Merge branch 'tb/reset-shallow'
[git] / builtin / receive-pack.c
1 #include "builtin.h"
2 #include "repository.h"
3 #include "config.h"
4 #include "lockfile.h"
5 #include "pack.h"
6 #include "refs.h"
7 #include "pkt-line.h"
8 #include "sideband.h"
9 #include "run-command.h"
10 #include "exec-cmd.h"
11 #include "commit.h"
12 #include "object.h"
13 #include "remote.h"
14 #include "connect.h"
15 #include "string-list.h"
16 #include "oid-array.h"
17 #include "connected.h"
18 #include "argv-array.h"
19 #include "version.h"
20 #include "tag.h"
21 #include "gpg-interface.h"
22 #include "sigchain.h"
23 #include "fsck.h"
24 #include "tmp-objdir.h"
25 #include "oidset.h"
26 #include "packfile.h"
27 #include "object-store.h"
28 #include "protocol.h"
29 #include "commit-reach.h"
30 #include "worktree.h"
31
32 static const char * const receive_pack_usage[] = {
33         N_("git receive-pack <git-dir>"),
34         NULL
35 };
36
37 enum deny_action {
38         DENY_UNCONFIGURED,
39         DENY_IGNORE,
40         DENY_WARN,
41         DENY_REFUSE,
42         DENY_UPDATE_INSTEAD
43 };
44
45 static int deny_deletes;
46 static int deny_non_fast_forwards;
47 static enum deny_action deny_current_branch = DENY_UNCONFIGURED;
48 static enum deny_action deny_delete_current = DENY_UNCONFIGURED;
49 static int receive_fsck_objects = -1;
50 static int transfer_fsck_objects = -1;
51 static struct strbuf fsck_msg_types = STRBUF_INIT;
52 static int receive_unpack_limit = -1;
53 static int transfer_unpack_limit = -1;
54 static int advertise_atomic_push = 1;
55 static int advertise_push_options;
56 static int unpack_limit = 100;
57 static off_t max_input_size;
58 static int report_status;
59 static int use_sideband;
60 static int use_atomic;
61 static int use_push_options;
62 static int quiet;
63 static int prefer_ofs_delta = 1;
64 static int auto_update_server_info;
65 static int auto_gc = 1;
66 static int reject_thin;
67 static int stateless_rpc;
68 static const char *service_dir;
69 static const char *head_name;
70 static void *head_name_to_free;
71 static int sent_capabilities;
72 static int shallow_update;
73 static const char *alt_shallow_file;
74 static struct strbuf push_cert = STRBUF_INIT;
75 static struct object_id push_cert_oid;
76 static struct signature_check sigcheck;
77 static const char *push_cert_nonce;
78 static const char *cert_nonce_seed;
79
80 static const char *NONCE_UNSOLICITED = "UNSOLICITED";
81 static const char *NONCE_BAD = "BAD";
82 static const char *NONCE_MISSING = "MISSING";
83 static const char *NONCE_OK = "OK";
84 static const char *NONCE_SLOP = "SLOP";
85 static const char *nonce_status;
86 static long nonce_stamp_slop;
87 static timestamp_t nonce_stamp_slop_limit;
88 static struct ref_transaction *transaction;
89
90 static enum {
91         KEEPALIVE_NEVER = 0,
92         KEEPALIVE_AFTER_NUL,
93         KEEPALIVE_ALWAYS
94 } use_keepalive;
95 static int keepalive_in_sec = 5;
96
97 static struct tmp_objdir *tmp_objdir;
98
99 static enum deny_action parse_deny_action(const char *var, const char *value)
100 {
101         if (value) {
102                 if (!strcasecmp(value, "ignore"))
103                         return DENY_IGNORE;
104                 if (!strcasecmp(value, "warn"))
105                         return DENY_WARN;
106                 if (!strcasecmp(value, "refuse"))
107                         return DENY_REFUSE;
108                 if (!strcasecmp(value, "updateinstead"))
109                         return DENY_UPDATE_INSTEAD;
110         }
111         if (git_config_bool(var, value))
112                 return DENY_REFUSE;
113         return DENY_IGNORE;
114 }
115
116 static int receive_pack_config(const char *var, const char *value, void *cb)
117 {
118         int status = parse_hide_refs_config(var, value, "receive");
119
120         if (status)
121                 return status;
122
123         if (strcmp(var, "receive.denydeletes") == 0) {
124                 deny_deletes = git_config_bool(var, value);
125                 return 0;
126         }
127
128         if (strcmp(var, "receive.denynonfastforwards") == 0) {
129                 deny_non_fast_forwards = git_config_bool(var, value);
130                 return 0;
131         }
132
133         if (strcmp(var, "receive.unpacklimit") == 0) {
134                 receive_unpack_limit = git_config_int(var, value);
135                 return 0;
136         }
137
138         if (strcmp(var, "transfer.unpacklimit") == 0) {
139                 transfer_unpack_limit = git_config_int(var, value);
140                 return 0;
141         }
142
143         if (strcmp(var, "receive.fsck.skiplist") == 0) {
144                 const char *path;
145
146                 if (git_config_pathname(&path, var, value))
147                         return 1;
148                 strbuf_addf(&fsck_msg_types, "%cskiplist=%s",
149                         fsck_msg_types.len ? ',' : '=', path);
150                 free((char *)path);
151                 return 0;
152         }
153
154         if (skip_prefix(var, "receive.fsck.", &var)) {
155                 if (is_valid_msg_type(var, value))
156                         strbuf_addf(&fsck_msg_types, "%c%s=%s",
157                                 fsck_msg_types.len ? ',' : '=', var, value);
158                 else
159                         warning("Skipping unknown msg id '%s'", var);
160                 return 0;
161         }
162
163         if (strcmp(var, "receive.fsckobjects") == 0) {
164                 receive_fsck_objects = git_config_bool(var, value);
165                 return 0;
166         }
167
168         if (strcmp(var, "transfer.fsckobjects") == 0) {
169                 transfer_fsck_objects = git_config_bool(var, value);
170                 return 0;
171         }
172
173         if (!strcmp(var, "receive.denycurrentbranch")) {
174                 deny_current_branch = parse_deny_action(var, value);
175                 return 0;
176         }
177
178         if (strcmp(var, "receive.denydeletecurrent") == 0) {
179                 deny_delete_current = parse_deny_action(var, value);
180                 return 0;
181         }
182
183         if (strcmp(var, "repack.usedeltabaseoffset") == 0) {
184                 prefer_ofs_delta = git_config_bool(var, value);
185                 return 0;
186         }
187
188         if (strcmp(var, "receive.updateserverinfo") == 0) {
189                 auto_update_server_info = git_config_bool(var, value);
190                 return 0;
191         }
192
193         if (strcmp(var, "receive.autogc") == 0) {
194                 auto_gc = git_config_bool(var, value);
195                 return 0;
196         }
197
198         if (strcmp(var, "receive.shallowupdate") == 0) {
199                 shallow_update = git_config_bool(var, value);
200                 return 0;
201         }
202
203         if (strcmp(var, "receive.certnonceseed") == 0)
204                 return git_config_string(&cert_nonce_seed, var, value);
205
206         if (strcmp(var, "receive.certnonceslop") == 0) {
207                 nonce_stamp_slop_limit = git_config_ulong(var, value);
208                 return 0;
209         }
210
211         if (strcmp(var, "receive.advertiseatomic") == 0) {
212                 advertise_atomic_push = git_config_bool(var, value);
213                 return 0;
214         }
215
216         if (strcmp(var, "receive.advertisepushoptions") == 0) {
217                 advertise_push_options = git_config_bool(var, value);
218                 return 0;
219         }
220
221         if (strcmp(var, "receive.keepalive") == 0) {
222                 keepalive_in_sec = git_config_int(var, value);
223                 return 0;
224         }
225
226         if (strcmp(var, "receive.maxinputsize") == 0) {
227                 max_input_size = git_config_int64(var, value);
228                 return 0;
229         }
230
231         return git_default_config(var, value, cb);
232 }
233
234 static void show_ref(const char *path, const struct object_id *oid)
235 {
236         if (sent_capabilities) {
237                 packet_write_fmt(1, "%s %s\n", oid_to_hex(oid), path);
238         } else {
239                 struct strbuf cap = STRBUF_INIT;
240
241                 strbuf_addstr(&cap,
242                               "report-status delete-refs side-band-64k quiet");
243                 if (advertise_atomic_push)
244                         strbuf_addstr(&cap, " atomic");
245                 if (prefer_ofs_delta)
246                         strbuf_addstr(&cap, " ofs-delta");
247                 if (push_cert_nonce)
248                         strbuf_addf(&cap, " push-cert=%s", push_cert_nonce);
249                 if (advertise_push_options)
250                         strbuf_addstr(&cap, " push-options");
251                 strbuf_addf(&cap, " agent=%s", git_user_agent_sanitized());
252                 packet_write_fmt(1, "%s %s%c%s\n",
253                              oid_to_hex(oid), path, 0, cap.buf);
254                 strbuf_release(&cap);
255                 sent_capabilities = 1;
256         }
257 }
258
259 static int show_ref_cb(const char *path_full, const struct object_id *oid,
260                        int flag, void *data)
261 {
262         struct oidset *seen = data;
263         const char *path = strip_namespace(path_full);
264
265         if (ref_is_hidden(path, path_full))
266                 return 0;
267
268         /*
269          * Advertise refs outside our current namespace as ".have"
270          * refs, so that the client can use them to minimize data
271          * transfer but will otherwise ignore them.
