builtin / receive-pack.con commit Merge branch 'js/commit-gpgsign' of ../git-gui into js/git-gui-commit-gpgsign (f14a310)
   1#include "builtin.h"
   2#include "lockfile.h"
   3#include "pack.h"
   4#include "refs.h"
   5#include "pkt-line.h"
   6#include "sideband.h"
   7#include "run-command.h"
   8#include "exec_cmd.h"
   9#include "commit.h"
  10#include "object.h"
  11#include "remote.h"
  12#include "connect.h"
  13#include "transport.h"
  14#include "string-list.h"
  15#include "sha1-array.h"
  16#include "connected.h"
  17#include "argv-array.h"
  18#include "version.h"
  19#include "tag.h"
  20#include "gpg-interface.h"
  21#include "sigchain.h"
  22#include "fsck.h"
  23
  24static const char * const receive_pack_usage[] = {
  25        N_("git receive-pack <git-dir>"),
  26        NULL
  27};
  28
  29enum deny_action {
  30        DENY_UNCONFIGURED,
  31        DENY_IGNORE,
  32        DENY_WARN,
  33        DENY_REFUSE,
  34        DENY_UPDATE_INSTEAD
  35};
  36
  37static int deny_deletes;
  38static int deny_non_fast_forwards;
  39static enum deny_action deny_current_branch = DENY_UNCONFIGURED;
  40static enum deny_action deny_delete_current = DENY_UNCONFIGURED;
  41static int receive_fsck_objects = -1;
  42static int transfer_fsck_objects = -1;
  43static struct strbuf fsck_msg_types = STRBUF_INIT;
  44static int receive_unpack_limit = -1;
  45static int transfer_unpack_limit = -1;
  46static int advertise_atomic_push = 1;
  47static int unpack_limit = 100;
  48static int report_status;
  49static int use_sideband;
  50static int use_atomic;
  51static int quiet;
  52static int prefer_ofs_delta = 1;
  53static int auto_update_server_info;
  54static int auto_gc = 1;
  55static int reject_thin;
  56static int stateless_rpc;
  57static const char *service_dir;
  58static const char *head_name;
  59static void *head_name_to_free;
  60static int sent_capabilities;
  61static int shallow_update;
  62static const char *alt_shallow_file;
  63static struct strbuf push_cert = STRBUF_INIT;
  64static unsigned char push_cert_sha1[20];
  65static struct signature_check sigcheck;
  66static const char *push_cert_nonce;
  67static const char *cert_nonce_seed;
  68
  69static const char *NONCE_UNSOLICITED = "UNSOLICITED";
  70static const char *NONCE_BAD = "BAD";
  71static const char *NONCE_MISSING = "MISSING";
  72static const char *NONCE_OK = "OK";
  73static const char *NONCE_SLOP = "SLOP";
  74static const char *nonce_status;
  75static long nonce_stamp_slop;
  76static unsigned long nonce_stamp_slop_limit;
  77static struct ref_transaction *transaction;
  78
  79static enum deny_action parse_deny_action(const char *var, const char *value)
  80{
  81        if (value) {
  82                if (!strcasecmp(value, "ignore"))
  83                        return DENY_IGNORE;
  84                if (!strcasecmp(value, "warn"))
  85                        return DENY_WARN;
  86                if (!strcasecmp(value, "refuse"))
  87                        return DENY_REFUSE;
  88                if (!strcasecmp(value, "updateinstead"))
  89                        return DENY_UPDATE_INSTEAD;
  90        }
  91        if (git_config_bool(var, value))
  92                return DENY_REFUSE;
  93        return DENY_IGNORE;
  94}
  95
  96static int receive_pack_config(const char *var, const char *value, void *cb)
  97{
  98        int status = parse_hide_refs_config(var, value, "receive");
  99
 100        if (status)
 101                return status;
 102
 103        if (strcmp(var, "receive.denydeletes") == 0) {
 104                deny_deletes = git_config_bool(var, value);
 105                return 0;
 106        }
 107
 108        if (strcmp(var, "receive.denynonfastforwards") == 0) {
 109                deny_non_fast_forwards = git_config_bool(var, value);
 110                return 0;
 111        }
 112
 113        if (strcmp(var, "receive.unpacklimit") == 0) {
 114                receive_unpack_limit = git_config_int(var, value);
 115                return 0;
 116        }
 117
 118        if (strcmp(var, "transfer.unpacklimit") == 0) {
 119                transfer_unpack_limit = git_config_int(var, value);
 120                return 0;
 121        }
 122
 123        if (strcmp(var, "receive.fsck.skiplist") == 0) {
 124                const char *path;
 125
 126                if (git_config_pathname(&path, var, value))
 127                        return 1;
 128                strbuf_addf(&fsck_msg_types, "%cskiplist=%s",
 129                        fsck_msg_types.len ? ',' : '=', path);
 130                free((char *)path);
 131                return 0;
 132        }
 133
 134        if (skip_prefix(var, "receive.fsck.", &var)) {
 135                if (is_valid_msg_type(var, value))
 136                        strbuf_addf(&fsck_msg_types, "%c%s=%s",
 137                                fsck_msg_types.len ? ',' : '=', var, value);
 138                else
 139                        warning("Skipping unknown msg id '%s'", var);
 140                return 0;
 141        }
 142
 143        if (strcmp(var, "receive.fsckobjects") == 0) {
 144                receive_fsck_objects = git_config_bool(var, value);
 145                return 0;
 146        }
 147
 148        if (strcmp(var, "transfer.fsckobjects") == 0) {
 149                transfer_fsck_objects = git_config_bool(var, value);
 150                return 0;
 151        }
 152
 153        if (!strcmp(var, "receive.denycurrentbranch")) {
 154                deny_current_branch = parse_deny_action(var, value);
 155                return 0;
 156        }
 157
 158        if (strcmp(var, "receive.denydeletecurrent") == 0) {
 159                deny_delete_current = parse_deny_action(var, value);
 160                return 0;
 161        }
 162
 163        if (strcmp(var, "repack.usedeltabaseoffset") == 0) {
 164                prefer_ofs_delta = git_config_bool(var, value);
 165                return 0;
 166        }
 167
 168        if (strcmp(var, "receive.updateserverinfo") == 0) {
 169                auto_update_server_info = git_config_bool(var, value);
 170                return 0;
 171        }
 172
 173        if (strcmp(var, "receive.autogc") == 0) {
 174                auto_gc = git_config_bool(var, value);
 175                return 0;
 176        }
 177
 178        if (strcmp(var, "receive.shallowupdate") == 0) {
 179                shallow_update = git_config_bool(var, value);
 180                return 0;
 181        }
 182
 183        if (strcmp(var, "receive.certnonceseed") == 0)
 184                return git_config_string(&cert_nonce_seed, var, value);
 185
 186        if (strcmp(var, "receive.certnonceslop") == 0) {
 187                nonce_stamp_slop_limit = git_config_ulong(var, value);
 188                return 0;
 189        }
 190
 191        if (strcmp(var, "receive.advertiseatomic") == 0) {
 192                advertise_atomic_push = git_config_bool(var, value);
 193                return 0;
 194        }
 195
 196        return git_default_config(var, value, cb);
 197}
 198
 199static void show_ref(const char *path, const unsigned char *sha1)
 200{
 201        if (sent_capabilities) {
 202                packet_write(1, "%s %s\n", sha1_to_hex(sha1), path);
 203        } else {
 204                struct strbuf cap = STRBUF_INIT;
 205
 206                strbuf_addstr(&cap,
 207                              "report-status delete-refs side-band-64k quiet");
 208                if (advertise_atomic_push)
 209                        strbuf_addstr(&cap, " atomic");
 210                if (prefer_ofs_delta)
 211                        strbuf_addstr(&cap, " ofs-delta");
 212                if (push_cert_nonce)
 213                        strbuf_addf(&cap, " push-cert=%s", push_cert_nonce);
 214                strbuf_addf(&cap, " agent=%s", git_user_agent_sanitized());
 215                packet_write(1, "%s %s%c%s\n",
 216                             sha1_to_hex(sha1), path, 0, cap.buf);
 217                strbuf_release(&cap);
 218                sent_capabilities = 1;
 219        }
 220}
 221
 222static int show_ref_cb(const char *path_full, const struct object_id *oid,
 223                       int flag, void *unused)
 224{
 225        const char *path = strip_namespace(path_full);
 226
 227        if (ref_is_hidden(path, path_full))
 228                return 0;
 229
 230        /*
 231         * Advertise refs outside our current namespace as ".have"
 232         * refs, so that the client can use them to minimize data
 233         * transfer but will otherwise ignore them. This happens to
 234         * cover ".have" that are thrown in by add_one_alternate_ref()
 235         * to mark histories that are complete in our alternates as
 236         * well.
