Merge branch 'js/t2106-cleanup'
[git] / builtin / receive-pack.c
1 #include "builtin.h"
2 #include "repository.h"
3 #include "config.h"
4 #include "lockfile.h"
5 #include "pack.h"
6 #include "refs.h"
7 #include "pkt-line.h"
8 #include "sideband.h"
9 #include "run-command.h"
10 #include "exec-cmd.h"
11 #include "commit.h"
12 #include "object.h"
13 #include "remote.h"
14 #include "connect.h"
15 #include "string-list.h"
16 #include "oid-array.h"
17 #include "connected.h"
18 #include "strvec.h"
19 #include "version.h"
20 #include "tag.h"
21 #include "gpg-interface.h"
22 #include "sigchain.h"
23 #include "fsck.h"
24 #include "tmp-objdir.h"
25 #include "oidset.h"
26 #include "packfile.h"
27 #include "object-store.h"
28 #include "protocol.h"
29 #include "commit-reach.h"
30 #include "worktree.h"
31 #include "shallow.h"
32
33 static const char * const receive_pack_usage[] = {
34         N_("git receive-pack <git-dir>"),
35         NULL
36 };
37
38 enum deny_action {
39         DENY_UNCONFIGURED,
40         DENY_IGNORE,
41         DENY_WARN,
42         DENY_REFUSE,
43         DENY_UPDATE_INSTEAD
44 };
45
46 static int deny_deletes;
47 static int deny_non_fast_forwards;
48 static enum deny_action deny_current_branch = DENY_UNCONFIGURED;
49 static enum deny_action deny_delete_current = DENY_UNCONFIGURED;
50 static int receive_fsck_objects = -1;
51 static int transfer_fsck_objects = -1;
52 static struct strbuf fsck_msg_types = STRBUF_INIT;
53 static int receive_unpack_limit = -1;
54 static int transfer_unpack_limit = -1;
55 static int advertise_atomic_push = 1;
56 static int advertise_push_options;
57 static int unpack_limit = 100;
58 static off_t max_input_size;
59 static int report_status;
60 static int report_status_v2;
61 static int use_sideband;
62 static int use_atomic;
63 static int use_push_options;
64 static int quiet;
65 static int prefer_ofs_delta = 1;
66 static int auto_update_server_info;
67 static int auto_gc = 1;
68 static int reject_thin;
69 static int stateless_rpc;
70 static const char *service_dir;
71 static const char *head_name;
72 static void *head_name_to_free;
73 static int sent_capabilities;
74 static int shallow_update;
75 static const char *alt_shallow_file;
76 static struct strbuf push_cert = STRBUF_INIT;
77 static struct object_id push_cert_oid;
78 static struct signature_check sigcheck;
79 static const char *push_cert_nonce;
80 static const char *cert_nonce_seed;
81
82 static const char *NONCE_UNSOLICITED = "UNSOLICITED";
83 static const char *NONCE_BAD = "BAD";
84 static const char *NONCE_MISSING = "MISSING";
85 static const char *NONCE_OK = "OK";
86 static const char *NONCE_SLOP = "SLOP";
87 static const char *nonce_status;
88 static long nonce_stamp_slop;
89 static timestamp_t nonce_stamp_slop_limit;
90 static struct ref_transaction *transaction;
91
92 static enum {
93         KEEPALIVE_NEVER = 0,
94         KEEPALIVE_AFTER_NUL,
95         KEEPALIVE_ALWAYS
96 } use_keepalive;
97 static int keepalive_in_sec = 5;
98
99 static struct tmp_objdir *tmp_objdir;
100
101 static struct proc_receive_ref {
102         unsigned int want_add:1,
103                      want_delete:1,
104                      want_modify:1,
105                      negative_ref:1;
106         char *ref_prefix;
107         struct proc_receive_ref *next;
108 } *proc_receive_ref;
109
110 static void proc_receive_ref_append(const char *prefix);
111
112 static enum deny_action parse_deny_action(const char *var, const char *value)
113 {
114         if (value) {
115                 if (!strcasecmp(value, "ignore"))
116                         return DENY_IGNORE;
117                 if (!strcasecmp(value, "warn"))
118                         return DENY_WARN;
119                 if (!strcasecmp(value, "refuse"))
120                         return DENY_REFUSE;
121                 if (!strcasecmp(value, "updateinstead"))
122                         return DENY_UPDATE_INSTEAD;
123         }
124         if (git_config_bool(var, value))
125                 return DENY_REFUSE;
126         return DENY_IGNORE;
127 }
128
129 static int receive_pack_config(const char *var, const char *value, void *cb)
130 {
131         int status = parse_hide_refs_config(var, value, "receive");
132
133         if (status)
134                 return status;
135
136         if (strcmp(var, "receive.denydeletes") == 0) {
137                 deny_deletes = git_config_bool(var, value);
138                 return 0;
139         }
140
141         if (strcmp(var, "receive.denynonfastforwards") == 0) {
142                 deny_non_fast_forwards = git_config_bool(var, value);
143                 return 0;
144         }
145
146         if (strcmp(var, "receive.unpacklimit") == 0) {
147                 receive_unpack_limit = git_config_int(var, value);
148                 return 0;
149         }
150
151         if (strcmp(var, "transfer.unpacklimit") == 0) {
152                 transfer_unpack_limit = git_config_int(var, value);
153                 return 0;
154         }
155
156         if (strcmp(var, "receive.fsck.skiplist") == 0) {
157                 const char *path;
158
159                 if (git_config_pathname(&path, var, value))
160                         return 1;
161                 strbuf_addf(&fsck_msg_types, "%cskiplist=%s",
162                         fsck_msg_types.len ? ',' : '=', path);
163                 free((char *)path);
164                 return 0;
165         }
166
167         if (skip_prefix(var, "receive.fsck.", &var)) {
168                 if (is_valid_msg_type(var, value))
169                         strbuf_addf(&fsck_msg_types, "%c%s=%s",
170                                 fsck_msg_types.len ? ',' : '=', var, value);
171                 else
172                         warning("Skipping unknown msg id '%s'", var);
173                 return 0;
174         }
175
176         if (strcmp(var, "receive.fsckobjects") == 0) {
177                 receive_fsck_objects = git_config_bool(var, value);
178                 return 0;
179         }
180
181         if (strcmp(var, "transfer.fsckobjects") == 0) {
182                 transfer_fsck_objects = git_config_bool(var, value);
183                 return 0;
184         }
185
186         if (!strcmp(var, "receive.denycurrentbranch")) {
187                 deny_current_branch = parse_deny_action(var, value);
188                 return 0;
189         }
190
191         if (strcmp(var, "receive.denydeletecurrent") == 0) {
192                 deny_delete_current = parse_deny_action(var, value);
193                 return 0;
194         }
195
196         if (strcmp(var, "repack.usedeltabaseoffset") == 0) {
197                 prefer_ofs_delta = git_config_bool(var, value);
198                 return 0;
199         }
200
201         if (strcmp(var, "receive.updateserverinfo") == 0) {
202                 auto_update_server_info = git_config_bool(var, value);
203                 return 0;
204         }
205
206         if (strcmp(var, "receive.autogc") == 0) {
207                 auto_gc = git_config_bool(var, value);
208                 return 0;
209         }
210
211         if (strcmp(var, "receive.shallowupdate") == 0) {
212                 shallow_update = git_config_bool(var, value);
213                 return 0;
214         }
215
216         if (strcmp(var, "receive.certnonceseed") == 0)
217                 return git_config_string(&cert_nonce_seed, var, value);
218
219         if (strcmp(var, "receive.certnonceslop") == 0) {
220                 nonce_stamp_slop_limit = git_config_ulong(var, value);
221                 return 0;
222         }
223
224         if (strcmp(var, "receive.advertiseatomic") == 0) {
225                 advertise_atomic_push = git_config_bool(var, value);
226                 return 0;
227         }
228
229         if (strcmp(var, "receive.advertisepushoptions") == 0) {
230                 advertise_push_options = git_config_bool(var, value);
231                 return 0;
232         }
233
234         if (strcmp(var, "receive.keepalive") == 0) {
235                 keepalive_in_sec = git_config_int(var, value);
236                 return 0;
237         }
238
239         if (strcmp(var, "receive.maxinputsize") == 0) {
240                 max_input_size = git_config_int64(var, value);
241                 return 0;
242         }
243
244         if (strcmp(var, "receive.procreceiverefs") == 0) {
245                 if (!value)
246                         return config_error_nonbool(var);
247                 proc_receive_ref_append(value);
248                 return 0;
249         }
250
251         return git_default_config(var, value, cb);
252 }
253
254 static void show_ref(const char *path, const struct object_id *oid)
255 {
256         if (sent_capabilities) {
257                 packet_write_fmt(1, "%s %s\n", oid_to_hex(oid), path);
258         } else {
259                 struct strbuf cap = STRBUF_INIT;
260
261                 strbuf_addstr(&cap,
262                               "report-status report-status-v2 delete-refs side-band-64k quiet");
263                 if (advertise_atomic_push)
264                         strbuf_addstr(&cap, " atomic");
265                 if (prefer_ofs_delta)
266                         strbuf_addstr(&cap, " ofs-delta");
267                 if (push_cert_nonce)
268                         strbuf_addf(&cap, " push-cert=%s", push_cert_nonce);
269                 if (advertise_push_options)
270                         strbuf_addstr(&cap, " push-options");
271                 strbuf_addf(&cap, " object-format=%s", the_hash_algo->name);
272                 strbuf_addf(&cap, " agent=%s", git_user_agent_sanitized());
273                 packet_write_fmt(1, "%s %s%c%s\n",
274                              oid_to_hex(oid), path, 0, cap.buf);
275                 strbuf_release(&cap);
276                 sent_capabilities = 1;
277         }
278 }
279
280 static int show_ref_cb(const char *path_full, const struct object_id *oid,
281                        int flag, void *data)
282 {
283         struct oidset *seen = data;
284         const char *path = strip_namespace(path_full);
285
286         if (ref_is_hidden(path, path_full))
287                 return 0;
288
289         /*
290          * Advertise refs outside our current namespace as ".have"
291          * refs, so that the client can use them to minimize data
292          * transfer but will otherwise ignore them.
293          */
294         if (!path) {
295                 if (oidset_insert(seen, oid))
296                         return 0;
297                 path = ".have";
298         } else {
299                 oidset_insert(seen, oid);
300         }
301         show_ref(path, oid);
302         return 0;
303 }
304
305 static void show_one_alternate_ref(const struct object_id *oid,
306                                    void *data)
307 {
308         struct oidset *seen = data;
309
310         if (oidset_insert(seen, oid))
311                 return;
312
313         show_ref(".have", oid);
314 }
315
316 static void write_head_info(void)
317 {
318         static struct oidset seen = OIDSET_INIT;
319
320         for_each_ref(show_ref_cb, &seen);
321         for_each_alternate_ref(show_one_alternate_ref, &seen);
322         oidset_clear(&seen);
323         if (!sent_capabilities)
324                 show_ref("capabilities^{}", &null_oid);
325
326         advertise_shallow_grafts(1);
327
328         /* EOF */
329         packet_flush(1);
330 }
331
332 #define RUN_PROC_RECEIVE_SCHEDULED      1
333 #define RUN_PROC_RECEIVE_RETURNED       2
334 struct command {
335         struct command *next;
336         const char *error_string;
337         struct ref_push_report *report;
338         unsigned int skip_update:1,
339                      did_not_exist:1,
340                      run_proc_receive:2;
341         int index;
342         struct object_id old_oid;
343         struct object_id new_oid;
344         char ref_name[FLEX_ARRAY]; /* more */
345 };
346
347 static void proc_receive_ref_append(const char *prefix)
348 {
349         struct proc_receive_ref *ref_pattern;
350         char *p;
351         int len;
352
353         ref_pattern = xcalloc(1, sizeof(struct proc_receive_ref));
354         p = strchr(prefix, ':');
355         if (p) {
356                 while (prefix < p) {
357                         if (*prefix == 'a')
358                                 ref_pattern->want_add = 1;
359                         else if (*prefix == 'd')
360                                 ref_pattern->want_delete = 1;
361                         else if (*prefix == 'm')
362                                 ref_pattern->want_modify = 1;
363                         else if (*prefix == '!')