272          */
273         if (!path) {
274                 if (oidset_insert(seen, oid))
275                         return 0;
276                 path = ".have";
277         } else {
278                 oidset_insert(seen, oid);
279         }
280         show_ref(path, oid);
281         return 0;
282 }
283
284 static void show_one_alternate_ref(const struct object_id *oid,
285                                    void *data)
286 {
287         struct oidset *seen = data;
288
289         if (oidset_insert(seen, oid))
290                 return;
291
292         show_ref(".have", oid);
293 }
294
295 static void write_head_info(void)
296 {
297         static struct oidset seen = OIDSET_INIT;
298
299         for_each_ref(show_ref_cb, &seen);
300         for_each_alternate_ref(show_one_alternate_ref, &seen);
301         oidset_clear(&seen);
302         if (!sent_capabilities)
303                 show_ref("capabilities^{}", &null_oid);
304
305         advertise_shallow_grafts(1);
306
307         /* EOF */
308         packet_flush(1);
309 }
310
311 struct command {
312         struct command *next;
313         const char *error_string;
314         unsigned int skip_update:1,
315                      did_not_exist:1;
316         int index;
317         struct object_id old_oid;
318         struct object_id new_oid;
319         char ref_name[FLEX_ARRAY]; /* more */
320 };
321
322 static void rp_error(const char *err, ...) __attribute__((format (printf, 1, 2)));
323 static void rp_warning(const char *err, ...) __attribute__((format (printf, 1, 2)));
324
325 static void report_message(const char *prefix, const char *err, va_list params)
326 {
327         int sz;
328         char msg[4096];
329
330         sz = xsnprintf(msg, sizeof(msg), "%s", prefix);
331         sz += vsnprintf(msg + sz, sizeof(msg) - sz, err, params);
332         if (sz > (sizeof(msg) - 1))
333                 sz = sizeof(msg) - 1;
334         msg[sz++] = '\n';
335
336         if (use_sideband)
337                 send_sideband(1, 2, msg, sz, use_sideband);
338         else
339                 xwrite(2, msg, sz);
340 }
341
342 static void rp_warning(const char *err, ...)
343 {
344         va_list params;
345         va_start(params, err);
346         report_message("warning: ", err, params);
347         va_end(params);
348 }
349
350 static void rp_error(const char *err, ...)
351 {
352         va_list params;
353         va_start(params, err);
354         report_message("error: ", err, params);
355         va_end(params);
356 }
357
358 static int copy_to_sideband(int in, int out, void *arg)
359 {
360         char data[128];
361         int keepalive_active = 0;
362
363         if (keepalive_in_sec <= 0)
364                 use_keepalive = KEEPALIVE_NEVER;
365         if (use_keepalive == KEEPALIVE_ALWAYS)
366                 keepalive_active = 1;
367
368         while (1) {
369                 ssize_t sz;
370
371                 if (keepalive_active) {
372                         struct pollfd pfd;
373                         int ret;
374
375                         pfd.fd = in;
376                         pfd.events = POLLIN;
377                         ret = poll(&pfd, 1, 1000 * keepalive_in_sec);
378
379                         if (ret < 0) {
380                                 if (errno == EINTR)
381                                         continue;
382                                 else
383                                         break;
384                         } else if (ret == 0) {
385                                 /* no data; send a keepalive packet */
386                                 static const char buf[] = "0005\1";
387                                 write_or_die(1, buf, sizeof(buf) - 1);
388                                 continue;
389                         } /* else there is actual data to read */
390                 }
391
392                 sz = xread(in, data, sizeof(data));
393                 if (sz <= 0)
394                         break;
395
396                 if (use_keepalive == KEEPALIVE_AFTER_NUL && !keepalive_active) {
397                         const char *p = memchr(data, '\0', sz);
398                         if (p) {
399                                 /*
400                                  * The NUL tells us to start sending keepalives. Make
401                                  * sure we send any other data we read along
402                                  * with it.
403                                  */
404                                 keepalive_active = 1;
405                                 send_sideband(1, 2, data, p - data, use_sideband);
406                                 send_sideband(1, 2, p + 1, sz - (p - data + 1), use_sideband);
407                                 continue;
408                         }
409                 }
410
411                 /*
412                  * Either we're not looking for a NUL signal, or we didn't see
413                  * it yet; just pass along the data.
414                  */
415                 send_sideband(1, 2, data, sz, use_sideband);
416         }
417         close(in);
418         return 0;
419 }
420
421 static void hmac(unsigned char *out,
422                       const char *key_in, size_t key_len,
423                       const char *text, size_t text_len)
424 {
425         unsigned char key[GIT_MAX_BLKSZ];
426         unsigned char k_ipad[GIT_MAX_BLKSZ];
427         unsigned char k_opad[GIT_MAX_BLKSZ];
428         int i;
429         git_hash_ctx ctx;
430
431         /* RFC 2104 2. (1) */
432         memset(key, '\0', GIT_MAX_BLKSZ);
433         if (the_hash_algo->blksz < key_len) {
434                 the_hash_algo->init_fn(&ctx);
435                 the_hash_algo->update_fn(&ctx, key_in, key_len);
436                 the_hash_algo->final_fn(key, &ctx);
437         } else {
438                 memcpy(key, key_in, key_len);
439         }
440
441         /* RFC 2104 2. (2) & (5) */
442         for (i = 0; i < sizeof(key); i++) {
443                 k_ipad[i] = key[i] ^ 0x36;
444                 k_opad[i] = key[i] ^ 0x5c;
445         }
446
447         /* RFC 2104 2. (3) & (4) */
448         the_hash_algo->init_fn(&ctx);
449         the_hash_algo->update_fn(&ctx, k_ipad, sizeof(k_ipad));
450         the_hash_algo->update_fn(&ctx, text, text_len);
451         the_hash_algo->final_fn(out, &ctx);
452
453         /* RFC 2104 2. (6) & (7) */
454         the_hash_algo->init_fn(&ctx);
455         the_hash_algo->update_fn(&ctx, k_opad, sizeof(k_opad));
456         the_hash_algo->update_fn(&ctx, out, the_hash_algo->rawsz);
457         the_hash_algo->final_fn(out, &ctx);
458 }
459
460 static char *prepare_push_cert_nonce(const char *path, timestamp_t stamp)
461 {
462         struct strbuf buf = STRBUF_INIT;
463         unsigned char hash[GIT_MAX_RAWSZ];
464
465         strbuf_addf(&buf, "%s:%"PRItime, path, stamp);
466         hmac(hash, buf.buf, buf.len, cert_nonce_seed, strlen(cert_nonce_seed));
467         strbuf_release(&buf);
468
469         /* RFC 2104 5. HMAC-SHA1-80 */
470         strbuf_addf(&buf, "%"PRItime"-%.*s", stamp, (int)the_hash_algo->hexsz, hash_to_hex(hash));
471         return strbuf_detach(&buf, NULL);
472 }
473
474 /*
475  * NEEDSWORK: reuse find_commit_header() from jk/commit-author-parsing
476  * after dropping "_commit" from its name and possibly moving it out
477  * of commit.c
478  */
479 static char *find_header(const char *msg, size_t len, const char *key,
480                          const char **next_line)
481 {
482         int key_len = strlen(key);
483         const char *line = msg;
484
485         while (line && line < msg + len) {
486                 const char *eol = strchrnul(line, '\n');
487
488                 if ((msg + len <= eol) || line == eol)
489                         return NULL;
490                 if (line + key_len < eol &&
491                     !memcmp(line, key, key_len) && line[key_len] == ' ') {
492                         int offset = key_len + 1;
493                         if (next_line)
494                                 *next_line = *eol ? eol + 1 : eol;
495                         return xmemdupz(line + offset, (eol - line) - offset);
496                 }
497                 line = *eol ? eol + 1 : NULL;
498         }
499         return NULL;
500 }
501
502 /*
503  * Return zero if a and b are equal up to n bytes and nonzero if they are not.
504  * This operation is guaranteed to run in constant time to avoid leaking data.
505  */
506 static int constant_memequal(const char *a, const char *b, size_t n)
507 {
508         int res = 0;
509         size_t i;
510
511         for (i = 0; i < n; i++)
512                 res |= a[i] ^ b[i];
513         return res;
514 }
515
516 static const char *check_nonce(const char *buf, size_t len)
517 {
518         char *nonce = find_header(buf, len, "nonce", NULL);
519         timestamp_t stamp, ostamp;
520         char *bohmac, *expect = NULL;
521         const char *retval = NONCE_BAD;
522         size_t noncelen;
523
524         if (!nonce) {
525                 retval = NONCE_MISSING;
526                 goto leave;
527         } else if (!push_cert_nonce) {
528                 retval = NONCE_UNSOLICITED;
529                 goto leave;
530         } else if (!strcmp(push_cert_nonce, nonce)) {
531                 retval = NONCE_OK;
532                 goto leave;
533         }
534
535         if (!stateless_rpc) {
536                 /* returned nonce MUST match what we gave out earlier */
537                 retval = NONCE_BAD;
538                 goto leave;
539         }
540
541         /*
542          * In stateless mode, we may be receiving a nonce issued by
543          * another instance of the server that serving the same
544          * repository, and the timestamps may not match, but the
545          * nonce-seed and dir should match, so we can recompute and
546          * report the time slop.