 237         */
 238        if (!path)
 239                path = ".have";
 240        show_ref(path, oid->hash);
 241        return 0;
 242}
 243
 244static void show_one_alternate_sha1(const unsigned char sha1[20], void *unused)
 245{
 246        show_ref(".have", sha1);
 247}
 248
 249static void collect_one_alternate_ref(const struct ref *ref, void *data)
 250{
 251        struct sha1_array *sa = data;
 252        sha1_array_append(sa, ref->old_oid.hash);
 253}
 254
 255static void write_head_info(void)
 256{
 257        struct sha1_array sa = SHA1_ARRAY_INIT;
 258
 259        for_each_alternate_ref(collect_one_alternate_ref, &sa);
 260        sha1_array_for_each_unique(&sa, show_one_alternate_sha1, NULL);
 261        sha1_array_clear(&sa);
 262        for_each_ref(show_ref_cb, NULL);
 263        if (!sent_capabilities)
 264                show_ref("capabilities^{}", null_sha1);
 265
 266        advertise_shallow_grafts(1);
 267
 268        /* EOF */
 269        packet_flush(1);
 270}
 271
 272struct command {
 273        struct command *next;
 274        const char *error_string;
 275        unsigned int skip_update:1,
 276                     did_not_exist:1;
 277        int index;
 278        unsigned char old_sha1[20];
 279        unsigned char new_sha1[20];
 280        char ref_name[FLEX_ARRAY]; /* more */
 281};
 282
 283static void rp_error(const char *err, ...) __attribute__((format (printf, 1, 2)));
 284static void rp_warning(const char *err, ...) __attribute__((format (printf, 1, 2)));
 285
 286static void report_message(const char *prefix, const char *err, va_list params)
 287{
 288        int sz;
 289        char msg[4096];
 290
 291        sz = xsnprintf(msg, sizeof(msg), "%s", prefix);
 292        sz += vsnprintf(msg + sz, sizeof(msg) - sz, err, params);
 293        if (sz > (sizeof(msg) - 1))
 294                sz = sizeof(msg) - 1;
 295        msg[sz++] = '\n';
 296
 297        if (use_sideband)
 298                send_sideband(1, 2, msg, sz, use_sideband);
 299        else
 300                xwrite(2, msg, sz);
 301}
 302
 303static void rp_warning(const char *err, ...)
 304{
 305        va_list params;
 306        va_start(params, err);
 307        report_message("warning: ", err, params);
 308        va_end(params);
 309}
 310
 311static void rp_error(const char *err, ...)
 312{
 313        va_list params;
 314        va_start(params, err);
 315        report_message("error: ", err, params);
 316        va_end(params);
 317}
 318
 319static int copy_to_sideband(int in, int out, void *arg)
 320{
 321        char data[128];
 322        while (1) {
 323                ssize_t sz = xread(in, data, sizeof(data));
 324                if (sz <= 0)
 325                        break;
 326                send_sideband(1, 2, data, sz, use_sideband);
 327        }
 328        close(in);
 329        return 0;
 330}
 331
 332#define HMAC_BLOCK_SIZE 64
 333
 334static void hmac_sha1(unsigned char *out,
 335                      const char *key_in, size_t key_len,
 336                      const char *text, size_t text_len)
 337{
 338        unsigned char key[HMAC_BLOCK_SIZE];
 339        unsigned char k_ipad[HMAC_BLOCK_SIZE];
 340        unsigned char k_opad[HMAC_BLOCK_SIZE];
 341        int i;
 342        git_SHA_CTX ctx;
 343
 344        /* RFC 2104 2. (1) */
 345        memset(key, '\0', HMAC_BLOCK_SIZE);
 346        if (HMAC_BLOCK_SIZE < key_len) {
 347                git_SHA1_Init(&ctx);
 348                git_SHA1_Update(&ctx, key_in, key_len);
 349                git_SHA1_Final(key, &ctx);
 350        } else {
 351                memcpy(key, key_in, key_len);
 352        }
 353
 354        /* RFC 2104 2. (2) & (5) */
 355        for (i = 0; i < sizeof(key); i++) {
 356                k_ipad[i] = key[i] ^ 0x36;
 357                k_opad[i] = key[i] ^ 0x5c;
 358        }
 359
 360        /* RFC 2104 2. (3) & (4) */
 361        git_SHA1_Init(&ctx);
 362        git_SHA1_Update(&ctx, k_ipad, sizeof(k_ipad));
 363        git_SHA1_Update(&ctx, text, text_len);
 364        git_SHA1_Final(out, &ctx);
 365
 366        /* RFC 2104 2. (6) & (7) */
 367        git_SHA1_Init(&ctx);
 368        git_SHA1_Update(&ctx, k_opad, sizeof(k_opad));
 369        git_SHA1_Update(&ctx, out, 20);
 370        git_SHA1_Final(out, &ctx);
 371}
 372
 373static char *prepare_push_cert_nonce(const char *path, unsigned long stamp)
 374{
 375        struct strbuf buf = STRBUF_INIT;
 376        unsigned char sha1[20];
 377
 378        strbuf_addf(&buf, "%s:%lu", path, stamp);
 379        hmac_sha1(sha1, buf.buf, buf.len, cert_nonce_seed, strlen(cert_nonce_seed));;
 380        strbuf_release(&buf);
 381
 382        /* RFC 2104 5. HMAC-SHA1-80 */
 383        strbuf_addf(&buf, "%lu-%.*s", stamp, 20, sha1_to_hex(sha1));
 384        return strbuf_detach(&buf, NULL);
 385}
 386
 387/*
 388 * NEEDSWORK: reuse find_commit_header() from jk/commit-author-parsing
 389 * after dropping "_commit" from its name and possibly moving it out
 390 * of commit.c
 391 */
 392static char *find_header(const char *msg, size_t len, const char *key)
 393{
 394        int key_len = strlen(key);
 395        const char *line = msg;
 396
 397        while (line && line < msg + len) {
 398                const char *eol = strchrnul(line, '\n');
 399
 400                if ((msg + len <= eol) || line == eol)
 401                        return NULL;
 402                if (line + key_len < eol &&
 403                    !memcmp(line, key, key_len) && line[key_len] == ' ') {
 404                        int offset = key_len + 1;
 405                        return xmemdupz(line + offset, (eol - line) - offset);
 406                }
 407                line = *eol ? eol + 1 : NULL;
 408        }
 409        return NULL;
 410}
 411
 412static const char *check_nonce(const char *buf, size_t len)
 413{
 414        char *nonce = find_header(buf, len, "nonce");
 415        unsigned long stamp, ostamp;
 416        char *bohmac, *expect = NULL;
 417        const char *retval = NONCE_BAD;
 418
 419        if (!nonce) {
 420                retval = NONCE_MISSING;
 421                goto leave;
 422        } else if (!push_cert_nonce) {
 423                retval = NONCE_UNSOLICITED;
 424                goto leave;
 425        } else if (!strcmp(push_cert_nonce, nonce)) {
 426                retval = NONCE_OK;
 427                goto leave;
 428        }
 429
 430        if (!stateless_rpc) {
 431                /* returned nonce MUST match what we gave out earlier */
 432                retval = NONCE_BAD;
 433                goto leave;
 434        }
 435
 436        /*
 437         * In stateless mode, we may be receiving a nonce issued by
 438         * another instance of the server that serving the same
 439         * repository, and the timestamps may not match, but the
 440         * nonce-seed and dir should match, so we can recompute and
 441         * report the time slop.
 442         *
 443         * In addition, when a nonce issued by another instance has
 444         * timestamp within receive.certnonceslop seconds, we pretend
 445         * as if we issued that nonce when reporting to the hook.
