Merge branch 'rj/header-guards'
[git] / builtin / receive-pack.c
1 #include "builtin.h"
2 #include "repository.h"
3 #include "config.h"
4 #include "lockfile.h"
5 #include "pack.h"
6 #include "refs.h"
7 #include "pkt-line.h"
8 #include "sideband.h"
9 #include "run-command.h"
10 #include "exec-cmd.h"
11 #include "commit.h"
12 #include "object.h"
13 #include "remote.h"
14 #include "connect.h"
15 #include "transport.h"
16 #include "string-list.h"
17 #include "sha1-array.h"
18 #include "connected.h"
19 #include "argv-array.h"
20 #include "version.h"
21 #include "tag.h"
22 #include "gpg-interface.h"
23 #include "sigchain.h"
24 #include "fsck.h"
25 #include "tmp-objdir.h"
26 #include "oidset.h"
27 #include "packfile.h"
28 #include "object-store.h"
29 #include "protocol.h"
30 #include "commit-reach.h"
31
32 static const char * const receive_pack_usage[] = {
33         N_("git receive-pack <git-dir>"),
34         NULL
35 };
36
37 enum deny_action {
38         DENY_UNCONFIGURED,
39         DENY_IGNORE,
40         DENY_WARN,
41         DENY_REFUSE,
42         DENY_UPDATE_INSTEAD
43 };
44
45 static int deny_deletes;
46 static int deny_non_fast_forwards;
47 static enum deny_action deny_current_branch = DENY_UNCONFIGURED;
48 static enum deny_action deny_delete_current = DENY_UNCONFIGURED;
49 static int receive_fsck_objects = -1;
50 static int transfer_fsck_objects = -1;
51 static struct strbuf fsck_msg_types = STRBUF_INIT;
52 static int receive_unpack_limit = -1;
53 static int transfer_unpack_limit = -1;
54 static int advertise_atomic_push = 1;
55 static int advertise_push_options;
56 static int unpack_limit = 100;
57 static off_t max_input_size;
58 static int report_status;
59 static int use_sideband;
60 static int use_atomic;
61 static int use_push_options;
62 static int quiet;
63 static int prefer_ofs_delta = 1;
64 static int auto_update_server_info;
65 static int auto_gc = 1;
66 static int reject_thin;
67 static int stateless_rpc;
68 static const char *service_dir;
69 static const char *head_name;
70 static void *head_name_to_free;
71 static int sent_capabilities;
72 static int shallow_update;
73 static const char *alt_shallow_file;
74 static struct strbuf push_cert = STRBUF_INIT;
75 static struct object_id push_cert_oid;
76 static struct signature_check sigcheck;
77 static const char *push_cert_nonce;
78 static const char *cert_nonce_seed;
79
80 static const char *NONCE_UNSOLICITED = "UNSOLICITED";
81 static const char *NONCE_BAD = "BAD";
82 static const char *NONCE_MISSING = "MISSING";
83 static const char *NONCE_OK = "OK";
84 static const char *NONCE_SLOP = "SLOP";
85 static const char *nonce_status;
86 static long nonce_stamp_slop;
87 static timestamp_t nonce_stamp_slop_limit;
88 static struct ref_transaction *transaction;
89
90 static enum {
91         KEEPALIVE_NEVER = 0,
92         KEEPALIVE_AFTER_NUL,
93         KEEPALIVE_ALWAYS
94 } use_keepalive;
95 static int keepalive_in_sec = 5;
96
97 static struct tmp_objdir *tmp_objdir;
98
99 static enum deny_action parse_deny_action(const char *var, const char *value)
100 {
101         if (value) {
102                 if (!strcasecmp(value, "ignore"))
103                         return DENY_IGNORE;
104                 if (!strcasecmp(value, "warn"))
105                         return DENY_WARN;
106                 if (!strcasecmp(value, "refuse"))
107                         return DENY_REFUSE;
108                 if (!strcasecmp(value, "updateinstead"))
109                         return DENY_UPDATE_INSTEAD;
110         }
111         if (git_config_bool(var, value))
112                 return DENY_REFUSE;
113         return DENY_IGNORE;
114 }
115
116 static int receive_pack_config(const char *var, const char *value, void *cb)
117 {
118         int status = parse_hide_refs_config(var, value, "receive");
119
120         if (status)
121                 return status;
122
123         if (strcmp(var, "receive.denydeletes") == 0) {
124                 deny_deletes = git_config_bool(var, value);
125                 return 0;
126         }
127
128         if (strcmp(var, "receive.denynonfastforwards") == 0) {
129                 deny_non_fast_forwards = git_config_bool(var, value);
130                 return 0;
131         }
132
133         if (strcmp(var, "receive.unpacklimit") == 0) {
134                 receive_unpack_limit = git_config_int(var, value);
135                 return 0;
136         }
137
138         if (strcmp(var, "transfer.unpacklimit") == 0) {
139                 transfer_unpack_limit = git_config_int(var, value);
140                 return 0;
141         }
142
143         if (strcmp(var, "receive.fsck.skiplist") == 0) {
144                 const char *path;
145
146                 if (git_config_pathname(&path, var, value))
147                         return 1;
148                 strbuf_addf(&fsck_msg_types, "%cskiplist=%s",
149                         fsck_msg_types.len ? ',' : '=', path);
150                 free((char *)path);
151                 return 0;
152         }
153
154         if (skip_prefix(var, "receive.fsck.", &var)) {
155                 if (is_valid_msg_type(var, value))
156                         strbuf_addf(&fsck_msg_types, "%c%s=%s",
157                                 fsck_msg_types.len ? ',' : '=', var, value);
158                 else
159                         warning("Skipping unknown msg id '%s'", var);
160                 return 0;
161         }
162
163         if (strcmp(var, "receive.fsckobjects") == 0) {
164                 receive_fsck_objects = git_config_bool(var, value);
165                 return 0;
166         }
167
168         if (strcmp(var, "transfer.fsckobjects") == 0) {
169                 transfer_fsck_objects = git_config_bool(var, value);
170                 return 0;
171         }
172
173         if (!strcmp(var, "receive.denycurrentbranch")) {
174                 deny_current_branch = parse_deny_action(var, value);
175                 return 0;
176         }
177
178         if (strcmp(var, "receive.denydeletecurrent") == 0) {
179                 deny_delete_current = parse_deny_action(var, value);
180                 return 0;
181         }
182
183         if (strcmp(var, "repack.usedeltabaseoffset") == 0) {
184                 prefer_ofs_delta = git_config_bool(var, value);
185                 return 0;
186         }
187
188         if (strcmp(var, "receive.updateserverinfo") == 0) {
189                 auto_update_server_info = git_config_bool(var, value);
190                 return 0;
191         }
192
193         if (strcmp(var, "receive.autogc") == 0) {
194                 auto_gc = git_config_bool(var, value);
195                 return 0;
196         }
197
198         if (strcmp(var, "receive.shallowupdate") == 0) {
199                 shallow_update = git_config_bool(var, value);
200                 return 0;
201         }
202
203         if (strcmp(var, "receive.certnonceseed") == 0)
204                 return git_config_string(&cert_nonce_seed, var, value);
205
206         if (strcmp(var, "receive.certnonceslop") == 0) {
207                 nonce_stamp_slop_limit = git_config_ulong(var, value);
208                 return 0;
209         }
210
211         if (strcmp(var, "receive.advertiseatomic") == 0) {
212                 advertise_atomic_push = git_config_bool(var, value);
213                 return 0;
214         }
215
216         if (strcmp(var, "receive.advertisepushoptions") == 0) {
217                 advertise_push_options = git_config_bool(var, value);
218                 return 0;
219         }
220
221         if (strcmp(var, "receive.keepalive") == 0) {
222                 keepalive_in_sec = git_config_int(var, value);
223                 return 0;
224         }
225
226         if (strcmp(var, "receive.maxinputsize") == 0) {
227                 max_input_size = git_config_int64(var, value);
228                 return 0;
229         }
230
231         return git_default_config(var, value, cb);
232 }
233
234 static void show_ref(const char *path, const struct object_id *oid)
235 {
236         if (sent_capabilities) {
237                 packet_write_fmt(1, "%s %s\n", oid_to_hex(oid), path);
238         } else {
239                 struct strbuf cap = STRBUF_INIT;
240
241                 strbuf_addstr(&cap,
242                               "report-status delete-refs side-band-64k quiet");
243                 if (advertise_atomic_push)
244                         strbuf_addstr(&cap, " atomic");
245                 if (prefer_ofs_delta)
246                         strbuf_addstr(&cap, " ofs-delta");
247                 if (push_cert_nonce)
248                         strbuf_addf(&cap, " push-cert=%s", push_cert_nonce);
249                 if (advertise_push_options)
250                         strbuf_addstr(&cap, " push-options");
251                 strbuf_addf(&cap, " agent=%s", git_user_agent_sanitized());
252                 packet_write_fmt(1, "%s %s%c%s\n",
253                              oid_to_hex(oid), path, 0, cap.buf);
254                 strbuf_release(&cap);
255                 sent_capabilities = 1;
256         }
257 }
258
259 static int show_ref_cb(const char *path_full, const struct object_id *oid,
260                        int flag, void *data)
261 {
262         struct oidset *seen = data;
263         const char *path = strip_namespace(path_full);
264
265         if (ref_is_hidden(path, path_full))
266                 return 0;
267
268         /*
269          * Advertise refs outside our current namespace as ".have"
270          * refs, so that the client can use them to minimize data
271          * transfer but will otherwise ignore them.