547          *
548          * In addition, when a nonce issued by another instance has
549          * timestamp within receive.certnonceslop seconds, we pretend
550          * as if we issued that nonce when reporting to the hook.
551          */
552
553         /* nonce is concat(<seconds-since-epoch>, "-", <hmac>) */
554         if (*nonce <= '0' || '9' < *nonce) {
555                 retval = NONCE_BAD;
556                 goto leave;
557         }
558         stamp = parse_timestamp(nonce, &bohmac, 10);
559         if (bohmac == nonce || bohmac[0] != '-') {
560                 retval = NONCE_BAD;
561                 goto leave;
562         }
563
564         noncelen = strlen(nonce);
565         expect = prepare_push_cert_nonce(service_dir, stamp);
566         if (noncelen != strlen(expect)) {
567                 /* This is not even the right size. */
568                 retval = NONCE_BAD;
569                 goto leave;
570         }
571         if (constant_memequal(expect, nonce, noncelen)) {
572                 /* Not what we would have signed earlier */
573                 retval = NONCE_BAD;
574                 goto leave;
575         }
576
577         /*
578          * By how many seconds is this nonce stale?  Negative value
579          * would mean it was issued by another server with its clock
580          * skewed in the future.
581          */
582         ostamp = parse_timestamp(push_cert_nonce, NULL, 10);
583         nonce_stamp_slop = (long)ostamp - (long)stamp;
584
585         if (nonce_stamp_slop_limit &&
586             labs(nonce_stamp_slop) <= nonce_stamp_slop_limit) {
587                 /*
588                  * Pretend as if the received nonce (which passes the
589                  * HMAC check, so it is not a forged by third-party)
590                  * is what we issued.
591                  */
592                 free((void *)push_cert_nonce);
593                 push_cert_nonce = xstrdup(nonce);
594                 retval = NONCE_OK;
595         } else {
596                 retval = NONCE_SLOP;
597         }
598
599 leave:
600         free(nonce);
601         free(expect);
602         return retval;
603 }
604
605 /*
606  * Return 1 if there is no push_cert or if the push options in push_cert are
607  * the same as those in the argument; 0 otherwise.
608  */
609 static int check_cert_push_options(const struct string_list *push_options)
610 {
611         const char *buf = push_cert.buf;
612         int len = push_cert.len;
613
614         char *option;
615         const char *next_line;
616         int options_seen = 0;
617
618         int retval = 1;
619
620         if (!len)
621                 return 1;
622
623         while ((option = find_header(buf, len, "push-option", &next_line))) {
624                 len -= (next_line - buf);
625                 buf = next_line;
626                 options_seen++;
627                 if (options_seen > push_options->nr
628                     || strcmp(option,
629                               push_options->items[options_seen - 1].string)) {
630                         retval = 0;
631                         goto leave;
632                 }
633                 free(option);
634         }
635
636         if (options_seen != push_options->nr)
637                 retval = 0;
638
639 leave:
640         free(option);
641         return retval;
642 }
643
644 static void prepare_push_cert_sha1(struct child_process *proc)
645 {
646         static int already_done;
647
648         if (!push_cert.len)
649                 return;
650
651         if (!already_done) {
652                 int bogs /* beginning_of_gpg_sig */;
653
654                 already_done = 1;
655                 if (write_object_file(push_cert.buf, push_cert.len, "blob",
656                                       &push_cert_oid))
657                         oidclr(&push_cert_oid);
658
659                 memset(&sigcheck, '\0', sizeof(sigcheck));
660
661                 bogs = parse_signature(push_cert.buf, push_cert.len);
662                 check_signature(push_cert.buf, bogs, push_cert.buf + bogs,
663                                 push_cert.len - bogs, &sigcheck);
664
665                 nonce_status = check_nonce(push_cert.buf, bogs);
666         }
667         if (!is_null_oid(&push_cert_oid)) {
668                 argv_array_pushf(&proc->env_array, "GIT_PUSH_CERT=%s",
669                                  oid_to_hex(&push_cert_oid));
670                 argv_array_pushf(&proc->env_array, "GIT_PUSH_CERT_SIGNER=%s",
671                                  sigcheck.signer ? sigcheck.signer : "");
672                 argv_array_pushf(&proc->env_array, "GIT_PUSH_CERT_KEY=%s",
673                                  sigcheck.key ? sigcheck.key : "");
674                 argv_array_pushf(&proc->env_array, "GIT_PUSH_CERT_STATUS=%c",
675                                  sigcheck.result);
676                 if (push_cert_nonce) {
677                         argv_array_pushf(&proc->env_array,
678                                          "GIT_PUSH_CERT_NONCE=%s",
679                                          push_cert_nonce);
680                         argv_array_pushf(&proc->env_array,
681                                          "GIT_PUSH_CERT_NONCE_STATUS=%s",
682                                          nonce_status);
683                         if (nonce_status == NONCE_SLOP)
684                                 argv_array_pushf(&proc->env_array,
685                                                  "GIT_PUSH_CERT_NONCE_SLOP=%ld",
686                                                  nonce_stamp_slop);
687                 }
688         }
689 }
690
691 struct receive_hook_feed_state {
692         struct command *cmd;
693         int skip_broken;
694         struct strbuf buf;
695         const struct string_list *push_options;
696 };
697
698 typedef int (*feed_fn)(void *, const char **, size_t *);
699 static int run_and_feed_hook(const char *hook_name, feed_fn feed,
700                              struct receive_hook_feed_state *feed_state)
701 {
702         struct child_process proc = CHILD_PROCESS_INIT;
703         struct async muxer;
704         const char *argv[2];
705         int code;
706
707         argv[0] = find_hook(hook_name);
708         if (!argv[0])
709                 return 0;
710
711         argv[1] = NULL;
712
713         proc.argv = argv;
714         proc.in = -1;
715         proc.stdout_to_stderr = 1;
716         proc.trace2_hook_name = hook_name;
717
718         if (feed_state->push_options) {
719                 int i;
720                 for (i = 0; i < feed_state->push_options->nr; i++)
721                         argv_array_pushf(&proc.env_array,
722                                 "GIT_PUSH_OPTION_%d=%s", i,
723                                 feed_state->push_options->items[i].string);
724                 argv_array_pushf(&proc.env_array, "GIT_PUSH_OPTION_COUNT=%d",
725                                  feed_state->push_options->nr);
726         } else
727                 argv_array_pushf(&proc.env_array, "GIT_PUSH_OPTION_COUNT");
728
729         if (tmp_objdir)
730                 argv_array_pushv(&proc.env_array, tmp_objdir_env(tmp_objdir));
731
732         if (use_sideband) {
733                 memset(&muxer, 0, sizeof(muxer));
734                 muxer.proc = copy_to_sideband;
735                 muxer.in = -1;
736                 code = start_async(&muxer);
737                 if (code)
738                         return code;
739                 proc.err = muxer.in;
740         }
741
742         prepare_push_cert_sha1(&proc);
743
744         code = start_command(&proc);
745         if (code) {
746                 if (use_sideband)
747                         finish_async(&muxer);
748                 return code;
749         }
750
751         sigchain_push(SIGPIPE, SIG_IGN);
752
753         while (1) {
754                 const char *buf;
755                 size_t n;
756                 if (feed(feed_state, &buf, &n))
757                         break;
758                 if (write_in_full(proc.in, buf, n) < 0)
759                         break;
760         }
761         close(proc.in);
762         if (use_sideband)
763                 finish_async(&muxer);
764
765         sigchain_pop(SIGPIPE);
766
767         return finish_command(&proc);
768 }
769
770 static int feed_receive_hook(void *state_, const char **bufp, size_t *sizep)
771 {
772         struct receive_hook_feed_state *state = state_;
773         struct command *cmd = state->cmd;
774
775         while (cmd &&
776                state->skip_broken && (cmd->error_string || cmd->did_not_exist))
777                 cmd = cmd->next;
778         if (!cmd)
779                 return -1; /* EOF */
780         strbuf_reset(&state->buf);
781         strbuf_addf(&state->buf, "%s %s %s\n",
782                     oid_to_hex(&cmd->old_oid), oid_to_hex(&cmd->new_oid),
783                     cmd->ref_name);
784         state->cmd = cmd->next;
785         if (bufp) {
786                 *bufp = state->buf.buf;
787                 *sizep = state->buf.len;
788         }
789         return 0;
790 }
791
792 static int run_receive_hook(struct command *commands,
793                             const char *hook_name,
794                             int skip_broken,
795                             const struct string_list *push_options)
796 {
797         struct receive_hook_feed_state state;
798         int status;
799
800         strbuf_init(&state.buf, 0);
801         state.cmd = commands;
802         state.skip_broken = skip_broken;
803         if (feed_receive_hook(&state, NULL, NULL))
804                 return 0;
805         state.cmd = commands;
806         state.push_options = push_options;
807         status = run_and_feed_hook(hook_name, feed_receive_hook, &state);