364                                 ref_pattern->negative_ref = 1;
365                         prefix++;
366                 }
367                 prefix++;
368         } else {
369                 ref_pattern->want_add = 1;
370                 ref_pattern->want_delete = 1;
371                 ref_pattern->want_modify = 1;
372         }
373         len = strlen(prefix);
374         while (len && prefix[len - 1] == '/')
375                 len--;
376         ref_pattern->ref_prefix = xmemdupz(prefix, len);
377         if (!proc_receive_ref) {
378                 proc_receive_ref = ref_pattern;
379         } else {
380                 struct proc_receive_ref *end;
381
382                 end = proc_receive_ref;
383                 while (end->next)
384                         end = end->next;
385                 end->next = ref_pattern;
386         }
387 }
388
389 static int proc_receive_ref_matches(struct command *cmd)
390 {
391         struct proc_receive_ref *p;
392
393         if (!proc_receive_ref)
394                 return 0;
395
396         for (p = proc_receive_ref; p; p = p->next) {
397                 const char *match = p->ref_prefix;
398                 const char *remains;
399
400                 if (!p->want_add && is_null_oid(&cmd->old_oid))
401                         continue;
402                 else if (!p->want_delete && is_null_oid(&cmd->new_oid))
403                         continue;
404                 else if (!p->want_modify &&
405                          !is_null_oid(&cmd->old_oid) &&
406                          !is_null_oid(&cmd->new_oid))
407                         continue;
408
409                 if (skip_prefix(cmd->ref_name, match, &remains) &&
410                     (!*remains || *remains == '/')) {
411                         if (!p->negative_ref)
412                                 return 1;
413                 } else if (p->negative_ref) {
414                         return 1;
415                 }
416         }
417         return 0;
418 }
419
420 static void rp_error(const char *err, ...) __attribute__((format (printf, 1, 2)));
421 static void rp_warning(const char *err, ...) __attribute__((format (printf, 1, 2)));
422
423 static void report_message(const char *prefix, const char *err, va_list params)
424 {
425         int sz;
426         char msg[4096];
427
428         sz = xsnprintf(msg, sizeof(msg), "%s", prefix);
429         sz += vsnprintf(msg + sz, sizeof(msg) - sz, err, params);
430         if (sz > (sizeof(msg) - 1))
431                 sz = sizeof(msg) - 1;
432         msg[sz++] = '\n';
433
434         if (use_sideband)
435                 send_sideband(1, 2, msg, sz, use_sideband);
436         else
437                 xwrite(2, msg, sz);
438 }
439
440 static void rp_warning(const char *err, ...)
441 {
442         va_list params;
443         va_start(params, err);
444         report_message("warning: ", err, params);
445         va_end(params);
446 }
447
448 static void rp_error(const char *err, ...)
449 {
450         va_list params;
451         va_start(params, err);
452         report_message("error: ", err, params);
453         va_end(params);
454 }
455
456 static int copy_to_sideband(int in, int out, void *arg)
457 {
458         char data[128];
459         int keepalive_active = 0;
460
461         if (keepalive_in_sec <= 0)
462                 use_keepalive = KEEPALIVE_NEVER;
463         if (use_keepalive == KEEPALIVE_ALWAYS)
464                 keepalive_active = 1;
465
466         while (1) {
467                 ssize_t sz;
468
469                 if (keepalive_active) {
470                         struct pollfd pfd;
471                         int ret;
472
473                         pfd.fd = in;
474                         pfd.events = POLLIN;
475                         ret = poll(&pfd, 1, 1000 * keepalive_in_sec);
476
477                         if (ret < 0) {
478                                 if (errno == EINTR)
479                                         continue;
480                                 else
481                                         break;
482                         } else if (ret == 0) {
483                                 /* no data; send a keepalive packet */
484                                 static const char buf[] = "0005\1";
485                                 write_or_die(1, buf, sizeof(buf) - 1);
486                                 continue;
487                         } /* else there is actual data to read */
488                 }
489
490                 sz = xread(in, data, sizeof(data));
491                 if (sz <= 0)
492                         break;
493
494                 if (use_keepalive == KEEPALIVE_AFTER_NUL && !keepalive_active) {
495                         const char *p = memchr(data, '\0', sz);
496                         if (p) {
497                                 /*
498                                  * The NUL tells us to start sending keepalives. Make
499                                  * sure we send any other data we read along
500                                  * with it.
501                                  */
502                                 keepalive_active = 1;
503                                 send_sideband(1, 2, data, p - data, use_sideband);
504                                 send_sideband(1, 2, p + 1, sz - (p - data + 1), use_sideband);
505                                 continue;
506                         }
507                 }
508
509                 /*
510                  * Either we're not looking for a NUL signal, or we didn't see
511                  * it yet; just pass along the data.
512                  */
513                 send_sideband(1, 2, data, sz, use_sideband);
514         }
515         close(in);
516         return 0;
517 }
518
519 static void hmac_hash(unsigned char *out,
520                       const char *key_in, size_t key_len,
521                       const char *text, size_t text_len)
522 {
523         unsigned char key[GIT_MAX_BLKSZ];
524         unsigned char k_ipad[GIT_MAX_BLKSZ];
525         unsigned char k_opad[GIT_MAX_BLKSZ];
526         int i;
527         git_hash_ctx ctx;
528
529         /* RFC 2104 2. (1) */
530         memset(key, '\0', GIT_MAX_BLKSZ);
531         if (the_hash_algo->blksz < key_len) {
532                 the_hash_algo->init_fn(&ctx);
533                 the_hash_algo->update_fn(&ctx, key_in, key_len);
534                 the_hash_algo->final_fn(key, &ctx);
535         } else {
536                 memcpy(key, key_in, key_len);
537         }
538
539         /* RFC 2104 2. (2) & (5) */
540         for (i = 0; i < sizeof(key); i++) {
541                 k_ipad[i] = key[i] ^ 0x36;
542                 k_opad[i] = key[i] ^ 0x5c;
543         }
544
545         /* RFC 2104 2. (3) & (4) */
546         the_hash_algo->init_fn(&ctx);
547         the_hash_algo->update_fn(&ctx, k_ipad, sizeof(k_ipad));
548         the_hash_algo->update_fn(&ctx, text, text_len);
549         the_hash_algo->final_fn(out, &ctx);
550
551         /* RFC 2104 2. (6) & (7) */
552         the_hash_algo->init_fn(&ctx);
553         the_hash_algo->update_fn(&ctx, k_opad, sizeof(k_opad));
554         the_hash_algo->update_fn(&ctx, out, the_hash_algo->rawsz);
555         the_hash_algo->final_fn(out, &ctx);
556 }
557
558 static char *prepare_push_cert_nonce(const char *path, timestamp_t stamp)
559 {
560         struct strbuf buf = STRBUF_INIT;
561         unsigned char hash[GIT_MAX_RAWSZ];
562
563         strbuf_addf(&buf, "%s:%"PRItime, path, stamp);
564         hmac_hash(hash, buf.buf, buf.len, cert_nonce_seed, strlen(cert_nonce_seed));
565         strbuf_release(&buf);
566
567         /* RFC 2104 5. HMAC-SHA1 or HMAC-SHA256 */
568         strbuf_addf(&buf, "%"PRItime"-%.*s", stamp, (int)the_hash_algo->hexsz, hash_to_hex(hash));
569         return strbuf_detach(&buf, NULL);
570 }
571
572 /*
573  * NEEDSWORK: reuse find_commit_header() from jk/commit-author-parsing
574  * after dropping "_commit" from its name and possibly moving it out
575  * of commit.c
576  */
577 static char *find_header(const char *msg, size_t len, const char *key,
578                          const char **next_line)
579 {
580         int key_len = strlen(key);
581         const char *line = msg;
582
583         while (line && line < msg + len) {
584                 const char *eol = strchrnul(line, '\n');
585
586                 if ((msg + len <= eol) || line == eol)
587                         return NULL;
588                 if (line + key_len < eol &&
589                     !memcmp(line, key, key_len) && line[key_len] == ' ') {
590                         int offset = key_len + 1;
591                         if (next_line)
592                                 *next_line = *eol ? eol + 1 : eol;
593                         return xmemdupz(line + offset, (eol - line) - offset);
594                 }
595                 line = *eol ? eol + 1 : NULL;
596         }
597         return NULL;
598 }
599
600 /*
601  * Return zero if a and b are equal up to n bytes and nonzero if they are not.
602  * This operation is guaranteed to run in constant time to avoid leaking data.
603  */
604 static int constant_memequal(const char *a, const char *b, size_t n)
605 {
606         int res = 0;
607         size_t i;
608
609         for (i = 0; i < n; i++)
610                 res |= a[i] ^ b[i];
611         return res;
612 }
613
614 static const char *check_nonce(const char *buf, size_t len)
615 {
616         char *nonce = find_header(buf, len, "nonce", NULL);
617         timestamp_t stamp, ostamp;
618         char *bohmac, *expect = NULL;
619         const char *retval = NONCE_BAD;
620         size_t noncelen;
621
622         if (!nonce) {
623                 retval = NONCE_MISSING;
624                 goto leave;
625         } else if (!push_cert_nonce) {
626                 retval = NONCE_UNSOLICITED;
627                 goto leave;
628         } else if (!strcmp(push_cert_nonce, nonce)) {
629                 retval = NONCE_OK;
630                 goto leave;
631         }
632
633         if (!stateless_rpc) {
634                 /* returned nonce MUST match what we gave out earlier */
635                 retval = NONCE_BAD;
636                 goto leave;
637         }
638
639         /*
640          * In stateless mode, we may be receiving a nonce issued by
641          * another instance of the server that serving the same
642          * repository, and the timestamps may not match, but the
643          * nonce-seed and dir should match, so we can recompute and
644          * report the time slop.
645          *
646          * In addition, when a nonce issued by another instance has
647          * timestamp within receive.certnonceslop seconds, we pretend
648          * as if we issued that nonce when reporting to the hook.
649          */
650
651         /* nonce is concat(<seconds-since-epoch>, "-", <hmac>) */
652         if (*nonce <= '0' || '9' < *nonce) {
653                 retval = NONCE_BAD;
654                 goto leave;
655         }
656         stamp = parse_timestamp(nonce, &bohmac, 10);
657         if (bohmac == nonce || bohmac[0] != '-') {
658                 retval = NONCE_BAD;
659                 goto leave;
660         }
661
662         noncelen = strlen(nonce);
663         expect = prepare_push_cert_nonce(service_dir, stamp);
664         if (noncelen != strlen(expect)) {
665                 /* This is not even the right size. */
666                 retval = NONCE_BAD;
667                 goto leave;
668         }
669         if (constant_memequal(expect, nonce, noncelen)) {
670                 /* Not what we would have signed earlier */
671                 retval = NONCE_BAD;
672                 goto leave;
673         }
674
675         /*
676          * By how many seconds is this nonce stale?  Negative value
677          * would mean it was issued by another server with its clock
678          * skewed in the future.
679          */
680         ostamp = parse_timestamp(push_cert_nonce, NULL, 10);
681         nonce_stamp_slop = (long)ostamp - (long)stamp;
682
683         if (nonce_stamp_slop_limit &&
684             labs(nonce_stamp_slop) <= nonce_stamp_slop_limit) {
685                 /*
686                  * Pretend as if the received nonce (which passes the
687                  * HMAC check, so it is not a forged by third-party)
688                  * is what we issued.
