builtin / receive-pack.con commit Merge branch 'cb/notes-freeing-always-null-fix' (e14af5f)
   1#include "builtin.h"
   2#include "repository.h"
   3#include "config.h"
   4#include "lockfile.h"
   5#include "pack.h"
   6#include "refs.h"
   7#include "pkt-line.h"
   8#include "sideband.h"
   9#include "run-command.h"
  10#include "exec-cmd.h"
  11#include "commit.h"
  12#include "object.h"
  13#include "remote.h"
  14#include "connect.h"
  15#include "transport.h"
  16#include "string-list.h"
  17#include "sha1-array.h"
  18#include "connected.h"
  19#include "argv-array.h"
  20#include "version.h"
  21#include "tag.h"
  22#include "gpg-interface.h"
  23#include "sigchain.h"
  24#include "fsck.h"
  25#include "tmp-objdir.h"
  26#include "oidset.h"
  27#include "packfile.h"
  28#include "object-store.h"
  29#include "protocol.h"
  30#include "commit-reach.h"
  31
  32static const char * const receive_pack_usage[] = {
  33        N_("git receive-pack <git-dir>"),
  34        NULL
  35};
  36
  37enum deny_action {
  38        DENY_UNCONFIGURED,
  39        DENY_IGNORE,
  40        DENY_WARN,
  41        DENY_REFUSE,
  42        DENY_UPDATE_INSTEAD
  43};
  44
  45static int deny_deletes;
  46static int deny_non_fast_forwards;
  47static enum deny_action deny_current_branch = DENY_UNCONFIGURED;
  48static enum deny_action deny_delete_current = DENY_UNCONFIGURED;
  49static int receive_fsck_objects = -1;
  50static int transfer_fsck_objects = -1;
  51static struct strbuf fsck_msg_types = STRBUF_INIT;
  52static int receive_unpack_limit = -1;
  53static int transfer_unpack_limit = -1;
  54static int advertise_atomic_push = 1;
  55static int advertise_push_options;
  56static int unpack_limit = 100;
  57static off_t max_input_size;
  58static int report_status;
  59static int use_sideband;
  60static int use_atomic;
  61static int use_push_options;
  62static int quiet;
  63static int prefer_ofs_delta = 1;
  64static int auto_update_server_info;
  65static int auto_gc = 1;
  66static int reject_thin;
  67static int stateless_rpc;
  68static const char *service_dir;
  69static const char *head_name;
  70static void *head_name_to_free;
  71static int sent_capabilities;
  72static int shallow_update;
  73static const char *alt_shallow_file;
  74static struct strbuf push_cert = STRBUF_INIT;
  75static struct object_id push_cert_oid;
  76static struct signature_check sigcheck;
  77static const char *push_cert_nonce;
  78static const char *cert_nonce_seed;
  79
  80static const char *NONCE_UNSOLICITED = "UNSOLICITED";
  81static const char *NONCE_BAD = "BAD";
  82static const char *NONCE_MISSING = "MISSING";
  83static const char *NONCE_OK = "OK";
  84static const char *NONCE_SLOP = "SLOP";
  85static const char *nonce_status;
  86static long nonce_stamp_slop;
  87static timestamp_t nonce_stamp_slop_limit;
  88static struct ref_transaction *transaction;
  89
  90static enum {
  91        KEEPALIVE_NEVER = 0,
  92        KEEPALIVE_AFTER_NUL,
  93        KEEPALIVE_ALWAYS
  94} use_keepalive;
  95static int keepalive_in_sec = 5;
  96
  97static struct tmp_objdir *tmp_objdir;
  98
  99static enum deny_action parse_deny_action(const char *var, const char *value)
 100{
 101        if (value) {
 102                if (!strcasecmp(value, "ignore"))
 103                        return DENY_IGNORE;
 104                if (!strcasecmp(value, "warn"))
 105                        return DENY_WARN;
 106                if (!strcasecmp(value, "refuse"))
 107                        return DENY_REFUSE;
 108                if (!strcasecmp(value, "updateinstead"))
 109                        return DENY_UPDATE_INSTEAD;
 110        }
 111        if (git_config_bool(var, value))
 112                return DENY_REFUSE;
 113        return DENY_IGNORE;
 114}
 115
 116static int receive_pack_config(const char *var, const char *value, void *cb)
 117{
 118        int status = parse_hide_refs_config(var, value, "receive");
 119
 120        if (status)
 121                return status;
 122
 123        if (strcmp(var, "receive.denydeletes") == 0) {
 124                deny_deletes = git_config_bool(var, value);
 125                return 0;
 126        }
 127
 128        if (strcmp(var, "receive.denynonfastforwards") == 0) {
 129                deny_non_fast_forwards = git_config_bool(var, value);
 130                return 0;
 131        }
 132
 133        if (strcmp(var, "receive.unpacklimit") == 0) {
 134                receive_unpack_limit = git_config_int(var, value);
 135                return 0;
 136        }
 137
 138        if (strcmp(var, "transfer.unpacklimit") == 0) {
 139                transfer_unpack_limit = git_config_int(var, value);
 140                return 0;
 141        }
 142
 143        if (strcmp(var, "receive.fsck.skiplist") == 0) {
 144                const char *path;
 145
 146                if (git_config_pathname(&path, var, value))
 147                        return 1;
 148                strbuf_addf(&fsck_msg_types, "%cskiplist=%s",
 149                        fsck_msg_types.len ? ',' : '=', path);
 150                free((char *)path);
 151                return 0;
 152        }
 153
 154        if (skip_prefix(var, "receive.fsck.", &var)) {
 155                if (is_valid_msg_type(var, value))
 156                        strbuf_addf(&fsck_msg_types, "%c%s=%s",
 157                                fsck_msg_types.len ? ',' : '=', var, value);
 158                else
 159                        warning("Skipping unknown msg id '%s'", var);
 160                return 0;
 161        }
 162
 163        if (strcmp(var, "receive.fsckobjects") == 0) {
 164                receive_fsck_objects = git_config_bool(var, value);
 165                return 0;
 166        }
 167
 168        if (strcmp(var, "transfer.fsckobjects") == 0) {
 169                transfer_fsck_objects = git_config_bool(var, value);
 170                return 0;
 171        }
 172
 173        if (!strcmp(var, "receive.denycurrentbranch")) {
 174                deny_current_branch = parse_deny_action(var, value);
 175                return 0;
 176        }
 177
 178        if (strcmp(var, "receive.denydeletecurrent") == 0) {
 179                deny_delete_current = parse_deny_action(var, value);
 180                return 0;
 181        }
 182
 183        if (strcmp(var, "repack.usedeltabaseoffset") == 0) {
 184                prefer_ofs_delta = git_config_bool(var, value);
 185                return 0;
 186        }
 187
 188        if (strcmp(var, "receive.updateserverinfo") == 0) {
 189                auto_update_server_info = git_config_bool(var, value);
 190                return 0;
 191        }
 192
 193        if (strcmp(var, "receive.autogc") == 0) {
 194                auto_gc = git_config_bool(var, value);
 195                return 0;
 196        }
 197
 198        if (strcmp(var, "receive.shallowupdate") == 0) {
 199                shallow_update = git_config_bool(var, value);
 200                return 0;
 201        }
 202
 203        if (strcmp(var, "receive.certnonceseed") == 0)
 204                return git_config_string(&cert_nonce_seed, var, value);
 205
 206        if (strcmp(var, "receive.certnonceslop") == 0) {
 207                nonce_stamp_slop_limit = git_config_ulong(var, value);
 208                return 0;
 209        }
 210
 211        if (strcmp(var, "receive.advertiseatomic") == 0) {
 212                advertise_atomic_push = git_config_bool(var, value);
 213                return 0;
 214        }
 215
 216        if (strcmp(var, "receive.advertisepushoptions") == 0) {
 217                advertise_push_options = git_config_bool(var, value);
 218                return 0;
 219        }
 220
 221        if (strcmp(var, "receive.keepalive") == 0) {
 222                keepalive_in_sec = git_config_int(var, value);
 223                return 0;
 224        }
 225
 226        if (strcmp(var, "receive.maxinputsize") == 0) {
 227                max_input_size = git_config_int64(var, value);
 228                return 0;
 229        }
 230
 231        return git_default_config(var, value, cb);
 232}
 233
 234static void show_ref(const char *path, const struct object_id *oid)
 235{
 236        if (sent_capabilities) {
 237                packet_write_fmt(1, "%s %s\n", oid_to_hex(oid), path);
 238        } else {
 239                struct strbuf cap = STRBUF_INIT;
 240
 241                strbuf_addstr(&cap,
 242                              "report-status delete-refs side-band-64k quiet");
 243                if (advertise_atomic_push)
 244                        strbuf_addstr(&cap, " atomic");
 245                if (prefer_ofs_delta)
 246                        strbuf_addstr(&cap, " ofs-delta");
 247                if (push_cert_nonce)
 248                        strbuf_addf(&cap, " push-cert=%s", push_cert_nonce);
 249                if (advertise_push_options)
 250                        strbuf_addstr(&cap, " push-options");
 251                strbuf_addf(&cap, " agent=%s", git_user_agent_sanitized());
 252                packet_write_fmt(1, "%s %s%c%s\n",
 253                             oid_to_hex(oid), path, 0, cap.buf);
 254                strbuf_release(&cap);
 255                sent_capabilities = 1;
 256        }
 257}
 258
 259static int show_ref_cb(const char *path_full, const struct object_id *oid,
 260                       int flag, void *data)
 261{
 262        struct oidset *seen = data;
 263        const char *path = strip_namespace(path_full);
 264
 265        if (ref_is_hidden(path, path_full))
 266                return 0;
 267
 268        /*
 269         * Advertise refs outside our current namespace as ".have"
 270         * refs, so that the client can use them to minimize data
 271         * transfer but will otherwise ignore them.