272          */
273         if (!path) {
274                 if (oidset_insert(seen, oid))
275                         return 0;
276                 path = ".have";
277         } else {
278                 oidset_insert(seen, oid);
279         }
280         show_ref(path, oid);
281         return 0;
282 }
283
284 static void show_one_alternate_ref(const struct object_id *oid,
285                                    void *data)
286 {
287         struct oidset *seen = data;
288
289         if (oidset_insert(seen, oid))
290                 return;
291
292         show_ref(".have", oid);
293 }
294
295 static void write_head_info(void)
296 {
297         static struct oidset seen = OIDSET_INIT;
298
299         for_each_ref(show_ref_cb, &seen);
300         for_each_alternate_ref(show_one_alternate_ref, &seen);
301         oidset_clear(&seen);
302         if (!sent_capabilities)
303                 show_ref("capabilities^{}", &null_oid);
304
305         advertise_shallow_grafts(1);
306
307         /* EOF */
308         packet_flush(1);
309 }
310
311 struct command {
312         struct command *next;
313         const char *error_string;
314         unsigned int skip_update:1,
315                      did_not_exist:1;
316         int index;
317         struct object_id old_oid;
318         struct object_id new_oid;
319         char ref_name[FLEX_ARRAY]; /* more */
320 };
321
322 static void rp_error(const char *err, ...) __attribute__((format (printf, 1, 2)));
323 static void rp_warning(const char *err, ...) __attribute__((format (printf, 1, 2)));
324
325 static void report_message(const char *prefix, const char *err, va_list params)
326 {
327         int sz;
328         char msg[4096];
329
330         sz = xsnprintf(msg, sizeof(msg), "%s", prefix);
331         sz += vsnprintf(msg + sz, sizeof(msg) - sz, err, params);
332         if (sz > (sizeof(msg) - 1))
333                 sz = sizeof(msg) - 1;
334         msg[sz++] = '\n';
335
336         if (use_sideband)
337                 send_sideband(1, 2, msg, sz, use_sideband);
338         else
339                 xwrite(2, msg, sz);
340 }
341
342 static void rp_warning(const char *err, ...)
343 {
344         va_list params;
345         va_start(params, err);
346         report_message("warning: ", err, params);
347         va_end(params);
348 }
349
350 static void rp_error(const char *err, ...)
351 {
352         va_list params;
353         va_start(params, err);
354         report_message("error: ", err, params);
355         va_end(params);
356 }
357
358 static int copy_to_sideband(int in, int out, void *arg)
359 {
360         char data[128];
361         int keepalive_active = 0;
362
363         if (keepalive_in_sec <= 0)
364                 use_keepalive = KEEPALIVE_NEVER;
365         if (use_keepalive == KEEPALIVE_ALWAYS)
366                 keepalive_active = 1;
367
368         while (1) {
369                 ssize_t sz;
370
371                 if (keepalive_active) {
372                         struct pollfd pfd;
373                         int ret;
374
375                         pfd.fd = in;
376                         pfd.events = POLLIN;
377                         ret = poll(&pfd, 1, 1000 * keepalive_in_sec);
378
379                         if (ret < 0) {
380                                 if (errno == EINTR)
381                                         continue;
382                                 else
383                                         break;
384                         } else if (ret == 0) {
385                                 /* no data; send a keepalive packet */
386                                 static const char buf[] = "0005\1";
387                                 write_or_die(1, buf, sizeof(buf) - 1);
388                                 continue;
389                         } /* else there is actual data to read */
390                 }
391
392                 sz = xread(in, data, sizeof(data));
393                 if (sz <= 0)
394                         break;
395
396                 if (use_keepalive == KEEPALIVE_AFTER_NUL && !keepalive_active) {
397                         const char *p = memchr(data, '\0', sz);
398                         if (p) {
399                                 /*
400                                  * The NUL tells us to start sending keepalives. Make
401                                  * sure we send any other data we read along
402                                  * with it.
403                                  */
404                                 keepalive_active = 1;
405                                 send_sideband(1, 2, data, p - data, use_sideband);
406                                 send_sideband(1, 2, p + 1, sz - (p - data + 1), use_sideband);
407                                 continue;
408                         }
409                 }
410
411                 /*
412                  * Either we're not looking for a NUL signal, or we didn't see
413                  * it yet; just pass along the data.
414                  */
415                 send_sideband(1, 2, data, sz, use_sideband);
416         }
417         close(in);
418         return 0;
419 }
420
421 #define HMAC_BLOCK_SIZE 64
422
423 static void hmac_sha1(unsigned char *out,
424                       const char *key_in, size_t key_len,
425                       const char *text, size_t text_len)
426 {
427         unsigned char key[HMAC_BLOCK_SIZE];
428         unsigned char k_ipad[HMAC_BLOCK_SIZE];
429         unsigned char k_opad[HMAC_BLOCK_SIZE];
430         int i;
431         git_SHA_CTX ctx;
432
433         /* RFC 2104 2. (1) */
434         memset(key, '\0', HMAC_BLOCK_SIZE);
435         if (HMAC_BLOCK_SIZE < key_len) {
436                 git_SHA1_Init(&ctx);
437                 git_SHA1_Update(&ctx, key_in, key_len);
438                 git_SHA1_Final(key, &ctx);
439         } else {
440                 memcpy(key, key_in, key_len);
441         }
442
443         /* RFC 2104 2. (2) & (5) */
444         for (i = 0; i < sizeof(key); i++) {
445                 k_ipad[i] = key[i] ^ 0x36;
446                 k_opad[i] = key[i] ^ 0x5c;
447         }
448
449         /* RFC 2104 2. (3) & (4) */
450         git_SHA1_Init(&ctx);
451         git_SHA1_Update(&ctx, k_ipad, sizeof(k_ipad));
452         git_SHA1_Update(&ctx, text, text_len);
453         git_SHA1_Final(out, &ctx);
454
455         /* RFC 2104 2. (6) & (7) */
456         git_SHA1_Init(&ctx);
457         git_SHA1_Update(&ctx, k_opad, sizeof(k_opad));
458         git_SHA1_Update(&ctx, out, GIT_SHA1_RAWSZ);
459         git_SHA1_Final(out, &ctx);
460 }
461
462 static char *prepare_push_cert_nonce(const char *path, timestamp_t stamp)
463 {
464         struct strbuf buf = STRBUF_INIT;
465         unsigned char sha1[GIT_SHA1_RAWSZ];
466
467         strbuf_addf(&buf, "%s:%"PRItime, path, stamp);
468         hmac_sha1(sha1, buf.buf, buf.len, cert_nonce_seed, strlen(cert_nonce_seed));
469         strbuf_release(&buf);
470
471         /* RFC 2104 5. HMAC-SHA1-80 */
472         strbuf_addf(&buf, "%"PRItime"-%.*s", stamp, GIT_SHA1_HEXSZ, sha1_to_hex(sha1));
473         return strbuf_detach(&buf, NULL);
474 }
475
476 /*
477  * NEEDSWORK: reuse find_commit_header() from jk/commit-author-parsing
478  * after dropping "_commit" from its name and possibly moving it out
479  * of commit.c
480  */
481 static char *find_header(const char *msg, size_t len, const char *key,
482                          const char **next_line)
483 {
484         int key_len = strlen(key);
485         const char *line = msg;
486
487         while (line && line < msg + len) {
488                 const char *eol = strchrnul(line, '\n');
489
490                 if ((msg + len <= eol) || line == eol)
491                         return NULL;
492                 if (line + key_len < eol &&
493                     !memcmp(line, key, key_len) && line[key_len] == ' ') {
494                         int offset = key_len + 1;
495                         if (next_line)
496                                 *next_line = *eol ? eol + 1 : eol;
497                         return xmemdupz(line + offset, (eol - line) - offset);
498                 }
499                 line = *eol ? eol + 1 : NULL;
500         }
501         return NULL;
502 }
503
504 static const char *check_nonce(const char *buf, size_t len)
505 {
506         char *nonce = find_header(buf, len, "nonce", NULL);
507         timestamp_t stamp, ostamp;
508         char *bohmac, *expect = NULL;
509         const char *retval = NONCE_BAD;
510
511         if (!nonce) {
512                 retval = NONCE_MISSING;
513                 goto leave;
514         } else if (!push_cert_nonce) {
515                 retval = NONCE_UNSOLICITED;
516                 goto leave;
517         } else if (!strcmp(push_cert_nonce, nonce)) {
518                 retval = NONCE_OK;
519                 goto leave;
520         }
521
522         if (!stateless_rpc) {
523                 /* returned nonce MUST match what we gave out earlier */
524                 retval = NONCE_BAD;
525                 goto leave;
526         }
527
528         /*
529          * In stateless mode, we may be receiving a nonce issued by
530          * another instance of the server that serving the same
531          * repository, and the timestamps may not match, but the
532          * nonce-seed and dir should match, so we can recompute and
533          * report the time slop.