 446         */
 447
 448        /* nonce is concat(<seconds-since-epoch>, "-", <hmac>) */
 449        if (*nonce <= '0' || '9' < *nonce) {
 450                retval = NONCE_BAD;
 451                goto leave;
 452        }
 453        stamp = strtoul(nonce, &bohmac, 10);
 454        if (bohmac == nonce || bohmac[0] != '-') {
 455                retval = NONCE_BAD;
 456                goto leave;
 457        }
 458
 459        expect = prepare_push_cert_nonce(service_dir, stamp);
 460        if (strcmp(expect, nonce)) {
 461                /* Not what we would have signed earlier */
 462                retval = NONCE_BAD;
 463                goto leave;
 464        }
 465
 466        /*
 467         * By how many seconds is this nonce stale?  Negative value
 468         * would mean it was issued by another server with its clock
 469         * skewed in the future.
 470         */
 471        ostamp = strtoul(push_cert_nonce, NULL, 10);
 472        nonce_stamp_slop = (long)ostamp - (long)stamp;
 473
 474        if (nonce_stamp_slop_limit &&
 475            labs(nonce_stamp_slop) <= nonce_stamp_slop_limit) {
 476                /*
 477                 * Pretend as if the received nonce (which passes the
 478                 * HMAC check, so it is not a forged by third-party)
 479                 * is what we issued.
 480                 */
 481                free((void *)push_cert_nonce);
 482                push_cert_nonce = xstrdup(nonce);
 483                retval = NONCE_OK;
 484        } else {
 485                retval = NONCE_SLOP;
 486        }
 487
 488leave:
 489        free(nonce);
 490        free(expect);
 491        return retval;
 492}
 493
 494static void prepare_push_cert_sha1(struct child_process *proc)
 495{
 496        static int already_done;
 497
 498        if (!push_cert.len)
 499                return;
 500
 501        if (!already_done) {
 502                struct strbuf gpg_output = STRBUF_INIT;
 503                struct strbuf gpg_status = STRBUF_INIT;
 504                int bogs /* beginning_of_gpg_sig */;
 505
 506                already_done = 1;
 507                if (write_sha1_file(push_cert.buf, push_cert.len, "blob", push_cert_sha1))
 508                        hashclr(push_cert_sha1);
 509
 510                memset(&sigcheck, '\0', sizeof(sigcheck));
 511                sigcheck.result = 'N';
 512
 513                bogs = parse_signature(push_cert.buf, push_cert.len);
 514                if (verify_signed_buffer(push_cert.buf, bogs,
 515                                         push_cert.buf + bogs, push_cert.len - bogs,
 516                                         &gpg_output, &gpg_status) < 0) {
 517                        ; /* error running gpg */
 518                } else {
 519                        sigcheck.payload = push_cert.buf;
 520                        sigcheck.gpg_output = gpg_output.buf;
 521                        sigcheck.gpg_status = gpg_status.buf;
 522                        parse_gpg_output(&sigcheck);
 523                }
 524
 525                strbuf_release(&gpg_output);
 526                strbuf_release(&gpg_status);
 527                nonce_status = check_nonce(push_cert.buf, bogs);
 528        }
 529        if (!is_null_sha1(push_cert_sha1)) {
 530                argv_array_pushf(&proc->env_array, "GIT_PUSH_CERT=%s",
 531                                 sha1_to_hex(push_cert_sha1));
 532                argv_array_pushf(&proc->env_array, "GIT_PUSH_CERT_SIGNER=%s",
 533                                 sigcheck.signer ? sigcheck.signer : "");
 534                argv_array_pushf(&proc->env_array, "GIT_PUSH_CERT_KEY=%s",
 535                                 sigcheck.key ? sigcheck.key : "");
 536                argv_array_pushf(&proc->env_array, "GIT_PUSH_CERT_STATUS=%c",
 537                                 sigcheck.result);
 538                if (push_cert_nonce) {
 539                        argv_array_pushf(&proc->env_array,
 540                                         "GIT_PUSH_CERT_NONCE=%s",
 541                                         push_cert_nonce);
 542                        argv_array_pushf(&proc->env_array,
 543                                         "GIT_PUSH_CERT_NONCE_STATUS=%s",
 544                                         nonce_status);
 545                        if (nonce_status == NONCE_SLOP)
 546                                argv_array_pushf(&proc->env_array,
 547                                                 "GIT_PUSH_CERT_NONCE_SLOP=%ld",
 548                                                 nonce_stamp_slop);
 549                }
 550        }
 551}
 552
 553typedef int (*feed_fn)(void *, const char **, size_t *);
 554static int run_and_feed_hook(const char *hook_name, feed_fn feed, void *feed_state)
 555{
 556        struct child_process proc = CHILD_PROCESS_INIT;
 557        struct async muxer;
 558        const char *argv[2];
 559        int code;
 560
 561        argv[0] = find_hook(hook_name);
 562        if (!argv[0])
 563                return 0;
 564
 565        argv[1] = NULL;
 566
 567        proc.argv = argv;
 568        proc.in = -1;
 569        proc.stdout_to_stderr = 1;
 570
 571        if (use_sideband) {
 572                memset(&muxer, 0, sizeof(muxer));
 573                muxer.proc = copy_to_sideband;
 574                muxer.in = -1;
 575                code = start_async(&muxer);
 576                if (code)
 577                        return code;
 578                proc.err = muxer.in;
 579        }
 580
 581        prepare_push_cert_sha1(&proc);
 582
 583        code = start_command(&proc);
 584        if (code) {
 585                if (use_sideband)
 586                        finish_async(&muxer);
 587                return code;
 588        }
 589
 590        sigchain_push(SIGPIPE, SIG_IGN);
 591
 592        while (1) {
 593                const char *buf;
 594                size_t n;
 595                if (feed(feed_state, &buf, &n))
 596                        break;
 597                if (write_in_full(proc.in, buf, n) != n)
 598                        break;
 599        }
 600        close(proc.in);
 601        if (use_sideband)
 602                finish_async(&muxer);
 603
 604        sigchain_pop(SIGPIPE);
 605
 606        return finish_command(&proc);
 607}
 608
 609struct receive_hook_feed_state {
 610        struct command *cmd;
 611        int skip_broken;
 612        struct strbuf buf;
 613};
 614
 615static int feed_receive_hook(void *state_, const char **bufp, size_t *sizep)
 616{
 617        struct receive_hook_feed_state *state = state_;
 618        struct command *cmd = state->cmd;
 619
 620        while (cmd &&
 621               state->skip_broken && (cmd->error_string || cmd->did_not_exist))
 622                cmd = cmd->next;
 623        if (!cmd)
 624                return -1; /* EOF */
 625        strbuf_reset(&state->buf);
 626        strbuf_addf(&state->buf, "%s %s %s\n",
 627                    sha1_to_hex(cmd->old_sha1), sha1_to_hex(cmd->new_sha1),
 628                    cmd->ref_name);
 629        state->cmd = cmd->next;
 630        if (bufp) {
 631                *bufp = state->buf.buf;
 632                *sizep = state->buf.len;
 633        }
 634        return 0;
 635}
 636
 637static int run_receive_hook(struct command *commands, const char *hook_name,
 638                            int skip_broken)
 639{
 640        struct receive_hook_feed_state state;
 641        int status;
 642
 643        strbuf_init(&state.buf, 0);
 644        state.cmd = commands;
 645        state.skip_broken = skip_broken;
 646        if (feed_receive_hook(&state, NULL, NULL))
 647                return 0;
 648        state.cmd = commands;
 649        status = run_and_feed_hook(hook_name, feed_receive_hook, &state);
 650        strbuf_release(&state.buf);
 651        return status;
 652}
 653
 654static int run_update_hook(struct command *cmd)
 655{
 656        const char *argv[5];
 657        struct child_process proc = CHILD_PROCESS_INIT;
 658        int code;
 659
 660        argv[0] = find_hook("update");
 661        if (!argv[0])
 662                return 0;
 663
 664        argv[1] = cmd->ref_name;
 665        argv[2] = sha1_to_hex(cmd->old_sha1);
 666        argv[3] = sha1_to_hex(cmd->new_sha1);
 667        argv[4] = NULL;
 668
 669        proc.no_stdin = 1;
 670        proc.stdout_to_stderr = 1;
 671        proc.err = use_sideband ? -1 : 0;
 672        proc.argv = argv;
 673
 674        code = start_command(&proc);
 675        if (code)
 676                return code;
 677        if (use_sideband)
 678                copy_to_sideband(proc.err, -1, NULL);
 679        return finish_command(&proc);
 680}
 681
 682static int is_ref_checked_out(const char *ref)
 683{
 684        if (is_bare_repository())
 685                return 0;
 686
 687        if (!head_name)
 688                return 0;
 689        return !strcmp(head_name, ref);
 690}
 691
 692static char *refuse_unconfigured_deny_msg[] = {
 693        "By default, updating the current branch in a non-bare repository",
 694        "is denied, because it will make the index and work tree inconsistent",
 695        "with what you pushed, and will require 'git reset --hard' to match",
 696        "the work tree to HEAD.",
 697        "",
 698        "You can set 'receive.denyCurrentBranch' configuration variable to",
 699        "'ignore' or 'warn' in the remote repository to allow pushing into",
 700        "its current branch; however, this is not recommended unless you",
 701        "arranged to update its work tree to match what you pushed in some",
 702        "other way.",
 703        "",
 704        "To squelch this message and still keep the default behaviour, set",
 705        "'receive.denyCurrentBranch' configuration variable to 'refuse'."