689                  */
690                 free((void *)push_cert_nonce);
691                 push_cert_nonce = xstrdup(nonce);
692                 retval = NONCE_OK;
693         } else {
694                 retval = NONCE_SLOP;
695         }
696
697 leave:
698         free(nonce);
699         free(expect);
700         return retval;
701 }
702
703 /*
704  * Return 1 if there is no push_cert or if the push options in push_cert are
705  * the same as those in the argument; 0 otherwise.
706  */
707 static int check_cert_push_options(const struct string_list *push_options)
708 {
709         const char *buf = push_cert.buf;
710         int len = push_cert.len;
711
712         char *option;
713         const char *next_line;
714         int options_seen = 0;
715
716         int retval = 1;
717
718         if (!len)
719                 return 1;
720
721         while ((option = find_header(buf, len, "push-option", &next_line))) {
722                 len -= (next_line - buf);
723                 buf = next_line;
724                 options_seen++;
725                 if (options_seen > push_options->nr
726                     || strcmp(option,
727                               push_options->items[options_seen - 1].string)) {
728                         retval = 0;
729                         goto leave;
730                 }
731                 free(option);
732         }
733
734         if (options_seen != push_options->nr)
735                 retval = 0;
736
737 leave:
738         free(option);
739         return retval;
740 }
741
742 static void prepare_push_cert_sha1(struct child_process *proc)
743 {
744         static int already_done;
745
746         if (!push_cert.len)
747                 return;
748
749         if (!already_done) {
750                 int bogs /* beginning_of_gpg_sig */;
751
752                 already_done = 1;
753                 if (write_object_file(push_cert.buf, push_cert.len, "blob",
754                                       &push_cert_oid))
755                         oidclr(&push_cert_oid);
756
757                 memset(&sigcheck, '\0', sizeof(sigcheck));
758
759                 bogs = parse_signature(push_cert.buf, push_cert.len);
760                 check_signature(push_cert.buf, bogs, push_cert.buf + bogs,
761                                 push_cert.len - bogs, &sigcheck);
762
763                 nonce_status = check_nonce(push_cert.buf, bogs);
764         }
765         if (!is_null_oid(&push_cert_oid)) {
766                 strvec_pushf(&proc->env_array, "GIT_PUSH_CERT=%s",
767                              oid_to_hex(&push_cert_oid));
768                 strvec_pushf(&proc->env_array, "GIT_PUSH_CERT_SIGNER=%s",
769                              sigcheck.signer ? sigcheck.signer : "");
770                 strvec_pushf(&proc->env_array, "GIT_PUSH_CERT_KEY=%s",
771                              sigcheck.key ? sigcheck.key : "");
772                 strvec_pushf(&proc->env_array, "GIT_PUSH_CERT_STATUS=%c",
773                              sigcheck.result);
774                 if (push_cert_nonce) {
775                         strvec_pushf(&proc->env_array,
776                                      "GIT_PUSH_CERT_NONCE=%s",
777                                      push_cert_nonce);
778                         strvec_pushf(&proc->env_array,
779                                      "GIT_PUSH_CERT_NONCE_STATUS=%s",
780                                      nonce_status);
781                         if (nonce_status == NONCE_SLOP)
782                                 strvec_pushf(&proc->env_array,
783                                              "GIT_PUSH_CERT_NONCE_SLOP=%ld",
784                                              nonce_stamp_slop);
785                 }
786         }
787 }
788
789 struct receive_hook_feed_state {
790         struct command *cmd;
791         struct ref_push_report *report;
792         int skip_broken;
793         struct strbuf buf;
794         const struct string_list *push_options;
795 };
796
797 typedef int (*feed_fn)(void *, const char **, size_t *);
798 static int run_and_feed_hook(const char *hook_name, feed_fn feed,
799                              struct receive_hook_feed_state *feed_state)
800 {
801         struct child_process proc = CHILD_PROCESS_INIT;
802         struct async muxer;
803         const char *argv[2];
804         int code;
805
806         argv[0] = find_hook(hook_name);
807         if (!argv[0])
808                 return 0;
809
810         argv[1] = NULL;
811
812         proc.argv = argv;
813         proc.in = -1;
814         proc.stdout_to_stderr = 1;
815         proc.trace2_hook_name = hook_name;
816
817         if (feed_state->push_options) {
818                 int i;
819                 for (i = 0; i < feed_state->push_options->nr; i++)
820                         strvec_pushf(&proc.env_array,
821                                      "GIT_PUSH_OPTION_%d=%s", i,
822                                      feed_state->push_options->items[i].string);
823                 strvec_pushf(&proc.env_array, "GIT_PUSH_OPTION_COUNT=%d",
824                              feed_state->push_options->nr);
825         } else
826                 strvec_pushf(&proc.env_array, "GIT_PUSH_OPTION_COUNT");
827
828         if (tmp_objdir)
829                 strvec_pushv(&proc.env_array, tmp_objdir_env(tmp_objdir));
830
831         if (use_sideband) {
832                 memset(&muxer, 0, sizeof(muxer));
833                 muxer.proc = copy_to_sideband;
834                 muxer.in = -1;
835                 code = start_async(&muxer);
836                 if (code)
837                         return code;
838                 proc.err = muxer.in;
839         }
840
841         prepare_push_cert_sha1(&proc);
842
843         code = start_command(&proc);
844         if (code) {
845                 if (use_sideband)
846                         finish_async(&muxer);
847                 return code;
848         }
849
850         sigchain_push(SIGPIPE, SIG_IGN);
851
852         while (1) {
853                 const char *buf;
854                 size_t n;
855                 if (feed(feed_state, &buf, &n))
856                         break;
857                 if (write_in_full(proc.in, buf, n) < 0)
858                         break;
859         }
860         close(proc.in);
861         if (use_sideband)
862                 finish_async(&muxer);
863
864         sigchain_pop(SIGPIPE);
865
866         return finish_command(&proc);
867 }
868
869 static int feed_receive_hook(void *state_, const char **bufp, size_t *sizep)
870 {
871         struct receive_hook_feed_state *state = state_;
872         struct command *cmd = state->cmd;
873
874         while (cmd &&
875                state->skip_broken && (cmd->error_string || cmd->did_not_exist))
876                 cmd = cmd->next;
877         if (!cmd)
878                 return -1; /* EOF */
879         if (!bufp)
880                 return 0; /* OK, can feed something. */
881         strbuf_reset(&state->buf);
882         if (!state->report)
883                 state->report = cmd->report;
884         if (state->report) {
885                 struct object_id *old_oid;
886                 struct object_id *new_oid;
887                 const char *ref_name;
888
889                 old_oid = state->report->old_oid ? state->report->old_oid : &cmd->old_oid;
890                 new_oid = state->report->new_oid ? state->report->new_oid : &cmd->new_oid;
891                 ref_name = state->report->ref_name ? state->report->ref_name : cmd->ref_name;
892                 strbuf_addf(&state->buf, "%s %s %s\n",
893                             oid_to_hex(old_oid), oid_to_hex(new_oid),
894                             ref_name);
895                 state->report = state->report->next;
896                 if (!state->report)
897                         state->cmd = cmd->next;
898         } else {
899                 strbuf_addf(&state->buf, "%s %s %s\n",
900                             oid_to_hex(&cmd->old_oid), oid_to_hex(&cmd->new_oid),
901                             cmd->ref_name);
902                 state->cmd = cmd->next;
903         }
904         if (bufp) {
905                 *bufp = state->buf.buf;
906                 *sizep = state->buf.len;
907         }
908         return 0;
909 }
910
911 static int run_receive_hook(struct command *commands,
912                             const char *hook_name,
913                             int skip_broken,
914                             const struct string_list *push_options)
915 {
916         struct receive_hook_feed_state state;
917         int status;
918
919         strbuf_init(&state.buf, 0);
920         state.cmd = commands;
921         state.skip_broken = skip_broken;
922         state.report = NULL;
923         if (feed_receive_hook(&state, NULL, NULL))
924                 return 0;
925         state.cmd = commands;
926         state.push_options = push_options;
927         status = run_and_feed_hook(hook_name, feed_receive_hook, &state);
928         strbuf_release(&state.buf);
929         return status;
930 }
931
932 static int run_update_hook(struct command *cmd)
933 {
934         const char *argv[5];
935         struct child_process proc = CHILD_PROCESS_INIT;
936         int code;
937
938         argv[0] = find_hook("update");
939         if (!argv[0])
940                 return 0;
941
942         argv[1] = cmd->ref_name;
943         argv[2] = oid_to_hex(&cmd->old_oid);
944         argv[3] = oid_to_hex(&cmd->new_oid);
945         argv[4] = NULL;
946
947         proc.no_stdin = 1;
948         proc.stdout_to_stderr = 1;
949         proc.err = use_sideband ? -1 : 0;
950         proc.argv = argv;
951         proc.trace2_hook_name = "update";
952
953         code = start_command(&proc);
954         if (code)
955                 return code;
956         if (use_sideband)
957                 copy_to_sideband(proc.err, -1, NULL);
958         return finish_command(&proc);
959 }
960
961 static struct command *find_command_by_refname(struct command *list,
962                                                const char *refname)
963 {
964         for (; list; list = list->next)
965                 if (!strcmp(list->ref_name, refname))
966                         return list;
967         return NULL;
968 }
969
970 static int read_proc_receive_report(struct packet_reader *reader,
971                                     struct command *commands,
972                                     struct strbuf *errmsg)
973 {
974         struct command *cmd;
975         struct command *hint = NULL;
976         struct ref_push_report *report = NULL;
977         int new_report = 0;
978         int code = 0;
979         int once = 0;
980         int response = 0;
981
982         for (;;) {
983                 struct object_id old_oid, new_oid;
984                 const char *head;
985                 const char *refname;
986                 char *p;
987                 enum packet_read_status status;
988
989                 status = packet_reader_read(reader);
990                 if (status != PACKET_READ_NORMAL) {
991                         /* Check whether proc-receive exited abnormally */
992                         if (status == PACKET_READ_EOF && !response) {
993                                 strbuf_addstr(errmsg, "proc-receive exited abnormally");
994                                 return -1;
995                         }
996                         break;
997                 }
998                 response++;
999
1000                 head = reader->line;
1001                 p = strchr(head, ' ');
1002                 if (!p) {
1003                         strbuf_addf(errmsg, "proc-receive reported incomplete status line: '%s'\n", head);
1004                         code = -1;
1005                         continue;
1006                 }
1007                 *p++ = '\0';
1008                 if (!strcmp(head, "option")) {
1009                         const char *key, *val;
1010
1011                         if (!hint || !(report || new_report)) {
1012                                 if (!once++)
1013                                         strbuf_addstr(errmsg, "proc-receive reported 'option' without a matching 'ok/ng' directive\n");
1014                                 code = -1;
1015                                 continue;
1016                         }
1017                         if (new_report) {
1018                                 if (!hint->report) {
1019                                         hint->report = xcalloc(1, sizeof(struct ref_push_report));
1020                                         report = hint->report;
1021                                 } else {
1022                                         report = hint->report;
1023                                         while (report->next)
1024                                                 report = report->next;
1025                                         report->next = xcalloc(1, sizeof(struct ref_push_report));
1026                                         report = report->next;
1027                                 }
1028                                 new_report = 0;
1029                         }
1030                         key = p;
1031                         p = strchr(key, ' ');
1032                         if (p)
1033                                 *p++ = '\0';
1034                         val = p;
1035                         if (!strcmp(key, "refname"))
1036                                 report->ref_name = xstrdup_or_null(val);
