_size; j++) {
1617                        if (!si->used_shallow[i][j])
1618                                continue;
1619                        si->need_reachability_test[i]++;
1620                        for (k = 0; k < 32; k++)
1621                                if (si->used_shallow[i][j] & (1U << k))
1622                                        si->shallow_ref[j * 32 + k]++;
1623                }
1624
1625                /*
1626                 * true for those associated with some refs and belong
1627                 * in "ours" list aka "step 7 not done yet"
1628                 */
1629                si->need_reachability_test[i] =
1630                        si->need_reachability_test[i] > 1;
1631        }
1632
1633        /*
1634         * keep hooks happy by forcing a temporary shallow file via
1635         * env variable because we can't add --shallow-file to every
1636         * command. check_everything_connected() will be done with
1637         * true .git/shallow though.
1638         */
1639        setenv(GIT_SHALLOW_FILE_ENVIRONMENT, alt_shallow_file, 1);
1640}
1641
1642static void update_shallow_info(struct command *commands,
1643                                struct shallow_info *si,
1644                                struct sha1_array *ref)
1645{
1646        struct command *cmd;
1647        int *ref_status;
1648        remove_nonexistent_theirs_shallow(si);
1649        if (!si->nr_ours && !si->nr_theirs) {
1650                shallow_update = 0;
1651                return;
1652        }
1653
1654        for (cmd = commands; cmd; cmd = cmd->next) {
1655                if (is_null_sha1(cmd->new_sha1))
1656                        continue;
1657                sha1_array_append(ref, cmd->new_sha1);
1658                cmd->index = ref->nr - 1;
1659        }
1660        si->ref = ref;
1661
1662        if (shallow_update) {
1663                prepare_shallow_update(commands, si);
1664                return;
1665        }
1666
1667        ref_status = xmalloc(sizeof(*ref_status) * ref->nr);
1668        assign_shallow_commits_to_refs(si, NULL, ref_status);
1669        for (cmd = commands; cmd; cmd = cmd->next) {
1670                if (is_null_sha1(cmd->new_sha1))
1671                        continue;
1672                if (ref_status[cmd->index]) {
1673                        cmd->error_string = "shallow update not allowed";
1674                        cmd->skip_update = 1;
1675                }
1676        }
1677        free(ref_status);
1678}
1679
1680static void report(struct command *commands, const char *unpack_status)
1681{
1682        struct command *cmd;
1683        struct strbuf buf = STRBUF_INIT;
1684
1685        packet_buf_write(&buf, "unpack %s\n",
1686                         unpack_status ? unpack_status : "ok");
1687        for (cmd = commands; cmd; cmd = cmd->next) {
1688                if (!cmd->error_string)
1689                        packet_buf_write(&buf, "ok %s\n",
1690                                         cmd->ref_name);
1691                else
1692                        packet_buf_write(&buf, "ng %s %s\n",
1693                                         cmd->ref_name, cmd->error_string);
1694        }
1695        packet_buf_flush(&buf);
1696
1697        if (use_sideband)
1698                send_sideband(1, 1, buf.buf, buf.len, use_sideband);
1699        else
1700                write_or_die(1, buf.buf, buf.len);
1701        strbuf_release(&buf);
1702}
1703
1704static int delete_only(struct command *commands)
1705{
1706        struct command *cmd;
1707        for (cmd = commands; cmd; cmd = cmd->next) {
1708                if (!is_null_sha1(cmd->new_sha1))
1709                        return 0;
1710        }
1711        return 1;
1712}
1713
1714int cmd_receive_pack(int argc, const char **argv, const char *prefix)
1715{
1716        int advertise_refs = 0;
1717        int i;
1718        struct command *commands;
1719        struct sha1_array shallow = SHA1_ARRAY_INIT;
1720        struct sha1_array ref = SHA1_ARRAY_INIT;
1721        struct shallow_info si;
1722
1723        packet_trace_identity("receive-pack");
1724
1725        argv++;
1726        for (i = 1; i < argc; i++) {
1727                const char *arg = *argv++;
1728
1729                if (*arg == '-') {
1730                        if (!strcmp(arg, "--quiet")) {
1731                                quiet = 1;
1732                                continue;
1733                        }
1734
1735                        if (!strcmp(arg, "--advertise-refs")) {
1736                                advertise_refs = 1;
1737                                continue;
1738                        }
1739                        if (!strcmp(arg, "--stateless-rpc")) {
1740                                stateless_rpc = 1;
1741                                continue;
1742                        }
1743                        if (!strcmp(arg, "--reject-thin-pack-for-testing")) {
1744                                fix_thin = 0;
1745                                continue;
1746                        }
1747
1748                        usage(receive_pack_usage);
1749                }
1750                if (service_dir)
1751                        usage(receive_pack_usage);
1752                service_dir = arg;
1753        }
1754        if (!service_dir)
1755                usage(receive_pack_usage);
1756
1757        setup_path();
1758
1759        if (!enter_repo(service_dir, 0))
1760                die("'%s' does not appear to be a git repository", service_dir);
1761
1762        git_config(receive_pack_config, NULL);
1763        if (cert_nonce_seed)
1764                push_cert_nonce = prepare_push_cert_nonce(service_dir, time(NULL));
1765
1766        if (0 <= transfer_unpack_limit)
1767                unpack_limit = transfer_unpack_limit;
1768        else if (0 <= receive_unpack_limit)
1769                unpack_limit = receive_unpack_limit;
1770
1771        if (advertise_refs || !stateless_rpc) {
1772                write_head_info();
1773        }
1774        if (advertise_refs)
1775                return 0;
1776
1777        if ((commands = read_head_info(&shallow)) != NULL) {
1778                const char *unpack_status = NULL;
1779
1780                prepare_shallow_info(&si, &shallow);
1781                if (!si.nr_ours && !si.nr_theirs)
1782                        shallow_update = 0;
1783                if (!delete_only(commands)) {
1784                        unpack_status = unpack_with_sideband(&si);
1785                        update_shallow_info(commands, &si, &ref);
1786                }
1787                execute_commands(commands, unpack_status, &si);
1788                if (pack_lockfile)
1789                        unlink_or_warn(pack_lockfile);
1790                if (report_status)
1791                        report(commands, unpack_status);
1792                run_receive_hook(commands, "post-receive", 1);
1793                run_update_post_hook(commands);
1794                if (auto_gc) {
1795                        const char *argv_gc_auto[] = {
1796                                "gc", "--auto", "--quiet", NULL,
1797                        };
1798                        int opt = RUN_GIT_CMD | RUN_COMMAND_STDOUT_TO_STDERR;
1799                        close_all_packs();
1800                        run_command_v_opt(argv_gc_auto, opt);
1801                }
1802                if (auto_update_server_info)
1803                        update_server_info(0);
1804                clear_shallow_info(&si);
1805        }
1806        if (use_sideband)
1807                packet_flush(1);
1808        sha1_array_clear(&shallow);
1809        sha1_array_clear(&ref);
1810        free((void *)push_cert_nonce);
1811        return 0;
1812}