builtin / receive-pack.con commit t4030: abstract away SHA-1-specific constants (a6c5799)
   1#include "builtin.h"
   2#include "repository.h"
   3#include "config.h"
   4#include "lockfile.h"
   5#include "pack.h"
   6#include "refs.h"
   7#include "pkt-line.h"
   8#include "sideband.h"
   9#include "run-command.h"
  10#include "exec-cmd.h"
  11#include "commit.h"
  12#include "object.h"
  13#include "remote.h"
  14#include "connect.h"
  15#include "transport.h"
  16#include "string-list.h"
  17#include "sha1-array.h"
  18#include "connected.h"
  19#include "argv-array.h"
  20#include "version.h"
  21#include "tag.h"
  22#include "gpg-interface.h"
  23#include "sigchain.h"
  24#include "fsck.h"
  25#include "tmp-objdir.h"
  26#include "oidset.h"
  27#include "packfile.h"
  28#include "protocol.h"
  29
  30static const char * const receive_pack_usage[] = {
  31        N_("git receive-pack <git-dir>"),
  32        NULL
  33};
  34
  35enum deny_action {
  36        DENY_UNCONFIGURED,
  37        DENY_IGNORE,
  38        DENY_WARN,
  39        DENY_REFUSE,
  40        DENY_UPDATE_INSTEAD
  41};
  42
  43static int deny_deletes;
  44static int deny_non_fast_forwards;
  45static enum deny_action deny_current_branch = DENY_UNCONFIGURED;
  46static enum deny_action deny_delete_current = DENY_UNCONFIGURED;
  47static int receive_fsck_objects = -1;
  48static int transfer_fsck_objects = -1;
  49static struct strbuf fsck_msg_types = STRBUF_INIT;
  50static int receive_unpack_limit = -1;
  51static int transfer_unpack_limit = -1;
  52static int advertise_atomic_push = 1;
  53static int advertise_push_options;
  54static int unpack_limit = 100;
  55static off_t max_input_size;
  56static int report_status;
  57static int use_sideband;
  58static int use_atomic;
  59static int use_push_options;
  60static int quiet;
  61static int prefer_ofs_delta = 1;
  62static int auto_update_server_info;
  63static int auto_gc = 1;
  64static int reject_thin;
  65static int stateless_rpc;
  66static const char *service_dir;
  67static const char *head_name;
  68static void *head_name_to_free;
  69static int sent_capabilities;
  70static int shallow_update;
  71static const char *alt_shallow_file;
  72static struct strbuf push_cert = STRBUF_INIT;
  73static struct object_id push_cert_oid;
  74static struct signature_check sigcheck;
  75static const char *push_cert_nonce;
  76static const char *cert_nonce_seed;
  77
  78static const char *NONCE_UNSOLICITED = "UNSOLICITED";
  79static const char *NONCE_BAD = "BAD";
  80static const char *NONCE_MISSING = "MISSING";
  81static const char *NONCE_OK = "OK";
  82static const char *NONCE_SLOP = "SLOP";
  83static const char *nonce_status;
  84static long nonce_stamp_slop;
  85static timestamp_t nonce_stamp_slop_limit;
  86static struct ref_transaction *transaction;
  87
  88static enum {
  89        KEEPALIVE_NEVER = 0,
  90        KEEPALIVE_AFTER_NUL,
  91        KEEPALIVE_ALWAYS
  92} use_keepalive;
  93static int keepalive_in_sec = 5;
  94
  95static struct tmp_objdir *tmp_objdir;
  96
  97static enum deny_action parse_deny_action(const char *var, const char *value)
  98{
  99        if (value) {
 100                if (!strcasecmp(value, "ignore"))
 101                        return DENY_IGNORE;
 102                if (!strcasecmp(value, "warn"))
 103                        return DENY_WARN;
 104                if (!strcasecmp(value, "refuse"))
 105                        return DENY_REFUSE;
 106                if (!strcasecmp(value, "updateinstead"))
 107                        return DENY_UPDATE_INSTEAD;
 108        }
 109        if (git_config_bool(var, value))
 110                return DENY_REFUSE;
 111        return DENY_IGNORE;
 112}
 113
 114static int receive_pack_config(const char *var, const char *value, void *cb)
 115{
 116        int status = parse_hide_refs_config(var, value, "receive");
 117
 118        if (status)
 119                return status;
 120
 121        if (strcmp(var, "receive.denydeletes") == 0) {
 122                deny_deletes = git_config_bool(var, value);
 123                return 0;
 124        }
 125
 126        if (strcmp(var, "receive.denynonfastforwards") == 0) {
 127                deny_non_fast_forwards = git_config_bool(var, value);
 128                return 0;
 129        }
 130
 131        if (strcmp(var, "receive.unpacklimit") == 0) {
 132                receive_unpack_limit = git_config_int(var, value);
 133                return 0;
 134        }
 135
 136        if (strcmp(var, "transfer.unpacklimit") == 0) {
 137                transfer_unpack_limit = git_config_int(var, value);
 138                return 0;
 139        }
 140
 141        if (strcmp(var, "receive.fsck.skiplist") == 0) {
 142                const char *path;
 143
 144                if (git_config_pathname(&path, var, value))
 145                        return 1;
 146                strbuf_addf(&fsck_msg_types, "%cskiplist=%s",
 147                        fsck_msg_types.len ? ',' : '=', path);
 148                free((char *)path);
 149                return 0;
 150        }
 151
 152        if (skip_prefix(var, "receive.fsck.", &var)) {
 153                if (is_valid_msg_type(var, value))
 154                        strbuf_addf(&fsck_msg_types, "%c%s=%s",
 155                                fsck_msg_types.len ? ',' : '=', var, value);
 156                else
 157                        warning("Skipping unknown msg id '%s'", var);
 158                return 0;
 159        }
 160
 161        if (strcmp(var, "receive.fsckobjects") == 0) {
 162                receive_fsck_objects = git_config_bool(var, value);
 163                return 0;
 164        }
 165
 166        if (strcmp(var, "transfer.fsckobjects") == 0) {
 167                transfer_fsck_objects = git_config_bool(var, value);
 168                return 0;
 169        }
 170
 171        if (!strcmp(var, "receive.denycurrentbranch")) {
 172                deny_current_branch = parse_deny_action(var, value);
 173                return 0;
 174        }
 175
 176        if (strcmp(var, "receive.denydeletecurrent") == 0) {
 177                deny_delete_current = parse_deny_action(var, value);
 178                return 0;
 179        }
 180
 181        if (strcmp(var, "repack.usedeltabaseoffset") == 0) {
 182                prefer_ofs_delta = git_config_bool(var, value);
 183                return 0;
 184        }
 185
 186        if (strcmp(var, "receive.updateserverinfo") == 0) {
 187                auto_update_server_info = git_config_bool(var, value);
 188                return 0;
 189        }
 190
 191        if (strcmp(var, "receive.autogc") == 0) {
 192                auto_gc = git_config_bool(var, value);
 193                return 0;
 194        }
 195
 196        if (strcmp(var, "receive.shallowupdate") == 0) {
 197                shallow_update = git_config_bool(var, value);
 198                return 0;
 199        }
 200
 201        if (strcmp(var, "receive.certnonceseed") == 0)
 202                return git_config_string(&cert_nonce_seed, var, value);
 203
 204        if (strcmp(var, "receive.certnonceslop") == 0) {
 205                nonce_stamp_slop_limit = git_config_ulong(var, value);
 206                return 0;
 207        }
 208
 209        if (strcmp(var, "receive.advertiseatomic") == 0) {
 210                advertise_atomic_push = git_config_bool(var, value);
 211                return 0;
 212        }
 213
 214        if (strcmp(var, "receive.advertisepushoptions") == 0) {
 215                advertise_push_options = git_config_bool(var, value);
 216                return 0;
 217        }
 218
 219        if (strcmp(var, "receive.keepalive") == 0) {
 220                keepalive_in_sec = git_config_int(var, value);
 221                return 0;
 222        }
 223
 224        if (strcmp(var, "receive.maxinputsize") == 0) {
 225                max_input_size = git_config_int64(var, value);
 226                return 0;
 227        }
 228
 229        return git_default_config(var, value, cb);
 230}
 231
 232static void show_ref(const char *path, const struct object_id *oid)
 233{
 234        if (sent_capabilities) {
 235                packet_write_fmt(1, "%s %s\n", oid_to_hex(oid), path);
 236        } else {
 237                struct strbuf cap = STRBUF_INIT;
 238
 239                strbuf_addstr(&cap,
 240                              "report-status delete-refs side-band-64k quiet");
 241                if (advertise_atomic_push)
 242                        strbuf_addstr(&cap, " atomic");
 243                if (prefer_ofs_delta)
 244                        strbuf_addstr(&cap, " ofs-delta");
 245                if (push_cert_nonce)
 246                        strbuf_addf(&cap, " push-cert=%s", push_cert_nonce);
 247                if (advertise_push_options)
 248                        strbuf_addstr(&cap, " push-options");
 249                strbuf_addf(&cap, " agent=%s", git_user_agent_sanitized());
 250                packet_write_fmt(1, "%s %s%c%s\n",
 251                             oid_to_hex(oid), path, 0, cap.buf);
 252                strbuf_release(&cap);
 253                sent_capabilities = 1;
 254        }
 255}
 256
 257static int show_ref_cb(const char *path_full, const struct object_id *oid,
 258                       int flag, void *data)
 259{
 260        struct oidset *seen = data;
 261        const char *path = strip_namespace(path_full);
 262
 263        if (ref_is_hidden(path, path_full))
 264                return 0;
 265
 266        /*
 267         * Advertise refs outside our current namespace as ".have"
 268         * refs, so that the client can use them to minimize data
 269         * transfer but will otherwise ignore them.