1037                         else if (!strcmp(key, "old-oid") && val &&
1038                                  !parse_oid_hex(val, &old_oid, &val))
1039                                 report->old_oid = oiddup(&old_oid);
1040                         else if (!strcmp(key, "new-oid") && val &&
1041                                  !parse_oid_hex(val, &new_oid, &val))
1042                                 report->new_oid = oiddup(&new_oid);
1043                         else if (!strcmp(key, "forced-update"))
1044                                 report->forced_update = 1;
1045                         else if (!strcmp(key, "fall-through"))
1046                                 /* Fall through, let 'receive-pack' to execute it. */
1047                                 hint->run_proc_receive = 0;
1048                         continue;
1049                 }
1050
1051                 report = NULL;
1052                 new_report = 0;
1053                 refname = p;
1054                 p = strchr(refname, ' ');
1055                 if (p)
1056                         *p++ = '\0';
1057                 if (strcmp(head, "ok") && strcmp(head, "ng")) {
1058                         strbuf_addf(errmsg, "proc-receive reported bad status '%s' on ref '%s'\n",
1059                                     head, refname);
1060                         code = -1;
1061                         continue;
1062                 }
1063
1064                 /* first try searching at our hint, falling back to all refs */
1065                 if (hint)
1066                         hint = find_command_by_refname(hint, refname);
1067                 if (!hint)
1068                         hint = find_command_by_refname(commands, refname);
1069                 if (!hint) {
1070                         strbuf_addf(errmsg, "proc-receive reported status on unknown ref: %s\n",
1071                                     refname);
1072                         code = -1;
1073                         continue;
1074                 }
1075                 if (!hint->run_proc_receive) {
1076                         strbuf_addf(errmsg, "proc-receive reported status on unexpected ref: %s\n",
1077                                     refname);
1078                         code = -1;
1079                         continue;
1080                 }
1081                 hint->run_proc_receive |= RUN_PROC_RECEIVE_RETURNED;
1082                 if (!strcmp(head, "ng")) {
1083                         if (p)
1084                                 hint->error_string = xstrdup(p);
1085                         else
1086                                 hint->error_string = "failed";
1087                         code = -1;
1088                         continue;
1089                 }
1090                 new_report = 1;
1091         }
1092
1093         for (cmd = commands; cmd; cmd = cmd->next)
1094                 if (cmd->run_proc_receive && !cmd->error_string &&
1095                     !(cmd->run_proc_receive & RUN_PROC_RECEIVE_RETURNED)) {
1096                     cmd->error_string = "proc-receive failed to report status";
1097                     code = -1;
1098                 }
1099         return code;
1100 }
1101
1102 static int run_proc_receive_hook(struct command *commands,
1103                                  const struct string_list *push_options)
1104 {
1105         struct child_process proc = CHILD_PROCESS_INIT;
1106         struct async muxer;
1107         struct command *cmd;
1108         const char *argv[2];
1109         struct packet_reader reader;
1110         struct strbuf cap = STRBUF_INIT;
1111         struct strbuf errmsg = STRBUF_INIT;
1112         int hook_use_push_options = 0;
1113         int version = 0;
1114         int code;
1115
1116         argv[0] = find_hook("proc-receive");
1117         if (!argv[0]) {
1118                 rp_error("cannot find hook 'proc-receive'");
1119                 return -1;
1120         }
1121         argv[1] = NULL;
1122
1123         proc.argv = argv;
1124         proc.in = -1;
1125         proc.out = -1;
1126         proc.trace2_hook_name = "proc-receive";
1127
1128         if (use_sideband) {
1129                 memset(&muxer, 0, sizeof(muxer));
1130                 muxer.proc = copy_to_sideband;
1131                 muxer.in = -1;
1132                 code = start_async(&muxer);
1133                 if (code)
1134                         return code;
1135                 proc.err = muxer.in;
1136         } else {
1137                 proc.err = 0;
1138         }
1139
1140         code = start_command(&proc);
1141         if (code) {
1142                 if (use_sideband)
1143                         finish_async(&muxer);
1144                 return code;
1145         }
1146
1147         sigchain_push(SIGPIPE, SIG_IGN);
1148
1149         /* Version negotiaton */
1150         packet_reader_init(&reader, proc.out, NULL, 0,
1151                            PACKET_READ_CHOMP_NEWLINE |
1152                            PACKET_READ_GENTLE_ON_EOF);
1153         if (use_atomic)
1154                 strbuf_addstr(&cap, " atomic");
1155         if (use_push_options)
1156                 strbuf_addstr(&cap, " push-options");
1157         if (cap.len) {
1158                 code = packet_write_fmt_gently(proc.in, "version=1%c%s\n", '\0', cap.buf + 1);
1159                 strbuf_release(&cap);
1160         } else {
1161                 code = packet_write_fmt_gently(proc.in, "version=1\n");
1162         }
1163         if (!code)
1164                 code = packet_flush_gently(proc.in);
1165
1166         if (!code)
1167                 for (;;) {
1168                         int linelen;
1169                         enum packet_read_status status;
1170
1171                         status = packet_reader_read(&reader);
1172                         if (status != PACKET_READ_NORMAL) {
1173                                 /* Check whether proc-receive exited abnormally */
1174                                 if (status == PACKET_READ_EOF)
1175                                         code = -1;
1176                                 break;
1177                         }
1178
1179                         if (reader.pktlen > 8 && starts_with(reader.line, "version=")) {
1180                                 version = atoi(reader.line + 8);
1181                                 linelen = strlen(reader.line);
1182                                 if (linelen < reader.pktlen) {
1183                                         const char *feature_list = reader.line + linelen + 1;
1184                                         if (parse_feature_request(feature_list, "push-options"))
1185                                                 hook_use_push_options = 1;
1186                                 }
1187                         }
1188                 }
1189
1190         if (code) {
1191                 strbuf_addstr(&errmsg, "fail to negotiate version with proc-receive hook");
1192                 goto cleanup;
1193         }
1194
1195         switch (version) {
1196         case 0:
1197                 /* fallthrough */
1198         case 1:
1199                 break;
1200         default:
1201                 strbuf_addf(&errmsg, "proc-receive version '%d' is not supported",
1202                             version);
1203                 code = -1;
1204                 goto cleanup;
1205         }
1206
1207         /* Send commands */
1208         for (cmd = commands; cmd; cmd = cmd->next) {
1209                 if (!cmd->run_proc_receive || cmd->skip_update || cmd->error_string)
1210                         continue;
1211                 code = packet_write_fmt_gently(proc.in, "%s %s %s",
1212                                                oid_to_hex(&cmd->old_oid),
1213                                                oid_to_hex(&cmd->new_oid),
1214                                                cmd->ref_name);
1215                 if (code)
1216                         break;
1217         }
1218         if (!code)
1219                 code = packet_flush_gently(proc.in);
1220         if (code) {
1221                 strbuf_addstr(&errmsg, "fail to write commands to proc-receive hook");
1222                 goto cleanup;
1223         }
1224
1225         /* Send push options */
1226         if (hook_use_push_options) {
1227                 struct string_list_item *item;
1228
1229                 for_each_string_list_item(item, push_options) {
1230                         code = packet_write_fmt_gently(proc.in, "%s", item->string);
1231                         if (code)
1232                                 break;
1233                 }
1234                 if (!code)
1235                         code = packet_flush_gently(proc.in);
1236                 if (code) {
1237                         strbuf_addstr(&errmsg,
1238                                       "fail to write push-options to proc-receive hook");
1239                         goto cleanup;
1240                 }
1241         }
1242
1243         /* Read result from proc-receive */
1244         code = read_proc_receive_report(&reader, commands, &errmsg);
1245
1246 cleanup:
1247         close(proc.in);
1248         close(proc.out);
1249         if (use_sideband)
1250                 finish_async(&muxer);
1251         if (finish_command(&proc))
1252                 code = -1;
1253         if (errmsg.len >0) {
1254                 char *p = errmsg.buf;
1255
1256                 p += errmsg.len - 1;
1257                 if (*p == '\n')
1258                         *p = '\0';
1259                 rp_error("%s", errmsg.buf);
1260                 strbuf_release(&errmsg);
1261         }
1262         sigchain_pop(SIGPIPE);
1263
1264         return code;
1265 }
1266
1267 static char *refuse_unconfigured_deny_msg =
1268         N_("By default, updating the current branch in a non-bare repository\n"
1269            "is denied, because it will make the index and work tree inconsistent\n"
1270            "with what you pushed, and will require 'git reset --hard' to match\n"
1271            "the work tree to HEAD.\n"
1272            "\n"
1273            "You can set the 'receive.denyCurrentBranch' configuration variable\n"
1274            "to 'ignore' or 'warn' in the remote repository to allow pushing into\n"
1275            "its current branch; however, this is not recommended unless you\n"
1276            "arranged to update its work tree to match what you pushed in some\n"
1277            "other way.\n"
1278            "\n"
1279            "To squelch this message and still keep the default behaviour, set\n"
1280            "'receive.denyCurrentBranch' configuration variable to 'refuse'.");
1281
1282 static void refuse_unconfigured_deny(void)
1283 {
1284         rp_error("%s", _(refuse_unconfigured_deny_msg));
1285 }
1286
1287 static char *refuse_unconfigured_deny_delete_current_msg =
1288         N_("By default, deleting the current branch is denied, because the next\n"
1289            "'git clone' won't result in any file checked out, causing confusion.\n"
1290            "\n"
1291            "You can set 'receive.denyDeleteCurrent' configuration variable to\n"
1292            "'warn' or 'ignore' in the remote repository to allow deleting the\n"
1293            "current branch, with or without a warning message.\n"
1294            "\n"
1295            "To squelch this message, you can set it to 'refuse'.");
1296
1297 static void refuse_unconfigured_deny_delete_current(void)
1298 {
1299         rp_error("%s", _(refuse_unconfigured_deny_delete_current_msg));
1300 }
1301
1302 static int command_singleton_iterator(void *cb_data, struct object_id *oid);
1303 static int update_shallow_ref(struct command *cmd, struct shallow_info *si)
1304 {
1305         struct shallow_lock shallow_lock = SHALLOW_LOCK_INIT;
1306         struct oid_array extra = OID_ARRAY_INIT;
1307         struct check_connected_options opt = CHECK_CONNECTED_INIT;
1308         uint32_t mask = 1 << (cmd->index % 32);
1309         int i;
1310
1311         trace_printf_key(&trace_shallow,
1312                          "shallow: update_shallow_ref %s\n", cmd->ref_name);
1313         for (i = 0; i < si->shallow->nr; i++)
1314                 if (si->used_shallow[i] &&
1315                     (si->used_shallow[i][cmd->index / 32] & mask) &&
1316                     !delayed_reachability_test(si, i))
1317                         oid_array_append(&extra, &si->shallow->oid[i]);
1318
1319         opt.env = tmp_objdir_env(tmp_objdir);
1320         setup_alternate_shallow(&shallow_lock, &opt.shallow_file, &extra);
1321         if (check_connected(command_singleton_iterator, cmd, &opt)) {
1322                 rollback_shallow_file(the_repository, &shallow_lock);
1323                 oid_array_clear(&extra);
1324                 return -1;
1325         }
1326
1327         commit_shallow_file(the_repository, &shallow_lock);
1328
1329         /*
1330          * Make sure setup_alternate_shallow() for the next ref does
1331          * not lose these new roots..
1332          */
1333         for (i = 0; i < extra.nr; i++)
1334                 register_shallow(the_repository, &extra.oid[i]);
1335
1336         si->shallow_ref[cmd->index] = 0;
1337         oid_array_clear(&extra);
1338         return 0;
1339 }
1340
1341 /*
1342  * NEEDSWORK: we should consolidate various implementions of "are we
1343  * on an unborn branch?" test into one, and make the unified one more
1344  * robust. !get_sha1() based check used here and elsewhere would not
1345  * allow us to tell an unborn branch from corrupt ref, for example.