 272         */
 273        if (!path) {
 274                if (oidset_insert(seen, oid))
 275                        return 0;
 276                path = ".have";
 277        } else {
 278                oidset_insert(seen, oid);
 279        }
 280        show_ref(path, oid);
 281        return 0;
 282}
 283
 284static void show_one_alternate_ref(const struct object_id *oid,
 285                                   void *data)
 286{
 287        struct oidset *seen = data;
 288
 289        if (oidset_insert(seen, oid))
 290                return;
 291
 292        show_ref(".have", oid);
 293}
 294
 295static void write_head_info(void)
 296{
 297        static struct oidset seen = OIDSET_INIT;
 298
 299        for_each_ref(show_ref_cb, &seen);
 300        for_each_alternate_ref(show_one_alternate_ref, &seen);
 301        oidset_clear(&seen);
 302        if (!sent_capabilities)
 303                show_ref("capabilities^{}", &null_oid);
 304
 305        advertise_shallow_grafts(1);
 306
 307        /* EOF */
 308        packet_flush(1);
 309}
 310
 311struct command {
 312        struct command *next;
 313        const char *error_string;
 314        unsigned int skip_update:1,
 315                     did_not_exist:1;
 316        int index;
 317        struct object_id old_oid;
 318        struct object_id new_oid;
 319        char ref_name[FLEX_ARRAY]; /* more */
 320};
 321
 322static void rp_error(const char *err, ...) __attribute__((format (printf, 1, 2)));
 323static void rp_warning(const char *err, ...) __attribute__((format (printf, 1, 2)));
 324
 325static void report_message(const char *prefix, const char *err, va_list params)
 326{
 327        int sz;
 328        char msg[4096];
 329
 330        sz = xsnprintf(msg, sizeof(msg), "%s", prefix);
 331        sz += vsnprintf(msg + sz, sizeof(msg) - sz, err, params);
 332        if (sz > (sizeof(msg) - 1))
 333                sz = sizeof(msg) - 1;
 334        msg[sz++] = '\n';
 335
 336        if (use_sideband)
 337                send_sideband(1, 2, msg, sz, use_sideband);
 338        else
 339                xwrite(2, msg, sz);
 340}
 341
 342static void rp_warning(const char *err, ...)
 343{
 344        va_list params;
 345        va_start(params, err);
 346        report_message("warning: ", err, params);
 347        va_end(params);
 348}
 349
 350static void rp_error(const char *err, ...)
 351{
 352        va_list params;
 353        va_start(params, err);
 354        report_message("error: ", err, params);
 355        va_end(params);
 356}
 357
 358static int copy_to_sideband(int in, int out, void *arg)
 359{
 360        char data[128];
 361        int keepalive_active = 0;
 362
 363        if (keepalive_in_sec <= 0)
 364                use_keepalive = KEEPALIVE_NEVER;
 365        if (use_keepalive == KEEPALIVE_ALWAYS)
 366                keepalive_active = 1;
 367
 368        while (1) {
 369                ssize_t sz;
 370
 371                if (keepalive_active) {
 372                        struct pollfd pfd;
 373                        int ret;
 374
 375                        pfd.fd = in;
 376                        pfd.events = POLLIN;
 377                        ret = poll(&pfd, 1, 1000 * keepalive_in_sec);
 378
 379                        if (ret < 0) {
 380                                if (errno == EINTR)
 381                                        continue;
 382                                else
 383                                        break;
 384                        } else if (ret == 0) {
 385                                /* no data; send a keepalive packet */
 386                                static const char buf[] = "0005\1";
 387                                write_or_die(1, buf, sizeof(buf) - 1);
 388                                continue;
 389                        } /* else there is actual data to read */
 390                }
 391
 392                sz = xread(in, data, sizeof(data));
 393                if (sz <= 0)
 394                        break;
 395
 396                if (use_keepalive == KEEPALIVE_AFTER_NUL && !keepalive_active) {
 397                        const char *p = memchr(data, '\0', sz);
 398                        if (p) {
 399                                /*
 400                                 * The NUL tells us to start sending keepalives. Make
 401                                 * sure we send any other data we read along
 402                                 * with it.
 403                                 */
 404                                keepalive_active = 1;
 405                                send_sideband(1, 2, data, p - data, use_sideband);
 406                                send_sideband(1, 2, p + 1, sz - (p - data + 1), use_sideband);
 407                                continue;
 408                        }
 409                }
 410
 411                /*
 412                 * Either we're not looking for a NUL signal, or we didn't see
 413                 * it yet; just pass along the data.
 414                 */
 415                send_sideband(1, 2, data, sz, use_sideband);
 416        }
 417        close(in);
 418        return 0;
 419}
 420
 421#define HMAC_BLOCK_SIZE 64
 422
 423static void hmac_sha1(unsigned char *out,
 424                      const char *key_in, size_t key_len,
 425                      const char *text, size_t text_len)
 426{
 427        unsigned char key[HMAC_BLOCK_SIZE];
 428        unsigned char k_ipad[HMAC_BLOCK_SIZE];
 429        unsigned char k_opad[HMAC_BLOCK_SIZE];
 430        int i;
 431        git_SHA_CTX ctx;
 432
 433        /* RFC 2104 2. (1) */
 434        memset(key, '\0', HMAC_BLOCK_SIZE);
 435        if (HMAC_BLOCK_SIZE < key_len) {
 436                git_SHA1_Init(&ctx);
 437                git_SHA1_Update(&ctx, key_in, key_len);
 438                git_SHA1_Final(key, &ctx);
 439        } else {
 440                memcpy(key, key_in, key_len);
 441        }
 442
 443        /* RFC 2104 2. (2) & (5) */
 444        for (i = 0; i < sizeof(key); i++) {
 445                k_ipad[i] = key[i] ^ 0x36;
 446                k_opad[i] = key[i] ^ 0x5c;
 447        }
 448
 449        /* RFC 2104 2. (3) & (4) */
 450        git_SHA1_Init(&ctx);
 451        git_SHA1_Update(&ctx, k_ipad, sizeof(k_ipad));
 452        git_SHA1_Update(&ctx, text, text_len);
 453        git_SHA1_Final(out, &ctx);
 454
 455        /* RFC 2104 2. (6) & (7) */
 456        git_SHA1_Init(&ctx);
 457        git_SHA1_Update(&ctx, k_opad, sizeof(k_opad));
 458        git_SHA1_Update(&ctx, out, GIT_SHA1_RAWSZ);
 459        git_SHA1_Final(out, &ctx);
 460}
 461
 462static char *prepare_push_cert_nonce(const char *path, timestamp_t stamp)
 463{
 464        struct strbuf buf = STRBUF_INIT;
 465        unsigned char sha1[GIT_SHA1_RAWSZ];
 466
 467        strbuf_addf(&buf, "%s:%"PRItime, path, stamp);
 468        hmac_sha1(sha1, buf.buf, buf.len, cert_nonce_seed, strlen(cert_nonce_seed));
 469        strbuf_release(&buf);
 470
 471        /* RFC 2104 5. HMAC-SHA1-80 */
 472        strbuf_addf(&buf, "%"PRItime"-%.*s", stamp, GIT_SHA1_HEXSZ, sha1_to_hex(sha1));
 473        return strbuf_detach(&buf, NULL);
 474}
 475
 476/*
 477 * NEEDSWORK: reuse find_commit_header() from jk/commit-author-parsing
 478 * after dropping "_commit" from its name and possibly moving it out
 479 * of commit.c
 480 */
 481static char *find_header(const char *msg, size_t len, const char *key,
 482                         const char **next_line)
 483{
 484        int key_len = strlen(key);
 485        const char *line = msg;
 486
 487        while (line && line < msg + len) {
 488                const char *eol = strchrnul(line, '\n');
 489
 490                if ((msg + len <= eol) || line == eol)
 491                        return NULL;
 492                if (line + key_len < eol &&
 493                    !memcmp(line, key, key_len) && line[key_len] == ' ') {
 494                        int offset = key_len + 1;
 495                        if (next_line)
 496                                *next_line = *eol ? eol + 1 : eol;
 497                        return xmemdupz(line + offset, (eol - line) - offset);
 498                }
 499                line = *eol ? eol + 1 : NULL;
 500        }
 501        return NULL;
 502}
 503
 504static const char *check_nonce(const char *buf, size_t len)
 505{
 506        char *nonce = find_header(buf, len, "nonce", NULL);
 507        timestamp_t stamp, ostamp;
 508        char *bohmac, *expect = NULL;
 509        const char *retval = NONCE_BAD;
 510
 511        if (!nonce) {
 512                retval = NONCE_MISSING;
 513                goto leave;
 514        } else if (!push_cert_nonce) {
 515                retval = NONCE_UNSOLICITED;
 516                goto leave;
 517        } else if (!strcmp(push_cert_nonce, nonce)) {
 518                retval = NONCE_OK;
 519                goto leave;
 520        }
 521
 522        if (!stateless_rpc) {
 523                /* returned nonce MUST match what we gave out earlier */
 524                retval = NONCE_BAD;
 525                goto leave;
 526        }
 527
 528        /*
 529         * In stateless mode, we may be receiving a nonce issued by
 530         * another instance of the server that serving the same
 531         * repository, and the timestamps may not match, but the
 532         * nonce-seed and dir should match, so we can recompute and
 533         * report the time slop.