534          *
535          * In addition, when a nonce issued by another instance has
536          * timestamp within receive.certnonceslop seconds, we pretend
537          * as if we issued that nonce when reporting to the hook.
538          */
539
540         /* nonce is concat(<seconds-since-epoch>, "-", <hmac>) */
541         if (*nonce <= '0' || '9' < *nonce) {
542                 retval = NONCE_BAD;
543                 goto leave;
544         }
545         stamp = parse_timestamp(nonce, &bohmac, 10);
546         if (bohmac == nonce || bohmac[0] != '-') {
547                 retval = NONCE_BAD;
548                 goto leave;
549         }
550
551         expect = prepare_push_cert_nonce(service_dir, stamp);
552         if (strcmp(expect, nonce)) {
553                 /* Not what we would have signed earlier */
554                 retval = NONCE_BAD;
555                 goto leave;
556         }
557
558         /*
559          * By how many seconds is this nonce stale?  Negative value
560          * would mean it was issued by another server with its clock
561          * skewed in the future.
562          */
563         ostamp = parse_timestamp(push_cert_nonce, NULL, 10);
564         nonce_stamp_slop = (long)ostamp - (long)stamp;
565
566         if (nonce_stamp_slop_limit &&
567             labs(nonce_stamp_slop) <= nonce_stamp_slop_limit) {
568                 /*
569                  * Pretend as if the received nonce (which passes the
570                  * HMAC check, so it is not a forged by third-party)
571                  * is what we issued.
572                  */
573                 free((void *)push_cert_nonce);
574                 push_cert_nonce = xstrdup(nonce);
575                 retval = NONCE_OK;
576         } else {
577                 retval = NONCE_SLOP;
578         }
579
580 leave:
581         free(nonce);
582         free(expect);
583         return retval;
584 }
585
586 /*
587  * Return 1 if there is no push_cert or if the push options in push_cert are
588  * the same as those in the argument; 0 otherwise.
589  */
590 static int check_cert_push_options(const struct string_list *push_options)
591 {
592         const char *buf = push_cert.buf;
593         int len = push_cert.len;
594
595         char *option;
596         const char *next_line;
597         int options_seen = 0;
598
599         int retval = 1;
600
601         if (!len)
602                 return 1;
603
604         while ((option = find_header(buf, len, "push-option", &next_line))) {
605                 len -= (next_line - buf);
606                 buf = next_line;
607                 options_seen++;
608                 if (options_seen > push_options->nr
609                     || strcmp(option,
610                               push_options->items[options_seen - 1].string)) {
611                         retval = 0;
612                         goto leave;
613                 }
614                 free(option);
615         }
616
617         if (options_seen != push_options->nr)
618                 retval = 0;
619
620 leave:
621         free(option);
622         return retval;
623 }
624
625 static void prepare_push_cert_sha1(struct child_process *proc)
626 {
627         static int already_done;
628
629         if (!push_cert.len)
630                 return;
631
632         if (!already_done) {
633                 int bogs /* beginning_of_gpg_sig */;
634
635                 already_done = 1;
636                 if (write_object_file(push_cert.buf, push_cert.len, "blob",
637                                       &push_cert_oid))
638                         oidclr(&push_cert_oid);
639
640                 memset(&sigcheck, '\0', sizeof(sigcheck));
641
642                 bogs = parse_signature(push_cert.buf, push_cert.len);
643                 check_signature(push_cert.buf, bogs, push_cert.buf + bogs,
644                                 push_cert.len - bogs, &sigcheck);
645
646                 nonce_status = check_nonce(push_cert.buf, bogs);
647         }
648         if (!is_null_oid(&push_cert_oid)) {
649                 argv_array_pushf(&proc->env_array, "GIT_PUSH_CERT=%s",
650                                  oid_to_hex(&push_cert_oid));
651                 argv_array_pushf(&proc->env_array, "GIT_PUSH_CERT_SIGNER=%s",
652                                  sigcheck.signer ? sigcheck.signer : "");
653                 argv_array_pushf(&proc->env_array, "GIT_PUSH_CERT_KEY=%s",
654                                  sigcheck.key ? sigcheck.key : "");
655                 argv_array_pushf(&proc->env_array, "GIT_PUSH_CERT_STATUS=%c",
656                                  sigcheck.result);
657                 if (push_cert_nonce) {
658                         argv_array_pushf(&proc->env_array,
659                                          "GIT_PUSH_CERT_NONCE=%s",
660                                          push_cert_nonce);
661                         argv_array_pushf(&proc->env_array,
662                                          "GIT_PUSH_CERT_NONCE_STATUS=%s",
663                                          nonce_status);
664                         if (nonce_status == NONCE_SLOP)
665                                 argv_array_pushf(&proc->env_array,
666                                                  "GIT_PUSH_CERT_NONCE_SLOP=%ld",
667                                                  nonce_stamp_slop);
668                 }
669         }
670 }
671
672 struct receive_hook_feed_state {
673         struct command *cmd;
674         int skip_broken;
675         struct strbuf buf;
676         const struct string_list *push_options;
677 };
678
679 typedef int (*feed_fn)(void *, const char **, size_t *);
680 static int run_and_feed_hook(const char *hook_name, feed_fn feed,
681                              struct receive_hook_feed_state *feed_state)
682 {
683         struct child_process proc = CHILD_PROCESS_INIT;
684         struct async muxer;
685         const char *argv[2];
686         int code;
687
688         argv[0] = find_hook(hook_name);
689         if (!argv[0])
690                 return 0;
691
692         argv[1] = NULL;
693
694         proc.argv = argv;
695         proc.in = -1;
696         proc.stdout_to_stderr = 1;
697         if (feed_state->push_options) {
698                 int i;
699                 for (i = 0; i < feed_state->push_options->nr; i++)
700                         argv_array_pushf(&proc.env_array,
701                                 "GIT_PUSH_OPTION_%d=%s", i,
702                                 feed_state->push_options->items[i].string);
703                 argv_array_pushf(&proc.env_array, "GIT_PUSH_OPTION_COUNT=%d",
704                                  feed_state->push_options->nr);
705         } else
706                 argv_array_pushf(&proc.env_array, "GIT_PUSH_OPTION_COUNT");
707
708         if (tmp_objdir)
709                 argv_array_pushv(&proc.env_array, tmp_objdir_env(tmp_objdir));
710
711         if (use_sideband) {
712                 memset(&muxer, 0, sizeof(muxer));
713                 muxer.proc = copy_to_sideband;
714                 muxer.in = -1;
715                 code = start_async(&muxer);
716                 if (code)
717                         return code;
718                 proc.err = muxer.in;
719         }
720
721         prepare_push_cert_sha1(&proc);
722
723         code = start_command(&proc);
724         if (code) {
725                 if (use_sideband)
726                         finish_async(&muxer);
727                 return code;
728         }
729
730         sigchain_push(SIGPIPE, SIG_IGN);
731
732         while (1) {
733                 const char *buf;
734                 size_t n;
735                 if (feed(feed_state, &buf, &n))
736                         break;
737                 if (write_in_full(proc.in, buf, n) < 0)
738                         break;
739         }
740         close(proc.in);
741         if (use_sideband)
742                 finish_async(&muxer);
743
744         sigchain_pop(SIGPIPE);
745
746         return finish_command(&proc);
747 }
748
749 static int feed_receive_hook(void *state_, const char **bufp, size_t *sizep)
750 {
751         struct receive_hook_feed_state *state = state_;
752         struct command *cmd = state->cmd;
753
754         while (cmd &&
755                state->skip_broken && (cmd->error_string || cmd->did_not_exist))
756                 cmd = cmd->next;
757         if (!cmd)
758                 return -1; /* EOF */
759         strbuf_reset(&state->buf);
760         strbuf_addf(&state->buf, "%s %s %s\n",
761                     oid_to_hex(&cmd->old_oid), oid_to_hex(&cmd->new_oid),
762                     cmd->ref_name);
763         state->cmd = cmd->next;
764         if (bufp) {
765                 *bufp = state->buf.buf;
766                 *sizep = state->buf.len;
767         }
768         return 0;
769 }
770
771 static int run_receive_hook(struct command *commands,
772                             const char *hook_name,
773                             int skip_broken,
774                             const struct string_list *push_options)
775 {
776         struct receive_hook_feed_state state;
777         int status;
778
779         strbuf_init(&state.buf, 0);
780         state.cmd = commands;
781         state.skip_broken = skip_broken;
782         if (feed_receive_hook(&state, NULL, NULL))
783                 return 0;
784         state.cmd = commands;
785         state.push_options = push_options;
786         status = run_and_feed_hook(hook_name, feed_receive_hook, &state);