1346  * For the purpose of fixing "deploy-to-update does not work when
1347  * pushing into an empty repository" issue, this should suffice for
1348  * now.
1349  */
1350 static int head_has_history(void)
1351 {
1352         struct object_id oid;
1353
1354         return !get_oid("HEAD", &oid);
1355 }
1356
1357 static const char *push_to_deploy(unsigned char *sha1,
1358                                   struct strvec *env,
1359                                   const char *work_tree)
1360 {
1361         const char *update_refresh[] = {
1362                 "update-index", "-q", "--ignore-submodules", "--refresh", NULL
1363         };
1364         const char *diff_files[] = {
1365                 "diff-files", "--quiet", "--ignore-submodules", "--", NULL
1366         };
1367         const char *diff_index[] = {
1368                 "diff-index", "--quiet", "--cached", "--ignore-submodules",
1369                 NULL, "--", NULL
1370         };
1371         const char *read_tree[] = {
1372                 "read-tree", "-u", "-m", NULL, NULL
1373         };
1374         struct child_process child = CHILD_PROCESS_INIT;
1375
1376         child.argv = update_refresh;
1377         child.env = env->v;
1378         child.dir = work_tree;
1379         child.no_stdin = 1;
1380         child.stdout_to_stderr = 1;
1381         child.git_cmd = 1;
1382         if (run_command(&child))
1383                 return "Up-to-date check failed";
1384
1385         /* run_command() does not clean up completely; reinitialize */
1386         child_process_init(&child);
1387         child.argv = diff_files;
1388         child.env = env->v;
1389         child.dir = work_tree;
1390         child.no_stdin = 1;
1391         child.stdout_to_stderr = 1;
1392         child.git_cmd = 1;
1393         if (run_command(&child))
1394                 return "Working directory has unstaged changes";
1395
1396         /* diff-index with either HEAD or an empty tree */
1397         diff_index[4] = head_has_history() ? "HEAD" : empty_tree_oid_hex();
1398
1399         child_process_init(&child);
1400         child.argv = diff_index;
1401         child.env = env->v;
1402         child.no_stdin = 1;
1403         child.no_stdout = 1;
1404         child.stdout_to_stderr = 0;
1405         child.git_cmd = 1;
1406         if (run_command(&child))
1407                 return "Working directory has staged changes";
1408
1409         read_tree[3] = hash_to_hex(sha1);
1410         child_process_init(&child);
1411         child.argv = read_tree;
1412         child.env = env->v;
1413         child.dir = work_tree;
1414         child.no_stdin = 1;
1415         child.no_stdout = 1;
1416         child.stdout_to_stderr = 0;
1417         child.git_cmd = 1;
1418         if (run_command(&child))
1419                 return "Could not update working tree to new HEAD";
1420
1421         return NULL;
1422 }
1423
1424 static const char *push_to_checkout_hook = "push-to-checkout";
1425
1426 static const char *push_to_checkout(unsigned char *hash,
1427                                     struct strvec *env,
1428                                     const char *work_tree)
1429 {
1430         strvec_pushf(env, "GIT_WORK_TREE=%s", absolute_path(work_tree));
1431         if (run_hook_le(env->v, push_to_checkout_hook,
1432                         hash_to_hex(hash), NULL))
1433                 return "push-to-checkout hook declined";
1434         else
1435                 return NULL;
1436 }
1437
1438 static const char *update_worktree(unsigned char *sha1, const struct worktree *worktree)
1439 {
1440         const char *retval, *work_tree, *git_dir = NULL;
1441         struct strvec env = STRVEC_INIT;
1442
1443         if (worktree && worktree->path)
1444                 work_tree = worktree->path;
1445         else if (git_work_tree_cfg)
1446                 work_tree = git_work_tree_cfg;
1447         else
1448                 work_tree = "..";
1449
1450         if (is_bare_repository())
1451                 return "denyCurrentBranch = updateInstead needs a worktree";
1452         if (worktree)
1453                 git_dir = get_worktree_git_dir(worktree);
1454         if (!git_dir)
1455                 git_dir = get_git_dir();
1456
1457         strvec_pushf(&env, "GIT_DIR=%s", absolute_path(git_dir));
1458
1459         if (!find_hook(push_to_checkout_hook))
1460                 retval = push_to_deploy(sha1, &env, work_tree);
1461         else
1462                 retval = push_to_checkout(sha1, &env, work_tree);
1463
1464         strvec_clear(&env);
1465         return retval;
1466 }
1467
1468 static const char *update(struct command *cmd, struct shallow_info *si)
1469 {
1470         const char *name = cmd->ref_name;
1471         struct strbuf namespaced_name_buf = STRBUF_INIT;
1472         static char *namespaced_name;
1473         const char *ret;
1474         struct object_id *old_oid = &cmd->old_oid;
1475         struct object_id *new_oid = &cmd->new_oid;
1476         int do_update_worktree = 0;
1477         const struct worktree *worktree = is_bare_repository() ? NULL : find_shared_symref("HEAD", name);
1478
1479         /* only refs/... are allowed */
1480         if (!starts_with(name, "refs/") || check_refname_format(name + 5, 0)) {
1481                 rp_error("refusing to create funny ref '%s' remotely", name);
1482                 return "funny refname";
1483         }
1484
1485         strbuf_addf(&namespaced_name_buf, "%s%s", get_git_namespace(), name);
1486         free(namespaced_name);
1487         namespaced_name = strbuf_detach(&namespaced_name_buf, NULL);
1488
1489         if (worktree) {
1490                 switch (deny_current_branch) {
1491                 case DENY_IGNORE:
1492                         break;
1493                 case DENY_WARN:
1494                         rp_warning("updating the current branch");
1495                         break;
1496                 case DENY_REFUSE:
1497                 case DENY_UNCONFIGURED:
1498                         rp_error("refusing to update checked out branch: %s", name);
1499                         if (deny_current_branch == DENY_UNCONFIGURED)
1500                                 refuse_unconfigured_deny();
1501                         return "branch is currently checked out";
1502                 case DENY_UPDATE_INSTEAD:
1503                         /* pass -- let other checks intervene first */
1504                         do_update_worktree = 1;
1505                         break;
1506                 }
1507         }
1508
1509         if (!is_null_oid(new_oid) && !has_object_file(new_oid)) {
1510                 error("unpack should have generated %s, "
1511                       "but I can't find it!", oid_to_hex(new_oid));
1512                 return "bad pack";
1513         }
1514
1515         if (!is_null_oid(old_oid) && is_null_oid(new_oid)) {
1516                 if (deny_deletes && starts_with(name, "refs/heads/")) {
1517                         rp_error("denying ref deletion for %s", name);
1518                         return "deletion prohibited";
1519                 }
1520
1521                 if (worktree || (head_name && !strcmp(namespaced_name, head_name))) {
1522                         switch (deny_delete_current) {
1523                         case DENY_IGNORE:
1524                                 break;
1525                         case DENY_WARN:
1526                                 rp_warning("deleting the current branch");
1527                                 break;
1528                         case DENY_REFUSE:
1529                         case DENY_UNCONFIGURED:
1530                         case DENY_UPDATE_INSTEAD:
1531                                 if (deny_delete_current == DENY_UNCONFIGURED)
1532                                         refuse_unconfigured_deny_delete_current();
1533                                 rp_error("refusing to delete the current branch: %s", name);
1534                                 return "deletion of the current branch prohibited";
1535                         default:
1536                                 return "Invalid denyDeleteCurrent setting";
1537                         }
1538                 }
1539         }
1540
1541         if (deny_non_fast_forwards && !is_null_oid(new_oid) &&
1542             !is_null_oid(old_oid) &&
1543             starts_with(name, "refs/heads/")) {
1544                 struct object *old_object, *new_object;
1545                 struct commit *old_commit, *new_commit;
1546
1547                 old_object = parse_object(the_repository, old_oid);
1548                 new_object = parse_object(the_repository, new_oid);
1549
1550                 if (!old_object || !new_object ||
1551                     old_object->type != OBJ_COMMIT ||
1552                     new_object->type != OBJ_COMMIT) {
1553                         error("bad sha1 objects for %s", name);
1554                         return "bad ref";
1555                 }
1556                 old_commit = (struct commit *)old_object;
1557                 new_commit = (struct commit *)new_object;
1558                 if (!in_merge_bases(old_commit, new_commit)) {
1559                         rp_error("denying non-fast-forward %s"
1560                                  " (you should pull first)", name);
1561                         return "non-fast-forward";
1562                 }
1563         }
1564         if (run_update_hook(cmd)) {
1565                 rp_error("hook declined to update %s", name);
1566                 return "hook declined";
1567         }
1568
1569         if (do_update_worktree) {
1570                 ret = update_worktree(new_oid->hash, find_shared_symref("HEAD", name));
1571                 if (ret)
1572                         return ret;
1573         }
1574
1575         if (is_null_oid(new_oid)) {
1576                 struct strbuf err = STRBUF_INIT;
1577                 if (!parse_object(the_repository, old_oid)) {
1578                         old_oid = NULL;
1579                         if (ref_exists(name)) {
1580                                 rp_warning("Allowing deletion of corrupt ref.");
1581                         } else {
1582                                 rp_warning("Deleting a non-existent ref.");
1583                                 cmd->did_not_exist = 1;
1584                         }
1585                 }
1586                 if (ref_transaction_delete(transaction,
1587                                            namespaced_name,
1588                                            old_oid,
1589                                            0, "push", &err)) {
1590                         rp_error("%s", err.buf);
1591                         strbuf_release(&err);
1592                         return "failed to delete";
1593                 }
1594                 strbuf_release(&err);
1595                 return NULL; /* good */
1596         }
1597         else {
1598                 struct strbuf err = STRBUF_INIT;
1599                 if (shallow_update && si->shallow_ref[cmd->index] &&
1600                     update_shallow_ref(cmd, si))
1601                         return "shallow error";
1602
1603                 if (ref_transaction_update(transaction,
1604                                            namespaced_name,
1605                                            new_oid, old_oid,
1606                                            0, "push",
1607                                            &err)) {
1608                         rp_error("%s", err.buf);
1609                         strbuf_release(&err);
1610
1611                         return "failed to update ref";
1612                 }
1613                 strbuf_release(&err);
1614
1615                 return NULL; /* good */
1616         }
1617 }
1618
1619 static void run_update_post_hook(struct command *commands)
1620 {
1621         struct command *cmd;
1622         struct child_process proc = CHILD_PROCESS_INIT;
1623         const char *hook;
1624
1625         hook = find_hook("post-update");
1626         if (!hook)
1627                 return;
1628
1629         for (cmd = commands; cmd; cmd = cmd->next) {
1630                 if (cmd->error_string || cmd->did_not_exist)
1631                         continue;
1632                 if (!proc.args.nr)
1633                         strvec_push(&proc.args, hook);
1634                 strvec_push(&proc.args, cmd->ref_name);
1635         }
1636         if (!proc.args.nr)
1637                 return;
1638
1639         proc.no_stdin = 1;
1640         proc.stdout_to_stderr = 1;
1641         proc.err = use_sideband ? -1 : 0;
1642         proc.trace2_hook_name = "post-update";
1643
1644         if (!start_command(&proc)) {
1645                 if (use_sideband)