808         strbuf_release(&state.buf);
809         return status;
810 }
811
812 static int run_update_hook(struct command *cmd)
813 {
814         const char *argv[5];
815         struct child_process proc = CHILD_PROCESS_INIT;
816         int code;
817
818         argv[0] = find_hook("update");
819         if (!argv[0])
820                 return 0;
821
822         argv[1] = cmd->ref_name;
823         argv[2] = oid_to_hex(&cmd->old_oid);
824         argv[3] = oid_to_hex(&cmd->new_oid);
825         argv[4] = NULL;
826
827         proc.no_stdin = 1;
828         proc.stdout_to_stderr = 1;
829         proc.err = use_sideband ? -1 : 0;
830         proc.argv = argv;
831         proc.trace2_hook_name = "update";
832
833         code = start_command(&proc);
834         if (code)
835                 return code;
836         if (use_sideband)
837                 copy_to_sideband(proc.err, -1, NULL);
838         return finish_command(&proc);
839 }
840
841 static char *refuse_unconfigured_deny_msg =
842         N_("By default, updating the current branch in a non-bare repository\n"
843            "is denied, because it will make the index and work tree inconsistent\n"
844            "with what you pushed, and will require 'git reset --hard' to match\n"
845            "the work tree to HEAD.\n"
846            "\n"
847            "You can set the 'receive.denyCurrentBranch' configuration variable\n"
848            "to 'ignore' or 'warn' in the remote repository to allow pushing into\n"
849            "its current branch; however, this is not recommended unless you\n"
850            "arranged to update its work tree to match what you pushed in some\n"
851            "other way.\n"
852            "\n"
853            "To squelch this message and still keep the default behaviour, set\n"
854            "'receive.denyCurrentBranch' configuration variable to 'refuse'.");
855
856 static void refuse_unconfigured_deny(void)
857 {
858         rp_error("%s", _(refuse_unconfigured_deny_msg));
859 }
860
861 static char *refuse_unconfigured_deny_delete_current_msg =
862         N_("By default, deleting the current branch is denied, because the next\n"
863            "'git clone' won't result in any file checked out, causing confusion.\n"
864            "\n"
865            "You can set 'receive.denyDeleteCurrent' configuration variable to\n"
866            "'warn' or 'ignore' in the remote repository to allow deleting the\n"
867            "current branch, with or without a warning message.\n"
868            "\n"
869            "To squelch this message, you can set it to 'refuse'.");
870
871 static void refuse_unconfigured_deny_delete_current(void)
872 {
873         rp_error("%s", _(refuse_unconfigured_deny_delete_current_msg));
874 }
875
876 static int command_singleton_iterator(void *cb_data, struct object_id *oid);
877 static int update_shallow_ref(struct command *cmd, struct shallow_info *si)
878 {
879         struct lock_file shallow_lock = LOCK_INIT;
880         struct oid_array extra = OID_ARRAY_INIT;
881         struct check_connected_options opt = CHECK_CONNECTED_INIT;
882         uint32_t mask = 1 << (cmd->index % 32);
883         int i;
884
885         trace_printf_key(&trace_shallow,
886                          "shallow: update_shallow_ref %s\n", cmd->ref_name);
887         for (i = 0; i < si->shallow->nr; i++)
888                 if (si->used_shallow[i] &&
889                     (si->used_shallow[i][cmd->index / 32] & mask) &&
890                     !delayed_reachability_test(si, i))
891                         oid_array_append(&extra, &si->shallow->oid[i]);
892
893         opt.env = tmp_objdir_env(tmp_objdir);
894         setup_alternate_shallow(&shallow_lock, &opt.shallow_file, &extra);
895         if (check_connected(command_singleton_iterator, cmd, &opt)) {
896                 rollback_shallow_file(the_repository, &shallow_lock);
897                 oid_array_clear(&extra);
898                 return -1;
899         }
900
901         commit_shallow_file(the_repository, &shallow_lock);
902
903         /*
904          * Make sure setup_alternate_shallow() for the next ref does
905          * not lose these new roots..
906          */
907         for (i = 0; i < extra.nr; i++)
908                 register_shallow(the_repository, &extra.oid[i]);
909
910         si->shallow_ref[cmd->index] = 0;
911         oid_array_clear(&extra);
912         return 0;
913 }
914
915 /*
916  * NEEDSWORK: we should consolidate various implementions of "are we
917  * on an unborn branch?" test into one, and make the unified one more
918  * robust. !get_sha1() based check used here and elsewhere would not
919  * allow us to tell an unborn branch from corrupt ref, for example.
920  * For the purpose of fixing "deploy-to-update does not work when
921  * pushing into an empty repository" issue, this should suffice for
922  * now.
923  */
924 static int head_has_history(void)
925 {
926         struct object_id oid;
927
928         return !get_oid("HEAD", &oid);
929 }
930
931 static const char *push_to_deploy(unsigned char *sha1,
932                                   struct argv_array *env,
933                                   const char *work_tree)
934 {
935         const char *update_refresh[] = {
936                 "update-index", "-q", "--ignore-submodules", "--refresh", NULL
937         };
938         const char *diff_files[] = {
939                 "diff-files", "--quiet", "--ignore-submodules", "--", NULL
940         };
941         const char *diff_index[] = {
942                 "diff-index", "--quiet", "--cached", "--ignore-submodules",
943                 NULL, "--", NULL
944         };
945         const char *read_tree[] = {
946                 "read-tree", "-u", "-m", NULL, NULL
947         };
948         struct child_process child = CHILD_PROCESS_INIT;
949
950         child.argv = update_refresh;
951         child.env = env->argv;
952         child.dir = work_tree;
953         child.no_stdin = 1;
954         child.stdout_to_stderr = 1;
955         child.git_cmd = 1;
956         if (run_command(&child))
957                 return "Up-to-date check failed";
958
959         /* run_command() does not clean up completely; reinitialize */
960         child_process_init(&child);
961         child.argv = diff_files;
962         child.env = env->argv;
963         child.dir = work_tree;
964         child.no_stdin = 1;
965         child.stdout_to_stderr = 1;
966         child.git_cmd = 1;
967         if (run_command(&child))
968                 return "Working directory has unstaged changes";
969
970         /* diff-index with either HEAD or an empty tree */
971         diff_index[4] = head_has_history() ? "HEAD" : empty_tree_oid_hex();
972
973         child_process_init(&child);
974         child.argv = diff_index;
975         child.env = env->argv;
976         child.no_stdin = 1;
977         child.no_stdout = 1;
978         child.stdout_to_stderr = 0;
979         child.git_cmd = 1;
980         if (run_command(&child))
981                 return "Working directory has staged changes";
982
983         read_tree[3] = hash_to_hex(sha1);
984         child_process_init(&child);
985         child.argv = read_tree;
986         child.env = env->argv;
987         child.dir = work_tree;
988         child.no_stdin = 1;
989         child.no_stdout = 1;
990         child.stdout_to_stderr = 0;
991         child.git_cmd = 1;
992         if (run_command(&child))
993                 return "Could not update working tree to new HEAD";
994
995         return NULL;
996 }
997
998 static const char *push_to_checkout_hook = "push-to-checkout";
999
1000 static const char *push_to_checkout(unsigned char *hash,
1001                                     struct argv_array *env,
1002                                     const char *work_tree)
1003 {
1004         argv_array_pushf(env, "GIT_WORK_TREE=%s", absolute_path(work_tree));
1005         if (run_hook_le(env->argv, push_to_checkout_hook,
1006                         hash_to_hex(hash), NULL))
1007                 return "push-to-checkout hook declined";
1008         else
1009                 return NULL;
1010 }
1011
1012 static const char *update_worktree(unsigned char *sha1, const struct worktree *worktree)
1013 {
1014         const char *retval, *work_tree, *git_dir = NULL;
1015         struct argv_array env = ARGV_ARRAY_INIT;
1016
1017         if (worktree && worktree->path)
1018                 work_tree = worktree->path;
1019         else if (git_work_tree_cfg)
1020                 work_tree = git_work_tree_cfg;
1021         else
1022                 work_tree = "..";
1023
1024         if (is_bare_repository())
1025                 return "denyCurrentBranch = updateInstead needs a worktree";
1026         if (worktree)
1027                 git_dir = get_worktree_git_dir(worktree);
1028         if (!git_dir)
1029                 git_dir = get_git_dir();
1030
1031         argv_array_pushf(&env, "GIT_DIR=%s", absolute_path(git_dir));
1032
1033         if (!find_hook(push_to_checkout_hook))
1034                 retval = push_to_deploy(sha1, &env, work_tree);
1035         else
1036                 retval = push_to_checkout(sha1, &env, work_tree);
1037
1038         argv_array_clear(&env);
1039         return retval;
1040 }
1041
1042 static const char *update(struct command *cmd, struct shallow_info *si)
1043 {
1044         const char *name = cmd->ref_name;
1045         struct strbuf namespaced_name_buf = STRBUF_INIT;
1046         static char *namespaced_name;
1047         const char *ret;
1048         struct object_id *old_oid = &cmd->old_oid;
1049         struct object_id *new_oid = &cmd->new_oid;
1050         int do_update_worktree = 0;
1051         const struct worktree *worktree = is_bare_repository() ? NULL : find_shared_symref("HEAD", name);