 706};
 707
 708static void refuse_unconfigured_deny(void)
 709{
 710        int i;
 711        for (i = 0; i < ARRAY_SIZE(refuse_unconfigured_deny_msg); i++)
 712                rp_error("%s", refuse_unconfigured_deny_msg[i]);
 713}
 714
 715static char *refuse_unconfigured_deny_delete_current_msg[] = {
 716        "By default, deleting the current branch is denied, because the next",
 717        "'git clone' won't result in any file checked out, causing confusion.",
 718        "",
 719        "You can set 'receive.denyDeleteCurrent' configuration variable to",
 720        "'warn' or 'ignore' in the remote repository to allow deleting the",
 721        "current branch, with or without a warning message.",
 722        "",
 723        "To squelch this message, you can set it to 'refuse'."
 724};
 725
 726static void refuse_unconfigured_deny_delete_current(void)
 727{
 728        int i;
 729        for (i = 0;
 730             i < ARRAY_SIZE(refuse_unconfigured_deny_delete_current_msg);
 731             i++)
 732                rp_error("%s", refuse_unconfigured_deny_delete_current_msg[i]);
 733}
 734
 735static int command_singleton_iterator(void *cb_data, unsigned char sha1[20]);
 736static int update_shallow_ref(struct command *cmd, struct shallow_info *si)
 737{
 738        static struct lock_file shallow_lock;
 739        struct sha1_array extra = SHA1_ARRAY_INIT;
 740        const char *alt_file;
 741        uint32_t mask = 1 << (cmd->index % 32);
 742        int i;
 743
 744        trace_printf_key(&trace_shallow,
 745                         "shallow: update_shallow_ref %s\n", cmd->ref_name);
 746        for (i = 0; i < si->shallow->nr; i++)
 747                if (si->used_shallow[i] &&
 748                    (si->used_shallow[i][cmd->index / 32] & mask) &&
 749                    !delayed_reachability_test(si, i))
 750                        sha1_array_append(&extra, si->shallow->sha1[i]);
 751
 752        setup_alternate_shallow(&shallow_lock, &alt_file, &extra);
 753        if (check_shallow_connected(command_singleton_iterator,
 754                                    0, cmd, alt_file)) {
 755                rollback_lock_file(&shallow_lock);
 756                sha1_array_clear(&extra);
 757                return -1;
 758        }
 759
 760        commit_lock_file(&shallow_lock);
 761
 762        /*
 763         * Make sure setup_alternate_shallow() for the next ref does
 764         * not lose these new roots..
 765         */
 766        for (i = 0; i < extra.nr; i++)
 767                register_shallow(extra.sha1[i]);
 768
 769        si->shallow_ref[cmd->index] = 0;
 770        sha1_array_clear(&extra);
 771        return 0;
 772}
 773
 774/*
 775 * NEEDSWORK: we should consolidate various implementions of "are we
 776 * on an unborn branch?" test into one, and make the unified one more
 777 * robust. !get_sha1() based check used here and elsewhere would not
 778 * allow us to tell an unborn branch from corrupt ref, for example.
 779 * For the purpose of fixing "deploy-to-update does not work when
 780 * pushing into an empty repository" issue, this should suffice for
 781 * now.
 782 */
 783static int head_has_history(void)
 784{
 785        unsigned char sha1[20];
 786
 787        return !get_sha1("HEAD", sha1);
 788}
 789
 790static const char *push_to_deploy(unsigned char *sha1,
 791                                  struct argv_array *env,
 792                                  const char *work_tree)
 793{
 794        const char *update_refresh[] = {
 795                "update-index", "-q", "--ignore-submodules", "--refresh", NULL
 796        };
 797        const char *diff_files[] = {
 798                "diff-files", "--quiet", "--ignore-submodules", "--", NULL
 799        };
 800        const char *diff_index[] = {
 801                "diff-index", "--quiet", "--cached", "--ignore-submodules",
 802                NULL, "--", NULL
 803        };
 804        const char *read_tree[] = {
 805                "read-tree", "-u", "-m", NULL, NULL
 806        };
 807        struct child_process child = CHILD_PROCESS_INIT;
 808
 809        child.argv = update_refresh;
 810        child.env = env->argv;
 811        child.dir = work_tree;
 812        child.no_stdin = 1;
 813        child.stdout_to_stderr = 1;
 814        child.git_cmd = 1;
 815        if (run_command(&child))
 816                return "Up-to-date check failed";
 817
 818        /* run_command() does not clean up completely; reinitialize */
 819        child_process_init(&child);
 820        child.argv = diff_files;
 821        child.env = env->argv;
 822        child.dir = work_tree;
 823        child.no_stdin = 1;
 824        child.stdout_to_stderr = 1;
 825        child.git_cmd = 1;
 826        if (run_command(&child))
 827                return "Working directory has unstaged changes";
 828
 829        /* diff-index with either HEAD or an empty tree */
 830        diff_index[4] = head_has_history() ? "HEAD" : EMPTY_TREE_SHA1_HEX;
 831
 832        child_process_init(&child);
 833        child.argv = diff_index;
 834        child.env = env->argv;
 835        child.no_stdin = 1;
 836        child.no_stdout = 1;
 837        child.stdout_to_stderr = 0;
 838        child.git_cmd = 1;
 839        if (run_command(&child))
 840                return "Working directory has staged changes";
 841
 842        read_tree[3] = sha1_to_hex(sha1);
 843        child_process_init(&child);
 844        child.argv = read_tree;
 845        child.env = env->argv;
 846        child.dir = work_tree;
 847        child.no_stdin = 1;
 848        child.no_stdout = 1;
 849        child.stdout_to_stderr = 0;
 850        child.git_cmd = 1;
 851        if (run_command(&child))
 852                return "Could not update working tree to new HEAD";
 853
 854        return NULL;
 855}
 856
 857static const char *push_to_checkout_hook = "push-to-checkout";
 858
 859static const char *push_to_checkout(unsigned char *sha1,
 860                                    struct argv_array *env,
 861                                    const char *work_tree)
 862{
 863        argv_array_pushf(env, "GIT_WORK_TREE=%s", absolute_path(work_tree));
 864        if (run_hook_le(env->argv, push_to_checkout_hook,
 865                        sha1_to_hex(sha1), NULL))
 866                return "push-to-checkout hook declined";
 867        else
 868                return NULL;
 869}
 870
 871static const char *update_worktree(unsigned char *sha1)
 872{
 873        const char *retval;
 874        const char *work_tree = git_work_tree_cfg ? git_work_tree_cfg : "..";
 875        struct argv_array env = ARGV_ARRAY_INIT;
 876
 877        if (is_bare_repository())
 878                return "denyCurrentBranch = updateInstead needs a worktree";
 879
 880        argv_array_pushf(&env, "GIT_DIR=%s", absolute_path(get_git_dir()));
 881
 882        if (!find_hook(push_to_checkout_hook))
 883                retval = push_to_deploy(sha1, &env, work_tree);
 884        else
 885                retval = push_to_checkout(sha1, &env, work_tree);
 886
 887        argv_array_clear(&env);
 888        return retval;
 889}
 890
 891static const char *update(struct command *cmd, struct shallow_info *si)
 892{
 893        const char *name = cmd->ref_name;
 894        struct strbuf namespaced_name_buf = STRBUF_INIT;
 895        const char *namespaced_name, *ret;
 896        unsigned char *old_sha1 = cmd->old_sha1;
 897        unsigned char *new_sha1 = cmd->new_sha1;
 898
 899        /* only refs/... are allowed */
 900        if (!starts_with(name, "refs/") || check_refname_format(name + 5, 0)) {
 901                rp_error("refusing to create funny ref '%s' remotely", name);
 902                return "funny refname";
 903        }
 904
 905        strbuf_addf(&namespaced_name_buf, "%s%s", get_git_namespace(), name);
 906        namespaced_name = strbuf_detach(&namespaced_name_buf, NULL);
 907
 908        if (is_ref_checked_out(namespaced_name)) {
 909                switch (deny_current_branch) {
 910                case DENY_IGNORE:
 911                        break;
 912                case DENY_WARN:
 913                        rp_warning("updating the current branch");
 914                        break;
 915                case DENY_REFUSE:
 916                case DENY_UNCONFIGURED:
 917                        rp_error("refusing to update checked out branch: %s", name);
 918                        if (deny_current_branch == DENY_UNCONFIGURED)
 919                                refuse_unconfigured_deny();
 920                        return "branch is currently checked out";
 921                case DENY_UPDATE_INSTEAD:
 922                        ret = update_worktree(new_sha1);
 923                        if (ret)
 924                                return ret;
 925                        break;
 926                }
 927        }
 928
 929        if (!is_null_sha1(new_sha1) && !has_sha1_file(new_sha1)) {
 930                error("unpack should have generated %s, "
 931                      "but I can't find it!", sha1_to_hex(new_sha1));
 932                return "bad pack";
 933        }
 934
 935        if (!is_null_sha1(old_sha1) && is_null_sha1(new_sha1)) {