 270         */
 271        if (!path) {
 272                if (oidset_insert(seen, oid))
 273                        return 0;
 274                path = ".have";
 275        } else {
 276                oidset_insert(seen, oid);
 277        }
 278        show_ref(path, oid);
 279        return 0;
 280}
 281
 282static void show_one_alternate_ref(const char *refname,
 283                                   const struct object_id *oid,
 284                                   void *data)
 285{
 286        struct oidset *seen = data;
 287
 288        if (oidset_insert(seen, oid))
 289                return;
 290
 291        show_ref(".have", oid);
 292}
 293
 294static void write_head_info(void)
 295{
 296        static struct oidset seen = OIDSET_INIT;
 297
 298        for_each_ref(show_ref_cb, &seen);
 299        for_each_alternate_ref(show_one_alternate_ref, &seen);
 300        oidset_clear(&seen);
 301        if (!sent_capabilities)
 302                show_ref("capabilities^{}", &null_oid);
 303
 304        advertise_shallow_grafts(1);
 305
 306        /* EOF */
 307        packet_flush(1);
 308}
 309
 310struct command {
 311        struct command *next;
 312        const char *error_string;
 313        unsigned int skip_update:1,
 314                     did_not_exist:1;
 315        int index;
 316        struct object_id old_oid;
 317        struct object_id new_oid;
 318        char ref_name[FLEX_ARRAY]; /* more */
 319};
 320
 321static void rp_error(const char *err, ...) __attribute__((format (printf, 1, 2)));
 322static void rp_warning(const char *err, ...) __attribute__((format (printf, 1, 2)));
 323
 324static void report_message(const char *prefix, const char *err, va_list params)
 325{
 326        int sz;
 327        char msg[4096];
 328
 329        sz = xsnprintf(msg, sizeof(msg), "%s", prefix);
 330        sz += vsnprintf(msg + sz, sizeof(msg) - sz, err, params);
 331        if (sz > (sizeof(msg) - 1))
 332                sz = sizeof(msg) - 1;
 333        msg[sz++] = '\n';
 334
 335        if (use_sideband)
 336                send_sideband(1, 2, msg, sz, use_sideband);
 337        else
 338                xwrite(2, msg, sz);
 339}
 340
 341static void rp_warning(const char *err, ...)
 342{
 343        va_list params;
 344        va_start(params, err);
 345        report_message("warning: ", err, params);
 346        va_end(params);
 347}
 348
 349static void rp_error(const char *err, ...)
 350{
 351        va_list params;
 352        va_start(params, err);
 353        report_message("error: ", err, params);
 354        va_end(params);
 355}
 356
 357static int copy_to_sideband(int in, int out, void *arg)
 358{
 359        char data[128];
 360        int keepalive_active = 0;
 361
 362        if (keepalive_in_sec <= 0)
 363                use_keepalive = KEEPALIVE_NEVER;
 364        if (use_keepalive == KEEPALIVE_ALWAYS)
 365                keepalive_active = 1;
 366
 367        while (1) {
 368                ssize_t sz;
 369
 370                if (keepalive_active) {
 371                        struct pollfd pfd;
 372                        int ret;
 373
 374                        pfd.fd = in;
 375                        pfd.events = POLLIN;
 376                        ret = poll(&pfd, 1, 1000 * keepalive_in_sec);
 377
 378                        if (ret < 0) {
 379                                if (errno == EINTR)
 380                                        continue;
 381                                else
 382                                        break;
 383                        } else if (ret == 0) {
 384                                /* no data; send a keepalive packet */
 385                                static const char buf[] = "0005\1";
 386                                write_or_die(1, buf, sizeof(buf) - 1);
 387                                continue;
 388                        } /* else there is actual data to read */
 389                }
 390
 391                sz = xread(in, data, sizeof(data));
 392                if (sz <= 0)
 393                        break;
 394
 395                if (use_keepalive == KEEPALIVE_AFTER_NUL && !keepalive_active) {
 396                        const char *p = memchr(data, '\0', sz);
 397                        if (p) {
 398                                /*
 399                                 * The NUL tells us to start sending keepalives. Make
 400                                 * sure we send any other data we read along
 401                                 * with it.
 402                                 */
 403                                keepalive_active = 1;
 404                                send_sideband(1, 2, data, p - data, use_sideband);
 405                                send_sideband(1, 2, p + 1, sz - (p - data + 1), use_sideband);
 406                                continue;
 407                        }
 408                }
 409
 410                /*
 411                 * Either we're not looking for a NUL signal, or we didn't see
 412                 * it yet; just pass along the data.
 413                 */
 414                send_sideband(1, 2, data, sz, use_sideband);
 415        }
 416        close(in);
 417        return 0;
 418}
 419
 420#define HMAC_BLOCK_SIZE 64
 421
 422static void hmac_sha1(unsigned char *out,
 423                      const char *key_in, size_t key_len,
 424                      const char *text, size_t text_len)
 425{
 426        unsigned char key[HMAC_BLOCK_SIZE];
 427        unsigned char k_ipad[HMAC_BLOCK_SIZE];
 428        unsigned char k_opad[HMAC_BLOCK_SIZE];
 429        int i;
 430        git_SHA_CTX ctx;
 431
 432        /* RFC 2104 2. (1) */
 433        memset(key, '\0', HMAC_BLOCK_SIZE);
 434        if (HMAC_BLOCK_SIZE < key_len) {
 435                git_SHA1_Init(&ctx);
 436                git_SHA1_Update(&ctx, key_in, key_len);
 437                git_SHA1_Final(key, &ctx);
 438        } else {
 439                memcpy(key, key_in, key_len);
 440        }
 441
 442        /* RFC 2104 2. (2) & (5) */
 443        for (i = 0; i < sizeof(key); i++) {
 444                k_ipad[i] = key[i] ^ 0x36;
 445                k_opad[i] = key[i] ^ 0x5c;
 446        }
 447
 448        /* RFC 2104 2. (3) & (4) */
 449        git_SHA1_Init(&ctx);
 450        git_SHA1_Update(&ctx, k_ipad, sizeof(k_ipad));
 451        git_SHA1_Update(&ctx, text, text_len);
 452        git_SHA1_Final(out, &ctx);
 453
 454        /* RFC 2104 2. (6) & (7) */
 455        git_SHA1_Init(&ctx);
 456        git_SHA1_Update(&ctx, k_opad, sizeof(k_opad));
 457        git_SHA1_Update(&ctx, out, 20);
 458        git_SHA1_Final(out, &ctx);
 459}
 460
 461static char *prepare_push_cert_nonce(const char *path, timestamp_t stamp)
 462{
 463        struct strbuf buf = STRBUF_INIT;
 464        unsigned char sha1[20];
 465
 466        strbuf_addf(&buf, "%s:%"PRItime, path, stamp);
 467        hmac_sha1(sha1, buf.buf, buf.len, cert_nonce_seed, strlen(cert_nonce_seed));;
 468        strbuf_release(&buf);
 469
 470        /* RFC 2104 5. HMAC-SHA1-80 */
 471        strbuf_addf(&buf, "%"PRItime"-%.*s", stamp, 20, sha1_to_hex(sha1));
 472        return strbuf_detach(&buf, NULL);
 473}
 474
 475/*
 476 * NEEDSWORK: reuse find_commit_header() from jk/commit-author-parsing
 477 * after dropping "_commit" from its name and possibly moving it out
 478 * of commit.c
 479 */
 480static char *find_header(const char *msg, size_t len, const char *key,
 481                         const char **next_line)
 482{
 483        int key_len = strlen(key);
 484        const char *line = msg;
 485
 486        while (line && line < msg + len) {
 487                const char *eol = strchrnul(line, '\n');
 488
 489                if ((msg + len <= eol) || line == eol)
 490                        return NULL;
 491                if (line + key_len < eol &&
 492                    !memcmp(line, key, key_len) && line[key_len] == ' ') {
 493                        int offset = key_len + 1;
 494                        if (next_line)
 495                                *next_line = *eol ? eol + 1 : eol;
 496                        return xmemdupz(line + offset, (eol - line) - offset);
 497                }
 498                line = *eol ? eol + 1 : NULL;
 499        }
 500        return NULL;
 501}
 502
 503static const char *check_nonce(const char *buf, size_t len)
 504{
 505        char *nonce = find_header(buf, len, "nonce", NULL);
 506        timestamp_t stamp, ostamp;
 507        char *bohmac, *expect = NULL;
 508        const char *retval = NONCE_BAD;
 509
 510        if (!nonce) {
 511                retval = NONCE_MISSING;
 512                goto leave;
 513        } else if (!push_cert_nonce) {
 514                retval = NONCE_UNSOLICITED;
 515                goto leave;
 516        } else if (!strcmp(push_cert_nonce, nonce)) {
 517                retval = NONCE_OK;
 518                goto leave;
 519        }
 520
 521        if (!stateless_rpc) {
 522                /* returned nonce MUST match what we gave out earlier */
 523                retval = NONCE_BAD;
 524                goto leave;
 525        }
 526
 527        /*
 528         * In stateless mode, we may be receiving a nonce issued by
 529         * another instance of the server that serving the same
 530         * repository, and the timestamps may not match, but the
 531         * nonce-seed and dir should match, so we can recompute and
 532         * report the time slop.