1052
1053         /* only refs/... are allowed */
1054         if (!starts_with(name, "refs/") || check_refname_format(name + 5, 0)) {
1055                 rp_error("refusing to create funny ref '%s' remotely", name);
1056                 return "funny refname";
1057         }
1058
1059         strbuf_addf(&namespaced_name_buf, "%s%s", get_git_namespace(), name);
1060         free(namespaced_name);
1061         namespaced_name = strbuf_detach(&namespaced_name_buf, NULL);
1062
1063         if (worktree) {
1064                 switch (deny_current_branch) {
1065                 case DENY_IGNORE:
1066                         break;
1067                 case DENY_WARN:
1068                         rp_warning("updating the current branch");
1069                         break;
1070                 case DENY_REFUSE:
1071                 case DENY_UNCONFIGURED:
1072                         rp_error("refusing to update checked out branch: %s", name);
1073                         if (deny_current_branch == DENY_UNCONFIGURED)
1074                                 refuse_unconfigured_deny();
1075                         return "branch is currently checked out";
1076                 case DENY_UPDATE_INSTEAD:
1077                         /* pass -- let other checks intervene first */
1078                         do_update_worktree = 1;
1079                         break;
1080                 }
1081         }
1082
1083         if (!is_null_oid(new_oid) && !has_object_file(new_oid)) {
1084                 error("unpack should have generated %s, "
1085                       "but I can't find it!", oid_to_hex(new_oid));
1086                 return "bad pack";
1087         }
1088
1089         if (!is_null_oid(old_oid) && is_null_oid(new_oid)) {
1090                 if (deny_deletes && starts_with(name, "refs/heads/")) {
1091                         rp_error("denying ref deletion for %s", name);
1092                         return "deletion prohibited";
1093                 }
1094
1095                 if (worktree || (head_name && !strcmp(namespaced_name, head_name))) {
1096                         switch (deny_delete_current) {
1097                         case DENY_IGNORE:
1098                                 break;
1099                         case DENY_WARN:
1100                                 rp_warning("deleting the current branch");
1101                                 break;
1102                         case DENY_REFUSE:
1103                         case DENY_UNCONFIGURED:
1104                         case DENY_UPDATE_INSTEAD:
1105                                 if (deny_delete_current == DENY_UNCONFIGURED)
1106                                         refuse_unconfigured_deny_delete_current();
1107                                 rp_error("refusing to delete the current branch: %s", name);
1108                                 return "deletion of the current branch prohibited";
1109                         default:
1110                                 return "Invalid denyDeleteCurrent setting";
1111                         }
1112                 }
1113         }
1114
1115         if (deny_non_fast_forwards && !is_null_oid(new_oid) &&
1116             !is_null_oid(old_oid) &&
1117             starts_with(name, "refs/heads/")) {
1118                 struct object *old_object, *new_object;
1119                 struct commit *old_commit, *new_commit;
1120
1121                 old_object = parse_object(the_repository, old_oid);
1122                 new_object = parse_object(the_repository, new_oid);
1123
1124                 if (!old_object || !new_object ||
1125                     old_object->type != OBJ_COMMIT ||
1126                     new_object->type != OBJ_COMMIT) {
1127                         error("bad sha1 objects for %s", name);
1128                         return "bad ref";
1129                 }
1130                 old_commit = (struct commit *)old_object;
1131                 new_commit = (struct commit *)new_object;
1132                 if (!in_merge_bases(old_commit, new_commit)) {
1133                         rp_error("denying non-fast-forward %s"
1134                                  " (you should pull first)", name);
1135                         return "non-fast-forward";
1136                 }
1137         }
1138         if (run_update_hook(cmd)) {
1139                 rp_error("hook declined to update %s", name);
1140                 return "hook declined";
1141         }
1142
1143         if (do_update_worktree) {
1144                 ret = update_worktree(new_oid->hash, find_shared_symref("HEAD", name));
1145                 if (ret)
1146                         return ret;
1147         }
1148
1149         if (is_null_oid(new_oid)) {
1150                 struct strbuf err = STRBUF_INIT;
1151                 if (!parse_object(the_repository, old_oid)) {
1152                         old_oid = NULL;
1153                         if (ref_exists(name)) {
1154                                 rp_warning("Allowing deletion of corrupt ref.");
1155                         } else {
1156                                 rp_warning("Deleting a non-existent ref.");
1157                                 cmd->did_not_exist = 1;
1158                         }
1159                 }
1160                 if (ref_transaction_delete(transaction,
1161                                            namespaced_name,
1162                                            old_oid,
1163                                            0, "push", &err)) {
1164                         rp_error("%s", err.buf);
1165                         strbuf_release(&err);
1166                         return "failed to delete";
1167                 }
1168                 strbuf_release(&err);
1169                 return NULL; /* good */
1170         }
1171         else {
1172                 struct strbuf err = STRBUF_INIT;
1173                 if (shallow_update && si->shallow_ref[cmd->index] &&
1174                     update_shallow_ref(cmd, si))
1175                         return "shallow error";
1176
1177                 if (ref_transaction_update(transaction,
1178                                            namespaced_name,
1179                                            new_oid, old_oid,
1180                                            0, "push",
1181                                            &err)) {
1182                         rp_error("%s", err.buf);
1183                         strbuf_release(&err);
1184
1185                         return "failed to update ref";
1186                 }
1187                 strbuf_release(&err);
1188
1189                 return NULL; /* good */
1190         }
1191 }
1192
1193 static void run_update_post_hook(struct command *commands)
1194 {
1195         struct command *cmd;
1196         struct child_process proc = CHILD_PROCESS_INIT;
1197         const char *hook;
1198
1199         hook = find_hook("post-update");
1200         if (!hook)
1201                 return;
1202
1203         for (cmd = commands; cmd; cmd = cmd->next) {
1204                 if (cmd->error_string || cmd->did_not_exist)
1205                         continue;
1206                 if (!proc.args.argc)
1207                         argv_array_push(&proc.args, hook);
1208                 argv_array_push(&proc.args, cmd->ref_name);
1209         }
1210         if (!proc.args.argc)
1211                 return;
1212
1213         proc.no_stdin = 1;
1214         proc.stdout_to_stderr = 1;
1215         proc.err = use_sideband ? -1 : 0;
1216         proc.trace2_hook_name = "post-update";
1217
1218         if (!start_command(&proc)) {
1219                 if (use_sideband)
1220                         copy_to_sideband(proc.err, -1, NULL);
1221                 finish_command(&proc);
1222         }
1223 }
1224
1225 static void check_aliased_update_internal(struct command *cmd,
1226                                           struct string_list *list,
1227                                           const char *dst_name, int flag)
1228 {
1229         struct string_list_item *item;
1230         struct command *dst_cmd;
1231
1232         if (!(flag & REF_ISSYMREF))
1233                 return;
1234
1235         if (!dst_name) {
1236                 rp_error("refusing update to broken symref '%s'", cmd->ref_name);
1237                 cmd->skip_update = 1;
1238                 cmd->error_string = "broken symref";
1239                 return;
1240         }
1241         dst_name = strip_namespace(dst_name);
1242
1243         if ((item = string_list_lookup(list, dst_name)) == NULL)
1244                 return;
1245
1246         cmd->skip_update = 1;
1247
1248         dst_cmd = (struct command *) item->util;
1249
1250         if (oideq(&cmd->old_oid, &dst_cmd->old_oid) &&
1251             oideq(&cmd->new_oid, &dst_cmd->new_oid))
1252                 return;
1253
1254         dst_cmd->skip_update = 1;
1255
1256         rp_error("refusing inconsistent update between symref '%s' (%s..%s) and"
1257                  " its target '%s' (%s..%s)",
1258                  cmd->ref_name,
1259                  find_unique_abbrev(&cmd->old_oid, DEFAULT_ABBREV),
1260                  find_unique_abbrev(&cmd->new_oid, DEFAULT_ABBREV),
1261                  dst_cmd->ref_name,
1262                  find_unique_abbrev(&dst_cmd->old_oid, DEFAULT_ABBREV),
1263                  find_unique_abbrev(&dst_cmd->new_oid, DEFAULT_ABBREV));
1264
1265         cmd->error_string = dst_cmd->error_string =
1266                 "inconsistent aliased update";
1267 }
1268
1269 static void check_aliased_update(struct command *cmd, struct string_list *list)
1270 {
1271         struct strbuf buf = STRBUF_INIT;
1272         const char *dst_name;
1273         int flag;
1274
1275         strbuf_addf(&buf, "%s%s", get_git_namespace(), cmd->ref_name);