 936                if (deny_deletes && starts_with(name, "refs/heads/")) {
 937                        rp_error("denying ref deletion for %s", name);
 938                        return "deletion prohibited";
 939                }
 940
 941                if (head_name && !strcmp(namespaced_name, head_name)) {
 942                        switch (deny_delete_current) {
 943                        case DENY_IGNORE:
 944                                break;
 945                        case DENY_WARN:
 946                                rp_warning("deleting the current branch");
 947                                break;
 948                        case DENY_REFUSE:
 949                        case DENY_UNCONFIGURED:
 950                        case DENY_UPDATE_INSTEAD:
 951                                if (deny_delete_current == DENY_UNCONFIGURED)
 952                                        refuse_unconfigured_deny_delete_current();
 953                                rp_error("refusing to delete the current branch: %s", name);
 954                                return "deletion of the current branch prohibited";
 955                        default:
 956                                return "Invalid denyDeleteCurrent setting";
 957                        }
 958                }
 959        }
 960
 961        if (deny_non_fast_forwards && !is_null_sha1(new_sha1) &&
 962            !is_null_sha1(old_sha1) &&
 963            starts_with(name, "refs/heads/")) {
 964                struct object *old_object, *new_object;
 965                struct commit *old_commit, *new_commit;
 966
 967                old_object = parse_object(old_sha1);
 968                new_object = parse_object(new_sha1);
 969
 970                if (!old_object || !new_object ||
 971                    old_object->type != OBJ_COMMIT ||
 972                    new_object->type != OBJ_COMMIT) {
 973                        error("bad sha1 objects for %s", name);
 974                        return "bad ref";
 975                }
 976                old_commit = (struct commit *)old_object;
 977                new_commit = (struct commit *)new_object;
 978                if (!in_merge_bases(old_commit, new_commit)) {
 979                        rp_error("denying non-fast-forward %s"
 980                                 " (you should pull first)", name);
 981                        return "non-fast-forward";
 982                }
 983        }
 984        if (run_update_hook(cmd)) {
 985                rp_error("hook declined to update %s", name);
 986                return "hook declined";
 987        }
 988
 989        if (is_null_sha1(new_sha1)) {
 990                struct strbuf err = STRBUF_INIT;
 991                if (!parse_object(old_sha1)) {
 992                        old_sha1 = NULL;
 993                        if (ref_exists(name)) {
 994                                rp_warning("Allowing deletion of corrupt ref.");
 995                        } else {
 996                                rp_warning("Deleting a non-existent ref.");
 997                                cmd->did_not_exist = 1;
 998                        }
 999                }
1000                if (ref_transaction_delete(transaction,
1001                                           namespaced_name,
1002                                           old_sha1,
1003                                           0, "push", &err)) {
1004                        rp_error("%s", err.buf);
1005                        strbuf_release(&err);
1006                        return "failed to delete";
1007                }
1008                strbuf_release(&err);
1009                return NULL; /* good */
1010        }
1011        else {
1012                struct strbuf err = STRBUF_INIT;
1013                if (shallow_update && si->shallow_ref[cmd->index] &&
1014                    update_shallow_ref(cmd, si))
1015                        return "shallow error";
1016
1017                if (ref_transaction_update(transaction,
1018                                           namespaced_name,
1019                                           new_sha1, old_sha1,
1020                                           0, "push",
1021                                           &err)) {
1022                        rp_error("%s", err.buf);
1023                        strbuf_release(&err);
1024
1025                        return "failed to update ref";
1026                }
1027                strbuf_release(&err);
1028
1029                return NULL; /* good */
1030        }
1031}
1032
1033static void run_update_post_hook(struct command *commands)
1034{
1035        struct command *cmd;
1036        int argc;
1037        struct child_process proc = CHILD_PROCESS_INIT;
1038        const char *hook;
1039
1040        hook = find_hook("post-update");
1041        for (argc = 0, cmd = commands; cmd; cmd = cmd->next) {
1042                if (cmd->error_string || cmd->did_not_exist)
1043                        continue;
1044                argc++;
1045        }
1046        if (!argc || !hook)
1047                return;
1048
1049        argv_array_push(&proc.args, hook);
1050        for (cmd = commands; cmd; cmd = cmd->next) {
1051                if (cmd->error_string || cmd->did_not_exist)
1052                        continue;
1053                argv_array_push(&proc.args, cmd->ref_name);
1054        }
1055
1056        proc.no_stdin = 1;
1057        proc.stdout_to_stderr = 1;
1058        proc.err = use_sideband ? -1 : 0;
1059
1060        if (!start_command(&proc)) {
1061                if (use_sideband)
1062                        copy_to_sideband(proc.err, -1, NULL);
1063                finish_command(&proc);
1064        }
1065}
1066
1067static void check_aliased_update(struct command *cmd, struct string_list *list)
1068{
1069        struct strbuf buf = STRBUF_INIT;
1070        const char *dst_name;
1071        struct string_list_item *item;
1072        struct command *dst_cmd;
1073        unsigned char sha1[GIT_SHA1_RAWSZ];
1074        char cmd_oldh[GIT_SHA1_HEXSZ + 1],
1075             cmd_newh[GIT_SHA1_HEXSZ + 1],
1076             dst_oldh[GIT_SHA1_HEXSZ + 1],
1077             dst_newh[GIT_SHA1_HEXSZ + 1];
1078        int flag;
1079
1080        strbuf_addf(&buf, "%s%s", get_git_namespace(), cmd->ref_name);
1081        dst_name = resolve_ref_unsafe(buf.buf, 0, sha1, &flag);
1082        strbuf_release(&buf);
1083
1084        if (!(flag & REF_ISSYMREF))
1085                return;
1086
1087        if (!dst_name) {
1088                rp_error("refusing update to broken symref '%s'", cmd->ref_name);
1089                cmd->skip_update = 1;
1090                cmd->error_string = "broken symref";
1091                return;
1092        }
1093        dst_name = strip_namespace(dst_name);
1094
1095        if ((item = string_list_lookup(list, dst_name)) == NULL)
1096                return;
1097
1098        cmd->skip_update = 1;
1099
1100        dst_cmd = (struct command *) item->util;
1101
1102        if (!hashcmp(cmd->old_sha1, dst_cmd->old_sha1) &&
1103            !hashcmp(cmd->new_sha1, dst_cmd->new_sha1))
1104                return;
1105
1106        dst_cmd->skip_update = 1;
1107
1108        find_unique_abbrev_r(cmd_oldh, cmd->old_sha1, DEFAULT_ABBREV);
1109        find_unique_abbrev_r(cmd_newh, cmd->new_sha1, DEFAULT_ABBREV);
1110        find_unique_abbrev_r(dst_oldh, dst_cmd->old_sha1, DEFAULT_ABBREV);
1111        find_unique_abbrev_r(dst_newh, dst_cmd->new_sha1, DEFAULT_ABBREV);
1112        rp_error("refusing inconsistent update between symref '%s' (%s..%s) and"
1113                 " its target '%s' (%s..%s)",
1114                 cmd->ref_name, cmd_oldh, cmd_newh,
1115                 dst_cmd->ref_name, dst_oldh, dst_newh);
1116
1117        cmd->error_string = dst_cmd->error_string =
1118                "inconsistent aliased update";
1119}
1120
1121static void check_aliased_updates(struct command *commands)
1122{
1123        struct command *cmd;
1124        struct string_list ref_list = STRING_LIST_INIT_NODUP;
1125
1126        for (cmd = commands; cmd; cmd = cmd->next) {
1127                struct string_list_item *item =
1128                        string_list_append(&ref_list, cmd->ref_name);
1129                item->util = (void *)cmd;
1130        }
1131        string_list_sort(&ref_list);
1132
1133        for (cmd = commands; cmd; cmd = cmd->next) {
1134                if (!cmd->error_string)
1135                        check_aliased_update(cmd, &ref_list);
1136        }
1137
1138        string_list_clear(&ref_list, 0);
1139}
1140
1141static int command_singleton_iterator(void *cb_data, unsigned char sha1[20])
1142{
1143        struct command **cmd_list = cb_data;
1144        struct command *cmd = *cmd_list;
1145
1146        if (!cmd || is_null_sha1(cmd->new_sha1))
1147                return -1; /* end of list */
1148        *cmd_list = NULL; /* this returns only one */
1149        hashcpy(sha1, cmd->new_sha1);
1150        return 0;
1151}
1152
1153static void set_connectivity_errors(struct command *commands,
1154                                    struct shallow_info *si)
1155{
1156        struct command *cmd;
1157
1158        for (cmd = commands; cmd; cmd = cmd->next) {