787         strbuf_release(&state.buf);
788         return status;
789 }
790
791 static int run_update_hook(struct command *cmd)
792 {
793         const char *argv[5];
794         struct child_process proc = CHILD_PROCESS_INIT;
795         int code;
796
797         argv[0] = find_hook("update");
798         if (!argv[0])
799                 return 0;
800
801         argv[1] = cmd->ref_name;
802         argv[2] = oid_to_hex(&cmd->old_oid);
803         argv[3] = oid_to_hex(&cmd->new_oid);
804         argv[4] = NULL;
805
806         proc.no_stdin = 1;
807         proc.stdout_to_stderr = 1;
808         proc.err = use_sideband ? -1 : 0;
809         proc.argv = argv;
810
811         code = start_command(&proc);
812         if (code)
813                 return code;
814         if (use_sideband)
815                 copy_to_sideband(proc.err, -1, NULL);
816         return finish_command(&proc);
817 }
818
819 static int is_ref_checked_out(const char *ref)
820 {
821         if (is_bare_repository())
822                 return 0;
823
824         if (!head_name)
825                 return 0;
826         return !strcmp(head_name, ref);
827 }
828
829 static char *refuse_unconfigured_deny_msg =
830         N_("By default, updating the current branch in a non-bare repository\n"
831            "is denied, because it will make the index and work tree inconsistent\n"
832            "with what you pushed, and will require 'git reset --hard' to match\n"
833            "the work tree to HEAD.\n"
834            "\n"
835            "You can set the 'receive.denyCurrentBranch' configuration variable\n"
836            "to 'ignore' or 'warn' in the remote repository to allow pushing into\n"
837            "its current branch; however, this is not recommended unless you\n"
838            "arranged to update its work tree to match what you pushed in some\n"
839            "other way.\n"
840            "\n"
841            "To squelch this message and still keep the default behaviour, set\n"
842            "'receive.denyCurrentBranch' configuration variable to 'refuse'.");
843
844 static void refuse_unconfigured_deny(void)
845 {
846         rp_error("%s", _(refuse_unconfigured_deny_msg));
847 }
848
849 static char *refuse_unconfigured_deny_delete_current_msg =
850         N_("By default, deleting the current branch is denied, because the next\n"
851            "'git clone' won't result in any file checked out, causing confusion.\n"
852            "\n"
853            "You can set 'receive.denyDeleteCurrent' configuration variable to\n"
854            "'warn' or 'ignore' in the remote repository to allow deleting the\n"
855            "current branch, with or without a warning message.\n"
856            "\n"
857            "To squelch this message, you can set it to 'refuse'.");
858
859 static void refuse_unconfigured_deny_delete_current(void)
860 {
861         rp_error("%s", _(refuse_unconfigured_deny_delete_current_msg));
862 }
863
864 static int command_singleton_iterator(void *cb_data, struct object_id *oid);
865 static int update_shallow_ref(struct command *cmd, struct shallow_info *si)
866 {
867         struct lock_file shallow_lock = LOCK_INIT;
868         struct oid_array extra = OID_ARRAY_INIT;
869         struct check_connected_options opt = CHECK_CONNECTED_INIT;
870         uint32_t mask = 1 << (cmd->index % 32);
871         int i;
872
873         trace_printf_key(&trace_shallow,
874                          "shallow: update_shallow_ref %s\n", cmd->ref_name);
875         for (i = 0; i < si->shallow->nr; i++)
876                 if (si->used_shallow[i] &&
877                     (si->used_shallow[i][cmd->index / 32] & mask) &&
878                     !delayed_reachability_test(si, i))
879                         oid_array_append(&extra, &si->shallow->oid[i]);
880
881         opt.env = tmp_objdir_env(tmp_objdir);
882         setup_alternate_shallow(&shallow_lock, &opt.shallow_file, &extra);
883         if (check_connected(command_singleton_iterator, cmd, &opt)) {
884                 rollback_lock_file(&shallow_lock);
885                 oid_array_clear(&extra);
886                 return -1;
887         }
888
889         commit_lock_file(&shallow_lock);
890
891         /*
892          * Make sure setup_alternate_shallow() for the next ref does
893          * not lose these new roots..
894          */
895         for (i = 0; i < extra.nr; i++)
896                 register_shallow(the_repository, &extra.oid[i]);
897
898         si->shallow_ref[cmd->index] = 0;
899         oid_array_clear(&extra);
900         return 0;
901 }
902
903 /*
904  * NEEDSWORK: we should consolidate various implementions of "are we
905  * on an unborn branch?" test into one, and make the unified one more
906  * robust. !get_sha1() based check used here and elsewhere would not
907  * allow us to tell an unborn branch from corrupt ref, for example.
908  * For the purpose of fixing "deploy-to-update does not work when
909  * pushing into an empty repository" issue, this should suffice for
910  * now.
911  */
912 static int head_has_history(void)
913 {
914         struct object_id oid;
915
916         return !get_oid("HEAD", &oid);
917 }
918
919 static const char *push_to_deploy(unsigned char *sha1,
920                                   struct argv_array *env,
921                                   const char *work_tree)
922 {
923         const char *update_refresh[] = {
924                 "update-index", "-q", "--ignore-submodules", "--refresh", NULL
925         };
926         const char *diff_files[] = {
927                 "diff-files", "--quiet", "--ignore-submodules", "--", NULL
928         };
929         const char *diff_index[] = {
930                 "diff-index", "--quiet", "--cached", "--ignore-submodules",
931                 NULL, "--", NULL
932         };
933         const char *read_tree[] = {
934                 "read-tree", "-u", "-m", NULL, NULL
935         };
936         struct child_process child = CHILD_PROCESS_INIT;
937
938         child.argv = update_refresh;
939         child.env = env->argv;
940         child.dir = work_tree;
941         child.no_stdin = 1;
942         child.stdout_to_stderr = 1;
943         child.git_cmd = 1;
944         if (run_command(&child))
945                 return "Up-to-date check failed";
946
947         /* run_command() does not clean up completely; reinitialize */
948         child_process_init(&child);
949         child.argv = diff_files;
950         child.env = env->argv;
951         child.dir = work_tree;
952         child.no_stdin = 1;
953         child.stdout_to_stderr = 1;
954         child.git_cmd = 1;
955         if (run_command(&child))
956                 return "Working directory has unstaged changes";
957
958         /* diff-index with either HEAD or an empty tree */
959         diff_index[4] = head_has_history() ? "HEAD" : empty_tree_oid_hex();
960
961         child_process_init(&child);
962         child.argv = diff_index;
963         child.env = env->argv;
964         child.no_stdin = 1;
965         child.no_stdout = 1;
966         child.stdout_to_stderr = 0;
967         child.git_cmd = 1;
968         if (run_command(&child))
969                 return "Working directory has staged changes";
970
971         read_tree[3] = sha1_to_hex(sha1);
972         child_process_init(&child);
973         child.argv = read_tree;
974         child.env = env->argv;
975         child.dir = work_tree;
976         child.no_stdin = 1;
977         child.no_stdout = 1;
978         child.stdout_to_stderr = 0;
979         child.git_cmd = 1;
980         if (run_command(&child))
981                 return "Could not update working tree to new HEAD";
982
983         return NULL;
984 }
985
986 static const char *push_to_checkout_hook = "push-to-checkout";
987
988 static const char *push_to_checkout(unsigned char *sha1,
989                                     struct argv_array *env,
990                                     const char *work_tree)
991 {
992         argv_array_pushf(env, "GIT_WORK_TREE=%s", absolute_path(work_tree));
993         if (run_hook_le(env->argv, push_to_checkout_hook,
994                         sha1_to_hex(sha1), NULL))
995                 return "push-to-checkout hook declined";
996         else
997                 return NULL;
998 }
999
1000 static const char *update_worktree(unsigned char *sha1)
1001 {
1002         const char *retval;
1003         const char *work_tree = git_work_tree_cfg ? git_work_tree_cfg : "..";
1004         struct argv_array env = ARGV_ARRAY_INIT;
1005
1006         if (is_bare_repository())
1007                 return "denyCurrentBranch = updateInstead needs a worktree";
1008
1009         argv_array_pushf(&env, "GIT_DIR=%s", absolute_path(get_git_dir()));
1010
1011         if (!find_hook(push_to_checkout_hook))
1012                 retval = push_to_deploy(sha1, &env, work_tree);
1013         else
1014                 retval = push_to_checkout(sha1, &env, work_tree);
1015
1016         argv_array_clear(&env);
1017         return retval;
1018 }
1019
1020 static const char *update(struct command *cmd, struct shallow_info *si)
1021 {
1022         const char *name = cmd->ref_name;
1023         struct strbuf namespaced_name_buf = STRBUF_INIT;
1024         static char *namespaced_name;
1025         const char *ret;
1026         struct object_id *old_oid = &cmd->old_oid;
1027         struct object_id *new_oid = &cmd->new_oid;
1028
1029         /* only refs/... are allowed */