 533         *
 534         * In addition, when a nonce issued by another instance has
 535         * timestamp within receive.certnonceslop seconds, we pretend
 536         * as if we issued that nonce when reporting to the hook.
 537         */
 538
 539        /* nonce is concat(<seconds-since-epoch>, "-", <hmac>) */
 540        if (*nonce <= '0' || '9' < *nonce) {
 541                retval = NONCE_BAD;
 542                goto leave;
 543        }
 544        stamp = parse_timestamp(nonce, &bohmac, 10);
 545        if (bohmac == nonce || bohmac[0] != '-') {
 546                retval = NONCE_BAD;
 547                goto leave;
 548        }
 549
 550        expect = prepare_push_cert_nonce(service_dir, stamp);
 551        if (strcmp(expect, nonce)) {
 552                /* Not what we would have signed earlier */
 553                retval = NONCE_BAD;
 554                goto leave;
 555        }
 556
 557        /*
 558         * By how many seconds is this nonce stale?  Negative value
 559         * would mean it was issued by another server with its clock
 560         * skewed in the future.
 561         */
 562        ostamp = parse_timestamp(push_cert_nonce, NULL, 10);
 563        nonce_stamp_slop = (long)ostamp - (long)stamp;
 564
 565        if (nonce_stamp_slop_limit &&
 566            labs(nonce_stamp_slop) <= nonce_stamp_slop_limit) {
 567                /*
 568                 * Pretend as if the received nonce (which passes the
 569                 * HMAC check, so it is not a forged by third-party)
 570                 * is what we issued.
 571                 */
 572                free((void *)push_cert_nonce);
 573                push_cert_nonce = xstrdup(nonce);
 574                retval = NONCE_OK;
 575        } else {
 576                retval = NONCE_SLOP;
 577        }
 578
 579leave:
 580        free(nonce);
 581        free(expect);
 582        return retval;
 583}
 584
 585/*
 586 * Return 1 if there is no push_cert or if the push options in push_cert are
 587 * the same as those in the argument; 0 otherwise.
 588 */
 589static int check_cert_push_options(const struct string_list *push_options)
 590{
 591        const char *buf = push_cert.buf;
 592        int len = push_cert.len;
 593
 594        char *option;
 595        const char *next_line;
 596        int options_seen = 0;
 597
 598        int retval = 1;
 599
 600        if (!len)
 601                return 1;
 602
 603        while ((option = find_header(buf, len, "push-option", &next_line))) {
 604                len -= (next_line - buf);
 605                buf = next_line;
 606                options_seen++;
 607                if (options_seen > push_options->nr
 608                    || strcmp(option,
 609                              push_options->items[options_seen - 1].string)) {
 610                        retval = 0;
 611                        goto leave;
 612                }
 613                free(option);
 614        }
 615
 616        if (options_seen != push_options->nr)
 617                retval = 0;
 618
 619leave:
 620        free(option);
 621        return retval;
 622}
 623
 624static void prepare_push_cert_sha1(struct child_process *proc)
 625{
 626        static int already_done;
 627
 628        if (!push_cert.len)
 629                return;
 630
 631        if (!already_done) {
 632                struct strbuf gpg_output = STRBUF_INIT;
 633                struct strbuf gpg_status = STRBUF_INIT;
 634                int bogs /* beginning_of_gpg_sig */;
 635
 636                already_done = 1;
 637                if (write_object_file(push_cert.buf, push_cert.len, "blob",
 638                                      &push_cert_oid))
 639                        oidclr(&push_cert_oid);
 640
 641                memset(&sigcheck, '\0', sizeof(sigcheck));
 642                sigcheck.result = 'N';
 643
 644                bogs = parse_signature(push_cert.buf, push_cert.len);
 645                if (verify_signed_buffer(push_cert.buf, bogs,
 646                                         push_cert.buf + bogs, push_cert.len - bogs,
 647                                         &gpg_output, &gpg_status) < 0) {
 648                        ; /* error running gpg */
 649                } else {
 650                        sigcheck.payload = push_cert.buf;
 651                        sigcheck.gpg_output = gpg_output.buf;
 652                        sigcheck.gpg_status = gpg_status.buf;
 653                        parse_gpg_output(&sigcheck);
 654                }
 655
 656                strbuf_release(&gpg_output);
 657                strbuf_release(&gpg_status);
 658                nonce_status = check_nonce(push_cert.buf, bogs);
 659        }
 660        if (!is_null_oid(&push_cert_oid)) {
 661                argv_array_pushf(&proc->env_array, "GIT_PUSH_CERT=%s",
 662                                 oid_to_hex(&push_cert_oid));
 663                argv_array_pushf(&proc->env_array, "GIT_PUSH_CERT_SIGNER=%s",
 664                                 sigcheck.signer ? sigcheck.signer : "");
 665                argv_array_pushf(&proc->env_array, "GIT_PUSH_CERT_KEY=%s",
 666                                 sigcheck.key ? sigcheck.key : "");
 667                argv_array_pushf(&proc->env_array, "GIT_PUSH_CERT_STATUS=%c",
 668                                 sigcheck.result);
 669                if (push_cert_nonce) {
 670                        argv_array_pushf(&proc->env_array,
 671                                         "GIT_PUSH_CERT_NONCE=%s",
 672                                         push_cert_nonce);
 673                        argv_array_pushf(&proc->env_array,
 674                                         "GIT_PUSH_CERT_NONCE_STATUS=%s",
 675                                         nonce_status);
 676                        if (nonce_status == NONCE_SLOP)
 677                                argv_array_pushf(&proc->env_array,
 678                                                 "GIT_PUSH_CERT_NONCE_SLOP=%ld",
 679                                                 nonce_stamp_slop);
 680                }
 681        }
 682}
 683
 684struct receive_hook_feed_state {
 685        struct command *cmd;
 686        int skip_broken;
 687        struct strbuf buf;
 688        const struct string_list *push_options;
 689};
 690
 691typedef int (*feed_fn)(void *, const char **, size_t *);
 692static int run_and_feed_hook(const char *hook_name, feed_fn feed,
 693                             struct receive_hook_feed_state *feed_state)
 694{
 695        struct child_process proc = CHILD_PROCESS_INIT;
 696        struct async muxer;
 697        const char *argv[2];
 698        int code;
 699
 700        argv[0] = find_hook(hook_name);
 701        if (!argv[0])
 702                return 0;
 703
 704        argv[1] = NULL;
 705
 706        proc.argv = argv;
 707        proc.in = -1;
 708        proc.stdout_to_stderr = 1;
 709        if (feed_state->push_options) {
 710                int i;
 711                for (i = 0; i < feed_state->push_options->nr; i++)
 712                        argv_array_pushf(&proc.env_array,
 713                                "GIT_PUSH_OPTION_%d=%s", i,
 714                                feed_state->push_options->items[i].string);
 715                argv_array_pushf(&proc.env_array, "GIT_PUSH_OPTION_COUNT=%d",
 716                                 feed_state->push_options->nr);
 717        } else
 718                argv_array_pushf(&proc.env_array, "GIT_PUSH_OPTION_COUNT");
 719
 720        if (tmp_objdir)
 721                argv_array_pushv(&proc.env_array, tmp_objdir_env(tmp_objdir));
 722
 723        if (use_sideband) {
 724                memset(&muxer, 0, sizeof(muxer));
 725                muxer.proc = copy_to_sideband;
 726                muxer.in = -1;
 727                code = start_async(&muxer);
 728                if (code)
 729                        return code;
 730                proc.err = muxer.in;
 731        }
 732
 733        prepare_push_cert_sha1(&proc);
 734
 735        code = start_command(&proc);
 736        if (code) {
 737                if (use_sideband)
 738                        finish_async(&muxer);
 739                return code;
 740        }
 741
 742        sigchain_push(SIGPIPE, SIG_IGN);
 743
 744        while (1) {
 745                const char *buf;
 746                size_t n;
 747                if (feed(feed_state, &buf, &n))
 748                        break;
 749                if (write_in_full(proc.in, buf, n) < 0)
 750                        break;
 751        }
 752        close(proc.in);
 753        if (use_sideband)
 754                finish_async(&muxer);
 755
 756        sigchain_pop(SIGPIPE);
 757
 758        return finish_command(&proc);
 759}
 760
 761static int feed_receive_hook(void *state_, const char **bufp, size_t *sizep)
 762{
 763        struct receive_hook_feed_state *state = state_;
 764        struct command *cmd = state->cmd;
 765
 766        while (cmd &&
 767               state->skip_broken && (cmd->error_string || cmd->did_not_exist))
 768                cmd = cmd->next;
 769        if (!cmd)
 770                return -1; /* EOF */
 771        strbuf_reset(&state->buf);
 772        strbuf_addf(&state->buf, "%s %s %s\n",
 773                    oid_to_hex(&cmd->old_oid), oid_to_hex(&cmd->new_oid),
 774                    cmd->ref_name);
 775        state->cmd = cmd->next;
 776        if (bufp) {
 777                *bufp = state->buf.buf;
 778                *sizep = state->buf.len;
 779        }
 780        return 0;