1276         dst_name = resolve_ref_unsafe(buf.buf, 0, NULL, &flag);
1277         check_aliased_update_internal(cmd, list, dst_name, flag);
1278         strbuf_release(&buf);
1279 }
1280
1281 static void check_aliased_updates(struct command *commands)
1282 {
1283         struct command *cmd;
1284         struct string_list ref_list = STRING_LIST_INIT_NODUP;
1285
1286         for (cmd = commands; cmd; cmd = cmd->next) {
1287                 struct string_list_item *item =
1288                         string_list_append(&ref_list, cmd->ref_name);
1289                 item->util = (void *)cmd;
1290         }
1291         string_list_sort(&ref_list);
1292
1293         for (cmd = commands; cmd; cmd = cmd->next) {
1294                 if (!cmd->error_string)
1295                         check_aliased_update(cmd, &ref_list);
1296         }
1297
1298         string_list_clear(&ref_list, 0);
1299 }
1300
1301 static int command_singleton_iterator(void *cb_data, struct object_id *oid)
1302 {
1303         struct command **cmd_list = cb_data;
1304         struct command *cmd = *cmd_list;
1305
1306         if (!cmd || is_null_oid(&cmd->new_oid))
1307                 return -1; /* end of list */
1308         *cmd_list = NULL; /* this returns only one */
1309         oidcpy(oid, &cmd->new_oid);
1310         return 0;
1311 }
1312
1313 static void set_connectivity_errors(struct command *commands,
1314                                     struct shallow_info *si)
1315 {
1316         struct command *cmd;
1317
1318         for (cmd = commands; cmd; cmd = cmd->next) {
1319                 struct command *singleton = cmd;
1320                 struct check_connected_options opt = CHECK_CONNECTED_INIT;
1321
1322                 if (shallow_update && si->shallow_ref[cmd->index])
1323                         /* to be checked in update_shallow_ref() */
1324                         continue;
1325
1326                 opt.env = tmp_objdir_env(tmp_objdir);
1327                 if (!check_connected(command_singleton_iterator, &singleton,
1328                                      &opt))
1329                         continue;
1330
1331                 cmd->error_string = "missing necessary objects";
1332         }
1333 }
1334
1335 struct iterate_data {
1336         struct command *cmds;
1337         struct shallow_info *si;
1338 };
1339
1340 static int iterate_receive_command_list(void *cb_data, struct object_id *oid)
1341 {
1342         struct iterate_data *data = cb_data;
1343         struct command **cmd_list = &data->cmds;
1344         struct command *cmd = *cmd_list;
1345
1346         for (; cmd; cmd = cmd->next) {
1347                 if (shallow_update && data->si->shallow_ref[cmd->index])
1348                         /* to be checked in update_shallow_ref() */
1349                         continue;
1350                 if (!is_null_oid(&cmd->new_oid) && !cmd->skip_update) {
1351                         oidcpy(oid, &cmd->new_oid);
1352                         *cmd_list = cmd->next;
1353                         return 0;
1354                 }
1355         }
1356         *cmd_list = NULL;
1357         return -1; /* end of list */
1358 }
1359
1360 static void reject_updates_to_hidden(struct command *commands)
1361 {
1362         struct strbuf refname_full = STRBUF_INIT;
1363         size_t prefix_len;
1364         struct command *cmd;
1365
1366         strbuf_addstr(&refname_full, get_git_namespace());
1367         prefix_len = refname_full.len;
1368
1369         for (cmd = commands; cmd; cmd = cmd->next) {
1370                 if (cmd->error_string)
1371                         continue;
1372
1373                 strbuf_setlen(&refname_full, prefix_len);
1374                 strbuf_addstr(&refname_full, cmd->ref_name);
1375
1376                 if (!ref_is_hidden(cmd->ref_name, refname_full.buf))
1377                         continue;
1378                 if (is_null_oid(&cmd->new_oid))
1379                         cmd->error_string = "deny deleting a hidden ref";
1380                 else
1381                         cmd->error_string = "deny updating a hidden ref";
1382         }
1383
1384         strbuf_release(&refname_full);
1385 }
1386
1387 static int should_process_cmd(struct command *cmd)
1388 {
1389         return !cmd->error_string && !cmd->skip_update;
1390 }
1391
1392 static void warn_if_skipped_connectivity_check(struct command *commands,
1393                                                struct shallow_info *si)
1394 {
1395         struct command *cmd;
1396         int checked_connectivity = 1;
1397
1398         for (cmd = commands; cmd; cmd = cmd->next) {
1399                 if (should_process_cmd(cmd) && si->shallow_ref[cmd->index]) {
1400                         error("BUG: connectivity check has not been run on ref %s",
1401                               cmd->ref_name);
1402                         checked_connectivity = 0;
1403                 }
1404         }
1405         if (!checked_connectivity)
1406                 BUG("connectivity check skipped???");
1407 }
1408
1409 static void execute_commands_non_atomic(struct command *commands,
1410                                         struct shallow_info *si)
1411 {
1412         struct command *cmd;
1413         struct strbuf err = STRBUF_INIT;
1414
1415         for (cmd = commands; cmd; cmd = cmd->next) {
1416                 if (!should_process_cmd(cmd))
1417                         continue;
1418
1419                 transaction = ref_transaction_begin(&err);
1420                 if (!transaction) {
1421                         rp_error("%s", err.buf);
1422                         strbuf_reset(&err);
1423                         cmd->error_string = "transaction failed to start";
1424                         continue;
1425                 }
1426
1427                 cmd->error_string = update(cmd, si);
1428
1429                 if (!cmd->error_string
1430                     && ref_transaction_commit(transaction, &err)) {
1431                         rp_error("%s", err.buf);
1432                         strbuf_reset(&err);
1433                         cmd->error_string = "failed to update ref";
1434                 }
1435                 ref_transaction_free(transaction);
1436         }
1437         strbuf_release(&err);
1438 }
1439
1440 static void execute_commands_atomic(struct command *commands,
1441                                         struct shallow_info *si)
1442 {
1443         struct command *cmd;
1444         struct strbuf err = STRBUF_INIT;
1445         const char *reported_error = "atomic push failure";
1446
1447         transaction = ref_transaction_begin(&err);
1448         if (!transaction) {
1449                 rp_error("%s", err.buf);
1450                 strbuf_reset(&err);
1451                 reported_error = "transaction failed to start";
1452                 goto failure;
1453         }
1454
1455         for (cmd = commands; cmd; cmd = cmd->next) {
1456                 if (!should_process_cmd(cmd))
1457                         continue;
1458
1459                 cmd->error_string = update(cmd, si);
1460
1461                 if (cmd->error_string)
1462                         goto failure;
1463         }
1464
1465         if (ref_transaction_commit(transaction, &err)) {
1466                 rp_error("%s", err.buf);
1467                 reported_error = "atomic transaction failed";
1468                 goto failure;
1469         }
1470         goto cleanup;
1471
1472 failure:
1473         for (cmd = commands; cmd; cmd = cmd->next)
1474                 if (!cmd->error_string)
1475                         cmd->error_string = reported_error;
1476
1477 cleanup:
1478         ref_transaction_free(transaction);
1479         strbuf_release(&err);
1480 }
1481
1482 static void execute_commands(struct command *commands,
1483                              const char *unpacker_error,
1484                              struct shallow_info *si,
1485                              const struct string_list *push_options)
1486 {
1487         struct check_connected_options opt = CHECK_CONNECTED_INIT;
1488         struct command *cmd;
1489         struct iterate_data data;
1490         struct async muxer;
1491         int err_fd = 0;
1492
1493         if (unpacker_error) {
1494                 for (cmd = commands; cmd; cmd = cmd->next)
1495                         cmd->error_string = "unpacker error";
1496                 return;
1497         }
1498
1499         if (use_sideband) {
1500                 memset(&muxer, 0, sizeof(muxer));
1501                 muxer.proc = copy_to_sideband;
1502                 muxer.in = -1;
1503                 if (!start_async(&muxer))
1504                         err_fd = muxer.in;
1505                 /* ...else, continue without relaying sideband */
1506         }
1507
1508         data.cmds = commands;
1509         data.si = si;
1510         opt.err_fd = err_fd;
1511         opt.progress = err_fd && !quiet;
1512         opt.env = tmp_objdir_env(tmp_objdir);
1513         if (check_connected(iterate_receive_command_list, &data, &opt))
1514                 set_connectivity_errors(commands, si);
1515
1516         if (use_sideband)
1517                 finish_async(&muxer);
1518
1519         reject_updates_to_hidden(commands);
1520
1521         if (run_receive_hook(commands, "pre-receive", 0, push_options)) {
1522                 for (cmd = commands; cmd; cmd = cmd->next) {
1523                         if (!cmd->error_string)
1524                                 cmd->error_string = "pre-receive hook declined";
1525                 }
1526                 return;
1527         }
1528
1529         /*
1530          * Now we'll start writing out refs, which means the objects need
1531          * to be in their final positions so that other processes can see them.