1646                         copy_to_sideband(proc.err, -1, NULL);
1647                 finish_command(&proc);
1648         }
1649 }
1650
1651 static void check_aliased_update_internal(struct command *cmd,
1652                                           struct string_list *list,
1653                                           const char *dst_name, int flag)
1654 {
1655         struct string_list_item *item;
1656         struct command *dst_cmd;
1657
1658         if (!(flag & REF_ISSYMREF))
1659                 return;
1660
1661         if (!dst_name) {
1662                 rp_error("refusing update to broken symref '%s'", cmd->ref_name);
1663                 cmd->skip_update = 1;
1664                 cmd->error_string = "broken symref";
1665                 return;
1666         }
1667         dst_name = strip_namespace(dst_name);
1668
1669         if ((item = string_list_lookup(list, dst_name)) == NULL)
1670                 return;
1671
1672         cmd->skip_update = 1;
1673
1674         dst_cmd = (struct command *) item->util;
1675
1676         if (oideq(&cmd->old_oid, &dst_cmd->old_oid) &&
1677             oideq(&cmd->new_oid, &dst_cmd->new_oid))
1678                 return;
1679
1680         dst_cmd->skip_update = 1;
1681
1682         rp_error("refusing inconsistent update between symref '%s' (%s..%s) and"
1683                  " its target '%s' (%s..%s)",
1684                  cmd->ref_name,
1685                  find_unique_abbrev(&cmd->old_oid, DEFAULT_ABBREV),
1686                  find_unique_abbrev(&cmd->new_oid, DEFAULT_ABBREV),
1687                  dst_cmd->ref_name,
1688                  find_unique_abbrev(&dst_cmd->old_oid, DEFAULT_ABBREV),
1689                  find_unique_abbrev(&dst_cmd->new_oid, DEFAULT_ABBREV));
1690
1691         cmd->error_string = dst_cmd->error_string =
1692                 "inconsistent aliased update";
1693 }
1694
1695 static void check_aliased_update(struct command *cmd, struct string_list *list)
1696 {
1697         struct strbuf buf = STRBUF_INIT;
1698         const char *dst_name;
1699         int flag;
1700
1701         strbuf_addf(&buf, "%s%s", get_git_namespace(), cmd->ref_name);
1702         dst_name = resolve_ref_unsafe(buf.buf, 0, NULL, &flag);
1703         check_aliased_update_internal(cmd, list, dst_name, flag);
1704         strbuf_release(&buf);
1705 }
1706
1707 static void check_aliased_updates(struct command *commands)
1708 {
1709         struct command *cmd;
1710         struct string_list ref_list = STRING_LIST_INIT_NODUP;
1711
1712         for (cmd = commands; cmd; cmd = cmd->next) {
1713                 struct string_list_item *item =
1714                         string_list_append(&ref_list, cmd->ref_name);
1715                 item->util = (void *)cmd;
1716         }
1717         string_list_sort(&ref_list);
1718
1719         for (cmd = commands; cmd; cmd = cmd->next) {
1720                 if (!cmd->error_string)
1721                         check_aliased_update(cmd, &ref_list);
1722         }
1723
1724         string_list_clear(&ref_list, 0);
1725 }
1726
1727 static int command_singleton_iterator(void *cb_data, struct object_id *oid)
1728 {
1729         struct command **cmd_list = cb_data;
1730         struct command *cmd = *cmd_list;
1731
1732         if (!cmd || is_null_oid(&cmd->new_oid))
1733                 return -1; /* end of list */
1734         *cmd_list = NULL; /* this returns only one */
1735         oidcpy(oid, &cmd->new_oid);
1736         return 0;
1737 }
1738
1739 static void set_connectivity_errors(struct command *commands,
1740                                     struct shallow_info *si)
1741 {
1742         struct command *cmd;
1743
1744         for (cmd = commands; cmd; cmd = cmd->next) {
1745                 struct command *singleton = cmd;
1746                 struct check_connected_options opt = CHECK_CONNECTED_INIT;
1747
1748                 if (shallow_update && si->shallow_ref[cmd->index])
1749                         /* to be checked in update_shallow_ref() */
1750                         continue;
1751
1752                 opt.env = tmp_objdir_env(tmp_objdir);
1753                 if (!check_connected(command_singleton_iterator, &singleton,
1754                                      &opt))
1755                         continue;
1756
1757                 cmd->error_string = "missing necessary objects";
1758         }
1759 }
1760
1761 struct iterate_data {
1762         struct command *cmds;
1763         struct shallow_info *si;
1764 };
1765
1766 static int iterate_receive_command_list(void *cb_data, struct object_id *oid)
1767 {
1768         struct iterate_data *data = cb_data;
1769         struct command **cmd_list = &data->cmds;
1770         struct command *cmd = *cmd_list;
1771
1772         for (; cmd; cmd = cmd->next) {
1773                 if (shallow_update && data->si->shallow_ref[cmd->index])
1774                         /* to be checked in update_shallow_ref() */
1775                         continue;
1776                 if (!is_null_oid(&cmd->new_oid) && !cmd->skip_update) {
1777                         oidcpy(oid, &cmd->new_oid);
1778                         *cmd_list = cmd->next;
1779                         return 0;
1780                 }
1781         }
1782         *cmd_list = NULL;
1783         return -1; /* end of list */
1784 }
1785
1786 static void reject_updates_to_hidden(struct command *commands)
1787 {
1788         struct strbuf refname_full = STRBUF_INIT;
1789         size_t prefix_len;
1790         struct command *cmd;
1791
1792         strbuf_addstr(&refname_full, get_git_namespace());
1793         prefix_len = refname_full.len;
1794
1795         for (cmd = commands; cmd; cmd = cmd->next) {
1796                 if (cmd->error_string)
1797                         continue;
1798
1799                 strbuf_setlen(&refname_full, prefix_len);
1800                 strbuf_addstr(&refname_full, cmd->ref_name);
1801
1802                 if (!ref_is_hidden(cmd->ref_name, refname_full.buf))
1803                         continue;
1804                 if (is_null_oid(&cmd->new_oid))
1805                         cmd->error_string = "deny deleting a hidden ref";
1806                 else
1807                         cmd->error_string = "deny updating a hidden ref";
1808         }
1809
1810         strbuf_release(&refname_full);
1811 }
1812
1813 static int should_process_cmd(struct command *cmd)
1814 {
1815         return !cmd->error_string && !cmd->skip_update;
1816 }
1817
1818 static void warn_if_skipped_connectivity_check(struct command *commands,
1819                                                struct shallow_info *si)
1820 {
1821         struct command *cmd;
1822         int checked_connectivity = 1;
1823
1824         for (cmd = commands; cmd; cmd = cmd->next) {
1825                 if (should_process_cmd(cmd) && si->shallow_ref[cmd->index]) {
1826                         error("BUG: connectivity check has not been run on ref %s",
1827                               cmd->ref_name);
1828                         checked_connectivity = 0;
1829                 }
1830         }
1831         if (!checked_connectivity)
1832                 BUG("connectivity check skipped???");
1833 }
1834
1835 static void execute_commands_non_atomic(struct command *commands,
1836                                         struct shallow_info *si)
1837 {
1838         struct command *cmd;
1839         struct strbuf err = STRBUF_INIT;
1840
1841         for (cmd = commands; cmd; cmd = cmd->next) {
1842                 if (!should_process_cmd(cmd) || cmd->run_proc_receive)
1843                         continue;
1844
1845                 transaction = ref_transaction_begin(&err);
1846                 if (!transaction) {
1847                         rp_error("%s", err.buf);
1848                         strbuf_reset(&err);
1849                         cmd->error_string = "transaction failed to start";
1850                         continue;
1851                 }
1852
1853                 cmd->error_string = update(cmd, si);
1854
1855                 if (!cmd->error_string
1856                     && ref_transaction_commit(transaction, &err)) {
1857                         rp_error("%s", err.buf);
1858                         strbuf_reset(&err);
1859                         cmd->error_string = "failed to update ref";
1860                 }
1861                 ref_transaction_free(transaction);
1862         }
1863         strbuf_release(&err);
1864 }
1865
1866 static void execute_commands_atomic(struct command *commands,
1867                                         struct shallow_info *si)
1868 {
1869         struct command *cmd;
1870         struct strbuf err = STRBUF_INIT;
1871         const char *reported_error = "atomic push failure";
1872
1873         transaction = ref_transaction_begin(&err);
1874         if (!transaction) {
1875                 rp_error("%s", err.buf);
1876                 strbuf_reset(&err);
1877                 reported_error = "transaction failed to start";
1878                 goto failure;
1879         }
1880
1881         for (cmd = commands; cmd; cmd = cmd->next) {
1882                 if (!should_process_cmd(cmd) || cmd->run_proc_receive)
1883                         continue;
1884
1885                 cmd->error_string = update(cmd, si);
1886
1887                 if (cmd->error_string)
1888                         goto failure;
1889         }
1890
1891         if (ref_transaction_commit(transaction, &err)) {
1892                 rp_error("%s", err.buf);
1893                 reported_error = "atomic transaction failed";
1894                 goto failure;
1895         }
1896         goto cleanup;
1897
1898 failure:
1899         for (cmd = commands; cmd; cmd = cmd->next)
1900                 if (!cmd->error_string)
1901                         cmd->error_string = reported_error;
1902
1903 cleanup:
1904         ref_transaction_free(transaction);
1905         strbuf_release(&err);
1906 }
1907
1908 static void execute_commands(struct command *commands,
1909                              const char *unpacker_error,
1910                              struct shallow_info *si,
1911                              const struct string_list *push_options)
1912 {
1913         struct check_connected_options opt = CHECK_CONNECTED_INIT;
1914         struct command *cmd;
1915         struct iterate_data data;
1916         struct async muxer;
1917         int err_fd = 0;
1918         int run_proc_receive = 0;
1919
1920         if (unpacker_error) {
1921                 for (cmd = commands; cmd; cmd = cmd->next)
1922                         cmd->error_string = "unpacker error";
1923                 return;
1924         }
1925
1926         if (use_sideband) {
1927                 memset(&muxer, 0, sizeof(muxer));
1928                 muxer.proc = copy_to_sideband;
1929                 muxer.in = -1;
1930                 if (!start_async(&muxer))
1931                         err_fd = muxer.in;
1932                 /* ...else, continue without relaying sideband */
1933         }
1934
1935         data.cmds = commands;
1936         data.si = si;
1937         opt.err_fd = err_fd;
1938         opt.progress = err_fd && !quiet;
1939         opt.env = tmp_objdir_env(tmp_objdir);
1940         if (check_connected(iterate_receive_command_list, &data, &opt))
1941                 set_connectivity_errors(commands, si);
1942
1943         if (use_sideband)
1944                 finish_async(&muxer);
1945
1946         reject_updates_to_hidden(commands);
1947
1948         /*
1949          * Try to find commands that have special prefix in their reference names,
1950          * and mark them to run an external "proc-receive" hook later.
1951          */
1952         if (proc_receive_ref) {
1953                 for (cmd = commands; cmd; cmd = cmd->next) {
1954                         if (!should_process_cmd(cmd))
1955                                 continue;
1956
1957                         if (proc_receive_ref_matches(cmd)) {
1958                                 cmd->run_proc_receive = RUN_PROC_RECEIVE_SCHEDULED;
1959                                 run_proc_receive = 1;
1960                         }
1961                 }
1962         }
1963
1964         if (run_receive_hook(commands, "pre-receive", 0, push_options)) {
1965                 for (cmd = commands; cmd; cmd = cmd->next) {
1966                         if (!cmd->error_string)
1967                                 cmd->error_string = "pre-receive hook declined";
1968                 }
1969                 return;
1970         }
1971
1972         /*
1973          * Now we'll start writing out refs, which means the objects need
1974          * to be in their final positions so that other processes can see them.