 781}
 782
 783static int run_receive_hook(struct command *commands,
 784                            const char *hook_name,
 785                            int skip_broken,
 786                            const struct string_list *push_options)
 787{
 788        struct receive_hook_feed_state state;
 789        int status;
 790
 791        strbuf_init(&state.buf, 0);
 792        state.cmd = commands;
 793        state.skip_broken = skip_broken;
 794        if (feed_receive_hook(&state, NULL, NULL))
 795                return 0;
 796        state.cmd = commands;
 797        state.push_options = push_options;
 798        status = run_and_feed_hook(hook_name, feed_receive_hook, &state);
 799        strbuf_release(&state.buf);
 800        return status;
 801}
 802
 803static int run_update_hook(struct command *cmd)
 804{
 805        const char *argv[5];
 806        struct child_process proc = CHILD_PROCESS_INIT;
 807        int code;
 808
 809        argv[0] = find_hook("update");
 810        if (!argv[0])
 811                return 0;
 812
 813        argv[1] = cmd->ref_name;
 814        argv[2] = oid_to_hex(&cmd->old_oid);
 815        argv[3] = oid_to_hex(&cmd->new_oid);
 816        argv[4] = NULL;
 817
 818        proc.no_stdin = 1;
 819        proc.stdout_to_stderr = 1;
 820        proc.err = use_sideband ? -1 : 0;
 821        proc.argv = argv;
 822
 823        code = start_command(&proc);
 824        if (code)
 825                return code;
 826        if (use_sideband)
 827                copy_to_sideband(proc.err, -1, NULL);
 828        return finish_command(&proc);
 829}
 830
 831static int is_ref_checked_out(const char *ref)
 832{
 833        if (is_bare_repository())
 834                return 0;
 835
 836        if (!head_name)
 837                return 0;
 838        return !strcmp(head_name, ref);
 839}
 840
 841static char *refuse_unconfigured_deny_msg =
 842        N_("By default, updating the current branch in a non-bare repository\n"
 843           "is denied, because it will make the index and work tree inconsistent\n"
 844           "with what you pushed, and will require 'git reset --hard' to match\n"
 845           "the work tree to HEAD.\n"
 846           "\n"
 847           "You can set the 'receive.denyCurrentBranch' configuration variable\n"
 848           "to 'ignore' or 'warn' in the remote repository to allow pushing into\n"
 849           "its current branch; however, this is not recommended unless you\n"
 850           "arranged to update its work tree to match what you pushed in some\n"
 851           "other way.\n"
 852           "\n"
 853           "To squelch this message and still keep the default behaviour, set\n"
 854           "'receive.denyCurrentBranch' configuration variable to 'refuse'.");
 855
 856static void refuse_unconfigured_deny(void)
 857{
 858        rp_error("%s", _(refuse_unconfigured_deny_msg));
 859}
 860
 861static char *refuse_unconfigured_deny_delete_current_msg =
 862        N_("By default, deleting the current branch is denied, because the next\n"
 863           "'git clone' won't result in any file checked out, causing confusion.\n"
 864           "\n"
 865           "You can set 'receive.denyDeleteCurrent' configuration variable to\n"
 866           "'warn' or 'ignore' in the remote repository to allow deleting the\n"
 867           "current branch, with or without a warning message.\n"
 868           "\n"
 869           "To squelch this message, you can set it to 'refuse'.");
 870
 871static void refuse_unconfigured_deny_delete_current(void)
 872{
 873        rp_error("%s", _(refuse_unconfigured_deny_delete_current_msg));
 874}
 875
 876static int command_singleton_iterator(void *cb_data, struct object_id *oid);
 877static int update_shallow_ref(struct command *cmd, struct shallow_info *si)
 878{
 879        static struct lock_file shallow_lock;
 880        struct oid_array extra = OID_ARRAY_INIT;
 881        struct check_connected_options opt = CHECK_CONNECTED_INIT;
 882        uint32_t mask = 1 << (cmd->index % 32);
 883        int i;
 884
 885        trace_printf_key(&trace_shallow,
 886                         "shallow: update_shallow_ref %s\n", cmd->ref_name);
 887        for (i = 0; i < si->shallow->nr; i++)
 888                if (si->used_shallow[i] &&
 889                    (si->used_shallow[i][cmd->index / 32] & mask) &&
 890                    !delayed_reachability_test(si, i))
 891                        oid_array_append(&extra, &si->shallow->oid[i]);
 892
 893        opt.env = tmp_objdir_env(tmp_objdir);
 894        setup_alternate_shallow(&shallow_lock, &opt.shallow_file, &extra);
 895        if (check_connected(command_singleton_iterator, cmd, &opt)) {
 896                rollback_lock_file(&shallow_lock);
 897                oid_array_clear(&extra);
 898                return -1;
 899        }
 900
 901        commit_lock_file(&shallow_lock);
 902
 903        /*
 904         * Make sure setup_alternate_shallow() for the next ref does
 905         * not lose these new roots..
 906         */
 907        for (i = 0; i < extra.nr; i++)
 908                register_shallow(&extra.oid[i]);
 909
 910        si->shallow_ref[cmd->index] = 0;
 911        oid_array_clear(&extra);
 912        return 0;
 913}
 914
 915/*
 916 * NEEDSWORK: we should consolidate various implementions of "are we
 917 * on an unborn branch?" test into one, and make the unified one more
 918 * robust. !get_sha1() based check used here and elsewhere would not
 919 * allow us to tell an unborn branch from corrupt ref, for example.
 920 * For the purpose of fixing "deploy-to-update does not work when
 921 * pushing into an empty repository" issue, this should suffice for
 922 * now.
 923 */
 924static int head_has_history(void)
 925{
 926        struct object_id oid;
 927
 928        return !get_oid("HEAD", &oid);
 929}
 930
 931static const char *push_to_deploy(unsigned char *sha1,
 932                                  struct argv_array *env,
 933                                  const char *work_tree)
 934{
 935        const char *update_refresh[] = {
 936                "update-index", "-q", "--ignore-submodules", "--refresh", NULL
 937        };
 938        const char *diff_files[] = {
 939                "diff-files", "--quiet", "--ignore-submodules", "--", NULL
 940        };
 941        const char *diff_index[] = {
 942                "diff-index", "--quiet", "--cached", "--ignore-submodules",
 943                NULL, "--", NULL
 944        };
 945        const char *read_tree[] = {
 946                "read-tree", "-u", "-m", NULL, NULL
 947        };
 948        struct child_process child = CHILD_PROCESS_INIT;
 949
 950        child.argv = update_refresh;
 951        child.env = env->argv;
 952        child.dir = work_tree;
 953        child.no_stdin = 1;
 954        child.stdout_to_stderr = 1;
 955        child.git_cmd = 1;
 956        if (run_command(&child))
 957                return "Up-to-date check failed";
 958
 959        /* run_command() does not clean up completely; reinitialize */
 960        child_process_init(&child);
 961        child.argv = diff_files;
 962        child.env = env->argv;
 963        child.dir = work_tree;
 964        child.no_stdin = 1;
 965        child.stdout_to_stderr = 1;
 966        child.git_cmd = 1;
 967        if (run_command(&child))
 968                return "Working directory has unstaged changes";
 969
 970        /* diff-index with either HEAD or an empty tree */
 971        diff_index[4] = head_has_history() ? "HEAD" : EMPTY_TREE_SHA1_HEX;
 972
 973        child_process_init(&child);
 974        child.argv = diff_index;
 975        child.env = env->argv;
 976        child.no_stdin = 1;
 977        child.no_stdout = 1;
 978        child.stdout_to_stderr = 0;
 979        child.git_cmd = 1;
 980        if (run_command(&child))
 981                return "Working directory has staged changes";
 982
 983        read_tree[3] = sha1_to_hex(sha1);
 984        child_process_init(&child);
 985        child.argv = read_tree;
 986        child.env = env->argv;
 987        child.dir = work_tree;
 988        child.no_stdin = 1;
 989        child.no_stdout = 1;
 990        child.stdout_to_stderr = 0;
 991        child.git_cmd = 1;
 992        if (run_command(&child))
 993                return "Could not update working tree to new HEAD";
 994
 995        return NULL;
 996}
 997
 998static const char *push_to_checkout_hook = "push-to-checkout";
 999
1000static const char *push_to_checkout(unsigned char *sha1,
1001                                    struct argv_array *env,
1002                                    const char *work_tree)
1003{
1004        argv_array_pushf(env, "GIT_WORK_TREE=%s", absolute_path(work_tree));
1005        if (run_hook_le(env->argv, push_to_checkout_hook,
1006                        sha1_to_hex(sha1), NULL))
1007                return "push-to-checkout hook declined";
1008        else
1009                return NULL;
1010}
1011
1012static const char *update_worktree(unsigned char *sha1)
1013{
1014        const char *retval;
1015        const char *work_tree = git_work_tree_cfg ? git_work_tree_cfg : "..";
1016        struct argv_array env = ARGV_ARRAY_INIT;
1017
1018        if (is_bare_repository())
1019                return "denyCurrentBranch = updateInstead needs a worktree";
1020
1021        argv_array_pushf(&env, "GIT_DIR=%s", absolute_path(get_git_dir()));
1022
1023        if (!find_hook(push_to_checkout_hook))
1024                retval = push_to_deploy(sha1, &env, work_tree);
1025        else