 534         *
 535         * In addition, when a nonce issued by another instance has
 536         * timestamp within receive.certnonceslop seconds, we pretend
 537         * as if we issued that nonce when reporting to the hook.
 538         */
 539
 540        /* nonce is concat(<seconds-since-epoch>, "-", <hmac>) */
 541        if (*nonce <= '0' || '9' < *nonce) {
 542                retval = NONCE_BAD;
 543                goto leave;
 544        }
 545        stamp = parse_timestamp(nonce, &bohmac, 10);
 546        if (bohmac == nonce || bohmac[0] != '-') {
 547                retval = NONCE_BAD;
 548                goto leave;
 549        }
 550
 551        expect = prepare_push_cert_nonce(service_dir, stamp);
 552        if (strcmp(expect, nonce)) {
 553                /* Not what we would have signed earlier */
 554                retval = NONCE_BAD;
 555                goto leave;
 556        }
 557
 558        /*
 559         * By how many seconds is this nonce stale?  Negative value
 560         * would mean it was issued by another server with its clock
 561         * skewed in the future.
 562         */
 563        ostamp = parse_timestamp(push_cert_nonce, NULL, 10);
 564        nonce_stamp_slop = (long)ostamp - (long)stamp;
 565
 566        if (nonce_stamp_slop_limit &&
 567            labs(nonce_stamp_slop) <= nonce_stamp_slop_limit) {
 568                /*
 569                 * Pretend as if the received nonce (which passes the
 570                 * HMAC check, so it is not a forged by third-party)
 571                 * is what we issued.
 572                 */
 573                free((void *)push_cert_nonce);
 574                push_cert_nonce = xstrdup(nonce);
 575                retval = NONCE_OK;
 576        } else {
 577                retval = NONCE_SLOP;
 578        }
 579
 580leave:
 581        free(nonce);
 582        free(expect);
 583        return retval;
 584}
 585
 586/*
 587 * Return 1 if there is no push_cert or if the push options in push_cert are
 588 * the same as those in the argument; 0 otherwise.
 589 */
 590static int check_cert_push_options(const struct string_list *push_options)
 591{
 592        const char *buf = push_cert.buf;
 593        int len = push_cert.len;
 594
 595        char *option;
 596        const char *next_line;
 597        int options_seen = 0;
 598
 599        int retval = 1;
 600
 601        if (!len)
 602                return 1;
 603
 604        while ((option = find_header(buf, len, "push-option", &next_line))) {
 605                len -= (next_line - buf);
 606                buf = next_line;
 607                options_seen++;
 608                if (options_seen > push_options->nr
 609                    || strcmp(option,
 610                              push_options->items[options_seen - 1].string)) {
 611                        retval = 0;
 612                        goto leave;
 613                }
 614                free(option);
 615        }
 616
 617        if (options_seen != push_options->nr)
 618                retval = 0;
 619
 620leave:
 621        free(option);
 622        return retval;
 623}
 624
 625static void prepare_push_cert_sha1(struct child_process *proc)
 626{
 627        static int already_done;
 628
 629        if (!push_cert.len)
 630                return;
 631
 632        if (!already_done) {
 633                int bogs /* beginning_of_gpg_sig */;
 634
 635                already_done = 1;
 636                if (write_object_file(push_cert.buf, push_cert.len, "blob",
 637                                      &push_cert_oid))
 638                        oidclr(&push_cert_oid);
 639
 640                memset(&sigcheck, '\0', sizeof(sigcheck));
 641
 642                bogs = parse_signature(push_cert.buf, push_cert.len);
 643                check_signature(push_cert.buf, bogs, push_cert.buf + bogs,
 644                                push_cert.len - bogs, &sigcheck);
 645
 646                nonce_status = check_nonce(push_cert.buf, bogs);
 647        }
 648        if (!is_null_oid(&push_cert_oid)) {
 649                argv_array_pushf(&proc->env_array, "GIT_PUSH_CERT=%s",
 650                                 oid_to_hex(&push_cert_oid));
 651                argv_array_pushf(&proc->env_array, "GIT_PUSH_CERT_SIGNER=%s",
 652                                 sigcheck.signer ? sigcheck.signer : "");
 653                argv_array_pushf(&proc->env_array, "GIT_PUSH_CERT_KEY=%s",
 654                                 sigcheck.key ? sigcheck.key : "");
 655                argv_array_pushf(&proc->env_array, "GIT_PUSH_CERT_STATUS=%c",
 656                                 sigcheck.result);
 657                if (push_cert_nonce) {
 658                        argv_array_pushf(&proc->env_array,
 659                                         "GIT_PUSH_CERT_NONCE=%s",
 660                                         push_cert_nonce);
 661                        argv_array_pushf(&proc->env_array,
 662                                         "GIT_PUSH_CERT_NONCE_STATUS=%s",
 663                                         nonce_status);
 664                        if (nonce_status == NONCE_SLOP)
 665                                argv_array_pushf(&proc->env_array,
 666                                                 "GIT_PUSH_CERT_NONCE_SLOP=%ld",
 667                                                 nonce_stamp_slop);
 668                }
 669        }
 670}
 671
 672struct receive_hook_feed_state {
 673        struct command *cmd;
 674        int skip_broken;
 675        struct strbuf buf;
 676        const struct string_list *push_options;
 677};
 678
 679typedef int (*feed_fn)(void *, const char **, size_t *);
 680static int run_and_feed_hook(const char *hook_name, feed_fn feed,
 681                             struct receive_hook_feed_state *feed_state)
 682{
 683        struct child_process proc = CHILD_PROCESS_INIT;
 684        struct async muxer;
 685        const char *argv[2];
 686        int code;
 687
 688        argv[0] = find_hook(hook_name);
 689        if (!argv[0])
 690                return 0;
 691
 692        argv[1] = NULL;
 693
 694        proc.argv = argv;
 695        proc.in = -1;
 696        proc.stdout_to_stderr = 1;
 697        if (feed_state->push_options) {
 698                int i;
 699                for (i = 0; i < feed_state->push_options->nr; i++)
 700                        argv_array_pushf(&proc.env_array,
 701                                "GIT_PUSH_OPTION_%d=%s", i,
 702                                feed_state->push_options->items[i].string);
 703                argv_array_pushf(&proc.env_array, "GIT_PUSH_OPTION_COUNT=%d",
 704                                 feed_state->push_options->nr);
 705        } else
 706                argv_array_pushf(&proc.env_array, "GIT_PUSH_OPTION_COUNT");
 707
 708        if (tmp_objdir)
 709                argv_array_pushv(&proc.env_array, tmp_objdir_env(tmp_objdir));
 710
 711        if (use_sideband) {
 712                memset(&muxer, 0, sizeof(muxer));
 713                muxer.proc = copy_to_sideband;
 714                muxer.in = -1;
 715                code = start_async(&muxer);
 716                if (code)
 717                        return code;
 718                proc.err = muxer.in;
 719        }
 720
 721        prepare_push_cert_sha1(&proc);
 722
 723        code = start_command(&proc);
 724        if (code) {
 725                if (use_sideband)
 726                        finish_async(&muxer);
 727                return code;
 728        }
 729
 730        sigchain_push(SIGPIPE, SIG_IGN);
 731
 732        while (1) {
 733                const char *buf;
 734                size_t n;
 735                if (feed(feed_state, &buf, &n))
 736                        break;
 737                if (write_in_full(proc.in, buf, n) < 0)
 738                        break;
 739        }
 740        close(proc.in);
 741        if (use_sideband)
 742                finish_async(&muxer);
 743
 744        sigchain_pop(SIGPIPE);
 745
 746        return finish_command(&proc);
 747}
 748
 749static int feed_receive_hook(void *state_, const char **bufp, size_t *sizep)
 750{
 751        struct receive_hook_feed_state *state = state_;
 752        struct command *cmd = state->cmd;
 753
 754        while (cmd &&
 755               state->skip_broken && (cmd->error_string || cmd->did_not_exist))
 756                cmd = cmd->next;
 757        if (!cmd)
 758                return -1; /* EOF */
 759        strbuf_reset(&state->buf);
 760        strbuf_addf(&state->buf, "%s %s %s\n",
 761                    oid_to_hex(&cmd->old_oid), oid_to_hex(&cmd->new_oid),
 762                    cmd->ref_name);
 763        state->cmd = cmd->next;
 764        if (bufp) {
 765                *bufp = state->buf.buf;
 766                *sizep = state->buf.len;
 767        }
 768        return 0;
 769}
 770
 771static int run_receive_hook(struct command *commands,
 772                            const char *hook_name,
 773                            int skip_broken,
 774                            const struct string_list *push_options)
 775{
 776        struct receive_hook_feed_state state;
 777        int status;
 778
 779        strbuf_init(&state.buf, 0);
 780        state.cmd = commands;
 781        state.skip_broken = skip_broken;
 782        if (feed_receive_hook(&state, NULL, NULL))
 783                return 0;
 784        state.cmd = commands;