1030         if (!starts_with(name, "refs/") || check_refname_format(name + 5, 0)) {
1031                 rp_error("refusing to create funny ref '%s' remotely", name);
1032                 return "funny refname";
1033         }
1034
1035         strbuf_addf(&namespaced_name_buf, "%s%s", get_git_namespace(), name);
1036         free(namespaced_name);
1037         namespaced_name = strbuf_detach(&namespaced_name_buf, NULL);
1038
1039         if (is_ref_checked_out(namespaced_name)) {
1040                 switch (deny_current_branch) {
1041                 case DENY_IGNORE:
1042                         break;
1043                 case DENY_WARN:
1044                         rp_warning("updating the current branch");
1045                         break;
1046                 case DENY_REFUSE:
1047                 case DENY_UNCONFIGURED:
1048                         rp_error("refusing to update checked out branch: %s", name);
1049                         if (deny_current_branch == DENY_UNCONFIGURED)
1050                                 refuse_unconfigured_deny();
1051                         return "branch is currently checked out";
1052                 case DENY_UPDATE_INSTEAD:
1053                         ret = update_worktree(new_oid->hash);
1054                         if (ret)
1055                                 return ret;
1056                         break;
1057                 }
1058         }
1059
1060         if (!is_null_oid(new_oid) && !has_object_file(new_oid)) {
1061                 error("unpack should have generated %s, "
1062                       "but I can't find it!", oid_to_hex(new_oid));
1063                 return "bad pack";
1064         }
1065
1066         if (!is_null_oid(old_oid) && is_null_oid(new_oid)) {
1067                 if (deny_deletes && starts_with(name, "refs/heads/")) {
1068                         rp_error("denying ref deletion for %s", name);
1069                         return "deletion prohibited";
1070                 }
1071
1072                 if (head_name && !strcmp(namespaced_name, head_name)) {
1073                         switch (deny_delete_current) {
1074                         case DENY_IGNORE:
1075                                 break;
1076                         case DENY_WARN:
1077                                 rp_warning("deleting the current branch");
1078                                 break;
1079                         case DENY_REFUSE:
1080                         case DENY_UNCONFIGURED:
1081                         case DENY_UPDATE_INSTEAD:
1082                                 if (deny_delete_current == DENY_UNCONFIGURED)
1083                                         refuse_unconfigured_deny_delete_current();
1084                                 rp_error("refusing to delete the current branch: %s", name);
1085                                 return "deletion of the current branch prohibited";
1086                         default:
1087                                 return "Invalid denyDeleteCurrent setting";
1088                         }
1089                 }
1090         }
1091
1092         if (deny_non_fast_forwards && !is_null_oid(new_oid) &&
1093             !is_null_oid(old_oid) &&
1094             starts_with(name, "refs/heads/")) {
1095                 struct object *old_object, *new_object;
1096                 struct commit *old_commit, *new_commit;
1097
1098                 old_object = parse_object(the_repository, old_oid);
1099                 new_object = parse_object(the_repository, new_oid);
1100
1101                 if (!old_object || !new_object ||
1102                     old_object->type != OBJ_COMMIT ||
1103                     new_object->type != OBJ_COMMIT) {
1104                         error("bad sha1 objects for %s", name);
1105                         return "bad ref";
1106                 }
1107                 old_commit = (struct commit *)old_object;
1108                 new_commit = (struct commit *)new_object;
1109                 if (!in_merge_bases(old_commit, new_commit)) {
1110                         rp_error("denying non-fast-forward %s"
1111                                  " (you should pull first)", name);
1112                         return "non-fast-forward";
1113                 }
1114         }
1115         if (run_update_hook(cmd)) {
1116                 rp_error("hook declined to update %s", name);
1117                 return "hook declined";
1118         }
1119
1120         if (is_null_oid(new_oid)) {
1121                 struct strbuf err = STRBUF_INIT;
1122                 if (!parse_object(the_repository, old_oid)) {
1123                         old_oid = NULL;
1124                         if (ref_exists(name)) {
1125                                 rp_warning("Allowing deletion of corrupt ref.");
1126                         } else {
1127                                 rp_warning("Deleting a non-existent ref.");
1128                                 cmd->did_not_exist = 1;
1129                         }
1130                 }
1131                 if (ref_transaction_delete(transaction,
1132                                            namespaced_name,
1133                                            old_oid,
1134                                            0, "push", &err)) {
1135                         rp_error("%s", err.buf);
1136                         strbuf_release(&err);
1137                         return "failed to delete";
1138                 }
1139                 strbuf_release(&err);
1140                 return NULL; /* good */
1141         }
1142         else {
1143                 struct strbuf err = STRBUF_INIT;
1144                 if (shallow_update && si->shallow_ref[cmd->index] &&
1145                     update_shallow_ref(cmd, si))
1146                         return "shallow error";
1147
1148                 if (ref_transaction_update(transaction,
1149                                            namespaced_name,
1150                                            new_oid, old_oid,
1151                                            0, "push",
1152                                            &err)) {
1153                         rp_error("%s", err.buf);
1154                         strbuf_release(&err);
1155
1156                         return "failed to update ref";
1157                 }
1158                 strbuf_release(&err);
1159
1160                 return NULL; /* good */
1161         }
1162 }
1163
1164 static void run_update_post_hook(struct command *commands)
1165 {
1166         struct command *cmd;
1167         struct child_process proc = CHILD_PROCESS_INIT;
1168         const char *hook;
1169
1170         hook = find_hook("post-update");
1171         if (!hook)
1172                 return;
1173
1174         for (cmd = commands; cmd; cmd = cmd->next) {
1175                 if (cmd->error_string || cmd->did_not_exist)
1176                         continue;
1177                 if (!proc.args.argc)
1178                         argv_array_push(&proc.args, hook);
1179                 argv_array_push(&proc.args, cmd->ref_name);
1180         }
1181         if (!proc.args.argc)
1182                 return;
1183
1184         proc.no_stdin = 1;
1185         proc.stdout_to_stderr = 1;
1186         proc.err = use_sideband ? -1 : 0;
1187
1188         if (!start_command(&proc)) {
1189                 if (use_sideband)
1190                         copy_to_sideband(proc.err, -1, NULL);
1191                 finish_command(&proc);
1192         }
1193 }
1194
1195 static void check_aliased_update(struct command *cmd, struct string_list *list)
1196 {
1197         struct strbuf buf = STRBUF_INIT;
1198         const char *dst_name;
1199         struct string_list_item *item;
1200         struct command *dst_cmd;
1201         int flag;
1202
1203         strbuf_addf(&buf, "%s%s", get_git_namespace(), cmd->ref_name);
1204         dst_name = resolve_ref_unsafe(buf.buf, 0, NULL, &flag);
1205         strbuf_release(&buf);
1206
1207         if (!(flag & REF_ISSYMREF))
1208                 return;
1209
1210         if (!dst_name) {
1211                 rp_error("refusing update to broken symref '%s'", cmd->ref_name);
1212                 cmd->skip_update = 1;
1213                 cmd->error_string = "broken symref";
1214                 return;
1215         }
1216         dst_name = strip_namespace(dst_name);
1217
1218         if ((item = string_list_lookup(list, dst_name)) == NULL)
1219                 return;
1220
1221         cmd->skip_update = 1;
1222
1223         dst_cmd = (struct command *) item->util;
1224
1225         if (oideq(&cmd->old_oid, &dst_cmd->old_oid) &&
1226             oideq(&cmd->new_oid, &dst_cmd->new_oid))
1227                 return;
1228
1229         dst_cmd->skip_update = 1;
1230
1231         rp_error("refusing inconsistent update between symref '%s' (%s..%s) and"
1232                  " its target '%s' (%s..%s)",
1233                  cmd->ref_name,
1234                  find_unique_abbrev(&cmd->old_oid, DEFAULT_ABBREV),
1235                  find_unique_abbrev(&cmd->new_oid, DEFAULT_ABBREV),
1236                  dst_cmd->ref_name,
1237                  find_unique_abbrev(&dst_cmd->old_oid, DEFAULT_ABBREV),
1238                  find_unique_abbrev(&dst_cmd->new_oid, DEFAULT_ABBREV));
1239
1240         cmd->error_string = dst_cmd->error_string =
1241                 "inconsistent aliased update";
1242 }
1243
1244 static void check_aliased_updates(struct command *commands)
1245 {
1246         struct command *cmd;