1026                retval = push_to_checkout(sha1, &env, work_tree);
1027
1028        argv_array_clear(&env);
1029        return retval;
1030}
1031
1032static const char *update(struct command *cmd, struct shallow_info *si)
1033{
1034        const char *name = cmd->ref_name;
1035        struct strbuf namespaced_name_buf = STRBUF_INIT;
1036        static char *namespaced_name;
1037        const char *ret;
1038        struct object_id *old_oid = &cmd->old_oid;
1039        struct object_id *new_oid = &cmd->new_oid;
1040
1041        /* only refs/... are allowed */
1042        if (!starts_with(name, "refs/") || check_refname_format(name + 5, 0)) {
1043                rp_error("refusing to create funny ref '%s' remotely", name);
1044                return "funny refname";
1045        }
1046
1047        strbuf_addf(&namespaced_name_buf, "%s%s", get_git_namespace(), name);
1048        free(namespaced_name);
1049        namespaced_name = strbuf_detach(&namespaced_name_buf, NULL);
1050
1051        if (is_ref_checked_out(namespaced_name)) {
1052                switch (deny_current_branch) {
1053                case DENY_IGNORE:
1054                        break;
1055                case DENY_WARN:
1056                        rp_warning("updating the current branch");
1057                        break;
1058                case DENY_REFUSE:
1059                case DENY_UNCONFIGURED:
1060                        rp_error("refusing to update checked out branch: %s", name);
1061                        if (deny_current_branch == DENY_UNCONFIGURED)
1062                                refuse_unconfigured_deny();
1063                        return "branch is currently checked out";
1064                case DENY_UPDATE_INSTEAD:
1065                        ret = update_worktree(new_oid->hash);
1066                        if (ret)
1067                                return ret;
1068                        break;
1069                }
1070        }
1071
1072        if (!is_null_oid(new_oid) && !has_object_file(new_oid)) {
1073                error("unpack should have generated %s, "
1074                      "but I can't find it!", oid_to_hex(new_oid));
1075                return "bad pack";
1076        }
1077
1078        if (!is_null_oid(old_oid) && is_null_oid(new_oid)) {
1079                if (deny_deletes && starts_with(name, "refs/heads/")) {
1080                        rp_error("denying ref deletion for %s", name);
1081                        return "deletion prohibited";
1082                }
1083
1084                if (head_name && !strcmp(namespaced_name, head_name)) {
1085                        switch (deny_delete_current) {
1086                        case DENY_IGNORE:
1087                                break;
1088                        case DENY_WARN:
1089                                rp_warning("deleting the current branch");
1090                                break;
1091                        case DENY_REFUSE:
1092                        case DENY_UNCONFIGURED:
1093                        case DENY_UPDATE_INSTEAD:
1094                                if (deny_delete_current == DENY_UNCONFIGURED)
1095                                        refuse_unconfigured_deny_delete_current();
1096                                rp_error("refusing to delete the current branch: %s", name);
1097                                return "deletion of the current branch prohibited";
1098                        default:
1099                                return "Invalid denyDeleteCurrent setting";
1100                        }
1101                }
1102        }
1103
1104        if (deny_non_fast_forwards && !is_null_oid(new_oid) &&
1105            !is_null_oid(old_oid) &&
1106            starts_with(name, "refs/heads/")) {
1107                struct object *old_object, *new_object;
1108                struct commit *old_commit, *new_commit;
1109
1110                old_object = parse_object(old_oid);
1111                new_object = parse_object(new_oid);
1112
1113                if (!old_object || !new_object ||
1114                    old_object->type != OBJ_COMMIT ||
1115                    new_object->type != OBJ_COMMIT) {
1116                        error("bad sha1 objects for %s", name);
1117                        return "bad ref";
1118                }
1119                old_commit = (struct commit *)old_object;
1120                new_commit = (struct commit *)new_object;
1121                if (!in_merge_bases(old_commit, new_commit)) {
1122                        rp_error("denying non-fast-forward %s"
1123                                 " (you should pull first)", name);
1124                        return "non-fast-forward";
1125                }
1126        }
1127        if (run_update_hook(cmd)) {
1128                rp_error("hook declined to update %s", name);
1129                return "hook declined";
1130        }
1131
1132        if (is_null_oid(new_oid)) {
1133                struct strbuf err = STRBUF_INIT;
1134                if (!parse_object(old_oid)) {
1135                        old_oid = NULL;
1136                        if (ref_exists(name)) {
1137                                rp_warning("Allowing deletion of corrupt ref.");
1138                        } else {
1139                                rp_warning("Deleting a non-existent ref.");
1140                                cmd->did_not_exist = 1;
1141                        }
1142                }
1143                if (ref_transaction_delete(transaction,
1144                                           namespaced_name,
1145                                           old_oid,
1146                                           0, "push", &err)) {
1147                        rp_error("%s", err.buf);
1148                        strbuf_release(&err);
1149                        return "failed to delete";
1150                }
1151                strbuf_release(&err);
1152                return NULL; /* good */
1153        }
1154        else {
1155                struct strbuf err = STRBUF_INIT;
1156                if (shallow_update && si->shallow_ref[cmd->index] &&
1157                    update_shallow_ref(cmd, si))
1158                        return "shallow error";
1159
1160                if (ref_transaction_update(transaction,
1161                                           namespaced_name,
1162                                           new_oid, old_oid,
1163                                           0, "push",
1164                                           &err)) {
1165                        rp_error("%s", err.buf);
1166                        strbuf_release(&err);
1167
1168                        return "failed to update ref";
1169                }
1170                strbuf_release(&err);
1171
1172                return NULL; /* good */
1173        }
1174}
1175
1176static void run_update_post_hook(struct command *commands)
1177{
1178        struct command *cmd;
1179        struct child_process proc = CHILD_PROCESS_INIT;
1180        const char *hook;
1181
1182        hook = find_hook("post-update");
1183        if (!hook)
1184                return;
1185
1186        for (cmd = commands; cmd; cmd = cmd->next) {
1187                if (cmd->error_string || cmd->did_not_exist)
1188                        continue;
1189                if (!proc.args.argc)
1190                        argv_array_push(&proc.args, hook);
1191                argv_array_push(&proc.args, cmd->ref_name);
1192        }
1193        if (!proc.args.argc)
1194                return;
1195
1196        proc.no_stdin = 1;
1197        proc.stdout_to_stderr = 1;
1198        proc.err = use_sideband ? -1 : 0;
1199
1200        if (!start_command(&proc)) {
1201                if (use_sideband)
1202                        copy_to_sideband(proc.err, -1, NULL);
1203                finish_command(&proc);
1204        }
1205}
1206
1207static void check_aliased_update(struct command *cmd, struct string_list *list)
1208{
1209        struct strbuf buf = STRBUF_INIT;
1210        const char *dst_name;
1211        struct string_list_item *item;
1212        struct command *dst_cmd;
1213        int flag;
1214
1215        strbuf_addf(&buf, "%s%s", get_git_namespace(), cmd->ref_name);
1216        dst_name = resolve_ref_unsafe(buf.buf, 0, NULL, &flag);
1217        strbuf_release(&buf);
1218
1219        if (!(flag & REF_ISSYMREF))
1220                return;
1221
1222        if (!dst_name) {
1223                rp_error("refusing update to broken symref '%s'", cmd->ref_name);
1224                cmd->skip_update = 1;
1225                cmd->error_string = "broken symref";
1226                return;
1227        }
1228        dst_name = strip_namespace(dst_name);
1229
1230        if ((item = string_list_lookup(list, dst_name)) == NULL)
1231                return;
1232
1233        cmd->skip_update = 1;
1234
1235        dst_cmd = (struct command *) item->util;
1236
1237        if (!oidcmp(&cmd->old_oid, &dst_cmd->old_oid) &&
1238            !oidcmp(&cmd->new_oid, &dst_cmd->new_oid))
1239                return;
1240
1241        dst_cmd->skip_update = 1;
1242
1243        rp_error("refusing inconsistent update between symref '%s' (%s..%s) and"
1244                 " its target '%s' (%s..%s)",
1245                 cmd->ref_name,
1246                 find_unique_abbrev(&cmd->old_oid, DEFAULT_ABBREV),
1247                 find_unique_abbrev(&cmd->new_oid, DEFAULT_ABBREV),
1248                 dst_cmd->ref_name,
1249                 find_unique_abbrev(&dst_cmd->old_oid, DEFAULT_ABBREV),