1159                struct command *singleton = cmd;
1160                if (shallow_update && si->shallow_ref[cmd->index])
1161                        /* to be checked in update_shallow_ref() */
1162                        continue;
1163                if (!check_everything_connected(command_singleton_iterator,
1164                                                0, &singleton))
1165                        continue;
1166                cmd->error_string = "missing necessary objects";
1167        }
1168}
1169
1170struct iterate_data {
1171        struct command *cmds;
1172        struct shallow_info *si;
1173};
1174
1175static int iterate_receive_command_list(void *cb_data, unsigned char sha1[20])
1176{
1177        struct iterate_data *data = cb_data;
1178        struct command **cmd_list = &data->cmds;
1179        struct command *cmd = *cmd_list;
1180
1181        for (; cmd; cmd = cmd->next) {
1182                if (shallow_update && data->si->shallow_ref[cmd->index])
1183                        /* to be checked in update_shallow_ref() */
1184                        continue;
1185                if (!is_null_sha1(cmd->new_sha1) && !cmd->skip_update) {
1186                        hashcpy(sha1, cmd->new_sha1);
1187                        *cmd_list = cmd->next;
1188                        return 0;
1189                }
1190        }
1191        *cmd_list = NULL;
1192        return -1; /* end of list */
1193}
1194
1195static void reject_updates_to_hidden(struct command *commands)
1196{
1197        struct strbuf refname_full = STRBUF_INIT;
1198        size_t prefix_len;
1199        struct command *cmd;
1200
1201        strbuf_addstr(&refname_full, get_git_namespace());
1202        prefix_len = refname_full.len;
1203
1204        for (cmd = commands; cmd; cmd = cmd->next) {
1205                if (cmd->error_string)
1206                        continue;
1207
1208                strbuf_setlen(&refname_full, prefix_len);
1209                strbuf_addstr(&refname_full, cmd->ref_name);
1210
1211                if (!ref_is_hidden(cmd->ref_name, refname_full.buf))
1212                        continue;
1213                if (is_null_sha1(cmd->new_sha1))
1214                        cmd->error_string = "deny deleting a hidden ref";
1215                else
1216                        cmd->error_string = "deny updating a hidden ref";
1217        }
1218
1219        strbuf_release(&refname_full);
1220}
1221
1222static int should_process_cmd(struct command *cmd)
1223{
1224        return !cmd->error_string && !cmd->skip_update;
1225}
1226
1227static void warn_if_skipped_connectivity_check(struct command *commands,
1228                                               struct shallow_info *si)
1229{
1230        struct command *cmd;
1231        int checked_connectivity = 1;
1232
1233        for (cmd = commands; cmd; cmd = cmd->next) {
1234                if (should_process_cmd(cmd) && si->shallow_ref[cmd->index]) {
1235                        error("BUG: connectivity check has not been run on ref %s",
1236                              cmd->ref_name);
1237                        checked_connectivity = 0;
1238                }
1239        }
1240        if (!checked_connectivity)
1241                die("BUG: connectivity check skipped???");
1242}
1243
1244static void execute_commands_non_atomic(struct command *commands,
1245                                        struct shallow_info *si)
1246{
1247        struct command *cmd;
1248        struct strbuf err = STRBUF_INIT;
1249
1250        for (cmd = commands; cmd; cmd = cmd->next) {
1251                if (!should_process_cmd(cmd))
1252                        continue;
1253
1254                transaction = ref_transaction_begin(&err);
1255                if (!transaction) {
1256                        rp_error("%s", err.buf);
1257                        strbuf_reset(&err);
1258                        cmd->error_string = "transaction failed to start";
1259                        continue;
1260                }
1261
1262                cmd->error_string = update(cmd, si);
1263
1264                if (!cmd->error_string
1265                    && ref_transaction_commit(transaction, &err)) {
1266                        rp_error("%s", err.buf);
1267                        strbuf_reset(&err);
1268                        cmd->error_string = "failed to update ref";
1269                }
1270                ref_transaction_free(transaction);
1271        }
1272        strbuf_release(&err);
1273}
1274
1275static void execute_commands_atomic(struct command *commands,
1276                                        struct shallow_info *si)
1277{
1278        struct command *cmd;
1279        struct strbuf err = STRBUF_INIT;
1280        const char *reported_error = "atomic push failure";
1281
1282        transaction = ref_transaction_begin(&err);
1283        if (!transaction) {
1284                rp_error("%s", err.buf);
1285                strbuf_reset(&err);
1286                reported_error = "transaction failed to start";
1287                goto failure;
1288        }
1289
1290        for (cmd = commands; cmd; cmd = cmd->next) {
1291                if (!should_process_cmd(cmd))
1292                        continue;
1293
1294                cmd->error_string = update(cmd, si);
1295
1296                if (cmd->error_string)
1297                        goto failure;
1298        }
1299
1300        if (ref_transaction_commit(transaction, &err)) {
1301                rp_error("%s", err.buf);
1302                reported_error = "atomic transaction failed";
1303                goto failure;
1304        }
1305        goto cleanup;
1306
1307failure:
1308        for (cmd = commands; cmd; cmd = cmd->next)
1309                if (!cmd->error_string)
1310                        cmd->error_string = reported_error;
1311
1312cleanup:
1313        ref_transaction_free(transaction);
1314        strbuf_release(&err);
1315}
1316
1317static void execute_commands(struct command *commands,
1318                             const char *unpacker_error,
1319                             struct shallow_info *si)
1320{
1321        struct command *cmd;
1322        unsigned char sha1[20];
1323        struct iterate_data data;
1324
1325        if (unpacker_error) {
1326                for (cmd = commands; cmd; cmd = cmd->next)
1327                        cmd->error_string = "unpacker error";
1328                return;
1329        }
1330
1331        data.cmds = commands;
1332        data.si = si;
1333        if (check_everything_connected(iterate_receive_command_list, 0, &data))
1334                set_connectivity_errors(commands, si);
1335
1336        reject_updates_to_hidden(commands);
1337
1338        if (run_receive_hook(commands, "pre-receive", 0)) {
1339                for (cmd = commands; cmd; cmd = cmd->next) {
1340                        if (!cmd->error_string)
1341                                cmd->error_string = "pre-receive hook declined";
1342                }
1343                return;
1344        }
1345
1346        check_aliased_updates(commands);
1347
1348        free(head_name_to_free);
1349        head_name = head_name_to_free = resolve_refdup("HEAD", 0, sha1, NULL);
1350
1351        if (use_atomic)
1352                execute_commands_atomic(commands, si);
1353        else
1354                execute_commands_non_atomic(commands, si);
1355
1356        if (shallow_update)
1357                warn_if_skipped_connectivity_check(commands, si);
1358}
1359
1360static struct command **queue_command(struct command **tail,
1361                                      const char *line,
1362                                      int linelen)
1363{
1364        unsigned char old_sha1[20], new_sha1[20];
1365        struct command *cmd;
1366        const char *refname;
1367        int reflen;
1368
1369        if (linelen < 83 ||
1370            line[40] != ' ' ||
1371            line[81] != ' ' ||
1372            get_sha1_hex(line, old_sha1) ||
1373            get_sha1_hex(line + 41, new_sha1))
1374                die("protocol error: expected old/new/ref, got '%s'", line);
1375
1376        refname = line + 82;
1377        reflen = linelen - 82;
1378        FLEX_ALLOC_MEM(cmd, ref_name, refname, reflen);
1379        hashcpy(cmd->old_sha1, old_sha1);
1380        hashcpy(cmd->new_sha1, new_sha1);
1381        *tail = cmd;
1382        return &cmd->next;
1383}
1384
1385static void queue_commands_from_cert(struct command **tail,
1386                                     struct strbuf *push_cert)
1387{
1388        const char *boc, *eoc;
1389
1390        if (*tail)
1391                die("protocol error: got both push certificate and unsigned commands");
1392
1393        boc = strstr(push_cert->buf, "\n\n");
1394        if (!boc)
1395                die("malformed push certificate %.*s", 100, push_cert->buf);
1396        else
1397                boc += 2;
1398        eoc = push_cert->buf + parse_signature(push_cert->buf, push_cert->len);
1399
1400        while (boc < eoc) {
1401                const char *eol = memchr(boc, '\n', eoc - boc);
1402                tail = queue_command(tail, boc, eol ? eol - boc : eoc - eol);
1403                boc = eol ? eol + 1 : eoc;
1404        }
1405}
1406