 785        state.push_options = push_options;
 786        status = run_and_feed_hook(hook_name, feed_receive_hook, &state);
 787        strbuf_release(&state.buf);
 788        return status;
 789}
 790
 791static int run_update_hook(struct command *cmd)
 792{
 793        const char *argv[5];
 794        struct child_process proc = CHILD_PROCESS_INIT;
 795        int code;
 796
 797        argv[0] = find_hook("update");
 798        if (!argv[0])
 799                return 0;
 800
 801        argv[1] = cmd->ref_name;
 802        argv[2] = oid_to_hex(&cmd->old_oid);
 803        argv[3] = oid_to_hex(&cmd->new_oid);
 804        argv[4] = NULL;
 805
 806        proc.no_stdin = 1;
 807        proc.stdout_to_stderr = 1;
 808        proc.err = use_sideband ? -1 : 0;
 809        proc.argv = argv;
 810
 811        code = start_command(&proc);
 812        if (code)
 813                return code;
 814        if (use_sideband)
 815                copy_to_sideband(proc.err, -1, NULL);
 816        return finish_command(&proc);
 817}
 818
 819static int is_ref_checked_out(const char *ref)
 820{
 821        if (is_bare_repository())
 822                return 0;
 823
 824        if (!head_name)
 825                return 0;
 826        return !strcmp(head_name, ref);
 827}
 828
 829static char *refuse_unconfigured_deny_msg =
 830        N_("By default, updating the current branch in a non-bare repository\n"
 831           "is denied, because it will make the index and work tree inconsistent\n"
 832           "with what you pushed, and will require 'git reset --hard' to match\n"
 833           "the work tree to HEAD.\n"
 834           "\n"
 835           "You can set the 'receive.denyCurrentBranch' configuration variable\n"
 836           "to 'ignore' or 'warn' in the remote repository to allow pushing into\n"
 837           "its current branch; however, this is not recommended unless you\n"
 838           "arranged to update its work tree to match what you pushed in some\n"
 839           "other way.\n"
 840           "\n"
 841           "To squelch this message and still keep the default behaviour, set\n"
 842           "'receive.denyCurrentBranch' configuration variable to 'refuse'.");
 843
 844static void refuse_unconfigured_deny(void)
 845{
 846        rp_error("%s", _(refuse_unconfigured_deny_msg));
 847}
 848
 849static char *refuse_unconfigured_deny_delete_current_msg =
 850        N_("By default, deleting the current branch is denied, because the next\n"
 851           "'git clone' won't result in any file checked out, causing confusion.\n"
 852           "\n"
 853           "You can set 'receive.denyDeleteCurrent' configuration variable to\n"
 854           "'warn' or 'ignore' in the remote repository to allow deleting the\n"
 855           "current branch, with or without a warning message.\n"
 856           "\n"
 857           "To squelch this message, you can set it to 'refuse'.");
 858
 859static void refuse_unconfigured_deny_delete_current(void)
 860{
 861        rp_error("%s", _(refuse_unconfigured_deny_delete_current_msg));
 862}
 863
 864static int command_singleton_iterator(void *cb_data, struct object_id *oid);
 865static int update_shallow_ref(struct command *cmd, struct shallow_info *si)
 866{
 867        struct lock_file shallow_lock = LOCK_INIT;
 868        struct oid_array extra = OID_ARRAY_INIT;
 869        struct check_connected_options opt = CHECK_CONNECTED_INIT;
 870        uint32_t mask = 1 << (cmd->index % 32);
 871        int i;
 872
 873        trace_printf_key(&trace_shallow,
 874                         "shallow: update_shallow_ref %s\n", cmd->ref_name);
 875        for (i = 0; i < si->shallow->nr; i++)
 876                if (si->used_shallow[i] &&
 877                    (si->used_shallow[i][cmd->index / 32] & mask) &&
 878                    !delayed_reachability_test(si, i))
 879                        oid_array_append(&extra, &si->shallow->oid[i]);
 880
 881        opt.env = tmp_objdir_env(tmp_objdir);
 882        setup_alternate_shallow(&shallow_lock, &opt.shallow_file, &extra);
 883        if (check_connected(command_singleton_iterator, cmd, &opt)) {
 884                rollback_lock_file(&shallow_lock);
 885                oid_array_clear(&extra);
 886                return -1;
 887        }
 888
 889        commit_lock_file(&shallow_lock);
 890
 891        /*
 892         * Make sure setup_alternate_shallow() for the next ref does
 893         * not lose these new roots..
 894         */
 895        for (i = 0; i < extra.nr; i++)
 896                register_shallow(the_repository, &extra.oid[i]);
 897
 898        si->shallow_ref[cmd->index] = 0;
 899        oid_array_clear(&extra);
 900        return 0;
 901}
 902
 903/*
 904 * NEEDSWORK: we should consolidate various implementions of "are we
 905 * on an unborn branch?" test into one, and make the unified one more
 906 * robust. !get_sha1() based check used here and elsewhere would not
 907 * allow us to tell an unborn branch from corrupt ref, for example.
 908 * For the purpose of fixing "deploy-to-update does not work when
 909 * pushing into an empty repository" issue, this should suffice for
 910 * now.
 911 */
 912static int head_has_history(void)
 913{
 914        struct object_id oid;
 915
 916        return !get_oid("HEAD", &oid);
 917}
 918
 919static const char *push_to_deploy(unsigned char *sha1,
 920                                  struct argv_array *env,
 921                                  const char *work_tree)
 922{
 923        const char *update_refresh[] = {
 924                "update-index", "-q", "--ignore-submodules", "--refresh", NULL
 925        };
 926        const char *diff_files[] = {
 927                "diff-files", "--quiet", "--ignore-submodules", "--", NULL
 928        };
 929        const char *diff_index[] = {
 930                "diff-index", "--quiet", "--cached", "--ignore-submodules",
 931                NULL, "--", NULL
 932        };
 933        const char *read_tree[] = {
 934                "read-tree", "-u", "-m", NULL, NULL
 935        };
 936        struct child_process child = CHILD_PROCESS_INIT;
 937
 938        child.argv = update_refresh;
 939        child.env = env->argv;
 940        child.dir = work_tree;
 941        child.no_stdin = 1;
 942        child.stdout_to_stderr = 1;
 943        child.git_cmd = 1;
 944        if (run_command(&child))
 945                return "Up-to-date check failed";
 946
 947        /* run_command() does not clean up completely; reinitialize */
 948        child_process_init(&child);
 949        child.argv = diff_files;
 950        child.env = env->argv;
 951        child.dir = work_tree;
 952        child.no_stdin = 1;
 953        child.stdout_to_stderr = 1;
 954        child.git_cmd = 1;
 955        if (run_command(&child))
 956                return "Working directory has unstaged changes";
 957
 958        /* diff-index with either HEAD or an empty tree */
 959        diff_index[4] = head_has_history() ? "HEAD" : empty_tree_oid_hex();
 960
 961        child_process_init(&child);
 962        child.argv = diff_index;
 963        child.env = env->argv;
 964        child.no_stdin = 1;
 965        child.no_stdout = 1;
 966        child.stdout_to_stderr = 0;
 967        child.git_cmd = 1;
 968        if (run_command(&child))
 969                return "Working directory has staged changes";
 970
 971        read_tree[3] = sha1_to_hex(sha1);
 972        child_process_init(&child);
 973        child.argv = read_tree;
 974        child.env = env->argv;
 975        child.dir = work_tree;
 976        child.no_stdin = 1;
 977        child.no_stdout = 1;
 978        child.stdout_to_stderr = 0;
 979        child.git_cmd = 1;
 980        if (run_command(&child))
 981                return "Could not update working tree to new HEAD";
 982
 983        return NULL;
 984}
 985
 986static const char *push_to_checkout_hook = "push-to-checkout";
 987
 988static const char *push_to_checkout(unsigned char *sha1,
 989                                    struct argv_array *env,
 990                                    const char *work_tree)
 991{
 992        argv_array_pushf(env, "GIT_WORK_TREE=%s", absolute_path(work_tree));
 993        if (run_hook_le(env->argv, push_to_checkout_hook,
 994                        sha1_to_hex(sha1), NULL))
 995                return "push-to-checkout hook declined";
 996        else
 997                return NULL;
 998}
 999
1000static const char *update_worktree(unsigned char *sha1)
1001{
1002        const char *retval;
1003        const char *work_tree = git_work_tree_cfg ? git_work_tree_cfg : "..";
1004        struct argv_array env = ARGV_ARRAY_INIT;
1005
1006        if (is_bare_repository())
1007                return "denyCurrentBranch = updateInstead needs a worktree";
1008
1009        argv_array_pushf(&env, "GIT_DIR=%s", absolute_path(get_git_dir()));
1010
1011        if (!find_hook(push_to_checkout_hook))
1012                retval = push_to_deploy(sha1, &env, work_tree);
1013        else
1014                retval = push_to_checkout(sha1, &env, work_tree);
1015
1016        argv_array_clear(&env);
1017        return retval;
1018}
1019
1020static const char *update(struct command *cmd, struct shallow_info *si)
1021{
1022        const char *name = cmd->ref_name;
1023        struct strbuf namespaced_name_buf = STRBUF_INIT;
1024        static char *namespaced_name;
1025        const char *ret;
1026        struct object_id *old_oid = &cmd->old_oid;