1250                 find_unique_abbrev(&dst_cmd->new_oid, DEFAULT_ABBREV));
1251
1252        cmd->error_string = dst_cmd->error_string =
1253                "inconsistent aliased update";
1254}
1255
1256static void check_aliased_updates(struct command *commands)
1257{
1258        struct command *cmd;
1259        struct string_list ref_list = STRING_LIST_INIT_NODUP;
1260
1261        for (cmd = commands; cmd; cmd = cmd->next) {
1262                struct string_list_item *item =
1263                        string_list_append(&ref_list, cmd->ref_name);
1264                item->util = (void *)cmd;
1265        }
1266        string_list_sort(&ref_list);
1267
1268        for (cmd = commands; cmd; cmd = cmd->next) {
1269                if (!cmd->error_string)
1270                        check_aliased_update(cmd, &ref_list);
1271        }
1272
1273        string_list_clear(&ref_list, 0);
1274}
1275
1276static int command_singleton_iterator(void *cb_data, struct object_id *oid)
1277{
1278        struct command **cmd_list = cb_data;
1279        struct command *cmd = *cmd_list;
1280
1281        if (!cmd || is_null_oid(&cmd->new_oid))
1282                return -1; /* end of list */
1283        *cmd_list = NULL; /* this returns only one */
1284        oidcpy(oid, &cmd->new_oid);
1285        return 0;
1286}
1287
1288static void set_connectivity_errors(struct command *commands,
1289                                    struct shallow_info *si)
1290{
1291        struct command *cmd;
1292
1293        for (cmd = commands; cmd; cmd = cmd->next) {
1294                struct command *singleton = cmd;
1295                struct check_connected_options opt = CHECK_CONNECTED_INIT;
1296
1297                if (shallow_update && si->shallow_ref[cmd->index])
1298                        /* to be checked in update_shallow_ref() */
1299                        continue;
1300
1301                opt.env = tmp_objdir_env(tmp_objdir);
1302                if (!check_connected(command_singleton_iterator, &singleton,
1303                                     &opt))
1304                        continue;
1305
1306                cmd->error_string = "missing necessary objects";
1307        }
1308}
1309
1310struct iterate_data {
1311        struct command *cmds;
1312        struct shallow_info *si;
1313};
1314
1315static int iterate_receive_command_list(void *cb_data, struct object_id *oid)
1316{
1317        struct iterate_data *data = cb_data;
1318        struct command **cmd_list = &data->cmds;
1319        struct command *cmd = *cmd_list;
1320
1321        for (; cmd; cmd = cmd->next) {
1322                if (shallow_update && data->si->shallow_ref[cmd->index])
1323                        /* to be checked in update_shallow_ref() */
1324                        continue;
1325                if (!is_null_oid(&cmd->new_oid) && !cmd->skip_update) {
1326                        oidcpy(oid, &cmd->new_oid);
1327                        *cmd_list = cmd->next;
1328                        return 0;
1329                }
1330        }
1331        *cmd_list = NULL;
1332        return -1; /* end of list */
1333}
1334
1335static void reject_updates_to_hidden(struct command *commands)
1336{
1337        struct strbuf refname_full = STRBUF_INIT;
1338        size_t prefix_len;
1339        struct command *cmd;
1340
1341        strbuf_addstr(&refname_full, get_git_namespace());
1342        prefix_len = refname_full.len;
1343
1344        for (cmd = commands; cmd; cmd = cmd->next) {
1345                if (cmd->error_string)
1346                        continue;
1347
1348                strbuf_setlen(&refname_full, prefix_len);
1349                strbuf_addstr(&refname_full, cmd->ref_name);
1350
1351                if (!ref_is_hidden(cmd->ref_name, refname_full.buf))
1352                        continue;
1353                if (is_null_oid(&cmd->new_oid))
1354                        cmd->error_string = "deny deleting a hidden ref";
1355                else
1356                        cmd->error_string = "deny updating a hidden ref";
1357        }
1358
1359        strbuf_release(&refname_full);
1360}
1361
1362static int should_process_cmd(struct command *cmd)
1363{
1364        return !cmd->error_string && !cmd->skip_update;
1365}
1366
1367static void warn_if_skipped_connectivity_check(struct command *commands,
1368                                               struct shallow_info *si)
1369{
1370        struct command *cmd;
1371        int checked_connectivity = 1;
1372
1373        for (cmd = commands; cmd; cmd = cmd->next) {
1374                if (should_process_cmd(cmd) && si->shallow_ref[cmd->index]) {
1375                        error("BUG: connectivity check has not been run on ref %s",
1376                              cmd->ref_name);
1377                        checked_connectivity = 0;
1378                }
1379        }
1380        if (!checked_connectivity)
1381                die("BUG: connectivity check skipped???");
1382}
1383
1384static void execute_commands_non_atomic(struct command *commands,
1385                                        struct shallow_info *si)
1386{
1387        struct command *cmd;
1388        struct strbuf err = STRBUF_INIT;
1389
1390        for (cmd = commands; cmd; cmd = cmd->next) {
1391                if (!should_process_cmd(cmd))
1392                        continue;
1393
1394                transaction = ref_transaction_begin(&err);
1395                if (!transaction) {
1396                        rp_error("%s", err.buf);
1397                        strbuf_reset(&err);
1398                        cmd->error_string = "transaction failed to start";
1399                        continue;
1400                }
1401
1402                cmd->error_string = update(cmd, si);
1403
1404                if (!cmd->error_string
1405                    && ref_transaction_commit(transaction, &err)) {
1406                        rp_error("%s", err.buf);
1407                        strbuf_reset(&err);
1408                        cmd->error_string = "failed to update ref";
1409                }
1410                ref_transaction_free(transaction);
1411        }
1412        strbuf_release(&err);
1413}
1414
1415static void execute_commands_atomic(struct command *commands,
1416                                        struct shallow_info *si)
1417{
1418        struct command *cmd;
1419        struct strbuf err = STRBUF_INIT;
1420        const char *reported_error = "atomic push failure";
1421
1422        transaction = ref_transaction_begin(&err);
1423        if (!transaction) {
1424                rp_error("%s", err.buf);
1425                strbuf_reset(&err);
1426                reported_error = "transaction failed to start";
1427                goto failure;
1428        }
1429
1430        for (cmd = commands; cmd; cmd = cmd->next) {
1431                if (!should_process_cmd(cmd))
1432                        continue;
1433
1434                cmd->error_string = update(cmd, si);
1435
1436                if (cmd->error_string)
1437                        goto failure;
1438        }
1439
1440        if (ref_transaction_commit(transaction, &err)) {
1441                rp_error("%s", err.buf);
1442                reported_error = "atomic transaction failed";
1443                goto failure;
1444        }
1445        goto cleanup;
1446
1447failure:
1448        for (cmd = commands; cmd; cmd = cmd->next)
1449                if (!cmd->error_string)
1450                        cmd->error_string = reported_error;
1451
1452cleanup:
1453        ref_transaction_free(transaction);
1454        strbuf_release(&err);
1455}
1456
1457static void execute_commands(struct command *commands,
1458                             const char *unpacker_error,
1459                             struct shallow_info *si,
1460                             const struct string_list *push_options)
1461{
1462        struct check_connected_options opt = CHECK_CONNECTED_INIT;
1463        struct command *cmd;
1464        struct iterate_data data;
1465        struct async muxer;
1466        int err_fd = 0;
1467
1468        if (unpacker_error) {
1469                for (cmd = commands; cmd; cmd = cmd->next)
1470                        cmd->error_string = "unpacker error";
1471                return;
1472        }
1473
1474        if (use_sideband) {
1475                memset(&muxer, 0, sizeof(muxer));
1476                muxer.proc = copy_to_sideband;
1477                muxer.in = -1;
1478                if (!start_async(&muxer))
1479                        err_fd = muxer.in;
1480                /* ...else, continue without relaying sideband */
1481        }
1482
1483        data.cmds = commands;
1484        data.si = si;
1485        opt.err_fd = err_fd;
1486        opt.progress = err_fd && !quiet;
1487        opt.env = tmp_objdir_env(tmp_objdir);
1488        if (check_connected(iterate_receive_command_list, &data, &opt))
1489                set_connectivity_errors(commands, si);
1490
1491        if (use_sideband)
1492                finish_async(&muxer);
1493
1494        reject_updates_to_hidden(commands);
1495
1496        if (run_receive_hook(commands, "pre-receive", 0, push_options)) {
1497                for (cmd = commands; cmd; cmd = cmd->next) {
1498                        if (!cmd->error_string)
1499                                cmd->error_string = "pre-receive hook declined";
1500                }
1501                return;
1502        }
1503
1504        /*
1505         * Now we'll start writing out refs, which means the objects need
1506         * to be in their final positions so that other processes can see them.