1247         struct string_list ref_list = STRING_LIST_INIT_NODUP;
1248
1249         for (cmd = commands; cmd; cmd = cmd->next) {
1250                 struct string_list_item *item =
1251                         string_list_append(&ref_list, cmd->ref_name);
1252                 item->util = (void *)cmd;
1253         }
1254         string_list_sort(&ref_list);
1255
1256         for (cmd = commands; cmd; cmd = cmd->next) {
1257                 if (!cmd->error_string)
1258                         check_aliased_update(cmd, &ref_list);
1259         }
1260
1261         string_list_clear(&ref_list, 0);
1262 }
1263
1264 static int command_singleton_iterator(void *cb_data, struct object_id *oid)
1265 {
1266         struct command **cmd_list = cb_data;
1267         struct command *cmd = *cmd_list;
1268
1269         if (!cmd || is_null_oid(&cmd->new_oid))
1270                 return -1; /* end of list */
1271         *cmd_list = NULL; /* this returns only one */
1272         oidcpy(oid, &cmd->new_oid);
1273         return 0;
1274 }
1275
1276 static void set_connectivity_errors(struct command *commands,
1277                                     struct shallow_info *si)
1278 {
1279         struct command *cmd;
1280
1281         for (cmd = commands; cmd; cmd = cmd->next) {
1282                 struct command *singleton = cmd;
1283                 struct check_connected_options opt = CHECK_CONNECTED_INIT;
1284
1285                 if (shallow_update && si->shallow_ref[cmd->index])
1286                         /* to be checked in update_shallow_ref() */
1287                         continue;
1288
1289                 opt.env = tmp_objdir_env(tmp_objdir);
1290                 if (!check_connected(command_singleton_iterator, &singleton,
1291                                      &opt))
1292                         continue;
1293
1294                 cmd->error_string = "missing necessary objects";
1295         }
1296 }
1297
1298 struct iterate_data {
1299         struct command *cmds;
1300         struct shallow_info *si;
1301 };
1302
1303 static int iterate_receive_command_list(void *cb_data, struct object_id *oid)
1304 {
1305         struct iterate_data *data = cb_data;
1306         struct command **cmd_list = &data->cmds;
1307         struct command *cmd = *cmd_list;
1308
1309         for (; cmd; cmd = cmd->next) {
1310                 if (shallow_update && data->si->shallow_ref[cmd->index])
1311                         /* to be checked in update_shallow_ref() */
1312                         continue;
1313                 if (!is_null_oid(&cmd->new_oid) && !cmd->skip_update) {
1314                         oidcpy(oid, &cmd->new_oid);
1315                         *cmd_list = cmd->next;
1316                         return 0;
1317                 }
1318         }
1319         *cmd_list = NULL;
1320         return -1; /* end of list */
1321 }
1322
1323 static void reject_updates_to_hidden(struct command *commands)
1324 {
1325         struct strbuf refname_full = STRBUF_INIT;
1326         size_t prefix_len;
1327         struct command *cmd;
1328
1329         strbuf_addstr(&refname_full, get_git_namespace());
1330         prefix_len = refname_full.len;
1331
1332         for (cmd = commands; cmd; cmd = cmd->next) {
1333                 if (cmd->error_string)
1334                         continue;
1335
1336                 strbuf_setlen(&refname_full, prefix_len);
1337                 strbuf_addstr(&refname_full, cmd->ref_name);
1338
1339                 if (!ref_is_hidden(cmd->ref_name, refname_full.buf))
1340                         continue;
1341                 if (is_null_oid(&cmd->new_oid))
1342                         cmd->error_string = "deny deleting a hidden ref";
1343                 else
1344                         cmd->error_string = "deny updating a hidden ref";
1345         }
1346
1347         strbuf_release(&refname_full);
1348 }
1349
1350 static int should_process_cmd(struct command *cmd)
1351 {
1352         return !cmd->error_string && !cmd->skip_update;
1353 }
1354
1355 static void warn_if_skipped_connectivity_check(struct command *commands,
1356                                                struct shallow_info *si)
1357 {
1358         struct command *cmd;
1359         int checked_connectivity = 1;
1360
1361         for (cmd = commands; cmd; cmd = cmd->next) {
1362                 if (should_process_cmd(cmd) && si->shallow_ref[cmd->index]) {
1363                         error("BUG: connectivity check has not been run on ref %s",
1364                               cmd->ref_name);
1365                         checked_connectivity = 0;
1366                 }
1367         }
1368         if (!checked_connectivity)
1369                 BUG("connectivity check skipped???");
1370 }
1371
1372 static void execute_commands_non_atomic(struct command *commands,
1373                                         struct shallow_info *si)
1374 {
1375         struct command *cmd;
1376         struct strbuf err = STRBUF_INIT;
1377
1378         for (cmd = commands; cmd; cmd = cmd->next) {
1379                 if (!should_process_cmd(cmd))
1380                         continue;
1381
1382                 transaction = ref_transaction_begin(&err);
1383                 if (!transaction) {
1384                         rp_error("%s", err.buf);
1385                         strbuf_reset(&err);
1386                         cmd->error_string = "transaction failed to start";
1387                         continue;
1388                 }
1389
1390                 cmd->error_string = update(cmd, si);
1391
1392                 if (!cmd->error_string
1393                     && ref_transaction_commit(transaction, &err)) {
1394                         rp_error("%s", err.buf);
1395                         strbuf_reset(&err);
1396                         cmd->error_string = "failed to update ref";
1397                 }
1398                 ref_transaction_free(transaction);
1399         }
1400         strbuf_release(&err);
1401 }
1402
1403 static void execute_commands_atomic(struct command *commands,
1404                                         struct shallow_info *si)
1405 {
1406         struct command *cmd;
1407         struct strbuf err = STRBUF_INIT;
1408         const char *reported_error = "atomic push failure";
1409
1410         transaction = ref_transaction_begin(&err);
1411         if (!transaction) {
1412                 rp_error("%s", err.buf);
1413                 strbuf_reset(&err);
1414                 reported_error = "transaction failed to start";
1415                 goto failure;
1416         }
1417
1418         for (cmd = commands; cmd; cmd = cmd->next) {
1419                 if (!should_process_cmd(cmd))
1420                         continue;
1421
1422                 cmd->error_string = update(cmd, si);
1423
1424                 if (cmd->error_string)
1425                         goto failure;
1426         }
1427
1428         if (ref_transaction_commit(transaction, &err)) {
1429                 rp_error("%s", err.buf);
1430                 reported_error = "atomic transaction failed";
1431                 goto failure;
1432         }
1433         goto cleanup;
1434
1435 failure:
1436         for (cmd = commands; cmd; cmd = cmd->next)
1437                 if (!cmd->error_string)
1438                         cmd->error_string = reported_error;
1439
1440 cleanup:
1441         ref_transaction_free(transaction);
1442         strbuf_release(&err);
1443 }
1444
1445 static void execute_commands(struct command *commands,
1446                              const char *unpacker_error,
1447                              struct shallow_info *si,
1448                              const struct string_list *push_options)
1449 {
1450         struct check_connected_options opt = CHECK_CONNECTED_INIT;
1451         struct command *cmd;
1452         struct iterate_data data;
1453         struct async muxer;
1454         int err_fd = 0;
1455
1456         if (unpacker_error) {
1457                 for (cmd = commands; cmd; cmd = cmd->next)
1458                         cmd->error_string = "unpacker error";
1459                 return;
1460         }
1461
1462         if (use_sideband) {
1463                 memset(&muxer, 0, sizeof(muxer));
1464                 muxer.proc = copy_to_sideband;
1465                 muxer.in = -1;
1466                 if (!start_async(&muxer))
1467                         err_fd = muxer.in;
1468                 /* ...else, continue without relaying sideband */
1469         }
1470
1471         data.cmds = commands;
1472         data.si = si;
1473         opt.err_fd = err_fd;
1474         opt.progress = err_fd && !quiet;
1475         opt.env = tmp_objdir_env(tmp_objdir);
1476         if (check_connected(iterate_receive_command_list, &data, &opt))
1477                 set_connectivity_errors(commands, si);
1478
1479         if (use_sideband)
1480                 finish_async(&muxer);
1481
1482         reject_updates_to_hidden(commands);
1483
1484         if (run_receive_hook(commands, "pre-receive", 0, push_options)) {
1485                 for (cmd = commands; cmd; cmd = cmd->next) {
1486                         if (!cmd->error_string)
1487                                 cmd->error_string = "pre-receive hook declined";
1488                 }
1489                 return;
1490         }
1491
1492         /*
1493          * Now we'll start writing out refs, which means the objects need
1494          * to be in their final positions so that other processes can see them.