1027        struct object_id *new_oid = &cmd->new_oid;
1028        int do_update_worktree = 0;
1029
1030        /* only refs/... are allowed */
1031        if (!starts_with(name, "refs/") || check_refname_format(name + 5, 0)) {
1032                rp_error("refusing to create funny ref '%s' remotely", name);
1033                return "funny refname";
1034        }
1035
1036        strbuf_addf(&namespaced_name_buf, "%s%s", get_git_namespace(), name);
1037        free(namespaced_name);
1038        namespaced_name = strbuf_detach(&namespaced_name_buf, NULL);
1039
1040        if (is_ref_checked_out(namespaced_name)) {
1041                switch (deny_current_branch) {
1042                case DENY_IGNORE:
1043                        break;
1044                case DENY_WARN:
1045                        rp_warning("updating the current branch");
1046                        break;
1047                case DENY_REFUSE:
1048                case DENY_UNCONFIGURED:
1049                        rp_error("refusing to update checked out branch: %s", name);
1050                        if (deny_current_branch == DENY_UNCONFIGURED)
1051                                refuse_unconfigured_deny();
1052                        return "branch is currently checked out";
1053                case DENY_UPDATE_INSTEAD:
1054                        /* pass -- let other checks intervene first */
1055                        do_update_worktree = 1;
1056                        break;
1057                }
1058        }
1059
1060        if (!is_null_oid(new_oid) && !has_object_file(new_oid)) {
1061                error("unpack should have generated %s, "
1062                      "but I can't find it!", oid_to_hex(new_oid));
1063                return "bad pack";
1064        }
1065
1066        if (!is_null_oid(old_oid) && is_null_oid(new_oid)) {
1067                if (deny_deletes && starts_with(name, "refs/heads/")) {
1068                        rp_error("denying ref deletion for %s", name);
1069                        return "deletion prohibited";
1070                }
1071
1072                if (head_name && !strcmp(namespaced_name, head_name)) {
1073                        switch (deny_delete_current) {
1074                        case DENY_IGNORE:
1075                                break;
1076                        case DENY_WARN:
1077                                rp_warning("deleting the current branch");
1078                                break;
1079                        case DENY_REFUSE:
1080                        case DENY_UNCONFIGURED:
1081                        case DENY_UPDATE_INSTEAD:
1082                                if (deny_delete_current == DENY_UNCONFIGURED)
1083                                        refuse_unconfigured_deny_delete_current();
1084                                rp_error("refusing to delete the current branch: %s", name);
1085                                return "deletion of the current branch prohibited";
1086                        default:
1087                                return "Invalid denyDeleteCurrent setting";
1088                        }
1089                }
1090        }
1091
1092        if (deny_non_fast_forwards && !is_null_oid(new_oid) &&
1093            !is_null_oid(old_oid) &&
1094            starts_with(name, "refs/heads/")) {
1095                struct object *old_object, *new_object;
1096                struct commit *old_commit, *new_commit;
1097
1098                old_object = parse_object(the_repository, old_oid);
1099                new_object = parse_object(the_repository, new_oid);
1100
1101                if (!old_object || !new_object ||
1102                    old_object->type != OBJ_COMMIT ||
1103                    new_object->type != OBJ_COMMIT) {
1104                        error("bad sha1 objects for %s", name);
1105                        return "bad ref";
1106                }
1107                old_commit = (struct commit *)old_object;
1108                new_commit = (struct commit *)new_object;
1109                if (!in_merge_bases(old_commit, new_commit)) {
1110                        rp_error("denying non-fast-forward %s"
1111                                 " (you should pull first)", name);
1112                        return "non-fast-forward";
1113                }
1114        }
1115        if (run_update_hook(cmd)) {
1116                rp_error("hook declined to update %s", name);
1117                return "hook declined";
1118        }
1119
1120        if (do_update_worktree) {
1121                ret = update_worktree(new_oid->hash);
1122                if (ret)
1123                        return ret;
1124        }
1125
1126        if (is_null_oid(new_oid)) {
1127                struct strbuf err = STRBUF_INIT;
1128                if (!parse_object(the_repository, old_oid)) {
1129                        old_oid = NULL;
1130                        if (ref_exists(name)) {
1131                                rp_warning("Allowing deletion of corrupt ref.");
1132                        } else {
1133                                rp_warning("Deleting a non-existent ref.");
1134                                cmd->did_not_exist = 1;
1135                        }
1136                }
1137                if (ref_transaction_delete(transaction,
1138                                           namespaced_name,
1139                                           old_oid,
1140                                           0, "push", &err)) {
1141                        rp_error("%s", err.buf);
1142                        strbuf_release(&err);
1143                        return "failed to delete";
1144                }
1145                strbuf_release(&err);
1146                return NULL; /* good */
1147        }
1148        else {
1149                struct strbuf err = STRBUF_INIT;
1150                if (shallow_update && si->shallow_ref[cmd->index] &&
1151                    update_shallow_ref(cmd, si))
1152                        return "shallow error";
1153
1154                if (ref_transaction_update(transaction,
1155                                           namespaced_name,
1156                                           new_oid, old_oid,
1157                                           0, "push",
1158                                           &err)) {
1159                        rp_error("%s", err.buf);
1160                        strbuf_release(&err);
1161
1162                        return "failed to update ref";
1163                }
1164                strbuf_release(&err);
1165
1166                return NULL; /* good */
1167        }
1168}
1169
1170static void run_update_post_hook(struct command *commands)
1171{
1172        struct command *cmd;
1173        struct child_process proc = CHILD_PROCESS_INIT;
1174        const char *hook;
1175
1176        hook = find_hook("post-update");
1177        if (!hook)
1178                return;
1179
1180        for (cmd = commands; cmd; cmd = cmd->next) {
1181                if (cmd->error_string || cmd->did_not_exist)
1182                        continue;
1183                if (!proc.args.argc)
1184                        argv_array_push(&proc.args, hook);
1185                argv_array_push(&proc.args, cmd->ref_name);
1186        }
1187        if (!proc.args.argc)
1188                return;
1189
1190        proc.no_stdin = 1;
1191        proc.stdout_to_stderr = 1;
1192        proc.err = use_sideband ? -1 : 0;
1193
1194        if (!start_command(&proc)) {
1195                if (use_sideband)
1196                        copy_to_sideband(proc.err, -1, NULL);
1197                finish_command(&proc);
1198        }
1199}
1200
1201static void check_aliased_update(struct command *cmd, struct string_list *list)
1202{
1203        struct strbuf buf = STRBUF_INIT;
1204        const char *dst_name;
1205        struct string_list_item *item;
1206        struct command *dst_cmd;
1207        int flag;
1208
1209        strbuf_addf(&buf, "%s%s", get_git_namespace(), cmd->ref_name);
1210        dst_name = resolve_ref_unsafe(buf.buf, 0, NULL, &flag);
1211        strbuf_release(&buf);
1212
1213        if (!(flag & REF_ISSYMREF))
1214                return;
1215
1216        if (!dst_name) {
1217                rp_error("refusing update to broken symref '%s'", cmd->ref_name);
1218                cmd->skip_update = 1;
1219                cmd->error_string = "broken symref";
1220                return;
1221        }
1222        dst_name = strip_namespace(dst_name);
1223
1224        if ((item = string_list_lookup(list, dst_name)) == NULL)
1225                return;
1226
1227        cmd->skip_update = 1;
1228
1229        dst_cmd = (struct command *) item->util;
1230
1231        if (oideq(&cmd->old_oid, &dst_cmd->old_oid) &&
1232            oideq(&cmd->new_oid, &dst_cmd->new_oid))
1233                return;
1234
1235        dst_cmd->skip_update = 1;
1236
1237        rp_error("refusing inconsistent update between symref '%s' (%s..%s) and"
1238                 " its target '%s' (%s..%s)",
1239                 cmd->ref_name,
1240                 find_unique_abbrev(&cmd->old_oid, DEFAULT_ABBREV),
1241                 find_unique_abbrev(&cmd->new_oid, DEFAULT_ABBREV),
1242                 dst_cmd->ref_name,
1243                 find_unique_abbrev(&dst_cmd->old_oid, DEFAULT_ABBREV),
1244                 find_unique_abbrev(&dst_cmd->new_oid, DEFAULT_ABBREV));
1245
1246        cmd->error_string = dst_cmd->error_string =