1407static struct command *read_head_info(struct sha1_array *shallow)
1408{
1409        struct command *commands = NULL;
1410        struct command **p = &commands;
1411        for (;;) {
1412                char *line;
1413                int len, linelen;
1414
1415                line = packet_read_line(0, &len);
1416                if (!line)
1417                        break;
1418
1419                if (len == 48 && starts_with(line, "shallow ")) {
1420                        unsigned char sha1[20];
1421                        if (get_sha1_hex(line + 8, sha1))
1422                                die("protocol error: expected shallow sha, got '%s'",
1423                                    line + 8);
1424                        sha1_array_append(shallow, sha1);
1425                        continue;
1426                }
1427
1428                linelen = strlen(line);
1429                if (linelen < len) {
1430                        const char *feature_list = line + linelen + 1;
1431                        if (parse_feature_request(feature_list, "report-status"))
1432                                report_status = 1;
1433                        if (parse_feature_request(feature_list, "side-band-64k"))
1434                                use_sideband = LARGE_PACKET_MAX;
1435                        if (parse_feature_request(feature_list, "quiet"))
1436                                quiet = 1;
1437                        if (advertise_atomic_push
1438                            && parse_feature_request(feature_list, "atomic"))
1439                                use_atomic = 1;
1440                }
1441
1442                if (!strcmp(line, "push-cert")) {
1443                        int true_flush = 0;
1444                        char certbuf[1024];
1445
1446                        for (;;) {
1447                                len = packet_read(0, NULL, NULL,
1448                                                  certbuf, sizeof(certbuf), 0);
1449                                if (!len) {
1450                                        true_flush = 1;
1451                                        break;
1452                                }
1453                                if (!strcmp(certbuf, "push-cert-end\n"))
1454                                        break; /* end of cert */
1455                                strbuf_addstr(&push_cert, certbuf);
1456                        }
1457
1458                        if (true_flush)
1459                                break;
1460                        continue;
1461                }
1462
1463                p = queue_command(p, line, linelen);
1464        }
1465
1466        if (push_cert.len)
1467                queue_commands_from_cert(p, &push_cert);
1468
1469        return commands;
1470}
1471
1472static const char *parse_pack_header(struct pack_header *hdr)
1473{
1474        switch (read_pack_header(0, hdr)) {
1475        case PH_ERROR_EOF:
1476                return "eof before pack header was fully read";
1477
1478        case PH_ERROR_PACK_SIGNATURE:
1479                return "protocol error (pack signature mismatch detected)";
1480
1481        case PH_ERROR_PROTOCOL:
1482                return "protocol error (pack version unsupported)";
1483
1484        default:
1485                return "unknown error in parse_pack_header";
1486
1487        case 0:
1488                return NULL;
1489        }
1490}
1491
1492static const char *pack_lockfile;
1493
1494static const char *unpack(int err_fd, struct shallow_info *si)
1495{
1496        struct pack_header hdr;
1497        const char *hdr_err;
1498        int status;
1499        char hdr_arg[38];
1500        struct child_process child = CHILD_PROCESS_INIT;
1501        int fsck_objects = (receive_fsck_objects >= 0
1502                            ? receive_fsck_objects
1503                            : transfer_fsck_objects >= 0
1504                            ? transfer_fsck_objects
1505                            : 0);
1506
1507        hdr_err = parse_pack_header(&hdr);
1508        if (hdr_err) {
1509                if (err_fd > 0)
1510                        close(err_fd);
1511                return hdr_err;
1512        }
1513        snprintf(hdr_arg, sizeof(hdr_arg),
1514                        "--pack_header=%"PRIu32",%"PRIu32,
1515                        ntohl(hdr.hdr_version), ntohl(hdr.hdr_entries));
1516
1517        if (si->nr_ours || si->nr_theirs) {
1518                alt_shallow_file = setup_temporary_shallow(si->shallow);
1519                argv_array_push(&child.args, "--shallow-file");
1520                argv_array_push(&child.args, alt_shallow_file);
1521        }
1522
1523        if (ntohl(hdr.hdr_entries) < unpack_limit) {
1524                argv_array_pushl(&child.args, "unpack-objects", hdr_arg, NULL);
1525                if (quiet)
1526                        argv_array_push(&child.args, "-q");
1527                if (fsck_objects)
1528                        argv_array_pushf(&child.args, "--strict%s",
1529                                fsck_msg_types.buf);
1530                child.no_stdout = 1;
1531                child.err = err_fd;
1532                child.git_cmd = 1;
1533                status = run_command(&child);
1534                if (status)
1535                        return "unpack-objects abnormal exit";
1536        } else {
1537                char hostname[256];
1538
1539                argv_array_pushl(&child.args, "index-pack",
1540                                 "--stdin", hdr_arg, NULL);
1541
1542                if (gethostname(hostname, sizeof(hostname)))
1543                        xsnprintf(hostname, sizeof(hostname), "localhost");
1544                argv_array_pushf(&child.args,
1545                                 "--keep=receive-pack %"PRIuMAX" on %s",
1546                                 (uintmax_t)getpid(),
1547                                 hostname);
1548
1549                if (fsck_objects)
1550                        argv_array_pushf(&child.args, "--strict%s",
1551                                fsck_msg_types.buf);
1552                if (!reject_thin)
1553                        argv_array_push(&child.args, "--fix-thin");
1554                child.out = -1;
1555                child.err = err_fd;
1556                child.git_cmd = 1;
1557                status = start_command(&child);
1558                if (status)
1559                        return "index-pack fork failed";
1560                pack_lockfile = index_pack_lockfile(child.out);
1561                close(child.out);
1562                status = finish_command(&child);
1563                if (status)
1564                        return "index-pack abnormal exit";
1565                reprepare_packed_git();
1566        }
1567        return NULL;
1568}
1569
1570static const char *unpack_with_sideband(struct shallow_info *si)
1571{
1572        struct async muxer;
1573        const char *ret;
1574
1575        if (!use_sideband)
1576                return unpack(0, si);
1577
1578        memset(&muxer, 0, sizeof(muxer));
1579        muxer.proc = copy_to_sideband;
1580        muxer.in = -1;
1581        if (start_async(&muxer))
1582                return NULL;
1583
1584        ret = unpack(muxer.in, si);
1585
1586        finish_async(&muxer);
1587        return ret;
1588}
1589
1590static void prepare_shallow_update(struct command *commands,
1591                                   struct shallow_info *si)
1592{
1593        int i, j, k, bitmap_size = (si->ref->nr + 31) / 32;
1594
1595        ALLOC_ARRAY(si->used_shallow, si->shallow->nr);
1596        assign_shallow_commits_to_refs(si, si->used_shallow, NULL);
1597
1598        si->need_reachability_test =
1599                xcalloc(si->shallow->nr, sizeof(*si->need_reachability_test));
1600        si->reachable =
1601                xcalloc(si->shallow->nr, sizeof(*si->reachable));
1602        si->shallow_ref = xcalloc(si->ref->nr, sizeof(*si->shallow_ref));
1603
1604        for (i = 0; i < si->nr_ours; i++)
1605                si->need_reachability_test[si->ours[i]] = 1;
1606
1607        for (i = 0; i < si->shallow->nr; i++) {
1608                if (!si->used_shallow[i])
1609                        continue;
1610                for (j = 0; j < bitmap_size; j++) {
1611                        if (!si->used_shallow[i][j])
1612                                continue;
1613                        si->need_reachability_test[i]++;
1614                        for (k = 0; k < 32; k++)
1615                                if (si->used_shallow[i][j] & (1U << k))
1616                                        si->shallow_ref[j * 32 + k]++;
1617                }
1618
1619                /*
1620                 * true for those associated with some refs and belong
1621                 * in "ours" list aka "step 7 not done yet"
1622                 */
1623                si->need_reachability_test[i] =
1624                        si->need_reachability_test[i] > 1;
1625        }
1626
1627        /*
1628         * keep hooks happy by forcing a temporary shallow file via
1629         * env variable because we can't add --shallow-file to every
1630         * command. check_everything_connected() will be done with
1631         * true .git/shallow though.