1975          */
1976         if (tmp_objdir_migrate(tmp_objdir) < 0) {
1977                 for (cmd = commands; cmd; cmd = cmd->next) {
1978                         if (!cmd->error_string)
1979                                 cmd->error_string = "unable to migrate objects to permanent storage";
1980                 }
1981                 return;
1982         }
1983         tmp_objdir = NULL;
1984
1985         check_aliased_updates(commands);
1986
1987         free(head_name_to_free);
1988         head_name = head_name_to_free = resolve_refdup("HEAD", 0, NULL, NULL);
1989
1990         if (run_proc_receive &&
1991             run_proc_receive_hook(commands, push_options))
1992                 for (cmd = commands; cmd; cmd = cmd->next)
1993                         if (!cmd->error_string &&
1994                             !(cmd->run_proc_receive & RUN_PROC_RECEIVE_RETURNED) &&
1995                             (cmd->run_proc_receive || use_atomic))
1996                                 cmd->error_string = "fail to run proc-receive hook";
1997
1998         if (use_atomic)
1999                 execute_commands_atomic(commands, si);
2000         else
2001                 execute_commands_non_atomic(commands, si);
2002
2003         if (shallow_update)
2004                 warn_if_skipped_connectivity_check(commands, si);
2005 }
2006
2007 static struct command **queue_command(struct command **tail,
2008                                       const char *line,
2009                                       int linelen)
2010 {
2011         struct object_id old_oid, new_oid;
2012         struct command *cmd;
2013         const char *refname;
2014         int reflen;
2015         const char *p;
2016
2017         if (parse_oid_hex(line, &old_oid, &p) ||
2018             *p++ != ' ' ||
2019             parse_oid_hex(p, &new_oid, &p) ||
2020             *p++ != ' ')
2021                 die("protocol error: expected old/new/ref, got '%s'", line);
2022
2023         refname = p;
2024         reflen = linelen - (p - line);
2025         FLEX_ALLOC_MEM(cmd, ref_name, refname, reflen);
2026         oidcpy(&cmd->old_oid, &old_oid);
2027         oidcpy(&cmd->new_oid, &new_oid);
2028         *tail = cmd;
2029         return &cmd->next;
2030 }
2031
2032 static void queue_commands_from_cert(struct command **tail,
2033                                      struct strbuf *push_cert)
2034 {
2035         const char *boc, *eoc;
2036
2037         if (*tail)
2038                 die("protocol error: got both push certificate and unsigned commands");
2039
2040         boc = strstr(push_cert->buf, "\n\n");
2041         if (!boc)
2042                 die("malformed push certificate %.*s", 100, push_cert->buf);
2043         else
2044                 boc += 2;
2045         eoc = push_cert->buf + parse_signature(push_cert->buf, push_cert->len);
2046
2047         while (boc < eoc) {
2048                 const char *eol = memchr(boc, '\n', eoc - boc);
2049                 tail = queue_command(tail, boc, eol ? eol - boc : eoc - boc);
2050                 boc = eol ? eol + 1 : eoc;
2051         }
2052 }
2053
2054 static struct command *read_head_info(struct packet_reader *reader,
2055                                       struct oid_array *shallow)
2056 {
2057         struct command *commands = NULL;
2058         struct command **p = &commands;
2059         for (;;) {
2060                 int linelen;
2061
2062                 if (packet_reader_read(reader) != PACKET_READ_NORMAL)
2063                         break;
2064
2065                 if (reader->pktlen > 8 && starts_with(reader->line, "shallow ")) {
2066                         struct object_id oid;
2067                         if (get_oid_hex(reader->line + 8, &oid))
2068                                 die("protocol error: expected shallow sha, got '%s'",
2069                                     reader->line + 8);
2070                         oid_array_append(shallow, &oid);
2071                         continue;
2072                 }
2073
2074                 linelen = strlen(reader->line);
2075                 if (linelen < reader->pktlen) {
2076                         const char *feature_list = reader->line + linelen + 1;
2077                         const char *hash = NULL;
2078                         int len = 0;
2079                         if (parse_feature_request(feature_list, "report-status"))
2080                                 report_status = 1;
2081                         if (parse_feature_request(feature_list, "report-status-v2"))
2082                                 report_status_v2 = 1;
2083                         if (parse_feature_request(feature_list, "side-band-64k"))
2084                                 use_sideband = LARGE_PACKET_MAX;
2085                         if (parse_feature_request(feature_list, "quiet"))
2086                                 quiet = 1;
2087                         if (advertise_atomic_push
2088                             && parse_feature_request(feature_list, "atomic"))
2089                                 use_atomic = 1;
2090                         if (advertise_push_options
2091                             && parse_feature_request(feature_list, "push-options"))
2092                                 use_push_options = 1;
2093                         hash = parse_feature_value(feature_list, "object-format", &len, NULL);
2094                         if (!hash) {
2095                                 hash = hash_algos[GIT_HASH_SHA1].name;
2096                                 len = strlen(hash);
2097                         }
2098                         if (xstrncmpz(the_hash_algo->name, hash, len))
2099                                 die("error: unsupported object format '%s'", hash);
2100                 }
2101
2102                 if (!strcmp(reader->line, "push-cert")) {
2103                         int true_flush = 0;
2104                         int saved_options = reader->options;
2105                         reader->options &= ~PACKET_READ_CHOMP_NEWLINE;
2106
2107                         for (;;) {
2108                                 packet_reader_read(reader);
2109                                 if (reader->status == PACKET_READ_FLUSH) {
2110                                         true_flush = 1;
2111                                         break;
2112                                 }
2113                                 if (reader->status != PACKET_READ_NORMAL) {
2114                                         die("protocol error: got an unexpected packet");
2115                                 }
2116                                 if (!strcmp(reader->line, "push-cert-end\n"))
2117                                         break; /* end of cert */
2118                                 strbuf_addstr(&push_cert, reader->line);
2119                         }
2120                         reader->options = saved_options;
2121
2122                         if (true_flush)
2123                                 break;
2124                         continue;
2125                 }
2126
2127                 p = queue_command(p, reader->line, linelen);
2128         }
2129
2130         if (push_cert.len)
2131                 queue_commands_from_cert(p, &push_cert);
2132
2133         return commands;
2134 }
2135
2136 static void read_push_options(struct packet_reader *reader,
2137                               struct string_list *options)
2138 {
2139         while (1) {
2140                 if (packet_reader_read(reader) != PACKET_READ_NORMAL)
2141                         break;
2142
2143                 string_list_append(options, reader->line);
2144         }
2145 }
2146
2147 static const char *parse_pack_header(struct pack_header *hdr)
2148 {
2149         switch (read_pack_header(0, hdr)) {
2150         case PH_ERROR_EOF:
2151                 return "eof before pack header was fully read";
2152
2153         case PH_ERROR_PACK_SIGNATURE:
2154                 return "protocol error (pack signature mismatch detected)";
2155
2156         case PH_ERROR_PROTOCOL:
2157                 return "protocol error (pack version unsupported)";
2158
2159         default:
2160                 return "unknown error in parse_pack_header";
2161
2162         case 0:
2163                 return NULL;
2164         }
2165 }
2166
2167 static const char *pack_lockfile;
2168
2169 static void push_header_arg(struct strvec *args, struct pack_header *hdr)
2170 {
2171         strvec_pushf(args, "--pack_header=%"PRIu32",%"PRIu32,
2172                      ntohl(hdr->hdr_version), ntohl(hdr->hdr_entries));
2173 }
2174
2175 static const char *unpack(int err_fd, struct shallow_info *si)
2176 {
2177         struct pack_header hdr;
2178         const char *hdr_err;
2179         int status;
2180         struct child_process child = CHILD_PROCESS_INIT;
2181         int fsck_objects = (receive_fsck_objects >= 0
2182                             ? receive_fsck_objects
2183                             : transfer_fsck_objects >= 0
2184                             ? transfer_fsck_objects
2185                             : 0);
2186
2187         hdr_err = parse_pack_header(&hdr);
2188         if (hdr_err) {
2189                 if (err_fd > 0)
2190                         close(err_fd);
2191                 return hdr_err;
2192         }
2193
2194         if (si->nr_ours || si->nr_theirs) {
2195                 alt_shallow_file = setup_temporary_shallow(si->shallow);
2196                 strvec_push(&child.args, "--shallow-file");
2197                 strvec_push(&child.args, alt_shallow_file);
2198         }
2199
2200         tmp_objdir = tmp_objdir_create();
2201         if (!tmp_objdir) {
2202                 if (err_fd > 0)
2203                         close(err_fd);
2204                 return "unable to create temporary object directory";
2205         }
2206         child.env = tmp_objdir_env(tmp_objdir);
2207
2208         /*
2209          * Normally we just pass the tmp_objdir environment to the child
2210          * processes that do the heavy lifting, but we may need to see these
2211          * objects ourselves to set up shallow information.
2212          */
2213         tmp_objdir_add_as_alternate(tmp_objdir);
2214
2215         if (ntohl(hdr.hdr_entries) < unpack_limit) {
2216                 strvec_push(&child.args, "unpack-objects");
2217                 push_header_arg(&child.args, &hdr);
2218                 if (quiet)
2219                         strvec_push(&child.args, "-q");
2220                 if (fsck_objects)
2221                         strvec_pushf(&child.args, "--strict%s",
2222                                      fsck_msg_types.buf);
2223                 if (max_input_size)
2224                         strvec_pushf(&child.args, "--max-input-size=%"PRIuMAX,
2225                                      (uintmax_t)max_input_size);
2226                 child.no_stdout = 1;
2227                 child.err = err_fd;
2228                 child.git_cmd = 1;
2229                 status = run_command(&child);
2230                 if (status)
2231                         return "unpack-objects abnormal exit";
2232         } else {
2233                 char hostname[HOST_NAME_MAX + 1];
2234
2235                 strvec_pushl(&child.args, "index-pack", "--stdin", NULL);
2236                 push_header_arg(&child.args, &hdr);
2237
2238                 if (xgethostname(hostname, sizeof(hostname)))
2239                         xsnprintf(hostname, sizeof(hostname), "localhost");
2240                 strvec_pushf(&child.args,
2241                              "--keep=receive-pack %"PRIuMAX" on %s",
2242                              (uintmax_t)getpid(),
2243                              hostname);
2244
2245                 if (!quiet && err_fd)
2246                         strvec_push(&child.args, "--show-resolving-progress");
2247                 if (use_sideband)
2248                         strvec_push(&child.args, "--report-end-of-input");
2249                 if (fsck_objects)
2250                         strvec_pushf(&child.args, "--strict%s",
2251                                      fsck_msg_types.buf);
2252                 if (!reject_thin)
2253                         strvec_push(&child.args, "--fix-thin");
2254                 if (max_input_size)
2255                         strvec_pushf(&child.args, "--max-input-size=%"PRIuMAX,
2256                                      (uintmax_t)max_input_size);
2257                 child.out = -1;
2258                 child.err = err_fd;
2259                 child.git_cmd = 1;
2260                 status = start_command(&child);
2261                 if (status)
2262                         return "index-pack fork failed";
2263                 pack_lockfile = index_pack_lockfile(child.out);
2264                 close(child.out);
2265                 status = finish_command(&child);
2266                 if (status)
2267                         return "index-pack abnormal exit";
2268                 reprepare_packed_git(the_repository);
2269         }
2270         return NULL;
2271 }
2272
2273 static const char *unpack_with_sideband(struct shallow_info *si)
2274 {
2275         struct async muxer;
2276         const char *ret;
2277
2278         if (!use_sideband)
2279                 return unpack(0, si);
2280
2281         use_keepalive = KEEPALIVE_AFTER_NUL;
2282         memset(&muxer, 0, sizeof(muxer));
2283         muxer.proc = copy_to_sideband;
2284         muxer.in = -1;
2285         if (start_async(&muxer))
2286                 return NULL;
2287
2288         ret = unpack(muxer.in, si);
2289
2290         finish_async(&muxer);
2291         return ret;
2292 }
2293
2294 static void prepare_shallow_update(struct shallow_info *si)
2295 {
2296         int i, j, k, bitmap_size = DIV_ROUND_UP(si->ref->nr, 32);
2297
2298         ALLOC_ARRAY(si->used_shallow, si->shallow->nr);
2299         assign_shallow_commits_to_refs(si, si->used_shallow, NULL);
2300
2301         si->need_reachability_test =
2302                 xcalloc(si->shallow->nr, sizeof(*si->need_reachability_test));
2303         si->reachable =
2304                 xcalloc(si->shallow->nr, sizeof(*si->reachable));
2305         si->shallow_ref = xcalloc(si->ref->nr, sizeof(*si->shallow_ref));
2306
2307         for (i = 0; i < si->nr_ours; i++)
2308                 si->need_reachability_test[si->ours[i]] = 1;
2309
2310         for (i = 0; i < si->shallow->nr; i++) {
2311                 if (!si->used_shallow[i])
2312                         continue;
2313                 for (j = 0; j < bitmap_size; j++) {
2314                         if (!si->used_shallow[i][j])
2315                                 continue;
2316                         si->need_reachability_test[i]++;
2317                         for (k = 0; k < 32; k++)
2318                                 if (si->used_shallow[i][j] & (1U << k))
2319                                         si->shallow_ref[j * 32 + k]++;
2320                 }
2321
2322                 /*
2323                  * true for those associated with some refs and belong
2324                  * in "ours" list aka "step 7 not done yet"
2325                  */
2326                 si->need_reachability_test[i] =
2327                         si->need_reachability_test[i] > 1;
2328         }
2329
2330         /*
2331          * keep hooks happy by forcing a temporary shallow file via
2332          * env variable because we can't add --shallow-file to every
2333          * command. check_connected() will be done with
2334          * true .git/shallow though.