1495          */
1496         if (tmp_objdir_migrate(tmp_objdir) < 0) {
1497                 for (cmd = commands; cmd; cmd = cmd->next) {
1498                         if (!cmd->error_string)
1499                                 cmd->error_string = "unable to migrate objects to permanent storage";
1500                 }
1501                 return;
1502         }
1503         tmp_objdir = NULL;
1504
1505         check_aliased_updates(commands);
1506
1507         free(head_name_to_free);
1508         head_name = head_name_to_free = resolve_refdup("HEAD", 0, NULL, NULL);
1509
1510         if (use_atomic)
1511                 execute_commands_atomic(commands, si);
1512         else
1513                 execute_commands_non_atomic(commands, si);
1514
1515         if (shallow_update)
1516                 warn_if_skipped_connectivity_check(commands, si);
1517 }
1518
1519 static struct command **queue_command(struct command **tail,
1520                                       const char *line,
1521                                       int linelen)
1522 {
1523         struct object_id old_oid, new_oid;
1524         struct command *cmd;
1525         const char *refname;
1526         int reflen;
1527         const char *p;
1528
1529         if (parse_oid_hex(line, &old_oid, &p) ||
1530             *p++ != ' ' ||
1531             parse_oid_hex(p, &new_oid, &p) ||
1532             *p++ != ' ')
1533                 die("protocol error: expected old/new/ref, got '%s'", line);
1534
1535         refname = p;
1536         reflen = linelen - (p - line);
1537         FLEX_ALLOC_MEM(cmd, ref_name, refname, reflen);
1538         oidcpy(&cmd->old_oid, &old_oid);
1539         oidcpy(&cmd->new_oid, &new_oid);
1540         *tail = cmd;
1541         return &cmd->next;
1542 }
1543
1544 static void queue_commands_from_cert(struct command **tail,
1545                                      struct strbuf *push_cert)
1546 {
1547         const char *boc, *eoc;
1548
1549         if (*tail)
1550                 die("protocol error: got both push certificate and unsigned commands");
1551
1552         boc = strstr(push_cert->buf, "\n\n");
1553         if (!boc)
1554                 die("malformed push certificate %.*s", 100, push_cert->buf);
1555         else
1556                 boc += 2;
1557         eoc = push_cert->buf + parse_signature(push_cert->buf, push_cert->len);
1558
1559         while (boc < eoc) {
1560                 const char *eol = memchr(boc, '\n', eoc - boc);
1561                 tail = queue_command(tail, boc, eol ? eol - boc : eoc - boc);
1562                 boc = eol ? eol + 1 : eoc;
1563         }
1564 }
1565
1566 static struct command *read_head_info(struct oid_array *shallow)
1567 {
1568         struct command *commands = NULL;
1569         struct command **p = &commands;
1570         for (;;) {
1571                 char *line;
1572                 int len, linelen;
1573
1574                 line = packet_read_line(0, &len);
1575                 if (!line)
1576                         break;
1577
1578                 if (len > 8 && starts_with(line, "shallow ")) {
1579                         struct object_id oid;
1580                         if (get_oid_hex(line + 8, &oid))
1581                                 die("protocol error: expected shallow sha, got '%s'",
1582                                     line + 8);
1583                         oid_array_append(shallow, &oid);
1584                         continue;
1585                 }
1586
1587                 linelen = strlen(line);
1588                 if (linelen < len) {
1589                         const char *feature_list = line + linelen + 1;
1590                         if (parse_feature_request(feature_list, "report-status"))
1591                                 report_status = 1;
1592                         if (parse_feature_request(feature_list, "side-band-64k"))
1593                                 use_sideband = LARGE_PACKET_MAX;
1594                         if (parse_feature_request(feature_list, "quiet"))
1595                                 quiet = 1;
1596                         if (advertise_atomic_push
1597                             && parse_feature_request(feature_list, "atomic"))
1598                                 use_atomic = 1;
1599                         if (advertise_push_options
1600                             && parse_feature_request(feature_list, "push-options"))
1601                                 use_push_options = 1;
1602                 }
1603
1604                 if (!strcmp(line, "push-cert")) {
1605                         int true_flush = 0;
1606                         char certbuf[1024];
1607
1608                         for (;;) {
1609                                 len = packet_read(0, NULL, NULL,
1610                                                   certbuf, sizeof(certbuf), 0);
1611                                 if (!len) {
1612                                         true_flush = 1;
1613                                         break;
1614                                 }
1615                                 if (!strcmp(certbuf, "push-cert-end\n"))
1616                                         break; /* end of cert */
1617                                 strbuf_addstr(&push_cert, certbuf);
1618                         }
1619
1620                         if (true_flush)
1621                                 break;
1622                         continue;
1623                 }
1624
1625                 p = queue_command(p, line, linelen);
1626         }
1627
1628         if (push_cert.len)
1629                 queue_commands_from_cert(p, &push_cert);
1630
1631         return commands;
1632 }
1633
1634 static void read_push_options(struct string_list *options)
1635 {
1636         while (1) {
1637                 char *line;
1638                 int len;
1639
1640                 line = packet_read_line(0, &len);
1641
1642                 if (!line)
1643                         break;
1644
1645                 string_list_append(options, line);
1646         }
1647 }
1648
1649 static const char *parse_pack_header(struct pack_header *hdr)
1650 {
1651         switch (read_pack_header(0, hdr)) {
1652         case PH_ERROR_EOF:
1653                 return "eof before pack header was fully read";
1654
1655         case PH_ERROR_PACK_SIGNATURE:
1656                 return "protocol error (pack signature mismatch detected)";
1657
1658         case PH_ERROR_PROTOCOL:
1659                 return "protocol error (pack version unsupported)";
1660
1661         default:
1662                 return "unknown error in parse_pack_header";
1663
1664         case 0:
1665                 return NULL;
1666         }
1667 }
1668
1669 static const char *pack_lockfile;
1670
1671 static void push_header_arg(struct argv_array *args, struct pack_header *hdr)
1672 {
1673         argv_array_pushf(args, "--pack_header=%"PRIu32",%"PRIu32,
1674                         ntohl(hdr->hdr_version), ntohl(hdr->hdr_entries));
1675 }
1676
1677 static const char *unpack(int err_fd, struct shallow_info *si)
1678 {
1679         struct pack_header hdr;
1680         const char *hdr_err;
1681         int status;
1682         struct child_process child = CHILD_PROCESS_INIT;
1683         int fsck_objects = (receive_fsck_objects >= 0
1684                             ? receive_fsck_objects
1685                             : transfer_fsck_objects >= 0
1686                             ? transfer_fsck_objects
1687                             : 0);
1688
1689         hdr_err = parse_pack_header(&hdr);
1690         if (hdr_err) {
1691                 if (err_fd > 0)
1692                         close(err_fd);
1693                 return hdr_err;
1694         }
1695
1696         if (si->nr_ours || si->nr_theirs) {
1697                 alt_shallow_file = setup_temporary_shallow(si->shallow);
1698                 argv_array_push(&child.args, "--shallow-file");
1699                 argv_array_push(&child.args, alt_shallow_file);
1700         }
1701
1702         tmp_objdir = tmp_objdir_create();
1703         if (!tmp_objdir) {
1704                 if (err_fd > 0)
1705                         close(err_fd);
1706                 return "unable to create temporary object directory";
1707         }
1708         child.env = tmp_objdir_env(tmp_objdir);
1709
1710         /*
1711          * Normally we just pass the tmp_objdir environment to the child
1712          * processes that do the heavy lifting, but we may need to see these
1713          * objects ourselves to set up shallow information.
1714          */
1715         tmp_objdir_add_as_alternate(tmp_objdir);
1716
1717         if (ntohl(hdr.hdr_entries) < unpack_limit) {
1718                 argv_array_push(&child.args, "unpack-objects");
1719                 push_header_arg(&child.args, &hdr);
1720                 if (quiet)
1721                         argv_array_push(&child.args, "-q");
1722                 if (fsck_objects)
1723                         argv_array_pushf(&child.args, "--strict%s",
1724                                 fsck_msg_types.buf);
1725                 if (max_input_size)
1726                         argv_array_pushf(&child.args, "--max-input-size=%"PRIuMAX,
1727                                 (uintmax_t)max_input_size);
1728                 child.no_stdout = 1;
1729                 child.err = err_fd;
1730                 child.git_cmd = 1;
1731                 status = run_command(&child);
1732                 if (status)
1733                         return "unpack-objects abnormal exit";
1734         } else {
1735                 char hostname[HOST_NAME_MAX + 1];
1736
1737                 argv_array_pushl(&child.args, "index-pack", "--stdin", NULL);
1738                 push_header_arg(&child.args, &hdr);
1739
1740                 if (xgethostname(hostname, sizeof(hostname)))
1741                         xsnprintf(hostname, sizeof(hostname), "localhost");
1742                 argv_array_pushf(&child.args,
1743                                  "--keep=receive-pack %"PRIuMAX" on %s",
1744                                  (uintmax_t)getpid(),
1745                                  hostname);
1746
1747                 if (!quiet && err_fd)
1748                         argv_array_push(&child.args, "--show-resolving-progress");
1749                 if (use_sideband)
1750                         argv_array_push(&child.args, "--report-end-of-input");
1751                 if (fsck_objects)
1752                         argv_array_pushf(&child.args, "--strict%s",
1753                                 fsck_msg_types.buf);
1754                 if (!reject_thin)
1755                         argv_array_push(&child.args, "--fix-thin");
1756                 if (max_input_size)
1757                         argv_array_pushf(&child.args, "--max-input-size=%"PRIuMAX,
1758                                 (uintmax_t)max_input_size);
1759                 child.out = -1;
1760                 child.err = err_fd;
1761                 child.git_cmd = 1;
1762                 status = start_command(&child);
1763                 if (status)
1764                         return "index-pack fork failed";
1765                 pack_lockfile = index_pack_lockfile(child.out);
1766                 close(child.out);
1767                 status = finish_command(&child);
1768                 if (status)
1769                         return "index-pack abnormal exit";
1770                 reprepare_packed_git(the_repository);
1771         }
1772         return NULL;
1773 }
1774
1775 static const char *unpack_with_sideband(struct shallow_info *si)
1776 {
1777         struct async muxer;
1778         const char *ret;
1779
1780         if (!use_sideband)
1781                 return unpack(0, si);
1782
1783         use_keepalive = KEEPALIVE_AFTER_NUL;
1784         memset(&muxer, 0, sizeof(muxer));
1785         muxer.proc = copy_to_sideband;
1786         muxer.in = -1;
1787         if (start_async(&muxer))
1788                 return NULL;
1789
1790         ret = unpack(muxer.in, si);
1791
1792         finish_async(&muxer);
1793         return ret;
1794 }
1795
1796 static void prepare_shallow_update(struct command *commands,
1797                                    struct shallow_info *si)
1798 {
1799         int i, j, k, bitmap_size = DIV_ROUND_UP(si->ref->nr, 32);
1800
1801         ALLOC_ARRAY(si->used_shallow, si->shallow->nr);
1802         assign_shallow_commits_to_refs(si, si->used_shallow, NULL);
1803
1804         si->need_reachability_test =
1805                 xcalloc(si->shallow->nr, sizeof(*si->need_reachability_test));
1806         si->reachable =
1807                 xcalloc(si->shallow->nr, sizeof(*si->reachable));
1808         si->shallow_ref = xcalloc(si->ref->nr, sizeof(*si->shallow_ref));
1809
1810         for (i = 0; i < si->nr_ours; i++)
1811                 si->need_reachability_test[si->ours[i]] = 1;
1812
1813         for (i = 0; i < si->shallow->nr; i++) {
1814                 if (!si->used_shallow[i])
1815                         continue;
1816                 for (j = 0; j < bitmap_size; j++) {
1817                         if (!si->used_shallow[i][j])
1818                                 continue;
1819                         si->need_reachability_test[i]++;
1820                         for (k = 0; k < 32; k++)
1821                                 if (si->used_shallow[i][j] & (1U << k))
1822                                         si->shallow_ref[j * 32 + k]++;
1823                 }
1824
1825                 /*
1826                  * true for those associated with some refs and belong
1827                  * in "ours" list aka "step 7 not done yet"
1828                  */
1829                 si->need_reachability_test[i] =
1830                         si->need_reachability_test[i] > 1;
1831         }
1832
1833         /*
1834          * keep hooks happy by forcing a temporary shallow file via
1835          * env variable because we can't add --shallow-file to every
1836          * command. check_connected() will be done with
1837          * true .git/shallow though.