1247                "inconsistent aliased update";
1248}
1249
1250static void check_aliased_updates(struct command *commands)
1251{
1252        struct command *cmd;
1253        struct string_list ref_list = STRING_LIST_INIT_NODUP;
1254
1255        for (cmd = commands; cmd; cmd = cmd->next) {
1256                struct string_list_item *item =
1257                        string_list_append(&ref_list, cmd->ref_name);
1258                item->util = (void *)cmd;
1259        }
1260        string_list_sort(&ref_list);
1261
1262        for (cmd = commands; cmd; cmd = cmd->next) {
1263                if (!cmd->error_string)
1264                        check_aliased_update(cmd, &ref_list);
1265        }
1266
1267        string_list_clear(&ref_list, 0);
1268}
1269
1270static int command_singleton_iterator(void *cb_data, struct object_id *oid)
1271{
1272        struct command **cmd_list = cb_data;
1273        struct command *cmd = *cmd_list;
1274
1275        if (!cmd || is_null_oid(&cmd->new_oid))
1276                return -1; /* end of list */
1277        *cmd_list = NULL; /* this returns only one */
1278        oidcpy(oid, &cmd->new_oid);
1279        return 0;
1280}
1281
1282static void set_connectivity_errors(struct command *commands,
1283                                    struct shallow_info *si)
1284{
1285        struct command *cmd;
1286
1287        for (cmd = commands; cmd; cmd = cmd->next) {
1288                struct command *singleton = cmd;
1289                struct check_connected_options opt = CHECK_CONNECTED_INIT;
1290
1291                if (shallow_update && si->shallow_ref[cmd->index])
1292                        /* to be checked in update_shallow_ref() */
1293                        continue;
1294
1295                opt.env = tmp_objdir_env(tmp_objdir);
1296                if (!check_connected(command_singleton_iterator, &singleton,
1297                                     &opt))
1298                        continue;
1299
1300                cmd->error_string = "missing necessary objects";
1301        }
1302}
1303
1304struct iterate_data {
1305        struct command *cmds;
1306        struct shallow_info *si;
1307};
1308
1309static int iterate_receive_command_list(void *cb_data, struct object_id *oid)
1310{
1311        struct iterate_data *data = cb_data;
1312        struct command **cmd_list = &data->cmds;
1313        struct command *cmd = *cmd_list;
1314
1315        for (; cmd; cmd = cmd->next) {
1316                if (shallow_update && data->si->shallow_ref[cmd->index])
1317                        /* to be checked in update_shallow_ref() */
1318                        continue;
1319                if (!is_null_oid(&cmd->new_oid) && !cmd->skip_update) {
1320                        oidcpy(oid, &cmd->new_oid);
1321                        *cmd_list = cmd->next;
1322                        return 0;
1323                }
1324        }
1325        *cmd_list = NULL;
1326        return -1; /* end of list */
1327}
1328
1329static void reject_updates_to_hidden(struct command *commands)
1330{
1331        struct strbuf refname_full = STRBUF_INIT;
1332        size_t prefix_len;
1333        struct command *cmd;
1334
1335        strbuf_addstr(&refname_full, get_git_namespace());
1336        prefix_len = refname_full.len;
1337
1338        for (cmd = commands; cmd; cmd = cmd->next) {
1339                if (cmd->error_string)
1340                        continue;
1341
1342                strbuf_setlen(&refname_full, prefix_len);
1343                strbuf_addstr(&refname_full, cmd->ref_name);
1344
1345                if (!ref_is_hidden(cmd->ref_name, refname_full.buf))
1346                        continue;
1347                if (is_null_oid(&cmd->new_oid))
1348                        cmd->error_string = "deny deleting a hidden ref";
1349                else
1350                        cmd->error_string = "deny updating a hidden ref";
1351        }
1352
1353        strbuf_release(&refname_full);
1354}
1355
1356static int should_process_cmd(struct command *cmd)
1357{
1358        return !cmd->error_string && !cmd->skip_update;
1359}
1360
1361static void warn_if_skipped_connectivity_check(struct command *commands,
1362                                               struct shallow_info *si)
1363{
1364        struct command *cmd;
1365        int checked_connectivity = 1;
1366
1367        for (cmd = commands; cmd; cmd = cmd->next) {
1368                if (should_process_cmd(cmd) && si->shallow_ref[cmd->index]) {
1369                        error("BUG: connectivity check has not been run on ref %s",
1370                              cmd->ref_name);
1371                        checked_connectivity = 0;
1372                }
1373        }
1374        if (!checked_connectivity)
1375                BUG("connectivity check skipped???");
1376}
1377
1378static void execute_commands_non_atomic(struct command *commands,
1379                                        struct shallow_info *si)
1380{
1381        struct command *cmd;
1382        struct strbuf err = STRBUF_INIT;
1383
1384        for (cmd = commands; cmd; cmd = cmd->next) {
1385                if (!should_process_cmd(cmd))
1386                        continue;
1387
1388                transaction = ref_transaction_begin(&err);
1389                if (!transaction) {
1390                        rp_error("%s", err.buf);
1391                        strbuf_reset(&err);
1392                        cmd->error_string = "transaction failed to start";
1393                        continue;
1394                }
1395
1396                cmd->error_string = update(cmd, si);
1397
1398                if (!cmd->error_string
1399                    && ref_transaction_commit(transaction, &err)) {
1400                        rp_error("%s", err.buf);
1401                        strbuf_reset(&err);
1402                        cmd->error_string = "failed to update ref";
1403                }
1404                ref_transaction_free(transaction);
1405        }
1406        strbuf_release(&err);
1407}
1408
1409static void execute_commands_atomic(struct command *commands,
1410                                        struct shallow_info *si)
1411{
1412        struct command *cmd;
1413        struct strbuf err = STRBUF_INIT;
1414        const char *reported_error = "atomic push failure";
1415
1416        transaction = ref_transaction_begin(&err);
1417        if (!transaction) {
1418                rp_error("%s", err.buf);
1419                strbuf_reset(&err);
1420                reported_error = "transaction failed to start";
1421                goto failure;
1422        }
1423
1424        for (cmd = commands; cmd; cmd = cmd->next) {
1425                if (!should_process_cmd(cmd))
1426                        continue;
1427
1428                cmd->error_string = update(cmd, si);
1429
1430                if (cmd->error_string)
1431                        goto failure;
1432        }
1433
1434        if (ref_transaction_commit(transaction, &err)) {
1435                rp_error("%s", err.buf);
1436                reported_error = "atomic transaction failed";
1437                goto failure;
1438        }
1439        goto cleanup;
1440
1441failure:
1442        for (cmd = commands; cmd; cmd = cmd->next)
1443                if (!cmd->error_string)
1444                        cmd->error_string = reported_error;
1445
1446cleanup:
1447        ref_transaction_free(transaction);
1448        strbuf_release(&err);
1449}
1450
1451static void execute_commands(struct command *commands,
1452                             const char *unpacker_error,
1453                             struct shallow_info *si,
1454                             const struct string_list *push_options)
1455{
1456        struct check_connected_options opt = CHECK_CONNECTED_INIT;
1457        struct command *cmd;
1458        struct iterate_data data;
1459        struct async muxer;
1460        int err_fd = 0;
1461
1462        if (unpacker_error) {
1463                for (cmd = commands; cmd; cmd = cmd->next)
1464                        cmd->error_string = "unpacker error";
1465                return;
1466        }
1467
1468        if (use_sideband) {
1469                memset(&muxer, 0, sizeof(muxer));
1470                muxer.proc = copy_to_sideband;
1471                muxer.in = -1;
1472                if (!start_async(&muxer))
1473                        err_fd = muxer.in;
1474                /* ...else, continue without relaying sideband */
1475        }
1476
1477        data.cmds = commands;
1478        data.si = si;
1479        opt.err_fd = err_fd;
1480        opt.progress = err_fd && !quiet;
1481        opt.env = tmp_objdir_env(tmp_objdir);
1482        if (check_connected(iterate_receive_command_list, &data, &opt))
1483                set_connectivity_errors(commands, si);
1484
1485        if (use_sideband)
1486                finish_async(&muxer);
1487
1488        reject_updates_to_hidden(commands);
1489
1490        if (run_receive_hook(commands, "pre-receive", 0, push_options)) {
1491                for (cmd = commands; cmd; cmd = cmd->next) {
1492                        if (!cmd->error_string)
1493                                cmd->error_string = "pre-receive hook declined";
1494                }
1495                return;
1496        }
1497
1498        /*
1499         * Now we'll start writing out refs, which means the objects need
1500         * to be in their final positions so that other processes can see them.