1632         */
1633        setenv(GIT_SHALLOW_FILE_ENVIRONMENT, alt_shallow_file, 1);
1634}
1635
1636static void update_shallow_info(struct command *commands,
1637                                struct shallow_info *si,
1638                                struct sha1_array *ref)
1639{
1640        struct command *cmd;
1641        int *ref_status;
1642        remove_nonexistent_theirs_shallow(si);
1643        if (!si->nr_ours && !si->nr_theirs) {
1644                shallow_update = 0;
1645                return;
1646        }
1647
1648        for (cmd = commands; cmd; cmd = cmd->next) {
1649                if (is_null_sha1(cmd->new_sha1))
1650                        continue;
1651                sha1_array_append(ref, cmd->new_sha1);
1652                cmd->index = ref->nr - 1;
1653        }
1654        si->ref = ref;
1655
1656        if (shallow_update) {
1657                prepare_shallow_update(commands, si);
1658                return;
1659        }
1660
1661        ALLOC_ARRAY(ref_status, ref->nr);
1662        assign_shallow_commits_to_refs(si, NULL, ref_status);
1663        for (cmd = commands; cmd; cmd = cmd->next) {
1664                if (is_null_sha1(cmd->new_sha1))
1665                        continue;
1666                if (ref_status[cmd->index]) {
1667                        cmd->error_string = "shallow update not allowed";
1668                        cmd->skip_update = 1;
1669                }
1670        }
1671        free(ref_status);
1672}
1673
1674static void report(struct command *commands, const char *unpack_status)
1675{
1676        struct command *cmd;
1677        struct strbuf buf = STRBUF_INIT;
1678
1679        packet_buf_write(&buf, "unpack %s\n",
1680                         unpack_status ? unpack_status : "ok");
1681        for (cmd = commands; cmd; cmd = cmd->next) {
1682                if (!cmd->error_string)
1683                        packet_buf_write(&buf, "ok %s\n",
1684                                         cmd->ref_name);
1685                else
1686                        packet_buf_write(&buf, "ng %s %s\n",
1687                                         cmd->ref_name, cmd->error_string);
1688        }
1689        packet_buf_flush(&buf);
1690
1691        if (use_sideband)
1692                send_sideband(1, 1, buf.buf, buf.len, use_sideband);
1693        else
1694                write_or_die(1, buf.buf, buf.len);
1695        strbuf_release(&buf);
1696}
1697
1698static int delete_only(struct command *commands)
1699{
1700        struct command *cmd;
1701        for (cmd = commands; cmd; cmd = cmd->next) {
1702                if (!is_null_sha1(cmd->new_sha1))
1703                        return 0;
1704        }
1705        return 1;
1706}
1707
1708int cmd_receive_pack(int argc, const char **argv, const char *prefix)
1709{
1710        int advertise_refs = 0;
1711        struct command *commands;
1712        struct sha1_array shallow = SHA1_ARRAY_INIT;
1713        struct sha1_array ref = SHA1_ARRAY_INIT;
1714        struct shallow_info si;
1715
1716        struct option options[] = {
1717                OPT__QUIET(&quiet, N_("quiet")),
1718                OPT_HIDDEN_BOOL(0, "stateless-rpc", &stateless_rpc, NULL),
1719                OPT_HIDDEN_BOOL(0, "advertise-refs", &advertise_refs, NULL),
1720                OPT_HIDDEN_BOOL(0, "reject-thin-pack-for-testing", &reject_thin, NULL),
1721                OPT_END()
1722        };
1723
1724        packet_trace_identity("receive-pack");
1725
1726        argc = parse_options(argc, argv, prefix, options, receive_pack_usage, 0);
1727
1728        if (argc > 1)
1729                usage_msg_opt(_("Too many arguments."), receive_pack_usage, options);
1730        if (argc == 0)
1731                usage_msg_opt(_("You must specify a directory."), receive_pack_usage, options);
1732
1733        service_dir = argv[0];
1734
1735        setup_path();
1736
1737        if (!enter_repo(service_dir, 0))
1738                die("'%s' does not appear to be a git repository", service_dir);
1739
1740        git_config(receive_pack_config, NULL);
1741        if (cert_nonce_seed)
1742                push_cert_nonce = prepare_push_cert_nonce(service_dir, time(NULL));
1743
1744        if (0 <= transfer_unpack_limit)
1745                unpack_limit = transfer_unpack_limit;
1746        else if (0 <= receive_unpack_limit)
1747                unpack_limit = receive_unpack_limit;
1748
1749        if (advertise_refs || !stateless_rpc) {
1750                write_head_info();
1751        }
1752        if (advertise_refs)
1753                return 0;
1754
1755        if ((commands = read_head_info(&shallow)) != NULL) {
1756                const char *unpack_status = NULL;
1757
1758                prepare_shallow_info(&si, &shallow);
1759                if (!si.nr_ours && !si.nr_theirs)
1760                        shallow_update = 0;
1761                if (!delete_only(commands)) {
1762                        unpack_status = unpack_with_sideband(&si);
1763                        update_shallow_info(commands, &si, &ref);
1764                }
1765                execute_commands(commands, unpack_status, &si);
1766                if (pack_lockfile)
1767                        unlink_or_warn(pack_lockfile);
1768                if (report_status)
1769                        report(commands, unpack_status);
1770                run_receive_hook(commands, "post-receive", 1);
1771                run_update_post_hook(commands);
1772                if (auto_gc) {
1773                        const char *argv_gc_auto[] = {
1774                                "gc", "--auto", "--quiet", NULL,
1775                        };
1776                        int opt = RUN_GIT_CMD | RUN_COMMAND_STDOUT_TO_STDERR;
1777                        close_all_packs();
1778                        run_command_v_opt(argv_gc_auto, opt);
1779                }
1780                if (auto_update_server_info)
1781                        update_server_info(0);
1782                clear_shallow_info(&si);
1783        }
1784        if (use_sideband)
1785                packet_flush(1);
1786        sha1_array_clear(&shallow);
1787        sha1_array_clear(&ref);
1788        free((void *)push_cert_nonce);
1789        return 0;
1790}