1532          */
1533         if (tmp_objdir_migrate(tmp_objdir) < 0) {
1534                 for (cmd = commands; cmd; cmd = cmd->next) {
1535                         if (!cmd->error_string)
1536                                 cmd->error_string = "unable to migrate objects to permanent storage";
1537                 }
1538                 return;
1539         }
1540         tmp_objdir = NULL;
1541
1542         check_aliased_updates(commands);
1543
1544         free(head_name_to_free);
1545         head_name = head_name_to_free = resolve_refdup("HEAD", 0, NULL, NULL);
1546
1547         if (use_atomic)
1548                 execute_commands_atomic(commands, si);
1549         else
1550                 execute_commands_non_atomic(commands, si);
1551
1552         if (shallow_update)
1553                 warn_if_skipped_connectivity_check(commands, si);
1554 }
1555
1556 static struct command **queue_command(struct command **tail,
1557                                       const char *line,
1558                                       int linelen)
1559 {
1560         struct object_id old_oid, new_oid;
1561         struct command *cmd;
1562         const char *refname;
1563         int reflen;
1564         const char *p;
1565
1566         if (parse_oid_hex(line, &old_oid, &p) ||
1567             *p++ != ' ' ||
1568             parse_oid_hex(p, &new_oid, &p) ||
1569             *p++ != ' ')
1570                 die("protocol error: expected old/new/ref, got '%s'", line);
1571
1572         refname = p;
1573         reflen = linelen - (p - line);
1574         FLEX_ALLOC_MEM(cmd, ref_name, refname, reflen);
1575         oidcpy(&cmd->old_oid, &old_oid);
1576         oidcpy(&cmd->new_oid, &new_oid);
1577         *tail = cmd;
1578         return &cmd->next;
1579 }
1580
1581 static void queue_commands_from_cert(struct command **tail,
1582                                      struct strbuf *push_cert)
1583 {
1584         const char *boc, *eoc;
1585
1586         if (*tail)
1587                 die("protocol error: got both push certificate and unsigned commands");
1588
1589         boc = strstr(push_cert->buf, "\n\n");
1590         if (!boc)
1591                 die("malformed push certificate %.*s", 100, push_cert->buf);
1592         else
1593                 boc += 2;
1594         eoc = push_cert->buf + parse_signature(push_cert->buf, push_cert->len);
1595
1596         while (boc < eoc) {
1597                 const char *eol = memchr(boc, '\n', eoc - boc);
1598                 tail = queue_command(tail, boc, eol ? eol - boc : eoc - boc);
1599                 boc = eol ? eol + 1 : eoc;
1600         }
1601 }
1602
1603 static struct command *read_head_info(struct packet_reader *reader,
1604                                       struct oid_array *shallow)
1605 {
1606         struct command *commands = NULL;
1607         struct command **p = &commands;
1608         for (;;) {
1609                 int linelen;
1610
1611                 if (packet_reader_read(reader) != PACKET_READ_NORMAL)
1612                         break;
1613
1614                 if (reader->pktlen > 8 && starts_with(reader->line, "shallow ")) {
1615                         struct object_id oid;
1616                         if (get_oid_hex(reader->line + 8, &oid))
1617                                 die("protocol error: expected shallow sha, got '%s'",
1618                                     reader->line + 8);
1619                         oid_array_append(shallow, &oid);
1620                         continue;
1621                 }
1622
1623                 linelen = strlen(reader->line);
1624                 if (linelen < reader->pktlen) {
1625                         const char *feature_list = reader->line + linelen + 1;
1626                         if (parse_feature_request(feature_list, "report-status"))
1627                                 report_status = 1;
1628                         if (parse_feature_request(feature_list, "side-band-64k"))
1629                                 use_sideband = LARGE_PACKET_MAX;
1630                         if (parse_feature_request(feature_list, "quiet"))
1631                                 quiet = 1;
1632                         if (advertise_atomic_push
1633                             && parse_feature_request(feature_list, "atomic"))
1634                                 use_atomic = 1;
1635                         if (advertise_push_options
1636                             && parse_feature_request(feature_list, "push-options"))
1637                                 use_push_options = 1;
1638                 }
1639
1640                 if (!strcmp(reader->line, "push-cert")) {
1641                         int true_flush = 0;
1642                         int saved_options = reader->options;
1643                         reader->options &= ~PACKET_READ_CHOMP_NEWLINE;
1644
1645                         for (;;) {
1646                                 packet_reader_read(reader);
1647                                 if (reader->status == PACKET_READ_FLUSH) {
1648                                         true_flush = 1;
1649                                         break;
1650                                 }
1651                                 if (reader->status != PACKET_READ_NORMAL) {
1652                                         die("protocol error: got an unexpected packet");
1653                                 }
1654                                 if (!strcmp(reader->line, "push-cert-end\n"))
1655                                         break; /* end of cert */
1656                                 strbuf_addstr(&push_cert, reader->line);
1657                         }
1658                         reader->options = saved_options;
1659
1660                         if (true_flush)
1661                                 break;
1662                         continue;
1663                 }
1664
1665                 p = queue_command(p, reader->line, linelen);
1666         }
1667
1668         if (push_cert.len)
1669                 queue_commands_from_cert(p, &push_cert);
1670
1671         return commands;
1672 }
1673
1674 static void read_push_options(struct packet_reader *reader,
1675                               struct string_list *options)
1676 {
1677         while (1) {
1678                 if (packet_reader_read(reader) != PACKET_READ_NORMAL)
1679                         break;
1680
1681                 string_list_append(options, reader->line);
1682         }
1683 }
1684
1685 static const char *parse_pack_header(struct pack_header *hdr)
1686 {
1687         switch (read_pack_header(0, hdr)) {
1688         case PH_ERROR_EOF:
1689                 return "eof before pack header was fully read";
1690
1691         case PH_ERROR_PACK_SIGNATURE:
1692                 return "protocol error (pack signature mismatch detected)";
1693
1694         case PH_ERROR_PROTOCOL:
1695                 return "protocol error (pack version unsupported)";
1696
1697         default:
1698                 return "unknown error in parse_pack_header";
1699
1700         case 0:
1701                 return NULL;
1702         }
1703 }
1704
1705 static const char *pack_lockfile;
1706
1707 static void push_header_arg(struct argv_array *args, struct pack_header *hdr)
1708 {
1709         argv_array_pushf(args, "--pack_header=%"PRIu32",%"PRIu32,
1710                         ntohl(hdr->hdr_version), ntohl(hdr->hdr_entries));
1711 }
1712
1713 static const char *unpack(int err_fd, struct shallow_info *si)
1714 {
1715         struct pack_header hdr;
1716         const char *hdr_err;
1717         int status;
1718         struct child_process child = CHILD_PROCESS_INIT;
1719         int fsck_objects = (receive_fsck_objects >= 0
1720                             ? receive_fsck_objects
1721                             : transfer_fsck_objects >= 0
1722                             ? transfer_fsck_objects
1723                             : 0);
1724
1725         hdr_err = parse_pack_header(&hdr);
1726         if (hdr_err) {
1727                 if (err_fd > 0)
1728                         close(err_fd);
1729                 return hdr_err;
1730         }
1731
1732         if (si->nr_ours || si->nr_theirs) {
1733                 alt_shallow_file = setup_temporary_shallow(si->shallow);
1734                 argv_array_push(&child.args, "--shallow-file");
1735                 argv_array_push(&child.args, alt_shallow_file);
1736         }
1737
1738         tmp_objdir = tmp_objdir_create();
1739         if (!tmp_objdir) {
1740                 if (err_fd > 0)
1741                         close(err_fd);
1742                 return "unable to create temporary object directory";
1743         }
1744         child.env = tmp_objdir_env(tmp_objdir);
1745
1746         /*
1747          * Normally we just pass the tmp_objdir environment to the child
1748          * processes that do the heavy lifting, but we may need to see these
1749          * objects ourselves to set up shallow information.
1750          */
1751         tmp_objdir_add_as_alternate(tmp_objdir);
1752
1753         if (ntohl(hdr.hdr_entries) < unpack_limit) {
1754                 argv_array_push(&child.args, "unpack-objects");
1755                 push_header_arg(&child.args, &hdr);
1756                 if (quiet)
1757                         argv_array_push(&child.args, "-q");
1758                 if (fsck_objects)
1759                         argv_array_pushf(&child.args, "--strict%s",
1760                                 fsck_msg_types.buf);
1761                 if (max_input_size)
1762                         argv_array_pushf(&child.args, "--max-input-size=%"PRIuMAX,
1763                                 (uintmax_t)max_input_size);
1764                 child.no_stdout = 1;
1765                 child.err = err_fd;
1766                 child.git_cmd = 1;
1767                 status = run_command(&child);
1768                 if (status)
1769                         return "unpack-objects abnormal exit";
1770         } else {
1771                 char hostname[HOST_NAME_MAX + 1];
1772
1773                 argv_array_pushl(&child.args, "index-pack", "--stdin", NULL);
1774                 push_header_arg(&child.args, &hdr);
1775
1776                 if (xgethostname(hostname, sizeof(hostname)))
1777                         xsnprintf(hostname, sizeof(hostname), "localhost");
1778                 argv_array_pushf(&child.args,
1779                                  "--keep=receive-pack %"PRIuMAX" on %s",
1780                                  (uintmax_t)getpid(),
1781                                  hostname);
1782
1783                 if (!quiet && err_fd)
1784                         argv_array_push(&child.args, "--show-resolving-progress");
1785                 if (use_sideband)
1786                         argv_array_push(&child.args, "--report-end-of-input");
1787                 if (fsck_objects)
1788                         argv_array_pushf(&child.args, "--strict%s",
1789                                 fsck_msg_types.buf);
1790                 if (!reject_thin)
1791                         argv_array_push(&child.args, "--fix-thin");
1792                 if (max_input_size)
1793                         argv_array_pushf(&child.args, "--max-input-size=%"PRIuMAX,
1794                                 (uintmax_t)max_input_size);
1795                 child.out = -1;
1796                 child.err = err_fd;
1797                 child.git_cmd = 1;
1798                 status = start_command(&child);
1799                 if (status)
1800                         return "index-pack fork failed";
1801                 pack_lockfile = index_pack_lockfile(child.out);
1802                 close(child.out);
1803                 status = finish_command(&child);
1804                 if (status)
1805                         return "index-pack abnormal exit";
1806                 reprepare_packed_git(the_repository);
1807         }
1808         return NULL;
1809 }
1810
1811 static const char *unpack_with_sideband(struct shallow_info *si)
1812 {
1813         struct async muxer;
1814         const char *ret;
1815
1816         if (!use_sideband)
1817                 return unpack(0, si);
1818
1819         use_keepalive = KEEPALIVE_AFTER_NUL;
1820         memset(&muxer, 0, sizeof(muxer));
1821         muxer.proc = copy_to_sideband;
1822         muxer.in = -1;
1823         if (start_async(&muxer))
1824                 return NULL;
1825
1826         ret = unpack(muxer.in, si);
1827
1828         finish_async(&muxer);
1829         return ret;
1830 }
1831
1832 static void prepare_shallow_update(struct shallow_info *si)
1833 {
1834         int i, j, k, bitmap_size = DIV_ROUND_UP(si->ref->nr, 32);
1835
1836         ALLOC_ARRAY(si->used_shallow, si->shallow->nr);
1837         assign_shallow_commits_to_refs(si, si->used_shallow, NULL);
1838
1839         si->need_reachability_test =
1840                 xcalloc(si->shallow->nr, sizeof(*si->need_reachability_test));
1841         si->reachable =
1842                 xcalloc(si->shallow->nr, sizeof(*si->reachable));
1843         si->shallow_ref = xcalloc(si->ref->nr, sizeof(*si->shallow_ref));
1844
1845         for (i = 0; i < si->nr_ours; i++)
1846                 si->need_reachability_test[si->ours[i]] = 1;
1847
1848         for (i = 0; i < si->shallow->nr; i++) {
1849                 if (!si->used_shallow[i])
1850                         continue;
1851                 for (j = 0; j < bitmap_size; j++) {
1852                         if (!si->used_shallow[i][j])
1853                                 continue;
1854                         si->need_reachability_test[i]++;
1855                         for (k = 0; k < 32; k++)
1856                                 if (si->used_shallow[i][j] & (1U << k))
1857                                         si->shallow_ref[j * 32 + k]++;
1858                 }
1859
1860                 /*
1861                  * true for those associated with some refs and belong
1862                  * in "ours" list aka "step 7 not done yet"
1863                  */
1864                 si->need_reachability_test[i] =
1865                         si->need_reachability_test[i] > 1;
1866         }
1867
1868         /*
1869          * keep hooks happy by forcing a temporary shallow file via
1870          * env variable because we can't add --shallow-file to every
1871          * command. check_connected() will be done with
1872          * true .git/shallow though.