1838          */
1839         setenv(GIT_SHALLOW_FILE_ENVIRONMENT, alt_shallow_file, 1);
1840 }
1841
1842 static void update_shallow_info(struct command *commands,
1843                                 struct shallow_info *si,
1844                                 struct oid_array *ref)
1845 {
1846         struct command *cmd;
1847         int *ref_status;
1848         remove_nonexistent_theirs_shallow(si);
1849         if (!si->nr_ours && !si->nr_theirs) {
1850                 shallow_update = 0;
1851                 return;
1852         }
1853
1854         for (cmd = commands; cmd; cmd = cmd->next) {
1855                 if (is_null_oid(&cmd->new_oid))
1856                         continue;
1857                 oid_array_append(ref, &cmd->new_oid);
1858                 cmd->index = ref->nr - 1;
1859         }
1860         si->ref = ref;
1861
1862         if (shallow_update) {
1863                 prepare_shallow_update(commands, si);
1864                 return;
1865         }
1866
1867         ALLOC_ARRAY(ref_status, ref->nr);
1868         assign_shallow_commits_to_refs(si, NULL, ref_status);
1869         for (cmd = commands; cmd; cmd = cmd->next) {
1870                 if (is_null_oid(&cmd->new_oid))
1871                         continue;
1872                 if (ref_status[cmd->index]) {
1873                         cmd->error_string = "shallow update not allowed";
1874                         cmd->skip_update = 1;
1875                 }
1876         }
1877         free(ref_status);
1878 }
1879
1880 static void report(struct command *commands, const char *unpack_status)
1881 {
1882         struct command *cmd;
1883         struct strbuf buf = STRBUF_INIT;
1884
1885         packet_buf_write(&buf, "unpack %s\n",
1886                          unpack_status ? unpack_status : "ok");
1887         for (cmd = commands; cmd; cmd = cmd->next) {
1888                 if (!cmd->error_string)
1889                         packet_buf_write(&buf, "ok %s\n",
1890                                          cmd->ref_name);
1891                 else
1892                         packet_buf_write(&buf, "ng %s %s\n",
1893                                          cmd->ref_name, cmd->error_string);
1894         }
1895         packet_buf_flush(&buf);
1896
1897         if (use_sideband)
1898                 send_sideband(1, 1, buf.buf, buf.len, use_sideband);
1899         else
1900                 write_or_die(1, buf.buf, buf.len);
1901         strbuf_release(&buf);
1902 }
1903
1904 static int delete_only(struct command *commands)
1905 {
1906         struct command *cmd;
1907         for (cmd = commands; cmd; cmd = cmd->next) {
1908                 if (!is_null_oid(&cmd->new_oid))
1909                         return 0;
1910         }
1911         return 1;
1912 }
1913
1914 int cmd_receive_pack(int argc, const char **argv, const char *prefix)
1915 {
1916         int advertise_refs = 0;
1917         struct command *commands;
1918         struct oid_array shallow = OID_ARRAY_INIT;
1919         struct oid_array ref = OID_ARRAY_INIT;
1920         struct shallow_info si;
1921
1922         struct option options[] = {
1923                 OPT__QUIET(&quiet, N_("quiet")),
1924                 OPT_HIDDEN_BOOL(0, "stateless-rpc", &stateless_rpc, NULL),
1925                 OPT_HIDDEN_BOOL(0, "advertise-refs", &advertise_refs, NULL),
1926                 OPT_HIDDEN_BOOL(0, "reject-thin-pack-for-testing", &reject_thin, NULL),
1927                 OPT_END()
1928         };
1929
1930         packet_trace_identity("receive-pack");
1931
1932         argc = parse_options(argc, argv, prefix, options, receive_pack_usage, 0);
1933
1934         if (argc > 1)
1935                 usage_msg_opt(_("Too many arguments."), receive_pack_usage, options);
1936         if (argc == 0)
1937                 usage_msg_opt(_("You must specify a directory."), receive_pack_usage, options);
1938
1939         service_dir = argv[0];
1940
1941         setup_path();
1942
1943         if (!enter_repo(service_dir, 0))
1944                 die("'%s' does not appear to be a git repository", service_dir);
1945
1946         git_config(receive_pack_config, NULL);
1947         if (cert_nonce_seed)
1948                 push_cert_nonce = prepare_push_cert_nonce(service_dir, time(NULL));
1949
1950         if (0 <= transfer_unpack_limit)
1951                 unpack_limit = transfer_unpack_limit;
1952         else if (0 <= receive_unpack_limit)
1953                 unpack_limit = receive_unpack_limit;
1954
1955         switch (determine_protocol_version_server()) {
1956         case protocol_v2:
1957                 /*
1958                  * push support for protocol v2 has not been implemented yet,
1959                  * so ignore the request to use v2 and fallback to using v0.
1960                  */
1961                 break;
1962         case protocol_v1:
1963                 /*
1964                  * v1 is just the original protocol with a version string,
1965                  * so just fall through after writing the version string.
1966                  */
1967                 if (advertise_refs || !stateless_rpc)
1968                         packet_write_fmt(1, "version 1\n");
1969
1970                 /* fallthrough */
1971         case protocol_v0:
1972                 break;
1973         case protocol_unknown_version:
1974                 BUG("unknown protocol version");
1975         }
1976
1977         if (advertise_refs || !stateless_rpc) {
1978                 write_head_info();
1979         }
1980         if (advertise_refs)
1981                 return 0;
1982
1983         if ((commands = read_head_info(&shallow)) != NULL) {
1984                 const char *unpack_status = NULL;
1985                 struct string_list push_options = STRING_LIST_INIT_DUP;
1986
1987                 if (use_push_options)
1988                         read_push_options(&push_options);
1989                 if (!check_cert_push_options(&push_options)) {
1990                         struct command *cmd;
1991                         for (cmd = commands; cmd; cmd = cmd->next)
1992                                 cmd->error_string = "inconsistent push options";
1993                 }
1994
1995                 prepare_shallow_info(&si, &shallow);
1996                 if (!si.nr_ours && !si.nr_theirs)
1997                         shallow_update = 0;
1998                 if (!delete_only(commands)) {
1999                         unpack_status = unpack_with_sideband(&si);
2000                         update_shallow_info(commands, &si, &ref);
2001                 }
2002                 use_keepalive = KEEPALIVE_ALWAYS;
2003                 execute_commands(commands, unpack_status, &si,
2004                                  &push_options);
2005                 if (pack_lockfile)
2006                         unlink_or_warn(pack_lockfile);
2007                 if (report_status)
2008                         report(commands, unpack_status);
2009                 run_receive_hook(commands, "post-receive", 1,
2010                                  &push_options);
2011                 run_update_post_hook(commands);
2012                 string_list_clear(&push_options, 0);
2013                 if (auto_gc) {
2014                         const char *argv_gc_auto[] = {
2015                                 "gc", "--auto", "--quiet", NULL,
2016                         };
2017                         struct child_process proc = CHILD_PROCESS_INIT;
2018
2019                         proc.no_stdin = 1;
2020                         proc.stdout_to_stderr = 1;
2021                         proc.err = use_sideband ? -1 : 0;
2022                         proc.git_cmd = 1;
2023                         proc.argv = argv_gc_auto;
2024
2025                         close_all_packs(the_repository->objects);
2026                         if (!start_command(&proc)) {
2027                                 if (use_sideband)
2028                                         copy_to_sideband(proc.err, -1, NULL);
2029                                 finish_command(&proc);
2030                         }
2031                 }
2032                 if (auto_update_server_info)
2033                         update_server_info(0);
2034                 clear_shallow_info(&si);
2035         }
2036         if (use_sideband)
2037                 packet_flush(1);
2038         oid_array_clear(&shallow);
2039         oid_array_clear(&ref);
2040         free((void *)push_cert_nonce);
2041         return 0;
2042 }