1501         */
1502        if (tmp_objdir_migrate(tmp_objdir) < 0) {
1503                for (cmd = commands; cmd; cmd = cmd->next) {
1504                        if (!cmd->error_string)
1505                                cmd->error_string = "unable to migrate objects to permanent storage";
1506                }
1507                return;
1508        }
1509        tmp_objdir = NULL;
1510
1511        check_aliased_updates(commands);
1512
1513        free(head_name_to_free);
1514        head_name = head_name_to_free = resolve_refdup("HEAD", 0, NULL, NULL);
1515
1516        if (use_atomic)
1517                execute_commands_atomic(commands, si);
1518        else
1519                execute_commands_non_atomic(commands, si);
1520
1521        if (shallow_update)
1522                warn_if_skipped_connectivity_check(commands, si);
1523}
1524
1525static struct command **queue_command(struct command **tail,
1526                                      const char *line,
1527                                      int linelen)
1528{
1529        struct object_id old_oid, new_oid;
1530        struct command *cmd;
1531        const char *refname;
1532        int reflen;
1533        const char *p;
1534
1535        if (parse_oid_hex(line, &old_oid, &p) ||
1536            *p++ != ' ' ||
1537            parse_oid_hex(p, &new_oid, &p) ||
1538            *p++ != ' ')
1539                die("protocol error: expected old/new/ref, got '%s'", line);
1540
1541        refname = p;
1542        reflen = linelen - (p - line);
1543        FLEX_ALLOC_MEM(cmd, ref_name, refname, reflen);
1544        oidcpy(&cmd->old_oid, &old_oid);
1545        oidcpy(&cmd->new_oid, &new_oid);
1546        *tail = cmd;
1547        return &cmd->next;
1548}
1549
1550static void queue_commands_from_cert(struct command **tail,
1551                                     struct strbuf *push_cert)
1552{
1553        const char *boc, *eoc;
1554
1555        if (*tail)
1556                die("protocol error: got both push certificate and unsigned commands");
1557
1558        boc = strstr(push_cert->buf, "\n\n");
1559        if (!boc)
1560                die("malformed push certificate %.*s", 100, push_cert->buf);
1561        else
1562                boc += 2;
1563        eoc = push_cert->buf + parse_signature(push_cert->buf, push_cert->len);
1564
1565        while (boc < eoc) {
1566                const char *eol = memchr(boc, '\n', eoc - boc);
1567                tail = queue_command(tail, boc, eol ? eol - boc : eoc - boc);
1568                boc = eol ? eol + 1 : eoc;
1569        }
1570}
1571
1572static struct command *read_head_info(struct oid_array *shallow)
1573{
1574        struct command *commands = NULL;
1575        struct command **p = &commands;
1576        for (;;) {
1577                char *line;
1578                int len, linelen;
1579
1580                line = packet_read_line(0, &len);
1581                if (!line)
1582                        break;
1583
1584                if (len > 8 && starts_with(line, "shallow ")) {
1585                        struct object_id oid;
1586                        if (get_oid_hex(line + 8, &oid))
1587                                die("protocol error: expected shallow sha, got '%s'",
1588                                    line + 8);
1589                        oid_array_append(shallow, &oid);
1590                        continue;
1591                }
1592
1593                linelen = strlen(line);
1594                if (linelen < len) {
1595                        const char *feature_list = line + linelen + 1;
1596                        if (parse_feature_request(feature_list, "report-status"))
1597                                report_status = 1;
1598                        if (parse_feature_request(feature_list, "side-band-64k"))
1599                                use_sideband = LARGE_PACKET_MAX;
1600                        if (parse_feature_request(feature_list, "quiet"))
1601                                quiet = 1;
1602                        if (advertise_atomic_push
1603                            && parse_feature_request(feature_list, "atomic"))
1604                                use_atomic = 1;
1605                        if (advertise_push_options
1606                            && parse_feature_request(feature_list, "push-options"))
1607                                use_push_options = 1;
1608                }
1609
1610                if (!strcmp(line, "push-cert")) {
1611                        int true_flush = 0;
1612                        char certbuf[1024];
1613
1614                        for (;;) {
1615                                len = packet_read(0, NULL, NULL,
1616                                                  certbuf, sizeof(certbuf), 0);
1617                                if (!len) {
1618                                        true_flush = 1;
1619                                        break;
1620                                }
1621                                if (!strcmp(certbuf, "push-cert-end\n"))
1622                                        break; /* end of cert */
1623                                strbuf_addstr(&push_cert, certbuf);
1624                        }
1625
1626                        if (true_flush)
1627                                break;
1628                        continue;
1629                }
1630
1631                p = queue_command(p, line, linelen);
1632        }
1633
1634        if (push_cert.len)
1635                queue_commands_from_cert(p, &push_cert);
1636
1637        return commands;
1638}
1639
1640static void read_push_options(struct string_list *options)
1641{
1642        while (1) {
1643                char *line;
1644                int len;
1645
1646                line = packet_read_line(0, &len);
1647
1648                if (!line)
1649                        break;
1650
1651                string_list_append(options, line);
1652        }
1653}
1654
1655static const char *parse_pack_header(struct pack_header *hdr)
1656{
1657        switch (read_pack_header(0, hdr)) {
1658        case PH_ERROR_EOF:
1659                return "eof before pack header was fully read";
1660
1661        case PH_ERROR_PACK_SIGNATURE:
1662                return "protocol error (pack signature mismatch detected)";
1663
1664        case PH_ERROR_PROTOCOL:
1665                return "protocol error (pack version unsupported)";
1666
1667        default:
1668                return "unknown error in parse_pack_header";
1669
1670        case 0:
1671                return NULL;
1672        }
1673}
1674
1675static const char *pack_lockfile;
1676
1677static void push_header_arg(struct argv_array *args, struct pack_header *hdr)
1678{
1679        argv_array_pushf(args, "--pack_header=%"PRIu32",%"PRIu32,
1680                        ntohl(hdr->hdr_version), ntohl(hdr->hdr_entries));
1681}
1682
1683static const char *unpack(int err_fd, struct shallow_info *si)
1684{
1685        struct pack_header hdr;
1686        const char *hdr_err;
1687        int status;
1688        struct child_process child = CHILD_PROCESS_INIT;
1689        int fsck_objects = (receive_fsck_objects >= 0
1690                            ? receive_fsck_objects
1691                            : transfer_fsck_objects >= 0
1692                            ? transfer_fsck_objects
1693                            : 0);
1694
1695        hdr_err = parse_pack_header(&hdr);
1696        if (hdr_err) {
1697                if (err_fd > 0)
1698                        close(err_fd);
1699                return hdr_err;
1700        }
1701
1702        if (si->nr_ours || si->nr_theirs) {
1703                alt_shallow_file = setup_temporary_shallow(si->shallow);
1704                argv_array_push(&child.args, "--shallow-file");
1705                argv_array_push(&child.args, alt_shallow_file);
1706        }
1707
1708        tmp_objdir = tmp_objdir_create();
1709        if (!tmp_objdir) {
1710                if (err_fd > 0)
1711                        close(err_fd);
1712                return "unable to create temporary object directory";
1713        }
1714        child.env = tmp_objdir_env(tmp_objdir);
1715
1716        /*
1717         * Normally we just pass the tmp_objdir environment to the child
1718         * processes that do the heavy lifting, but we may need to see these
1719         * objects ourselves to set up shallow information.
1720         */
1721        tmp_objdir_add_as_alternate(tmp_objdir);
1722
1723        if (ntohl(hdr.hdr_entries) < unpack_limit) {
1724                argv_array_push(&child.args, "unpack-objects");
1725                push_header_arg(&child.args, &hdr);
1726                if (quiet)
1727                        argv_array_push(&child.args, "-q");
1728                if (fsck_objects)
1729                        argv_array_pushf(&child.args, "--strict%s",
1730                                fsck_msg_types.buf);
1731                if (max_input_size)
1732                        argv_array_pushf(&child.args, "--max-input-size=%"PRIuMAX,
1733                                (uintmax_t)max_input_size);
1734                child.no_stdout = 1;
1735                child.err = err_fd;
1736                child.git_cmd = 1;
1737                status = run_command(&child);
1738                if (status)
1739                        return "unpack-objects abnormal exit";
1740        } else {
1741                char hostname[HOST_NAME_MAX + 1];
1742
1743                argv_array_pushl(&child.args, "index-pack", "--stdin", NULL);
1744                push_header_arg(&child.args, &hdr);
1745
1746                if (xgethostname(hostname, sizeof(hostname)))
1747                        xsnprintf(hostname, sizeof(hostname), "localhost");
1748                argv_array_pushf(&child.args,
1749                                 "--keep=receive-pack %"PRIuMAX" on %s",
1750                                 (uintmax_t)getpid(),
1751                                 hostname);
1752
1753                if (!quiet && err_fd)
1754                        argv_array_push(&child.args, "--show-resolving-progress");
1755                if (use_sideband)
1756                        argv_array_push(&child.args, "--report-end-of-input");
1757                if (fsck_objects)
1758                        argv_array_pushf(&child.args, "--strict%s",
1759                                fsck_msg_types.buf);
1760                if (!reject_thin)
1761                        argv_array_push(&child.args, "--fix-thin");
1762                if (max_input_size)
1763                        argv_array_pushf(&child.args, "--max-input-size=%"PRIuMAX,
1764                                (uintmax_t)max_input_size);
1765                child.out = -1;
1766                child.err = err_fd;
1767                child.git_cmd = 1;
1768                status = start_command(&child);
1769                if (status)
1770                        return "index-pack fork failed";
1771                pack_lockfile = index_pack_lockfile(child.out);
1772                close(child.out);
1773                status = finish_command(&child);
1774                if (status)
1775                        return "index-pack abnormal exit";
1776                reprepare_packed_git(the_repository);
1777        }
1778        return NULL;
1779}
1780
1781static const char *unpack_with_sideband(struct shallow_info *si)
1782{
1783        struct async muxer;
1784        const char *ret;
1785
1786        if (!use_sideband)
1787                return unpack(0, si);
1788
1789        use_keepalive = KEEPALIVE_AFTER_NUL;
1790        memset(&muxer, 0, sizeof(muxer));
1791        muxer.proc = copy_to_sideband;
1792        muxer.in = -1;
1793        if (start_async(&muxer))
1794                return NULL;
1795
1796        ret = unpack(muxer.in, si);
1797
1798        finish_async(&muxer);
1799        return ret;
1800}
1801
1802static void prepare_shallow_update(struct command *commands,
1803                                   struct shallow_info *si)
1804{
1805        int i, j, k, bitmap_size = DIV_ROUND_UP(si->ref->nr, 32);
1806
1807        ALLOC_ARRAY(si->used_shallow, si->shallow->nr);
1808        assign_shallow_commits_to_refs(si, si->used_shallow, NULL);
1809
1810        si->need_reachability_test =
1811                xcalloc(si->shallow->nr, sizeof(*si->need_reachability_test));
1812        si->reachable =
1813                xcalloc(si->shallow->nr, sizeof(*si->reachable));
1814        si->shallow_ref = xcalloc(si->ref->nr, sizeof(*si->shallow_ref));
1815
1816        for (i = 0; i < si->nr_ours; i++)
1817                si->need_reachability_test[si->ours[i]] = 1;
1818
1819        for (i = 0; i < si->shallow->nr; i++) {
1820                if (!si->used_shallow[i])
1821                        continue;
1822                for (j = 0; j < bitmap_size; j++) {
1823                        if (!si->used_shallow[i][j])
1824                                continue;
1825                        si->need_reachability_test[i]++;
1826                        for (k = 0; k < 32; k++)
1827                                if (si->used_shallow[i][j] & (1U << k))
1828                                        si->shallow_ref[j * 32 + k]++;
1829                }
1830
1831                /*
1832                 * true for those associated with some refs and belong
1833                 * in "ours" list aka "step 7 not done yet"
1834                 */
1835                si->need_reachability_test[i] =
1836                        si->need_reachability_test[i] > 1;
1837        }
1838
1839        /*
1840         * keep hooks happy by forcing a temporary shallow file via
1841         * env variable because we can't add --shallow-file to every
1842         * command. check_connected() will be done with
1843         * true .git/shallow though.