1507         */
1508        if (tmp_objdir_migrate(tmp_objdir) < 0) {
1509                for (cmd = commands; cmd; cmd = cmd->next) {
1510                        if (!cmd->error_string)
1511                                cmd->error_string = "unable to migrate objects to permanent storage";
1512                }
1513                return;
1514        }
1515        tmp_objdir = NULL;
1516
1517        check_aliased_updates(commands);
1518
1519        free(head_name_to_free);
1520        head_name = head_name_to_free = resolve_refdup("HEAD", 0, NULL, NULL);
1521
1522        if (use_atomic)
1523                execute_commands_atomic(commands, si);
1524        else
1525                execute_commands_non_atomic(commands, si);
1526
1527        if (shallow_update)
1528                warn_if_skipped_connectivity_check(commands, si);
1529}
1530
1531static struct command **queue_command(struct command **tail,
1532                                      const char *line,
1533                                      int linelen)
1534{
1535        struct object_id old_oid, new_oid;
1536        struct command *cmd;
1537        const char *refname;
1538        int reflen;
1539        const char *p;
1540
1541        if (parse_oid_hex(line, &old_oid, &p) ||
1542            *p++ != ' ' ||
1543            parse_oid_hex(p, &new_oid, &p) ||
1544            *p++ != ' ')
1545                die("protocol error: expected old/new/ref, got '%s'", line);
1546
1547        refname = p;
1548        reflen = linelen - (p - line);
1549        FLEX_ALLOC_MEM(cmd, ref_name, refname, reflen);
1550        oidcpy(&cmd->old_oid, &old_oid);
1551        oidcpy(&cmd->new_oid, &new_oid);
1552        *tail = cmd;
1553        return &cmd->next;
1554}
1555
1556static void queue_commands_from_cert(struct command **tail,
1557                                     struct strbuf *push_cert)
1558{
1559        const char *boc, *eoc;
1560
1561        if (*tail)
1562                die("protocol error: got both push certificate and unsigned commands");
1563
1564        boc = strstr(push_cert->buf, "\n\n");
1565        if (!boc)
1566                die("malformed push certificate %.*s", 100, push_cert->buf);
1567        else
1568                boc += 2;
1569        eoc = push_cert->buf + parse_signature(push_cert->buf, push_cert->len);
1570
1571        while (boc < eoc) {
1572                const char *eol = memchr(boc, '\n', eoc - boc);
1573                tail = queue_command(tail, boc, eol ? eol - boc : eoc - boc);
1574                boc = eol ? eol + 1 : eoc;
1575        }
1576}
1577
1578static struct command *read_head_info(struct oid_array *shallow)
1579{
1580        struct command *commands = NULL;
1581        struct command **p = &commands;
1582        for (;;) {
1583                char *line;
1584                int len, linelen;
1585
1586                line = packet_read_line(0, &len);
1587                if (!line)
1588                        break;
1589
1590                if (len > 8 && starts_with(line, "shallow ")) {
1591                        struct object_id oid;
1592                        if (get_oid_hex(line + 8, &oid))
1593                                die("protocol error: expected shallow sha, got '%s'",
1594                                    line + 8);
1595                        oid_array_append(shallow, &oid);
1596                        continue;
1597                }
1598
1599                linelen = strlen(line);
1600                if (linelen < len) {
1601                        const char *feature_list = line + linelen + 1;
1602                        if (parse_feature_request(feature_list, "report-status"))
1603                                report_status = 1;
1604                        if (parse_feature_request(feature_list, "side-band-64k"))
1605                                use_sideband = LARGE_PACKET_MAX;
1606                        if (parse_feature_request(feature_list, "quiet"))
1607                                quiet = 1;
1608                        if (advertise_atomic_push
1609                            && parse_feature_request(feature_list, "atomic"))
1610                                use_atomic = 1;
1611                        if (advertise_push_options
1612                            && parse_feature_request(feature_list, "push-options"))
1613                                use_push_options = 1;
1614                }
1615
1616                if (!strcmp(line, "push-cert")) {
1617                        int true_flush = 0;
1618                        char certbuf[1024];
1619
1620                        for (;;) {
1621                                len = packet_read(0, NULL, NULL,
1622                                                  certbuf, sizeof(certbuf), 0);
1623                                if (!len) {
1624                                        true_flush = 1;
1625                                        break;
1626                                }
1627                                if (!strcmp(certbuf, "push-cert-end\n"))
1628                                        break; /* end of cert */
1629                                strbuf_addstr(&push_cert, certbuf);
1630                        }
1631
1632                        if (true_flush)
1633                                break;
1634                        continue;
1635                }
1636
1637                p = queue_command(p, line, linelen);
1638        }
1639
1640        if (push_cert.len)
1641                queue_commands_from_cert(p, &push_cert);
1642
1643        return commands;
1644}
1645
1646static void read_push_options(struct string_list *options)
1647{
1648        while (1) {
1649                char *line;
1650                int len;
1651
1652                line = packet_read_line(0, &len);
1653
1654                if (!line)
1655                        break;
1656
1657                string_list_append(options, line);
1658        }
1659}
1660
1661static const char *parse_pack_header(struct pack_header *hdr)
1662{
1663        switch (read_pack_header(0, hdr)) {
1664        case PH_ERROR_EOF:
1665                return "eof before pack header was fully read";
1666
1667        case PH_ERROR_PACK_SIGNATURE:
1668                return "protocol error (pack signature mismatch detected)";
1669
1670        case PH_ERROR_PROTOCOL:
1671                return "protocol error (pack version unsupported)";
1672
1673        default:
1674                return "unknown error in parse_pack_header";
1675
1676        case 0:
1677                return NULL;
1678        }
1679}
1680
1681static const char *pack_lockfile;
1682
1683static void push_header_arg(struct argv_array *args, struct pack_header *hdr)
1684{
1685        argv_array_pushf(args, "--pack_header=%"PRIu32",%"PRIu32,
1686                        ntohl(hdr->hdr_version), ntohl(hdr->hdr_entries));
1687}
1688
1689static const char *unpack(int err_fd, struct shallow_info *si)
1690{
1691        struct pack_header hdr;
1692        const char *hdr_err;
1693        int status;
1694        struct child_process child = CHILD_PROCESS_INIT;
1695        int fsck_objects = (receive_fsck_objects >= 0
1696                            ? receive_fsck_objects
1697                            : transfer_fsck_objects >= 0
1698                            ? transfer_fsck_objects
1699                            : 0);
1700
1701        hdr_err = parse_pack_header(&hdr);
1702        if (hdr_err) {
1703                if (err_fd > 0)
1704                        close(err_fd);
1705                return hdr_err;
1706        }
1707
1708        if (si->nr_ours || si->nr_theirs) {
1709                alt_shallow_file = setup_temporary_shallow(si->shallow);
1710                argv_array_push(&child.args, "--shallow-file");
1711                argv_array_push(&child.args, alt_shallow_file);
1712        }
1713
1714        tmp_objdir = tmp_objdir_create();
1715        if (!tmp_objdir) {
1716                if (err_fd > 0)
1717                        close(err_fd);
1718                return "unable to create temporary object directory";
1719        }
1720        child.env = tmp_objdir_env(tmp_objdir);
1721
1722        /*
1723         * Normally we just pass the tmp_objdir environment to the child
1724         * processes that do the heavy lifting, but we may need to see these
1725         * objects ourselves to set up shallow information.
1726         */
1727        tmp_objdir_add_as_alternate(tmp_objdir);
1728
1729        if (ntohl(hdr.hdr_entries) < unpack_limit) {
1730                argv_array_push(&child.args, "unpack-objects");
1731                push_header_arg(&child.args, &hdr);
1732                if (quiet)
1733                        argv_array_push(&child.args, "-q");
1734                if (fsck_objects)
1735                        argv_array_pushf(&child.args, "--strict%s",
1736                                fsck_msg_types.buf);
1737                if (max_input_size)
1738                        argv_array_pushf(&child.args, "--max-input-size=%"PRIuMAX,
1739                                (uintmax_t)max_input_size);
1740                child.no_stdout = 1;
1741                child.err = err_fd;
1742                child.git_cmd = 1;
1743                status = run_command(&child);
1744                if (status)
1745                        return "unpack-objects abnormal exit";
1746        } else {
1747                char hostname[HOST_NAME_MAX + 1];
1748
1749                argv_array_pushl(&child.args, "index-pack", "--stdin", NULL);
1750                push_header_arg(&child.args, &hdr);
1751
1752                if (xgethostname(hostname, sizeof(hostname)))
1753                        xsnprintf(hostname, sizeof(hostname), "localhost");
1754                argv_array_pushf(&child.args,
1755                                 "--keep=receive-pack %"PRIuMAX" on %s",
1756                                 (uintmax_t)getpid(),
1757                                 hostname);
1758
1759                if (!quiet && err_fd)
1760                        argv_array_push(&child.args, "--show-resolving-progress");
1761                if (use_sideband)
1762                        argv_array_push(&child.args, "--report-end-of-input");
1763                if (fsck_objects)
1764                        argv_array_pushf(&child.args, "--strict%s",
1765                                fsck_msg_types.buf);
1766                if (!reject_thin)
1767                        argv_array_push(&child.args, "--fix-thin");
1768                if (max_input_size)
1769                        argv_array_pushf(&child.args, "--max-input-size=%"PRIuMAX,
1770                                (uintmax_t)max_input_size);
1771                child.out = -1;
1772                child.err = err_fd;
1773                child.git_cmd = 1;
1774                status = start_command(&child);
1775                if (status)
1776                        return "index-pack fork failed";
1777                pack_lockfile = index_pack_lockfile(child.out);
1778                close(child.out);
1779                status = finish_command(&child);
1780                if (status)
1781                        return "index-pack abnormal exit";
1782                reprepare_packed_git(the_repository);
1783        }
1784        return NULL;
1785}
1786
1787static const char *unpack_with_sideband(struct shallow_info *si)
1788{
1789        struct async muxer;
1790        const char *ret;
1791
1792        if (!use_sideband)
1793                return unpack(0, si);
1794
1795        use_keepalive = KEEPALIVE_AFTER_NUL;
1796        memset(&muxer, 0, sizeof(muxer));
1797        muxer.proc = copy_to_sideband;
1798        muxer.in = -1;
1799        if (start_async(&muxer))
1800                return NULL;
1801
1802        ret = unpack(muxer.in, si);
1803
1804        finish_async(&muxer);
1805        return ret;
1806}
1807
1808static void prepare_shallow_update(struct command *commands,
1809                                   struct shallow_info *si)
1810{
1811        int i, j, k, bitmap_size = DIV_ROUND_UP(si->ref->nr, 32);
1812
1813        ALLOC_ARRAY(si->used_shallow, si->shallow->nr);
1814        assign_shallow_commits_to_refs(si, si->used_shallow, NULL);
1815
1816        si->need_reachability_test =
1817                xcalloc(si->shallow->nr, sizeof(*si->need_reachability_test));
1818        si->reachable =
1819                xcalloc(si->shallow->nr, sizeof(*si->reachable));
1820        si->shallow_ref = xcalloc(si->ref->nr, sizeof(*si->shallow_ref));
1821
1822        for (i = 0; i < si->nr_ours; i++)
1823                si->need_reachability_test[si->ours[i]] = 1;
1824
1825        for (i = 0; i < si->shallow->nr; i++) {
1826                if (!si->used_shallow[i])
1827                        continue;
1828                for (j = 0; j < bitmap_size; j++) {
1829                        if (!si->used_shallow[i][j])
1830                                continue;
1831                        si->need_reachability_test[i]++;
1832                        for (k = 0; k < 32; k++)
1833                                if (si->used_shallow[i][j] & (1U << k))
1834                                        si->shallow_ref[j * 32 + k]++;
1835                }
1836
1837                /*
1838                 * true for those associated with some refs and belong
1839                 * in "ours" list aka "step 7 not done yet"
1840                 */
1841                si->need_reachability_test[i] =
1842                        si->need_reachability_test[i] > 1;
1843        }
1844
1845        /*
1846         * keep hooks happy by forcing a temporary shallow file via
1847         * env variable because we can't add --shallow-file to every
1848         * command. check_everything_connected() will be done with
1849         * true .git/shallow though.