2335          */
2336         setenv(GIT_SHALLOW_FILE_ENVIRONMENT, alt_shallow_file, 1);
2337 }
2338
2339 static void update_shallow_info(struct command *commands,
2340                                 struct shallow_info *si,
2341                                 struct oid_array *ref)
2342 {
2343         struct command *cmd;
2344         int *ref_status;
2345         remove_nonexistent_theirs_shallow(si);
2346         if (!si->nr_ours && !si->nr_theirs) {
2347                 shallow_update = 0;
2348                 return;
2349         }
2350
2351         for (cmd = commands; cmd; cmd = cmd->next) {
2352                 if (is_null_oid(&cmd->new_oid))
2353                         continue;
2354                 oid_array_append(ref, &cmd->new_oid);
2355                 cmd->index = ref->nr - 1;
2356         }
2357         si->ref = ref;
2358
2359         if (shallow_update) {
2360                 prepare_shallow_update(si);
2361                 return;
2362         }
2363
2364         ALLOC_ARRAY(ref_status, ref->nr);
2365         assign_shallow_commits_to_refs(si, NULL, ref_status);
2366         for (cmd = commands; cmd; cmd = cmd->next) {
2367                 if (is_null_oid(&cmd->new_oid))
2368                         continue;
2369                 if (ref_status[cmd->index]) {
2370                         cmd->error_string = "shallow update not allowed";
2371                         cmd->skip_update = 1;
2372                 }
2373         }
2374         free(ref_status);
2375 }
2376
2377 static void report(struct command *commands, const char *unpack_status)
2378 {
2379         struct command *cmd;
2380         struct strbuf buf = STRBUF_INIT;
2381
2382         packet_buf_write(&buf, "unpack %s\n",
2383                          unpack_status ? unpack_status : "ok");
2384         for (cmd = commands; cmd; cmd = cmd->next) {
2385                 if (!cmd->error_string)
2386                         packet_buf_write(&buf, "ok %s\n",
2387                                          cmd->ref_name);
2388                 else
2389                         packet_buf_write(&buf, "ng %s %s\n",
2390                                          cmd->ref_name, cmd->error_string);
2391         }
2392         packet_buf_flush(&buf);
2393
2394         if (use_sideband)
2395                 send_sideband(1, 1, buf.buf, buf.len, use_sideband);
2396         else
2397                 write_or_die(1, buf.buf, buf.len);
2398         strbuf_release(&buf);
2399 }
2400
2401 static void report_v2(struct command *commands, const char *unpack_status)
2402 {
2403         struct command *cmd;
2404         struct strbuf buf = STRBUF_INIT;
2405         struct ref_push_report *report;
2406
2407         packet_buf_write(&buf, "unpack %s\n",
2408                          unpack_status ? unpack_status : "ok");
2409         for (cmd = commands; cmd; cmd = cmd->next) {
2410                 int count = 0;
2411
2412                 if (cmd->error_string) {
2413                         packet_buf_write(&buf, "ng %s %s\n",
2414                                          cmd->ref_name,
2415                                          cmd->error_string);
2416                         continue;
2417                 }
2418                 packet_buf_write(&buf, "ok %s\n",
2419                                  cmd->ref_name);
2420                 for (report = cmd->report; report; report = report->next) {
2421                         if (count++ > 0)
2422                                 packet_buf_write(&buf, "ok %s\n",
2423                                                  cmd->ref_name);
2424                         if (report->ref_name)
2425                                 packet_buf_write(&buf, "option refname %s\n",
2426                                                  report->ref_name);
2427                         if (report->old_oid)
2428                                 packet_buf_write(&buf, "option old-oid %s\n",
2429                                                  oid_to_hex(report->old_oid));
2430                         if (report->new_oid)
2431                                 packet_buf_write(&buf, "option new-oid %s\n",
2432                                                  oid_to_hex(report->new_oid));
2433                         if (report->forced_update)
2434                                 packet_buf_write(&buf, "option forced-update\n");
2435                 }
2436         }
2437         packet_buf_flush(&buf);
2438
2439         if (use_sideband)
2440                 send_sideband(1, 1, buf.buf, buf.len, use_sideband);
2441         else
2442                 write_or_die(1, buf.buf, buf.len);
2443         strbuf_release(&buf);
2444 }
2445
2446 static int delete_only(struct command *commands)
2447 {
2448         struct command *cmd;
2449         for (cmd = commands; cmd; cmd = cmd->next) {
2450                 if (!is_null_oid(&cmd->new_oid))
2451                         return 0;
2452         }
2453         return 1;
2454 }
2455
2456 int cmd_receive_pack(int argc, const char **argv, const char *prefix)
2457 {
2458         int advertise_refs = 0;
2459         struct command *commands;
2460         struct oid_array shallow = OID_ARRAY_INIT;
2461         struct oid_array ref = OID_ARRAY_INIT;
2462         struct shallow_info si;
2463         struct packet_reader reader;
2464
2465         struct option options[] = {
2466                 OPT__QUIET(&quiet, N_("quiet")),
2467                 OPT_HIDDEN_BOOL(0, "stateless-rpc", &stateless_rpc, NULL),
2468                 OPT_HIDDEN_BOOL(0, "advertise-refs", &advertise_refs, NULL),
2469                 OPT_HIDDEN_BOOL(0, "reject-thin-pack-for-testing", &reject_thin, NULL),
2470                 OPT_END()
2471         };
2472
2473         packet_trace_identity("receive-pack");
2474
2475         argc = parse_options(argc, argv, prefix, options, receive_pack_usage, 0);
2476
2477         if (argc > 1)
2478                 usage_msg_opt(_("Too many arguments."), receive_pack_usage, options);
2479         if (argc == 0)
2480                 usage_msg_opt(_("You must specify a directory."), receive_pack_usage, options);
2481
2482         service_dir = argv[0];
2483
2484         setup_path();
2485
2486         if (!enter_repo(service_dir, 0))
2487                 die("'%s' does not appear to be a git repository", service_dir);
2488
2489         git_config(receive_pack_config, NULL);
2490         if (cert_nonce_seed)
2491                 push_cert_nonce = prepare_push_cert_nonce(service_dir, time(NULL));
2492
2493         if (0 <= transfer_unpack_limit)
2494                 unpack_limit = transfer_unpack_limit;
2495         else if (0 <= receive_unpack_limit)
2496                 unpack_limit = receive_unpack_limit;
2497
2498         switch (determine_protocol_version_server()) {
2499         case protocol_v2:
2500                 /*
2501                  * push support for protocol v2 has not been implemented yet,
2502                  * so ignore the request to use v2 and fallback to using v0.
2503                  */
2504                 break;
2505         case protocol_v1:
2506                 /*
2507                  * v1 is just the original protocol with a version string,
2508                  * so just fall through after writing the version string.
2509                  */
2510                 if (advertise_refs || !stateless_rpc)
2511                         packet_write_fmt(1, "version 1\n");
2512
2513                 /* fallthrough */
2514         case protocol_v0:
2515                 break;
2516         case protocol_unknown_version:
2517                 BUG("unknown protocol version");
2518         }
2519
2520         if (advertise_refs || !stateless_rpc) {
2521                 write_head_info();
2522         }
2523         if (advertise_refs)
2524                 return 0;
2525
2526         packet_reader_init(&reader, 0, NULL, 0,
2527                            PACKET_READ_CHOMP_NEWLINE |
2528                            PACKET_READ_DIE_ON_ERR_PACKET);
2529
2530         if ((commands = read_head_info(&reader, &shallow)) != NULL) {
2531                 const char *unpack_status = NULL;
2532                 struct string_list push_options = STRING_LIST_INIT_DUP;
2533
2534                 if (use_push_options)
2535                         read_push_options(&reader, &push_options);
2536                 if (!check_cert_push_options(&push_options)) {
2537                         struct command *cmd;
2538                         for (cmd = commands; cmd; cmd = cmd->next)
2539                                 cmd->error_string = "inconsistent push options";
2540                 }
2541
2542                 prepare_shallow_info(&si, &shallow);
2543                 if (!si.nr_ours && !si.nr_theirs)
2544                         shallow_update = 0;
2545                 if (!delete_only(commands)) {
2546                         unpack_status = unpack_with_sideband(&si);
2547                         update_shallow_info(commands, &si, &ref);
2548                 }
2549                 use_keepalive = KEEPALIVE_ALWAYS;
2550                 execute_commands(commands, unpack_status, &si,
2551                                  &push_options);
2552                 if (pack_lockfile)
2553                         unlink_or_warn(pack_lockfile);
2554                 if (report_status_v2)
2555                         report_v2(commands, unpack_status);
2556                 else if (report_status)
2557                         report(commands, unpack_status);
2558                 run_receive_hook(commands, "post-receive", 1,
2559                                  &push_options);
2560                 run_update_post_hook(commands);
2561                 string_list_clear(&push_options, 0);
2562                 if (auto_gc) {
2563                         const char *argv_gc_auto[] = {
2564                                 "gc", "--auto", "--quiet", NULL,
2565                         };
2566                         struct child_process proc = CHILD_PROCESS_INIT;
2567
2568                         proc.no_stdin = 1;
2569                         proc.stdout_to_stderr = 1;
2570                         proc.err = use_sideband ? -1 : 0;
2571                         proc.git_cmd = 1;
2572                         proc.argv = argv_gc_auto;
2573
2574                         close_object_store(the_repository->objects);
2575                         if (!start_command(&proc)) {
2576                                 if (use_sideband)
2577                                         copy_to_sideband(proc.err, -1, NULL);
2578                                 finish_command(&proc);
2579                         }
2580                 }
2581                 if (auto_update_server_info)
2582                         update_server_info(0);
2583                 clear_shallow_info(&si);
2584         }
2585         if (use_sideband)
2586                 packet_flush(1);
2587         oid_array_clear(&shallow);
2588         oid_array_clear(&ref);
2589         free((void *)push_cert_nonce);
2590         return 0;
2591 }