1873          */
1874         setenv(GIT_SHALLOW_FILE_ENVIRONMENT, alt_shallow_file, 1);
1875 }
1876
1877 static void update_shallow_info(struct command *commands,
1878                                 struct shallow_info *si,
1879                                 struct oid_array *ref)
1880 {
1881         struct command *cmd;
1882         int *ref_status;
1883         remove_nonexistent_theirs_shallow(si);
1884         if (!si->nr_ours && !si->nr_theirs) {
1885                 shallow_update = 0;
1886                 return;
1887         }
1888
1889         for (cmd = commands; cmd; cmd = cmd->next) {
1890                 if (is_null_oid(&cmd->new_oid))
1891                         continue;
1892                 oid_array_append(ref, &cmd->new_oid);
1893                 cmd->index = ref->nr - 1;
1894         }
1895         si->ref = ref;
1896
1897         if (shallow_update) {
1898                 prepare_shallow_update(si);
1899                 return;
1900         }
1901
1902         ALLOC_ARRAY(ref_status, ref->nr);
1903         assign_shallow_commits_to_refs(si, NULL, ref_status);
1904         for (cmd = commands; cmd; cmd = cmd->next) {
1905                 if (is_null_oid(&cmd->new_oid))
1906                         continue;
1907                 if (ref_status[cmd->index]) {
1908                         cmd->error_string = "shallow update not allowed";
1909                         cmd->skip_update = 1;
1910                 }
1911         }
1912         free(ref_status);
1913 }
1914
1915 static void report(struct command *commands, const char *unpack_status)
1916 {
1917         struct command *cmd;
1918         struct strbuf buf = STRBUF_INIT;
1919
1920         packet_buf_write(&buf, "unpack %s\n",
1921                          unpack_status ? unpack_status : "ok");
1922         for (cmd = commands; cmd; cmd = cmd->next) {
1923                 if (!cmd->error_string)
1924                         packet_buf_write(&buf, "ok %s\n",
1925                                          cmd->ref_name);
1926                 else
1927                         packet_buf_write(&buf, "ng %s %s\n",
1928                                          cmd->ref_name, cmd->error_string);
1929         }
1930         packet_buf_flush(&buf);
1931
1932         if (use_sideband)
1933                 send_sideband(1, 1, buf.buf, buf.len, use_sideband);
1934         else
1935                 write_or_die(1, buf.buf, buf.len);
1936         strbuf_release(&buf);
1937 }
1938
1939 static int delete_only(struct command *commands)
1940 {
1941         struct command *cmd;
1942         for (cmd = commands; cmd; cmd = cmd->next) {
1943                 if (!is_null_oid(&cmd->new_oid))
1944                         return 0;
1945         }
1946         return 1;
1947 }
1948
1949 int cmd_receive_pack(int argc, const char **argv, const char *prefix)
1950 {
1951         int advertise_refs = 0;
1952         struct command *commands;
1953         struct oid_array shallow = OID_ARRAY_INIT;
1954         struct oid_array ref = OID_ARRAY_INIT;
1955         struct shallow_info si;
1956         struct packet_reader reader;
1957
1958         struct option options[] = {
1959                 OPT__QUIET(&quiet, N_("quiet")),
1960                 OPT_HIDDEN_BOOL(0, "stateless-rpc", &stateless_rpc, NULL),
1961                 OPT_HIDDEN_BOOL(0, "advertise-refs", &advertise_refs, NULL),
1962                 OPT_HIDDEN_BOOL(0, "reject-thin-pack-for-testing", &reject_thin, NULL),
1963                 OPT_END()
1964         };
1965
1966         packet_trace_identity("receive-pack");
1967
1968         argc = parse_options(argc, argv, prefix, options, receive_pack_usage, 0);
1969
1970         if (argc > 1)
1971                 usage_msg_opt(_("Too many arguments."), receive_pack_usage, options);
1972         if (argc == 0)
1973                 usage_msg_opt(_("You must specify a directory."), receive_pack_usage, options);
1974
1975         service_dir = argv[0];
1976
1977         setup_path();
1978
1979         if (!enter_repo(service_dir, 0))
1980                 die("'%s' does not appear to be a git repository", service_dir);
1981
1982         git_config(receive_pack_config, NULL);
1983         if (cert_nonce_seed)
1984                 push_cert_nonce = prepare_push_cert_nonce(service_dir, time(NULL));
1985
1986         if (0 <= transfer_unpack_limit)
1987                 unpack_limit = transfer_unpack_limit;
1988         else if (0 <= receive_unpack_limit)
1989                 unpack_limit = receive_unpack_limit;
1990
1991         switch (determine_protocol_version_server()) {
1992         case protocol_v2:
1993                 /*
1994                  * push support for protocol v2 has not been implemented yet,
1995                  * so ignore the request to use v2 and fallback to using v0.
1996                  */
1997                 break;
1998         case protocol_v1:
1999                 /*
2000                  * v1 is just the original protocol with a version string,
2001                  * so just fall through after writing the version string.
2002                  */
2003                 if (advertise_refs || !stateless_rpc)
2004                         packet_write_fmt(1, "version 1\n");
2005
2006                 /* fallthrough */
2007         case protocol_v0:
2008                 break;
2009         case protocol_unknown_version:
2010                 BUG("unknown protocol version");
2011         }
2012
2013         if (advertise_refs || !stateless_rpc) {
2014                 write_head_info();
2015         }
2016         if (advertise_refs)
2017                 return 0;
2018
2019         packet_reader_init(&reader, 0, NULL, 0,
2020                            PACKET_READ_CHOMP_NEWLINE |
2021                            PACKET_READ_DIE_ON_ERR_PACKET);
2022
2023         if ((commands = read_head_info(&reader, &shallow)) != NULL) {
2024                 const char *unpack_status = NULL;
2025                 struct string_list push_options = STRING_LIST_INIT_DUP;
2026
2027                 if (use_push_options)
2028                         read_push_options(&reader, &push_options);
2029                 if (!check_cert_push_options(&push_options)) {
2030                         struct command *cmd;
2031                         for (cmd = commands; cmd; cmd = cmd->next)
2032                                 cmd->error_string = "inconsistent push options";
2033                 }
2034
2035                 prepare_shallow_info(&si, &shallow);
2036                 if (!si.nr_ours && !si.nr_theirs)
2037                         shallow_update = 0;
2038                 if (!delete_only(commands)) {
2039                         unpack_status = unpack_with_sideband(&si);
2040                         update_shallow_info(commands, &si, &ref);
2041                 }
2042                 use_keepalive = KEEPALIVE_ALWAYS;
2043                 execute_commands(commands, unpack_status, &si,
2044                                  &push_options);
2045                 if (pack_lockfile)
2046                         unlink_or_warn(pack_lockfile);
2047                 if (report_status)
2048                         report(commands, unpack_status);
2049                 run_receive_hook(commands, "post-receive", 1,
2050                                  &push_options);
2051                 run_update_post_hook(commands);
2052                 string_list_clear(&push_options, 0);
2053                 if (auto_gc) {
2054                         const char *argv_gc_auto[] = {
2055                                 "gc", "--auto", "--quiet", NULL,
2056                         };
2057                         struct child_process proc = CHILD_PROCESS_INIT;
2058
2059                         proc.no_stdin = 1;
2060                         proc.stdout_to_stderr = 1;
2061                         proc.err = use_sideband ? -1 : 0;
2062                         proc.git_cmd = 1;
2063                         proc.argv = argv_gc_auto;
2064
2065                         close_object_store(the_repository->objects);
2066                         if (!start_command(&proc)) {
2067                                 if (use_sideband)
2068                                         copy_to_sideband(proc.err, -1, NULL);
2069                                 finish_command(&proc);
2070                         }
2071                 }
2072                 if (auto_update_server_info)
2073                         update_server_info(0);
2074                 clear_shallow_info(&si);
2075         }
2076         if (use_sideband)
2077                 packet_flush(1);
2078         oid_array_clear(&shallow);
2079         oid_array_clear(&ref);
2080         free((void *)push_cert_nonce);
2081         return 0;
2082 }