1844         */
1845        setenv(GIT_SHALLOW_FILE_ENVIRONMENT, alt_shallow_file, 1);
1846}
1847
1848static void update_shallow_info(struct command *commands,
1849                                struct shallow_info *si,
1850                                struct oid_array *ref)
1851{
1852        struct command *cmd;
1853        int *ref_status;
1854        remove_nonexistent_theirs_shallow(si);
1855        if (!si->nr_ours && !si->nr_theirs) {
1856                shallow_update = 0;
1857                return;
1858        }
1859
1860        for (cmd = commands; cmd; cmd = cmd->next) {
1861                if (is_null_oid(&cmd->new_oid))
1862                        continue;
1863                oid_array_append(ref, &cmd->new_oid);
1864                cmd->index = ref->nr - 1;
1865        }
1866        si->ref = ref;
1867
1868        if (shallow_update) {
1869                prepare_shallow_update(commands, si);
1870                return;
1871        }
1872
1873        ALLOC_ARRAY(ref_status, ref->nr);
1874        assign_shallow_commits_to_refs(si, NULL, ref_status);
1875        for (cmd = commands; cmd; cmd = cmd->next) {
1876                if (is_null_oid(&cmd->new_oid))
1877                        continue;
1878                if (ref_status[cmd->index]) {
1879                        cmd->error_string = "shallow update not allowed";
1880                        cmd->skip_update = 1;
1881                }
1882        }
1883        free(ref_status);
1884}
1885
1886static void report(struct command *commands, const char *unpack_status)
1887{
1888        struct command *cmd;
1889        struct strbuf buf = STRBUF_INIT;
1890
1891        packet_buf_write(&buf, "unpack %s\n",
1892                         unpack_status ? unpack_status : "ok");
1893        for (cmd = commands; cmd; cmd = cmd->next) {
1894                if (!cmd->error_string)
1895                        packet_buf_write(&buf, "ok %s\n",
1896                                         cmd->ref_name);
1897                else
1898                        packet_buf_write(&buf, "ng %s %s\n",
1899                                         cmd->ref_name, cmd->error_string);
1900        }
1901        packet_buf_flush(&buf);
1902
1903        if (use_sideband)
1904                send_sideband(1, 1, buf.buf, buf.len, use_sideband);
1905        else
1906                write_or_die(1, buf.buf, buf.len);
1907        strbuf_release(&buf);
1908}
1909
1910static int delete_only(struct command *commands)
1911{
1912        struct command *cmd;
1913        for (cmd = commands; cmd; cmd = cmd->next) {
1914                if (!is_null_oid(&cmd->new_oid))
1915                        return 0;
1916        }
1917        return 1;
1918}
1919
1920int cmd_receive_pack(int argc, const char **argv, const char *prefix)
1921{
1922        int advertise_refs = 0;
1923        struct command *commands;
1924        struct oid_array shallow = OID_ARRAY_INIT;
1925        struct oid_array ref = OID_ARRAY_INIT;
1926        struct shallow_info si;
1927
1928        struct option options[] = {
1929                OPT__QUIET(&quiet, N_("quiet")),
1930                OPT_HIDDEN_BOOL(0, "stateless-rpc", &stateless_rpc, NULL),
1931                OPT_HIDDEN_BOOL(0, "advertise-refs", &advertise_refs, NULL),
1932                OPT_HIDDEN_BOOL(0, "reject-thin-pack-for-testing", &reject_thin, NULL),
1933                OPT_END()
1934        };
1935
1936        packet_trace_identity("receive-pack");
1937
1938        argc = parse_options(argc, argv, prefix, options, receive_pack_usage, 0);
1939
1940        if (argc > 1)
1941                usage_msg_opt(_("Too many arguments."), receive_pack_usage, options);
1942        if (argc == 0)
1943                usage_msg_opt(_("You must specify a directory."), receive_pack_usage, options);
1944
1945        service_dir = argv[0];
1946
1947        setup_path();
1948
1949        if (!enter_repo(service_dir, 0))
1950                die("'%s' does not appear to be a git repository", service_dir);
1951
1952        git_config(receive_pack_config, NULL);
1953        if (cert_nonce_seed)
1954                push_cert_nonce = prepare_push_cert_nonce(service_dir, time(NULL));
1955
1956        if (0 <= transfer_unpack_limit)
1957                unpack_limit = transfer_unpack_limit;
1958        else if (0 <= receive_unpack_limit)
1959                unpack_limit = receive_unpack_limit;
1960
1961        switch (determine_protocol_version_server()) {
1962        case protocol_v2:
1963                /*
1964                 * push support for protocol v2 has not been implemented yet,
1965                 * so ignore the request to use v2 and fallback to using v0.
1966                 */
1967                break;
1968        case protocol_v1:
1969                /*
1970                 * v1 is just the original protocol with a version string,
1971                 * so just fall through after writing the version string.
1972                 */
1973                if (advertise_refs || !stateless_rpc)
1974                        packet_write_fmt(1, "version 1\n");
1975
1976                /* fallthrough */
1977        case protocol_v0:
1978                break;
1979        case protocol_unknown_version:
1980                BUG("unknown protocol version");
1981        }
1982
1983        if (advertise_refs || !stateless_rpc) {
1984                write_head_info();
1985        }
1986        if (advertise_refs)
1987                return 0;
1988
1989        if ((commands = read_head_info(&shallow)) != NULL) {
1990                const char *unpack_status = NULL;
1991                struct string_list push_options = STRING_LIST_INIT_DUP;
1992
1993                if (use_push_options)
1994                        read_push_options(&push_options);
1995                if (!check_cert_push_options(&push_options)) {
1996                        struct command *cmd;
1997                        for (cmd = commands; cmd; cmd = cmd->next)
1998                                cmd->error_string = "inconsistent push options";
1999                }
2000
2001                prepare_shallow_info(&si, &shallow);
2002                if (!si.nr_ours && !si.nr_theirs)
2003                        shallow_update = 0;
2004                if (!delete_only(commands)) {
2005                        unpack_status = unpack_with_sideband(&si);
2006                        update_shallow_info(commands, &si, &ref);
2007                }
2008                use_keepalive = KEEPALIVE_ALWAYS;
2009                execute_commands(commands, unpack_status, &si,
2010                                 &push_options);
2011                if (pack_lockfile)
2012                        unlink_or_warn(pack_lockfile);
2013                if (report_status)
2014                        report(commands, unpack_status);
2015                run_receive_hook(commands, "post-receive", 1,
2016                                 &push_options);
2017                run_update_post_hook(commands);
2018                string_list_clear(&push_options, 0);
2019                if (auto_gc) {
2020                        const char *argv_gc_auto[] = {
2021                                "gc", "--auto", "--quiet", NULL,
2022                        };
2023                        struct child_process proc = CHILD_PROCESS_INIT;
2024
2025                        proc.no_stdin = 1;
2026                        proc.stdout_to_stderr = 1;
2027                        proc.err = use_sideband ? -1 : 0;
2028                        proc.git_cmd = 1;
2029                        proc.argv = argv_gc_auto;
2030
2031                        close_all_packs(the_repository->objects);
2032                        if (!start_command(&proc)) {
2033                                if (use_sideband)
2034                                        copy_to_sideband(proc.err, -1, NULL);
2035                                finish_command(&proc);
2036                        }
2037                }
2038                if (auto_update_server_info)
2039                        update_server_info(0);
2040                clear_shallow_info(&si);
2041        }
2042        if (use_sideband)
2043                packet_flush(1);
2044        oid_array_clear(&shallow);
2045        oid_array_clear(&ref);
2046        free((void *)push_cert_nonce);
2047        return 0;
2048}