1850         */
1851        setenv(GIT_SHALLOW_FILE_ENVIRONMENT, alt_shallow_file, 1);
1852}
1853
1854static void update_shallow_info(struct command *commands,
1855                                struct shallow_info *si,
1856                                struct oid_array *ref)
1857{
1858        struct command *cmd;
1859        int *ref_status;
1860        remove_nonexistent_theirs_shallow(si);
1861        if (!si->nr_ours && !si->nr_theirs) {
1862                shallow_update = 0;
1863                return;
1864        }
1865
1866        for (cmd = commands; cmd; cmd = cmd->next) {
1867                if (is_null_oid(&cmd->new_oid))
1868                        continue;
1869                oid_array_append(ref, &cmd->new_oid);
1870                cmd->index = ref->nr - 1;
1871        }
1872        si->ref = ref;
1873
1874        if (shallow_update) {
1875                prepare_shallow_update(commands, si);
1876                return;
1877        }
1878
1879        ALLOC_ARRAY(ref_status, ref->nr);
1880        assign_shallow_commits_to_refs(si, NULL, ref_status);
1881        for (cmd = commands; cmd; cmd = cmd->next) {
1882                if (is_null_oid(&cmd->new_oid))
1883                        continue;
1884                if (ref_status[cmd->index]) {
1885                        cmd->error_string = "shallow update not allowed";
1886                        cmd->skip_update = 1;
1887                }
1888        }
1889        free(ref_status);
1890}
1891
1892static void report(struct command *commands, const char *unpack_status)
1893{
1894        struct command *cmd;
1895        struct strbuf buf = STRBUF_INIT;
1896
1897        packet_buf_write(&buf, "unpack %s\n",
1898                         unpack_status ? unpack_status : "ok");
1899        for (cmd = commands; cmd; cmd = cmd->next) {
1900                if (!cmd->error_string)
1901                        packet_buf_write(&buf, "ok %s\n",
1902                                         cmd->ref_name);
1903                else
1904                        packet_buf_write(&buf, "ng %s %s\n",
1905                                         cmd->ref_name, cmd->error_string);
1906        }
1907        packet_buf_flush(&buf);
1908
1909        if (use_sideband)
1910                send_sideband(1, 1, buf.buf, buf.len, use_sideband);
1911        else
1912                write_or_die(1, buf.buf, buf.len);
1913        strbuf_release(&buf);
1914}
1915
1916static int delete_only(struct command *commands)
1917{
1918        struct command *cmd;
1919        for (cmd = commands; cmd; cmd = cmd->next) {
1920                if (!is_null_oid(&cmd->new_oid))
1921                        return 0;
1922        }
1923        return 1;
1924}
1925
1926int cmd_receive_pack(int argc, const char **argv, const char *prefix)
1927{
1928        int advertise_refs = 0;
1929        struct command *commands;
1930        struct oid_array shallow = OID_ARRAY_INIT;
1931        struct oid_array ref = OID_ARRAY_INIT;
1932        struct shallow_info si;
1933
1934        struct option options[] = {
1935                OPT__QUIET(&quiet, N_("quiet")),
1936                OPT_HIDDEN_BOOL(0, "stateless-rpc", &stateless_rpc, NULL),
1937                OPT_HIDDEN_BOOL(0, "advertise-refs", &advertise_refs, NULL),
1938                OPT_HIDDEN_BOOL(0, "reject-thin-pack-for-testing", &reject_thin, NULL),
1939                OPT_END()
1940        };
1941
1942        packet_trace_identity("receive-pack");
1943
1944        argc = parse_options(argc, argv, prefix, options, receive_pack_usage, 0);
1945
1946        if (argc > 1)
1947                usage_msg_opt(_("Too many arguments."), receive_pack_usage, options);
1948        if (argc == 0)
1949                usage_msg_opt(_("You must specify a directory."), receive_pack_usage, options);
1950
1951        service_dir = argv[0];
1952
1953        setup_path();
1954
1955        if (!enter_repo(service_dir, 0))
1956                die("'%s' does not appear to be a git repository", service_dir);
1957
1958        git_config(receive_pack_config, NULL);
1959        if (cert_nonce_seed)
1960                push_cert_nonce = prepare_push_cert_nonce(service_dir, time(NULL));
1961
1962        if (0 <= transfer_unpack_limit)
1963                unpack_limit = transfer_unpack_limit;
1964        else if (0 <= receive_unpack_limit)
1965                unpack_limit = receive_unpack_limit;
1966
1967        switch (determine_protocol_version_server()) {
1968        case protocol_v2:
1969                /*
1970                 * push support for protocol v2 has not been implemented yet,
1971                 * so ignore the request to use v2 and fallback to using v0.
1972                 */
1973                break;
1974        case protocol_v1:
1975                /*
1976                 * v1 is just the original protocol with a version string,
1977                 * so just fall through after writing the version string.
1978                 */
1979                if (advertise_refs || !stateless_rpc)
1980                        packet_write_fmt(1, "version 1\n");
1981
1982                /* fallthrough */
1983        case protocol_v0:
1984                break;
1985        case protocol_unknown_version:
1986                BUG("unknown protocol version");
1987        }
1988
1989        if (advertise_refs || !stateless_rpc) {
1990                write_head_info();
1991        }
1992        if (advertise_refs)
1993                return 0;
1994
1995        if ((commands = read_head_info(&shallow)) != NULL) {
1996                const char *unpack_status = NULL;
1997                struct string_list push_options = STRING_LIST_INIT_DUP;
1998
1999                if (use_push_options)
2000                        read_push_options(&push_options);
2001                if (!check_cert_push_options(&push_options)) {
2002                        struct command *cmd;
2003                        for (cmd = commands; cmd; cmd = cmd->next)
2004                                cmd->error_string = "inconsistent push options";
2005                }
2006
2007                prepare_shallow_info(&si, &shallow);
2008                if (!si.nr_ours && !si.nr_theirs)
2009                        shallow_update = 0;
2010                if (!delete_only(commands)) {
2011                        unpack_status = unpack_with_sideband(&si);
2012                        update_shallow_info(commands, &si, &ref);
2013                }
2014                use_keepalive = KEEPALIVE_ALWAYS;
2015                execute_commands(commands, unpack_status, &si,
2016                                 &push_options);
2017                if (pack_lockfile)
2018                        unlink_or_warn(pack_lockfile);
2019                if (report_status)
2020                        report(commands, unpack_status);
2021                run_receive_hook(commands, "post-receive", 1,
2022                                 &push_options);
2023                run_update_post_hook(commands);
2024                string_list_clear(&push_options, 0);
2025                if (auto_gc) {
2026                        const char *argv_gc_auto[] = {
2027                                "gc", "--auto", "--quiet", NULL,
2028                        };
2029                        struct child_process proc = CHILD_PROCESS_INIT;
2030
2031                        proc.no_stdin = 1;
2032                        proc.stdout_to_stderr = 1;
2033                        proc.err = use_sideband ? -1 : 0;
2034                        proc.git_cmd = 1;
2035                        proc.argv = argv_gc_auto;
2036
2037                        close_all_packs(the_repository->objects);
2038                        if (!start_command(&proc)) {
2039                                if (use_sideband)
2040                                        copy_to_sideband(proc.err, -1, NULL);
2041                                finish_command(&proc);
2042                        }
2043                }
2044                if (auto_update_server_info)
2045                        update_server_info(0);
2046                clear_shallow_info(&si);
2047        }
2048        if (use_sideband)
2049                packet_flush(1);
2050        oid_array_clear(&shallow);
2051        oid_array_clear(&ref);
2052        free((void *)push_cert_nonce);
2053        return 0;
2054}